(1) The requirements imposed on controllers and processors under this part may not restrict a controller’s or processor’s ability to collect, use, or retain data to do any of the following:(a) Conduct internal research to develop, improve, or repair products, services, or technology.
(b) Effect a product recall.
(c) Identify and repair technical errors that impair existing or intended functionality.
(d) Perform internal operations that are:1. Reasonably aligned with the expectations of the consumer;
2. Reasonably anticipated based on the consumer’s existing relationship with the controller; or
3. Otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(2) A requirement imposed on a controller or processor under this part does not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under the laws of this state.
