<?xml version="1.0"?>
<!-- Prolog of a U.S. Senate bill document. The two lines below point at
     resources outside this file (a stylesheet and a DTD), both given as
     relative references that a processor resolves against the location the
     document was loaded from. -->
<!-- Stylesheet hint: a processor that honors this instruction fetches and
     applies "billres.xsl" from beside the document. A pipeline that
     transforms bills from locations it does not control should apply its own
     vetted stylesheet instead of the one the document names. -->
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!-- External DTD subset: the system identifier "bill.dtd" is relative, so a
     parser that loads DTDs retrieves it from wherever this file was obtained.
     When ingesting copies from untrusted sources, parse with external DTD and
     external entity loading disabled, or map the public identifier to a
     vetted local copy through an XML catalog, and cap entity expansion. -->
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" public-private="public">
	<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>113 S2378 IS: Commercial Privacy Bill of Rights Act of 2014</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2014-05-21</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
		<distribution-code display="yes">II</distribution-code>
		<congress>113th CONGRESS</congress>
		<session>2d Session</session>
		<legis-num>S. 2378</legis-num>
		<current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber>
		<action>
			<action-date date="20140521">May 21, 2014</action-date>
			<action-desc><sponsor name-id="S306">Mr. Menendez</sponsor> introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSCM00">Committee on Commerce, Science, and Transportation</committee-name></action-desc>
		</action>
		<legis-type>A BILL</legis-type>
		<official-title>To establish a regulatory framework for the comprehensive protection of personal data for
			 individuals under the aegis of the Federal Trade Commission, to amend the
			 Children's Online Privacy Protection Act of 1998 to improve provisions
			 relating to collection, use, and disclosure of personal information of
			 children, and for other
			 purposes.</official-title>
	</form>
	<legis-body id="ID96DDA9590D1E49318C09BB6171DF7FE8" style="OLC">
		<section id="ID08AE9AD04BEF4694AFB2FCDD32E5F7A2" section-type="section-one">
			<enum>1.</enum>
			<header>Table of
			 contents</header><text display-inline="no-display-inline">The table of contents for this Act is as follows:</text><toc><toc-entry idref="ID08AE9AD04BEF4694AFB2FCDD32E5F7A2" level="section">Sec. 1. Table of contents.</toc-entry>
				<toc-entry idref="idF70C052044D445BCA56CCA9C5059D85C" level="title">TITLE I—Commercial privacy</toc-entry>
				<toc-entry idref="ID1CBE799910FD4334B0BBFC318C672A95" level="section">Sec. 101. Short title.</toc-entry>
				<toc-entry idref="id2C8D1ACA33704A10B25A7038D648ADB5" level="section">Sec. 102. Findings.</toc-entry>
				<toc-entry idref="IDDC7640A1B70B48E49F7869BF33FC4144" level="section">Sec. 103. Definitions.</toc-entry>
				<toc-entry idref="IDB46BEDB6A323470392A46C0B59D19D0D" level="subtitle">Subtitle A—Right to security and accountability</toc-entry>
				<toc-entry idref="ID4CA46AD4F32144588E586685256010E1" level="section">Sec. 111. Security.</toc-entry>
				<toc-entry idref="ID9A265885F4F441E5A9BC71CB5E6D617E" level="section">Sec. 112. Accountability.</toc-entry>
				<toc-entry idref="id97DDB8DF897749B3B63484D6108CC741" level="section">Sec. 113. Privacy by design.</toc-entry>
				<toc-entry idref="ID825DDA0E130B4886A879AD488CFA0B1A" level="subtitle">Subtitle B—Right to notice and individual participation</toc-entry>
				<toc-entry idref="IDA181E5162B2F4EC2AE67BC9BF9F86AD2" level="section">Sec. 121. Transparent notice of practices and purposes.</toc-entry>
				<toc-entry idref="ID637E5D16C8B14E9880943F341077075F" level="section">Sec. 122. Individual participation.</toc-entry>
				<toc-entry idref="ID717DCBA4EDEC49FCB66D8829E3C996F7" level="subtitle">Subtitle C—Rights relating to data minimization, constraints on distribution, and data integrity</toc-entry>
				<toc-entry idref="idF795DB6B50244DC5A08619E2FACEDE64" level="section">Sec. 131. Data minimization.</toc-entry>
				<toc-entry idref="ID3E9F4EBB04E44525912351CF7D0E25F0" level="section">Sec. 132. Constraints on distribution of information.</toc-entry>
				<toc-entry idref="ID0A5C0D8973EB4C0B80D5538494BC8D2D" level="section">Sec. 133. Data integrity.</toc-entry>
				<toc-entry idref="idb7c98a1d9e6a49d1bd9f579a938d074c" level="subtitle">Subtitle D—Right to notice of breaches of security</toc-entry>
				<toc-entry idref="idd7e5bc196743448d86eb07bad6a47575" level="section">Sec. 141. Definitions.</toc-entry>
				<toc-entry idref="idE475F1D364AB4433A74BD9DFF7DFD82B" level="section">Sec. 142. Notice to individuals.</toc-entry>
				<toc-entry idref="id57e4b856395e430787f0b54df0e0bea5" level="section">Sec. 143. Notice to law enforcement.</toc-entry>
				<toc-entry idref="IDB55C089BDF6B4CA2BA22D13C1581D668" level="subtitle">Subtitle E—Enforcement</toc-entry>
				<toc-entry idref="ID1D14C2EED2E144B9BE84CC259257D950" level="section">Sec. 151. General application.</toc-entry>
				<toc-entry idref="ID4E7960C9B01F45788D6AD21C175529CC" level="section">Sec. 152. Enforcement by the Federal Trade Commission.</toc-entry>
				<toc-entry idref="idcd5daf6c6ffe47ff9c49875dedc1e400" level="section">Sec. 153. Enforcement by Attorney General.</toc-entry>
				<toc-entry idref="IDB9D3FF75855C4C6999C5881071D2FD6E" level="section">Sec. 154. Enforcement by States.</toc-entry>
				<toc-entry idref="ID981AD43AE0394BDEB8D21B253FAA49EA" level="section">Sec. 155. Civil penalties.</toc-entry>
				<toc-entry idref="ID85D25D4A4E0C47DB9BE3407B43191594" level="section">Sec. 156. Effect on other laws.</toc-entry>
				<toc-entry idref="ID8089E0D9CD894FFDAE004119801BADBB" level="section">Sec. 157. No private right of action.</toc-entry>
				<toc-entry idref="ID1DAB2E3D98B747799A58621C13AC0425" level="subtitle">Subtitle F—Co-Regulatory safe harbor programs</toc-entry>
				<toc-entry idref="ID0B24BA96848841EF8BDA9B996129645C" level="section">Sec. 161. Establishment of safe harbor programs.</toc-entry>
				<toc-entry idref="ID23e53dc29c964d5d92130ea1075d5e8f" level="section">Sec. 162. Participation in safe harbor program.</toc-entry>
				<toc-entry idref="ID8C8750AA42DD466AA0960D135ACD04B7" level="subtitle">Subtitle G—Application with other Federal laws</toc-entry>
				<toc-entry idref="ID2D1058163FFC4DFFAAD3C3A95F03B438" level="section">Sec. 171. Application with other Federal laws.</toc-entry>
				<toc-entry idref="IDBDC35D4271CB4F0CB2A6B6FD7D95040D" level="subtitle">Subtitle H—Development of commercial data privacy policy in the Department of Commerce</toc-entry>
				<toc-entry idref="IDBF6BD70197A14643AC74A9E8118D1263" level="section">Sec. 181. Direction to develop commercial data privacy policy.</toc-entry>
				<toc-entry idref="idDA2043CD304B49888EA95A74E5653363" level="title">TITLE II—Online privacy of children</toc-entry>
				<toc-entry idref="idF5D7AE32864F4EEAB2CA023710B1FBD3" level="section">Sec. 201. Short title.</toc-entry>
				<toc-entry idref="H104C45DA34BF4C6E814DE9472C8DB054" level="section">Sec. 202. Findings.</toc-entry>
				<toc-entry idref="HBF1DE7F91FF845D29614D0F31E5B8C30" level="section">Sec. 203. Definitions.</toc-entry>
				<toc-entry idref="HB5783DE0D15D4F45A75E667B53B1D854" level="section">Sec. 204. Online collection, use, and disclosure of personal information of children.</toc-entry>
				<toc-entry idref="HEB629AF6865C433F8F12BC733A14B4E3" level="section">Sec. 205. Targeted marketing to children or minors.</toc-entry>
				<toc-entry idref="H9F96ECE430CD469FA7DBDD9CA988AB01" level="section">Sec. 206. Digital Marketing Bill of Rights for Teens and Fair Information Practices Principles.</toc-entry>
				<toc-entry idref="H1BE8E20F77794A08BFD08CE1550CC9E7" level="section">Sec. 207. Online collection of geolocation information of children and minors.</toc-entry>
				<toc-entry idref="HA254422E8AC844A1AC27F6B50D2BD19E" level="section">Sec. 208. Removal of content.</toc-entry>
				<toc-entry idref="HA1F8E5D54ED34F2AB64F918D3E25E634" level="section">Sec. 209. Enforcement and applicability.</toc-entry>
				<toc-entry idref="H8FAFE8BFF6FE4597B25793E713C38A85" level="section">Sec. 210. Rule for treatment of users of websites, services, and applications directed to children
			 or minors.</toc-entry>
				<toc-entry idref="HB32584A7D6654F9090236730AD0AFBC7" level="section">Sec. 211. Effective dates.</toc-entry>
			</toc>
		</section><title id="idF70C052044D445BCA56CCA9C5059D85C" style="OLC"><enum>I</enum><header>Commercial privacy</header><section id="ID1CBE799910FD4334B0BBFC318C672A95">
				<enum>101.</enum>
				<header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Commercial Privacy Bill of Rights Act of 2014</short-title></quote>.</text></section><section id="id2C8D1ACA33704A10B25A7038D648ADB5"><enum>102.</enum><header>Findings</header>
				<text display-inline="no-display-inline">The Congress finds the following:</text>
				<paragraph id="ID8476717062244A1EB722809900B19E11">
					<enum>(1)</enum>
					<text>Personal privacy
			 is worthy of protection through appropriate legislation.</text>
				</paragraph><paragraph id="ID679855E86C074CF0BE9C7E68952C9BDD">
					<enum>(2)</enum>
					<text>Trust in the
			 treatment of personally identifiable information collected on and off the
			 Internet is essential for businesses to succeed.</text>
				</paragraph><paragraph id="IDE9E27E61683A462596B4D229362D6376">
					<enum>(3)</enum>
					<text>Persons
			 interacting with others engaged in interstate commerce have a significant
			 interest in their personal information, as well as a right to control how
			 that
			 information is collected, used, stored, or transferred.</text>
				</paragraph><paragraph id="IDFD9823A17FD440369BFBAB638EFC827E">
					<enum>(4)</enum>
					<text>Persons engaged
			 in interstate commerce and collecting personally identifiable information
			 on
			 individuals have a responsibility to treat that information with respect
			 and in
			 accordance with common standards.</text>
				</paragraph><paragraph id="IDEB36E8D9AE534109BBC5619D539E49CA">
					<enum>(5)</enum>
					<text>On the day before
			 the date of the enactment of this Act, the laws of the Federal Government
			 and
			 State and local governments provided inadequate privacy protection for
			 individuals engaging in and interacting with persons engaged in interstate
			 commerce.</text>
				</paragraph><paragraph id="ID223971B146CC4C1DAC10D1FA1DF4A335">
					<enum>(6)</enum>
					<text>As of the day
			 before the date of the enactment of this Act, with the exception of
			 Federal
			 Trade Commission enforcement of laws against unfair and deceptive
			 practices,
			 the Federal Government has eschewed general commercial privacy laws in
			 favor of
			 industry self-regulation, which has led to several self-policing schemes,
			 some
			 of which are enforceable, and some of which provide insufficient privacy
			 protection to individuals.</text>
				</paragraph><paragraph id="ID01BAFCE1D7E64A8CB047993492385213">
					<enum>(7)</enum>
					<text>As of the day
			 before the date of the enactment of this Act, many collectors of
			 personally
			 identifiable information have yet to provide baseline fair information
			 practice
			 protections for individuals.</text>
				</paragraph><paragraph id="ID49BE6B7698FF4DAFAF4EFEF45970E9E8">
					<enum>(8)</enum>
					<text>The ease of
			 gathering and compiling personal information on the Internet and off, both
			 overtly and surreptitiously, is becoming increasingly efficient and
			 effortless
			 due to advances in technology which have provided information gatherers
			 the
			 ability to compile seamlessly highly detailed personal histories of
			 individuals.</text>
				</paragraph><paragraph id="ID3EC8A02E434A4B0A8570FD7BA33D97B2">
					<enum>(9)</enum>
					<text>Personal
			 information requires greater privacy protection than is available on the
			 day
			 before the date of the enactment of this Act. Vast amounts of personal
			 information, including sensitive information, about individuals are
			 collected
			 on and off the Internet, often combined and sold or otherwise transferred
			 to
			 third parties, for purposes unknown to an individual to whom the
			 personally
			 identifiable information pertains.</text>
				</paragraph><paragraph id="IDF58079F0607F44818A0E072EA1C12763">
					<enum>(10)</enum>
					<text>Toward the close
			 of the 20th century, as individuals' personal information was increasingly
			 collected, profiled, and shared for commercial purposes, and as technology
			 advanced to facilitate these practices, Congress enacted numerous statutes
			 to
			 protect privacy.</text>
				</paragraph><paragraph id="ID8EC5497B45784CF9A1A9609808783BA1">
					<enum>(11)</enum>
					<text>Those statutes
			 apply to the government, telephones, cable television, e-mail, video tape
			 rentals, and the Internet (but only with respect to children and law
			 enforcement requests).</text>
				</paragraph><paragraph id="ID2361EE73444B4333BC2874B8E5DB9A75">
					<enum>(12)</enum>
					<text>As in those
			 instances, the Federal Government has a substantial interest in creating a
			 level playing field of protection across all collectors of personally
			 identifiable information, both in the United States and abroad.</text>
				</paragraph><paragraph id="ID4205096CC2DC474EB4518C83B9E807FC">
					<enum>(13)</enum>
					<text>Enhancing
			 individual privacy protection in a balanced way that establishes clear,
			 consistent rules, both domestically and internationally, will stimulate
			 commerce by instilling greater consumer confidence at home and greater
			 confidence abroad as more and more entities digitize personally
			 identifiable
			 information, whether collected, stored, or used online or offline.</text>
				</paragraph></section><section id="IDDC7640A1B70B48E49F7869BF33FC4144">
				<enum>103.</enum>
				<header>Definitions</header>
				<subsection id="id71FD548E7F0045B1B2A69E4DF207A2D3"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Subject to subsection (b), in this title:</text>
					<paragraph id="idFDC54BF284F54CD6815A1B4D0CF8A97D">
						<enum>(1)</enum>
						<header>Commission</header>
						<text>The
			 term <term>Commission</term> means the Federal Trade Commission.</text>
					</paragraph><paragraph id="ID4E141E123723457890000AD2F44CE929">
						<enum>(2)</enum>
						<header>Covered
			 entity</header>
						<text>The term <term>covered entity</term> means any person to
			 whom this title applies under section 151.</text>
					</paragraph><paragraph id="IDFEF32194B3B246689A3CAA16C45E73C7">
						<enum>(3)</enum>
						<header>Covered
			 information</header>
						<subparagraph id="id3A8B8DC6C1AD4D64A6D9EF29102BFBE4">
							<enum>(A)</enum>
							<header>In
			 general</header>
							<text>Except as provided in subparagraph (B), the term
			 <term>covered information</term> means only the following:</text>
							<clause id="IDE28A22F58BE44BE8BFAB6762A941AF9E">
								<enum>(i)</enum>
								<text>Personally
			 identifiable information.</text>
							</clause><clause id="ID6EF63EF54A944862A8ED091527DB7177">
								<enum>(ii)</enum>
								<text>Unique
			 identifier information.</text>
							</clause><clause id="ID8883671AFC574A47A5323E87519FCBAA">
								<enum>(iii)</enum>
								<text>Any information
			 that is collected, used, or stored in connection with personally
			 identifiable
			 information or unique identifier information in a manner that may
			 reasonably be
			 used by the party collecting the information to identify a specific
			 individual.</text>
							</clause></subparagraph><subparagraph id="IDd4ee5baa740e4dc69585f76eed532081">
							<enum>(B)</enum>
							<header>Exception</header>
							<text>The
			 term <term>covered information</term> does not include the following:</text>
							<clause id="idC84202A07F0346D698B82D91C15AAFB4">
								<enum>(i)</enum>
								<text>Personally
			 identifiable information obtained from public records that is not merged
			 with
			 covered information gathered elsewhere.</text>
							</clause><clause id="id4FD9577ED1DA44F4B7F46CFF83C1C812">
								<enum>(ii)</enum>
								<text>Personally
			 identifiable information that is obtained from a forum—</text>
								<subclause id="idA91F7B4998044A5B91FE5AF20CFE098B">
									<enum>(I)</enum>
									<text>where the
			 individual voluntarily shared the information or authorized the
			 information to
			 be shared; and</text>
								</subclause><subclause id="id7B6C968B5B214459880B6CD742F1B781">
									<enum>(II)</enum>
									<text>that—</text>
									<item id="id2055AACF22A24FCB88E26737D3203E16">
										<enum>(aa)</enum>
										<text>is
			 widely and publicly available and was not made publicly available in bad
			 faith; and</text>
									</item><item id="idA5A5E5E6001446B1B876CE858676AC8B">
										<enum>(bb)</enum>
										<text>contains no
			 restrictions on who can access and view such information.</text>
									</item></subclause></clause><clause id="id4668805DBAD445DE9599B922AB9E9397">
								<enum>(iii)</enum>
								<text>Personally
			 identifiable information reported in public media.</text>
							</clause><clause id="id86729812AC2B4E5BA656D01D862CAE71">
								<enum>(iv)</enum>
								<text>Personally
			 identifiable information dedicated to contacting an individual at the
			 individual's place of work.</text>
							</clause></subparagraph></paragraph><paragraph id="id441679F34F314900866786F6B1A80986">
						<enum>(4)</enum>
						<header>Established
			 business relationship</header>
						<text>The term <term>established business
			 relationship</term> means, with respect to a covered entity and a person, a
			 relationship formed with or without the exchange of consideration,
			 involving
			 the establishment of an account by the person with the covered entity for
			 the
			 receipt of products or services offered by the covered entity.</text>
					</paragraph><paragraph id="ID9B5731CF71514CA4B20CC16B08DA50CD">
						<enum>(5)</enum>
						<header>Personally
			 identifiable information</header>
						<text>The term <term>personally identifiable
			 information</term> means only the following:</text>
						<subparagraph id="ID5F116DE8AEBA4F04B8010D976CA61358">
							<enum>(A)</enum>
							<text>Any of the
			 following information about an individual:</text>
							<clause id="ID5866ACEEDDC348F1B4684EEC8F57BDDB">
								<enum>(i)</enum>
								<text>The
			 first name (or initial) and last name of an individual, whether given at
			 birth
			 or time of adoption, or resulting from a lawful change of name.</text>
							</clause><clause id="ID3236558DF68A4E8EBD7049CEF58CD868">
								<enum>(ii)</enum>
								<text>The postal
			 address of a physical place of residence of such individual.</text>
							</clause><clause id="IDF24A4FE437684EACBE31D9170EAEB4DB">
								<enum>(iii)</enum>
								<text>An e-mail
			 address.</text>
							</clause><clause id="IDCB3F19D3797E42D6BF7564C324F5A51A">
								<enum>(iv)</enum>
								<text>A
			 telephone number or mobile device number.</text>
							</clause><clause id="IDD2E7DA90F6EE42C3956EC1C941AA0766">
								<enum>(v)</enum>
								<text>A
			 social security number or other government issued identification number
			 issued
			 to such individual.</text>
							</clause><clause id="IDDB2147A5447943839E00FB69538556F7">
								<enum>(vi)</enum>
								<text>The account
			 number of a credit card issued to such individual.</text>
							</clause><clause id="IDC5C80A14033C445BBC918EDF24B1709D">
								<enum>(vii)</enum>
								<text>Unique
			 identifier information that alone can be used to identify a specific
			 individual.</text>
							</clause><clause id="IDE9D4CC017D494DA184F0870CC6D1B415">
								<enum>(viii)</enum>
								<text>Biometric data
			 about such individual, including fingerprints and retina scans.</text>
							</clause></subparagraph><subparagraph id="ID95C9B5D6AA7F4368926A481E0D980666">
							<enum>(B)</enum>
							<text>If used,
			 transferred, or stored in connection with 1 or more of the items of
			 information
			 described in subparagraph (A), any of the following:</text>
							<clause id="IDD2983F4CDEC849C2A31019145FF8A393">
								<enum>(i)</enum>
								<text>A
			 date of birth.</text>
							</clause><clause id="id95C38C935C6B4B9FB2209EB0F4BED799">
								<enum>(ii)</enum>
								<text>The number of a
			 certificate of birth or adoption.</text>
							</clause><clause id="idAD0EFFB114D149EA9A9B7F2F26F2F55D">
								<enum>(iii)</enum>
								<text>A
			 place of birth.</text>
							</clause><clause id="ID5AC6EA5616144A18B5F3568AFFCECB95">
								<enum>(iv)</enum>
								<text>Unique
			 identifier information that alone cannot be used to identify a specific
			 individual.</text>
							</clause><clause id="ID4648D97E61274F8BAFA50F45B421C449">
								<enum>(v)</enum>
								<text>Precise
			 geographic location, at the same degree of specificity as a global
			 positioning
			 system or equivalent system, and not including any general geographic
			 information that may be derived from an Internet Protocol address.</text>
							</clause><clause id="id3283CBE8857A472B9BD8206DC05CD177">
								<enum>(vi)</enum>
								<text>Information
			 about an individual's quantity, technical configuration, type,
			 destination,
			 location, and amount of uses of voice services, regardless of technology
			 used.</text>
							</clause><clause id="ID9C09EEC7A05940A290D8A4683FCD55BA">
								<enum>(vii)</enum>
								<text>Any other
			 information concerning an individual that may reasonably be used by the
			 party
			 using, collecting, or storing that information to identify that
			 individual.</text>
							</clause></subparagraph></paragraph><paragraph id="ID0F51542974CD43498C577D5A5801340F">
						<enum>(6)</enum>
						<header>Sensitive
			 personally identifiable information</header>
						<text>The term <term>sensitive
			 personally identifiable information</term> means—</text>
						<subparagraph id="id2E8C5F961DE94AE0B2BC4A3535481163">
							<enum>(A)</enum>
							<text>personally
			 identifiable information which, if lost, compromised, or disclosed without
			 authorization either alone or with other information, carries a
			 significant
			 risk of economic or physical harm; or</text>
						</subparagraph><subparagraph id="id5CD88C916BCC41EC835247E86223DB04">
							<enum>(B)</enum>
							<text>information
			 related to—</text>
							<clause id="id29088C8C74DF47B4957297AA4BB8CD32">
								<enum>(i)</enum>
								<text>a
			 particular medical condition or a health record; or</text>
							</clause><clause id="id4FBFA509BD0343DBACB5BC046E86B47F">
								<enum>(ii)</enum>
								<text>the religious
			 affiliation of an individual.</text>
							</clause></subparagraph></paragraph><paragraph id="IDC453CCDB034549118B15B72AC3DEE663">
						<enum>(7)</enum>
						<header>Third
			 party</header>
						<subparagraph id="id19970F8B08B8449E9B9A85CBA2870433"><enum>(A)</enum><header>In general</header><text>The term <term>third party</term> means, with respect to a
			 covered entity, a person that—</text>
							<clause id="id692623027EDA45E78B97215D531136AF">
								<enum>(i)</enum>
								<text>is—</text><subclause id="id5CF1820418F44437B10B9E6734B0D051"><enum>(I)</enum><text>not related to
			 the covered entity by common ownership or corporate control; or</text></subclause><subclause id="id604A57E1E5F041EFBF6C57D250904442"><enum>(II)</enum><text>related to the covered entity by common ownership or corporate control and an ordinary consumer
			 would not understand that the covered entity and the person were related
			 by common ownership or corporate control;</text>
								</subclause></clause><clause id="idF48BD3F6345E44E1B634A85ED6DB471F">
								<enum>(ii)</enum>
								<text>is not a service
			 provider used by the covered entity to receive personally identifiable
			 information or sensitive personally identifiable information in performing
			 services or functions on behalf of and under the instruction of the
			 covered
			 entity; and</text>
							</clause><clause id="id2F619B8958154DA783CD98B2E8C0FE8D">
								<enum>(iii)</enum>
								<text>with respect to the collection of covered information of an individual, does not have an
			 established business relationship with the individual and does not
			 identify
			 itself to the individual at the time of such collection
			 in a
			 clear and conspicuous manner that is visible to the individual.</text>
							</clause></subparagraph><subparagraph id="id6F297F4859A444C1997ACEE96EFB2622"><enum>(B)</enum><header>Common brands</header><text>The term <term>third party</term> may include, with respect to a covered entity, a person who operates under a common brand with the
			 covered entity.</text></subparagraph></paragraph><paragraph id="IDBD858F26A4DE407FBC80C1739ED6FF99">
						<enum>(8)</enum>
						<header>Unauthorized
			 use</header>
						<subparagraph id="id1A989DAEF10B4BF9BDB0A14ECCEED490">
							<enum>(A)</enum>
							<header>In
			 general</header>
							<text>The term <term>unauthorized use</term> means the use of
			 covered information by a covered entity or its service provider for any
			 purpose
