Read the full stored bill text
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~ G1/2
26/HR43/R1119
PAGE 1 (ELS\KP)
To: Judiciary A
MISSISSIPPI LEGISLATURE REGULAR SESSION 2026
By: Representative Ford (73rd)
HOUSE BILL NO. 1051
AN ACT TO CREATE THE MISSISSIPPI CONSUMER PRIVACY PROTECTION 1
ACT; TO DEFINE TERMS; TO PROVIDE THAT THIS ACT APPLIES TO CERTAIN 2
PERSONS CONDUCTING BUSINESS WITHIN THE STATE THAT EXCEEDS 3
TWENTY-FIVE MILLION DOLLARS IN REVENUE; TO EXEMPT CERTAIN PERSONS 4
AND CERTAIN DATA FROM THIS ACT; TO GRANT CONSUMERS THE RIGHT TO 5
REQUEST A CONTROLLER OF THE CONSUMER'S PERSONAL INFORMATION TO 6
GRANT ACCESS TO, CORRECT INACCURACIES IN, DELETE OR OPT OUT OF THE 7
PROCESSING OF SUCH PERSONAL INFORMATION; TO PROVIDE THAT A 8
CONSUMER MAY INVOKE THE CONSUMER RIGHTS GRANTED UNDER THIS ACT AT 9
ANY TIME BY SUBMITTING A REQUEST TO A CONTROLLER OF PERSONAL 10
INFORMATION; TO REQUIRE A CONTROLLER TO RESPOND TO A CONSUMER 11
WITHIN AT LEAST FORTY-FIVE DAYS; TO REQUIRE A CONTROLLER TO 12
ESTABLISH AN APPEAL PROCESS FOR A CONSUMER TO APPEAL THE 13
CONTROLLER'S REFUSAL TO TAKE ACTION AS REQUESTED BY THE CONSUMER; 14
TO REQUIRE A CONTROLLER TO ADOPT AND IMPLEMENT REASONABLE 15
ADMINISTRATIVE, TECHNICAL AND PHYSICAL DATA SECURITY PRACTICES TO 16
PROTECT THE CONFIDENTIALITY, INTEGRITY AND ACCESSIBILITY OF 17
PERSONAL INFORMATION; TO REQUIRE THE CONTROLLER TO PROVIDE 18
CONSUMERS WITH A REASONABLY ACCESSIBLE, CLEAR AND MEANINGFUL 19
PRIVACY NOTICE, WHICH SHALL INCLUDE THE METHODS BY WHICH A 20
CONSUMER CAN REQUEST TO EXERCISE THE RIGHTS GRANTED UNDER THIS 21
ACT; TO REQUIRE A CONTROLLER WHO SELLS A CONSUMER'S PERSONAL 22
INFORMATION TO THIRD PARTIES OR ENGAGES IN TARGETED ADVERTISING TO 23
PROVIDE CLEAR AND CONSPICUOUS DISCLOSURE OF SUCH ACTIVITY TO A 24
CONSUMER; TO REQUIRE PROCESSORS OF PERSONAL INFORMATION TO ASSIST 25
CONTROLLERS IN THE DUTIES IMPOSED UNDER THIS ACT; TO REQUIRE 26
CONTROLLERS TO CONDUCT AND DOCUMENT A DATA PROTECTION ASSESSMENT 27
OF CERTAIN PROCESSING ACTIVITIES INVOLVING PERSONAL INFORMATION; 28
TO REQUIRE A CONTROLLER IN POSSESSION OF DE-IDENTIFIED DATA TO 29
TAKE REASONABLE MEASURES TO ENSURE THE DATA CANNOT BE ASSOCIATED 30
WITH A NATURAL PERSON; TO PROVIDE THAT NOTHING IN THIS ACT 31
RESTRICTS A CONTROLLER OR PROCESSOR'S ABILITY TO COMPLY WITH OTHER 32
LAWS, INVESTIGATIONS OR LAW ENFORCEMENT REQUESTS, TO DEFEND LEGAL 33
CLAIMS, TO PROVIDE CERTAIN PRODUCTS OR SERVICES SPECIFICALLY 34
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 2 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
REQUESTED BY THE CONSUMER, TO PERFORM UNDER A VALID CONTRACT, TO 35
RESPOND TO SECURITY INCIDENTS, OR TO ENGAGE IN SCIENTIFIC OR 36
STATISTICAL RESEARCH; TO PROVIDE THAT NOTHING IN THIS ACT 37
RESTRICTS A CONTROLLER OR PROCESSOR'S ABILITY TO USE DATA TO 38
CONDUCT RESEARCH, EFFECTUATE A PRODUCT RECALL, RESPOND TO 39
TECHNICAL ERRORS, OR PERFORM CERTAIN INTERNAL OPERATIONS; TO 40
PROVIDE THAT THE ATTORNEY GENERAL SHALL HAVE THE EXCLUSIVE 41
AUTHORITY TO ENFORCE THIS ACT; TO AUTHORIZE THE ATTORNEY GENERAL 42
TO INVESTIGATE POTENTIAL VIOLATIONS OF THIS ACT AND ISSUE CIVIL 43
INVESTIGATIVE DEMANDS; TO PROVIDE CERTAIN RELIEF AND CIVIL 44
PENALTIES FOR VIOLATIONS OF THIS ACT; TO AMEND SECTION 45-38-9, 45
MISSISSIPPI CODE OF 1972, TO PROVIDE THAT THE REQUIREMENTS OF THE 46
WALKER MONTGOMERY PROTECTING CHILDREN ONLINE ACT SHALL CONTROL IN 47
THE CASE OF A CONFLICT WITH THIS ACT; TO BRING FORWARD SECTION 48
11-77-5, MISSISSIPPI CODE OF 1972, FOR THE PURPOSE OF POSSIBLE 49
AMENDMENT; AND FOR RELATED PURPOSES. 50
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI: 51
SECTION 1. This act shall be known and may be cited as the 52
"Mississippi Consumer Privacy Protection Act". 53
SECTION 2. As used in this act, the following terms have the 54
meanings as defined in this section, unless the context clearly 55
indicates otherwise: 56
(a) "Affiliate" means a legal entity that controls, is 57
controlled by or is under common control with another legal entity 58
or shares common branding with another legal entity. For purposes 59
of this paragraph (a), the term "control" or "controlled" means: 60
(i) Ownership of, or the power to vote, more than 61
fifty percent (50%) of the outstanding shares of a class of voting 62
security of an entity; 63
(ii) Control in any manner over the election of a 64
majority of the directors or of individuals exercising similar 65
functions relative to an entity; or 66
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 3 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(iii) The power to exercise controlling influence 67
over the management of an entity. 68
(b) "Authenticate" means using reasonable means to 69
verify that a consumer who is entitled to exercise the rights 70
provided in Section 4 of this act is the same consumer who is 71
requesting to exercise such consumer rights with respect to the 72
personal information at issue. 73
(c) "Biometric data" means data generated by automatic 74
measurement of an individual's biological characteristics, such as 75
fingerprints, voiceprints, eye retinas or irises, or other unique 76
biological patterns or characteristics that are used to identify a 77
specific individual. This term does not include: 78
(i) A physical or digital photograph, video 79
recording or audio recording or data generated from a photograph, 80
video recording or audio recording; 81
(ii) Information captured and converted to a 82
mathematical representation, including a numeric string or similar 83
configuration, that cannot be used to recreate data generated by 84
automatic measurement of an individual's biological patterns or 85
characteristics used to identify the specific individual; or 86
(iii) Information collected, used or stored for 87
health care treatment, payment or operations under HIPAA. 88
(d) "Consent" means a clear affirmative act signifying 89
a consumer's freely given, specific, informed and unambiguous 90
agreement to process personal information relating to the 91
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 4 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
consumer. This term includes, but is not limited to, a written 92
statement, including a statement written by electronic means, or 93
an unambiguous affirmative action. 94
(e) "Consumer" means an individual who is a resident of 95
this state acting only in a personal context. This term does not 96
include an individual acting in a commercial or employment 97
context. 98
(f) "Controller" means the person that, alone or 99
jointly with others, determines the purpose and means of 100
processing personal information. 101
(g) "Decisions that produce legal or similarly 102
significant effects concerning the consumer" means decisions made 103
by the controller that result in the provision or denial by the 104
