Individuals have rights to know, correct, and in some jurisdictions opt out of automated processing of their personal data for consequential decisions. Organizations face restrictions on using sensitive personal attributes in AI decision-making and must minimize data collection to what is necessary for the stated purpose. AI-generated inferences and derived attributes are themselves subject to these controls.
(f) Each covered entity shall collect and store only information that does not conflict with a trusted party's best interests, which must be: (1) Sufficient to fulfill a legitimate purpose of the covered entity; (2) Relevant to the legitimate purpose of the covered entity; and (3) The minimum amount of information needed for the legitimate purpose of the covered entity.
A chatbot provider may not: 1. Process personal data to inform a chatbot output unless processing personal data is necessary to fulfill an express request that is made by a user and the user provides affirmative consent.
A chatbot provider may not: 2. Process a user's chat log: (a) To determine whether to display an advertisement for a product or service to a user. (b) To determine a product or service or category of a product or service to advertise to a user. (c) To customize an advertisement for presentation to a user.
A chatbot provider may not: 3. Process a user's chat log and personal data: (d) To engage in profiling beyond what is necessary to fulfill an express request. 4. Profile a user based on any classification or designation of the user's personality or behavioral characteristic beyond what is necessary to fulfill an express request made by the user.
A chatbot provider may not: 3. Process a user's chat log and personal data: (c) for training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent.
A user has a right to access the user's own chat logs at any time. A chatbot provider shall provide a user's own chat log on request by the user and shall provide the chat log in a downloadable and easy to read format. A chatbot provider may not discriminate or retaliate against a user pursuant to subsection A paragraph 7 of this section that requests the user's chat.
(b) An employer shall not use an ADS to collect worker data for a purpose that is not disclosed pursuant to the notice requirements in Chapter 2 (commencing with Section 1522).
(e) A worker shall have the right to request, and an employer shall provide, a copy of the most recent 12 months of the worker's own data primarily used by an ADS to make a discipline, termination, or deactivation decision. A worker is limited to one request every 12 months for a copy of their own data used by an ADS to make a discipline, termination, or deactivation decision. (f) For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this part, that worker data shall be provided in a manner that anonymizes the customer's, other worker's, or individual's personal information.
(5) Use or rely upon individualized worker data as inputs or outputs to inform compensation unless the employer can clearly demonstrate that any differences in compensation for substantially similar or comparable work assignments are based upon cost differentials in performing the task involved, or that the data was directly related to the tasks that the worker was hired to perform.
(e) A worker shall have the right to request, and an employer shall provide, a copy of the most recent 12 months of the worker's own data primarily used by an ADS to make a disciplinary, termination, or deactivation decision. A worker is limited to one request every 12 months for a copy of their own data used by an ADS to make a disciplinary, termination, or deactivation decision. (f) For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this part, that worker data shall be provided in a manner that anonymizes the customer's, other worker's, or individual's personal information.
Except as provided in subsection (b) of section 2 of this act, prior to collecting any personal data of an applicant for employment or employee in the state for processing in an automated employment-related decision process, a deployer shall provide to such applicant or employee a written notice disclosing: (1) The purpose of such data collection; (2) The categories of personal data that will be collected for processing in such automated employment-related decision process; (3) The retention period for any personal data collected; (4) The categories of persons who will have access to such personal data; and (5) Information concerning the right, under subparagraph (C) of subdivision (5) of subsection (a) of section 42-518 of the general statutes, to opt out of the processing of personal data for the purposes set forth in said subparagraph.
(1) An artificial intelligence technology company may not sell or disclose personal information of users unless the information is deidentified data. This subsection does not prohibit the sale or disclosure of information specifically authorized by federal law. (2) An artificial intelligence technology company in possession of deidentified data shall do all of the following: (a) Take reasonable measures to ensure that the data cannot be associated with a user. (b) Maintain and use the data in deidentified form. An artificial intelligence technology company may not attempt to reidentify the data, except that the artificial intelligence technology company may attempt to reidentify the data solely for the purpose of determining whether its deidentification processes satisfy the requirements of this section. (c) Contractually obligate a recipient of the deidentified data to comply with this section. (d) Implement business processes to prevent the inadvertent release of deidentified data.
(6) An operator shall protect the confidentiality of age information provided by a user for age verification in accordance with s. 501.1738.
(4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient.
A deployer of a chatbot shall do all of the following: 2. Limit the collection and storage of user information collected by the chatbot to what is necessary to fulfill the deployer's purpose for making the chatbot publicly available.
b. Limit the collection and storage of user information collected by the public-facing chatbot to what is necessary to fulfill the deployer's purpose for making the public-facing chatbot publicly available.
d. Collect employee data for a purpose that is not disclosed pursuant to the notice requirements in section 91F.2.
An employee has the right to request a copy of the most recent twelve months of the employee's own data primarily used by an automated decision system to make a discipline, termination, or deactivation decision. An employer shall provide a copy upon request. An employee is limited to one such request every twelve months.
For purposes of safeguarding the privacy rights of consumers, employees, and individuals, when an employer is required to provide employee data pursuant to this chapter, the employer shall provide the data in a manner that anonymizes the personal information of any customer, employee, or other individual.
2. A private entity shall not collect, capture, purchase, or otherwise obtain an individual's biometric data unless, prior to receiving the biometric data, the private entity does all of the following: a. Informs the subject of the biometric data, or the subject's legal representative, in writing, that the private entity intends to collect the subject's biometric data. b. Informs the subject of the biometric data, or the subject's legal representative, in writing, of the purposes and length of time for which the private entity intends to retain the biometric data.
3. A private entity shall not sell, lease, trade, or otherwise profit from an individual's biometric data.
(2)(a) A person may not capture a biometric identifier of an individual for a commercial purpose unless the person: (i) Informs the individual before capturing the biometric identifier; and (ii) Receives the individual's consent to capture the biometric identifier. (b) For the purposes of this subsection, an individual has not been informed of and has not provided consent for the capture or storage of a biometric identifier for a commercial purpose based solely on the existence of an image or other media containing one (1) or more biometric identifiers of the individual on the internet or other publicly available source unless the image or other media was made publicly available by the individual to whom the biometric identifiers relate.
(3) Persons or entities possessing a biometric identifier of an individual that is captured for a commercial purpose: (a) May not sell, lease, or otherwise disclose the biometric identifier to another person unless: (i) The individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) The disclosure completes a financial transaction that the individual requested or authorized; (iii) The disclosure is required or permitted by state or federal law; or (iv) The disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
(d) Shall provide a method for an individual to revoke consent to the storage and transmission of a biometric identifier at any time and shall immediately destroy the biometric identifier upon receiving a revocation of consent unless maintaining the biometric identifier is required by another law.
