The controller of a legal entity that conducts business in the state may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the children's online privacy protection act requirements. Sensitive data is defined to include genetic or biometric data for the purpose of uniquely identifying a person. The law does not apply to various types of information and entities such as protected health information under HIPAA and identifiable private information according to federal policy for the protection of human subjects. Died. Bill Status: Died