controller of financial or lending services, housing, insurance, 105
education enrollment or opportunity, criminal justice, employment 106
opportunities, health care services or access to basic 107
necessities, such as food and water. 108
(h) "De-identified data" means data that cannot 109
reasonably be linked to an identified or identifiable individual 110
or to any device linked to such individual. 111
(i) "Health record" means written, printed or 112
electronically recorded material that: 113
(i) In the course of providing health care 114
services to an individual was created or is maintained by a health 115
care facility; and 116
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 5 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(ii) Concerns the individual and the health care 117
services provided. 118
This term includes the substance of a communication made by 119
an individual to a health care facility in confidence during or in 120
connection with the provision of health care services or 121
information otherwise acquired by the health care facility about 122
an individual in confidence and in connection with the provision 123
of health care services to the individual. 124
(j) "HIPAA" means the Health Insurance Portability and 125
Accountability Act of 1996 (42 USC Section 1320d et seq.), the 126
Health Information Technology for Economic and Clinical Health Act 127
(Public Law 111-5), any subsequent amendments thereto and any 128
regulations promulgated thereunder, including, but not limited to, 129
45 CFR Parts 160 and 164. 130
(k) "Identified or identifiable individual" means a 131
natural person who can be readily identified, whether directly or 132
indirectly. 133
(l) "Known child" means an individual who the 134
controller has actual knowledge is under thirteen (13) years of 135
age. 136
(m) "NIST" means the National Institute of Standards 137
and Technology privacy framework entitled "A Tool for Improving 138
Privacy through Enterprise Risk Management Version 1.0" or any 139
subsequent version thereof. 140
(n) "Person" means any individual or entity. 141
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 6 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(o) "Personal information" means information that is 142
linked or reasonably linkable to an identified or identifiable 143
individual. This term does not include information that: 144
(i) Is lawfully made available through federal, 145
state or local government records, or information that a 146
controller or processor has a reasonable basis to believe is 147
lawfully made available to the general public through widely 148
distributed media, by the consumer, or by a person to which the 149
consumer has disclosed the information, unless the consumer has 150
restricted the information to a specific audience; 151
(ii) Does not identify an individual and with 152
respect to which there is no reasonable basis to believe that the 153
information can be used alone or in combination with other 154
information to identify an individual; or 155
(iii) Is de-identified using a method no less 156
secure than methods authorized under HIPAA. 157
(p) "Precise geolocation data" means information 158
derived from technology, including, but not limited to, global 159
positioning system level latitude and longitude coordinates or 160
other mechanisms, that directly identifies the specific location 161
of a natural person with precision and accuracy within a radius of 162
one thousand seven hundred fifty (1,750) feet. This term does not 163
include the content of communications or data generated by or 164
connected to advanced utility metering infrastructure systems or 165
equipment for use by a utility. 166
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 7 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(q) "Process" or "processing" means an operation or set 167
of operations performed, whether by manual or automated means, on 168
personal information or on sets of personal information, such as 169
the collection, use, storage, disclosure, analysis, deletion or 170
modification of personal information. 171
(r) "Processor" means a person that processes personal 172
information on behalf of a controller. 173
(s) "Profiling" means a form of automated processing 174
performed on personal information solely to evaluate, analyze or 175
predict personal aspects related to an identified or identifiable 176
individual's economic situation, health, personal preferences, 177
interests, reliability, behavior, location or movements. 178
(t) "Pseudonymous data" means personal information that 179
cannot be attributed to a specific individual without the use of 180
additional information, provided that the additional information 181
is kept separately and is subject to appropriate technical and 182
organizational measures to ensure that the personal information is 183
not attributed to an identified or identifiable individual. 184
(u) "Sale of personal information" means the exchange 185
of personal information for monetary or other valuable 186
consideration by the controller to a third party. This term does 187
not include: 188
(i) The disclosure of personal information to a 189
processor that processes the personal information on behalf of the 190
controller; 191
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 8 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(ii) The disclosure of personal information to a 192
third party for purposes of providing a product or service 193
requested by the consumer; 194
(iii) The disclosure or transfer of personal 195
information to an affiliate of the controller; 196
(iv) The disclosure of information that the 197
consumer: 198
1. Intentionally made available to the 199
general public via a channel of mass media; and 200
2. Did not restrict to a specific audience; 201
or 202
(v) The disclosure or transfer of personal 203
information to a third party as an asset that is part of a merger, 204
acquisition, bankruptcy or other transaction in which the third 205
party assumes control of all or part of the controller's assets. 206
(v) "Sensitive data" means a category of personal 207
information that includes: 208
(i) Personal information revealing an individual's 209
racial or ethnic origin, religious belief, mental or physical 210
health diagnosis, sexual orientation, or citizenship or 211
immigration status; 212
(ii) The processing of genetic data or biometric 213
data for the purpose of uniquely identifying an individual; 214
(iii) The personal information collected from a 215
known child; or 216
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 9 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(iv) Precise geolocation data. 217
(w) "Targeted advertising" means displaying to a 218