			 not authorized by the individual to whom such information relates.</text>
						</subparagraph><subparagraph id="id9D79E14E08D44941915F4131B0B3FDA9">
							<enum>(B)</enum>
							<header>Exceptions</header>
							<text>Except
			 as provided in subparagraph (C), the term <term>unauthorized use</term> does
			 not include use of covered information relating to an individual by a
			 covered
			 entity or its service provider as follows:</text>
							<clause id="ID9928DFE4BD79418EB198DDD8F0568153">
								<enum>(i)</enum>
								<text>To
			 process and enforce a transaction or deliver a service requested by that
			 individual.</text>
							</clause><clause id="IDABAB2D67BDE443558CC704F347E2CE95">
								<enum>(ii)</enum>
								<text>To
			 operate the covered entity that is providing a transaction or delivering a
			 service requested by that individual, such as inventory management,
			 financial
			 reporting and accounting, planning, and product or service improvement or
			 forecasting.</text>
							</clause><clause id="ID4FF6121B9BB0442EB84B3CDEC3863FD0">
								<enum>(iii)</enum>
								<text>To prevent or
			 detect fraud or to provide for a physically or virtually secure
			 environment.</text>
							</clause><clause id="IDDC4D754CA6B04894AFCB774E0E8D4940">
								<enum>(iv)</enum>
								<text>To
			 investigate a possible crime.</text>
							</clause><clause id="id471FB188B27A4CC6909AB87DCBC33F7B">
								<enum>(v)</enum>
								<text>That is required
			 by a provision of law or legal process.</text>
							</clause><clause id="ID5D28F5E60BE34FFA982BEC402B69E716">
								<enum>(vi)</enum>
								<text>To
			 market or advertise to an individual from a covered entity within the
			 context
			 of a covered entity's own Internet website, services, or products if the
			 covered information used for such marketing or advertising was—</text>
								<subclause id="idC6C8B00472CD4FFEAA35880BAF13165F">
									<enum>(I)</enum>
									<text>collected
			 directly by the covered entity; or</text>
								</subclause><subclause id="id9DF337A08C1744769CF0A52A2270F288">
									<enum>(II)</enum>
									<text>shared with the
			 covered entity—</text>
									<item id="id96446EB545104E70B76FB43279C9591C">
										<enum>(aa)</enum>
										<text>at
			 the affirmative request of the individual; or</text>
									</item><item id="idD6E8629696FC4D95A13414EA2127C89E">
										<enum>(bb)</enum>
										<text>by
			 an entity with which the individual has an established business
			 relationship.</text>
									</item></subclause></clause><clause id="IDC2D707F5509544339B135492C8540042">
								<enum>(vii)</enum>
								<text>Use that is
			 necessary for the improvement of transaction or service delivery through
			 research, testing, analysis, and development.</text>
							</clause><clause id="ID897D125C07CE485192B5152C0E9F4439">
								<enum>(viii)</enum>
								<text>Use that is
			 necessary for internal operations, including the following:</text>
								<subclause id="id982675544DF34B1482BB474706275A2A">
									<enum>(I)</enum>
									<text>Collecting
			 customer satisfaction surveys and conducting customer research to improve
			 customer service information.</text>
								</subclause><subclause id="id7F9800CD03064FEAAB0A17D1A39309D4">
									<enum>(II)</enum>
									<text>Information
			 collected by an Internet website about the visits to such website and the
			 click-through rates at such website—</text>
									<item id="id0AF0D98115864F57846F090AAE6735DE">
										<enum>(aa)</enum>
										<text>to
			 improve website navigation and performance; or</text>
									</item><item id="id70A54C4DC580438D8298C3961A6F61EA">
										<enum>(bb)</enum>
										<text>to
			 understand and improve the interaction of an individual with the
			 advertising of
			 a covered entity.</text>
									</item></subclause></clause><clause id="id14E974EDFDB74E05A4872BCEFEDA283B">
								<enum>(ix)</enum>
								<text>Use—</text>
								<subclause id="idB5D25B3D983749D7944CC0BB1B16C2F3">
									<enum>(I)</enum>
									<text>by a covered
			 entity with which an individual has an established business
			 relationship;</text>
								</subclause><subclause id="idA088744A8A7B4932AD4304C3A9327B8A">
									<enum>(II)</enum>
									<text>which the
			 individual could have reasonably expected, at the time such relationship
			 was
			 established, was related to a service provided pursuant to such
			 relationship;
			 and</text>
								</subclause><subclause id="id7C83551A7964431A925D7A823581C1CE">
									<enum>(III)</enum>
									<text>which does not
			 constitute a material change in use or practice from what could have
			 reasonably
			 been expected.</text>
								</subclause></clause></subparagraph><subparagraph id="id62D1442895134098883D23CC83A7A0B0">
							<enum>(C)</enum>
							<header>Savings</header>
							<text>A
			 use of covered information regarding an individual by a covered entity or
			 its
			 service provider may only be excluded under subparagraph (B) from the
			 definition of <quote>unauthorized use</quote> under subparagraph (A) if the use
			 is reasonable and consistent with the practices and purposes described in
			 the
			 notice given the individual in accordance with section 121(a)(1).</text>
						</subparagraph></paragraph><paragraph id="ID87B74D28F88048C8B5441A8E901C9905">
						<enum>(9)</enum>
						<header>Unique
			 identifier information</header>
						<text>The term <term>unique identifier
			 information</term> means a unique persistent identifier associated with an
			 individual or a networked device, including a customer number held in a
			 cookie,
			 a user ID, a processor serial number, or a device serial number.</text></paragraph></subsection><subsection id="idC84A55C0A4EA4670972482C40ED07FAD"><enum>(b)</enum><header>Modified definition by rulemaking</header><text>If the Commission determines that a term defined in any of paragraphs (3) through (8) is not
			 reasonably sufficient to protect an individual from unfair or deceptive
			 acts or practices, the Commission may by rule modify such definition as
			 the Commission considers appropriate to protect such individual from an
			 unfair or deceptive act
			 or practice to the extent that the Commission determines will not
			 unreasonably impede interstate commerce.</text></subsection></section><subtitle id="IDB46BEDB6A323470392A46C0B59D19D0D">
				<enum>A</enum>
				<header>Right to security
			 and accountability</header>
				<section id="ID4CA46AD4F32144588E586685256010E1">
					<enum>111.</enum>
					<header>Security</header>
					<subsection id="id76B72F54E499416B83C7578D99C593D7">
						<enum>(a)</enum>
						<header>Rulemaking
			 required</header>
						<text display-inline="yes-display-inline">Not later than 180
			 days after the date of the enactment of this Act, the Commission shall
			 initiate
			 a rulemaking proceeding to require each covered entity to carry out
			 security
			 measures to protect the covered information it collects and maintains.</text>
					</subsection><subsection id="id039C446A7A474B68B17B0E14E91CF8AB">
						<enum>(b)</enum>
						<header>Proportion</header>
						<text display-inline="yes-display-inline">The requirements prescribed under
			 subsection (a) shall provide for security measures that are proportional
			 to the
			 size, type, nature, and sensitivity of the covered information a covered
			 entity
			 collects.</text>
					</subsection><subsection id="id13924EE057424FB1969FEA7D2A40D721">
						<enum>(c)</enum>
						<header>Consistency</header>
						<text>The
			 requirements prescribed under subsection (a) shall be consistent with
			 guidance
			 provided by the Commission and recognized industry practices for safety
			 and
			 security on the day before the date of the enactment of this Act.</text>
					</subsection><subsection id="idDF87749FE79A4EC8A27B29EB810AEC96">
						<enum>(d)</enum>
						<header>Technological
			 means</header>
						<text display-inline="yes-display-inline">In a rule prescribed
			 under subsection (a), the Commission may not require a specific
			 technological
			 means of meeting a requirement.</text>
					</subsection></section><section id="ID9A265885F4F441E5A9BC71CB5E6D617E">
					<enum>112.</enum>
					<header>Accountability</header>
					<text display-inline="no-display-inline">Each covered entity shall, in a manner
			 proportional to the size, type, and nature of the covered information it
			 collects—</text>
					<paragraph id="ID56CC2390BE81452D95B2E7EDDD985278">
						<enum>(1)</enum>
						<text>have managerial
			 accountability, proportional to the size and structure of the covered
			 entity,
			 for the adoption and implementation of policies consistent with this
			 title;</text>
					</paragraph><paragraph id="IDAA491F154A8947F8A450D8117EB32970">
						<enum>(2)</enum>
						<text>have a process to
			 respond to non-frivolous inquiries from individuals regarding the
			 collection,
			 use, transfer, or storage of covered information relating to such
			 individuals;
			 and</text>
					</paragraph><paragraph id="IDBCE3A65C0B844DDDA776E80BD8D2CAAF">
						<enum>(3)</enum>
						<text>describe the
			 means of compliance of the covered entity with the requirements of this
			 Act
			 upon request from—</text>
						<subparagraph id="id36DC78FF73A74771A31EB9D068FF4B7F">
							<enum>(A)</enum>
							<text>the Commission;
			 or</text>
						</subparagraph><subparagraph id="idE5CDC056CC6A41808834AF306C4C83EC">
							<enum>(B)</enum>
							<text>an appropriate
			 safe harbor program established under section 151.</text>
						</subparagraph></paragraph></section><section id="id97DDB8DF897749B3B63484D6108CC741">
					<enum>113.</enum>
					<header>Privacy by
			 design</header>
					<text display-inline="no-display-inline">Each covered entity
			 shall, in a manner proportional to the size, type, and nature of the
			 covered
			 information that it collects, implement a comprehensive information
			 privacy
			 program by—</text>
					<paragraph id="ID172941727f1e42dd86e60396a285f7be">
						<enum>(1)</enum>
						<text>incorporating
			 necessary development processes and practices throughout the product life
			 cycle
			 that are designed to safeguard the personally identifiable information
			 that is
			 covered information of individuals based on—</text>
						<subparagraph id="idFE0BC375CF464401AB4649F14C51E7A7">
							<enum>(A)</enum>
							<text>the reasonable
			 expectations of such individuals regarding privacy; and</text>
						</subparagraph><subparagraph id="idFA075E199BA54261B97A3C51213D1FD1">
							<enum>(B)</enum>
							<text>the relevant
			 threats that need to be guarded against in meeting those expectations;
			 and</text>
						</subparagraph></paragraph><paragraph id="id12D737D7BB2B47E38607112480657CB3">
						<enum>(2)</enum>
						<text>maintaining
			 appropriate management processes and practices throughout the data life
			 cycle
			 that are designed to ensure that information systems comply with—</text>
						<subparagraph id="idDC073ED418EE4D6280747843F6C88501">
							<enum>(A)</enum>
							<text>the provisions of
			 this title;</text>
						</subparagraph><subparagraph id="idAB61674C94E0404E8B1B8F9FFAAB8CD2">
							<enum>(B)</enum>
							<text>the privacy
			 policies of a covered entity; and</text>
						</subparagraph><subparagraph id="id2AAC952697A24838A72FA62D3F387BDD">
							<enum>(C)</enum>
							<text>the privacy
			 preferences of individuals that are consistent with the consent choices
			 and
			 related mechanisms of individual participation as described in section
			 122.</text>
						</subparagraph></paragraph></section></subtitle><subtitle id="ID825DDA0E130B4886A879AD488CFA0B1A">
				<enum>B</enum>
				<header>Right to notice
			 and individual participation</header>
				<section id="IDA181E5162B2F4EC2AE67BC9BF9F86AD2">
					<enum>121.</enum>
					<header>Transparent
			 notice of practices and purposes</header>
					<subsection id="IDBBD12DC872EF4C7C81AA5491C8AF7885">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text>Not later than 60 days after the date of the enactment of
			 this Act, the Commission shall initiate a rulemaking proceeding to require
			 each
			 covered entity—</text>
						<paragraph id="ID9C484381460F4B6CB021460D5C82B242">
							<enum>(1)</enum>
							<text>to provide accurate, clear,
			 concise, and timely notice to individuals of—</text>
							<subparagraph id="id1646C3AF8FF94D77B3ABAE43212D4DD1">
								<enum>(A)</enum>
								<text>the practices of
			 the covered entity regarding the collection, use, transfer, and storage of
			 covered information; and</text>
							</subparagraph><subparagraph id="id5AE441B318074FD996F6DC10828C46B7">
								<enum>(B)</enum>
								<text>the specific
			 purposes of those practices;</text>
							</subparagraph></paragraph><paragraph id="IDA1B649ED068040D185DB702AB7AB42E8">
							<enum>(2)</enum>
							<text>to provide accurate, clear,
			 concise, and timely notice to individuals before implementing a material
			 change
			 in such practices; and</text>
						</paragraph><paragraph id="ID9C472F52087E4478991C030F5BED0683">
							<enum>(3)</enum>
							<text>to maintain the
			 notice required by paragraph (1) in a form that individuals can readily
			 access.</text>
						</paragraph></subsection><subsection id="IDDE917CCDD3DC49F99A8CF90D85E39A02">
						<enum>(b)</enum>
						<header>Compliance and
			 other considerations</header>
						<text>In the rulemaking required by subsection
			 (a), the Commission—</text>
						<paragraph id="IDC1969019F6FC456E8B201EC76EC39175">
							<enum>(1)</enum>
							<text>shall consider
			 the types of devices and methods individuals will use to access the
			 required
			 notice;</text>
						</paragraph><paragraph id="ID3458C5EA96094F24A0F906DAEFFB0EEE">
							<enum>(2)</enum>
							<text>may provide that
			 a covered entity unable to provide the required notice when information is
			 collected may comply with the requirement of subsection (a)(1) by
			 providing an
			 alternative time and means for an individual to receive the required
			 notice
			 promptly;</text>
						</paragraph><paragraph id="IDD20CC5E7FF7F464EA1477736C878625B">
							<enum>(3)</enum>
							<text>may draft
			 guidance for covered entities to use in designing their own notice and may
			 include a draft model template for covered entities to use in designing
			 their
			 own notice; and</text>
						</paragraph><paragraph id="IDFCA874075E1641028ACB41E6DFC2F974">
							<enum>(4)</enum>
							<text>may provide
			 guidance on how to construct computer-readable notices or how to use other
			 technology to deliver the required notice.</text>
						</paragraph></subsection></section><section id="ID637E5D16C8B14E9880943F341077075F">
					<enum>122.</enum>
					<header>Individual
			 participation</header>
					<subsection id="IDF448EA7A183B454A920BF88ACEAFEB78">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text>Not later than 180 days after the date of the enactment
			 of this Act, the Commission shall initiate a rulemaking proceeding to
			 require
			 each covered entity—</text>
						<paragraph id="ID6E5A510AA383422D8F9F63DAF64F44B9">
							<enum>(1)</enum>
							<text>to offer
			 individuals a clear and conspicuous mechanism for opt-in consent for any
			 use
			 of their covered information that would otherwise be unauthorized use;</text>
						</paragraph><paragraph id="id0EC2A7A9D2D44A0DB2DCA1F309F37557">
							<enum>(2)</enum>
							<text>to offer
			 individuals a robust, clear, and conspicuous mechanism for opt-in consent
			 for
			 the use by third parties of the individuals' covered information for
			 behavioral
			 advertising or marketing;</text>
						</paragraph><paragraph id="ID8DFDEED19B54444CBFC5C7E452F78633">
							<enum>(3)</enum>
							<text>to provide any
			 individual to whom the personally identifiable information that is covered
			 information pertains, and which the covered entity or its service provider
			 stores, appropriate and reasonable—</text>
							<subparagraph id="idF3F3314070BA489B85472F38F98A43BC">
								<enum>(A)</enum>
								<text>access to such
			 information; and</text>
							</subparagraph><subparagraph id="idBBBCB036E90D420E9740A79CA734CFAB">
								<enum>(B)</enum>
								<text>mechanisms to
			 correct such information to improve the accuracy of such information;
			 and</text>
							</subparagraph></paragraph><paragraph id="id67E8693FA9C249A1AB3B7D32877A0725">
							<enum>(4)</enum>
							<text>in the case that
			 a covered entity enters bankruptcy or an individual requests the
			 termination of
			 a service provided by the covered entity to the individual or termination
			 of
			 some other relationship with the covered entity, to permit the individual
			 to
			 easily request that—</text>
							<subparagraph id="id48D500BB72574DE0836640EDAB3C4A5D">
								<enum>(A)</enum>
								<text>all of the
			 personally identifiable information that is covered information that the
			 covered entity maintains relating to the individual, except for
			 information the
			 individual authorized the sharing of or which the individual shared with
			 the
			 covered entity in a forum that is widely and publicly available, be
			 rendered
			 not personally identifiable; or</text>
							</subparagraph><subparagraph id="idD19C0DAE6A1346289F76E279B6841433">
								<enum>(B)</enum>
								<text>if rendering such
			 information not personally identifiable is not possible, to cease the
			 unauthorized use or transfer to a third party for an unauthorized use of
			 such
			 information or to cease use of such information for marketing, unless such
			 unauthorized use or transfer is otherwise required by a provision of
			 law.</text>
							</subparagraph></paragraph></subsection><subsection id="ID520F040A93744ADFB08479AD864943AA">
						<enum>(b)</enum>
						<header>Unauthorized
			 use transfers</header>
						<text>In the rulemaking required by subsection (a), the
			 Commission shall provide that with respect to transfers of covered
			 information
			 to a third party for which an individual provides opt-in consent, the
			 third
			 party to which the information is transferred may not use such information
			 for
			 any unauthorized use other than a use—</text>
						<paragraph id="id170F2A811A934C99972CA197CD6A1940">
							<enum>(1)</enum>
							<text>specified
			 pursuant to the purposes stated in the required notice under section
			 121(a);
			 and</text>
						</paragraph><paragraph id="id137CBA052649498C84775B4DEA0930D7">
							<enum>(2)</enum>
							<text>authorized by the
			 individual when the individual granted consent for the transfer of the
			 information to the third party.</text>
						</paragraph></subsection><subsection id="ID18C64F99156B4BF78A68C8DD968E0BBE">
						<enum>(c)</enum>
						<header>Alternative
			 means to terminate use of covered information</header>
						<text>In the rulemaking
			 required by subsection (a), the Commission shall allow a covered entity to
			 provide individuals an alternative means, in lieu of the access, consent,
			 and
			 correction requirements, of prohibiting a covered entity from use or
			 transfer
			 of that individual's covered information.</text>
					</subsection><subsection id="ID24251CDEAEF84636ABFA6B905AE878C4">
						<enum>(d)</enum>
						<header>Service
			 providers</header>
						<paragraph id="IDB06C8FCBB38D46D1870EEA42BB697D86">
							<enum>(1)</enum>
							<header>In
			 general</header>
							<text>The use of a service provider by a covered entity to
			 receive covered information in performing services or functions on behalf
			 of
			 and under the instruction of the covered entity does not constitute an
			 unauthorized use of such information by the covered entity if the covered
			 entity and the service provider execute a contract that requires the
			 service
			 provider to collect, use, and store the information on behalf of the
			 covered
			 entity in a manner consistent with—</text>
							<subparagraph id="id190DB45E5B15468180CA8B946B8F76B6">
								<enum>(A)</enum>
								<text>the requirements
			 of this title; and</text>
							</subparagraph><subparagraph id="idF695E51463C24D489F172A110B51EB47">
								<enum>(B)</enum>
								<text>the policies and
			 practices related to such information of the covered entity.</text>
							</subparagraph></paragraph><paragraph id="ID8942CDC599CE43A8B3EFDCD4CC802B2C">
							<enum>(2)</enum>
							<header>Transfers
			 between service providers for a covered entity</header>
							<text>The disclosure by
			 a service provider of covered information pursuant to a contract with a
			 covered
			 entity to another service provider in order to perform the same service or
			 functions for that covered entity does not constitute an unauthorized
			 use.</text>
						</paragraph><paragraph id="IDD5809A1EA27848568DD32E659E26ED70">
							<enum>(3)</enum>
							<header>Liability
			 remains with covered entity</header>
							<text>A covered entity remains responsible
			 and liable for the protection of covered information that has been
			 transferred
			 to a service provider for processing, notwithstanding any agreement to the
			 contrary between a covered entity and the service provider.</text>
						</paragraph></subsection></section></subtitle><subtitle id="ID717DCBA4EDEC49FCB66D8829E3C996F7">
				<enum>C</enum>
				<header>Rights relating
			 to data minimization, constraints on distribution, and data integrity</header>
				<section id="idF795DB6B50244DC5A08619E2FACEDE64">
					<enum>131.</enum>
					<header>Data
			 minimization</header>
					<text display-inline="no-display-inline">Each covered
			 entity shall—</text>
					<paragraph id="ID96d06f460662443c9cc4627073e2b5de">
						<enum>(1)</enum>
						<text>collect only as
			 much covered information relating to an individual as is reasonably
			 necessary—</text>
						<subparagraph id="ID7b027b7a657a459197f3d9f7e6284050">
							<enum>(A)</enum>
							<text>to process or
			 enforce a transaction or deliver a service requested by such individual;</text>
						</subparagraph><subparagraph id="IDe30b89d2d5274090a722a14c69504bdf">
							<enum>(B)</enum>
							<text>for the covered
			 entity to provide a transaction or deliver a service requested by such
			 individual, such as inventory management, financial reporting and
			 accounting,
			 planning, product or service improvement or forecasting, and customer
			 support
			 and service;</text>
						</subparagraph><subparagraph id="ID9291675f5d1b433cbdbcbd05de45473f">
							<enum>(C)</enum>
							<text>to prevent or
			 detect fraud or to provide for a secure environment;</text>
						</subparagraph><subparagraph id="ID3575302411c345ffa91d3db86f02cc3f">
							<enum>(D)</enum>
							<text>to investigate a
			 possible crime;</text>
						</subparagraph><subparagraph id="id2551213AD032402CB5906154E59BF1FE">
							<enum>(E)</enum>
							<text>to comply with a
			 provision of law;</text>
						</subparagraph><subparagraph id="ID7c93da76075f481ab4eb69e3d120b66c">
							<enum>(F)</enum>
							<text>for the covered
			 entity to market or advertise to such individual if the covered
			 information
			 used for such marketing or advertising was collected directly by the
			 covered
			 entity; or</text>
						</subparagraph><subparagraph id="IDfa302f0a9973404888ca00d45f7429f9">
							<enum>(G)</enum>
							<text>for internal
			 operations, including—</text>
							<clause id="id7E7B8CC6DA2041CC89C204D38131ACEF">
								<enum>(i)</enum>
								<text>collecting
			 customer satisfaction surveys and conducting customer research to improve
			 customer service; and</text>
							</clause><clause id="idF63E23FEDC434306A0AEC650CB8FB116">
								<enum>(ii)</enum>
								<text>collection from
			 an Internet website of information about visits and click-through rates
			 relating to such website to improve—</text>
								<subclause id="idEC731678DAB7485FB52626F811D2E782">
									<enum>(I)</enum>
									<text>website
			 navigation and performance; and</text>
								</subclause><subclause id="id7B5FE42891B546489A4E7982797A1B5B">
									<enum>(II)</enum>
									<text>the customer’s
			 experience;</text>
								</subclause></clause></subparagraph></paragraph><paragraph id="IDde62a45edd2c4e5094b662fbfeec11e9">
						<enum>(2)</enum>
						<text>retain covered
			 information for only such duration as—</text>
						<subparagraph id="idB265F05B8B3E4A188E5E572E137B9F06">
							<enum>(A)</enum>
							<text>with respect to
			 the provision of a transaction or delivery of a service to an
			 individual—</text>
							<clause id="id81A14964D7834539825DBBDED9AC6202">
								<enum>(i)</enum>
								<text>is
			 necessary to provide such transaction or deliver such service to such
			 individual; or</text>
							</clause><clause id="idC23C8E6AC3F3464185C314D78F29FA73">
								<enum>(ii)</enum>
								<text>if
			 such service is ongoing, is reasonable for the ongoing nature of the
			 service; or</text>
							</clause></subparagraph><subparagraph id="id501D01A1997248BBA8B1AF6C2884B5F4">
							<enum>(B)</enum>
							<text>is required by a
			 provision of law;</text></subparagraph></paragraph><paragraph id="id295C3DBFF1224695ABF4ADBEB89E55CE"><enum>(3)</enum><text>retain covered information only for the purpose it was collected, or reasonably related purposes;