(f) If an automated decision-making system is collecting employee data, employees and their exclusive bargaining representatives have a right to view the data collected by the automated decision-making system.
(a) It is the policy of this State that a student and the student's parent have the right to: (1) opt out of school-issued personal electronic devices, electronic textbooks, electronic required reading, or electronic or online assignments; (3) opt out of predictive analytics systems without academic penalty. (b) If a student or a student's parent exercises the right outlined in subsection (a), the school shall provide the student with a comparable analog version of what the educational technology provides. As used in this subsection, "comparable analog version" includes, but is not limited to, providing the assignment on physical paper, a physical copy of the required reading, or the option of a physical paper textbook.
(3) Sell or rent a student's information or data, including covered information or any other person's information collected by the operator for K through 12 school purposes. This subdivision (3) does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity complies with this Act regarding previously acquired student information. (3.5) Permit artificial intelligence to train on covered information unless for K through 12 school purposes or in furtherance of improving operability and functionality of the operator's service.
An operator's artificial intelligence model shall not train on a student's covered information and retain the training data indefinitely, unless it first: (A) informs the student or his or her parent in writing that the operator's artificial intelligence model will retain training data indefinitely; and (B) receives a written consent from the student or his or her parent.
(A) In furtherance of the K through 12 school purposes of the site, service, application, or model if the recipient of the covered information disclosed under this clause (A) does not further disclose the information, unless done to allow or improve operability and functionality of the operator's site, service, or application. Improving operability does not include disclosing covered information to any third party to train artificial intelligence that is not for K through 12 school purposes.
Sec. 13. An employer that manages a covered individual through an automated decision system shall allow the covered individual to: (1) opt out of the management through the automated decision system; and (2) be managed through a human manager who is able to make employment related decisions with respect to the covered individual.
(d) A covered entity shall protect the confidentiality of age information provided by a user for age verification by limiting the collection, processing, use and storage of such information to what is strictly necessary to verify a user's age, obtain verifiable parental consent or maintain compliance records.
B. An employer shall not use an ADS to collect worker data for a purpose that is not disclosed pursuant to the notice requirements as provided in R.S. 23:972.
(4)(a) An employer shall allow a worker to access worker data collected, used by, or produced by an ADS and correct errors in any input or output data used by or produced by the ADS or used as corroborating evidence by a human reviewer. (b) An affected worker shall be allowed to choose an authorized representative to request access to the worker's data on his behalf.
F. A worker has the right to request, and an employer shall provide, a copy of the most recent twelve months of the worker's own data primarily used by an ADS to make a discipline, termination, or deactivation decision. A worker shall be limited to one request every twelve months for a copy of his own data used by an ADS to make a discipline, termination, or deactivation decision. G. For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this Part, the worker data shall be provided in a manner that provides anonymity regarding the customer's, other worker's, or individual's personal information.
(1) An operator of a mental health chatbot may not sell to or share with any third party any individually identifiable health information of a user or the user's input. This Subsection shall not apply to individually identifiable health information that is requested by a healthcare provider with the consent of the user, provided to a health plan of a user upon request of the user, or shared to ensure the effective functionality of the mental health chatbot with another party with which the operator has a contract related to such functionality. (2) When sharing information pursuant to this Subsection, the operator and the other entity shall comply with all applicable privacy and security provisions of 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E, as if the operator were a covered entity and the other entity were a business associate, as such terms are defined in 45 CFR 160.103.
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user;
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
(c) A covered entity shall not: (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(a) It shall be unlawful for an employer to use an electronic monitoring tool to collect employee information unless: (i) the electronic monitoring tool is primarily used to accomplish any of the following purposes: (A) allowing a worker to accomplish or facilitating the accomplishment of an essential job function; (B) ensuring the quality of goods and services; (C) conducting periodic assessment of worker performance; (D) ensuring or facilitating compliance with employment, labor, or other relevant laws; (E) protecting the health, safety, or security of workers, or the security of the employer's facilities or computer networks; or (F) administering wages and benefits. The department of labor standards may establish additional exceptions under clause (i) through notice and comment rulemaking in compliance with chapter 30A. (ii) the specific type and activated capabilities of an electronic monitoring tool must be narrowly tailored to accomplish the employer's intended, legitimate purpose specified under (i). (iii) the electronic monitoring tool may only be used to accomplish the employer's intended, legitimate purpose specified in (i), and must be customized and implemented in a manner ensuring that the execution of its duties undertaken in the manner least invasive to employees of the employer while accomplishing the employer's legitimate purposes as defined by (i); (iv) the specific form of electronic monitoring is limited to the smallest number of workers, collects the least amount of data and is collected no more frequently than is necessary to accomplish the purpose, and the data collected is deleted once the purpose has been achieved. 
(v) the employer must ensure that any employee data that is collected utilizing an electronic monitoring tool that is not necessary to accomplish the employer's intended, legitimate purpose is not disclosed to the employer and is promptly disposed of by the vendor; (vi) the employer must ensure that employee data is not collected when the employee is off-duty; and (vii) the employer must ensure that any employee data collected utilizing an electronic monitoring tool that is necessary to accomplish the employer's intended, legitimate purpose, is stored consistent with the commonwealth's data- and cyber- privacy laws, promptly disposed of as soon as the data is no longer needed, and is not utilized by the employer, the vendor or any other third party for any reason except as provided in section 2(c) and section 3(c) of this chapter.
(b) Any employer that uses an electronic monitoring tool shall give prior written notice and must obtain written consent from all candidates and employees subject to electronic monitoring and must also post said notice in a conspicuous place which is readily available for viewing by candidates and employees, pursuant to sections 19B, 52C, and 190(i) of chapter 149 and section 99 of chapter 272. Such notice shall include, at a minimum, the following: (i) a description of the purpose for which the electronic monitoring tool will be used, as specified in subparagraph (i) of paragraph (a) of this subdivision; (ii) a description of the specific employee data to be collected, stored, secured, and disposed of (and the schedule therefore), and the activities, locations, communications, and job roles that will be electronically monitored by the tool; (iii) a description of the dates, times, and frequency that electronic monitoring will occur; (iv) whether and how any employee data collected by the electronic monitoring tool will be used as an input in an automated employment decision tool; (v) whether and how any employee data collected by the electronic monitoring tool will alone or in conjunction with an automated employment decision tool be used to make an employment decision by the employer or employment agency; (vi) whether and how any employee data collected by the electronic monitoring tool may be stored and utilized in discipline, in internal policy compliance, in administrative agency adjudications, and in litigation (whether or not it involves the employee as a party); (vii) whether any employee data collected by the electronic monitoring tool will be used to assess employees' productivity performance or to set productivity standards, and if so, how; (viii) a description of where any employee data collected by the electronic monitoring tool will be stored and the length of time it will be retained; (ix) an explanation for how the specific electronic monitoring practice is the least invasive means available to accomplish the monitoring purpose; (x) a statement that an employee is entitled to notice and maintains the right to refuse the sale, transfer, or disclosure of the employee's employee data subject to the provisions of section 2(f); and (xi) a clear and reasonably understandable description of how an employee can exercise the rights described in this chapter.