consumer an advertisement that is selected based on personal 219
information obtained from such consumer's activities over time and 220
across nonaffiliated websites or online applications to predict 221
the consumer's preferences or interests. This term does not 222
include: 223
(i) Advertisements based on activities within a 224
controller's own websites or online applications; 225
(ii) Advertisements based on the context of a 226
consumer's current search query, visit to a website, or online 227
application; 228
(iii) Advertisements directed to a consumer in 229
response to the consumer's request for information or feedback; or 230
(iv) Personal information processed solely for 231
measuring or reporting advertising performance, reach or 232
frequency. 233
(x) "Third party" means a person other than the 234
consumer, controller, processor or an affiliate of the controller 235
or processor. 236
SECTION 3. (1) This act applies to a person that conducts 237
business in this state by producing products or services targeted 238
to consumers of this state that exceeds Twenty-five Million 239
Dollars ($25,000,000.00) in revenue and that: 240
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 10 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(a) Controls or processes personal information of at 241
least twenty-five thousand (25,000) consumers and derives more 242
than fifty percent (50%) of gross revenue from the sale of 243
personal information; or 244
(b) During a calendar year, controls or processes 245
personal information of at least one hundred seventy-five thousand 246
(175,000) consumers. 247
(2) This act does not apply to: 248
(a) A financial institution or an affiliate of a 249
financial institution or data that is subject to Title V of the 250
Gramm-Leach-Bliley Act (15 USC Section 6801 et seq.); 251
(b) A person licensed in this state under Title 83, 252
Mississippi Code of 1972, to transact the business of insurance; 253
(c) A covered entity or business associate subject to 254
HIPAA; 255
(d) An air carrier regulated by the United States 256
Secretary of Transportation under 49 USC Section 41712 and exempt 257
from state regulations under 49 USC Section 41713(b)(1); 258
(e) A nonprofit organization exempt from taxation under 259
the Internal Revenue Code, codified in 26 USC Section 501 et seq.; 260
(f) Any agency or department of this state; 261
(g) Any county, municipality or other political 262
subdivision of this state; 263
(h) Any public or private college or university in this 264
state that does not engage in the sale of personal information; 265
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 11 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(i) A public utility operating in this state under 266
Title 77, Mississippi Code of 1972, that does not engage in the 267
sale of personal information; 268
(j) Health records; 269
(k) Personally identifying information of a victim 270
under Section 93-21-125; 271
(l) Mandatory reporters under Sections 43-21-353, 272
43-47-7, 43-47-37, 97-3-54.1, 97-5-51 or 97-29-49; or 273
(m) Data or personal information that is: 274
(i) Protected health information under HIPAA; 275
(ii) Health care related information that is 276
de-identified in accordance with HIPAA; 277
(iii) Considered patient identifying information 278
for purposes of 42 USC Section 290dd-2; 279
(iv) Private data kept or maintained by medical 280
cannabis establishments under Section 41-137-49; 281
(v) Processed for purposes of: 282
1. Research conducted in accordance with the 283
protection of human subjects under 45 CFR Part 46; 284
2. Human subjects research conducted in 285
accordance with good clinical practice guidelines issued by the 286
International Council for Harmonization of Technical Requirements 287
for Pharmaceuticals for Human Use; or 288
3. Research conducted in accordance with the 289
protection of human subjects under 21 CFR Parts 50 and 56; 290
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 12 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(vi) Created for purposes of the Health Care 291
Quality Improvement Act of 1986 (42 USC Section 11101 et seq.); 292
(vii) Considered patient safety work product for 293
purposes of the Patient Safety and Quality Improvement Act (42 USC 294
Section 299b-21 et seq.); 295
(viii) Included in a limited data set as described 296
in 45 CFR Section 164.514(e), to the extent that the information 297
is used, disclosed and maintained in the manner specified in 45 298
CFR Section 164.514(e); 299
(ix) Originated from, and intermingled to be 300
indistinguishable with, or information treated in the same manner 301
as, information exempt under this subsection (2) that is 302
maintained by a covered entity or business associate subject to 303
HIPAA or a qualified service organization as defined by 42 USC 304
Section 290dd-2; 305
(x) Used only for public health activities and 306
purposes as authorized by HIPAA; 307
(xi) Collected, maintained, disclosed, sold, 308
communicated or used by a consumer reporting agency or furnisher 309
that provides information regarding a consumer's creditworthiness, 310
credit standing, credit capacity, character, general reputation, 311
personal characteristics or mode of living for use in a consumer 312
report, and by a user of a consumer report, but only to the extent 313
that such activity is regulated by and authorized under the Fair 314
Credit Reporting Act (15 USC Section 1681 et seq.); 315
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 13 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(xii) Collected, processed or disclosed in 316
compliance with the Driver's Privacy Protection Act of 1994 (18 317
USC Section 2721 et seq.); 318
(xiii) Regulated by the Family Educational Rights 319
and Privacy Act (FERPA) (20 USC Section 1232g et seq.); 320
(xiv) Collected, processed or disclosed in 321
compliance with the Farm Credit Act (12 USC Section 2001 et seq.); 322
or 323
(xv) Maintained or used for purposes of compliance 324
with the regulation of listed chemicals under the Controlled 325
Substances Act (21 USC Section 830); 326
(xvi) Collected or processed in the course of an 327
individual applying to, being employed by, or acting as an agent 328
or independent contractor of a controller, processor or third 329
party, to the extent that the data is collected and used within 330
the context of that role; 331
(xvii) Collected or processed for use as the 332
emergency contact information of an individual employed by or 333
acting as an agent or independent contractor of a controller, 334
processor or third party for use as emergency contact purposes 335
with the consent of such individual; or 336
(xviii) Necessary to retain to administer benefits 337
provided to an individual employed by or acting as an agent or 338
