reasonable members of that group.
Section 4. Data deletion requirements.
(a) General rule.--Within 120 days of the effective date of
this section, a manufacturer or third party, in connection with
data collection for a product or service, and all others in
active concert or participation with a manufacturer or third
party, directly or through a corporation, subsidiary, division,
website or other device or affiliate, shall destroy data
collected on a consumer's smart device prior to the effective
date of this section, except:
(1) if the data collected was requested by a government
agency or required by law, regulation or court order,
including without limitation as required by rules applicable
to the safeguarding of evidence in pending litigation; or
(2) if the user of the smart device associated with the
data collected has affirmatively consented to the collection,
use or disclosure thereof as provided under section 3(b).
(b) Consumer request.--Following the effective date of this
section, a manufacturer or third party, in connection with data
collection for a product or service, and all others in active
concert or participation with a manufacturer or third party,
directly or through a corporation, subsidiary, division, website
or other device or affiliate, shall destroy data within seven
days of the consumer requesting that the data be deleted.
Section 5. Mandated privacy program.
(a) General rule.--A manufacturer or third party, directly
or through a corporation, subsidiary, division, website or other
device or affiliate, shall establish and implement and maintain
a comprehensive privacy program that is reasonably designed to:
(1) Address privacy risks related to the development and
20200HB2632PN4043 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30