(e) An employer shall not use employee data collected via an electronic monitoring tool for purposes other than those specified in the notice provided pursuant to paragraph (c) of subdivision one of this section.
(f) An employer shall not sell, transfer, or disclose employee data collected via an electronic monitoring tool to any other entity unless it is required to do so under federal law or the laws of the commonwealth, or necessary to do so to comply with an impact assessment of an automated employment decision tool pursuant to section one thousand twelve of this article.
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative. Written consent may be obtained by electronic means.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(F) (1) A controller shall limit the collection of personal data to what is reasonably necessary and proportionate to satisfy the requirements of this subtitle. (2) A controller may not use data regarding emotional state or mental health vulnerabilities to tailor algorithms to increase the duration or frequency of use of a chatbot.
5. Disclosure of records and communications. All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional or between a client and a licensed professional are confidential and may not be disclosed except as required under law.
2. User information collection and storage. A deployer shall collect and store only information that does not conflict with a user's safety and well-being. A deployer may not collect and store information except to fulfill a legitimate purpose of the deployer. A deployer may collect and store information that is adequate to fulfill a legitimate purpose of the deployer, but only to the extent that the information: A. Is relevant to that legitimate purpose; and B. Is the minimum amount of information necessary to fulfill that legitimate purpose.
Sec. 5. (1) Except as provided in this act, an employer shall not use an electronic monitoring tool or automated decisions tool to collect a covered individual's data. (2) An employer may use an electronic monitoring tool for only the following purposes: (a) To allow an employee to accomplish or facilitate an essential job function. (b) To monitor production processes or quality. (c) To periodically assess an employee's performance. (d) To ensure or facilitate compliance with state or federal labor or employment law. (e) To protect the health, safety, or security of covered individuals. (f) To administer wages and benefits, if it can be determined that the electronic monitoring system uses only data regarding the city where the covered individual works and the costs of living in that area. (g) To accomplish any other purpose that enables business operations as determined by the department.
(3) An employer that uses an electronic monitoring tool or automated decisions tool must do all of the following: (a) Provide written notice that the employer is using an electronic monitoring tool or automated decisions tool to all covered individuals who are subject to the tool. (b) Obtain written consent from each covered individual to electronically monitor or use an automated decisions tool on the covered individual in accordance with this act. (c) Ensure that data collected through the electronic monitoring tool or automated decisions tool is accurate and up to date. (d) Allow a covered individual to correct inaccurate data about that covered individual.
(e) Use the tool in a narrowly tailored manner to accomplish a purpose described in subsection (2) or section 4(2). (f) Use the tool through the least invasive means possible for the covered individual whom the tool monitors. (g) Ensure the tool applies to the smallest number of covered individuals, collects the least amount of data, and is used no more frequently than necessary to accomplish a purpose described in subsection (2) or section 4(2). (h) Ensure that the tool does not collect any data of an employee when the employee is off duty.
(4) An employer that uses an electronic monitoring tool for a purpose described in subsection (2) or an automated decisions tool for a purpose described in section 4(2) shall not do any of the following: (a) Collect any of the following data of a covered individual: (i) Health, medical, lifestyle, and wellness information, including, but not limited to, the covered individual's medical history, physical or mental condition, diet or physical activity patterns, heart rate, medical treatment or diagnosis by a health care professional, health insurance policy number, subscriber identification number, or other unique identifier used to identify the covered individual. (ii) A qualified characteristic. (iii) Information related to workplace activities, including, but not limited to, all of the following: (A) Human resources information, including contents of a covered individual's personnel file or performance evaluations. (B) Work process information, such as productivity and efficiency information. (C) Information that captures workplace communications and interactions, including emails, texts, internal message boards, and customer interaction and ratings. (D) Device usage, including calls placed or geolocation information. (E) Audio-video information and other information collected from sensors, including movement tracking, thermal sensors, voiceprints, or facial, emotion, and gait recognition. (F) Inputs of or outputs generated by an automated decisions tool that are linked to a covered individual. (G) Online information, including a covered individual's internet protocol address, private social media activity, or other digital sources or unique identifiers associated with a covered individual. (b) Identify, punish, or obtain data about a covered individual who engages in an activity that is protected under state or federal labor or employment law.
(c) Monitor bathrooms or other similar private areas, including, but not limited to, locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, areas designated to express breast milk, or areas designated for prayer or other religious activity. The prohibition under this subdivision includes data collection on the frequency of use of those private areas and conducting audio or visual monitoring of a workplace in an employee's residence, an employee's personal vehicle, or property owned or leased by an employee.
Subd. 2. Record requests. (a) A worker has the right to request a copy of: (1) any of the worker's data collected, used, or produced by an automated decision system; (2) any input or output data used or produced by the automated decision system; and (3) corroborating evidence used by a human reviewer. (b) The employer must provide copies of the data requested within seven days of receiving a worker's request. Subd. 3. Record corrections. (a) A worker has the right to request corrections to: (1) any worker data collected, used, or produced by an automated decision system; (2) any input or output data used or produced by the automated decision system; and (3) any corroborating evidence used by a human reviewer. (b) An employer that receives a request to correct any of the information listed in paragraph (a) must investigate and determine whether the disputed data is inaccurate. (c) If an employer determines that the disputed data is inaccurate, the employer must: (1) promptly correct the disputed data and inform the worker of the employer's decision and action; (2) review and adjust any employment-related decisions that were partially or solely based on the inaccurate data and inform the worker of the adjustment; and (3) inform any third parties with which the employer shared the inaccurate data, or from which the employer received the inaccurate data, of the error and direct those third parties to correct the data. (d) If an employer, upon investigation, determines that the disputed data is accurate, the employer must inform the worker of: (1) the decision not to amend the disputed data; (2) the steps taken to verify the accuracy of the data; and (3) the evidence supporting the decision not to amend the disputed data.
(b) An employer must not use an automated decision system that uses individualized worker data as inputs or outputs to set compensation, unless the employer can demonstrate that: (1) the input data is directly related to the ability of the worker to complete the task, such as education, training, experience, or seniority; (2) the inputs used are clearly communicated to the worker such that the worker knows their compensation is a function of the identified attributes; and (3) the employer uses the automated decision system either: (i) not more than once per six-month period per worker; or (ii) only in conjunction with a meaningful change in work duties, such as hiring or promotion.
(e) A job applicant or worker must receive the notice required under this section and respond with affirmative written consent before the worker or applicant is subject to an automated decision system. (f) If reasonable alternatives to the use of the automated decision system exist, the worker must be allowed to opt out of being subject to the automated decision system.