independent contractor of a controller, processor or third party. 339
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 14 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(3) Controllers and processors that comply with the 340
verifiable parental consent requirements of the Children's Online 341
Privacy Protection Act (15 USC Section 6501 et seq.) shall be 342
deemed compliant with an obligation to obtain parental consent 343
under this act. 344
(4) Nothing in this act shall be construed to: 345
(a) Conflict with the specific requirements for the 346
management of health records; 347
(b) Require a controller, processor, third party or 348
consumer to disclose trade secrets; or 349
(c) Modify the obligations imposed on digital service 350
providers under Section 45-38-9. 351
SECTION 4. (1) (a) A consumer may invoke the consumer 352
rights provided in paragraph (b) of this subsection at any time by 353
submitting a request to a controller through a method provided by 354
the controller pursuant to subsection (8) of this section. The 355
consumer must specify the rights the consumer seeks to exercise in 356
the request. The parent or legal guardian of a known child may 357
exercise the consumer rights provided in paragraph (b) of this 358
subsection on behalf of the known child regarding personal 359
information belonging to the known child. 360
(b) A controller must comply with an authenticated 361
consumer request to exercise the right to: 362
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 15 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(i) Confirm whether a controller is processing the 363
consumer's personal information and, if so, to access such 364
personal information; 365
(ii) Correct inaccuracies in the consumer's 366
personal information, taking into account the nature of the 367
personal information and the purposes of the processing of the 368
personal information; 369
(iii) Delete personal information provided by or 370
obtained regarding the consumer; however: 371
1. A controller is not required to delete 372
information maintained or used as aggregate or de-identified data, 373
provided that such data in the possession of the controller is not 374
linked to a specific consumer; and 375
2. A controller that obtained personal 376
information regarding a consumer from a source other than the 377
consumer is in compliance with a consumer's request to delete such 378
personal information if the controller retains a record of the 379
deletion request and the minimum information necessary to ensure 380
that the consumer's personal information remains deleted from the 381
controller's records and does not use the retained personal 382
information for any purpose prohibited under this act; 383
(iv) Obtain a copy of the consumer's personal 384
information that the consumer previously provided to the 385
controller in a portable and, to the extent technically feasible, 386
readily usable format that allows the consumer to transmit such 387
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 16 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
personal information to another controller without undue delay or 388
difficulty, where the processing is carried out by automated 389
means; or 390
(v) Opt out of the processing of the consumer's 391
personal information by the controller for purposes of: 392
1. Engaging in the sale of personal 393
information regarding the consumer; 394
2. Targeted advertising; or 395
3. Profiling to inform decisions that produce 396
legal or similarly significant effects concerning the consumer. 397
(2) Except as otherwise provided in this act, a controller 398
must comply with an authenticated request by a consumer to 399
exercise the rights provided in subsection (1) of this section as 400
follows: 401
(a) A controller shall respond to the consumer without 402
undue delay, but in all cases within forty-five (45) days of 403
receipt of a request submitted pursuant to subsection (1) of this 404
section. The response period may be extended once by forty-five 405
(45) additional days when reasonably necessary, considering the 406
complexity and number of the consumer's requests, if the 407
controller informs the consumer of the extension within the 408
initial forty-five (45) day response period and provides the 409
reason for the extension; 410
(b) If a controller declines to take action regarding 411
the consumer's request, the controller shall inform the consumer 412
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 17 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
without undue delay, but in all cases within forty-five (45) days 413
of receipt of the request, of the justification for declining to 414
take action and instructions for how to appeal the decision 415
pursuant to subsection (3) of this section; 416
(c) Information provided in response to a consumer 417
request shall be provided by a controller without charge to the 418
consumer, up to twice annually per consumer. If requests from a 419
consumer are manifestly unfounded, technically infeasible, 420
excessive or repetitive, the controller may charge the consumer a 421
reasonable fee to cover the administrative costs of complying with 422
the request or decline to act on the request. The controller 423
bears the burden of demonstrating the manifestly unfounded, 424
technically infeasible, excessive or repetitive nature of the 425
request; and 426
(d) If a controller is unable to authenticate the 427
request using commercially reasonable efforts, the controller is 428
not required to comply the request and may require the consumer to 429
provide additional information reasonably necessary to 430
authenticate the request before taking action. 431
(3) A controller shall establish a process for a consumer to 432
appeal a controller's refusal to comply with a request, which 433
shall be initiated by the consumer within a reasonable amount of 434
time after receiving notice of such refusal. The appeal process 435
shall be: 436
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 18 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(a) Made available to the consumer in a conspicuous 437
manner; 438
(b) Available at no cost to the consumer; and 439
(c) Similar to the process for submitting requests to 440
initiate action pursuant to subsection (1) of this section. 441
Within sixty (60) days of receipt of notice of an appeal, a 442
controller shall inform the consumer in writing of the 443
controller's decision to grant or deny the appeal and of any 444
action taken or not taken in response to the appeal, including a 445
written explanation of the reasons for the decision. If the 446
appeal is denied, the controller must also provide the consumer 447
with an online method, if available, or other reasonably 448
