<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" dms-id="HCD58629684744EB79618E8166F8E1CF9" public-private="public" key="H" bill-type="olc"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>116 HR 8818 IH: American Privacy Rights Act of 2024</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2024-06-25</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code><congress display="yes">118th CONGRESS</congress><session display="yes">2d Session</session><legis-num display="yes">H. R. 8818</legis-num><current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber><action display="yes"><action-date date="20240625">June 25, 2024</action-date><action-desc><sponsor name-id="M001159">Mrs. Rodgers of Washington</sponsor> (for herself, <cosponsor name-id="P000034">Mr. Pallone</cosponsor>, <cosponsor name-id="B001257">Mr. Bilirakis</cosponsor>, and <cosponsor name-id="S001145">Ms. Schakowsky</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HIF00">Committee on Energy and Commerce</committee-name></action-desc></action><legis-type>A BILL</legis-type><official-title display="yes">To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement, and for other purposes.</official-title></form><legis-body id="HE3DC1F4FE2534759988E1D6B2C66BB9D" style="OLC"><section id="H06C0837692184482863EFECCBA5956EB" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header><subsection id="HEC651DA9799B4790B3C134A327B4A31B"><enum>(a)</enum><header>Short title</header><text>This Act may be cited as the <quote><short-title>American Privacy Rights Act of 2024</short-title></quote>.</text></subsection><subsection id="H901052414BEE464CAA0693F83E908F3B"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text><toc container-level="legis-body-container" quoted-block="no-quoted-block" lowest-level="section" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"><toc-entry idref="H06C0837692184482863EFECCBA5956EB" level="section">Sec. 1. 
Short title; table of contents.</toc-entry><toc-entry idref="HA026474286B7463B9ADFA927EC591EFB" level="title">Title I—American Privacy Rights</toc-entry><toc-entry idref="H3123193BF6744CFD9DEF06BE803EBBBC" level="section">Sec. 101. Definitions.</toc-entry><toc-entry idref="H067618BDEC2C4F54A48518E56BC519AC" level="section">Sec. 102. Data minimization.</toc-entry><toc-entry idref="H6B7B7FFA4CCC424682660176A41583B3" level="section">Sec. 103. Privacy by design.</toc-entry><toc-entry idref="H69055538B64F4AA5839B38CF5906C29C" level="section">Sec. 104. Transparency.</toc-entry><toc-entry idref="HFF43E2FA96A84E0792BB05CBE60CCEDA" level="section">Sec. 105. Individual control over covered data.</toc-entry><toc-entry idref="H91B7618FF33046489E4F3CE0F1691C77" level="section">Sec. 106. Opt-out rights and universal mechanisms.</toc-entry><toc-entry idref="HF11D4B9D99F1401295EF70D05B169305" level="section">Sec. 107. Interference with consumer rights.</toc-entry><toc-entry idref="H67176B0ABFC84A7D91E322AB1F70234C" level="section">Sec. 108. Prohibition on denial of service and waiver of rights.</toc-entry><toc-entry idref="HE61AE3852A9245029E1700E911F4E9C8" level="section">Sec. 109. Data security and protection of covered data.</toc-entry><toc-entry idref="HC120FFA22AE044F6830A896676534CBF" level="section">Sec. 110. Executive responsibility.</toc-entry><toc-entry idref="H08A19F443E6D4145A1B8C81E412B1694" level="section">Sec. 111. Service providers and third parties.</toc-entry><toc-entry idref="HC61D99C5F8DA42C3ADD0F8CE27E55646" level="section">Sec. 112. Data brokers.</toc-entry><toc-entry idref="H72264840D6C34DCCB9F9EFE415FC4BBD" level="section">Sec. 113. Commission-approved compliance guidelines.</toc-entry><toc-entry idref="H7208E37F05084C85899B069002426A23" level="section">Sec. 114. Privacy-enhancing technology pilot program.</toc-entry><toc-entry idref="H03D6C7413CF146C7B5917BC44FA9742F" level="section">Sec. 115. 
Enforcement by Federal Trade Commission.</toc-entry><toc-entry idref="H0A3045A8B5854502A2C857049AE2D546" level="section">Sec. 116. Enforcement by States.</toc-entry><toc-entry idref="H1B66737E32494798AC0D4F33A29C4EA4" level="section">Sec. 117. Enforcement by persons.</toc-entry><toc-entry idref="H79E7428FDC174676B7525B367E283110" level="section">Sec. 118. Relation to other laws.</toc-entry><toc-entry idref="H4B686BB63CE24BD689FB8A1F0EEB1E93" level="section">Sec. 119. Children’s Online Privacy Protection Act of 1998.</toc-entry><toc-entry idref="H544D150523D44CCEA837F39E4C822FD2" level="section">Sec. 120. Data protections for covered minors.</toc-entry><toc-entry idref="H83CA47A82394450487C4D66B02268496" level="section">Sec. 121. Termination of FTC rulemaking on commercial surveillance and data security.</toc-entry><toc-entry idref="H78B174699D3D406FA46E0F20FE44297A" level="section">Sec. 122. Severability.</toc-entry><toc-entry idref="HB36FB98BF1CB4DF18EA248CFB1DF3E58" level="section">Sec. 123. Innovation rulemakings.</toc-entry><toc-entry idref="H5BD2DEB8019F4EB3AD5E7CECB18F86FB" level="section">Sec. 124. Effective date.</toc-entry><toc-entry idref="H3B29244B510A4010878B30DCDE974D8F" level="title">Title II—Children’s Online Privacy Protection Act 2.0</toc-entry><toc-entry idref="H05FDEA64D1E1450D9B0455340BE2556A" level="section">Sec. 201. Short title.</toc-entry><toc-entry idref="HC62E2127B6684378BCFC2B95D08DA542" level="section">Sec. 202. Online collection, use, disclosure, and deletion of personal information of children.</toc-entry><toc-entry idref="HD6722F69505C4F69864D18279619B767" level="section">Sec. 203. Study and reports on mobile and online application oversight and enforcement.</toc-entry><toc-entry idref="H009A8094D5504E10832AD42ADCCBA1D6" level="section">Sec. 204. 
Severability.</toc-entry></toc></subsection></section><title id="HA026474286B7463B9ADFA927EC591EFB"><enum>I</enum><header>American Privacy Rights</header><section id="H3123193BF6744CFD9DEF06BE803EBBBC"><enum>101.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text><paragraph id="HA553312BCC7E443EB09205FE095DBEC6"><enum>(1)</enum><header>Affirmative express consent</header><subparagraph id="HCAE868720B33482DB2F28B26F188F851"><enum>(A)</enum><header>In general</header><text>The term <quote>affirmative express consent</quote> means an affirmative act by an individual that—</text><clause id="H5B2C43179A7049D09B3B4BF6848A20D5"><enum>(i)</enum><text>clearly communicates the authorization of the individual for an act or practice; and</text></clause><clause id="H197B51D801F4483784C8629A3ED96E6B"><enum>(ii)</enum><text>is provided in response to a specific request from a covered entity, or a service provider on behalf of a covered entity, that meets the requirements of subparagraph (B).</text></clause></subparagraph><subparagraph id="HEAC0D230288548CEB5591B46E563F012"><enum>(B)</enum><header>Request requirements</header><text>The requirements of this subparagraph with respect to a request are the following:</text><clause id="H1E982C3ADBC8412DA8BF73ED555844DA"><enum>(i)</enum><text>The request is provided to the individual in a clear and conspicuous standalone disclosure.</text></clause><clause id="H30664B755BFD4753B0794DD2E6B051DE"><enum>(ii)</enum><text>The request includes a description of each act or practice for which the consent of the individual is sought and—</text><subclause id="HEE082FC39A6B4570BACD9C3751A4C7AD"><enum>(I)</enum><text>clearly distinguishes between an act or practice that is necessary, proportionate, and limited to fulfill a request of the individual and an act or practice that is for another purpose;</text></subclause><subclause id="HDF7CAF409F384B929B222823F6D975D7"><enum>(II)</enum><text>clearly states 
the specific categories of covered data that the covered entity shall collect, process, retain, or transfer under each such act or practice; and</text></subclause><subclause id="HCF1E3C697CC04A9180BB305F3C4E4FAF"><enum>(III)</enum><text>is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand each such act or practice.</text></subclause></clause><clause id="H8D40CC373A784176ACFD1C7EF96FDE3A"><enum>(iii)</enum><text>The request clearly explains the applicable rights of the individual related to consent.</text></clause><clause id="HEAD1E8DB5FDA49908018DBBF86D6D74E"><enum>(iv)</enum><text>The request is made in a manner reasonably accessible to and usable by individuals living with disabilities.</text></clause><clause id="HD4D39608372A4DB782131A3766A2DBA8"><enum>(v)</enum><text>The request is made available to the individual in the language in which the covered entity provides a product or service for which authorization is sought.</text></clause><clause id="HE29AD45C02EC4E968AAEDD125240863C"><enum>(vi)</enum><text>The option to refuse consent is at least as prominent as the option to provide consent, and the option to refuse consent takes no more than 1 additional step as compared to the number of steps necessary to provide consent.</text></clause><clause id="H9751955E0C4B422EADCFD72628332BC2"><enum>(vii)</enum><text>With respect to affirmative express consent sought for the collection, processing, retention, or transfer of biometric information or genetic information, the request includes the length of time the covered entity or service provider intends to retain the biometric information or genetic information or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain the biometric information or genetic information.</text></clause></subparagraph><subparagraph 