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
A person who obtains biometric data: (1) must not sell, lease, or otherwise disclose the biometric data to another person unless: (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) the disclosure completes a financial transaction that the individual requested or authorized; (iii) the disclosure is required or permitted by a federal or state law; or (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant; (2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses;
(3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.
2. No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first: (1) Informs the person or customer, or the person's or customer's legally authorized representative, in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the person or customer, or the person's or customer's legally authorized representative, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the person or customer, or the person's or customer's legally authorized representative.
(2) No private entity in possession of a biometric identifier or biometric information shall sell, lease, or trade a person's or a customer's biometric identifier or biometric information.
4. No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The person or customer, or the person's or customer's legally authorized representative, provides written release to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the person or customer, or the person's or customer's legally authorized representative; (3) The disclosure or redisclosure is required by state law, federal law, or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) A covered entity shall: a. Establish, implement, and maintain reasonable data security to: (i) Limit collection of personal data to that which is minimally necessary to verify a user's age or maintain compliance with this section; and (ii) Protect such age verification data against unauthorized access; b. Protect such age verification data against unauthorized access; c. Protect the integrity and confidentiality of such data by only transmitting such data using industry-standard encryption protocols; d. Retain such data for no longer than is reasonably necessary to verify a user's age or maintain compliance with this section; and e. Not share with, transfer to, or sell to any other entity such data.
Manufacturers of publicly distributed online media in the state that use an artificial intelligence system to direct, control, or focus the information any one individual can see, whether entirely or in part, shall disclose the use of the system and provide a user with the option to opt out.
(b) A licensee shall do all of the following: (1) Implement industry-standard encryption for data in transit and at rest, maintain detailed access logs, and conduct regular security audits no less than once every six (6) months. (2) Report any data breaches within twenty-four (24) hours to the Department and within forty-eight (48) hours to affected consumers, notwithstanding any provision of law to the contrary. (3) Obtain explicit user consent for data collection and use. (4) Provide users with access to their personal data. (5) Provide users with the ability to delete their data upon request.
(5) Duty of loyalty in collection. — A covered platform shall collect and store only that information that does not conflict with a trusting party's best interests. Such information must be (i) adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the platform; (ii) relevant, in the sense that the information has a relevant link to that legitimate purpose, and (iii) necessary, in the sense that it is the minimum amount of information which is needed for that legitimate purpose. (7) Duty of loyalty in gatekeeping. — A covered platform shall be a loyal gatekeeper of personal information from a trusted party, including avoiding conflicts to the best interests of trusting parties when allowing government or other third-party access to trusting parties and their data.
(a) A covered platform must do each of the following: (1) Ensure that all user-related data disclosed or collected through conversations between users and chatbots or through third-party cookies undergoes a process of de-identification prior to storage and analysis; (2) Take reasonable care to prohibit the incorporation or inclusion of any sensitive personal information derived from a user during the use of a chatbot into an aggregate dataset used to train any chatbot or generative artificial intelligence system. (3) Store all chatbot conversations which do not include sensitive personal information for at least sixty (60) days. (b) Each covered platform that meets the standard set forth in subsection (a) of this section shall utilize self-destructing messages with a predetermined destruction period of thirty (30) days after the data has been acquired. (c) The requirements of subsection (b) of this section shall apply to all chatbots which are employed in: healthcare, financial services, the legal field, government services, mental health support, and education. In general, this applies to any domain, beyond those specifically listed, where chatbots are employed primarily for the processing or storage of sensitive personal information. (d) All covered platforms shall utilize transport encryption for all messages between a user and a chatbot.
(iii) If applicable, provide information to the consumer regarding the consumer's right to opt out of the processing of personal data concerning the consumer for any purpose of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer under subdivision (2)(e)(iii) of section 87-1107.
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).
a. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a business entity to use any biometric surveillance system on a consumer at the physical premises of the business entity, except as provided in subsection c. of this section. b. A business entity may use a biometric surveillance system on a consumer at the physical premises of the business entity, if: (1) the business entity provides clear and conspicuous notice to the consumer regarding its use of a biometric surveillance system; and (2) the biometric surveillance system is used for a lawful purpose. The business entity may satisfy the notice requirement of paragraph (1) of this section by posting a sign in a conspicuous location at the perimeter of any area where a biometric surveillance system is being used.
b. An employer shall not share an applicant's video except with a service provider whose expertise or technology is necessary to evaluate the applicant's fitness for a position.
c. Upon request from the applicant, an employer, within 30 days after receipt of the request, shall delete an applicant's interviews and instruct any other persons who received copies of the applicant's video interviews to also delete the videos, including all electronically generated backup copies. Any other person or service provider shall comply with the employer's instructions.
5. New York residents are entitled to protection from inappropriate or irrelevant data use in the design, development, and deployment of automated systems, and from the compounded harm of its reuse.
1. New York residents shall be protected from abusive data practices via built-in protections and shall maintain agency over the use of their personal data. 2. Privacy violations shall be mitigated through design choices that include privacy protections by default, ensuring that data collection conforms to reasonable expectations and that only strictly necessary data for the specific context is collected.
3. Designers, developers, and deployers of automated systems must seek and respect the decisions of New York residents regarding the collection, use, access, transfer, and deletion of their data in all appropriate ways and to the fullest extent possible. Where not possible, alternative privacy by design safeguards must be implemented. 4. Automated systems shall not employ user experience or design decisions that obscure user choice or burden users with default settings that are privacy-invasive. 5. Consent shall be used to justify the collection of data only in instances where it can be appropriately and meaningfully given. Any consent requests shall be brief, understandable in plain language, and provide New York residents with agency over data collection and its specific context of use. 6. Any existing practice of complex notice-and-choice for broad data use shall be transformed, emphasizing clarity and user comprehension.
7. Enhanced protections and restrictions shall be established for data and inferences related to sensitive domains. In sensitive domains, individual data and related inferences may only be used for necessary functions, safeguarded by ethical review and use prohibitions.
§ 522. Information and source code sharing. 1. Licensees shall be permitted to share information and source code with any third party, provided however, that where information is biometric information such party shall be jointly liable for any harm or violations under this article with the licensee. The secretary may, in their discretion, prohibit any person from accessing the information or source code of a licensee provided however that the secretary shall provide a written justification for such a prohibition. 2. For purposes of this section, "biometric information" shall include a person's: (a) faceprint; (b) voiceprint; (c) fingerprint; (d) gaitprint; (e) irisprint; (f) psychological profile; or (g) any other data related to a person's body or mind that can be used to identify a person. 3. This section shall only apply to the sharing of information received or generated by the licensee or source code created by the licensee and shall not apply to a third party integrating their systems with the licensee.
2. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (a) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (b) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (c) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
1. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information within a reasonable time, but in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization or within three years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
3. No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
4. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (a) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (b) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (c) the disclosure or redisclosure is required by federal, state or local law or municipal ordinance; or (d) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
News media employers shall not directly or through a third party authorize the training of a generative artificial intelligence system on the work product of a news media worker without notice, consent and an opportunity to bargain over appropriate remuneration. A news media employer shall not penalize a news media worker for declining to consent to allow their work product to be used to train a generative artificial intelligence system.
(a) It shall be an unlawful discriminatory practice for an employer to use artificial intelligence for recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment that has the effect of subjecting employees to discrimination on the basis of age, race, creed, color, national origin, citizenship or immigration status, sexual orientation, gender identity or expression, military status, sex, disability, predisposing genetic characteristics, familial status, marital status, or status as a victim of domestic violence or to use zip codes as a proxy for such protected classes.
B. Deployers shall collect and store only that information that does not conflict with a trusting party's best interests. Such information must be: 1. Adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the deployer; 2. Relevant, in the sense that the information has a relevant link to that legitimate purpose; and 3. Necessary, in the sense that it is the minimum amount of information which is needed for that legitimate purpose.
(6) Patient data must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
(a) Prohibition.--Except as provided under subsections (b) and (c), a supplier may not sell to or share with a third party the following: (1) Individually identifiable health information of a consumer. (2) Consumer input. (b) Applicability.--The prohibition under subsection (a) shall not apply if: (1) Either: (i) A health care provider requests access to the individually identifiable health information of the consumer and the consumer consents to the access in accordance with subsection (d). (ii) The consumer requests that a health plan be provided access to the individually identifiable health information of the consumer and the consumer consents to the access in accordance with subsection (d). (2) The individually identifiable health information is shared in accordance with subsection (c). (c) Sharing information.-- (1) A supplier may share a consumer's individually identifiable health information if: (i) the sharing of the information is necessary to ensure the effective functionality of the chatbot with a third party with which the supplier has a contract related to the functionality; and (ii) the consumer consents to the sharing of the information in accordance with subsection (d). (2) When sharing information in accordance with this subsection, the supplier and the third party shall comply with all applicable privacy and security provisions of 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to security and privacy), as if the supplier were a covered entity and the third party were a business associate. (d) Consent.-- (1) A consumer may consent to access to individually identifiable health information of the consumer by a health care provider or health plan in accordance with this section. (2) To be effective, the consent under this subsection must: (i) Be in writing. 
(ii) Acknowledge that the consumer understands and agrees to the access of the individually identifiable health information of the consumer by a health care provider or health plan. (3) The consent under this subsection may involve the consumer initialing or signing the acknowledgment described in paragraph (2)(ii), checking a box, providing an electronic signature or hitting a button.
All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional shall be confidential and shall not be disclosed except as provided pursuant to the provisions of § 40.1-5-26.
(a) It shall be unlawful for an employer to use an electronic monitoring tool to collect employee information unless: (1) The electronic monitoring tool is primarily used to accomplish any of the following legitimate purposes: (i) Allowing a worker to accomplish or facilitating the accomplishment of an essential job function; (ii) Ensuring the quality of goods and services; (iii) Conducting periodic assessment of worker performance; (iv) Ensuring or facilitating compliance with employment, labor, or other relevant laws; (v) Protecting the health, safety, or security of workers, or the security of the employer's facilities or computer networks; or (vi) Administering wages and benefits. (2) The department of labor and training standards may establish additional exceptions under this subsection, pursuant to chapter 35 of title 42 ("administrative procedures act"). (b)(1) The specific type and activated capabilities of an electronic monitoring tool shall be narrowly tailored to accomplish the employer's intended, legitimate purpose specified under subsection (a)(1) of this section; (2) The electronic monitoring tool shall only be used to accomplish the employer's intended, legitimate purpose specified in subsection (a)(1) of this section, and shall be customized and implemented in a manner ensuring that the execution of its duties is undertaken in the manner least invasive to employees of the employer, while still accomplishing the employer's legitimate purposes as defined by subsection (a)(1) of this section; (3) The specific form of electronic monitoring is limited to the smallest number of workers, collection of the least amount of data which shall be collected no more frequently than is necessary to accomplish the purpose, and the data collected shall be deleted once the purpose has been achieved; (4) The employer shall ensure that any employee data that is collected utilizing an electronic monitoring tool that is not necessary to accomplish the employer's intended, legitimate purpose shall not be disclosed to the employer and shall be promptly disposed of by the vendor; (5) The employer shall ensure that employee data is not collected when the employee is off-duty; and (6) The employer shall ensure that any employee data collected utilizing an electronic monitoring tool that is necessary to accomplish the employer's intended, legitimate purpose is stored consistent with the state's data and cyber privacy laws, promptly disposed of as soon as the data is no longer needed, and is not utilized by the employer, the vendor or any other third party for any reason except as provided in subsection (c) of this section. (e) Notwithstanding the allowable purposes for electronic monitoring described in subsection (a) of this section, an employer shall not: (1) Use an electronic monitoring tool in such a manner that results in a violation of labor, employment, civil rights law or any other law of the state; (2) Use an electronic monitoring tool or data collected via an electronic monitoring tool in such a manner as to threaten the health, welfare, safety, or legal rights of employees or the general public; (3) Use an electronic monitoring tool to monitor employees who are off-duty or not performing work-related tasks; (4) Use an electronic monitoring tool in order to obtain information about an employee's health, including health status and health conditions, the race, color, religious creed, national origin, sex, gender identity, sexual orientation, genetic information, pregnancy or a condition related to said pregnancy including, but not limited to, lactation or the need to express breast milk for a nursing child, ancestry or status as a veteran or membership in any group protected from employment discrimination under title 28 or any other applicable law; (5) Use an electronic monitoring tool in order to identify, punish, or obtain information about employees engaging in activity protected under labor or employment law; (6) Conduct audio or visual monitoring of bathrooms or other similarly private areas, including locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, and areas designated to express breast milk, or areas designated for prayer or other religious activity, including data collection on the frequency of use of those private areas; (7) Conduct audio or visual monitoring of a workplace in an employee's residence, an employee's personal vehicle, or property owned or leased by an employee; (8) Use an electronic monitoring tool that incorporates facial recognition; (9) Use an electronic monitoring tool that incorporates gait, voice analysis, or emotion recognition technology; (10) Take adverse action against an employee, based, in whole or in part, on their opposition or refusal to submit to a practice that the employee believes in good faith violates this section; (11) Take adverse employment action against an employee on the basis of data collected via continuous incremental time-tracking tools, except in the case of egregious misconduct; or (12) Take adverse employment action against an employee based on any data collected via electronic monitoring, if such data measures an employee's performance in relation to a performance standard that has not been previously, clearly, and unmistakably disclosed to such employee, as well as to all other classes of employees to whom it applies in violation of this section, or if such data was collected without proper notice to employees or candidates pursuant to this section.