			 and</text>
					</paragraph><paragraph id="id60C199A2155C4D5693203FE1FA6E3D29"><enum>(4)</enum><text>exercise reasonable data retention procedures with respect to both the initial collection and
			 subsequent retention.</text></paragraph></section><section id="ID3E9F4EBB04E44525912351CF7D0E25F0">
					<enum>132.</enum>
					<header>Constraints on
			 distribution of information</header>
					<subsection id="IDB3ACB18FF9D54D569C53299EE84DF875">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text>Each covered entity shall—</text>
						<paragraph id="ID5D6AD6A2CA2B42448154C4EDE77EB4C9">
							<enum>(1)</enum>
							<text>require by
			 contract that any third party to which it transfers covered information
			 use the
			 information only for purposes that are consistent with—</text>
							<subparagraph id="idEABC3ECA70E9491C903134B4BCFE4A88">
								<enum>(A)</enum>
								<text>the provisions of
			 this title; and</text>
							</subparagraph><subparagraph id="id708692ED823949D6B24D5C5338219BE5">
								<enum>(B)</enum>
								<text>as specified in
			 the contract;</text>
							</subparagraph></paragraph><paragraph id="ID791959C6730C4803B05B15B5D382460D">
							<enum>(2)</enum>
							<text>require by
			 contract that such third party may not combine information that the
			 covered
			 entity has transferred to it, that relates to an individual, and that is
			 not
			 personally identifiable information with other information in order to
			 identify
			 such individual, unless the covered entity has obtained the opt-in consent
			 of
			 such individual for such combination and identification; and</text>
						</paragraph><paragraph id="ID7E576EFE59074BAFAD6605F35463F1CD">
							<enum>(3)</enum>
							<text>before executing
			 a contract with a third party—</text>
							<subparagraph id="idF637E4FA8B724FF6A07B290D5F2FF14E">
								<enum>(A)</enum>
								<text>assure through
			 due diligence that the third party is a legitimate organization; and</text>
							</subparagraph><subparagraph id="id2DF51356296949269B17F375CA226833">
								<enum>(B)</enum>
								<text>in the case of a
			 material violation of the contract, at a minimum notify the Commission of
			 such
			 violation.</text>
							</subparagraph></paragraph></subsection><subsection id="IDDDC296E5DDD84A589C4D636EDBDC2E39">
						<enum>(b)</enum>
						<header>Transfers to
			 unreliable third parties prohibited</header>
						<text>A covered entity may not
			 transfer covered information to a third party that the covered entity
			 knows—</text>
						<paragraph id="id7CEAD5DB26484FE6B1854FB9E525F2F0">
							<enum>(1)</enum>
							<text>has intentionally
			 or willfully violated a contract required by subsection (a); and</text>
						</paragraph><paragraph id="id586C799939DE404983A2180662BE3292">
							<enum>(2)</enum>
							<text>is reasonably
			 likely to violate such contract.</text>
						</paragraph></subsection><subsection id="IDB7EBC31DB19142658C535867BC92F1DD">
						<enum>(c)</enum>
						<header>Application of
			 rules to third parties</header>
						<paragraph id="IDF95950CA837D4121ADB6D4BD6DC2BA46">
							<enum>(1)</enum>
							<header>In
			 general</header>
							<text>Except as provided in paragraph (2), a third party that
			 receives covered information from a covered entity shall be subject to the
			 provisions of this Act as if it were a covered entity.</text>
						</paragraph><paragraph id="ID2F4D9EA8EFEC42F0A3249CE283B3704A">
							<enum>(2)</enum>
							<header>Exemption</header>
							<text>The
			 Commission may, as it determines appropriate, exempt classes of third
			 parties
			 from liability under any provision of subtitle B if the Commission finds
			 that—</text>
							<subparagraph id="idC2D5CFB96705405C9E0558F7D577F941">
								<enum>(A)</enum>
								<text>such class of
			 third parties cannot reasonably comply with such provision; or</text>
							</subparagraph><subparagraph id="idFCE8FF6AD0C6416285FCD8D33B9F3E8E">
								<enum>(B)</enum>
								<text>with respect to
			 covered information relating to individuals that is transferred to such
			 class,
			 compliance by such class with such provision would not sufficiently
			 benefit
			 such individuals.</text>
							</subparagraph></paragraph></subsection></section><section id="ID0A5C0D8973EB4C0B80D5538494BC8D2D">
					<enum>133.</enum>
					<header>Data
			 integrity</header>
					<subsection id="id607E0D7058B9454F9217E502E1CFE2FD">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text display-inline="yes-display-inline">Each covered entity
			 shall attempt to establish and maintain reasonable procedures to ensure
			 that
			 personally identifiable information that is covered information and
			 maintained
			 by the covered entity is accurate in those instances where the covered
			 information could be used to deny consumers benefits or cause significant
			 harm.</text>
					</subsection><subsection id="idD64EB7FA1E3442F889460FB5D175640E">
						<enum>(b)</enum>
						<header>Exception</header>
						<text display-inline="yes-display-inline">Subsection (a) shall not apply to covered
			 information of an individual maintained by a covered entity that is
			 provided—</text>
						<paragraph id="id3D679FA980F849EEBF1D4F387475448C">
							<enum>(1)</enum>
							<text display-inline="yes-display-inline">directly to the covered entity by the
			 individual;</text>
						</paragraph><paragraph id="id4CCEE44F60024B2BBE3CE80EDF8ADB61">
							<enum>(2)</enum>
							<text display-inline="yes-display-inline">to the covered entity by another entity at
			 the request of the individual;</text></paragraph><paragraph id="idC20A012E285C4FE4976A29A4719F0EED"><enum>(3)</enum><text>to prevent or detect fraud; or</text></paragraph><paragraph id="id0E855CD316FF45B9B027C34827037C46"><enum>(4)</enum><text>to provide for a secure environment.</text></paragraph></subsection></section></subtitle><subtitle id="idb7c98a1d9e6a49d1bd9f579a938d074c"><enum>D</enum><header>Right to notice of breaches of security</header><section id="idd7e5bc196743448d86eb07bad6a47575"><enum>141.</enum><header>Definitions</header><text display-inline="no-display-inline">In this subtitle:</text><paragraph id="idcda40dc26aa644189b21d22d57d67268"><enum>(1)</enum><header>Breach of security</header><subparagraph id="id1cf6b6c22c35426fb7a820e4d55ec371"><enum>(A)</enum><header>In general</header><text>The term <term>breach of security</term> means compromise of the security, confidentiality, or integrity of, or loss of, data in electronic
			 form that results in, or there is a reasonable basis to conclude has
			 resulted in, unauthorized access to or acquisition of personally
			 identifiable information
			 from a covered entity.</text></subparagraph><subparagraph id="ide07916c1b48742dca82e9149676f008f"><enum>(B)</enum><header>Exclusions</header><text>The term <term>breach of security</term> does not include—</text><clause id="id9f1d76b52f8e4dd690e2aa282635bbd7"><enum>(i)</enum><text>a good faith acquisition of personally identifiable information by a covered entity, or an employee
			 or agent of a
			 covered entity, if the personally identifiable information is not subject
			 to further use
			 or unauthorized disclosure;</text></clause><clause id="id0db622905ecf47e6aebefdb7c543bee5"><enum>(ii)</enum><text>any lawfully authorized investigative, protective, or intelligence activity of a law enforcement or
			 an intelligence agency of the United States, a State, or a political
			 subdivision of a State; or</text></clause><clause id="id502814f7388e441cb86ba32fee85af2e"><enum>(iii)</enum><text>the release of a public record not otherwise subject to confidentiality or nondisclosure
			 requirements.</text></clause></subparagraph></paragraph><paragraph id="idc337071a458147cc874740212629174c"><enum>(2)</enum><header>Data in electronic form</header><text>The term <term>data in electronic form</term> means any data stored electronically or digitally on any computer system or other database,
			 including recordable tapes and other mass storage devices.</text></paragraph><paragraph id="idb0b1998ad9f649608a7845ba36909a5b"><enum>(3)</enum><header>Designated entity</header><text>The term <term>designated entity</term> means the Federal Government entity designated by the Secretary of Homeland Security under section
			 143(a).</text></paragraph><paragraph id="id3741676b08e3481f81eebfc8bff14fef"><enum>(4)</enum><header>Identity theft</header><text>The term <term>identity theft</term> means the unauthorized use of another person's personally identifiable information for the purpose
			 of engaging in
			 commercial transactions under the identity of such other person, including
			 any conduct that violates <external-xref legal-doc="usc" parsable-cite="usc/18/1028A">section 1028A</external-xref> of title 18, United States Code.</text></paragraph><paragraph id="id9ff17d4634464174b3eb10ff92855fb4"><enum>(5)</enum><header>Major credit reporting agency</header><text>The term <term>major credit reporting agency</term> means a consumer reporting agency that compiles and maintains files on consumers on a nationwide
			 basis within the meaning of section 603(p) of the Fair Credit Reporting
			 Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(p)</external-xref>).</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id86e5c3765f4b429e9769e29e7026c2d8"><enum>(6)</enum><header>Service provider</header><text>The term <term>service provider</term> means a person that provides electronic data transmission, routing, intermediate and transient
			 storage, or connections to its system or network, where the person
			 providing such services does not select or modify the content of the
			 electronic data, is not the sender or the intended recipient of the data,
			 and does not differentiate personally identifiable information from other
			 information that such person transmits, routes, or stores, or for which
			 such person
			 provides connections. Any such person shall be treated as a service
			 provider under this subtitle only to the extent that it is engaged in the
			 provision of such transmission, routing, intermediate and transient
			 storage, or connections.</text></paragraph></section><section id="idE475F1D364AB4433A74BD9DFF7DFD82B"><enum>142.</enum><header>Notice to individuals</header><subsection id="id0fd9ed665a1245c4831f9527c4feb758"><enum>(a)</enum><header>In general</header><text>A covered entity that owns or possesses data in electronic form containing personally identifiable
			 information,
			 following the discovery of a breach of security of the system maintained
			 by the covered entity that contains such information, shall notify—</text><paragraph id="id0282e0154dc643e2a385998e32202290"><enum>(1)</enum><text>each individual who is a citizen or resident of the United States and whose personally identifiable
			 information
			 has been, or is reasonably believed to have been, acquired or accessed
			 from the
			 covered entity as a result of the breach of security; and</text></paragraph><paragraph id="id66cc5b33d29a4a2c8b3ab5eb6abc22c2"><enum>(2)</enum><text>the Commission, unless the covered entity has notified the designated entity under section 143.</text></paragraph></subsection><subsection id="ida57d8f993d1f4709a99230374f6c6f73"><enum>(b)</enum><header>Special notification requirements</header><paragraph id="id27c8632d24384219b52cad096d9649cf"><enum>(1)</enum><header>Third parties</header><text>In the event of a breach of security of a system maintained by a third party that has been
			 contracted to maintain or process data in electronic form containing
			 personally identifiable information on behalf of a covered entity who owns
			 or
			 possesses such data, the third party shall notify the covered
			 entity of the breach of security.</text></paragraph><paragraph id="id833e6d8856d04f92a77c93d11009bda9"><enum>(2)</enum><header>Service providers</header><text>If a service provider becomes aware of a breach of security of data in electronic form containing
			 personally identifiable information that is owned or possessed by another
			 covered entity
			 that connects to or uses a system or network provided by the service
			 provider for the purpose of transmitting, routing, or providing
			 intermediate or transient storage of such data, the service provider shall
			 notify of the breach of security only the covered entity who initiated
			 such connection, transmission, routing, or storage if such covered entity
			 can be reasonably identified.</text></paragraph><paragraph id="idb2c6a084500b48c594da403c0e7d07c9"><enum>(3)</enum><header>Coordination of notification with credit reporting agencies</header><subparagraph id="id2E6337E527F141B8A1C0AF08ADEED985"><enum>(A)</enum><header>In general</header><text>If a covered entity is required to provide notification to more than 5,000 individuals under
			 subsection (a)(1), the covered entity also shall notify each major credit
			 reporting agency of the timing and distribution of the notices, except
			 when the only personally identifiable information that is the subject of
			 the breach of
			 security is the individual's first name or initial and last name, or
			 address, or phone number, in combination with a credit or debit card
			 number, and any required security code.</text></subparagraph><subparagraph id="idBFD99E32FBBB4DE3A1A56DA7627B7354"><enum>(B)</enum><header>Notice to credit reporting agencies before individuals</header><text>Such notice shall be given to each
			 credit reporting agency without unreasonable delay and, if it will not
			 delay notice to the affected individuals, prior to the distribution of
			 notices to the affected individuals.</text></subparagraph></paragraph></subsection><subsection id="id9d2704ecd7fc4843865ca791d638eb73"><enum>(c)</enum><header>Timeliness of notification</header><paragraph id="idae95eb7c32154abebf4ae716c67598c2"><enum>(1)</enum><header>In general</header><text>All notifications required under this section shall be made without unreasonable delay following
			 the discovery by the covered entity of a security breach.</text></paragraph><paragraph id="idd4395dfd66db4e3ea3bf5af61a1b68ca"><enum>(2)</enum><header>Reasonable delay</header><subparagraph id="idce44f729aa434f31b9a1283b3295e5ef"><enum>(A)</enum><header>In general</header><text>Reasonable delay under this subsection may include any time necessary to determine the scope of the
			 security breach, prevent further disclosures, restore the reasonable
			 integrity of the data system, and provide notice to law enforcement when
			 required.</text></subparagraph><subparagraph id="idb853a1ff76d649ebbbd89aaa99f91af1"><enum>(B)</enum><header>Extension</header><clause id="id62f96d53f9044b1a89c94c404d017c4f"><enum>(i)</enum><header>In general</header><text>Except as provided in subsection (d), delay of notification shall not exceed 60 days following the
			 discovery of the security breach, unless the covered entity
			 requests an extension of time and the Commission determines
			 in writing that additional time is reasonably necessary to determine the
			 scope of the security breach, prevent further disclosures, restore the
			 reasonable integrity of the data system, or
			 to provide notice to the designated entity.</text></clause><clause id="ideaa2be6d5a2b4122ac0d0b9f11a4a49e"><enum>(ii)</enum><header>Approval of request</header><text>If the Commission approves the request for delay, the covered entity may
			 delay the period for notification for additional periods of up to 30
			 days.</text></clause></subparagraph></paragraph><paragraph id="id7fb037bc1f414aa2a222ad727dc43aa2"><enum>(3)</enum><header>Burden of production</header><text>The covered entity, third party, or service provider required to provide notice under this title
			 shall,
			 upon the request of the Commission, provide records or other
			 evidence of the notifications required under this subtitle, including, to
			 the
			 extent applicable, the reasons for any delay of notification.</text></paragraph></subsection><subsection id="idf6293128f800444e9562e96c09575d08"><enum>(d)</enum><header>Method and content of notification</header><paragraph id="id27e0225cad25481db5a3a4482881d030"><enum>(1)</enum><header>Direct notification</header><subparagraph id="id67fbace0a47e489aa52aabb163fcb15b"><enum>(A)</enum><header>Method of direct notification</header><text>Except as provided in paragraph (2), a covered entity shall be in compliance with the notification
			 requirement under subsection (a)(1)
			 if—</text><clause id="id75d29d46d4f24194a8cbe895782e78f2"><enum>(i)</enum><text>the covered entity provides conspicuous and clearly identified notification—</text><subclause id="id7cb2b13f6f6a423687503f6ef1c9b97e"><enum>(I)</enum><text>in writing; or</text></subclause><subclause id="idf3eb7b81b3b841b2883ae934643eb643"><enum>(II)</enum><text>by e-mail or other electronic means if—</text><item id="idd72a5e42a0bf406e8ac97bce49594051"><enum>(aa)</enum><text>the covered entity's primary method of communication with the individual is by e-mail or such other
			 electronic means; or</text></item><item id="id555606d8aaa14ba1aeab18f912d85197"><enum>(bb)</enum><text>the individual has consented to receive notification by e-mail or such other electronic means and
			 such notification is provided in a manner that is consistent with the
			 provisions permitting electronic transmission of notices under section 101
			 of the Electronic Signatures in Global and National Commerce Act (15
			 U.S.C. 7001); and</text></item></subclause></clause><clause id="id2c3622d2f9ed43f2a26420d6dff8722b"><enum>(ii)</enum><text>the method of notification selected under clause (i) can reasonably be expected to reach the
			 intended individual.</text></clause></subparagraph><subparagraph id="ida8dec447827b487e9c73b3606f5b0913"><enum>(B)</enum><header>Content of direct notification</header><text>Each method of notification under subparagraph (A) shall include the following:</text><clause id="idb158327cb0bd43ba8ffdeef711a085da"><enum>(i)</enum><text>The date, estimated date, or estimated date range of the breach of security.</text></clause><clause id="id741a16127559475192355864f1910ab8"><enum>(ii)</enum><text>A description of the personally identifiable information that was or is reasonably believed to have
			 been acquired
			 or accessed as a result of the breach of security.</text></clause><clause id="id1b834c4ad3d74e1eb20a1c3ba666d6f3"><enum>(iii)</enum><text>A telephone number that an individual can use at no cost to the individual to contact the covered
			 entity to inquire about the breach of security or the information the
			 covered entity maintained about that individual.</text></clause><clause id="idc350136116844b30b19a38ed26c4d15f"><enum>(iv)</enum><text>Notice that the individual may be entitled to consumer credit reports under subsection (e)(1).</text></clause><clause id="iddfc47c594b584747a2a7a8d911a62ced"><enum>(v)</enum><text>Instructions how an individual can request consumer credit reports under subsection (e)(1).</text></clause><clause id="idbee2ab746e1d44f7b5128b18a995ed94"><enum>(vi)</enum><text>A telephone number, that an individual can use at no cost to the individual, and an address to
			 contact each major credit reporting agency.</text></clause><clause id="idbca7f954ae744e87aea846a4791fa863"><enum>(vii)</enum><text>A telephone number, that an individual can use at no cost to the individual, and an Internet
			 website address to obtain information regarding identity theft from the
			 Commission.</text></clause></subparagraph></paragraph><paragraph id="id5415b79a3f204342b3cbab5c596c5fdb"><enum>(2)</enum><header>Substitute notification</header><subparagraph id="id001962b84c644bc3a95779814e25eb12"><enum>(A)</enum><header>Circumstances giving rise to substitute notification</header><text>A covered entity required to provide notification to individuals under subsection (a)(1) may
			 provide notification under this paragraph instead of paragraph (1) of this
			 subsection if—</text><clause id="id4ed3403ddd054d7cbb0faeafb2bc098a"><enum>(i)</enum><text>notification under paragraph (1) is not feasible due to lack of sufficient contact information for
			 the
			 individual required to be notified; or</text></clause><clause id="id0c2adb4d830745eca77a65d10129dee1"><enum>(ii)</enum><text>the covered entity owns or possesses data in electronic form containing personally identifiable
			 information of
			 fewer than 10,000 individuals and direct notification is not feasible due
			 to excessive cost to the covered entity required to provide such
			 notification relative to the resources of such covered entity, as
			 determined in accordance with the regulations issued by the Commission
			 under paragraph (3)(A).</text></clause></subparagraph><subparagraph id="idfb166b23f35a4b509f371c4a91841ba3"><enum>(B)</enum><header>Method of substitute notification</header><text>Notification under this paragraph shall include the following:</text><clause id="idaab86c1f931c4a458932fdf046f372b0"><enum>(i)</enum><text>Conspicuous and clearly identified notification by e-mail to the extent the covered entity has an
			 e-mail address for an individual who is entitled to notification under
			 subsection (a)(1).</text></clause><clause id="idb344b9ba098449ed8c56032f27d4a039"><enum>(ii)</enum><text>Conspicuous and clearly identified notification on the Internet website of the covered entity if
			 the covered entity maintains an Internet website.</text></clause><clause id="id4a4b985698e54fe999c97a299a16cefa"><enum>(iii)</enum><text>Notification to print and to broadcast media, including major media in metropolitan and rural areas
			 where the individuals whose personally identifiable information was
			 acquired or accessed reside.</text></clause></subparagraph><subparagraph id="id4fad552c00474b3b95c90d7ee26cbf6b"><enum>(C)</enum><header>Content of substitute notification</header><text>Each method of notification under this paragraph shall include the following:</text><clause id="id09f3e2fea1164cb3911893cb2d6a9b35"><enum>(i)</enum><text>The date, estimated date, or estimated date range of the breach of security.</text></clause><clause id="id4c213ce228ec4bb1b43b1d5538ffc24f"><enum>(ii)</enum><text>A description of the types of personally identifiable information that were or are reasonably
			 believed to have
			 been acquired or accessed as a result of the breach of security.</text></clause><clause id="id98410418c37640e79e6b9fa4147f011d"><enum>(iii)</enum><text>Notice that an individual may be entitled to consumer credit reports under subsection (e)(1).</text></clause><clause id="idcd72cb0af55c4c69bb2925075635f957"><enum>(iv)</enum><text>Instructions how an individual can request consumer credit reports under subsection (e)(1).</text></clause><clause id="ide306739c179c437cba27ba57a66238d5"><enum>(v)</enum><text>A telephone number that an individual can use at no cost to the individual to learn whether the
			 individual's personally identifiable information is included in the breach
			 of security.</text></clause><clause id="idb641920ff64a43e5bc5c879871fb26b4"><enum>(vi)</enum><text>A telephone number, that an individual can use at no cost to the individual, and an address to
			 contact each major credit reporting agency.</text></clause><clause id="id7ca0ee532f18449eb5cd9126ffde1ff8"><enum>(vii)</enum><text>A telephone number, that an individual can use at no cost to the individual, and an Internet
			 website address to obtain information from the Commission regarding
			 identity theft.</text></clause></subparagraph></paragraph><paragraph id="id09d76616dc6b4d89a775e702891b77f9"><enum>(3)</enum><header>Regulations and guidance</header><subparagraph id="id7576e2de53d84a0392633c7b7fd6bf80"><enum>(A)</enum><header>Regulations concerning substitute notification</header><clause id="id7F698BF97FBC4204B3A8409967432DC3"><enum>(i)</enum><header>In general</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall prescribe
			 criteria for
			 determining circumstances under which notification may be
			 provided under paragraph (2), including criteria for
			 determining whether providing notification under paragraph (1) is
			 not feasible due to excessive costs to the covered entity required to
			 provide such notification relative to the resources of such covered
			 entity.</text></clause><clause id="id7659E2A9E22545E9A33B12D8F4365767"><enum>(ii)</enum><header>Other circumstances</header><text>The regulations required by clause (i) may also identify other circumstances in which
			 notification under paragraph (2) would be appropriate, including
			 circumstances
			 under which the cost of providing direct notification exceeds the benefits
			 to individuals.</text></clause></subparagraph><subparagraph id="idc2cbcb0d3aa14fe193e92374c7654909"><enum>(B)</enum><header>Guidance</header><clause id="id3DBFAE6EB4D541578522AAB2B14EC039"><enum>(i)</enum><header>In general</header><text>The Commission, in consultation with the Administrator of the Small Business Administration, shall
			 publish and otherwise make available general guidance with respect to
			 compliance with this