id="H04DE10D3DA0843B4BFAA660186D345B5"><enum>(C)</enum><header>Express consent required</header><text>Affirmative express consent to an act or practice may not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by an entity.</text></subparagraph><subparagraph id="H2DE5BF4A36CB462DA54A30CAC6766897"><enum>(D)</enum><header>Withdrawal of affirmative express consent</header><clause id="HDA6F698F15CD432BB186A49C3BBC37A8"><enum>(i)</enum><header>In general</header><text>A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual.</text></clause><clause id="HED6901A879C74F63BE808B282FF2A183"><enum>(ii)</enum><header>Requirements</header><text>The means to withdraw affirmative express consent described in clause (i) shall be—</text><subclause id="H8FB03D598B6E4C5D9B166AAF83FE0E74"><enum>(I)</enum><text>clear and conspicuous; and</text></subclause><subclause id="H60D58215DE7141DD9B0171BD8F5FC833"><enum>(II)</enum><text>as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.</text></subclause></clause></subparagraph><subparagraph id="HC2FF910D1E094AD786CE815D9BC6A12E" commented="no"><enum>(E)</enum><header>Children and teens</header><text>If a covered entity has knowledge that—</text><clause id="H84C5437FBE4A41228D94D92CE33960D3" commented="no"><enum>(i)</enum><text>an individual is a child, only a parent of the child may provide affirmative express consent on behalf of the child; or</text></clause><clause id="H43EBF050D6434131B52107A5EF5555EE" commented="no"><enum>(ii)</enum><text>an individual is a teen, a parent or the teen may provide affirmative express consent on behalf of the teen.</text></clause></subparagraph></paragraph><paragraph id="H148DD6DA102B42D29B73F14A3C417DD5"><enum>(2)</enum><header>Biometric information</header><subparagraph 
id="H453A8F85D16944B2A9143A64F7624CFB"><enum>(A)</enum><header>In general</header><text>The term <quote>biometric information</quote> means any covered data that allows or confirms the unique identification or verification of an individual and is generated from the measurement or processing of unique biological, physical, or physiological characteristics, including—</text><clause id="H156180FC9154439C91B8495CCEF537D6"><enum>(i)</enum><text>fingerprints;</text></clause><clause id="H6CD8699211484F20815342F7F83A5A6C"><enum>(ii)</enum><text>voice prints;</text></clause><clause id="HE18931787C9C48439520EC4914102D08"><enum>(iii)</enum><text>iris or retina imagery scans;</text></clause><clause id="H4CB56108AE6A4C4DA3D2E90B7AB367B1"><enum>(iv)</enum><text>facial or hand mapping, geometry, or templates; and</text></clause><clause id="HF201D8B2127843D28BCDF89BEACD87AF"><enum>(v)</enum><text>gait.</text></clause></subparagraph><subparagraph id="HCF37158AF1EA4074AE30BEC630C5A218"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>biometric information</quote> does not include—</text><clause id="HA92B719C88E14F659D190165F8048119"><enum>(i)</enum><text>a digital or physical photograph;</text></clause><clause id="H3540592927C449D6AF7FBF744C77B231"><enum>(ii)</enum><text>an audio or video recording; or</text></clause><clause id="H75B0AC3855064474931AEFB2BF4308C9"><enum>(iii)</enum><text>data derived from a digital or physical photograph or an audio or video recording that cannot be used to identify or authenticate a specific individual.</text></clause></subparagraph></paragraph><paragraph id="H617AA93051EC44638129FA091B394BB6"><enum>(3)</enum><header>Child</header><text>The term <quote>child</quote> means an individual under the age of 13.</text></paragraph><paragraph id="HE217E050F4D1446DA6074C4F66E5B215"><enum>(4)</enum><header>Clear and conspicuous</header><text>The term <quote>clear and conspicuous</quote> means, with respect to a disclosure, that the disclosure 
is difficult to miss and easily understandable by ordinary consumers.</text></paragraph><paragraph id="H297BDA1FA1234BD8B0C2F1B8B4C53FB5"><enum>(5)</enum><header>Coarse geolocation information</header><text display-inline="yes-display-inline">The term <quote>coarse geolocation information</quote> means information that reveals the present physical location of an individual or device identified by a unique persistent identifier at the ZIP Code attribution level (except, if a geographic area attributed to a ZIP Code is equal to or less than the area of a circle with a radius of 1,850 feet or less, at a level greater than a geographic area equal to the area of a circle with a radius of 1,850 feet).</text></paragraph><paragraph id="HDE4F7A1C98D24309A290D3B0BEF9A04E"><enum>(6)</enum><header>Collect</header><text>The term <quote>collect</quote> means, with respect to covered data, to buy, rent, gather, obtain, receive, access, or otherwise acquire the covered data by any means.</text></paragraph><paragraph id="HBD0019BF6BF14155BA5393CFFEED374B"><enum>(7)</enum><header>Commission</header><text>The term <quote>Commission</quote> means the Federal Trade Commission.</text></paragraph><paragraph id="H98AEF9F777274707832CCCE555516956"><enum>(8)</enum><header>Common branding</header><text>The term <quote>common branding</quote> means a name, service mark, or trademark that is shared by 2 or more entities.</text></paragraph><paragraph id="HEB346613529E48A982E93F5ABDAA3AD1"><enum>(9)</enum><header>Connected device</header><text>The term <quote>connected device</quote> means a device that is capable of connecting to the internet.</text></paragraph><paragraph id="HDA01942C755A47A18D4C12DBBB28A11C"><enum>(10)</enum><header>Contextual advertising</header><text>The term <quote>contextual advertising</quote> means displaying or presenting an advertisement that—</text><subparagraph id="HFACD790DE83C4E379AAB8729475CC5E3"><enum>(A)</enum><text>does not vary based on the identity of the 
individual recipient; and</text></subparagraph><subparagraph id="H189654DE4B8D4589A712BB42FA26F10E"><enum>(B)</enum><text>is based solely on—</text><clause id="HC2E08BDFF27A4F98B1645CED8F3E055D"><enum>(i)</enum><text>the content of a webpage or online service;</text></clause><clause id="H88E8E3B0001E496C83C91ADB2643B29F"><enum>(ii)</enum><text>a specific request of the individual for information or feedback; or</text></clause><clause id="H0E066B0C17AE456E9304A8D640187BF8"><enum>(iii)</enum><text>coarse geolocation information.</text></clause></subparagraph></paragraph><paragraph id="H58DC71AB74BE4E6C857FFAEE218FA2F8"><enum>(11)</enum><header>Control</header><text>The term <quote>control</quote> means, with respect to an entity—</text><subparagraph id="H4DB1A944826940EBA69F94CBF16B5F2C"><enum>(A)</enum><text>ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;</text></subparagraph><subparagraph id="H49637CE128774D79A4DE22FDDA3FA356"><enum>(B)</enum><text>control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or</text></subparagraph><subparagraph id="H094B5AC94F10402B8A682D0709502991"><enum>(C)</enum><text>the power to exercise a controlling influence over the management of the entity.</text></subparagraph></paragraph><paragraph id="HADFDD50A2FAA4193A2373F4973EC464F"><enum>(12)</enum><header>Covered data</header><subparagraph id="HBC39DE856C1C4CE2B2A60B1630FFB0D5"><enum>(A)</enum><header>In general</header><text>The term <quote>covered data</quote> means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.</text></subparagraph><subparagraph id="H1CA359BECD22430997B2BC5F018321C5"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>covered data</quote> 
does not include—</text><clause id="HF358E678180A49619342CD64B32FECC1"><enum>(i)</enum><text>de-identified data;</text></clause><clause id="H0E04387D7B744B22B24A4B81D2265AA3"><enum>(ii)</enum><text>employee information;</text></clause><clause id="H565DCFE805794739A852E9635230DD00"><enum>(iii)</enum><text>publicly available information;</text></clause><clause id="H5D89087508C84054B2E1A5F869BEEA8E"><enum>(iv)</enum><text>inferences made exclusively from multiple independent sources of publicly available information, if such inferences—</text><subclause id="H563E295D1F4045C29920D676F183300C"><enum>(I)</enum><text>do not reveal information about an individual that meets the definition of the term <quote>sensitive covered data</quote> with respect to the individual; and</text></subclause><subclause id="H60F7480455504219A3A255647B4144B6"><enum>(II)</enum><text>are not combined with covered data;</text></subclause></clause><clause id="H82C6257DFA6A42CD822FA4707F029760"><enum>(v)</enum><text>information in the collection of a library, archive, or museum, if—</text><subclause id="H6BED654D8D67408CB78E9254D72B32BC"><enum>(I)</enum><text>the collection is—</text><item id="H41B29F77500945A78DF093FE4FBC46B0"><enum>(aa)</enum><text>open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum; and</text></item><item id="HF47E9CF13A2B4ECE88183502564AB6E0"><enum>(bb)</enum><text>composed of lawfully acquired materials with respect to which all licensing conditions are met; and</text></item></subclause><subclause id="HE4D35A9350BE450E82EB87E127D5B80B"><enum>(II)</enum><text>the library, archive, or museum has—</text><item id="HAA753C2CB6B24A1CAC3B2937FC88F8FD"><enum>(aa)</enum><text>a public service mission; and</text></item><item id="HBD0F232A6A094DF0BFA093D200393834"><enum>(bb)</enum><text>trained staff or volunteers to provide professional services normally associated with libraries, archives, or museums; 
or</text></item></subclause></clause><clause id="H6B66270D6ED44493BC7FA3D7243AEDC5" commented="no"><enum>(vi)</enum><text>on-device data.</text></clause></subparagraph></paragraph><paragraph id="H6C8FDD4A9BE34CF78198D4D0673D9DF6"><enum>(13)</enum><header>Covered entity</header><subparagraph id="H118339A5524543D5BE988E93918A0082"><enum>(A)</enum><header>In general</header><text>The term <quote>covered entity</quote> means any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and—</text><clause id="H8F05A7BBCB82465182664B7DB70A9952"><enum>(i)</enum><text>is subject to the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>);</text></clause><clause id="HAC6DB6F0AABB4423B438512264FB2032"><enum>(ii)</enum><text>is a common carrier subject to title II of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/201">47 U.S.C. 