(f) An employer shall not use employee data collected via an electronic monitoring tool for purposes other than those specified in the notice provided pursuant to subsection (c) of this section. (g) An employer shall not sell, transfer, or disclose employee data collected via an electronic monitoring tool to any other entity unless it is required to do so under federal law or the laws of the state, or necessary to do so to comply with an impact assessment of an automated decision system used pursuant to this section.
(a) It shall be unlawful for an employer to use an electronic monitoring tool to collect employee information unless: (1) The electronic monitoring tool is primarily used to accomplish any of the following legitimate purposes: (i) Allowing a worker to accomplish or facilitating the accomplishment of an essential job function; (ii) Ensuring the quality of goods and services; (iii) Conducting periodic assessment of worker performance; (iv) Ensuring or facilitating compliance with employment, labor, or other relevant laws; (v) Protecting the health, safety, or security of workers, or the security of the employer's facilities or computer networks; or (vi) Administering wages and benefits. (2) The department of labor and training standards may establish additional exceptions under this subsection, pursuant to chapter 35 of title 42 ("administrative procedures act.") (b)(1) The specific type and activated capabilities of an electronic monitoring tool shall be narrowly tailored to accomplish the employer's intended, legitimate purpose specified under subsection (a)(1) of this section; (2) The electronic monitoring tool shall only be used to accomplish the employer's intended, legitimate purpose specified in subsection (a)(1) of this section, and shall be customized and implemented in a manner ensuring that the execution of its duties are undertaken in the manner least invasive to employees of the employer, while still accomplishing the employer's legitimate purposes as defined by subsection (a)(1) of this section; (3) The specific form of electronic monitoring is limited to the smallest number of workers, collection of the least amount of data which shall be collected no more frequently than is necessary to accomplish the purpose, and the data collected, shall be deleted once the purpose has been achieved; (4) The employer shall ensure that any employee data that is collected utilizing an electronic monitoring tool that is not necessary to accomplish the employer's 
intended, legitimate purpose shall not be disclosed to the employer and shall be promptly disposed of by the vendor; (5) The employer shall ensure that employee data is not collected when the employee is off-duty; and (6) The employer shall ensure that any employee data collected utilizing an electronic monitoring tool that is necessary to accomplish the employer's intended, legitimate purpose, is stored consistent with the state's data and cyber privacy laws, promptly disposed of as soon as the data is no longer needed, and is not utilized by the employer, the vendor or any other third party for any reason except, as provided in subsection (c) of this section. (c) Any employer that uses an electronic monitoring tool shall give prior written notice and shall obtain written acknowledgment from all candidates and employees subject to electronic monitoring and shall also post said notice in a conspicuous place which is readily available for viewing by candidates for employment and employees. 
Such notice shall include, at a minimum, the following: (1) A description of the purpose for which the electronic monitoring tool will be used, as specified in subsection (a)(1) of this section; (2) A description of the specific employee data to be collected, stored, secured, and disposed of (and the schedule therefor), and the activities, locations, communications, and job roles that will be electronically monitored by the tool; (3) A description of the dates, times, and frequency that electronic monitoring will occur; (4) Whether and how any employee data collected by the electronic monitoring tool will be used as an input in an automated decision system; (5) Whether and how any employee data collected by the electronic monitoring tool will alone or in conjunction with an automated decision system be used to make an employment decision by the employer or employment agency; (6) Whether and how any employee data collected by the electronic monitoring tool may be stored and utilized in discipline, in internal policy compliance, in administrative agency adjudications, in litigation (whether or not it involves the employee or not as a party); (7) Whether any employee data collected by the electronic monitoring tool will be used to assess employees' productivity performance or to set productivity standards, and if so, how; (8) A description of where any employee data collected by the electronic monitoring tool will be stored and the length of time it will be retained; (9) An explanation for how the specific electronic monitoring practice is the least invasive means available to accomplish the monitoring purpose; (10) That an employee is entitled to notice and maintains the right to refuse the sale, transfer, or disclosure of their employee data, subject to the provisions of subsection (g) of this section; and (11) A clear and reasonably understandable description of how an employee can exercise the rights described in this chapter.
(e) Notwithstanding the allowable purposes for electronic monitoring described in subsection (a) of this section, an employer shall not: (1) Use an electronic monitoring tool in such a manner that results in a violation of labor, employment, civil rights law or any other law of the state; (2) Use an electronic monitoring tool or data collected via an electronic monitoring tool in such a manner as to threaten the health, welfare, safety, or legal rights of employees or the general public; (3) Use an electronic monitoring tool to monitor employees who are off-duty or not performing work-related tasks; (4) Use an electronic monitoring tool in order to obtain information about an employee's health, including health status and health conditions, the race, color, religious creed, national origin, sex, gender identity, sexual orientation, genetic information, pregnancy or a condition related to said pregnancy including, but not limited to, lactation or the need to express breast milk for a nursing child, ancestry or status as a veteran or membership in any group protected from employment discrimination under title 28 or any other applicable law; (5) Use an electronic monitoring tool in order to identify, punish, or obtain information about employees engaging in activity protected under labor or employment law; (6) Conduct audio or visual monitoring of bathrooms or other similarly private areas, including locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, and areas designated to express breast milk, or areas designated for prayer or other religious activity, including data collection on the frequency of use of those private areas; (7) Conduct audio or visual monitoring of a workplace in an employee's residence, an employee's personal vehicle, or property owned or leased by an employee; (8) Use an electronic monitoring tool that incorporates facial recognition; (9) Use an electronic monitoring tool that incorporates gait, voice analysis, 
or emotion recognition technology;
(f) An employer shall not use employee data collected via an electronic monitoring tool for purposes other than those specified in the notice provided pursuant to subsection (c) of this section. (g) An employer shall not sell, transfer, or disclose employee data collected via an electronic monitoring tool to any other entity unless it is required to do so under federal law or the laws of the state, or necessary to do so to comply with an impact assessment of an automated decision system used pursuant to this section.
All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional shall be confidential and shall not be disclosed except as required pursuant to Section 44-22-100.