			 subsection.</text></clause><clause id="id589FB5B887AB438EB20A3B5E2838FEDC"><enum>(ii)</enum><header>Contents</header><text>The guidance required by clause (i) shall include the following:</text><subclause id="id04cf3a02e5c142468d64721fbdfe2fbf"><enum>(I)</enum><text>A description of written or e-mail notification that complies with paragraph (1).</text></subclause><subclause id="id31c1face03b54ee6bac71b519f02c59b"><enum>(II)</enum><text>Guidance on the content of notification under paragraph (2), including the extent of
			 notification to print and broadcast media that complies with subparagraph
			 (B)(iii) of such paragraph.</text></subclause></clause></subparagraph></paragraph></subsection><subsection id="id01f4ed35a3e04bc4a8410ca5fa29728f"><enum>(e)</enum><header>Other obligations following breach</header><paragraph id="ide40e88664c3340ae8e0461823bf526b4"><enum>(1)</enum><header>In general</header><text>Subject to the provisions of this subsection, not later than 60 days after the date of a request by
			 an individual who received notification under
			 subsection (a)(1) and quarterly thereafter for 2 years, a covered entity
			 required to provide notification under such subsection to such individual
			 shall provide, or
			 arrange for the provision of, to such individual at no cost to such
			 individual, consumer
			 credit reports from at least 1 major credit reporting agency.</text></paragraph><paragraph id="id1928be985c26475fbffd5463d6465e55"><enum>(2)</enum><header>Limitation</header><text>Paragraph (1) shall not apply if the only personally identifiable information that is the subject
			 of the breach
			 of security is the individual's first name or initial and last name, or
			 address, or phone number, in combination with a credit or debit card
			 number, and any required security code.</text></paragraph><paragraph id="idb50e1bf8452f48b68caa35937c391e24"><enum>(3)</enum><header>Rulemaking</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall prescribe
			 the following:</text><subparagraph id="id261d315108054e848b6f411333789035"><enum>(A)</enum><text>Criteria for determining the circumstances under which a covered entity required to provide
			 notification
			 under subsection (a)(1) must provide or arrange for the provision of free
			 consumer credit reports under this subsection.</text></subparagraph><subparagraph id="id38a9ee396f5c4515afe2e16e26edb263"><enum>(B)</enum><text>A simple process under which a covered entity that is a small business concern or small nonprofit
			 organization may request a full or a partial waiver or a
			 modified or an alternative means of complying with this subsection if
			 providing free consumer credit reports is not feasible due to excessive
			 costs relative to the resources of such covered entity and relative to the
			 level of harm, to affected individuals, caused by the breach of security.</text></subparagraph></paragraph><paragraph id="id5944F15B7B534336A8BC6CB7DF6871B8"><enum>(4)</enum><header>Definitions</header><text>In this subsection:</text><subparagraph id="id12B5374C2BE54746B9C4B7DB72504FBA"><enum>(A)</enum><header>Small business concern</header><text>The term <term>small business concern</term> has the meaning given such term under section 3 of the Small Business Act (<external-xref legal-doc="usc" parsable-cite="usc/15/632">15 U.S.C. 632</external-xref>).</text></subparagraph><subparagraph id="id103FEDB27DCC456B8014088EB56604BD"><enum>(B)</enum><header>Small nonprofit organization</header><text>The term <term>small nonprofit organization</term> has the meaning the Commission shall give such term for purposes of this subsection.</text></subparagraph></paragraph></subsection><subsection id="id31276209918c4aeaa0360f75ed8725b7"><enum>(f)</enum><header>Delay of notification authorized for national security and law enforcement purposes</header><paragraph id="idb9390a4a445e45ffa262030b5bcadc6e"><enum>(1)</enum><header>In general</header><text>If the United States Secret Service or the Federal Bureau of Investigation determines that
			 notification under this section would impede a criminal investigation or a
			 national security activity, such notification shall be delayed upon
			 written
			 notice from the United States Secret Service or the Federal Bureau of
			 Investigation to the covered entity that experienced the breach of
			 security. The notification from the United States Secret Service or the
			 Federal Bureau of Investigation shall specify the period of delay
			 requested for national security or law enforcement purposes.</text></paragraph><paragraph id="idee675d40bed944aaae745999b516a73f"><enum>(2)</enum><header>Subsequent delay of notification</header><subparagraph id="ID618a1e67cca94bd08392cfd40a9043e5"><enum>(A)</enum><header>In general</header><text>If the notification required under subsection (a)(1) is
			 delayed pursuant to paragraph (1), a covered entity shall give
			 notice not more than 30 days after the day such law enforcement or
			 national security
			 delay
			 was invoked unless a Federal law enforcement or intelligence agency
			 provides
			 written notification that further delay is necessary.</text></subparagraph><subparagraph id="id20544ef1cb8d4ca883e5544598c6ede2"><enum>(B)</enum><header>Written justification requirements</header><clause id="ide49e71a6bff34e36a0db0e29a2a4e786"><enum>(i)</enum><header>United States Secret Service</header><text>If the United States Secret Service instructs a covered entity to delay notification under this
			 section beyond the 30-day period set forth in subparagraph (A) (referred
			 to in
			 this clause as <quote>subsequent delay</quote>), the United States Secret Service shall submit written justification for the subsequent delay to
			 the Secretary of Homeland Security before the subsequent delay begins.</text></clause><clause id="id0c8fe6352f8c4d86a51a5b83d2515688"><enum>(ii)</enum><header>Federal Bureau of Investigation</header><text>If the Federal Bureau of Investigation instructs a covered entity to delay notification under this
			 section beyond the 30-day period set forth in subparagraph (A) (referred
			 to in
			 this clause as <quote>subsequent delay</quote>), the Federal Bureau of Investigation shall submit written justification for the subsequent delay
			 to the Attorney General before the subsequent delay begins.</text></clause></subparagraph></paragraph><paragraph id="id3cd1c2ea398848c4bbd91da0b9904470"><enum>(3)</enum><header>Law enforcement immunity</header><text>No cause of action shall lie in any court against any Federal agency for acts relating to the delay
			 of notification for national security or law enforcement purposes under
			 this subtitle.</text></paragraph></subsection><subsection id="id96fdbf23bd464ec1a5ccc3991bcdfcc0"><enum>(g)</enum><header>General exemption</header><paragraph id="id03bd3a8f8cad4c96bb03a5356cc2ea63"><enum>(1)</enum><header>In general</header><text>A covered entity shall be exempt from the requirements under this section if, following a breach of
			 security, the covered entity reasonably concludes that there is no
			 reasonable risk of identity theft, fraud, or other unlawful conduct.</text></paragraph><paragraph id="id97708385ca854ac4b0d8f6dff3afb0d5"><enum>(2)</enum><header>FTC guidance</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission, after
			 consultation
			 with the Director of the National Institute of Standards and Technology,
			 shall issue
			 guidance regarding the application of the exemption under paragraph (1).</text></paragraph></subsection><subsection id="id7be4c106f41941488078d51e55b960b7"><enum>(h)</enum><header>Exemptions for national security and law enforcement purposes</header><paragraph id="id6ac290f4d94f4895b56bb0c90d911b94"><enum>(1)</enum><header>In general</header><text>A covered entity shall be exempt from the notice requirements under this section if—</text><subparagraph id="idea2694aa598444b984de5b8f95421e6a"><enum>(A)</enum><text>a determination is made—</text><clause id="id9d5d2c002e8a4ef79420bb65c7072aa0"><enum>(i)</enum><text>by the United States Secret Service or the Federal Bureau of Investigation that notification of the
			 breach of security could be reasonably expected to reveal sensitive
			 sources and methods or similarly impede the ability of the Government to
			 conduct law enforcement or intelligence investigations; or</text></clause><clause id="id6d7c98aae7224ca48ad55508468f568c"><enum>(ii)</enum><text>by the Federal Bureau of Investigation that notification of the breach of security could be
			 reasonably expected to cause damage to the national security; and</text></clause></subparagraph><subparagraph id="id5952f9ff3d474a238fbbaa9be810db5f"><enum>(B)</enum><text>the United States Secret Service or the Federal Bureau of Investigation, as the case may be,
			 provides written notice of its determination under subparagraph (A) to the
			 covered entity.</text></subparagraph></paragraph><paragraph id="id7e8959ae953942e69879aa39fe18d0c7"><enum>(2)</enum><header>United States Secret Service</header><text>If the United States Secret Service invokes an exemption under paragraph (1), the United States
			 Secret Service shall submit written justification for invoking the
			 exemption to the Secretary of Homeland Security before the exemption is
			 invoked.</text></paragraph><paragraph id="id2cc9ebf6210b44c3b8e5cdcff79dca1f"><enum>(3)</enum><header>Federal Bureau of Investigation</header><text>If the Federal Bureau of Investigation invokes an exemption under paragraph (1), the Federal Bureau
			 of Investigation shall submit written justification for invoking the
			 exemption to the Attorney General before the exemption is invoked.</text></paragraph><paragraph id="id09d724fd94b84c64a36ee941a3385168"><enum>(4)</enum><header>Immunity</header><text>No cause of action shall lie in any court against any Federal agency for acts relating to
			 the exemption from notification for national security or law enforcement
			 purposes under this subtitle.</text></paragraph><paragraph id="id488491c391a84e6abf6d17eafbc4efde"><enum>(5)</enum><header>Reports</header><text>Not later than 540 days after the date of the enactment of this Act, and upon request by Congress
			 thereafter, the United States Secret Service and the Federal Bureau of
			 Investigation shall submit to Congress a report on the number and nature
			 of breaches of security subject to the exemptions for national security
			 and law enforcement purposes under this subsection.</text></paragraph></subsection><subsection id="id412d30c27db9425f9dffdaac1a9ce6a1"><enum>(i)</enum><header>Financial fraud prevention exemption</header><paragraph id="idf641111f59724a85a34ccec888bba11d"><enum>(1)</enum><header>In general</header><text>A covered entity shall be exempt from the notice requirements under this section if the covered
			 entity
			 utilizes or participates in a security program that—</text><subparagraph id="id6efeae865c9946398eaf073f67292098"><enum>(A)</enum><text>effectively blocks the use of the personally identifiable information to initiate an unauthorized
			 financial
			 transaction before it is charged to the account of the individual; and</text></subparagraph><subparagraph id="id9c3b313eef874e40b83d229fd170880e"><enum>(B)</enum><text>provides notice to each affected individual after a breach of security that resulted in attempted
			 fraud or an attempted unauthorized transaction.</text></subparagraph></paragraph><paragraph id="id1cbcf051f90c43178e80fb2949b7555f"><enum>(2)</enum><header>Limitations</header><text>An exemption under paragraph (1) shall not apply if—</text><subparagraph id="idde4a38dd9d7b446ea12cb54bd962b551"><enum>(A)</enum><text>the breach of security includes personally identifiable information, other than a credit card
			 number or credit
			 card security code, of any type; or</text></subparagraph><subparagraph id="idb9464eff42314321963b82daf6129c49"><enum>(B)</enum><text>the breach of security includes both the individual's credit card number and the individual's first
			 and last name.</text></subparagraph></paragraph></subsection><subsection id="idacdf83b6c046493fac78bd0691c4c918"><enum>(j)</enum><header>Financial institutions regulated by Federal functional regulators</header><paragraph id="idb25df6c71dfc4b34991a251a3e7185a6"><enum>(1)</enum><header>In general</header><text>A covered financial institution shall be deemed in compliance with this section if—</text><subparagraph id="id10cef03d576a4d1c9e67574f6fc0c30e"><enum>(A)</enum><text>the Federal functional regulator with jurisdiction over the covered financial institution has
			 issued a standard by regulation or guideline under title V of the
			 Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>) that—</text><clause id="idf4428e8c7b4d4fa4927cd6fb8bd6e280"><enum>(i)</enum><text>requires financial institutions within its jurisdiction to provide notification to individuals
			 following a breach of security; and</text></clause><clause id="id79fcdc7df44647b9bbea3d2f452a8a96"><enum>(ii)</enum><text>provides protections substantially similar to, or greater than, those required under this Act; and</text></clause></subparagraph><subparagraph id="id1af0ea348cb1428295db52c0c19b38fc"><enum>(B)</enum><text>the covered financial institution is in compliance with the standard under subparagraph (A).</text></subparagraph></paragraph><paragraph id="id479ad19a7aa04e22a124334d204f36a9"><enum>(2)</enum><header>Definitions</header><text>In this subsection:</text><subparagraph id="id8f6772668b84488a87bb9290ad0ec4df"><enum>(A)</enum><header>Covered financial institution</header><text>The term <term>covered financial institution</term> means a financial institution that is subject to—</text><clause id="id668e5038076a4cb2b3ba2ab5440b1dfc"><enum>(i)</enum><text>the data security requirements of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>);</text></clause><clause id="id9ab6c6250c61477eb0e96079165966aa"><enum>(ii)</enum><text>any implementing standard issued by regulation or guideline issued under that Act; and</text></clause><clause id="id8fc38512d4c54d92a8566eece8f54a8d"><enum>(iii)</enum><text>the jurisdiction of a Federal functional regulator under that Act.</text></clause></subparagraph><subparagraph id="id007b2c139cd04940960f94fb8d4b7a0f"><enum>(B)</enum><header>Federal functional regulator</header><text>The term <term>Federal functional regulator</term> has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6809">15 U.S.C. 
6809</external-xref>).</text></subparagraph><subparagraph id="idf8042f621e064867ae6c7acb582175fb"><enum>(C)</enum><header>Financial institution</header><text>The term <term>financial institution</term> has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6809">15 U.S.C. 6809</external-xref>).</text></subparagraph></paragraph></subsection><subsection id="id475a2bad19a944e89c75f40b8df3aa9d"><enum>(k)</enum><header>Exemption; health privacy</header><paragraph id="id6b0c5e6d7cdb4b5fae89044c10a1e849"><enum>(1)</enum><header>Covered entity or business associate under HITECH Act</header><text>To the extent that a covered entity under this section acts as a covered entity or a business
			 associate
			 under section 13402 of the Health Information Technology for Economic and
			 Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17932">42 U.S.C. 17932</external-xref>), has the obligation to provide
			 notification to individuals following a breach of security under that Act
			 or its implementing regulations, and is in compliance with that
			 obligation, the covered entity shall be deemed in compliance with this
			 section.</text></paragraph><paragraph id="idfad397eb9a624e0ca815e8cabff6d8a6"><enum>(2)</enum><header>Entity subject to HITECH Act</header><text>To the extent that a covered entity under this section acts as a vendor of personal health records,
			 a
			 third party service provider, or other entity subject to section 13407 of
			 the Health Information Technology for Economic and Clinical Health Act
			 (<external-xref legal-doc="usc" parsable-cite="usc/42/17937">42 U.S.C. 17937</external-xref>), has the obligation to provide notification to
			 individuals following a breach of security under that Act or its
			 implementing regulations, and is in compliance with that obligation, the
			 covered entity shall be deemed in compliance with this section.</text></paragraph><paragraph id="idef5c816f069a483e8ea223ba1e8ffaf6"><enum>(3)</enum><header>Limitation of statutory construction</header><text>Nothing in this subtitle may be construed in any way to give effect to the sunset provision under
			 section 13407(g)(2) of the Health Information Technology for Economic and
			 Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17937">42 U.S.C. 17937(g)(2)</external-xref>) or to otherwise limit or
			 affect the applicability, under section 13407 of that Act, of the
			 requirement to provide notification to individuals following a breach of
			 security for vendors of personal health records and each entity described
			 in clause (ii), (iii), or (iv) of section 13424(b)(1)(A) of that Act (42
			 U.S.C. 17953(b)(1)(A)).</text></paragraph></subsection><subsection id="id9430a90a324d4caba4047a2677d42992"><enum>(l)</enum><header>Internet website notice of Federal Trade Commission</header><text>If the Commission, upon receiving notification of any breach of security that is reported to the
			 Commission, finds that notification of the breach of security via the
			 Commission's Internet website would be in the public interest or for the
			 protection of consumers, the Commission shall place such a notice in a
			 clear and conspicuous location on its Internet website.</text></subsection><subsection id="id04c0b1fc847743f297e33968eee3b070"><enum>(m)</enum><header>FTC study on notification in languages in addition to English</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall conduct a
			 study
			 on the feasibility and advisability of requiring notification provided
			 pursuant to subsection (d)(1) to be provided in a language in
			 addition to English to individuals known to speak only such other
			 language.</text></subsection></section><section id="id57e4b856395e430787f0b54df0e0bea5"><enum>143.</enum><header>Notice to law enforcement</header><subsection id="id544cc35fa05548f280e9d807158d69a4"><enum>(a)</enum><header>Designation of Government entity To receive notice</header><text>Not later than 60 days after the date of the enactment of this Act, the Secretary of Homeland
			 Security shall designate a Federal Government entity to receive
			 notice under this section.</text></subsection><subsection id="id04cff713be42416c822702f97263ddac"><enum>(b)</enum><header>Notice to designated entity</header><text>A covered entity shall notify the designated entity of a breach of security if—</text><paragraph id="id68147a90724549bfb3b57c64b16dbc84"><enum>(1)</enum><text>the number of individuals whose personally identifiable information was, or is reasonably believed
			 to have been,
			 acquired or accessed as a result of the breach of security exceeds 10,000;</text></paragraph><paragraph id="ideea4be455d5c4932958fe7da4c62e9c9"><enum>(2)</enum><text>the breach of security involves a database, networked or integrated databases, or other data system
			 containing the personally identifiable information of more than 1,000,000
			 individuals;</text></paragraph><paragraph id="id94ec0588d5984c7c996122a578d63b3e"><enum>(3)</enum><text>the breach of security involves databases owned by the Federal Government; or</text></paragraph><paragraph id="ide79b03575992407283e62b7dff0552ae"><enum>(4)</enum><text>the breach of security involves primarily personally identifiable information of individuals known
			 to the covered
			 entity to be employees or contractors of the Federal Government involved
			 in national security or law enforcement.</text></paragraph></subsection><subsection id="id71bdeea4150348d1a53501c7f8ccf534"><enum>(c)</enum><header>Content of notices</header><paragraph id="id58e97a5a51354c30bb25200435f46d03"><enum>(1)</enum><header>In general</header><text>Each notice under subsection (b) shall contain the following:</text><subparagraph id="id00d7461e399f4a74a5e28ae604b1d6bb"><enum>(A)</enum><text>The date, estimated date, or estimated date range of the breach of security.</text></subparagraph><subparagraph id="idcae3924d7d85460889ebdb12b8a3d475"><enum>(B)</enum><text>A description of the nature of the breach of security.</text></subparagraph><subparagraph id="id833545498e5442c49e6d613d82ec09d3"><enum>(C)</enum><text>A description of each type of personally identifiable information that was or is reasonably
			 believed to have been
			 acquired or accessed as a result of the breach of security.</text></subparagraph><subparagraph id="id793d6e4b945e4caeb980e937ff3c6af1"><enum>(D)</enum><text>A statement of each paragraph under subsection (b) that applies to the breach of security.</text></subparagraph></paragraph><paragraph id="id0dac3ddfac104535891194eb14767f15"><enum>(2)</enum><header>Construction</header><text>Nothing in this section shall be construed to require a covered entity to reveal specific or
			 identifying information about an individual as part of the notice under
			 paragraph (1).</text></paragraph></subsection><subsection id="id115772ece9c8404c9c165b7b6dd09513"><enum>(d)</enum><header>Notice by designated entity</header><text>The designated entity shall promptly provide each notice it receives under subsection (b) to the
			 following:</text><paragraph id="idf8362fb463d042a59b1fff16b4451ff2"><enum>(1)</enum><text>The United States Secret Service.</text></paragraph><paragraph id="id4d280072831549e7a243c3c425e7b19b"><enum>(2)</enum><text>The Federal Bureau of Investigation.</text></paragraph><paragraph id="id08b5d81d179a4fb6a182880b230fe192"><enum>(3)</enum><text>The Commission.</text></paragraph><paragraph id="id7dc2a85c517e4c86ab009931f8eec654"><enum>(4)</enum><text>The United States Postal Inspection Service, if the breach of security involves mail fraud.</text></paragraph><paragraph id="id7552babf668142db87acf7a14c703a7a"><enum>(5)</enum><text>The attorney general of each State affected by the breach of security.</text></paragraph><paragraph id="ide984b7646ee64b6aaa786bf34e08e2ba"><enum>(6)</enum><text>Such other Federal agencies as the designated entity considers appropriate for law enforcement,
			 national security, or data security
			 purposes.</text></paragraph></subsection><subsection id="id4ce8bb81b6fc4fa08ee254fb13076c11"><enum>(e)</enum><header>Timing of notices</header><text>Notice under this section shall be delivered as follows:</text><paragraph id="ida9d0d51d50ea4345a64259f231331e1b"><enum>(1)</enum><text>Notice under subsection (b) shall be delivered as promptly as possible, but—</text><subparagraph id="id707bc0df3dc04717aa8f305adc4d63aa"><enum>(A)</enum><text>not less than 3 business days before notification to an individual under section 142(a)(1); and</text></subparagraph><subparagraph id="idb024ce59ec074fd4b9cf9a5d49e48e7e"><enum>(B)</enum><text>not later than 10 days after the date of discovery of the events requiring notice.</text></subparagraph></paragraph><paragraph id="id930d13257bad40598fd3f40e7a5471a9"><enum>(2)</enum><text>Notice under subsection (d) shall be delivered as promptly as possible, but not later than 1
			 business day after the date that the designated entity receives notice of
			 a breach of security from a covered entity.</text></paragraph></subsection></section></subtitle><subtitle id="IDB55C089BDF6B4CA2BA22D13C1581D668">
				<enum>E</enum>
				<header>Enforcement</header>
				<section id="ID1D14C2EED2E144B9BE84CC259257D950">
					<enum>151.</enum>
					<header>General
			 application</header>
					<text display-inline="no-display-inline">The requirements
			 of this title shall apply to any person who—</text>
					<paragraph id="IDDABA742D20C847DCBF1135318135B8D3">
						<enum>(1)</enum>
						<text>collects, uses,
			 transfers, or stores covered information concerning more than 5,000
			 individuals
			 during any consecutive 12-month period; and</text>
					</paragraph><paragraph id="ID237F2B4C8FFB48018900251ED4854082">
						<enum>(2)</enum>
						<text>is—</text>
						<subparagraph id="ID8725363053394A7EBE6FE47DAA801DCA">
							<enum>(A)</enum>
							<text>a person over
			 which the Commission has authority pursuant to section 5(a)(2) of the
			 <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15
			 U.S.C. 45(a)(2));</text>
						</subparagraph><subparagraph id="ID1D98A5D93214465E8D5B9F630D87E711">
							<enum>(B)</enum>
							<text>a common carrier
			 subject to the <act-name parsable-cite="CA34">Communications Act of
			 1934</act-name> (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151 et seq.</external-xref>), notwithstanding the definition of the
			 term <quote>Acts to regulate commerce</quote> in section 4 of the
			 <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15
			 U.S.C. 44) and the exception provided by section 5(a)(2) of the
			 <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15
			 U.S.C. 45(a)(2)) for such carriers; or</text>
						</subparagraph><subparagraph id="ID518BDB709A0D4D029C729AADEA8BFBE7">
							<enum>(C)</enum>
							<text>a nonprofit
			 organization, including any organization described in section 501(c) of
			 the
			 Internal Revenue Code of 1986 that is exempt from taxation under section
			 501(a)
			 of such Code, notwithstanding the definition of the term <quote>Acts to
			 regulate commerce</quote> in section 4 of the <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref>) and
			 the exception provided by section 5(a)(2) of the <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15 U.S.C.