201 et seq.</external-xref>); or</text></clause><clause id="H100B970013434618901B35617B88197D"><enum>(iii)</enum><text>is an organization not organized to carry on business for its own profit or that of its members.</text></clause></subparagraph><subparagraph id="H1040CC23C67E4128A8384F9C0092F15B"><enum>(B)</enum><header>Inclusion</header><text>The term <quote>covered entity</quote> includes any entity that controls, is controlled by, or is under common control with another covered entity.</text></subparagraph><subparagraph id="HDA95CC23C6BB48B0B14B17DD906BA773"><enum>(C)</enum><header>Exclusions</header><text>The term <quote>covered entity</quote> does not include—</text><clause id="H9B3E114FA71C488799BF6F1F529C2793"><enum>(i)</enum><text>a Federal, State, Tribal, or local government entity, such as a body, authority, board, bureau, commission, district, agency, or other political subdivision of the Federal Government or a State, Tribal, or local government;</text></clause><clause id="HA4B7E6BECA8D4BC894005C239DFE0E5F"><enum>(ii)</enum><text>an entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, or local government entity, to the extent that such entity is acting as a service provider to the government entity;</text></clause><clause id="H3C534C8D5AD345AC85C8111BE4D27835"><enum>(iii)</enum><text>a small business;</text></clause><clause id="HD880238DF6C34235B273D310C4CFEC9F"><enum>(iv)</enum><text>an individual acting at their own direction and in a non-commercial context;</text></clause><clause id="H34C9B42F03D348FA82D286BDECB77E9A"><enum>(v)</enum><text>the National Center for Missing and Exploited Children; or</text></clause><clause id="HE5A23B1C52FF418FB9921918D6E3FCFD"><enum>(vi)</enum><text>except with respect to requirements under section 109, a nonprofit organization whose primary mission is to prevent, investigate, or deter fraud, to train anti-fraud professionals, or to educate the public 
about fraud, including insurance fraud, securities fraud, and financial fraud, to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission.</text></clause></subparagraph><subparagraph id="H54E336B915DC45118A42182419D48D1A"><enum>(D)</enum><header>Nonapplication to service providers</header><text>An entity may not be considered to be a <quote>covered entity</quote> for the purposes of this title, insofar as the entity is acting as a service provider.</text></subparagraph></paragraph><paragraph id="HA79AA223F4CF48F7B36F1A7F6A0380C5"><enum>(14)</enum><header>Covered high-impact social media company</header><subparagraph id="H6D9932AA11FA41F086B55A101775912C"><enum>(A)</enum><header>In general</header><text>The term <quote>covered high-impact social media company</quote> means a covered entity that provides any internet-accessible platform that—</text><clause id="H335FAE25B4954078BF55A899D622C74A"><enum>(i)</enum><text>generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity;</text></clause><clause id="H4D8038AEACBF4C8CA40CFD3851A3236A"><enum>(ii)</enum><text>has 300,000,000 or more global monthly active users for not fewer than 3 of the preceding 12 months; and</text></clause><clause id="HA12690E2F3484E96885F425C1983A526"><enum>(iii)</enum><text>constitutes an online product or service that is primarily used by users to access or share user-generated content.</text></clause></subparagraph><subparagraph id="HB3D755F3C6C3424ABA4EE259527AE2A3"><enum>(B)</enum><header>Treatment of certain services and applications</header><text>A service or application may not be considered to constitute an online product or service described in subparagraph (A)(iii) solely on the basis of providing any of the following:</text><clause id="H81D4090DCFF74EA5B6E506B1D91E6602"><enum>(i)</enum><text>Email.</text></clause><clause 
id="HB20FBD36B65E4F998E334315642FD306"><enum>(ii)</enum><text>Career or professional development networking opportunities.</text></clause><clause id="H059471F674714EF2BB15BE11550D0266"><enum>(iii)</enum><text>Reviews of products, services, events, or destinations.</text></clause><clause id="H1816D4B4421C4913BB521F9FEA3F708B"><enum>(iv)</enum><text>A platform for use in a public or private school under the direction of the school.</text></clause><clause id="HBB4AF3CFFB47478DB1C0A42911BD8FB3"><enum>(v)</enum><text>File collaboration.</text></clause><clause id="H32187AFE5C06435EA0810C4D52C4C6F3"><enum>(vi)</enum><text>Cloud storage.</text></clause><clause id="H53F38F6911C34910B5312B1C20C7E914"><enum>(vii)</enum><text>Closed video or audio communications services.</text></clause><clause id="H9FA25AA34C594A5F9055D630E73D847B"><enum>(viii)</enum><text>A wireless messaging service, including such a service provided through short messaging service or multimedia messaging service protocols, that is not a component of, or linked to, a platform of a covered high-impact social media company, if the predominant or exclusive function is direct messaging consisting of the transmission of text, photos, or videos that are sent by electronic means, and if messages are transmitted from the sender to a recipient and are not posted within a platform of a covered high-impact social media company or publicly.</text></clause></subparagraph></paragraph><paragraph id="HA3E50014A6E348D19FF1A9CE04290EBC"><enum>(15)</enum><header>Covered minor</header><text>The term <quote>covered minor</quote> means an individual under the age of 17.</text></paragraph><paragraph id="H26923865DC0F4BDB8162FD22EA67C8A9"><enum>(16)</enum><header>Dark patterns</header><text>The term <quote>dark patterns</quote> means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.</text></paragraph><paragraph 
id="H69783BA5D4A545089FCA651EF2DAC1EE"><enum>(17)</enum><header>Data broker</header><subparagraph id="H285C2F556B76460CB419D1CA6B4587CE"><enum>(A)</enum><header>In general</header><text>The term <quote>data broker</quote> means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data.</text></subparagraph><subparagraph id="HD3B42E7A34D9471DBC163D3560871CBD"><enum>(B)</enum><header>Principal source of revenue</header><text>For purposes of this paragraph, the term <quote>principal source of revenue</quote> means, for the prior 12-month period—</text><clause id="H344C592951E4482480F3B58D4C8B15FE"><enum>(i)</enum><text>revenue that constitutes greater than 50 percent of all revenue of the covered entity during such period; or</text></clause><clause id="HEF36B21E6C154C42B01BD321C873BFC0"><enum>(ii)</enum><text>revenue obtained from processing and transferring the covered data of more than 5,000,000 individuals that the covered entity did not collect directly from the individuals linked or linkable to the covered data.</text></clause></subparagraph><subparagraph id="HD6625362D8524D989DDAD2F5494AF0FD"><enum>(C)</enum><header>Non-application to service providers</header><text>The term <quote>data broker</quote> does not include an entity to the extent that such entity is acting as a service provider.</text></subparagraph></paragraph><paragraph id="HC5A1C17C4C5F47CC83A69D338788EAC5"><enum>(18)</enum><header>De-identified data</header><subparagraph id="H5B014AD00A934004B53E92698C982FB5"><enum>(A)</enum><header>In general</header><text>The term <quote>de-identified data</quote> means information that cannot reasonably be used to infer or derive the identity of an individual, and does not identify and is not linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 
an individual, regardless of whether the information is aggregated, if the relevant covered entity or service provider—</text><clause id="H1E6A9A078A69406ABA8E67527EA4DFBB"><enum>(i)</enum><text>takes reasonable physical, administrative, and technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;</text></clause><clause id="HFAEBE8F830F94E9B9E4C0B4373F33B2F"><enum>(ii)</enum><text>publicly commits in a clear and conspicuous manner to—</text><subclause id="H898C0B5D45474F8AABA9251E5FCA153A"><enum>(I)</enum><text>process, retain, or transfer the information solely in a de-identified form without any reasonable means for re-identification; and</text></subclause><subclause id="HBB4FE3DCE1AF4240B33305732C0CFEB2"><enum>(II)</enum><text>not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual, except as necessary, limited, and proportionate to test the effectiveness of the measures described in clause (i); and</text></subclause></clause><clause id="HA904C6D82B404DABA770501D7036A2DE"><enum>(iii)</enum><text>contractually obligates any entity that receives the information from the covered entity or service provider to—</text><subclause id="H080CFB598E7D4A719702452E3EB72884"><enum>(I)</enum><text>comply with clauses (i) and (ii) with respect to the information; and</text></subclause><subclause id="HE2C09F3E1D094D06B0A83E39CE4E8F8E"><enum>(II)</enum><text>require that such contractual obligations be included contractually in all subsequent instances in which the information may be received.</text></subclause></clause></subparagraph><subparagraph id="H8F96946C59C1409AA6A426FBE799A804"><enum>(B)</enum><header>Health information</header><text>The term <quote>de-identified data</quote> includes health information (as defined in section 1171 of the Social Security 
Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d</external-xref>)) that has been de-identified in accordance with section 164.514(b) of title 45, Code of Federal Regulations, except that if such information is subsequently provided to an entity that is not an entity subject to parts 160 and 164 of such title 45, such entity shall comply with clauses (ii) and (iii) of subparagraph (A) for the information to be considered de-identified under this title.</text></subparagraph></paragraph><paragraph id="H792F19F738F54339863A0BD61A17C813"><enum>(19)</enum><header>Derived data</header><text>The term <quote>derived data</quote> means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information.</text></paragraph><paragraph id="H150F00E9123C48DFB0149647ECA6F546"><enum>(20)</enum><header>Device</header><text>The term <quote>device</quote> means any electronic equipment capable of collecting, processing, retaining, or transferring covered data that is used by 1 or more individuals, including a connected device or a portable connected device.</text></paragraph><paragraph id="HE01C54AC2ADF4E17AECD0BDA601DBB5E"><enum>(21)</enum><header>Direct mail targeted advertising</header><text>The term <quote>direct mail targeted advertising</quote> means advertising or marketing using third-party data through a direct communication with an individual via direct mail.</text></paragraph><paragraph id="HED2057FE32194B8F981CC916586422CC"><enum>(22)</enum><header>Disability</header><text>The term <quote>disability</quote> has the meaning given such term in section 3 of the Americans with Disabilities Act of 1990 (<external-xref legal-doc="usc" parsable-cite="usc/42/12102">42 U.S.C. 
12102</external-xref>).</text></paragraph><paragraph id="HAC4044D308084FA09A0586EAFA3EC2D0"><enum>(23)</enum><header>Email targeted advertising</header><text>The term <quote>email targeted advertising</quote> means advertising or marketing using third-party data through a direct communication with an individual via email.</text></paragraph><paragraph id="H784B19DE144D48DBA7B5E6D9B839B3E1"><enum>(24)</enum><header>Employee</header><text>The term <quote>employee</quote> means an individual who is an employee, director, officer, staff member, paid intern, individual working as an independent contractor (who is not a service provider), volunteer, or unpaid intern of an employer, regardless of whether such individual is paid, unpaid, or engaged on a temporary basis.</text></paragraph><paragraph id="H9531B3E03E08407A8F5D22B54C4D9EDC"><enum>(25)</enum><header>Employee information</header><text>The term <quote>employee information</quote> means information, including biometric information or genetic information—</text><subparagraph id="H3E5D2152059E46BF8148F77514A0A6D9"><enum>(A)</enum><text>about an individual related to the course of employment or application for employment of the individual (including on a contract or temporary basis), if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for purposes necessary for the employment or application of the individual;</text></subparagraph><subparagraph id="HFCB2BFEB066B4131AF6A76E03E20FA8C"><enum>(B)</enum><text>that is emergency contact information for an individual who is an employee or job applicant of an employer, if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for the purpose of having an emergency contact for such individual on file; or</text></subparagraph><subparagraph id="HC2267CA10AFA44328FA77EBA9911C375"><enum>(C)</enum><text>about an individual who is 
an employee or former employee of an employer, or a relative, dependent, or beneficiary of the employee or former employee, and collected, retained, processed, or transferred for the purpose of administering benefits, including enrollment and disenrollment for benefits, to which the employee, former employee, relative, dependent, or beneficiary is entitled on the basis of the employment of the employee or former employee with the employer, if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for the purpose of administering such benefits.</text></subparagraph></paragraph><paragraph id="H14F66B266855493AAF15F02D03449150"><enum>(26)</enum><header>Entity</header><text>The term <quote>entity</quote> means an individual, a trust, a partnership, an association, an organization, a company, and a corporation.</text></paragraph><paragraph id="H9BC02646975049EDA9FA5C9C6AC534A5"><enum>(27)</enum><header>Executive agency</header><text>The term <quote>Executive agency</quote> has the meaning given such term in section 105 of title 5, United States Code.</text></paragraph><paragraph id="H79BA112A0C2D45799178B8CA409DFE2A"><enum>(28)</enum><header>Federated nonprofit organization</header><text>The term <quote>federated nonprofit organization</quote> means a network or system of 2 or more entities, described in <external-xref legal-doc="usc" parsable-cite="usc/26/501">section 501(c)(3)</external-xref> of the Internal Revenue Code of 1986 and exempt from taxation under section 501(a) of such Code, that share common branding.</text></paragraph><paragraph id="H1B567BAC431F44D382FB8201A8F644BD"><enum>(29)</enum><header>First party</header><text>The term <quote>first party</quote>—</text><subparagraph id="H48EFF8DAA4B04C9AB5ACB5EC7FB257E9"><enum>(A)</enum><text>means a consumer-facing covered entity with which a consumer intends and expects to interact; and</text></subparagraph><subparagraph 
id="H8DE655A7CB83477AB9A874B127EC0EB1"><enum>(B)</enum><text>includes any entities with which the covered entity shares common branding.</text></subparagraph></paragraph><paragraph id="H4CC20F2DDF184B51AC501FE8FE6A2A57"><enum>(30)</enum><header>First-party advertising</header><subparagraph id="HF6602E5EA22E4B36A04973B42A3A4F77"><enum>(A)</enum><header>In general</header><text>The term <quote>first-party advertising</quote> means advertising or marketing by a first party using the first-party data of the first party and not other forms of covered data and carried out—</text><clause id="H743373A6C5274907A6B25BE54E382D13"><enum>(i)</enum><text>through direct communications with an individual, such as direct mail, email (subject to the CAN-SPAM Act of 2003 (<external-xref legal-doc="usc" parsable-cite="usc/15/7701">15 U.S.C. 7701 et seq.</external-xref>) and the regulations promulgated under such Act), or text message communications (subject to section 227 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/227">47 U.S.C. 