(A) A chatbot provider may not: (1) process personal data to inform a chatbot output unless processing personal data is necessary to fulfill an express request that is made by a user and the user provides affirmative consent;
(A) A chatbot provider may not: (2) process a user's chat log: (a) to determine whether to display an advertisement for a product or service to a user; (b) to determine a product or service or category of a product or service to advertise to a user; or (c) to customize an advertisement for presentation to a user;
(A) A chatbot provider may not: (3) process a user's chat log and personal data: (a) if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent; (b) for training purposes if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent; (c) for training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent; or (d) to engage in profiling beyond what is necessary to fulfill an express request;
(A) A chatbot provider may not: (4) profile a user based on any classification or designation of the user's personality or behavioral characteristic beyond what is necessary to fulfill an express request made by the user;
(A) A chatbot provider may not: (5) sell a user's chat logs; (6) retain a user's chat log for more than ten years, unless retention is necessary to comply with this chapter or otherwise required by law;
(A) A chatbot provider may not: (7) discriminate or retaliate against a user, including: (a) denying products or services to the user; (b) charging different prices or rates for products or services to the user; or (c) providing lower quality products or services to the user for refusing to consent to the use of chat logs or personal data for training purposes.
(B) A user has a right to access the user's own chat logs at any time. A chatbot provider shall provide a user's own chat log on request by the user and shall provide the chat log in a downloadable and easy to read format. A chatbot provider may not discriminate or retaliate against a user that requests the user's chat.
(E) A chatbot provider shall take the necessary physical, administrative, and technical measures to prevent deidentified data from being reidentified and to process, retain, and transfer deidentified data without any reasonable means of reidentification.
Provide to all individuals the right to opt out of the use of the automated decision system for employment decisions and a process by which individuals with disabilities may seek accommodations for the automated decision system;
An operator shall not train the underlying model of a companion chatbot with the inputs of a minor unless the minor's parent or guardian has affirmatively provided written consent to the operator to use the minor's personal information for that specific purpose.
C. A deployer shall collect and store only such information as does not conflict with a user's best interests. Such information shall be (i) adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the deployer; (ii) relevant, in the sense that the information has a relevant link to such legitimate purpose; and (iii) necessary, in the sense that it is the minimum amount of information that is needed for such legitimate purpose.
(b) Employee monitoring restricted. An employer shall not engage in electronic monitoring of an employee unless all of the following requirements are met: (1) the employer's purpose in utilizing the electronic monitoring is to: (A) assist or allow the employee to accomplish an essential job function; (B) monitor production processes or quality; (C) ensure compliance with applicable employment or labor laws; (D) protect the health, safety, or security of the employee, clients, or the public; (E) secure the employer's physical or digital property; (F) conduct periodic assessment of employee performance; or (G) track time worked or production output for purposes of determining the employee's compensation; (2) the specific form of electronic monitoring is necessary to accomplish the purpose identified pursuant to subdivision (1) of this subsection and is used exclusively to accomplish that purpose; (3) the specific form of electronic monitoring is the least invasive means, with respect to the employee, of accomplishing the purpose identified pursuant to subdivision (1) of this subsection; (4) the specific form of electronic monitoring is used with the smallest number of employees, collects the smallest amount of data necessary to accomplish the purpose identified pursuant to subdivision (1) of this subsection, and is collected not more frequently than necessary to accomplish that purpose; and (5) the employer ensures that only authorized persons have access to any data produced through the electronic monitoring and that the data is only used for the purpose and duration that the employee has been notified of pursuant to subsection (c) of this section.
(c) Required notice for employee monitoring. (1) At least 15 calendar days prior to commencing any form of electronic monitoring, an employer shall provide notice of the electronic monitoring to each employee who will be subject to it. The notice shall, at a minimum, include the following information: (A) the specific form of electronic monitoring; (B) a description of the intended purpose of the electronic monitoring and why the electronic monitoring is necessary to accomplish that purpose; (C) a description of how any data generated by the electronic monitoring will be used, including whether and how the data generated by the electronic monitoring will be used to inform employment-related decisions; (D) a description of the technologies that will be used to conduct the electronic monitoring; (E) a description of the specific activities, locations, communications, and job roles that will be electronically monitored; (F) the name of any person conducting electronic monitoring on the employer's behalf and any associated contract language related to the monitoring; (G) the name of any person, apart from the employer, who will have access to any data generated by the electronic monitoring and the reason why the person will have access to the data; (H) the positions within the employer that will have access to any data generated by the electronic monitoring; (I) when, where, and how frequently monitoring will occur; (J) the period of time for which any data generated by the electronic monitoring will be retained by the employer or another person and when that data will be destroyed; (K) notice of how an employee may access the data generated by the electronic monitoring and the process to correct any errors in the data; (L) a cover sheet that concisely summarizes the details contained in the notice; (M) notice of an employee's rights pursuant to this section and the judicial and administrative remedies available for redressing the wrongful use of electronic monitoring; and (N) instructions on how an employee can file a complaint against an employer for violations of this section. (2) If an employer uses electronic monitoring to track employee productivity or performance, the employer shall include the following information in the notice required by subdivision (1) of this subsection: (A) the performance or productivity standards by which employees will be assessed and how employees will be measured against those standards; (B) how performance or productivity data will be monitored and collected, including the identity of the employees subject to such monitoring and when, where, and how the monitoring and data collection will occur; and (C) any adverse consequences for failing to meet a performance or productivity standard and whether there is any bonus or incentive program associated with meeting or exceeding each standard. (3)(A) Notice of electronic monitoring provided pursuant to this section shall be written in plain, clear, and concise language and provided to each employee in the employee's primary language. (B) An employer shall provide a new, updated notice to employees if it makes any significant changes to the manner of electronic monitoring or to the way that the employer utilizes the electronic monitoring or any data generated by it.
(4) Notwithstanding subdivisions (1) and (2) of this subsection, prior notice of electronic monitoring shall not be required if: (A) the employer has reasonable grounds to believe that the employee is engaged in conduct that: (i) is illegal; (ii) violates the legal rights of the employer or another employee; or (iii) creates a hostile work environment; and (B) the electronic monitoring is reasonably likely to produce evidence of the conduct, is otherwise conducted in compliance with the provisions of this section, and is narrowly tailored to the purpose of identifying the conduct.
(5)(A) An employer that utilizes electronic monitoring shall annually provide each of its employees with a list of all electronic monitoring systems currently in use by the employer in relation to that employee. The list shall be provided in the primary language of the employee. (B) As used in this subdivision (5), "currently in use" means that the employer: (i) is currently using the system in relation to the employee; (ii) used the electronic monitoring system in relation to the employee within the past 90 days; or (iii) intends to use the electronic monitoring system in relation to the employee within the next 30 days.
