(1) This part may not be construed to restrict a controller’s or processor’s ability to do any of the following:(a) Comply with federal or state laws, rules, or regulations.
(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
(c) Investigate, establish, exercise, prepare for, or defend legal claims.
(d) Provide a product or service specifically requested by a consumer or the parent or guardian of a child; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer before entering into a contract.
(e) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis.
(f) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.
(g) Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security.
(h) Engage in public or peer-reviewed scientific or statistical research in the public interest which adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines:1. Whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
2. Whether the expected benefits of the research outweigh the privacy risks; and
3. Whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
(i) Assist another controller, processor, or third party in complying with the requirements of this part.
(j) Disclose personal data disclosed when a consumer uses or directs the controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(k) Transfer personal data to a third party as an asset that is part of a merger, an acquisition, a bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that the information is used or shared in a manner consistent with this part. If a third party materially alters how it uses or shares the personal data of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it must provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this part.