227</external-xref>) and the regulations promulgated under such section); or</text></clause><clause id="H3214DD171F1B4EF5AAFD24A626EF64D5" commented="no"><enum>(ii)</enum><text>entirely—</text><subclause id="H928CF6C6EE8E4D89A7391001211F97E0" commented="no"><enum>(I)</enum><text>in a physical location operated by the first party;</text></subclause><subclause id="H86FD13CAB24B475DAE6B01494761F5DF" commented="no"><enum>(II)</enum><text display-inline="yes-display-inline">in the case of a first party that is not a covered high-impact social media company, on a website, online service, online application, or mobile application operated by the first party, through display or presentation of an online advertisement that promotes a product or service (whether offered by the first party or not offered by the first party) to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers; or</text></subclause><subclause id="H507F49DE56D940B6A6F3D86480D3BE0A" commented="no"><enum>(III)</enum><text display-inline="yes-display-inline">in the case of a first party that is a covered high-impact social media company, on a website, online service, online application, or mobile application operated by the first party, through display or presentation of an online advertisement that promotes a product or service offered by the first party to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers.</text></subclause></clause></subparagraph><subparagraph id="H3ED00104D1CC42ECB96FB0E2986B7042"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>first-party advertising</quote> does not include contextual advertising.</text></subparagraph></paragraph><paragraph id="HE775CD2A83274B468C47AAB0C7C1E3E7"><enum>(31)</enum><header>First-party data</header><text>The term <quote>first-party data</quote> means 
covered data collected directly from an individual by a first party, including based on a visit by the individual to or use by the individual of a physical location, website, online service, online application, or mobile application operated by the first party.</text></paragraph><paragraph id="H5891E94F81A34521A358F77D2C81D088"><enum>(32)</enum><header>Genetic information</header><text>The term <quote>genetic information</quote> means any covered data, regardless of format, that concerns the genetic characteristics of an identified or identifiable individual, including—</text><subparagraph id="H62600516B68E40A9B2D0C49EBBE31F42"><enum>(A)</enum><text>raw sequence data that results from the sequencing of the complete, or a portion of, extracted deoxyribonucleic acid (DNA) of an individual; or</text></subparagraph><subparagraph id="H217739590EFC46D5935A003E704F070C"><enum>(B)</enum><text>genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (A).</text></subparagraph></paragraph><paragraph id="H2F872D8B84FC4912AAECBB6E8C266E19"><enum>(33)</enum><header>Health information</header><text>The term <quote>health information</quote> means information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition, status, or treatment of an individual, including the precise geolocation information of such treatment.</text></paragraph><paragraph id="H6C30BAD16A894B3BB5D8E7CC7D1A7715"><enum>(34)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States.</text></paragraph><paragraph id="H41321864D483424384B2C950F1E83CB9"><enum>(35)</enum><header>Knowledge</header><subparagraph id="HACF1AE1EE7F946BEBBCBF772D7BFBFB3"><enum>(A)</enum><header>In general</header><text>The term <quote>knowledge</quote> means, with respect to whether an individual is a child, teen, or covered minor, actual 
knowledge or knowledge fairly implied on the basis of objective circumstances.</text></subparagraph><subparagraph id="H4A402B18E87B42F1AB5FF1F629344BEB"><enum>(B)</enum><header>Rule of construction</header><text>For purposes of enforcing this title or a regulation promulgated under this title, a determination as to whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child, teen, or covered minor shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the individual is a child, teen, or covered minor. Nothing in this title, including a determination described in the preceding sentence, may be construed to require a covered entity to—</text><clause id="H6C7675181254480680F6487DC17A8556"><enum>(i)</enum><text>affirmatively collect any covered data with respect to the age of a child, teen, or covered minor that the covered entity is not already collecting in the normal course of business; or</text></clause><clause id="H1A05A9620C7242B099C0F0C021261B13"><enum>(ii)</enum><text>implement an age gating or age verification functionality.</text></clause></subparagraph><subparagraph id="H266C816687434D45A8FFFF1ACC32C5D9"><enum>(C)</enum><header>Commission guidance</header><clause id="HEA9EDF9981504C3695C037F28213200C"><enum>(i)</enum><header>In general</header><text>Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance to provide information, including best practices and examples, for covered entities to use in understanding whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child, teen, or covered minor.</text></clause><clause id="H3AFDF4F605A74673AF9099FFA7856F01"><enum>(ii)</enum><header>Limitation</header><text display-inline="yes-display-inline">No 
guidance issued by the Commission under clause (i) confers any rights on any person, State, or locality, or operates to bind the Commission or any person, State, or locality to the approach recommended in such guidance. Any enforcement action brought pursuant to this title by the Commission, or by the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers, shall allege a specific violation of a provision of this title, and the Commission or the attorney general, chief consumer protection officer, or other authorized officer or office of the State, as applicable, may not base an enforcement action on, or as applicable execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title.</text></clause></subparagraph></paragraph><paragraph id="H5AB7DF9B5AD547EC9D3ECECD6D2C01A7"><enum>(36)</enum><header>Large data holder</header><subparagraph id="H3737C21348E84B438F8158DA1DFC4B7B"><enum>(A)</enum><header>In general</header><text>The term <quote>large data holder</quote> means a covered entity or service provider that, in the most recent calendar year, had an annual gross revenue of not less than $250,000,000 and, subject to subparagraph (B), collected, processed, retained, or transferred—</text><clause id="HB6C4EDD477D74BEC9BB1878FD20F53EA"><enum>(i)</enum><text>the covered data of—</text><subclause id="H9BC02107B40C4F46B83830B36365750E"><enum>(I)</enum><text>more than 5,000,000 individuals;</text></subclause><subclause id="H21A9C3E07BF34C24962AE41FA9C1624C"><enum>(II)</enum><text>more than 15,000,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; or</text></subclause><subclause id="HEC951F8B15B74D9CA5738706205FFEE9"><enum>(III)</enum><text>more than 35,000,000 
connected devices that identify or are linked or reasonably linkable to 1 or more individuals; or</text></subclause></clause><clause id="H68B9186A9D034EE5B195A90CB91BE2D4"><enum>(ii)</enum><text>the sensitive covered data of—</text><subclause id="HC05BE0D9B5884EB8A2A8C78FC7362B8C"><enum>(I)</enum><text>more than 200,000 individuals;</text></subclause><subclause id="H504A5467287A4A038093B45395985EA7"><enum>(II)</enum><text>more than 300,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; or</text></subclause><subclause id="HB922E6D3FB954CB78BB27F3478556962"><enum>(III)</enum><text>more than 700,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals.</text></subclause></clause></subparagraph><subparagraph id="HC851AFCCA2E9405481DE16C76B54E085"><enum>(B)</enum><header>Exclusions</header><text>For the purposes of subparagraph (A), a covered entity or service provider may not be considered a large data holder solely on the basis of collecting, processing, retaining, or transferring to a service provider—</text><clause id="HD3A72821B2B345429E2186D985965C0E"><enum>(i)</enum><text>personal mailing or email addresses;</text></clause><clause id="HD994384A756A4A9B91249D41EABFDF37"><enum>(ii)</enum><text>personal telephone numbers;</text></clause><clause id="HFEAF423992EE491081FD5452F67FA218"><enum>(iii)</enum><text>log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity; or</text></clause><clause id="HF10E17C61FCF454AB17F5847B31E1F8C"><enum>(iv)</enum><text>in the case of a covered entity that is a seller of goods or services (other than an entity that facilitates payment, such as a bank, credit card processor, mobile payment system, or payment platform), credit, debit, or mobile payment information necessary and used to initiate, render, bill for, finalize, complete, or otherwise facilitate 
payments for such goods or services.</text></clause></subparagraph><subparagraph id="H7D11FA6BBCF64B30AFDDF3CA0B644A50"><enum>(C)</enum><header>Definition of annual gross revenue</header><text>For the purposes of subparagraph (A), the term <quote>annual gross revenue</quote>, with respect to a covered entity or service provider—</text><clause id="H18E1382020414287A50F72591403784A"><enum>(i)</enum><text>means the gross receipts the covered entity or service provider received, in whatever form from all sources, without subtracting any costs or expenses; and</text></clause><clause id="H0E14C72F9A134F5DAA44ABFFD2B59C42"><enum>(ii)</enum><text>includes contributions, gifts, grants, dues or other assessments, income from investments, and proceeds from the sale of real or personal property.</text></clause></subparagraph></paragraph><paragraph id="H2D06955EE4E84C91A10CDAC173C00833"><enum>(37)</enum><header>Market research</header><text>The term <quote>market research</quote> means the collection, processing, retention, or transfer of covered data, with affirmative express consent, that is necessary, proportionate, and limited to measure and analyze the market or market trends of products, services, advertising, or ideas, if the covered data is not—</text><subparagraph id="H7CFA8458005341D58CD2F9986CE05838"><enum>(A)</enum><text>integrated into any product or service;</text></subparagraph><subparagraph id="H1291473AABB649F68443499598D87CAD"><enum>(B)</enum><text>otherwise used to contact any individual or device of an individual; or</text></subparagraph><subparagraph id="HA86F133EEA6646AAB4B4636D75BE0351"><enum>(C)</enum><text>used for targeted advertising or to otherwise market to any individual or device of an individual.</text></subparagraph></paragraph><paragraph id="H4F55914081FE40A4A4361BFD7BABD800"><enum>(38)</enum><header>Material change</header><text>The term <quote>material change</quote> means, with respect to treatment of covered data, a change by an entity that 
would likely affect the decision of an individual to engage with and provide covered data to the entity, including providing affirmative express consent for, or opting out of, the collection, processing, retention, or transfer of covered data pertaining to such individual.</text></paragraph><paragraph id="HAAE19F4797F84C8FB61E7580B2D62314"><enum>(39)</enum><header>Mobile application</header><text display-inline="yes-display-inline">The term <quote>mobile application</quote>—</text><subparagraph id="H6CC3F2E753204C3EBF8F492BD5B3F4DE"><enum>(A)</enum><text>means a software program that runs on the operating system of—</text><clause id="H020055390F264B9994E48B00466CF8CF"><enum>(i)</enum><text>a cellular telephone;</text></clause><clause id="H4FA0B6426B6249DB83675869A951D3EA"><enum>(ii)</enum><text>a tablet computer; or</text></clause><clause id="H7797BD08F6354BEA8AC29447EFBD1F95"><enum>(iii)</enum><text>a similar portable computing device that transmits data over a wireless connection; and</text></clause></subparagraph><subparagraph id="HE586F6193FA04AE4864D309F1B35A31E"><enum>(B)</enum><text>includes a service or application offered via a connected device.</text></subparagraph></paragraph><paragraph id="H534A7932A8BF4C4C941992D47E2B58C0"><enum>(40)</enum><header>On-device data</header><subparagraph id="HBEA4820EFFBA419C9DEA109A368F878C"><enum>(A)</enum><header>In general</header><text>The term <quote>on-device data</quote> means data collected, retained, and processed solely on the device of an individual.</text></subparagraph><subparagraph id="H706568154D03481781DA2359325FDF8B"><enum>(B)</enum><header>Limitation</header><text>Data collected, retained, and processed solely on the device of an individual may be considered <quote>on-device data</quote> only if—</text><clause id="HA2E27698EF49435FB8FAF65E475E377F"><enum>(i)</enum><text>such data is not transferred by a covered entity or service provider;</text></clause><clause 