			 45(a)(2)) for such organizations.</text>
						</subparagraph></paragraph></section><section id="ID4E7960C9B01F45788D6AD21C175529CC">
					<enum>152.</enum>
					<header>Enforcement by
			 the Federal Trade Commission</header>
					<subsection id="IDF83B488A593E461B81EF60C5308B695B">
						<enum>(a)</enum>
						<header>Unfair or
			 deceptive acts or practices</header>
						<text>A reckless or repetitive violation of
			 a provision of this title, except section 143,
			 shall
			 be
			 treated as an unfair or deceptive act or practice in violation of a
			 regulation
			 under section 18(a)(1)(B) of the <act-name parsable-cite="FTCA">Federal Trade
			 Commission Act</act-name> (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or
			 deceptive acts or practices.</text>
					</subsection><subsection id="IDA754B63077F54F18AF2116B2AFB4C435">
						<enum>(b)</enum>
						<header>Powers of
			 commission</header>
						<paragraph id="ID47EB07B95B2946C4B92B1CC498852057">
							<enum>(1)</enum>
							<header>In
			 general</header>
							<text>Except as provided in paragraph (3), the Commission shall enforce this title, except section 143,
			 in the same manner,
			 by the same means, and with the same jurisdiction, powers, and duties as
			 though
			 all applicable terms and provisions of the <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15 U.S.C. 41 et
			 seq.) were incorporated into and made a part of this title.</text></paragraph><paragraph id="id9F91CC460E944FADB5363A4885A56314"><enum>(2)</enum><header>Privileges and immunities</header><text>Except as provided in paragraph (3), any person who
			 violates a provision of this title, except section 143, shall be
			 subject to
			 the penalties and entitled to the privileges and immunities provided in
			 the
			 Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text>
						</paragraph><paragraph id="ID4D03D65F7C3448A48A26AF01BE6DB371">
							<enum>(3)</enum>
							<header>Common carriers and nonprofit organizations</header>
							<text>The Commission shall enforce this title, except section 143, with respect to common carriers and
			 nonprofit
			 organizations
			 described in section 151 to the extent necessary to effectuate the
			 purposes of
			 this title as if such carriers and nonprofit organizations were persons
			 over
			 which the Commission has authority pursuant to section 5(a)(2) of the
			 <act-name parsable-cite="FTCA">Federal Trade Commission Act</act-name> (15
			 U.S.C. 45(a)(2)).</text>
						</paragraph></subsection><subsection id="IDE443486922B44940954F55A03CA6CF14">
						<enum>(c)</enum>
						<header>Rulemaking
			 authority</header>
						<paragraph id="ID50D6DE4212D94091BA63E543D5694E34">
							<enum>(1)</enum>
							<header>Limitation</header>
							<text>In
			 promulgating rules under this title, the Commission may not require the
			 deployment or use of any specific products or technologies, including any
			 specific computer software or hardware.</text>
						</paragraph><paragraph id="ID43F4D13C32A44D19B9128775004A404D">
							<enum>(2)</enum>
							<header>Administrative
			 procedure</header>
							<text>The Commission shall promulgate regulations under this
			 title in accordance with <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5, United States Code.</text></paragraph></subsection><subsection id="id18ee8849911e414b9ea687a0a3e5433d"><enum>(d)</enum><header>Rule of construction</header><text>Nothing in this title shall be construed to limit the authority of the Commission under any other
			 provision of law.</text></subsection></section><section id="idcd5daf6c6ffe47ff9c49875dedc1e400"><enum>153.</enum><header>Enforcement by Attorney General</header><subsection id="idd0adfb4d5d0841668ef4c9e592f329f6"><enum>(a)</enum><header>In general</header><text>The Attorney General may bring a civil action in the appropriate United States district court
			 against any covered entity that engages in conduct constituting a
			 violation of section 143.</text></subsection><subsection id="id22a78e0079634bf29bcf56cf0412ba8e"><enum>(b)</enum><header>Penalties</header><paragraph id="id1c748e6eec26469194db3bce38fe7ab6"><enum>(1)</enum><header>In general</header><text>Upon proof of such conduct by a preponderance of the evidence, a covered entity shall be subject to
			 a civil penalty of not more than $1,000 per individual whose personally
			 identifiable information was or is reasonably believed to have been
			 accessed or
			 acquired as a result of the breach of security that is the basis of the
			 violation, up to a maximum of $100,000 per day while such violation
			 persists.</text></paragraph><paragraph id="id58797ac8a22e440c996bf0456431881d"><enum>(2)</enum><header>Limitations</header><text>The total amount of the civil penalty assessed under this subsection against a covered entity for
			 acts or omissions relating to a single breach of security shall not exceed
			 $3,000,000, unless the conduct constituting a violation of subtitle D was
			 reckless or repeated, in which case an additional civil penalty of up to
			 $3,000,000 may be imposed.</text></paragraph><paragraph id="ida5b55e913b81445a9f3986bb3cf9e339"><enum>(3)</enum><header>Adjustment for inflation</header><text>Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor
			 Statistics that is after 1 year after the date of the enactment of this
			 Act, and each year thereafter, the amounts specified in paragraphs (1) and
			 (2) shall be increased by the percentage increase in the Consumer Price
			 Index published on that date from the Consumer Price Index published the
			 previous year.</text></paragraph></subsection><subsection id="id2faa14f81ab64ecf86dd54763c7ce417"><enum>(c)</enum><header>Injunctive actions</header><text>If it appears that a covered entity has engaged, or is engaged, in any act or practice that
			 constitutes a violation of subtitle D, the Attorney General may petition
			 an appropriate United States district court for an order enjoining such
			 practice or enforcing compliance with such subtitle.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id74012a6dddcc486b9a251fa1790663f9"><enum>(d)</enum><header>Issuance of order</header><text>A court may issue such an order under paragraph (c) if it finds that the conduct in question
			 constitutes a violation of subtitle D.</text></subsection></section><section id="IDB9D3FF75855C4C6999C5881071D2FD6E">
					<enum>154.</enum>
					<header>Enforcement by
			 States</header>
					<subsection id="IDB3A44622CE7F4E4F9CF531BDD600A608">
						<enum>(a)</enum>
						<header>Civil
			 action</header>
						<text>In any case in which the attorney general of a State has
			 reason to believe that an interest of the residents of that State has been
			 or
			 is adversely affected by a covered entity who violates any part of this
			 title in
			 a manner that results in economic or physical harm to an individual or
			 engages
			 in a pattern or practice that violates any part of this title other than
			 section 143, the attorney general may, as parens patriae, bring a civil
			 action on
			 behalf of the residents of the State in an appropriate district court of
			 the
			 United States—</text>
						<paragraph id="IDEE6E90E78360429A9D274F516CA3921A">
							<enum>(1)</enum>
							<text>to enjoin further
			 violation of this title or a regulation promulgated under this title by
			 the
			 defendant;</text>
						</paragraph><paragraph id="ID3289D48ED2994534B1D31EA559431784">
							<enum>(2)</enum>
							<text>to compel
			 compliance with this title or a regulation promulgated under this title;
			 or</text>
						</paragraph><paragraph id="ID9ABB135527764D0C8E2A099C9A709907">
							<enum>(3)</enum>
							<text>for violations of
			 this title or a regulation promulgated under this title to obtain civil
			 penalties
			 in the amount determined under section title.</text>
						</paragraph></subsection><subsection id="id2724F1BDE09F4A2D8521F59360770F28">
						<enum>(b)</enum>
						<header>Rights of
			 Federal Trade Commission</header>
						<paragraph id="idC0B790DC068D4BC1A67B1299122C65FB">
							<enum>(1)</enum>
							<header>Notice to
			 Federal Trade Commission</header>
							<subparagraph id="id382AB7FFFA0147ABA5FE47CB012A4AB3">
								<enum>(A)</enum>
								<header>In
			 general</header>
								<text>Except as provided in subparagraph (C), the attorney
			 general of a State shall notify the Commission in writing of
			 any
			 civil action under subsection (b), prior to initiating such civil
			 action.</text>
							</subparagraph><subparagraph id="id9CA7BBEEF49546DE9BE7667CFB63720B">
								<enum>(B)</enum>
								<header>Contents</header>
								<text>The
			 notice required by subparagraph (A) shall include a copy of the complaint
			 to be
			 filed to initiate such civil action.</text>
							</subparagraph><subparagraph id="id06BB6C08B4D845E987AF62E06484E082">
								<enum>(C)</enum>
								<header>Exception</header>
								<text>If
			 it is not feasible for the attorney general of a State to provide the
			 notice
			 required by subparagraph (A), the State shall provide notice immediately
			 upon
			 instituting a civil action under subsection (b).</text>
							</subparagraph></paragraph><paragraph id="idFDA71129413D49D091CB7378BDC4CDF7">
							<enum>(2)</enum>
							<header>Intervention by
			 Federal Trade Commission</header>
							<text>Upon receiving notice required by
			 paragraph (1) with respect to a civil action, the Commission
			 may—</text>
							<subparagraph id="id29250F981EFF4C33AAC89F00E4FD620D">
								<enum>(A)</enum>
								<text>intervene in such
			 action; and</text>
							</subparagraph><subparagraph id="id58B841634B2144CFAF8EA4CB2D5F1208">
								<enum>(B)</enum>
								<text>upon
			 intervening—</text>
								<clause id="id1D60CA42B48142F7A2BB2BC56A3C0725">
									<enum>(i)</enum>
									<text>be
			 heard on all matters arising in such civil action; and</text>
								</clause><clause commented="no" display-inline="no-display-inline" id="idEFA533783CF84EC280AA505434FBDA1B">
									<enum>(ii)</enum>
									<text>file petitions
			 for appeal of a decision in such action.</text>
								</clause></subparagraph></paragraph></subsection><subsection id="HFCAC11A2050245859700994D9E465916">
						<enum>(c)</enum>
						<header>Preemptive
			 action by Federal Trade Commission</header>
						<text>If the Commission institutes a civil action for violation of this title or a
			 regulation
			 promulgated under this title, no attorney general of a State may bring a
			 civil
			 action under subsection (a) against any defendant named in the complaint
			 of the
			 Commission for violation of this title or a regulation promulgated under
			 this title
			 that is alleged in such complaint.</text>
					</subsection><subsection id="HD352B695DE604A66B0CCE992535EF35B">
						<enum>(d)</enum>
						<header>Investigatory
			 powers</header>
						<text>Nothing in this section may be construed to prevent the
			 attorney general of a State from exercising the powers conferred on such
			 attorney general by the laws of such State to conduct investigations or to
			 administer oaths or affirmations or to compel the attendance of witnesses
			 or
			 the production of documentary and other evidence.</text></subsection><subsection commented="no" id="idF45716195150436CAEA7BD63FD6D340F"><enum>(e)</enum><header>Venue; service
			 of process</header>
						<paragraph commented="no" id="id0A67EA6EA218494B9BB9AC3C4814FCD5"><enum>(1)</enum><header>Venue</header><text>Any
			 action brought under subsection (a) may be brought in—</text>
							<subparagraph commented="no" id="id86559A108F1B4EC5BFDDA77B2955AEFD"><enum>(A)</enum><text>the
			 district court of the United States that meets applicable requirements
			 relating
			 to venue under <external-xref legal-doc="usc" parsable-cite="usc/28/1391">section 1391</external-xref> of title 28, United States Code; or</text>
							</subparagraph><subparagraph commented="no" id="idDAC0C565E8D3474F8E26FBF81D95D342"><enum>(B)</enum><text>another court of
			 competent jurisdiction.</text>
							</subparagraph></paragraph><paragraph commented="no" id="id266E36A39A3E40F68557649A1932E544"><enum>(2)</enum><header>Service of
			 process</header><text>In an action brought under subsection (a), process may be
			 served in any district in which the defendant—</text>
							<subparagraph commented="no" id="id1FE9A42E217B4ABEBB56252C9C709EAB"><enum>(A)</enum><text>is
			 an inhabitant; or</text>
							</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idA5CF19E48BAF45F4AF021EBD7E12E7AC"><enum>(B)</enum><text>may be
			 found.</text>
							</subparagraph></paragraph></subsection><subsection commented="no" id="idE2B7EC2B71254531859D2E5E10762CC3"><enum>(f)</enum><header>Actions by other
			 State officials</header>
						<paragraph commented="no" id="id4D5DD688630347AA904252A17B23D2AC"><enum>(1)</enum><header>In
			 general</header><text>In addition to civil actions brought by attorneys general
			 under subsection (a), any other officer of a State who is authorized by
			 the
			 State to do so may bring a civil action under subsection (a), subject to
			 the
			 same requirements and limitations that apply under this section to
			 civil
			 actions brought by attorneys general.</text>
						</paragraph><paragraph commented="no" display-inline="no-display-inline" id="idBE217025D7C34EA58348DA6461F3753C"><enum>(2)</enum><header>Savings
			 provision</header><text>Nothing in this section may be construed to prohibit
			 an authorized official of a State from initiating or continuing any
			 proceeding
			 in a court of the State for a violation of any civil or criminal law of
			 the
			 State.</text></paragraph></subsection></section><section id="ID981AD43AE0394BDEB8D21B253FAA49EA">
					<enum>155.</enum>
					<header>Civil
			 penalties</header>
					<subsection id="IDF39B3B42965243ADAB8FAB655A14D38A">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text>In an action brought under section 154, in addition to
			 any other penalty otherwise applicable to a violation of this title or any
			 regulation promulgated under this title, the following civil penalties
			 shall
			 apply:</text>
						<paragraph id="ID6AC51CE36498490390C3D8CE8DD230B7">
							<enum>(1)</enum>
							<header>Subtitle A
			 violations</header>
							<text>A covered entity that recklessly or repeatedly violates
			 subtitle A is liable for a civil penalty equal to the amount calculated by
			 multiplying the number of days that the entity is not in compliance with
			 such
			 subtitle by an amount not to exceed $33,000.</text>
						</paragraph><paragraph id="IDC54FAC86A9CA4E719CE5FCD979FDA3A1">
							<enum>(2)</enum>
							<header>Subtitle B
			 violations</header>
							<text>A covered entity that recklessly or repeatedly violates
			 subtitle B is liable for a civil penalty equal to the amount calculated by
			 multiplying the number of days that such an entity is not in compliance
			 with
			 such subtitle, or the number of individuals for whom the entity failed to
			 obtain
			 consent as required by such subtitle, whichever is greater, by an amount
			 not
			 to
			 exceed $33,000.</text></paragraph><paragraph id="idd36f2f42bf154f30a59de7e9feb9641e"><enum>(3)</enum><header>Subtitle D violations</header><text>A covered entity that recklessly or repeatedly violates section 142 is liable for a civil penalty
			 equal to the amount calculated by multiplying the number of violations of
			 such section by an amount not to exceed $33,000. Each failure to send
			 notification as required under such section to a resident of the State
			 shall be treated as a separate violation.</text></paragraph></subsection><subsection id="IDE95FC862199F4C7FA8C9B186A5220300">
						<enum>(b)</enum>
						<header>Adjustment for
			 inflation</header>
						<text>Beginning on the date that the Consumer Price Index for
			 All Urban Consumers is first published by the Bureau of Labor Statistics
			 that
			 is after 1 year after the date of the enactment of this Act, and each year
			 thereafter, each of the amounts specified in subsection (a) shall be
			 increased
			 by the percentage increase in the Consumer Price Index published on that
			 date
			 from the Consumer Price Index published the previous year.</text>
					</subsection><subsection id="ID2B786D7AD4234B9F98837B8459E1FC7E">
						<enum>(c)</enum>
						<header>Maximum total
			 liability</header>
						<text>Notwithstanding the number of actions which may be
			 brought against a covered entity under section 154, the maximum civil
			 penalty
			 for which any covered entity may be liable under this section in such
			 actions
			 shall not exceed—</text>
						<paragraph id="ID0A5F7851927140C8A505329FEB3814EB">
							<enum>(1)</enum>
							<text>$6,000,000 for
			 any related series of violations of any rule promulgated under subtitle A;</text>
						</paragraph><paragraph id="IDC81E2B383CEF4AE5B030275546ED928B">
							<enum>(2)</enum>
							<text>$6,000,000 for
			 any related series of violations of subtitle B; and</text>
						</paragraph><paragraph id="id3A5BEAFF5AC947B083310453669ACEE9"><enum>(3)</enum><text>$6,000,000 for any related series of violations of section 142.</text></paragraph></subsection></section><section id="ID85D25D4A4E0C47DB9BE3407B43191594">
					<enum>156.</enum>
					<header>Effect on
			 other laws</header>
					<subsection id="ID78D5364096A340D19B1D07F2F127078E">
						<enum>(a)</enum>
						<header>Preemption of
			 State laws</header>
						<text>The provisions of this title shall supersede any
			 provisions of the law of any State relating to those entities covered by
			 the
			 regulations issued pursuant to this title, to the extent that such
			 provisions
			 relate to the collection, use, or disclosure of—</text>
						<paragraph id="id5729696FCA234FE78ED6279D164FAB8A">
							<enum>(1)</enum>
							<text>covered
			 information addressed in this title; or</text>
						</paragraph><paragraph id="id734BD5E72E2A4B39B1F6F2FB85130EB6">
							<enum>(2)</enum>
							<text>personally
			 identifiable information or personal identification information addressed
			 in
			 provisions of the law of a State.</text>
						</paragraph></subsection><subsection id="ID58EA0B8D7B86498184C56D916E61C1B5">
						<enum>(b)</enum>
						<header>Unauthorized
			 civil actions; certain State laws</header>
						<paragraph id="IDAEC0985CE9D54D9F95EC6D34EF695C8B">
							<enum>(1)</enum>
							<header>Unauthorized
			 actions</header>
							<text>No person other than a person specified in section 154
			 may bring a civil action under the laws of any State if such action is
			 premised
			 in whole or in part upon the defendant violating this title or a
			 regulation
			 promulgated under this title.</text>
						</paragraph><paragraph id="ID726CBDD5B9734DB0A6A32A14047815F6">
							<enum>(2)</enum>
							<header>Protection of
			 certain state laws</header>
							<text>This title shall not be construed to preempt the
			 applicability of—</text>
							<subparagraph id="ID38B50830DB3B4832A3B8FFCDB0A33CC9">
								<enum>(A)</enum>
								<text>State laws that
			 address the collection, use, or disclosure of health information or
			 financial
			 information; or</text>
							</subparagraph><subparagraph id="ID199F2041BA474A198F92F5D6C79E55E0">
								<enum>(B)</enum>
								<text>other State laws
			 to the extent that those laws relate to acts of fraud.</text>
							</subparagraph></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="ID7741578E61A94B14B36C511333F3DAB7">
						<enum>(c)</enum>
						<header>Rule of
			 construction relating to required disclosures to government
			 entities</header>
						<text>This title shall not be construed to expand or limit the
			 duty or authority of a covered entity or third party to disclose
			 personally
			 identifiable information to a government entity under any provision of
			 law.</text>
					</subsection></section><section id="ID8089E0D9CD894FFDAE004119801BADBB">
					<enum>157.</enum>
					<header>No private
			 right of action</header>
					<text display-inline="no-display-inline">This title may
			 not be construed to provide any private right of action.</text></section></subtitle><subtitle id="ID1DAB2E3D98B747799A58621C13AC0425">
				<enum>F</enum>
				<header>Co-Regulatory
			 safe harbor programs</header>
				<section id="ID0B24BA96848841EF8BDA9B996129645C">
					<enum>161.</enum>
					<header>Establishment
			 of safe harbor programs</header>
					<subsection id="IDdfedd18bcc6a45eb804b9ea6c6b22047">
						<enum>(a)</enum>
						<header>In
			 general</header>
						<text>Not later than 1 year after the date of the enactment
			 of this Act, the Commission shall initiate a rulemaking proceeding to
			 establish
			 requirements for the establishment and administration of safe harbor
			 programs
			 under which a nongovernmental organization will administer a program
			 that—</text>
						<paragraph id="IDe12bfe769e1943cb8f2d03c266769605">
							<enum>(1)</enum>
							<text>establishes a
			 mechanism for participants to implement the requirements of this title
			 with
			 regard to—</text>
							<subparagraph id="IDad844a064a0d495f92bd68a9e9110ff9">
								<enum>(A)</enum>
								<text>certain types of
			 unauthorized uses of covered information as described in paragraph (2);
			 or</text>
							</subparagraph><subparagraph id="id390D2530EDFC4A8E94DE6BF740D6C11C">
								<enum>(B)</enum>
								<text>any unauthorized
			 use of covered information; and</text>
							</subparagraph></paragraph><paragraph id="ID7f798a505cd5423daa6e5ca477c90c2e">
							<enum>(2)</enum>
							<text>offers consumers
			 a clear, conspicuous, persistent, and effective means of opting out of the
			 transfer of covered information by a covered entity participating in the
			 safe
			 harbor program to a third party for—</text>
							<subparagraph id="ID7566f8139c9644799096db5a6c68738a">
								<enum>(A)</enum>
								<text>behavioral
			 advertising purposes;</text>
							</subparagraph><subparagraph id="IDf5bb463f3c9b4286a26c2429e8e5a3b0">
								<enum>(B)</enum>
								<text>location-based
			 advertising purposes;</text>
							</subparagraph><subparagraph id="ID1a8e65d18a904e2ea3304a0bedd9a2b2">
								<enum>(C)</enum>
								<text>other specific
			 types of unauthorized use; or</text>
							</subparagraph><subparagraph id="ID6708160a0bba4034a1c8d9a63a373a9d">
								<enum>(D)</enum>
								<text>any unauthorized
			 use.</text>
							</subparagraph></paragraph></subsection><subsection id="ID03c8c98ee1234bee9d45bc985fc1c466">
						<enum>(b)</enum>
						<header>Selection of
			 nongovernmental organizations To administer program</header>
						<paragraph id="id675B6EE34AB748DFBF80337AC65A1AB1">
							<enum>(1)</enum>
							<header>Submittal of
			 applications</header>
							<text>An applicant seeking to administer a program under
			 the requirements established pursuant to subsection (a) shall submit to
			 the
			 Commission an application therefor at such time, in such manner, and
			 containing
			 such information as the Commission may require.</text>
						</paragraph><paragraph id="idDF9DA1ABEFAE4D27806413D8CE578C77">
							<enum>(2)</enum>
							<header>Notice and
			 receipt of applications</header>
							<text>Upon completion of the rulemaking
			 proceedings required by subsection (a), the Commission shall—</text>
							<subparagraph id="idE8688D0AEBB14B559D06741634276544">