convenient method through which the consumer may contact the 449
Attorney General to submit a complaint. 450
SECTION 5. (1) A controller shall limit the collection of 451
personal information to what is adequate, relevant and reasonably 452
necessary for the purposes for which the data is processed, as 453
disclosed to the consumer. Except as provided in Section 9 of 454
this act, a controller may not process personal information for 455
purposes that are beyond what is adequate, relevant and reasonably 456
necessary for the purposes for which the personal information is 457
processed, as disclosed to the consumer, unless the controller 458
obtains the consumer's consent. 459
(2) A controller shall create, maintain and comply with a 460
written privacy program, as described in Section 11 of this act, 461
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 19 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
consisting of administrative, technical and physical data security 462
practices to protect the confidentiality, integrity and 463
accessibility of personal information. The data security 464
practices shall be appropriate to the volume and nature of the 465
personal information at issue. 466
(3) A controller may not discriminate against a consumer for 467
exercising his or her rights as provided in Section 4 of this act, 468
including, but not limited to, by denying goods or services to the 469
consumer, charging higher prices or rates for goods or services to 470
the consumer, or providing a lower level of quality of goods or 471
services to the consumer. However, this subsection (3) does not 472
require a controller to provide a product or service that requires 473
the personal information of a consumer that the controller does 474
not collect or maintain, or prohibit a controller from offering a 475
different price, rate, level, quality or selection of goods or 476
services to a consumer, including offering goods or services for 477
no fee, if the consumer has exercised the right to opt out 478
pursuant to Section 4 of this act or if the offer is related to a 479
consumer's voluntary participation in a bona fide loyalty, 480
rewards, premium features, discounts or club card program. 481
(4) A controller may not process sensitive data collected 482
from a consumer for a nonexempt purpose without obtaining the 483
consumer's consent, or, in the case of the processing of sensitive 484
data concerning a known child, without processing the data in 485
accordance with the Children's Online Privacy Protection Act (15 486
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 20 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
USC Section 6501 et seq.) and its implementing regulations and 487
with Section 45-38-9 if the controller is a digital service 488
provider subject to the Walker Montgomery Protecting Children 489
Online Act. 490
(5) (a) A provision of a contract or agreement that waives 491
or limits a consumer's rights as provided in Section 4 of this act 492
is contrary to public policy and void as to that provision. 493
(b) This subsection (5) applies only to contracts 494
entered into, amended or renewed on or after July 1, 2026. 495
(c) Nothing in this act shall prevent a consumer from 496
declining to request information from a controller, declining to 497
opt out of a controller's sale of the consumer's personal 498
information, or authorizing a controller to sell the consumer's 499
personal information after previously opting out. 500
(6) A controller shall provide a reasonably accessible, 501
clear and meaningful privacy notice to consumers that includes: 502
(a) The categories of personal information processed by 503
the controller; 504
(b) The purpose for processing personal information; 505
(c) How consumers may exercise their consumer rights 506
under Section 4 of this act, including how a consumer may appeal a 507
controller's decision with regard to the consumer's request; 508
(d) The categories of personal information that the 509
controller sells to third parties, if any; and 510
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 21 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(e) The categories of third parties, if any, with whom 511
the controller engages in the sale of personal information. 512
(7) If a controller engages in the sale of personal 513
information to third parties or processes personal information for 514
targeted advertising, the controller must clearly and 515
conspicuously disclose the processing, as well as the manner in 516
which a consumer may exercise the right to opt out of the 517
processing. 518
(8) (a) A controller must provide, and must describe in the 519
privacy notice required under subsection (6) of this section, one 520
or more secure and reliable methods for a consumer to submit a 521
request to exercise the consumer's rights as provided in Section 4 522
of this act. Such methods must account for: 523
(i) The ways in which a consumer normally 524
interacts with the controller; 525
(ii) The need for secure and reliable 526
communication of such requests; and 527
(iii) The controller's ability to authenticate the 528
identity of the consumer making the request through a particular 529
method. 530
(b) A controller may not require a consumer to create a 531
new account in order to exercise the consumer's rights as provided 532
in Section 4 of this act, but may require a consumer to use his or 533
her existing account. 534
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 22 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
SECTION 6. (1) A processor must adhere to the instructions 535
of a controller and assist the controller in meeting the 536
controller's obligations under this act, including, but not 537
limited to: 538
(a) Taking into account the nature of processing and 539
the information available to the processor, by appropriate 540
technical and organizational measures, insofar as reasonably 541
practicable, to fulfill the controller's obligation to respond to 542
consumer requests pursuant to Section 4 of this act; and 543
(b) By providing necessary information to enable the 544
controller to conduct and document data protection assessments 545
pursuant to Section 7 of this act. 546
(2) A contract between a controller and a processor shall 547
govern the processor's data processing procedures with respect to 548
processing performed on behalf of the controller. The contract 549
shall be binding and shall clearly state the instructions for 550
processing data, the nature and purpose of processing, the type of 551
data subject to processing, the duration of processing, and the 552
rights and obligations of both parties. The contract shall also 553
require the processor to: 554
(a) Ensure that each person processing personal 555
information is subject to a duty of confidentiality with respect 556