id="H2015C50E1CBC40958231CA389A985AE2"><enum>(ii)</enum><text>the relevant covered entity clearly and conspicuously provides the device owner with controls that allow the owner to access, correct, delete, and export such data consistent with the rights provided with respect to covered data pursuant to section 105;</text></clause><clause id="HE293989B9B2144D2A73AB931CC128903"><enum>(iii)</enum><text>the relevant covered entity provides easy-to-understand instructions on how the device owner can access such controls; and</text></clause><clause id="H6195218BA299474B8D7CD70C269F5F38"><enum>(iv)</enum><text>the relevant covered entity establishes, implements, and maintains reasonable data security practices, consistent with section 109, to protect—</text><subclause id="H84F1402B0FBA44C6AFB3571ABC275F53"><enum>(I)</enum><text>the confidentiality, integrity, and availability of the on-device data; and</text></subclause><subclause id="H06CF83F582904338AE4B07D470A3598A"><enum>(II)</enum><text>on-device data against unauthorized access.</text></subclause></clause></subparagraph></paragraph><paragraph id="HA5C3739363234841B7D24E40E0DFF5C9"><enum>(41)</enum><header>Online activity profile</header><text>The term <quote>online activity profile</quote> means covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third-party websites, online services, online applications, or mobile applications that do not share common branding and that is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual.</text></paragraph><paragraph id="H07F7C5266CEC4C86B9644F3F8FD11D57"><enum>(42)</enum><header>Online application</header><text>The term <quote>online application</quote>—</text><subparagraph id="H6F2276510BAF4426B3E787118737CDA8"><enum>(A)</enum><text>means an internet-connected software program; 
and</text></subparagraph><subparagraph id="H3D73554C6B2B4F7EA009D022DB636858"><enum>(B)</enum><text>includes a service or application offered via a connected device.</text></subparagraph></paragraph><paragraph id="H604E42FA0BF74DBC9124D78F03C91736"><enum>(43)</enum><header>Parent</header><text>The term <quote>parent</quote> means a legal guardian.</text></paragraph><paragraph id="HD37799F7B4A147C485120C2F56D979FD"><enum>(44)</enum><header>Portable connected device</header><text>The term <quote>portable connected device</quote> means a portable device that is capable of connecting to the internet over a wireless connection, including a smartphone, tablet computer, laptop computer, smartwatch, or similar portable device.</text></paragraph><paragraph id="HA79AB0DC7B0A4ABF929086E41EA56E3B"><enum>(45)</enum><header>Precise geolocation information</header><subparagraph id="H8023B295DE3E465FBFBA5AA4EAA8084A"><enum>(A)</enum><header>In general</header><text>The term <quote>precise geolocation information</quote> means information that reveals the past or present physical location of an individual or device with sufficient precision to identify the location of such individual or device within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet or less.</text></subparagraph><subparagraph id="HDCF15839104E469E914581A676D6BA91"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>precise geolocation information</quote> does not include information derived solely from—</text><clause id="HDBDAC87A224841948A93A5D6FA359E72"><enum>(i)</enum><text>a digital or physical photograph;</text></clause><clause id="H3F0FB3EE9FF346C6899922FF028B0BEF"><enum>(ii)</enum><text>an audio or visual recording; or</text></clause><clause id="HB3A55C276E414DDCB5B0DADAB327B153"><enum>(iii)</enum><text>metadata associated with a digital or physical photograph or an audio or visual recording that cannot be linked to an 
individual.</text></clause></subparagraph></paragraph><paragraph id="HC4CFBD32072B4B60A29B236577096CF8"><enum>(46)</enum><header>Process</header><text>The term <quote>process</quote> means, with respect to covered data, any operation or set of operations performed on the covered data, including analyzing, organizing, structuring, using, modifying, or otherwise handling the covered data.</text></paragraph><paragraph id="H32396E7AD0614C6D8D73241A552383C3"><enum>(47)</enum><header>Publicly available information</header><subparagraph id="H4CDFA696109D4D52AB9683093ACE3BED"><enum>(A)</enum><header>In general</header><text>The term <quote>publicly available information</quote> means any information that a covered entity has a reasonable basis to believe has been lawfully made available to the general public by—</text><clause id="HF29E30E1E28945B582ECAD1316E2AA1A"><enum>(i)</enum><text>Federal, State, or local government records, if the covered entity collects, processes, retains, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;</text></clause><clause id="H0B6504A86AF842378A443009ABF396DB"><enum>(ii)</enum><text>widely distributed media;</text></clause><clause id="H42114F1B547E439CAE8F56809048D8BF"><enum>(iii)</enum><text>a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log in to the website or online service; or</text></clause><clause id="H8612D5FBF55B4403BF7B2DA30E735AC7"><enum>(iv)</enum><text>a disclosure to the general public that is required to be made by Federal, State, or local law.</text></clause></subparagraph><subparagraph id="H51166B7CFAA2455CAD3B044006A9C713"><enum>(B)</enum><header>Clarifications; limitations</header><clause id="HB23B72DD9CB8406DB68915E0186FAD96"><enum>(i)</enum><header>Available to all members of the public</header><text>For purposes of this paragraph, 
information from a website or online service is not available to all members of the public if the individual to whom the information pertains has restricted the information to a specific audience or maintained a default setting that restricts the information to a specific audience.</text></clause><clause id="HF34D168FA84841448D3151D5232F2753"><enum>(ii)</enum><header>Business contact information</header><text>The term <quote>publicly available information</quote> includes business contact information of an individual acting in a business or professional context that is made available on a website or online service made available to all members of the public, including the name, position or title, business telephone number, business email address, or business address of the individual.</text></clause><clause id="HB5025B5486144B2FAF88461AC2C69B0D"><enum>(iii)</enum><header>Other limitations</header><text>The term <quote>publicly available information</quote> does not include—</text><subclause id="H1677C0D7B2EF46D384F835232972F050"><enum>(I)</enum><text>any obscene visual depiction (as such term is used in section 1460 of title 18, United States Code);</text></subclause><subclause id="HF740EF8C156E4571AA0B7B9FB96EDE45"><enum>(II)</enum><text>derived data from publicly available information that reveals information about an individual that meets the definition of the term <quote>sensitive covered data</quote>;</text></subclause><subclause id="H86A9DBE2B5684052999A2A14E933EBC3"><enum>(III)</enum><text>biometric information;</text></subclause><subclause id="H9BC74691494D4B53AFA23C52DE1E8D3A"><enum>(IV)</enum><text>genetic information, unless made publicly available by the individual to whom the information pertains by a means described in clause (ii) or (iii) of subparagraph (A);</text></subclause><subclause id="H41565FCED73E49888859C805E75EE26B"><enum>(V)</enum><text>covered data that is created through the combination of covered data with publicly available 
information;</text></subclause><subclause id="H6F7F107F5E75470D941C5DB8CCC270A7"><enum>(VI)</enum><text>intimate images, authentic or computer-generated, known to be nonconsensual; or</text></subclause><subclause id="H0E0C2B21BCD542F4831AC2AFAA723BA4"><enum>(VII)</enum><text>sensitive covered data made available by a data broker.</text></subclause></clause></subparagraph></paragraph><paragraph id="HC6F80EDD5A994667944F947F722E4429"><enum>(48)</enum><header>Retain</header><text>The term <quote>retain</quote> means, with respect to covered data, to store, maintain, save, or otherwise keep such data, regardless of format.</text></paragraph><paragraph id="H8FD945533B20425C9F392A5F9D73F08E"><enum>(49)</enum><header>Sensitive covered data</header><subparagraph id="HC56CDBDC427F4AABB8DFB3F4C55C44F8"><enum>(A)</enum><header>In general</header><text>The term <quote>sensitive covered data</quote> means the following forms of covered data:</text><clause id="H4C23AEF7DEE140B88D3A7796610C307E"><enum>(i)</enum><text>A government-issued identifier, including a Social Security number, passport number, or driver’s license number, that is not required by law to be displayed in public.</text></clause><clause id="H2E47D9CCC986479EA1301F55AED653D0"><enum>(ii)</enum><text display-inline="yes-display-inline">Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition, status, or treatment of an individual.</text></clause><clause id="H9458C6AD3CBD4C62A00225224811B8D4"><enum>(iii)</enum><text>Genetic information.</text></clause><clause id="HA5B3D8261B05413C9528417B7E19284C"><enum>(iv)</enum><text>A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card, except that the last four digits of an account number, debit card number, or credit card number may not be considered sensitive covered 
data.</text></clause><clause id="H857C9C187EA24E90B9DBE35B5977A541"><enum>(v)</enum><text>Biometric information.</text></clause><clause id="H65B683C606C94019BE8ED87BE638FB53"><enum>(vi)</enum><text>Precise geolocation information.</text></clause><clause id="H5039475DBC1F4E12A866D1A5AB59661F"><enum>(vii)</enum><text>The private communications of an individual (such as voicemails, or other voice or video communications, emails, texts, direct messages, or mail) or information identifying the parties to such communications, information contained in telephone bills, and any information that pertains to the transmission of private voice or video communications, including numbers called, numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the relevant covered entity or service provider is an intended recipient of the communication.</text></clause><clause id="H3987DAB26C0F449F93A0614AAFD5FBBC"><enum>(viii)</enum><text>Unencrypted or unredacted account or device log-in credentials.</text></clause><clause id="H76246E8F8D024F29A100E3F5F1648667"><enum>(ix)</enum><text>Information revealing the sexual behavior of an individual in a manner inconsistent with the reasonable expectation of the individual regarding disclosure of such information.</text></clause><clause id="H32FD389C31D54CB28958FBCB7E487A0F"><enum>(x)</enum><text>Calendar information, address book information, phone, text, or electronic logs, photographs, audio recordings, or videos intended for private use.</text></clause><clause id="H9ADC54D7CBBE4831AAE845E0B878D848"><enum>(xi)</enum><text>A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.</text></clause><clause id="H9F5E31925B9E4865AA405A465662F0AB"><enum>(xii)</enum><text>Information revealing the extent or content of the access, viewing, or other use by an individual of any video programming (as 
defined in section 713(h)(2) of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/613">47 U.S.C. 613(h)(2)</external-xref>)), including programming provided by a provider of broadcast television service, cable service, satellite service, or streaming media service, but only with regard to the transfer of such information to a third party (excluding any such information used solely for transfers for independent video measurement).</text></clause><clause id="H211FDDC907924F53AC9F88C7C032CF23"><enum>(xiii)</enum><text>Information collected by a covered entity that is not a provider of a service described in clause (xii) that reveals the video content requested or selected by an individual (excluding any such information used solely for transfers for independent video measurement).</text></clause><clause id="H5FFF25F95CD948E68B1F7CFC05CF6673"><enum>(xiv)</enum><text>Information revealing the race, ethnicity, national origin, religion, or sex of an individual in a manner inconsistent with the reasonable expectation of the individual regarding disclosure of such information.</text></clause><clause id="H71C0DAFF2A714E328EEE17D43DF05E1A"><enum>(xv)</enum><text>An online activity profile.</text></clause><clause id="H63A6BCFE57E5473EA69468BBD885FD51"><enum>(xvi)</enum><text>Information about a covered minor.</text></clause><clause id="H68B45497C9A14EFAA95CC3339C0924A2"><enum>(xvii)</enum><text>Information that reveals the status of an individual as a member of the Armed Forces.</text></clause><clause id="H586DEAE936A94DB5B5A9A42A7A935BFE"><enum>(xviii)</enum><text>Neural data.</text></clause><clause id="HF92FF72A68EF43D8BDF46AF904F407AF"><enum>(xix)</enum><text>Any other covered data collected, processed, retained, or transferred for the purpose of identifying a type of information described in any of clauses (i) through (xviii).</text></clause></subparagraph><subparagraph id="H5310E1B2E48E4AED9D3A867C5EE5FE02"><enum>(B)</enum><header>Third 