(d) Prohibitions on employee monitoring. Notwithstanding the purposes for electronic monitoring set forth in subdivision (b)(1) of this section, electronic monitoring shall not be used: (1) in any manner that violates State or federal labor, employment, civil rights, or human rights laws; (2) in relation to employees who are off-duty and not performing work-related tasks, including employees on-call; (3) to identify, punish, or obtain information about employees exercising legal rights, including rights guaranteed by labor and employment laws; (4) for audio-visual monitoring of bathrooms, locker rooms, changing areas, breakrooms, smoking areas, areas designated for the expression of breast milk, employee cafeterias, lounges, or other similarly private areas; (5) to determine the frequency with which employees visit or use bathrooms, locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, or other similarly private areas; (6) for monitoring, including audio-visual monitoring, of any space within an employee's residence or personal vehicle, or a property owned or rented by the employee, unless the monitoring is necessary to ensure the employee's health and safety or to verify the security of employer or client data; (7) to obtain information about an employee's actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, pursuit or receipt of reproductive health care, sex, sexual orientation, gender identity or expression, marital status, family responsibilities, personal appearance, immigration status, political affiliation or association, neurodiversity, veteran status, or other classification protected under State or federal law; (8) to take adverse employment action against an employee on the basis of data collected via continuous incremental time-tracking tools; or (9) in a manner that harms health or safety or violates the legal rights of any employee.
(e) Restriction of employee monitoring through personal devices. (1) An employer shall not require an employee to install an application on a personal device for purposes of electronic monitoring or to wear a device or attach, embed, or physically implant a device on the employee's clothing that can be used for electronic monitoring, unless the electronic monitoring is: (A) necessary to accomplish the employee's essential job function; and (B) limited to only the times and activities necessary to accomplish the essential job functions. (2) Any location tracking function of an application or device shall be disabled outside of the times when the employee is engaged in activities necessary to accomplish essential job functions. (3) An employer shall not require an employee to physically implant a device on the employee's body for purposes of employee monitoring.
(j) Employee right to access and correct data. (1) Within seven days of receiving a request, an employer shall provide an employee with access to any data that relates to the employee that was produced or utilized by electronic monitoring or an automated decision system used by the employer. (2) Within seven days of receiving a request to correct potential errors identified by an employee, an employer shall: (A) correct the erroneous information or data and provide the employee with a notice that complies with subdivision (c)(3)(A) of this section, explaining the steps taken by the employer; or (B) provide the employee with a notice explaining that the employer has not corrected the information or data and describing the steps the employer has taken to verify the accuracy of the disputed information or data.
A chatbot provider shall not: (1) process personal data other than input data to inform chatbot outputs unless the processing of personal data is necessary to fulfill an express request made by a user and that user has provided affirmative consent;
A chatbot provider shall not: (2) process a user's chat log to: (A) determine whether to display an advertisement for a product or service to the user; (B) determine a product, service, or category of product or service to advertise to the user; or (C) customize an advertisement or how an advertisement is presented to the user;
A chatbot provider shall not: (3) process a user's chat log or personal data: (A) if the chatbot provider knows or should have known, based on knowledge fairly implied on the basis of objective circumstances, that the user is under 18 years of age without the affirmative consent of that user's parent or legal guardian; (B) for training purposes, if the chatbot provider knows or should have known, based on knowledge fairly implied on the basis of objective circumstances, that a user is under 18 years of age; (C) of a user over 18 years of age for training purposes, unless the chatbot provider first obtains affirmative consent; or (D) to engage in profiling beyond what is necessary to fulfill an express request from the user;
A chatbot provider shall not: (4) use any classification or designation of a user's personality or behavioral characteristics created through profiling beyond what is necessary to fulfill an express request made by the user;
(b) Right to access. A user has the right to access, in a portable and readily usable format and at any time, any of the user's own chat logs that a chatbot provider has retained. (1) Chat logs must be made available to users in a downloadable and human- and machine-readable format. (2) A chatbot provider shall not discriminate or retaliate against any user, including by denying products or services, charging different prices or rates for products or services, or providing lower-quality products or services to the user, for accessing their own chat logs.
(a) Prohibition. Subject to the limited exceptions provided in this section, no person shall: (1) collect or record an individual's neural data gathered from a brain-computer interface; or (2) share with a third party an individual's neural data gathered from a brain-computer interface. (b) Consent to collect. A person shall not collect or record an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written notice explaining how the person will use the individual's neural data; and (2) thereafter receives written informed consent from the individual to collect or record the individual's neural data.
(c) Consent to share. A person shall not share with a third party an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written request for the individual's neural data to be shared with a third party and for what purposes, including the name and address of the third party; and (2) thereafter receives written informed consent from the individual to share the individual's neural data with the third party.
(d) Revocation of consent. (1) An individual who has provided written informed consent allowing a person to collect, record, or share the individual's neural data pursuant to this section has the right to revoke consent at any time thereafter by providing written notice to the person initially receiving the consent. This revocation of consent notice shall be as easy or easier for the individual to provide as compared to the requirements for initially providing consent. (2) A person who receives written notice from an individual revoking consent pursuant to subdivision (1) of this subsection shall: (A) destroy all records of the individual's neural data not later than 10 days after receiving the notice; and (B) in the case of the revocation of consent to share an individual's neural data, immediately: (i) cease sharing an individual's neural data with all third parties upon receipt of the notice; and (ii) inform all third parties with whom the person has shared the individual's neural data that the individual has revoked consent.
(a)(1) Except as provided in subdivision (2) of this subsection, a supplier of a mental health chatbot shall not sell to or share with any third party any: (A) individually identifiable health information of a Vermont user; or (B) user input of a Vermont user. (2) The prohibition set forth in subdivision (1) of this subsection shall not apply to individually identifiable health information that is: (A) requested by a health care provider with the consent of the Vermont user; (B) provided to a health plan of a Vermont user upon request of the Vermont user; or (C) shared in compliance with subsection (b) of this section. (b)(1) A supplier may share individually identifiable health information necessary to ensure the effective functionality of the mental health chatbot with another person with whom the supplier has a contract related to such functionality. (2) When sharing information pursuant to subdivision (1) of this subsection, the supplier and the other person shall comply with all applicable privacy and security provisions of 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, as if the supplier were a covered entity and the other person were a business associate, as those terms are defined in 45 C.F.R. § 160.103.
To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall: (1) Provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data; (2) Obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that: (A) Clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service; (B) Specifies the categories of individuals within the entity that have access to test results; and (C) Specifies how the entity may share the genetic data;
(4) If the entity engages in any of the following, obtain a consumer's: (A) Separate express consent for: (i) The transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent; (ii) The use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or (iii) The entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer; (B) Informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for: (i) Research purposes; or (ii) Research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and (C) Express consent for: (i) Marketing to a consumer based on the consumer's genetic data; (ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or (iii) Sale or other valuable consideration of the consumer's genetic data.
(6) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and (A) Provide a process for a consumer to: (i) Access the consumer's genetic data; (ii) Delete the consumer's genetic data; (iii) Revoke any consent provided by the consumer; and (iv) Request and obtain the destruction of the consumer's biological sample.
(7) Genetic data and biometric samples of West Virginia residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic data or biometric data of West Virginia residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) The disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