to the data; 557
(b) At the controller's direction, delete or return all 558
personal information to the controller as requested at the end of 559
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 23 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
the provision of services, unless retention of the personal 560
information is required by law; 561
(c) Upon the reasonable request of the controller, make 562
available to the controller all information in its possession 563
necessary to demonstrate the processor's compliance with the 564
obligations under this act; 565
(d) Either: 566
(i) Allow, and cooperate with, reasonable 567
assessments by the controller or the controller's designated 568
assessor; or 569
(ii) Arrange for a qualified and independent 570
assessor to conduct an assessment of the processor's policies and 571
technical and organizational measures using an appropriate and 572
accepted control standard or framework and assessment procedure 573
for the assessments, and provide a report of each assessment to 574
the controller upon request; and 575
(e) Engage a subcontractor pursuant to a written 576
contract in that requires the subcontractor to meet the 577
obligations of the processor with respect to the personal 578
information. 579
(3) Nothing in this section shall relieve a controller or a 580
processor from the liabilities imposed by virtue of the controller 581
or processor's role in the processing relationship as described in 582
subsection (2) of this section. 583
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 24 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(4) Determining whether a person is acting as a controller 584
or processor with respect to a specific processing of data is a 585
fact-based determination that depends upon the context in which 586
personal information is processed. A processor that continues to 587
adhere to a controller's instructions with respect to a specific 588
processing of personal information remains a processor. 589
SECTION 7. (1) For processing activities created or 590
generated on or after July 1, 2026, a controller must conduct and 591
document a data protection assessment of the following processing 592
activities involving personal information: 593
(a) The processing of personal information for targeted 594
advertising; 595
(b) The sale of personal information; 596
(c) The processing of personal information for 597
profiling if the profiling presents a reasonably foreseeable risk 598
of: 599
(i) Unfair or deceptive treatment of, or unlawful 600
disparate impact on, consumers; 601
(ii) Financial, physical or reputational injury to 602
consumers; 603
(iii) A physical or other intrusion upon the 604
solitude or seclusion, or the private affairs or concerns, of 605
consumers if the intrusion would be offensive to a reasonable 606
person; or 607
(iv) Other substantial injury to consumers; 608
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 25 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(d) The processing of sensitive data; and 609
(e) Processing activities involving personal 610
information that present a heightened risk of harm to consumers. 611
(2) Data protection assessments conducted pursuant to 612
subsection (1) of this section must identify and weigh the 613
benefits that may flow, directly and indirectly, to the 614
controller, consumer, other stakeholders and/or the public as a 615
result of the processing against the potential risks to the rights 616
of the consumer associated with the processing, as mitigated by 617
the safeguards employed by the controller to reduce such risks. 618
The use of de-identified data and the reasonable expectations of 619
consumers, as well as the context of the processing and the 620
relationship between the controller and the consumer whose 621
personal information will be processed, shall be factored into 622
this assessment by the controller. 623
(3) Data protection assessments are confidential and are not 624
subject to public inspection under the Mississippi Public Records 625
Act of 1983 (Section 25-61-1 et seq.). 626
(4) A single data protection assessment may address a 627
comparable set of processing operations that include similar 628
activities. 629
SECTION 8. (1) A controller in possession of de-identified 630
data shall take reasonable measures to ensure that the data cannot 631
be associated with a natural person and shall maintain any 632
de-identified data in its de-identified form. 633
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 26 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(2) Nothing in this act shall require a controller or 634
processor to: 635
(a) Reidentify de-identified data or pseudonymous data; 636
or 637
(b) Maintain data in identifiable form, or collect, 638
obtain, retain or access data or technology, in order to be 639
capable of associating an authenticated consumer request with 640
personal information. 641
(3) Nothing in this act shall require a controller to comply 642
with an authenticated consumer request, pursuant to Section 4 of 643
this act, if: 644
(i) The controller is not reasonably capable of 645
associating the request with the personal information, or it would 646
be unreasonably burdensome for the controller to associate the 647
request with the personal information; 648
(ii) The controller does not use the personal 649
information to recognize or respond to the specific consumer who 650
is the subject of the personal information, or associate the 651
personal information with other personal information about the 652
same specific consumer; and 653
(iii) The controller does not engage in the sale 654
of personal information to a third party or otherwise voluntarily 655
disclose the personal information to a third party other than a 656
processor, except as otherwise permitted in this act. 657
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 27 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(4) The consumer rights provided in Section 4 of this act do 658
not apply to pseudonymous data in cases where the controller is 659
able to demonstrate that the information necessary to identify the 660
consumer is kept separately and is subject to effective technical 661
and organizational controls that prevent the controller from 662
accessing that information. 663
(5) A controller that discloses pseudonymous data or 664
de-identified data shall exercise reasonable oversight to monitor 665
compliance with contractual commitments to which the pseudonymous 666
data or de-identified data is subject and shall take appropriate 667
steps to address breaches of those contractual commitments. 668
SECTION 9. (1) Nothing in this act shall restrict a 669
controller or processor's ability to: 670
