(1) This part applies only to a person who:
(a) Conducts business in this state or produces a product or service used by residents of this state; and
(b) Processes or engages in the sale of personal data.
(2) This part does not apply to any of the following:
(a) A state agency or a political subdivision of the state.
(b) A financial institution or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
(c) A covered entity or business associate governed by the privacy, security, and breach notification regulations issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII and Division B, Title IV, Pub. L. No. 111-5.
(d) A nonprofit organization.
(e) A postsecondary education institution.
(f) The processing of personal data:
1. By a person in the course of a purely personal or household activity.
2. Solely for measuring or reporting advertising performance, reach, or frequency.
(3) A controller or processor that complies with the authenticated parental consent requirements of the Children’s Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with respect to data collected online, is considered to be in compliance with any requirement to obtain parental consent under this part.