								<enum>(A)</enum>
								<text>publish a notice
			 in the Federal Register that it will receive applications for approval of
			 safe
			 harbor programs under this subtitle; and</text>
							</subparagraph><subparagraph id="idFDE598136FCB4C33B147D8A0F006BE55">
								<enum>(B)</enum>
								<text>begin receiving
			 applications under paragraph (1).</text>
							</subparagraph></paragraph><paragraph id="idD2FBE66007AE41208802BF30A51FDFA7">
							<enum>(3)</enum>
							<header>Selection</header>
							<text>Not
			 later than 270 days after the date on which the Commission receives a
			 completed
			 application under this subsection, the Commission shall grant or deny the
			 application on the basis of the Commission's evaluation of the applicant’s
			 capacity to provide protection of individuals’ covered information with
			 regard
			 to specific types of unauthorized uses of covered information as described
			 in
			 subsection (a)(2) that is substantially equivalent to or superior to the
			 protection otherwise provided under this title.</text>
						</paragraph><paragraph id="id49C468BC557A4C60800FDF2237B9F38C">
							<enum>(4)</enum>
							<header>Written
			 findings</header>
							<text>Any decision reached by the Commission under this
			 subsection shall be accompanied by written findings setting forth the
			 basis for
			 and reasons supporting such decision.</text>
						</paragraph></subsection><subsection id="IDcfad05169b7d4fa4b433ad7fd7625b56">
						<enum>(c)</enum>
						<header>Scope of safe
			 harbor protection</header>
						<text>The scope of protection offered by safe harbor
			 programs approved by the Commission that establish mechanisms for
			 participants
			 to implement the requirements of the title only for certain uses of
			 covered
			 information as described in subsection (a)(2) shall be limited to
			 participating
			 entities’ use of those particular types of covered information.</text>
					</subsection><subsection id="ID75c3aec5ef0c4bc182e0582c5e33951c">
						<enum>(d)</enum>
						<header>Supervision by
			 Federal Trade Commission</header>
						<paragraph id="id94E4D62E71584B41A965CCE0C0E1BA39">
							<enum>(1)</enum>
							<header>In
			 general</header>
							<text>The Commission shall exercise oversight and supervisory
			 authority of a safe harbor program approved under this section through—</text>
							<subparagraph id="id69FB54737F7F4DD3885E10B75EB40DCF">
								<enum>(A)</enum>
								<text>ongoing review of
			 the practices of the nongovernmental organization administering the
			 program;</text>
							</subparagraph><subparagraph id="idD5E16446693C43C9871A9895FB81A193">
								<enum>(B)</enum>
								<text>the imposition of
			 civil penalties on the nongovernmental organization if it is not compliant
			 with
			 the requirements established under subsection (a); and</text>
							</subparagraph><subparagraph id="id459BF1A9EB704D0F87950D662FE31EE5">
								<enum>(C)</enum>
								<text>withdrawal of
			 authorization to administer the safe harbor program under this subtitle.</text>
							</subparagraph></paragraph><paragraph id="idD6D2C6564870456B9B268EDDFAA5614A">
							<enum>(2)</enum>
							<header>Annual reports
			 by nongovernmental organizations</header>
							<text>Each year, each nongovernmental
			 organization administering a safe harbor program under this section shall
			 submit to the Commission a report on its activities under this subtitle
			 during the
			 preceding year.</text>
						</paragraph></subsection></section><section id="ID23e53dc29c964d5d92130ea1075d5e8f">
					<enum>162.</enum>
					<header>Participation
			 in safe harbor program</header>
					<subsection id="IDbcdbd78a42bd450980eb431314d14e5e">
						<enum>(a)</enum>
						<header>Exemption</header>
						<text>Any
			 covered entity that participates in, and demonstrates compliance with, a
			 safe
			 harbor program administered under section 161 shall be exempt from any
			 provision of
			 subtitle B or subtitle C if the Commission finds that the requirements of
			 the
			 safe
			 harbor program are substantially the same as or more protective of privacy
			 of
			 individuals than the requirements of the provision from which the
			 exemption is
			 granted.</text>
					</subsection><subsection id="ID6e0f506394ef40ea88d637b04cbadc6b">
						<enum>(b)</enum>
						<header>Limitation</header>
						<text>Nothing
			 in this subtitle shall be construed to exempt any covered entity
			 participating in
			 a safe harbor program from compliance with any other requirement of the
			 regulations promulgated under this title for which the safe harbor does
			 not
			 provide an exception.</text>
					</subsection></section></subtitle><subtitle id="ID8C8750AA42DD466AA0960D135ACD04B7">
				<enum>G</enum>
				<header>Application with
			 other Federal laws</header>
				<section id="ID2D1058163FFC4DFFAAD3C3A95F03B438">
					<enum>171.</enum>
					<header>Application
			 with other Federal laws</header>
					<subsection id="id469DAFFB2E2349F993E670D4E2B12587">
						<enum>(a)</enum>
						<header>Qualified
			 exemption for persons subject to other Federal privacy laws</header>
						<text>If a
			 person is subject to a provision of this title and a provision of a
			 Federal
			 privacy law described in subsection (d), such provision of this title
			 shall
			 not
			 apply to such person to the extent that such provision of Federal privacy
			 law
			 applies to such person.</text>
					</subsection><subsection id="id0478D44F94FB414A8D1EFD343D2C1784">
						<enum>(b)</enum>
						<header>Protection of
			 other Federal privacy laws</header>
						<text>Nothing in this title may be construed
			 to modify, limit, or supersede the operation of the Federal privacy laws
			 described in subsection (d) or the provision of information permitted or
			 required, expressly or by implication, by such laws, with respect to
			 Federal
			 rights and practices.</text>
					</subsection><subsection id="id18164BD22E5941CE91C83C16021FBBED">
						<enum>(c)</enum>
						<header>Communications
			 infrastructure and privacy</header>
						<text>If a person is subject to a provision
			 of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 and
			 551)
			 and a provision of this title, such provision of such section 222 or 631
			 shall
			 not apply to such person to the extent that such provision of this title
			 applies
			 to such person.</text>
					</subsection><subsection id="id202C58563ACB4085B418ECA432F90CA7">
						<enum>(d)</enum>
						<header>Other Federal
			 privacy laws described</header>
						<text>The Federal privacy laws described in this
			 subsection are as follows:</text>
						<paragraph id="idE831933693EE41EB93AFB88C3BC8F238">
							<enum>(1)</enum>
							<text>Section 552a of
			 title 5, United States Code (commonly known as the Privacy Act of 1974).</text>
						</paragraph><paragraph id="idB63161AAF6DD4241B4C7D69E1B28544C">
							<enum>(2)</enum>
							<text>The Right to
			 Financial Privacy Act of 1978 (<external-xref legal-doc="usc" parsable-cite="usc/12/3401">12 U.S.C. 3401 et seq.</external-xref>).</text>
						</paragraph><paragraph id="id61E02E4C47B0412EAFC5C19456F601A6">
							<enum>(3)</enum>
							<text>The Fair Credit
			 Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681 et seq.</external-xref>).</text>
						</paragraph><paragraph id="idD785C582E782479196F7A655C12E1357">
							<enum>(4)</enum>
							<text>The Fair Debt
			 Collection Practices Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1692">15 U.S.C. 1692 et seq.</external-xref>).</text>
						</paragraph><paragraph id="id23C9C59C82CA46878B7ED0E438D910C8">
							<enum>(5)</enum>
							<text>The Children’s
			 Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>).</text>
						</paragraph><paragraph id="id325326C01FD7437AA0908468EE29B805">
							<enum>(6)</enum>
							<text>Title V of the
			 Gramm-Leach-Bliley Act of 1999 (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>).</text>
						</paragraph><paragraph id="id40190CA5472D4652A167100F55E1B16E">
							<enum>(7)</enum>
							<text>Chapters 119,
			 123, and 206 of title 18, United States Code.</text>
						</paragraph><paragraph id="idD4DB16240A0C4776A395DDE94764F9C3">
							<enum>(8)</enum>
							<text>Section 2710 of
			 title 18, United States Code.</text>
						</paragraph><paragraph id="id224B61A4BADE4CA7A417B2389CCEA369">
							<enum>(9)</enum>
							<text>Section 444 of
			 the General Education Provisions Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>) (commonly referred
			 to as
			 the <quote>Family Educational Rights and Privacy Act of 1974</quote>).</text>
						</paragraph><paragraph id="id74D2C21101F5405F8A02E380885D269B">
							<enum>(10)</enum>
							<text>Section 445 of
			 the General Education Provisions Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232h">20 U.S.C. 1232h</external-xref>).</text>
						</paragraph><paragraph id="id47C5DCD2A01C4F5A95BE73632F20A73D">
							<enum>(11)</enum>
							<text>The Privacy
			 Protection Act of 1980 (<external-xref legal-doc="usc" parsable-cite="usc/42/2000aa">42 U.S.C. 2000aa et seq.</external-xref>).</text>
						</paragraph><paragraph id="idA52B77783F364C7C8146F02520EED9B6">
							<enum>(12)</enum>
							<text>The regulations
			 promulgated under section 264(c) of the Health Insurance Portability and
			 Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note), as such regulations
			 relate
			 to a person described in section 1172(a) of the Social Security Act (42
			 U.S.C.
			 1320d–1(a)) or to transactions referred to in section 1173(a)(1) of such
			 Act
			 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(a)(1)</external-xref>).</text>
						</paragraph><paragraph id="idEDA5E0AD214249318F79504927971C7C">
							<enum>(13)</enum>
							<text>The
			 Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et
			 seq.).</text>
						</paragraph><paragraph commented="no" display-inline="no-display-inline" id="idB6F4BBE20F8243159E8BB1DF988D985D">
							<enum>(14)</enum>
							<text>Section 227 of
			 the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/227">47 U.S.C. 227</external-xref>).</text>
						</paragraph></subsection></section></subtitle><subtitle id="IDBDC35D4271CB4F0CB2A6B6FD7D95040D">
				<enum>H</enum>
				<header>Development of
			 commercial data privacy policy in the Department of Commerce</header>
				<section id="IDBF6BD70197A14643AC74A9E8118D1263">
					<enum>181.</enum>
					<header>Direction to
			 develop commercial data privacy policy</header>
					<text display-inline="no-display-inline">The Secretary of Commerce shall contribute
			 to the development of commercial data privacy policy by—</text>
					<paragraph id="ID61CE9BDA78BC41FEA09B380A39953856">
						<enum>(1)</enum>
						<text>convening private
			 sector stakeholders, including members of industry, civil society groups,
			 and academia, in open forums, to develop codes of conduct in support of
			 applications for safe harbor programs under subtitle F;</text>
					</paragraph><paragraph id="IDCFE93F48EDA448A2AB9C26E6096D1815">
						<enum>(2)</enum>
						<text>expanding
			 interoperability between the United States commercial data privacy
			 framework
			 and other national and regional privacy frameworks;</text>
					</paragraph><paragraph id="ID06028F7A2A544ED4A12C49ED6CECA8EF">
						<enum>(3)</enum>
						<text>conducting
			 research related to improving privacy protection under this title; and</text>
					</paragraph><paragraph id="id81655AE7F0D94310938B87D2A10CBF3E">
						<enum>(4)</enum>
						<text>conducting
			 research related to improving data sharing practices, including the use of
			 anonymised data, and growing the information economy.</text></paragraph></section></subtitle></title><title id="idDA2043CD304B49888EA95A74E5653363" style="OLC"><enum>II</enum><header>Online privacy of children</header><section id="idF5D7AE32864F4EEAB2CA023710B1FBD3"><enum>201.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Do Not Track Kids Act of 2014</short-title></quote>.</text></section><section commented="no" id="H104C45DA34BF4C6E814DE9472C8DB054"><enum>202.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds the following:</text><paragraph id="HD1E8F0B7B38E45F79EF243B7139AB4EE"><enum>(1)</enum><text display-inline="yes-display-inline">Since the enactment of the Children’s
			 Online Privacy Protection Act of 1998, the World Wide Web has changed
			 dramatically, with the creation of tens of millions of websites, the
			 proliferation of entirely new media platforms, and the emergence of a
			 diverse
			 ecosystem of services, devices, and applications that enable users to
			 connect
			 wirelessly within an online environment without being tethered to a
			 desktop
			 computer.</text></paragraph><paragraph id="H697711D028AE4705A22297A3FD1B2E01"><enum>(2)</enum><text display-inline="yes-display-inline">The explosive growth of the Internet
			 ecosystem has unleashed a wide array of opportunities to learn,
			 communicate,
			 participate in civic life, access entertainment, and engage in commerce.</text></paragraph><paragraph id="H34B5D533905E4274B65F3E9EEBD0F244"><enum>(3)</enum><text display-inline="yes-display-inline">In addition to these significant benefits,
			 the Internet also presents challenges, particularly with respect to the
			 efforts
			 of entities to track the online activities of children and minors and to
			 collect, use, and disclose personal information about them, including
			 their
			 geolocation, for commercial purposes.</text></paragraph><paragraph id="H7B95CF0A88FF433DA977FA50FCD11EE7"><enum>(4)</enum><text display-inline="yes-display-inline">Children and teens are visiting numerous
			 companies’ websites, and marketers are using multimedia games, online
			 quizzes,
			 and mobile phone and tablet applications to create ties to children and
			 teens.</text></paragraph><paragraph id="HE3E5F87079344D0195F19B0DF9C47D76"><enum>(5)</enum><text display-inline="yes-display-inline">According to a study by the Wall Street
			 Journal in 2010, websites directed to children and teens were more likely
			 to
			 use cookies and other tracking tools than sites directed to a general
			 audience.</text></paragraph><paragraph id="HC4310A116AC645AC804E771E962F96B7"><enum>(6)</enum><text display-inline="yes-display-inline">This study examined 50 popular websites for
			 children and teens in the United States and found that these 50 sites
			 placed
			 4,123 cookies, beacons, and other tracking tools on the test computer used
			 for
			 the study.</text></paragraph><paragraph id="H94B58EEC949A408B9CF05CD55D0AD5B1"><enum>(7)</enum><text display-inline="yes-display-inline">This is 30 percent greater than the number
			 of such tracking tools that were placed on the test computer in a similar
			 study
			 of the 50 overall most popular websites in the United States, which are
			 generally directed to adults.</text></paragraph><paragraph id="H9C1DA584C3164BA296261CA3A91761DB"><enum>(8)</enum><text>Children and teens
			 lack the cognitive ability to distinguish advertising from program content
			 and
			 to understand that the purpose of advertising is to persuade them, making
			 them
			 unable to activate the defenses on which adults rely.</text></paragraph><paragraph id="H4845CA8253C14AF4900051354AF7C6A8"><enum>(9)</enum><text>Children and teens
			 are less able than adults to understand the potential long-term
			 consequences of
			 having their information available to third parties, including
			 advertisers, and
			 other individuals.</text></paragraph><paragraph id="H161AE0F076D247FD886785F01A069944"><enum>(10)</enum><text>According to
			 Common Sense Media and the Center for Digital Democracy, 90 percent of
			 teens
			 have used some form of social media, 75 percent have a social networking
			 site,
			 and 51 percent check their social networking site at least once a day.</text></paragraph><paragraph commented="no" id="H791F040614A34D0E89B0A9871639F79D"><enum>(11)</enum><text>Ninety-one
			 percent of parents and 91 percent of adults believe it is not okay for
			 advertisers to collect information about a child’s location from that
			 child’s
			 mobile phone.</text></paragraph><paragraph commented="no" id="H0687215791914A149FD3846A4FA9489C"><enum>(12)</enum><text>Ninety-four
			 percent of parents and 91 percent of adults agree that advertisers should
			 receive the parent’s permission before putting tracking software on a
			 child’s
			 computer.</text></paragraph><paragraph id="H2F09C41BF8744A68BCC7A8061D0ADD8C"><enum>(13)</enum><text>Ninety-six
			 percent of parents and 94 percent of adults expressed disapproval when
			 asked if
			 it is <quote>okay for a website to ask children for personal information about
			 their friends</quote>.</text></paragraph><paragraph id="H86D2A6285B1A496BADF03B8825366D2E"><enum>(14)</enum><text display-inline="yes-display-inline">Eighty-eight percent of parents would
			 support a law that requires search engines and social networking sites to
			 get
			 users’ permission before using their personal information.</text></paragraph><paragraph id="H1494027570CE438797D3F3F90A9E083E"><enum>(15)</enum><text display-inline="yes-display-inline">A Common Sense Media/Zogby poll found that
			 94 percent of parents and 94 percent of adults believe individuals should
			 have
			 the ability to request the deletion, after a specific period of time, of
			 all of
			 their personal information held by an online search engine, social
			 networking
			 site, or marketing company.</text></paragraph><paragraph id="HEBF126232E714595AAEA237642F389C8"><enum>(16)</enum><text display-inline="yes-display-inline">According to a Pew/Berkman Center poll, 69
			 percent of parents of teens who engage in online activity are concerned
			 about
			 how that activity might affect their children’s future academic or
			 employment
			 opportunities.</text></paragraph><paragraph id="H1DB57E1AEB72481D854ED236E7E7DB6F"><enum>(17)</enum><text display-inline="yes-display-inline">Eighty-one percent of parents of teens who
			 engage in online activity say they are concerned about how much
			 information
			 advertisers can learn about their children’s online activity.</text></paragraph></section><section id="HBF1DE7F91FF845D29614D0F31E5B8C30"><enum>203.</enum><header>Definitions</header><subsection id="HD9C3DD3B60D1493A931BA9E56F0C2B7F"><enum>(a)</enum><header>In
			 general</header><text display-inline="yes-display-inline">In this title:</text><paragraph id="H05FF5328FEA345EFABFC340EDF325912"><enum>(1)</enum><header>Minor</header><text>The
			 term <term>minor</term> means an individual over the age of 12 and under the
			 age of 16.</text></paragraph><paragraph commented="no" id="H8E2F1973A550434DA32B3A082360B5A3"><enum>(2)</enum><header>Targeted
			 marketing</header><text>The term <term>targeted marketing</term> means
			 advertising or other efforts to market a product or service that are
			 directed
			 to a specific individual or device—</text><subparagraph id="HE8CCC83012A14494B797C731B45E3364"><enum>(A)</enum><text>based on the
			 personal information of the individual or a unique identifier of the
			 device;
			 and</text></subparagraph><subparagraph id="HF9920083D76E4754B867ED43C8EC7AD6"><enum>(B)</enum><text display-inline="yes-display-inline">as a result of use by the individual, or
			 access by the device, of a website, online service, online application, or
			 mobile application.</text></subparagraph></paragraph></subsection><subsection id="H21D2EBA88C6E43E0A05BEB2B8E062A94"><enum>(b)</enum><header>Terms defined by
			 Commission</header><text display-inline="yes-display-inline">In this title, the
			 terms <term>directed to minors</term> and <term>geolocation information</term>
			 shall have the meanings given such terms by the Commission by regulation.
			 Not
			 later than 1 year after the date of the enactment of this Act, the
			 Commission
			 shall promulgate, under <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5, United States Code,
			 regulations
			 that define such terms broadly enough so that they are not limited to
			 current
			 technology, consistent with the principles articulated by the Commission
			 regarding the definition of the term <term>Internet</term> in its statement of
			 basis and purpose on the final rule under the Children’s Online Privacy
			 Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>) promulgated on November 3,
			 1999
			 (64 Fed. Reg. 59891).</text></subsection><subsection commented="no" display-inline="no-display-inline" id="H92B2301F98B54CF6A03BCBE70FDDDB57"><enum>(c)</enum><header>Other
			 definitions</header><text display-inline="yes-display-inline">The definitions
			 set forth in section 1302 of the Children’s Online Privacy Protection Act
			 of
			 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501</external-xref>), as amended by section 3(a), shall apply in this
			 title,
			 except to the extent the Commission provides otherwise by regulations
			 issued
			 under <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5, United States Code.</text></subsection></section><section id="HB5783DE0D15D4F45A75E667B53B1D854"><enum>204.</enum><header>Online
			 collection, use, and disclosure of personal information of children</header><subsection id="H9368D68ACAF848909874084B808A6456"><enum>(a)</enum><header>Definitions</header><text display-inline="yes-display-inline">Section 1302 of the Children’s Online
			 Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501</external-xref>) is amended—</text><paragraph id="H6BAE0B363D2C47B49FAD941E6C28A84A"><enum>(1)</enum><text>by amending
			 paragraph (2) to read as follows:</text><quoted-block display-inline="no-display-inline" id="id8AFA0719D5B14F0C954C3F70998727E1" style="OLC"><paragraph id="HAD13AA52BF4E4B2E9FF910E645C94876"><enum>(2)</enum><header>Operator</header><text display-inline="yes-display-inline">The term <term>operator</term>—</text><subparagraph id="HEE0A84539A3C4CD79A5DD7EF7AD97C52"><enum>(A)</enum><text display-inline="yes-display-inline">means any person who, for commercial
				purposes, in interstate or foreign commerce, operates or provides a
			 website on
				the Internet, online service, online application, or mobile
			 application, and
				who—</text><clause id="H778348421A4B409590F58900C8F6C486"><enum>(i)</enum><text display-inline="yes-display-inline">collects or maintains, either directly or
				through a service provider, personal information from or about the
			 users of
				such website, service, or application;</text></clause><clause id="HE9C40BC488F24877BDA3150642C8C8D5"><enum>(ii)</enum><text display-inline="yes-display-inline">allows another person to collect personal
				information directly from users of such website, service, or
			 application (in
				which case the operator is deemed to have collected the
			 information); or</text></clause><clause id="H6E271C90D8B04A8DA042B2E70361178C"><enum>(iii)</enum><text display-inline="yes-display-inline">allows users of such website, service, or
				application to publicly disclose personal information (in which
			 case the
				operator is deemed to have collected the information); and</text></clause></subparagraph><subparagraph commented="no" id="HE3B7A68C7CE64436A497DE404C59FE72"><enum>(B)</enum><text>does not include
				any nonprofit entity that would otherwise be exempt from coverage
			 under section
				5 of the Federal Trade Commission Act (15 U.S.C.