party</header><text>For the purposes of subparagraph (A)(xii), the term <quote>third party</quote> does not include an entity that—</text><clause id="H641BAF7906CF4A66A2DE83EA811FC31C"><enum>(i)</enum><text>is related by common ownership or corporate control to the provider of broadcast television service or streaming media service; and</text></clause><clause id="HCB218BB34565480887466815446C3082"><enum>(ii)</enum><text>provides video programming as described in such subparagraph.</text></clause></subparagraph></paragraph><paragraph id="HD7502CC3DDD94DC1AC19898F4909FF98"><enum>(50)</enum><header>Service provider</header><subparagraph id="H0B11CE61452D4D038CB3CDC28469F957"><enum>(A)</enum><header>In general</header><text>The term <quote>service provider</quote> means an entity that collects, processes, retains, or transfers covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of—</text><clause id="HA862B82E72CC42A49AC2EAAF8D804682"><enum>(i)</enum><text>a covered entity or another service provider; or</text></clause><clause id="HC5329B2B19284B5E9680A25B9EB8811E"><enum>(ii)</enum><text display-inline="yes-display-inline">a Federal, State, Tribal, or local government entity.</text></clause></subparagraph><subparagraph id="H49BC4D4DDCB64EA382176A611483598F"><enum>(B)</enum><header>Rule of construction</header><clause id="H2C34DB4BE9274ACF8F138C4E070D0C0D"><enum>(i)</enum><header>In general</header><text>An entity is a covered entity and not a service provider with respect to a specific collecting, processing, retaining, or transferring of covered data, if the entity, alone or jointly with others, determines the purposes and means of the specific collecting, processing, retaining, or transferring of data.</text></clause><clause id="HF0C7AF71B81C4C9E98FFDEC8BF8609C8"><enum>(ii)</enum><header>Instructions</header><text display-inline="yes-display-inline">An entity that is not limited in its collecting, processing, 
retaining, or transferring of covered data pursuant to the instructions of a covered entity, another service provider, or a Federal, State, Tribal, or local government entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific collecting, processing, retaining, or transferring of such data. If a service provider begins, alone or jointly with others, determining the purposes and means of collecting, processing, retaining, or transferring covered data, the entity is a covered entity with respect to such data.</text></clause><clause id="H474A1B66E55A46B8AEC743756BEC7F11"><enum>(iii)</enum><header>Context required</header><text>Whether an entity is a covered entity or a service provider depends on the facts surrounding how, and the context in which, data is collected, processed, retained, or transferred.</text></clause></subparagraph></paragraph><paragraph id="HD78B4B8E7FAA466A889D1BBCEB9066B4"><enum>(51)</enum><header>Small business</header><subparagraph id="HAC7E4D1E6F5D48018CD12C261DE87316"><enum>(A)</enum><header>In general</header><text>The term <quote>small business</quote> means an entity (including any affiliate of the entity)—</text><clause id="H85B9F7E8FB6C433FAF865B83F1EE5A51"><enum>(i)</enum><text>that has average annual gross revenues for the period of the 3 preceding calendar years (or for the period during which the entity has been in existence, if such period is less than 3 calendar years) not exceeding $40,000,000, indexed to the Producer Price Index reported by the Bureau of Labor Statistics;</text></clause><clause id="HBB01B6B53C96498DBBE6D1AD33112F9E"><enum>(ii)</enum><text>that, on average for the period described in clause (i), did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or 
product; and</text></clause><clause id="H24854A4BEAFC4FCB814A3EAB1E8ACEC4"><enum>(iii)</enum><text>that did not, during the period described in clause (i), transfer covered data to a third party in exchange for revenue or anything of value, except for purposes of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product or facilitating web analytics that are not used to create an online activity profile.</text></clause></subparagraph><subparagraph id="HBDC30B0C71B14EB6B5C13DB124EDEAFC"><enum>(B)</enum><header>Nonprofit revenue</header><text>For purposes of subparagraph (A)(i), the term <quote>revenue</quote>, as such term relates to any entity that is not organized to carry on business for its own profit or that of its members, means the gross receipts the entity received, in whatever form from all sources, without subtracting any costs or expenses, and includes contributions, gifts, grants (except for grants from the Federal Government), dues or other assessments, income from investments, or proceeds from the sale of real or personal property.</text></subparagraph></paragraph><paragraph id="H47CDFE057B1A4F7F8635B666293E4074"><enum>(52)</enum><header>State</header><text>The term <quote>State</quote> means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands of the United States, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.</text></paragraph><paragraph id="H616551101930482BB26800C0CF2F361F"><enum>(53)</enum><header>Substantial privacy harm</header><text>The term <quote>substantial privacy harm</quote> means—</text><subparagraph id="HC0D8FEF4645A4D4296CCF35B88A69E26"><enum>(A)</enum><text>any alleged financial harm of not less than $10,000; or</text></subparagraph><subparagraph id="HA05AB9D514CF4369A3E6C55A4686F602"><enum>(B)</enum><text>any alleged physical or mental harm to an individual that involves—</text><clause 
id="H19AFB25D7C16403A8E21326103E67432"><enum>(i)</enum><text>treatment by a licensed, credentialed, or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health, or addiction care; or</text></clause><clause id="H5DD2F6DA0FCA4340B313146B98D13193"><enum>(ii)</enum><text>physical injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.</text></clause></subparagraph></paragraph><paragraph id="HF6F51C0082B74D4EB5FB40208C5405A6"><enum>(54)</enum><header>Targeted advertising</header><text>The term <quote>targeted advertising</quote>—</text><subparagraph id="H906AD4F8AC714E419E552738DBB1E78D"><enum>(A)</enum><text>means displaying or presenting an online advertisement to an individual or to a device identified by a unique persistent identifier (or to a group of individuals or devices identified by unique persistent identifiers), if the advertisement is selected based, in whole or in part, on known or predicted preferences or interests associated with the individual or device;</text></subparagraph><subparagraph id="H5CF1D9C8BBB2442D8387B4F60569D895"><enum>(B)</enum><text>includes—</text><clause id="HFC626297FEB643C8AF38BA705BC15B19"><enum>(i)</enum><text>an online advertisement by a covered high-impact social media company for a product or service that is not a product or service offered by the covered high-impact social media company; and</text></clause><clause id="H8AFB5F4EA577486FAC1D81B95BABF541"><enum>(ii)</enum><text>an online advertisement for a product or service based on the previous interaction of an individual or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding or affiliation with the website or online service 
displaying or presenting the advertisement; and</text></clause></subparagraph><subparagraph id="H800A2C861EB2407AB55FB8DBC0270623"><enum>(C)</enum><text>excludes contextual advertising and first-party advertising.</text></subparagraph></paragraph><paragraph id="H4B0D08EB88524F98B5DDBFF433EE9CAF"><enum>(55)</enum><header>Teen</header><text>The term <quote>teen</quote> means an individual 13 years of age or older, but under the age of 17.</text></paragraph><paragraph id="H8F1DB585470B46B4BC8FB58B84F5D822"><enum>(56)</enum><header>Third party</header><text>The term <quote>third party</quote>—</text><subparagraph id="HAF890524F0514FDAB7F5494CD41C8161"><enum>(A)</enum><text>means any entity that—</text><clause id="HDEE7722B8DAB464E90BDB71D302391A6"><enum>(i)</enum><text>receives covered data from another entity that is not the individual to whom the data pertains; and</text></clause><clause id="H79ED34B6010C40E6868B694D418D1136"><enum>(ii)</enum><text>is not a service provider with respect to such data; and</text></clause></subparagraph><subparagraph id="H7CD2E0EB21004892BA65E2A590061B75"><enum>(B)</enum><text>does not include an entity that collects covered data from another entity if the 2 entities are—</text><clause id="H5C49240495C8462D9BF0F25704DB107B"><enum>(i)</enum><text>related by common ownership or corporate control; or</text></clause><clause id="H3D5574058D414E6B8194CCBD0EDAF2FD"><enum>(ii)</enum><text>nonprofit entities that are part of the same federated nonprofit organization.</text></clause></subparagraph></paragraph><paragraph id="HFCC568F9231846608201FF8E2FE150A0"><enum>(57)</enum><header>Third-party data</header><text>The term <quote>third-party data</quote> means covered data that has been transferred to a third party.</text></paragraph><paragraph id="H60AFB48676744B97A5715A27A45E4B7F"><enum>(58)</enum><header>Transfer</header><text>The term <quote>transfer</quote> means, with respect to covered data, to disclose, release, share, disseminate, make 
available, sell, rent, or license the covered data (orally, in writing, electronically, or by any other means) for consideration of any kind or for a commercial purpose.</text></paragraph><paragraph id="H62C98A3498194967A71FBCE20C2555F6"><enum>(59)</enum><header>Unique persistent identifier</header><subparagraph id="H0F3348E0B2DD420CAAED8BAD5214A950"><enum>(A)</enum><header>In general</header><text>The term <quote>unique persistent identifier</quote> means a technologically created identifier to the extent that such identifier is reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including device identifiers, Internet Protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers or similar technology customer numbers, unique pseudonyms, user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to 1 or more individuals or devices.</text></subparagraph><subparagraph id="HE71C949ABD04485196E62C614DB087AC"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>unique persistent identifier</quote> does not include an identifier assigned by a covered entity for the sole purpose of giving effect to the exercise of affirmative express consent or opt out by an individual with respect to the collecting, processing, retaining, and transfer of covered data or otherwise limiting the collecting, processing, retaining, or transfer of covered data.</text></subparagraph></paragraph><paragraph id="H967C829EAEAF492BA2430A099FD242A8"><enum>(60)</enum><header>Widely distributed media</header><subparagraph id="HEFF69430CA3443509D9B1E29F2AED6EC"><enum>(A)</enum><header>In general</header><text>The term <quote>widely distributed media</quote> means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or 
an internet site that is available to the general public on an unrestricted basis.</text></subparagraph><subparagraph id="H3BAE10B8CD2B4E2B90C56984A031BDBF"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>widely distributed media</quote> does not include an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code).</text></subparagraph></paragraph></section><section id="H067618BDEC2C4F54A48518E56BC519AC"><enum>102.</enum><header>Data minimization</header><subsection id="H813210FB1BF040E6BB31A383FCC65B11"><enum>(a)</enum><header>In general</header><text>A covered entity may not collect, process, retain, or transfer covered data of an individual or direct a service provider to collect, process, retain, or transfer covered data of an individual beyond what is necessary, proportionate, and limited—</text><paragraph id="H3DDEE2958660416A9640B38D0C6EAEB9"><enum>(1)</enum><text>to provide or maintain—</text><subparagraph id="H2CC9BD86529C4881A330BF1F92C931CF"><enum>(A)</enum><text>a specific product or service requested by the individual to whom the data pertains, including any associated routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, or accounting; or</text></subparagraph><subparagraph id="H24DEEE720C3648FDBA56B13E1D0016D7"><enum>(B)</enum><text>a communication, that is not an advertisement, by the covered entity to the individual reasonably anticipated within the context of the relationship; or</text></subparagraph></paragraph><paragraph id="H12000D37E35F4110A87641F4B1B7AB40"><enum>(2)</enum><text>for a purpose expressly permitted under subsection (d).</text></paragraph></subsection><subsection id="H01C552444A2F432F995EB186B05D0130"><enum>(b)</enum><header>Additional protections for sensitive covered data</header><text>Subject to subsection (a), a covered entity may not transfer sensitive covered data to a third party or direct a service provider to 
transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains, unless for a purpose permitted by paragraph (2), (3), (4), (5), (6), (8), (9), (11), (12), or (13) of subsection (d).</text></subsection><subsection id="H649FB2E8697E45009A7729948BE65A16"><enum>(c)</enum><header>Additional protections for biometric information and genetic information</header><paragraph id="HD1339DAE90EC4F3685A641271A29B264"><enum>(1)</enum><header>Collection</header><text>Subject to subsection (a), a covered entity may not collect biometric information or genetic information or direct a service provider to collect biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains.</text></paragraph><paragraph id="HC5273248B6D247D08144F6697C2F772F"><enum>(2)</enum><header>Processing</header><text>Subject to subsection (a), a covered entity may not process biometric information or genetic information or direct a service provider to process biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted by paragraph (2), (3), or (4) of subsection (d).</text></paragraph><paragraph id="H1E374042B4454DA4942D854F2F2D0385"><enum>(3)</enum><header>Retention</header><text>Subject to subsection (a), a covered entity may not retain biometric information or direct a service provider to retain biometric information beyond the point at which the purpose for which an individual provided affirmative express consent under paragraph (1) has been satisfied or beyond the date that is 3 years after the date of the last interaction of the individual with the covered entity or service provider, whichever occurs first, unless for a purpose permitted under paragraph (2), (3), or (4) of subsection (d).</text></paragraph><paragraph 
id="H97029F8BDA754A0FBAB4F493C2E87008"><enum>(4)</enum><header>Transfer</header><subparagraph id="H480729C03EB9496A97A85F60A1C93A07"><enum>(A)</enum><header>Affirmative express consent required</header><text>Subject to subsection (a), a covered entity may not transfer biometric information or genetic information to a third party or direct a service provider to transfer biometric information or genetic information to a third party without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted by paragraph (2), (3), or (4) of subsection (d).</text></subparagraph><subparagraph id="H405F6FC5BF2D44D7A54C936AFD72966A"><enum>(B)</enum><header>No transfer for payment or other valuable consideration</header><text>A covered entity may not transfer biometric information or genetic information to a third party, or direct a service provider to transfer biometric information or genetic information to a third party, for payment or other valuable consideration (regardless of the purpose of the transfer, including a purpose described in subparagraph (A)).</text></subparagraph></paragraph></subsection><subsection id="H71ADF7D569944A87B352A796B9C2F12D"><enum>(d)</enum><header>Permitted purposes</header><text>Subject to the requirements in subsections (b) and (c), a covered entity may collect, process, retain, or transfer or direct a service provider to collect, process, retain, or transfer covered data for the following purposes, if the covered entity or service provider can demonstrate that the collection, processing, retention, or transfer is necessary, proportionate, and limited to such purpose:</text><paragraph id="HF33DD0D3EF3746108DE71369BFC897F4"><enum>(1)</enum><text>To protect data security as described in section 109, protect against spam, or protect and maintain networks and systems, including through diagnostics, debugging, and repairs.</text></paragraph><paragraph 
id="H6537DE8D4DA84D47A66F27AA8C81C411"><enum>(2)</enum><text>To comply with a legal obligation imposed by a Federal, State, Tribal, or local law that is not preempted by this title.</text></paragraph><paragraph id="H0DD48EF952244D109F053A7DF5FE5CD6"><enum>(3)</enum><text>To investigate, establish, prepare for, exercise, or defend cognizable legal claims of the covered entity or service provider.</text></paragraph><paragraph id="H4E1039DF30EB46BCA095B4A0C9200364"><enum>(4)</enum><text>To transfer covered data to a Federal, State, Tribal, or local law enforcement agency pursuant to a lawful warrant, administrative subpoena, or other form of lawful process.</text></paragraph><paragraph id="HDB2893AB1AC54178825BEF55158BA412"><enum>(5)</enum><text>To effectuate a product recall pursuant to Federal or State law, or to fulfill a warranty.</text></paragraph><paragraph id="H1CAB820F922348CA85B2670FC4FBCCC8"><enum>(6)</enum><text>To conduct market research.</text></paragraph><paragraph id="HBCC92EFD212945399D739D8D217C61E6"><enum>(7)</enum><text>With respect to covered data previously collected in accordance with this title, to process the covered data such that the covered data becomes de-identified data, including in order to—</text><subparagraph id="HA08B0AC46BC545EEBEDF1824F3CE3307"><enum>(A)</enum><text>develop or enhance a product or service of the covered entity or service provider;</text></subparagraph><subparagraph id="H8A48A717CA3541C7B97B88EFC2FC3132"><enum>(B)</enum><text>conduct research or analytics to improve a product or service of the covered entity or service provider;</text></subparagraph><subparagraph id="HCD4766B352364F239A6C13D5483CA737"><enum>(C)</enum><text display-inline="yes-display-inline">conduct research to investigate, establish, or improve the effectiveness or safety of medical products, including drugs, biologics, and medical devices;</text></subparagraph><subparagraph id="HD19AE4437B3A46AD81DC7D978E923B74"><enum>(D)</enum><text>enable the 
effective delivery and administration of health care products and treatments to patients, in compliance with Federal regulations; or</text></subparagraph><subparagraph id="H06E299BCA8D4408AAD855F4FFEE4F92D"><enum>(E)</enum><text>monitor the safety and efficacy of health care products and services administered to patients, in compliance with Federal regulations.</text></subparagraph></paragraph><paragraph id="H536CE9FCD25246E29AA327EC7BC4D449"><enum>(8)</enum><text>To transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction, with respect to which the third party assumes control, in whole or in part, of the assets of the covered entity, but only if the covered entity, in a reasonable time prior to such transfer, provides each affected individual with—</text><subparagraph id="H2A22294F95FA40E4945B50D6A634D8A4"><enum>(A)</enum><text>a notice describing such transfer, including the name of the entity or entities receiving the covered data of the individual and the privacy policies of such entity or entities as described in section 104; and</text></subparagraph><subparagraph id="H3007C1AF989144D0BB9EECF117E8965B"><enum>(B)</enum><text>a reasonable opportunity to—</text><clause id="H2767AFC4B3224A55930EBC4F72E57BD4"><enum>(i)</enum><text>withdraw any previously provided consent in accordance with the requirements of affirmative express consent under this title related to the covered data of the individual; and</text></clause><clause id="H2EF7EA082F3B4060A647C82D679BE042"><enum>(ii)</enum><text>request the deletion of the covered data of the individual, as described in section 105.</text></clause></subparagraph></paragraph><paragraph id="H770990EA940F4299B3FF2191A49A7D0B"><enum>(9)</enum><text>With respect to a covered entity or service provider that is a telecommunications carrier or a provider of a mobile service, interconnected VoIP service, or non-interconnected VoIP service (as such terms are defined in section 3 of 
the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/153">47 U.S.C. 153</external-xref>)), to provide call location information in a manner described in subparagraph (A) or (C) of section 222(d)(4) of such Act (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222(d)(4)</external-xref>).</text></paragraph><paragraph id="H149D3BC8FD2F4B91B4061FC0DF55B0ED"><enum>(10)</enum><text>To prevent, detect, protect against, investigate, or respond to fraud, excluding the transfer of covered data for payment or other valuable consideration to a government entity.</text></paragraph><paragraph id="H53FFE180FEB54D6797FE54ACCEB741D9"><enum>(11)</enum><text>To prevent, detect, protect against, investigate, or respond to an ongoing or imminent security incident relating to network security or physical security, including an intrusion or trespass, medical alert or request for a medical response, fire alarm or request for a fire response, or access control.</text></paragraph><paragraph id="H182F70B08B644A6FBF737B73DC403FD4"><enum>(12)</enum><text>To prevent, detect, protect against, investigate, or respond to an imminent or ongoing public safety incident (such as a mass casualty event, natural disaster, or national security incident), excluding the transfer of covered data for payment or other valuable consideration to a government entity.</text></paragraph><paragraph id="H6ACDE3B5B8E64AA9AF5EE4682C6AD195"><enum>(13)</enum><text>Except with respect to health information, to prevent, detect, protect against, investigate, or respond to criminal activity or harassment, excluding the transfer of covered data for payment or other valuable consideration to a government entity.</text></paragraph><paragraph id="H31DE311F905D4C3F95C4F3F3C13076D7"><enum>(14)</enum><text display-inline="yes-display-inline">Except with respect to sensitive covered data, and only with respect to covered data previously collected in accordance with this title, to 
process or transfer such data to provide first-party advertising or contextual advertising or to measure and report on marketing performance or media performance by the covered entity, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the processing or transfer of covered data for first-party advertising to a covered minor as prohibited by section 120.</text></paragraph><paragraph id="H9E5D633D8DF84DDBB9F6818247A2BCC8"><enum>(15)</enum><text display-inline="yes-display-inline">Except with respect to sensitive covered data, and only with respect to covered data previously collected in accordance with this title, to process or transfer such data to provide targeted advertising, direct mail targeted advertising, or email targeted advertising (subject to the CAN-SPAM Act of 2003 (<external-xref legal-doc="usc" parsable-cite="usc/15/7701">15 U.S.C. 
7701 et seq.</external-xref>) and the regulations promulgated under such Act) or to measure and report on marketing performance or media performance, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the processing or transfer of covered data for targeted advertising to an individual who has opted out of targeted advertising pursuant to section 106 or to a covered minor as prohibited by section 120.</text></paragraph><paragraph id="HF10A3AA15B474A579E955E7D0809792E"><enum>(16)</enum><text>To conduct a public or peer-reviewed scientific, historical, or statistical research project that—</text><subparagraph id="H60453A08D1A047A2B4A82154E70476EF"><enum>(A)</enum><text>is in the public interest;</text></subparagraph><subparagraph id="H3D6C7C661F4A457B8E16C30A652DD38B"><enum>(B)</enum><text>adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects, if applicable;</text></subparagraph><subparagraph id="HE9ED642AC34C46489D5946893C4C6292" commented="no"><enum>(C)</enum><text>limits transfers to third parties of sensitive covered data to only those transfers necessary, proportionate, and limited to carry out the research; and</text></subparagraph><subparagraph id="H53339E7CFC8C405391DD85244DDD576D"><enum>(D)</enum><text>prohibits the transfer of covered data to a data broker.</text></subparagraph></paragraph><paragraph id="HC354D32EE3F6404BA7D848EB889A49F1"><enum>(17)</enum><text>To conduct medical research in compliance with part 46 of title 45, Code of Federal Regulations, or parts 50 and 56 of title 21, Code of Federal Regulations. 
