SECOND REGULAR SESSION

HOUSE BILL NO. 1329

97TH GENERAL ASSEMBLY

INTRODUCED BY REPRESENTATIVE BARNES.

5088H.01I                                                                                                                                                  D. ADAM CRUMBLISS, Chief Clerk

AN ACT

To amend chapter 407, RSMo, by adding thereto one new section relating to transfer of personally identifiable consumer information, with penalty provisions.

Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 407, RSMo, is amended by adding thereto one new section, to be known as section 407.1510, to read as follows:

            407.1510. 1. As used in this section, the following terms mean:

            (1) “Consumer”, an individual who is a resident of this state;

            (2) “Data broker”, any legal or commercial entity that collects, assembles, or maintains personally identifiable information about a consumer for the sale, transmission, or provision of access to any third party, whether that collection, assembly, or maintenance is performed by the data broker directly, by contract, or subcontract with any other entity;

            (3) “Personally identifiable information”, any information that identifies, relates to, describes, or is capable of being associated with a consumer, including, but not limited to, the following:

            (a) Any persistent identifier;

            (b) Driver’s license number, social security number, or other unique identification number created or collected by a government body;

            (c) Education or employment history;

            (d) Financial account number, credit card number, debit card number, or any other financial information;

            (e) First and last name, initials, or some combination thereof;

            (f) Insurance policy number;

            (g) Mailing address, email address, or telephone number; and

            (h) Physical characteristics or description.

            2. No person or entity shall disclose, provide, or otherwise make available the purchasing history of any individual consumer in combination with personally identifiable information of that consumer to a data broker without first obtaining written consent from the consumer to disclose such information. Obtaining such consent shall not be a condition for any transaction between a consumer and a person or entity.

            3. Consent obtained for the purposes of this section shall be valid indefinitely but may be revoked by the consenting consumer in accordance with subsection 5 of this section.

            4. Any person or entity seeking to disclose, provide, or otherwise make available personally identifiable information to a data broker shall maintain instructions for a consumer on how to revoke consent under the privacy policy section on the person or entity’s website.

            5. Any consumer whose privacy is breached by a violation of this section shall have a cause of action against the person or entity which disclosed the information and the data broker that received the information. Damages of such action shall include:

            (a) The greater of actual damages or statutory damages of one thousand dollars per plaintiff; and

            (b) Costs of maintaining the action, including reasonable attorneys’ fees.

In addition, punitive damages may be awarded.

            6. Violation of this section shall be a class A misdemeanor. The attorney general shall have original jurisdiction to enforce the provisions of this section.

•