(a) Comply with federal, state or local laws, rules or 671
regulations; 672
(b) Comply with a civil, criminal or regulatory 673
inquiry, investigation, subpoena or summons by federal, state, 674
local or other governmental authorities; 675
(c) Cooperate with law enforcement agencies concerning 676
conduct or activity that the controller or processor reasonably 677
and in good faith believes may violate federal, state or local 678
laws, rules or regulations; 679
(d) Investigate, establish, exercise, prepare for or 680
defend legal claims; 681
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 28 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(e) Provide a product or service specifically requested 682
by a consumer or the parent or legal guardian of a known child, 683
perform a contract to which the consumer or the parent or legal 684
guardian of a known child is a party, including fulfilling the 685
terms of a written warranty, or take steps at the request of the 686
consumer or the parent or legal guardian of a known child before 687
entering into a contract; 688
(f) Take immediate steps to protect an interest that is 689
essential for the life or physical safety of the consumer or of 690
another natural person; 691
(g) Prevent, detect, protect against or respond to 692
security incidents, identity theft, fraud, harassment, malicious 693
or deceptive activity, or illegal activity; 694
(h) Preserve the integrity or security of systems; 695
(i) Investigate, report or prosecute those responsible 696
for security incidents or illegal activity; 697
(j) Engage in public or peer-reviewed scientific or 698
statistical research in the public interest that adheres to all 699
other applicable ethics and privacy laws and is approved, 700
monitored and governed by an institutional review board or similar 701
independent oversight entity that determines whether: 702
(i) Deletion of the information is likely to 703
provide substantial benefits that do not exclusively accrue to the 704
controller; 705
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 29 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(ii) The expected benefits of the research 706
outweigh the privacy risks; and 707
(iii) The controller has implemented reasonable 708
safeguards to mitigate privacy risks associated with the research, 709
including risks associated with re-identification; or 710
(k) Assist another controller, processor or third party 711
with the obligations under this act. 712
(2) The obligations imposed on controllers or processors 713
under this act shall not restrict a controller or processor's 714
ability to collect, use or retain data to: 715
(a) Conduct internal research to develop, improve or 716
repair products, services or technology; 717
(b) Effectuate a product recall; 718
(c) Identify and repair technical errors that impair 719
existing or intended functionality; 720
(d) Authenticate an individual for the purpose of 721
allowing access to a secure location or facility; or 722
(e) Perform internal operations that are reasonably 723
aligned with the expectations of the consumer or reasonably 724
anticipated based on the consumer's existing relationship with the 725
controller or are otherwise compatible with processing data to 726
provide a product or service specifically requested by a consumer 727
or to perform under a contract to which the consumer is a party. 728
(3) The obligations imposed on controllers or processors 729
under this act shall not apply if compliance would violate an 730
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 30 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
evidentiary privilege under the laws of this state. Nothing in 731
this act shall prevent a controller or processor from providing 732
personal information concerning a consumer to a person covered by 733
an evidentiary privilege under the laws of this state as part of a 734
privileged communication. 735
(4) (a) A controller or processor that discloses personal 736
information to a third-party controller or processor, in 737
compliance with the requirements of this act, shall not be in 738
violation of this act if the third-party controller or processor 739
that receives and processes the personal information is in 740
violation of this act, provided that, at the time of disclosing 741
the personal information, the disclosing controller or processor 742
did not have actual knowledge that the recipient intended to 743
commit a violation. 744
(b) A third-party controller or processor receiving 745
personal information from a controller or processor in compliance 746
with the requirements of this act is not in violation of this act 747
for the violations of the controller or processor from which it 748
receives such personal information, provided that, at the time of 749
receiving the personal information, the receiving third-party 750
controller or processor did not have actual knowledge of the 751
violation committed by the controller or processor from which the 752
information was received. 753
(5) Nothing in this act shall be construed as an obligation 754
imposed on a controller or a processor that adversely affects the 755
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 31 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
rights or freedoms of a person pursuant to the First Amendment to 756
the United States Constitution, or that applies to the processing 757
of personal information by a person in the course of a purely 758
personal activity. 759
(6) A controller may not process personal information for 760
purposes other than those expressly listed in this act or 761
otherwise allowed by this act. Personal information processed by 762
a controller pursuant to this section may be processed to the 763
extent that the processing is: 764
(a) Reasonably necessary and proportionate to the 765
purposes listed in this act; and 766
(b) Adequate, relevant and limited to what is necessary 767
in relation to the specific purposes listed in this act. 768
(7) Personal information shall be subject to reasonable 769
administrative, technical and physical measures to protect the 770
confidentiality, integrity and accessibility of the personal 771
information and to reduce reasonably foreseeable risks of harm to 772
consumers relating to the collection, use or retention of personal 773
information. 774
SECTION 10. (1) (a) The Attorney General has the exclusive 775
authority to enforce this act. If the Attorney General has 776
reasonable cause to believe that a person has engaged in, is 777
engaging in, or is about to engage in a violation of this act, the 778
Attorney General may issue a civil investigative demand, conduct a 779
civil investigation and/or bring civil action. 780
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 32 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(b) The Attorney General may request, pursuant to a 781