				45).</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="H0A044AF08C21483880D709B20DDD8579"><enum>(2)</enum><text>in paragraph
			 (4)—</text><subparagraph id="HB3D388550AC4415B9D236706E9A06974"><enum>(A)</enum><text>by amending
			 subparagraph (A) to read as follows:</text><quoted-block display-inline="no-display-inline" id="H7A47F1D8BC5C4F7F89104E4F28C11DE7" style="OLC"><subparagraph id="HBB04E3A6832241918B199CCE8D27D183"><enum>(A)</enum><text display-inline="yes-display-inline">the release of personal information for any
				purpose, except where such information is provided to a person
			 other than an
				operator who provides support for the internal operations of the
			 website,
				online service, online application, or mobile application of the
			 operator and
				does not disclose or use that information for any other purpose;
				and</text></subparagraph><after-quoted-block>;
				and</after-quoted-block></quoted-block></subparagraph><subparagraph id="H455672B973B445DC822118553ADE4FEA"><enum>(B)</enum><text>in subparagraph
			 (B), by striking <quote>website or online service</quote> and inserting
			 <quote>website, online service, online application, or mobile
			 application</quote>;</text></subparagraph></paragraph><paragraph id="HF5446FE77A8F4B71A16742A153BDABB0"><enum>(3)</enum><text>in paragraph
			 (8)—</text><subparagraph id="HDD3B8E650D384002B4C6172B75E17D09"><enum>(A)</enum><text>by amending
			 subparagraph (G) to read as follows:</text><quoted-block display-inline="no-display-inline" id="H84EC2D08B02B4D6F9375F63C178E5389" style="OLC"><subparagraph id="H488150444A97413DAC4B4A7C10239C8B"><enum>(G)</enum><text display-inline="yes-display-inline">information concerning a child or the
				parents of that child (including any unique or substantially unique
			 identifier,
				such as a customer number) that an operator collects online from
			 the child and
				combines with an identifier described in subparagraphs (A) through
				(G).</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H873390E10E0349AEA49FEBA4EA259178"><enum>(B)</enum><text>by redesignating
			 subparagraphs (F) and (G) as subparagraphs (G) and (H), respectively;
			 and</text></subparagraph><subparagraph id="HD0FC0F698F5E4348B39A491D98B32146"><enum>(C)</enum><text>by inserting after
			 subparagraph (E) the following new subparagraph:</text><quoted-block display-inline="no-display-inline" id="HB6C062359035473695FDE2A216CF4B05" style="OLC"><subparagraph commented="no" id="HBC35B714B3624F98B41FA3C8DE60E6FB"><enum>(F)</enum><text display-inline="yes-display-inline">information (including an Internet protocol
				address) that permits the identification of an individual, the
			 computer of an
				individual, or any other device used by an individual to access the
			 Internet or
				an online service, online application, or mobile
				application;</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="HC13B290AAF914C61806463DDFA76C5F8"><enum>(4)</enum><text>by striking
			 paragraph (10) and redesignating paragraphs (11) and (12) as paragraphs
			 (10)
			 and (11), respectively; and</text></paragraph><paragraph id="HCA39E96FE5BC4E7D80B80C531206B983"><enum>(5)</enum><text>by adding at the
			 end the following new paragraph:</text><quoted-block display-inline="no-display-inline" id="H5974FEF0CC354288BD88C1CB46A472C9" style="OLC"><paragraph id="H82EDF7560DCF4F91984E4E1CFAE4496F"><enum>(12)</enum><header>Online, online
				service, online application, mobile application, directed to
				children</header><text display-inline="yes-display-inline">The terms
				<term>online</term>, <term>online service</term>, <term>online
				application</term>, <term>mobile application</term>, and <term>directed to
				children</term> shall have the meanings given such terms by the Commission by
				regulation. Not later than 1 year after the date of the enactment
			 of the
				<short-title>Commercial Privacy Bill of Rights Act of 2014</short-title>,
				the Commission shall promulgate, under <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5,
			 United States
				Code, regulations that define such terms broadly enough so that
			 they are not
				limited to current technology, consistent with the principles
			 articulated by
				the Commission regarding the definition of the term <term>Internet</term> in
				its statement of basis and purpose on the final rule under this
			 title
				promulgated on November 3, 1999 (64 Fed. Reg. 59891). The
			 definition of the
				term <term>online service</term> in such regulations shall include broadband
				Internet access service (as defined in the Report and Order of the
			 Federal
				Communications Commission relating to the matter of preserving the
			 open
				Internet and broadband industry practices (FCC 10–201, adopted by
			 the
				Commission on December 21,
				2010)).</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="H62C5F93A583A496D84983D06767D5771"><enum>(b)</enum><header>Online
			 collection, use, and disclosure of personal information of
			 children</header><text display-inline="yes-display-inline">Section 1303 of the
			 Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6502">15 U.S.C. 6502</external-xref>) is
			 amended—</text><paragraph id="H4A67DF061CAC4C0F95F3F556BA5C630A"><enum>(1)</enum><text>by striking the
			 heading and inserting the following: <quote><header-in-text level="section" style="OLC">Online collection, use, and disclosure of personal information of
			 children.</header-in-text></quote>;</text></paragraph><paragraph id="HC9886E45D2B14B96852815A9A9C05137"><enum>(2)</enum><text>in subsection
			 (a)—</text><subparagraph id="H4AC52743EA6C4F1395D529132B08128D"><enum>(A)</enum><text>by amending
			 paragraph (1) to read as follows:</text><quoted-block display-inline="no-display-inline" id="H679BB3D08BFC45FE809E1DBB8D95E728" style="OLC"><paragraph id="H756A234B56274E82A6133DA2C17DCA42"><enum>(1)</enum><header>In
				general</header><text display-inline="yes-display-inline">It is unlawful for an
				operator of a website, online service, online application, or
			 mobile
				application directed to children, or an operator having actual
			 knowledge that
				personal information being collected is from a child, to collect
			 personal
				information from a child in a manner that violates the regulations
			 prescribed
				under subsection (b).</text></paragraph><after-quoted-block>;
				and</after-quoted-block></quoted-block></subparagraph><subparagraph id="HE81BC93FDC4047E097E1B414F054CE6E"><enum>(B)</enum><text>in paragraph
			 (2)—</text><clause id="H8A60DD7CA01848DD958305FC4E7F06AA"><enum>(i)</enum><text>by
			 striking <quote>of such a website or online service</quote>; and</text></clause><clause id="HC0E109849ABE43AEB563D2996F6E2CA9"><enum>(ii)</enum><text>by
			 striking <quote>subsection (b)(1)(B)(iii)</quote> and inserting
			 <quote>subsection (b)(1)(C)(iii)</quote>; and</text></clause></subparagraph></paragraph><paragraph id="HD60420BDEDDB482FA959769C0351CD21"><enum>(3)</enum><text display-inline="yes-display-inline">in subsection (b)—</text><subparagraph id="H8FE655AE8F6B489AA316BB129F5DB194"><enum>(A)</enum><text>by amending
			 paragraph (1) to read as follows:</text><quoted-block display-inline="no-display-inline" id="H8C8F3FA9B78B475A823F00A107321420" style="OLC"><paragraph id="H1D3FBC969609445594A481F8E89A08AA"><enum>(1)</enum><header>In
				general</header><text display-inline="yes-display-inline">Not later than 1 year
				after the date of the enactment of the <short-title>Commercial Privacy Bill of Rights Act of 2014</short-title>, the Commission shall promulgate, under
				<external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5, United States Code, regulations to require
			 an operator
				of a website, online service, online application, or mobile
			 application
				directed to children, or an operator having actual knowledge that
			 personal
				information being collected is from a child—</text><subparagraph id="HA4DC91FB18C64687B89ACF597A9D4BCC"><enum>(A)</enum><text>to provide clear
				and conspicuous notice in clear and plain language of the types of
			 personal
				information the operator collects, how the operator uses such
			 information,
				whether the operator discloses such information, and the procedures
			 or
				mechanisms the operator uses to ensure that personal information is
			 not
				collected from children except in accordance with the regulations
			 promulgated
				under this paragraph;</text></subparagraph><subparagraph id="HD28B34969806437CB7A67FAC308A494C"><enum>(B)</enum><text display-inline="yes-display-inline">to obtain verifiable parental consent for
				the collection, use, or disclosure of personal information of a
			 child;</text></subparagraph><subparagraph id="H46A9336A099848FFBCBFCD15D6F06731"><enum>(C)</enum><text>to provide to a
				parent whose child has provided personal information to the
			 operator, upon
				request by and proper identification of the parent—</text><clause id="H09A47C5F343841D887E149AF61ED6223"><enum>(i)</enum><text>a
				description of the specific types of personal information collected
			 from the
				child by the operator;</text></clause><clause id="H8DEF6A6C5BDD49F583C76B9C47FF102F"><enum>(ii)</enum><text>the opportunity
				at any time to refuse to permit the further use or maintenance in
			 retrievable
				form, or future collection, by the operator of personal information
			 collected
				from the child; and</text></clause><clause id="H7C3CB230BA15464DB594013796F96C67"><enum>(iii)</enum><text>a means that is
				reasonable under the circumstances for the parent to obtain any
			 personal
				information collected from the child, if such information is
			 available to the
				operator at the time the parent makes the request;</text></clause></subparagraph><subparagraph id="HFAC72D7E5A9545B797935D83EC904771"><enum>(D)</enum><text>not to condition
				participation in a game, or use of a website, service, or
			 application, by a
				child on the provision by the child of more personal information
			 than is
				reasonably required to participate in the game or use the website,
			 service, or
				application; and</text></subparagraph><subparagraph id="H6F43BB06C2014060918C071AE906B739"><enum>(E)</enum><text>to establish and
				maintain reasonable procedures to protect the confidentiality,
			 security, and
				integrity of personal information collected from
				children.</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="HC4D27087EA8A4D0A99F1E2F54A763D68"><enum>(B)</enum><text display-inline="yes-display-inline">in paragraph (2)—</text><clause id="H26781792710E4C45BABD610E10C109E2"><enum>(i)</enum><text>in
			 the matter preceding subparagraph (A), by striking <quote>paragraph
			 (1)(A)(ii)</quote> and inserting <quote>paragraph (1)(B)</quote>; and</text></clause><clause id="H5696785382AF4EF3AEAA601F4FDDF5AF"><enum>(ii)</enum><text>in
			 subparagraph (A), by inserting <quote>or to contact a different child</quote>
			 after <quote>to recontact the child</quote>;</text></clause></subparagraph><subparagraph id="H84798315A4674AF39B48B5665125CB6D"><enum>(C)</enum><text display-inline="yes-display-inline">by amending paragraph (3) to read as
			 follows:</text><quoted-block display-inline="no-display-inline" id="HE711DB383E45425BB526E1DC13CFC2F4" style="OLC"><paragraph id="H6B06594F97A64167A52F39A7067C2286"><enum>(3)</enum><header>Continuation of
				service</header><text display-inline="yes-display-inline">The regulations shall
				prohibit an operator from discontinuing service provided to a child
			 on the
				basis of refusal by the parent of the child, under the regulations
			 prescribed
				under paragraph (1)(C)(ii), to permit the further use or
			 maintenance in
				retrievable form, or future collection, by the operator of personal
			 information
				collected from the child, to the extent that the operator is
			 capable of
				providing such service without such
				information.</text></paragraph><after-quoted-block>;
				and</after-quoted-block></quoted-block></subparagraph><subparagraph id="H4064E97FDE354F68995CC98167D23E45"><enum>(D)</enum><text>by adding at the
			 end the following:</text><quoted-block display-inline="no-display-inline" id="H92C7684077F445E99F2843A57BEB9BEA" style="OLC"><paragraph id="H1B5DF9761956496AB54162BF3E9B3F63"><enum>(4)</enum><header>Rule for
				treatment of users of websites, services, and applications directed
			 to
				children</header><text display-inline="yes-display-inline">An operator of a
				website, online service, online application, or mobile application
			 that is
				directed to children shall treat all users of such website,
			 service, or
				application as children for purposes of this title, except as
			 permitted by the
				Commission by a regulation promulgated under this
				title.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></subsection><subsection id="HB5B4C8DDDD634DCA8F5D9BEDD76CB718"><enum>(c)</enum><header>Administration
			 and applicability of Act</header><text display-inline="yes-display-inline">Section 1306 of the Children's Online
			 Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6505">15 U.S.C. 6505</external-xref>) is amended—</text><paragraph commented="no" id="H49E3E673846A49D6882491FEAAE40B2C"><enum>(1)</enum><text>in subsection
			 (b)—</text><subparagraph commented="no" id="H96C6F2D78F76483186ACA458C9CEE2AA"><enum>(A)</enum><text>in paragraph (1),
			 by striking <quote>, in the case of</quote> and all that follows and inserting
			 the following: <quote>by the appropriate Federal banking agency with respect to
			 any insured depository institution (as such terms are defined in section 3
			 of
			 such Act (<external-xref legal-doc="usc" parsable-cite="usc/12/1813">12 U.S.C. 1813</external-xref>));</quote>; and</text></subparagraph><subparagraph commented="no" id="H8DFFFE5802554B20A8ADBB2DAD35DC04"><enum>(B)</enum><text>by striking
			 paragraph (2) and redesignating paragraphs (3) through (6) as paragraphs
			 (2)
			 through (5), respectively; and</text></subparagraph></paragraph><paragraph id="HBECC50AF64E34D488708A3B8C072A5E1"><enum>(2)</enum><text>by adding at the
			 end the following new subsection:</text><quoted-block display-inline="no-display-inline" id="HFEC431880F704F8FA04132E9CC2B9CD5" style="OLC"><subsection display-inline="no-display-inline" id="H72DE33DB352A4246806343416551A128"><enum>(f)</enum><header>Telecommunications
				carriers and cable operators</header><paragraph id="H6CA585F2D96A4BD08BA234915FF87E57"><enum>(1)</enum><header>Enforcement by
				FTC</header><text display-inline="yes-display-inline">Notwithstanding section
				5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>),
			 compliance
				with the requirements imposed under this title shall be enforced by
			 the
				Commission with respect to any telecommunications carrier (as
			 defined in
				section 3 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/153">47 U.S.C. 153</external-xref>)).</text></paragraph><paragraph id="HD51F646C678140AD973B25120F7AC721"><enum>(2)</enum><header>Relationship to
				other law</header><text display-inline="yes-display-inline">To the extent that
				sections 222, 338(i), and 631 of the Communications Act of 1934 (47
			 U.S.C. 222;
				338(i); 551) are inconsistent with this title, this title
				controls.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="HEB629AF6865C433F8F12BC733A14B4E3"><enum>205.</enum><header>Targeted
			 marketing to children or minors</header><subsection id="H020E03BACD3D4D08B106355CFB606D2A"><enum>(a)</enum><header>Acts
			 prohibited</header><text display-inline="yes-display-inline">It is unlawful
			 for—</text><paragraph id="HC7133CB270064BF59C58967AA14F92E1"><enum>(1)</enum><text display-inline="yes-display-inline">an operator of a website, online service,
			 online application, or mobile application directed to children, or an
			 operator
			 having actual knowledge that personal information being collected is from
			 a
			 child, to use, disclose to third parties, or compile personal information
			 for
			 targeted marketing purposes without verifiable parental consent; or</text></paragraph><paragraph id="H98A6D4DC3C11479994A4B361D7AF8D25"><enum>(2)</enum><text display-inline="yes-display-inline">an operator of a website, online service,
			 online application, or mobile application directed to minors, or an
			 operator
			 having actual knowledge that personal information being collected is from
			 a
			 minor, to use, disclose to third parties, or compile personal information
			 for
			 targeted marketing purposes without the consent of the minor.</text></paragraph></subsection><subsection id="H349CC2B20F3F409C90BBCF9DDCA27EB4"><enum>(b)</enum><header>Regulations</header><text display-inline="yes-display-inline">Not later than 1 year after the date of the
			 enactment of this Act, the Commission shall promulgate, under section 553
			 of
			 title 5, United States Code, regulations to implement this section.</text></subsection></section><section id="H9F96ECE430CD469FA7DBDD9CA988AB01"><enum>206.</enum><header>Digital Marketing
			 Bill of Rights for Teens and Fair Information Practices Principles</header><subsection id="HFFF90B1FB1C94D44B4BAAA6BC954F8C4"><enum>(a)</enum><header>Acts
			 prohibited</header><text display-inline="yes-display-inline">It is unlawful for
			 an operator of a website, online service, online application, or mobile
			 application directed to minors, or an operator having actual knowledge
			 that
			 personal information being collected is from a minor, to collect personal
			 information from a minor unless such operator has adopted and complies
			 with a
			 Digital Marketing Bill of Rights for Teens that is consistent with the
			 Fair
			 Information Practices Principles described in subsection (b).</text></subsection><subsection id="HAFE64244ADB24A65B00EB9D68272DBB4"><enum>(b)</enum><header>Fair Information
			 Practices Principles</header><text display-inline="yes-display-inline">The Fair
			 Information Practices Principles described in this subsection are the
			 following:</text><paragraph id="H8AB905ECDE1740E0A6B7875DB9F9620C"><enum>(1)</enum><header>Collection
			 limitation principle</header><text display-inline="yes-display-inline">Except
			 as provided in paragraph (3), personal information should be collected
			 from a
			 minor only when collection of the personal information is—</text><subparagraph id="H1737E3CB53DD49869559FD4F89D9FBE1"><enum>(A)</enum><text display-inline="yes-display-inline">consistent with the context of a particular
			 transaction or service or the relationship of the minor with the operator,
			 including collection necessary to fulfill a transaction or provide a
			 service
			 requested by the minor; or</text></subparagraph><subparagraph id="H37D1DC68F4D34ED3A1CB23F3344D1A29"><enum>(B)</enum><text>required or
			 specifically authorized by law.</text></subparagraph></paragraph><paragraph id="H95579177440C430F82EA53CC6B4F2F3B"><enum>(2)</enum><header>Data quality
			 principle</header><text display-inline="yes-display-inline">The personal
			 information of a minor should be accurate, complete, and kept up-to-date
			 to the
			 extent necessary to fulfill the purposes described in subparagraphs (A)
			 through
			 (D) of paragraph (3).</text></paragraph><paragraph id="H5768214B921F4181B96CABEBD029604E"><enum>(3)</enum><header>Purpose
			 specification principle</header><text display-inline="yes-display-inline">The
			 purposes for which personal information is collected should be specified
			 to the
			 minor not later than at the time of the collection of the information. The
			 subsequent use or disclosure of the information should be limited to—</text><subparagraph id="HA7EF708EEB40482F9022EEA1E62887E9"><enum>(A)</enum><text>fulfillment of the
			 transaction or service requested by the minor;</text></subparagraph><subparagraph id="HD90DF8CDF3D747E2B45E0A496B11084E"><enum>(B)</enum><text>support for the
			 internal operations of the website, service, or application, as described
			 in
			 <external-xref legal-doc="regulation" parsable-cite="cfr/16/312.2">section 312.2</external-xref> of title 16, Code of Federal Regulations;</text></subparagraph><subparagraph id="H56756CD03A0848E9936ACC9002048C00"><enum>(C)</enum><text>compliance with
			 legal process or other purposes expressly authorized under specific legal
			 authority; or</text></subparagraph><subparagraph id="H0E726DACA2844D46A6083441D4E9CAA0"><enum>(D)</enum><text>other
			 purposes—</text><clause id="HB2CA9381F0004FA4B08AB4D48027734C"><enum>(i)</enum><text>that
			 are specified in a notice to the minor; and</text></clause><clause id="HC55B7736B927416B8201678259063785"><enum>(ii)</enum><text>to
			 which the minor has consented under paragraph (7) before the information
			 is
			 used or disclosed for such other purposes.</text></clause></subparagraph></paragraph><paragraph id="H06A41024639F4DA694958A26F5241F06"><enum>(4)</enum><header>Retention
			 limitation principle</header><text display-inline="yes-display-inline">The
			 personal information of a minor should not be retained for longer than is
			 necessary to fulfill a transaction or provide a service requested by the
			 minor
			 or such other purposes specified in subparagraphs (A) through (D) of
			 paragraph
			 (3). The operator should implement a reasonable and appropriate data
			 disposal
			 policy based on the nature and sensitivity of such personal information.</text></paragraph><paragraph id="HA3F01D21905E40E0AF0C11B5209AC287"><enum>(5)</enum><header>Security
			 safeguards principle</header><text display-inline="yes-display-inline">The
			 personal information of a minor should be protected by reasonable and
			 appropriate security safeguards against risks such as loss or unauthorized
			 access, destruction, use, modification, or disclosure.</text></paragraph><paragraph id="H36AE940505E34643964A02C28C1135FD"><enum>(6)</enum><header>Openness
			 principle</header><subparagraph id="HEC15B00CCB474D0796F5C6035A526C40"><enum>(A)</enum><header>In
			 general</header><text>The operator should maintain a general policy of openness
			 about developments, practices, and policies with respect to the personal
			 information of a minor. The operator should provide each minor using the
			 website, online service, online application, or mobile application of the
			 operator with a clear and prominent means—</text><clause id="H82E6B16B063F4A7BAD9C56B3E5FA9180"><enum>(i)</enum><text>to
			 identify and contact the operator, by, at a minimum, disclosing, clearly
			 and
			 prominently, the identity of the operator and—</text><subclause id="HE1E2AB03149B4F2CAC5242977ABF211F"><enum>(I)</enum><text>in the case of an
			 operator who is an individual, the address of the principal residence of
			 the
			 operator and an e-mail address and telephone number for the operator; or</text></subclause><subclause id="H0EECD6893C704DCF98B72BDF91E01C06"><enum>(II)</enum><text>in the case of
			 any other operator, the address of the principal place of business of the
			 operator and an e-mail address and telephone number for the operator;</text></subclause></clause><clause id="HD7A88E8C9EB1449CB66EBADD52FBC87C"><enum>(ii)</enum><text>to
			 determine whether the operator possesses any personal information of the
			 minor,
			 the nature of any such information, and the purposes for which the
			 information
			 was collected and is being retained;</text></clause><clause id="H6836CAEAC3134E728CDB0DBD5925A70C"><enum>(iii)</enum><text>to
			 obtain any personal information of the minor that is in the possession of
			 the
			 operator from the operator, or from a person specified by the operator,
			 within
			 a reasonable time after making a request, at a charge (if any) that is not
			 excessive, in a reasonable manner, and in a form that is readily
			 intelligible
			 to the minor;</text></clause><clause id="H7EAA9931FD224BEE989A067C8C30BF42"><enum>(iv)</enum><text>to
			 challenge the accuracy of personal information of the minor that is in the
			 possession of the operator; and</text></clause><clause id="H0DDBE5988D504E3B97E7DD283DBD4DCD"><enum>(v)</enum><text>if
			 the minor establishes the inaccuracy of personal information in a
			 challenge
			 under clause (iv), to have such information erased, corrected, completed,
			 or
			 otherwise amended.</text></clause></subparagraph><subparagraph id="HF7D31B470D0B43139166893407423AF7"><enum>(B)</enum><header>Limitation</header><text>Nothing
			 in this paragraph shall be construed to permit an operator to erase or
			 otherwise modify personal information requested by a law enforcement
			 agency
			 pursuant to legal authority.</text></subparagraph></paragraph><paragraph id="HCC879282E07842FF80B1A4268EDCC0C5"><enum>(7)</enum><header>Individual
			 participation principle</header><text display-inline="yes-display-inline">The
			 operator should—</text><subparagraph id="H8132942D7E4E430281E1E8CED7279E75"><enum>(A)</enum><text>obtain consent
			 from a minor before using or disclosing the personal information of the
			 minor
			 for any purpose other than the purposes described in subparagraphs (A)
			 through
			 (C) of paragraph (3); and</text></subparagraph><subparagraph id="HF996F725A6444311B3BCA417279D3F92"><enum>(B)</enum><text>obtain affirmative
			 express consent from a minor before using or disclosing previously
			 collected
			 personal information of the minor for purposes that constitute a material
			 change in practice from the original purposes specified to the minor under
			 paragraph (3).</text></subparagraph></paragraph></subsection><subsection id="HB0D080837D574450AFE33103EBAF5227"><enum>(c)</enum><header>Regulations</header><text display-inline="yes-display-inline">Not later than 1 year after the date of the
			 enactment of this Act, the Commission shall promulgate, under section 553
			 of
			 title 5, United States Code, regulations to implement this section,
			 including
			 regulations further defining the Fair Information Practices Principles
			 described in subsection (b).</text></subsection></section><section id="H1BE8E20F77794A08BFD08CE1550CC9E7"><enum>207.</enum><header>Online collection