civil investigative demand, that a controller disclose a data 782
protection assessment conducted under Section 7 of this act that 783
is relevant to an investigation conducted by the Attorney General, 784
and the controller shall make the data protection assessment 785
available to the Attorney General. The Attorney General shall 786
evaluate the data protection assessment for compliance with the 787
responsibilities set forth in this act. The disclosure of a data 788
protection assessment pursuant to a request from the Attorney 789
General shall not constitute a waiver of attorney-client privilege 790
or work-product protection with respect to the assessment and 791
information contained in the assessment. 792
(2) Before initiating an action under this section, the 793
Attorney General shall provide a controller or processor with 794
sixty (60) days' written notice identifying the specific 795
provisions of this act that the Attorney General alleges have been 796
or are being violated. If, within the sixty-day period, the 797
controller or processor cures the noticed violation and provides 798
the Attorney General with an express written statement that the 799
alleged violations have been cured and that no such further 800
violations shall occur, the Attorney General shall not initiate an 801
action against the controller or processor; however, if a 802
controller or processor continues to violate this act following 803
the sixty-day period provided or breaches an express written 804
statement provided to the Attorney General, the Attorney General 805
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 33 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
may bring an action in a court of competent jurisdiction seeking 806
any of the following relief: 807
(a) Declaratory judgment; 808
(b) Injunctive relief, including preliminary and 809
permanent injunctions; 810
(c) Civil penalties of up to Seven Thousand Five 811
Hundred Dollars ($7,500.00) for each violation of this act; 812
(d) Reasonable attorney's fees and investigative costs; 813
or 814
(e) Other relief the court determines appropriate. 815
(3) Nothing in this act shall be construed as providing the 816
basis for, or be subject to, a private right of action for 817
violations of this act or under any other law. 818
SECTION 11. (1) A controller or processor shall have an 819
affirmative defense to a cause of action for a violation of this 820
act if the controller or processor creates, maintains and complies 821
with a written privacy program that: 822
(a) Reasonably conforms to the NIST or comparable 823
privacy framework designed to safeguard consumer privacy; 824
(b) Is updated to reasonably conform with a subsequent 825
revision to the NIST or comparable privacy framework within two 826
(2) years of the publication date stated in the most recent 827
revision to the NIST or comparable privacy framework; and 828
(c) Provides a person with the substantive rights 829
required by this act. 830
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 34 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(2) The scale and scope of a controller or processor's 831
privacy program under subsection (1) of this section shall account 832
for the following factors: 833
(a) The size and complexity of the controller or 834
processor's business; 835
(b) The nature and scope of the activities of the 836
controller or processor; 837
(c) The sensitivity of the personal information 838
processed; 839
(d) The cost and availability of tools to improve 840
privacy protections and data governance; and 841
(e) Compliance with a comparable state or federal law, 842
if applicable. 843
SECTION 12. Section 45-38-9, Mississippi Code of 1972, is 844
amended as follows: 845
45-38-9. (1) A digital service provider that enters into an 846
agreement with a known minor for access to a digital service 847
shall: 848
(a) Limit collection of the known minor's personal 849
identifying information to information reasonably necessary to 850
provide the digital service; and 851
(b) Limit use of the known minor's personal identifying 852
information to the purpose for which the information was 853
collected. 854
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 35 (ELS\KP)
ST: Mississippi Consumer Privacy Protection
Act; create.
(2) A digital service provider that enters into an agreement 855
with a known minor for access to a digital service may not: 856
(a) Use the digital service to collect the known 857
minor's precise geolocation data; 858
(b) Use the digital service to display targeted 859
advertising involving harmful material to the known minor; or 860
(c) Share, disclose or sell the known minor's personal 861
identifying information unless required to: 862
(i) Comply with a civil, criminal or regulatory 863
inquiry, investigation, subpoena or summons by a governmental 864
entity; 865
(ii) Comply with a law enforcement investigation; 866
(iii) Detect, block or prevent the distribution of 867
unlawful, obscene or other harmful material to a known minor; 868
(iv) Block or filter spam; 869
(v) Prevent criminal activity; or 870
(vi) Protect the security of a digital service. 871
(3) In the case of a conflict between this section and 872
Sections 4 through 9 of this act, this section shall control. 873
SECTION 13. Section 11-77-5, Mississippi Code of 1972, is 874
brought forward as follows: 875
11-77-5. (1) Any commercial entity that knowingly and 876
intentionally publishes or distributes material harmful to minors 877
on the internet from a website that contains a substantial portion 878
of such material shall be held liable if the entity fails to 879
H. B. No. 1051 *HR43/R1119* ~ OFFICIAL ~
26/HR43/R1119
PAGE 36 (ELS\KP)
perform reasonable age verification methods to verify the age of 880
individuals attempting to access the material. 881
(2) Any commercial entity or third party that performs the 882
required age verification shall not retain any identifying 883
information of the individual after access has been granted to the 884
material. 885
(3) (a) Any commercial entity that is found to have 886
violated this section shall be liable to an individual for damages 887
resulting from a minor's accessing the material, including court 888
costs and reasonable attorney fees as ordered by the court. 889
(b) A commercial entity that is found to have knowingly 890
retained identifying information of the individual after access 891
has been granted to the individual shall be liable to the 892
individual for damages resulting from retaining the identifying 893
information, including court costs and reasonable attorney fees as 894
ordered by the court. 895
SECTION 14. This act shall take effect and be in force from 896
and after July 1, 2026. 897