			 of geolocation information of children and minors</header><subsection id="HDDB2421F48484958BBD4149B2277E6D9"><enum>(a)</enum><header>Acts
			 prohibited</header><paragraph id="HACE9CBB5FEFB49E1A2AC2B5AD6921C92"><enum>(1)</enum><header>In
			 general</header><text display-inline="yes-display-inline">It is unlawful for an
			 operator of a website, online service, online application, or mobile
			 application directed to children or minors, or an operator having actual
			 knowledge that geolocation information being collected is from a child or
			 minor, to collect geolocation information from a child or minor in a
			 manner
			 that violates the regulations prescribed under subsection (b).</text></paragraph><paragraph id="H6C8ECF0EF9114A6AB90C929013C4039B"><enum>(2)</enum><header>Disclosure to
			 parent or minor protected</header><text>Notwithstanding paragraph (1), neither
			 an operator nor the operator’s agent shall be held to be liable under any
			 Federal or State law for any disclosure made in good faith and following
			 reasonable procedures in responding to a request for disclosure of
			 geolocation
			 information under subparagraph (C)(ii)(III) or (D)(ii)(III) of subsection
			 (b)(1).</text></paragraph></subsection><subsection id="H0B024826787B4A22B25381F028050BB2"><enum>(b)</enum><header>Regulations</header><paragraph id="H74BC137EA11E4F0485DD2F81A6AB3842"><enum>(1)</enum><header>In
			 general</header><text display-inline="yes-display-inline">Not later than 1 year
			 after the date of the enactment of this Act, the Commission shall
			 promulgate,
			 under <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5, United States Code, regulations that require
			 an
			 operator of a website, online service, online application, or mobile
			 application directed to children or minors, or an operator having actual
			 knowledge that geolocation information being collected is from a child or
			 minor—</text><subparagraph id="H10024A8D2AF84CE9B94C76E6ABC74E82"><enum>(A)</enum><text display-inline="yes-display-inline">to provide clear and conspicuous notice in
			 clear and plain language of any geolocation information the operator
			 collects,
			 how the operator uses such information, and whether the operator discloses
			 such
			 information;</text></subparagraph><subparagraph id="HCD1610BD7C6043AF82A84C94FC79C40C"><enum>(B)</enum><text>to establish
			 procedures or mechanisms to ensure that geolocation information is not
			 collected from children or minors except in accordance with regulations
			 promulgated under this paragraph;</text></subparagraph><subparagraph display-inline="no-display-inline" id="H0EC81FFA137A4D2AA6AB0637FDD7E65B"><enum>(C)</enum><text display-inline="yes-display-inline">in the case of collection of geolocation
			 information from a child—</text><clause id="HF912709048DF4BEDA3A5B92663A81A56"><enum>(i)</enum><text>prior to
			 collecting such information, to obtain verifiable parental consent; and</text></clause><clause id="H3B407CE16A5C481BBDBD6720D0B23CD4"><enum>(ii)</enum><text>after collecting
			 such information, to provide to the parent of the child, upon request by
			 and
			 proper identification of the parent—</text><subclause id="HBFE75A48A5874F3DA4F6AF156E5618FB"><enum>(I)</enum><text>a
			 description of the geolocation information collected from the child by the
			 operator;</text></subclause><subclause id="HFC97C6F3844544D884C7CD9C636F4695"><enum>(II)</enum><text>the opportunity
			 at any time to refuse to permit the further use or maintenance in
			 retrievable
			 form, or future collection, by the operator of geolocation information
			 from the
			 child; and</text></subclause><subclause id="HC485C6605E044FE4AF2C79F7EC3C9060"><enum>(III)</enum><text display-inline="yes-display-inline">a means that is reasonable under the
			 circumstances for the parent to obtain any geolocation information
			 collected
			 from the child, if such information is available to the operator at the
			 time
			 the parent makes the request; and</text></subclause></clause></subparagraph><subparagraph id="HA083345F6C104632A06449F4267CEB2E"><enum>(D)</enum><text display-inline="yes-display-inline">in the case of collection of geolocation
			 information from a minor—</text><clause id="HB31C178DFFE54A42B0C3EE08F118CAB4"><enum>(i)</enum><text display-inline="yes-display-inline">prior to collecting such information, to
			 obtain affirmative express consent from such minor; and</text></clause><clause id="H5364AB56DFF347D7BC9573CCBC3A1CBF"><enum>(ii)</enum><text>after collecting
			 such information, to provide to the minor, upon request—</text><subclause id="HB362AD9F274040828777425E41E5FC46"><enum>(I)</enum><text>a
			 description of the geolocation information collected from the minor by the
			 operator;</text></subclause><subclause id="HD4016AD32538494A818BBF72F3ED04B3"><enum>(II)</enum><text>the opportunity
			 at any time to refuse to permit the further use or maintenance in
			 retrievable
			 form, or future collection, by the operator of geolocation information
			 from the
			 minor; and</text></subclause><subclause id="H95AA0198559440B6A5223816C88D48F9"><enum>(III)</enum><text display-inline="yes-display-inline">a means that is reasonable under the
			 circumstances for the minor to obtain any geolocation information
			 collected
			 from the minor, if such information is available to the operator at the
			 time
			 the minor makes the request.</text></subclause></clause></subparagraph></paragraph><paragraph id="H167BAC6E07A94C388AA4F09D5259DC07"><enum>(2)</enum><header>When consent not
			 required</header><text display-inline="yes-display-inline">The regulations
			 promulgated under paragraph (1) shall provide that verifiable parental
			 consent
			 under subparagraph (C)(i) of such paragraph or affirmative express consent
			 under subparagraph (D)(i) of such paragraph is not required when the
			 collection
			 of the geolocation information of a child or minor is necessary, to the
			 extent
			 permitted under other provisions of law, to provide information to law
			 enforcement agencies or for an investigation on a matter related to public
			 safety.</text></paragraph><paragraph id="HF2F983198B8940909A98C1A4E4EB2D9D"><enum>(3)</enum><header>Continuation of
			 service</header><text display-inline="yes-display-inline">The regulations
			 promulgated under paragraph (1) shall prohibit an operator from
			 discontinuing
			 service provided to—</text><subparagraph id="HE7C7848530D2468BB97781C46CC4194B"><enum>(A)</enum><text display-inline="yes-display-inline">a child on the basis of refusal by the
			 parent of the child, under subparagraph (C)(ii)(II) of such paragraph, to
			 permit the further use or maintenance in retrievable form, or future
			 online
			 collection, of geolocation information from the child by the operator, to
			 the
			 extent that the operator is capable of providing such service without such
			 information; or</text></subparagraph><subparagraph commented="no" id="HB7E81AC1553948AD9BA1120B4E65AA51"><enum>(B)</enum><text display-inline="yes-display-inline">a minor on the basis of refusal by the
			 minor, under subparagraph (D)(ii)(II) of such paragraph, to permit the
			 further
			 use or maintenance in retrievable form, or future online collection, of
			 geolocation information from the minor by the operator, to the extent that
			 the
			 operator is capable of providing such service without such information.</text></subparagraph></paragraph></subsection><subsection id="H8EB9CD8F2B6544858190D61679F9C886"><enum>(c)</enum><header>Inconsistent
			 State law</header><text display-inline="yes-display-inline">No State or local
			 government may impose any liability for commercial activities or actions
			 by
			 operators in interstate or foreign commerce in connection with an activity
			 or
			 action described in this section that is inconsistent with the treatment
			 of
			 those activities or actions under this section.</text></subsection></section><section id="HA254422E8AC844A1AC27F6B50D2BD19E"><enum>208.</enum><header>Removal of
			 content</header><subsection id="H9EC48376EB3B4750BE5593460B912804"><enum>(a)</enum><header>Acts
			 prohibited</header><text display-inline="yes-display-inline">It is unlawful for
			 an operator of a website, online service, online application, or mobile
			 application to make publicly available through the website, service, or
			 application content or information that contains or displays personal
			 information of children or minors in a manner that violates the
			 regulations
			 prescribed under subsection (b).</text></subsection><subsection id="H40BDD0A2C3BE4033AE0EFB597828E369"><enum>(b)</enum><header>Regulations</header><paragraph id="H670A6CA355164C10A05F14CF0E98E497"><enum>(1)</enum><header>In
			 general</header><text>Not later than 1 year after the date of the enactment of
			 this Act, the Commission shall promulgate, under <external-xref legal-doc="usc" parsable-cite="usc/5/553">section 553</external-xref> of title 5,
			 United
			 States Code, regulations that require an operator—</text><subparagraph id="HD452F788D23F4F03954755830E5EA7D9"><enum>(A)</enum><text display-inline="yes-display-inline">to the extent technologically feasible, to
			 implement mechanisms that permit a user of the website, service, or
			 application
			 of the operator to erase or otherwise eliminate content or information
			 submitted to the website, service, or application by such user that is
			 publicly
			 available through the website, service, or application and contains or
			 displays
			 personal information of children or minors; and</text></subparagraph><subparagraph id="H311E2D95902349D7A7DD27CD714451EE"><enum>(B)</enum><text display-inline="yes-display-inline">to take appropriate steps to make users
			 aware of such mechanisms and to provide notice to users that such
			 mechanisms do
			 not necessarily provide comprehensive removal of the content or
			 information
			 submitted by such users.</text></subparagraph></paragraph><paragraph id="HC59F4A303BDF4D99B1074E90CDCF7528"><enum>(2)</enum><header>Exception</header><text>The
			 regulations promulgated under paragraph (1) may not require an operator or
			 third party to erase or otherwise eliminate content or information that—</text><subparagraph id="HA9E5EF06A5C7441B9B36813895643BE5"><enum>(A)</enum><text display-inline="yes-display-inline">any other provision of Federal or State law
			 requires the operator or third party to maintain; or</text></subparagraph><subparagraph id="H5E0953219C744E0E81C3A2491C07E80F"><enum>(B)</enum><text display-inline="yes-display-inline">was submitted to the website, service, or
			 application of the operator by any person other than the user who is
			 attempting
			 to erase or otherwise eliminate such content or information, including
			 content
			 or information submitted by such user that was republished or resubmitted
			 by
			 another person.</text></subparagraph></paragraph><paragraph id="H7DDF82D74100415FA93D6CFB8A481557"><enum>(3)</enum><header>Limitation</header><text>Nothing
			 in this section shall be construed to limit the authority of a law
			 enforcement
			 agency to obtain any content or information from an operator as authorized
			 by
			 law or pursuant to an order of a court of competent jurisdiction.</text></paragraph></subsection></section><section id="HA1F8E5D54ED34F2AB64F918D3E25E634"><enum>209.</enum><header>Enforcement and
			 applicability</header><subsection id="HC2CC1133F5D9485582BFC1322AE0D8BE"><enum>(a)</enum><header>Enforcement by
			 the Commission</header><paragraph id="HF6896EE465924D2DA60DF6404EAB52A0"><enum>(1)</enum><header>In
			 general</header><text>Except as otherwise provided, this title and the
			 regulations prescribed under this title shall be enforced by the
			 Commission
			 under
			 the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text></paragraph><paragraph id="HF45ABC12CBDE48FE881BE0BA9003DC39"><enum>(2)</enum><header>Unfair or
			 deceptive acts or practices</header><text display-inline="yes-display-inline">Subject to subsection (b), a violation of
			 this title or a regulation prescribed under this title shall be treated as
			 a
			 violation of a rule defining an unfair or deceptive act or practice
			 prescribed
			 under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
			 57a(a)(1)(B)).</text></paragraph><paragraph id="HECD38FAB9D664EECA46AA422060C8767"><enum>(3)</enum><header>Actions by the
			 Commission</header><subparagraph id="idE40AE7F2430047DDBB267B72E304D587"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">Subject to
			 subsection (b), and except as provided in subsection (d)(1), the
			 Commission
			 shall prevent any person from violating this title or a regulation
			 prescribed
			 under this title in the same manner, by the same means, and with the same
			 jurisdiction, powers, and duties as though all applicable terms and
			 provisions
			 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were
			 incorporated
			 into and made a part of this title.</text></subparagraph><subparagraph id="idAAE7C3799E2B4424937CA7EE4D27ADE0"><enum>(B)</enum><header>Privileges and immunities</header><text display-inline="yes-display-inline">Any person who violates this title
			 or
			 a
			 regulation prescribed under this title shall be subject to the penalties
			 and entitled to the
			 privileges and
			 immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et
			 seq.).</text></subparagraph></paragraph></subsection><subsection commented="no" id="H52739EAF0DD849B2B96D2F50CFC93B48"><enum>(b)</enum><header>Enforcement by
			 certain other agencies</header><text>Notwithstanding subsection (a), compliance
			 with the requirements imposed under this title shall be enforced as
			 follows:</text><paragraph commented="no" id="HF70C174467114416BB831A36E550AFDC"><enum>(1)</enum><text display-inline="yes-display-inline">Under section 8 of the Federal Deposit
			 Insurance Act (<external-xref legal-doc="usc" parsable-cite="usc/12/1818">12 U.S.C. 1818</external-xref>) by the appropriate Federal banking agency,
			 with
			 respect to an insured depository institution (as such terms are defined in
			 section 3 of such Act (<external-xref legal-doc="usc" parsable-cite="usc/12/1813">12 U.S.C. 1813</external-xref>)).</text></paragraph><paragraph commented="no" id="H1D7F097FF4524A078C69C422FD5B5867"><enum>(2)</enum><text>Under the Federal
			 Credit Union Act (<external-xref legal-doc="usc" parsable-cite="usc/12/1751">12 U.S.C. 1751 et seq.</external-xref>) by the National Credit Union
			 Administration Board, with respect to any Federal credit union.</text></paragraph><paragraph commented="no" id="H98BA628EEBE04F5890B7380A9A0BAB65"><enum>(3)</enum><text>Under part A of
			 subtitle VII of title 49, United States Code, by the Secretary of
			 Transportation, with respect to any air carrier or foreign air carrier
			 subject
			 to such part.</text></paragraph><paragraph commented="no" id="H70B9FB7C0CF94111BA69E5747E2E9A11"><enum>(4)</enum><text>Under the Packers
			 and Stockyards Act, 1921 (<external-xref legal-doc="usc" parsable-cite="usc/7/181">7 U.S.C. 181 et seq.</external-xref>) (except as provided in
			 section
			 406 of such Act (<external-xref legal-doc="usc" parsable-cite="usc/7/226">7 U.S.C. 226</external-xref>; 227)) by the Secretary of Agriculture, with
			 respect to any activities subject to such Act.</text></paragraph><paragraph commented="no" id="HFAC14D729158424A955F3A1315882FD3"><enum>(5)</enum><text>Under the Farm
			 Credit Act of 1971 (<external-xref legal-doc="usc" parsable-cite="usc/12/2001">12 U.S.C. 2001 et seq.</external-xref>) by the Farm Credit
			 Administration,
			 with respect to any Federal land bank, Federal land bank association,
			 Federal
			 intermediate credit bank, or production credit association.</text></paragraph></subsection><subsection id="HBA99118C3A514319A4CB9C9F23B1DDBF"><enum>(c)</enum><header>Enforcement by
			 States</header><paragraph id="HEBFEA4D0AE9141B28A95359207558849"><enum>(1)</enum><header>Civil
			 actions</header><text display-inline="yes-display-inline">In any case in which
			 the attorney general of a State has reason to believe that an interest of
			 the
			 residents of that State has been or is threatened or adversely affected by
			 the
			 engagement of any person in a practice that violates this title or a
			 regulation
			 prescribed under this title, the State, as parens patriae, may bring a
			 civil
			 action on behalf of the residents of the State in a district court of the
			 United States of appropriate jurisdiction to—</text><subparagraph id="HF3393B3CDD6D44D2AC2684370BA863F9"><enum>(A)</enum><text>enjoin that
			 practice;</text></subparagraph><subparagraph id="H90B06E81122346D29CE8F9848B16AB47"><enum>(B)</enum><text>enforce
			 compliance with this title or such regulation;</text></subparagraph><subparagraph id="HAC1AB2A211E04891A322E5DA3C5FDA4D"><enum>(C)</enum><text>obtain damages,
			 restitution, or other compensation on behalf of residents of the State;
			 or</text></subparagraph><subparagraph id="HE21CD04D028845FFAE11573EA03982A1"><enum>(D)</enum><text>obtain such other
			 relief as the court may consider to be appropriate.</text></subparagraph></paragraph><paragraph id="id05FA0E79631E4A07BAD4E627E2044299"><enum>(2)</enum><header>Rights of Federal Trade Commission</header><subparagraph id="id07F5ABDEAEA0457D8AA820957665DE12"><enum>(A)</enum><header>Notice to Federal Trade Commission</header><clause id="idB164C4AD5B404FEF85FD1F83155A1F1E"><enum>(i)</enum><header>In
			 general</header><text>Except as provided in clause (iii), the attorney general
			 of a State shall notify the Federal Trade Commission in writing that the
			 attorney general intends to bring a civil action under paragraph (1)
			 before
			 initiating the civil action.</text>
							</clause><clause id="id1F619F0DFAD34C8D97E5F7457C12CA89"><enum>(ii)</enum><header>Contents</header><text>The
			 notification required by clause (i) with respect to a civil action shall
			 include a copy of the complaint to be filed to initiate the civil
			 action.</text>
							</clause><clause id="id72EDA8DD6435400B9AA8FE0A76AC6385"><enum>(iii)</enum><header>Exception</header><text>If
			 it is not feasible for the attorney general of a State to provide the
			 notification required by clause (i) before initiating a civil action under
			 paragraph (1), the attorney general shall notify the Federal Trade
			 Commission
			 immediately upon instituting the civil action.</text>
							</clause></subparagraph><subparagraph id="id6318A7AB10D04121956FA8D99484D2FE"><enum>(B)</enum><header>Intervention by
			 Federal Trade Commission</header><text>The Federal Trade Commission may—</text>
							<clause id="idD74CBF74CE084E7E8079C4BE13F1A16D"><enum>(i)</enum><text>intervene in any
			 civil action brought by the attorney general of a State under paragraph
			 (1);
			 and</text>
							</clause><clause id="idB448D8A2F574489EADECDCEE22C1E557"><enum>(ii)</enum><text>upon
			 intervening—</text>
								<subclause id="id8008402559184FA78615EAE579D4D7A9"><enum>(I)</enum><text>be heard on all
			 matters arising in the civil action; and</text>
								</subclause><subclause commented="no" display-inline="no-display-inline" id="id13AE77F2A4B4438897EF92C4C06E351D"><enum>(II)</enum><text>file petitions
			 for appeal of a decision in the civil action.</text></subclause></clause></subparagraph></paragraph><paragraph id="H58B2C03858DE422BBDF4991F91AACE90"><enum>(3)</enum><header>Investigatory powers</header><text>For
			 purposes of bringing any civil action under paragraph (1), nothing in this
			 title
			 shall be construed to prevent an attorney general of a State from
			 exercising
			 the powers conferred on the attorney general by the laws of that State
			 to—</text><subparagraph id="HE9E88901B63C476AA6D20A677AB2A435"><enum>(A)</enum><text>conduct
			 investigations;</text></subparagraph><subparagraph id="H4EB38E77451944F0ACC51F94C039AFA9"><enum>(B)</enum><text>administer oaths
			 or affirmations; or</text></subparagraph><subparagraph id="H14E0379EE9AA4685822CFA1B91420A72"><enum>(C)</enum><text>compel the
			 attendance of witnesses or the production of documentary and other
			 evidence.</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id54FE574985044DD9AFFF938BAEC2C4D3"><enum>(4)</enum><header display-inline="yes-display-inline">Preemptive
			 action by Federal Trade Commission</header><text display-inline="yes-display-inline">If the Federal Trade
			 Commission institutes a civil action or an administrative action with
			 respect
			 to a violation of this title, the attorney general of a
			 State may
			 not, during the pendency of such action, bring a civil action under
			 paragraph
			 (1) against any defendant named in the complaint of the Commission for the
			 violation with respect to which the Commission instituted such action.</text></paragraph><paragraph id="HE7438D1273334E2FABCA38302E39212F"><enum>(5)</enum><header>Venue; service
			 of process</header><subparagraph id="HF0545D3FBCD74F20864A30A8DF1DCC3F"><enum>(A)</enum><header>Venue</header><text>Any
			 action brought under paragraph (1) may be brought in the district court of
			 the
			 United States that meets applicable requirements relating to venue under
			 <external-xref legal-doc="usc" parsable-cite="usc/28/1391">section 1391</external-xref> of title 28, United States Code.</text></subparagraph><subparagraph id="H62261B52C34747209779B8E56A547D6E"><enum>(B)</enum><header>Service of
			 process</header><text>In an action brought under paragraph (1), process may be
			 served in any district in which the defendant—</text><clause id="HEC1E776AE3A646B1B55B35DD7D1A94D8"><enum>(i)</enum><text>is
			 an inhabitant; or</text></clause><clause id="HD98569DB948C4B57946271184244B0C6"><enum>(ii)</enum><text>may
			 be found.</text></clause></subparagraph></paragraph><paragraph commented="no" id="HBF9D8AC8EC23413BB5041BD600316B74"><enum>(6)</enum><header>Actions by other
			 State officials</header>
						<subparagraph commented="no" id="HFCA071F7EC78467D0083EF5E74487B8"><enum>(A)</enum><header>In
			 general</header><text>In addition to civil actions brought by attorneys general
			 under paragraph (1), any other officer of a State who is authorized by the
			 State to do so may bring a civil action under paragraph (1), subject to
			 the
			 same requirements and limitations that apply under this subsection to
			 civil
			 actions brought by attorneys general.</text>
						</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="H391A9B80D5FE465498F0E3E2B5E6C92F"><enum>(B)</enum><header>Savings
			 provision</header><text>Nothing in this subsection may be construed to prohibit
			 an authorized official of a State from initiating or continuing any
			 proceeding
			 in a court of the State for a violation of any civil or criminal law of
			 the
			 State.</text></subparagraph></paragraph></subsection><subsection id="H957CA93AB4604AD9838FAA32B6D72301"><enum>(d)</enum><header>Telecommunications
			 carriers and cable operators</header><paragraph id="H7B852D16E57841CF89D9D33EBD81575D"><enum>(1)</enum><header>Enforcement by
			 FTC</header><text display-inline="yes-display-inline">Notwithstanding section
			 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>),
			 compliance
			 with the requirements imposed under this title shall be enforced by the
			 Commission with respect to any telecommunications carrier (as defined in
			 section 3 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/153">47 U.S.C. 153</external-xref>)).</text></paragraph><paragraph id="HAE18D301B5A446D5BCA22A457A76ADFE"><enum>(2)</enum><header>Relationship to
			 other law</header><text display-inline="yes-display-inline">To the extent that
			 sections 222, 338(i), and 631 of the Communications Act of 1934 (47 U.S.C.
			 222;
			 338(i); 551) are inconsistent with this title, this title controls.</text></paragraph></subsection></section><section commented="no" id="H8FAFE8BFF6FE4597B25793E713C38A85"><enum>210.</enum><header>Rule for
			 treatment of users of websites, services, and applications directed to
			 children
			 or minors</header><text display-inline="no-display-inline">An operator of a
			 website, online service, online application, or mobile application that is
			 directed to children or minors shall treat all users of such website,
			 service,
			 or application as children or minors (as the case may be) for purposes of
			 this
			 title, except as permitted by the Commission by a regulation promulgated
			 under
			 this title.</text></section><section commented="no" id="HB32584A7D6654F9090236730AD0AFBC7"><enum>211.</enum><header>Effective
			 dates</header><subsection commented="no" id="HC78DBCB46B7F4F97937F768A703BD2F4"><enum>(a)</enum><header>In
			 general</header><text>Except as provided in subsections (b) and (c), this title
			 and the amendments made by this title shall take effect on the date that
			 is
			 1
			 year after the date of the enactment of this Act.</text></subsection><subsection commented="no" id="H8658089BBD0C4A248EFF101CD0AEA774"><enum>(b)</enum><header>Authority To
			 promulgate regulations</header><text>The following shall take effect on the
			 date of the enactment of this Act:</text><paragraph commented="no" id="H6F848A5F4AFD44C28991BA3D35A19CD7"><enum>(1)</enum><text display-inline="yes-display-inline">The amendments made by subsections (a)(5)
			 and (b)(3)(A) of section 204.</text></paragraph><paragraph commented="no" id="H1F9ED773BE2F433CAD47B14D0E51087E"><enum>(2)</enum><text>Sections 205(b),
			 206(c), 207(b), and 208(b).</text></paragraph><paragraph id="HF99145C3E107433CBF5A9E1FC5F88271"><enum>(3)</enum><text>Subsections (b)
			 and (c) of section 203.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="H3FEFD9607695448B9AC71681048C0FD9"><enum>(c)</enum><header>Digital
			 Marketing Bill of Rights for Teens</header><text>Section 206, except for
			 subsection (c) of such section, shall take effect on the date that is 180
			 days
			 after the promulgation of regulations under such subsection.</text></subsection></section></title></legis-body>
</bill>