</text></paragraph></subsection><subsection id="H496E55D8469C41C4AD603B36362BA8D4"><enum>(e)</enum><header>Guidance</header><text>Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance regarding what is necessary, proportionate, and limited to comply with this section.</text></subsection><subsection id="H0D4A93D746FC493DB864074335A18DB0"><enum>(f)</enum><header>Journalism</header><text>Nothing in this title may be construed to limit or diminish journalism, including gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or investigating news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public.</text></subsection></section><section id="H6B7B7FFA4CCC424682660176A41583B3"><enum>103.</enum><header>Privacy by design</header><subsection id="HBF1A4BAF42F24053B96A2E12F2361AAA"><enum>(a)</enum><header>In general</header><text>Each covered entity and service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, retention, and transferring of covered data.</text></subsection><subsection id="H11CD8BCCEF6C43FB8ACBA944E4E3A50C"><enum>(b)</enum><header>Requirements</header><text>The policies, practices, and procedures required by subsection (a) shall—</text><paragraph id="HE41BAFCBA1134BB7AF52BBB424B35414" commented="no"><enum>(1)</enum><text>identify, assess, and mitigate privacy risks related to covered minors (including, if applicable, in a manner that considers the developmental needs of different age ranges of covered minors), individuals living with disabilities, and individuals over the age of 65;</text></paragraph><paragraph id="H21A73D26997A4BE1AC90F09DA7B40B04"><enum>(2)</enum><text>mitigate privacy risks related to the products and services of the covered entity or 
service provider, including in the design, development, and implementation of such products and services, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider; and</text></paragraph><paragraph id="H94B50329229144CC8829C820A6728661"><enum>(3)</enum><text>implement reasonable internal training and safeguards to promote compliance with this title and to mitigate privacy risks, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider.</text></paragraph></subsection><subsection id="H473F35FAD5784481898E837D4C7ED65F"><enum>(c)</enum><header>Factors to consider</header><text>The policies, practices, and procedures established by a covered entity or service provider under subsection (a) shall align with, as applicable—</text><paragraph id="H3704109DE5F140CA89650D66860331F2"><enum>(1)</enum><text>the nature, scope, and complexity of the activities engaged in by the covered entity or service provider, including whether the covered entity or service provider is a large data holder, nonprofit organization, or data broker, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider;</text></paragraph><paragraph id="HFD67BF9A74F244198DC829AF9512EFC8"><enum>(2)</enum><text>the sensitivity of the covered data collected, processed, retained, or transferred by the covered entity or service provider;</text></paragraph><paragraph id="H2CF395C0A26646099B8DAD044299940D"><enum>(3)</enum><text>the volume of covered data collected, processed, retained, or transferred by the covered entity or service provider;</text></paragraph><paragraph id="HE6A8E004D00C4067BDC3BE94A3804602"><enum>(4)</enum><text>the number of individuals and devices to which the covered data collected, processed, retained, or transferred by the covered entity or 
service provider relates;</text></paragraph><paragraph id="H837F5C3714504A1C8070415040934F8F"><enum>(5)</enum><text>state-of-the-art administrative, technological, and organizational measures that, by default, serve the purpose of protecting the privacy and security of covered data as required by this title; and</text></paragraph><paragraph id="H4EE7D913175345978BA668E24A7983C8"><enum>(6)</enum><text>the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data involved.</text></paragraph></subsection><subsection id="H6AB44328618B4361A65833BD05CE9DCB"><enum>(d)</enum><header>Commission guidance</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance with respect to what constitutes reasonable policies, practices, and procedures as required by subsection (a). In issuing such guidance, the Commission shall consider unique circumstances applicable to nonprofit organizations, service providers, and data brokers.</text></subsection></section><section id="H69055538B64F4AA5839B38CF5906C29C"><enum>104.</enum><header>Transparency</header><subsection id="H05A175CFBE53466CB975E8EA206E4487"><enum>(a)</enum><header>In general</header><text>Each covered entity and service provider shall make publicly available a clear and conspicuous, not misleading, and easy-to-read privacy policy that provides a detailed and accurate representation of the data collection, processing, retention, and transfer activities of the covered entity or service provider.</text></subsection><subsection id="H2AE421A298474715A9676C5AE346E98A"><enum>(b)</enum><header>Content of privacy policy</header><text>The privacy policy required under subsection (a) shall include, at a minimum, the following:</text><paragraph id="H82004EB091C7407EA45877A0AF34A0EE"><enum>(1)</enum><text>The identity and the contact information of—</text><subparagraph 
id="H4AE3016DEC4245E1A899A67CB35B3BA2"><enum>(A)</enum><text>the covered entity or service provider to which the privacy policy applies, including a point of contact and a monitored email address or other monitored online contact mechanism, as applicable, specific to data privacy and data security inquiries; and</text></subparagraph><subparagraph id="H8DB0996C5F0844D89B327D7B39FA559F"><enum>(B)</enum><text>any affiliate within the same corporate structure as the covered entity or service provider, to which the covered entity or service provider may transfer data, that—</text><clause id="H7AF67FB0397544EE93CCB8E1868708F4"><enum>(i)</enum><text>is not under common branding with the covered entity or service provider; or</text></clause><clause id="H46AD57400DA84F01BD24F0A0DB6FAD60"><enum>(ii)</enum><text>has different contact information than the covered entity or service provider.</text></clause></subparagraph></paragraph><paragraph id="H6D54D216C6034AED8EEF1122FC696E26"><enum>(2)</enum><text>With respect to the collection, processing, and retention of covered data—</text><subparagraph id="HE8C1CEAA3DA24A7F88558D7E9C49EDC9"><enum>(A)</enum><text>the categories of covered data the covered entity or service provider collects, processes, or retains; and</text></subparagraph><subparagraph id="HF1094C589705478C93FC88EDC4B6D085"><enum>(B)</enum><text>the processing purposes for each such category of covered data.</text></subparagraph></paragraph><paragraph id="H60B4EE51F671410F880CD1FCC68EE7DA"><enum>(3)</enum><text>Whether the covered entity or service provider transfers covered data and, if so—</text><subparagraph id="HE0F6B0148FFF413AAD301ABDB1018482"><enum>(A)</enum><text>each category of service provider or third party to which the covered entity or service provider transfers covered data;</text></subparagraph><subparagraph id="H4A2B4EDA2A2A48F18FB12171B4DD3844"><enum>(B)</enum><text>the name of each data broker to which the covered entity or service provider 
transfers covered data; and</text></subparagraph><subparagraph id="H5A972200FAD04532805718BCA57BD47C"><enum>(C)</enum><text>the purposes for which such data is transferred.</text></subparagraph></paragraph><paragraph id="H6AA0A3EEABFF40B4BA8838E169571447"><enum>(4)</enum><text>The length of time the covered entity or service provider intends to retain each category of covered data or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain each category of covered data.</text></paragraph><paragraph id="H9DDA01986169479FBBCB5F7D2AFC9E10"><enum>(5)</enum><text>A prominent description of how an individual may exercise the rights, as applicable, of the individual under this title.</text></paragraph><paragraph id="H919FD2F458DC4DC9B03B147E03E05A3A"><enum>(6)</enum><text>A description of how the covered entity treats data collected from covered minors differently than data collected from other individuals, if the covered entity has knowledge that the covered entity has collected data from covered minors.</text></paragraph><paragraph id="H6FAC1893435D449B8D7615FB09728D86"><enum>(7)</enum><text>A general description of the data security practices of the covered entity or service provider.</text></paragraph><paragraph id="H2F5055B8730D4C7CB2CDDDE4CAB2BA0A"><enum>(8)</enum><text>The effective date of the privacy policy.</text></paragraph><paragraph id="HDFB76BC9633C4208B2361F96AB346CD8"><enum>(9)</enum><text>Whether any covered data collected by the covered entity or service provider is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary (as determined by the Secretary of Commerce and specified in section 7.4 of title 15, Code of Federal Regulations (or any successor regulation)).</text></paragraph></subsection><subsection id="H1B83566D531447BB8FBD73E8F3FEAAF6"><enum>(c)</enum><header>Languages</header><text>A privacy policy required 
under subsection (a) shall be made available to the public—</text><paragraph id="H4D90CA97A13241059CCDB4C127A68122"><enum>(1)</enum><text>in the 10 most-used languages in which a covered entity or service provider provides products or services or carries out activities related to such products or services; or</text></paragraph><paragraph id="H3C28F87756014040B3273D78496F0AC8"><enum>(2)</enum><text>if the covered entity or service provider provides products or services in fewer than 10 languages, in the languages in which the covered entity or service provider provides products or services or carries out activities related to such products or services.</text></paragraph></subsection><subsection id="H14027D7BFF8A4BB7930739CD167A8954"><enum>(d)</enum><header>Accessibility</header><text>A covered entity or service provider shall provide the disclosures required under this section in a manner that is reasonably accessible to and usable by individuals living with disabilities.</text></subsection><subsection id="H7E3470F3AC4C4DAD81BCD21079344661"><enum>(e)</enum><header>Material changes</header><paragraph id="HA415F062724442B2B3A13CF40EBB8C2A"><enum>(1)</enum><header>Notice and opt out</header><text>A covered entity that makes a material change to the privacy policy or practices of the covered entity shall—</text><subparagraph id="H53366BE8412640138BDA865968189115"><enum>(A)</enum><text>provide to each affected individual, in a clear and conspicuous manner—</text><clause id="H536BCA7403FA41018795440CB504E71F"><enum>(i)</enum><text>advance notice of such material change; and</text></clause><clause id="HA93085473F864020862CF0620C77706C"><enum>(ii)</enum><text>a means to opt out of the collection, processing, retention, or transfer of any covered data of such individual pursuant to such material change; and</text></clause></subparagraph><subparagraph id="H92EED59281504211B0ACF9F7781DEE8C"><enum>(B)</enum><text>with respect to the covered data of any individual who opts out 
using the means described in subparagraph (A)(ii), discontinue the collection, processing, retention, or transfer of such covered data, unless such collection, processing, retention, or transfer is necessary, proportionate, and limited to provide or maintain a product or service specifically requested by the individual.</text></subparagraph></paragraph><paragraph id="H54D1768C11264F7B8913AFBA10B0F041"><enum>(2)</enum><header>Direct notification</header><text display-inline="yes-display-inline">A covered entity shall take all reasonable electronic measures to provide direct notification, if possible, to each affected individual regarding material changes to the privacy policy of the covered entity, and such notification shall be provided in each language in which the privacy policy is made available, taking into account available technology and the nature of the relationship between the covered entity and the individual.</text></paragraph><paragraph id="H484DF6CF96F141F5A96BC17BAC8D70C8"><enum>(3)</enum><header>Clarification</header><text>Except as provided in paragraph (1)(B), nothing in this subsection may be construed to affect the requirements for covered entities under sections 102, 105, and 106.</text></paragraph></subsection><subsection id="HA24F505178024FB1AE19FA04D721BDB1"><enum>(f)</enum><header>Transparency requirements for large data holders</header><paragraph id="H430892A8E46744F18E19B430A88C6840"><enum>(1)</enum><header>Retention of privacy policies; log of material changes</header><subparagraph id="HB40E94DFB8C84F66BFE2A8705FE411DE"><enum>(A)</enum><header>In general</header><text>Beginning on the date that is 180 days after the date of the enactment of this Act, each large data holder shall—</text><clause id="HCB3EB9142B204E1884A712FA1CC20033"><enum>(i)</enum><text>retain and publish on the website of the large data holder a copy of each version of the privacy policy of the large data holder required under subsection (a) for not less than 10 years; 
and</text></clause><clause id="H0DE28B98F2ED4F41A8CD4943D03F6777"><enum>(ii)</enum><text>make publicly available on the website of the large data holder, in a clear and conspicuous manner, a log that describes the date and nature of each material change to the privacy policy of the large data holder during the preceding 10-year period in a manner that is sufficient for a reasonable individual to understand the effect of each material change.</text></clause></subparagraph><subparagraph id="HA3D14D00B53C44E5A84DE6C87F026B3F"><enum>(B)</enum><header>Exclusion</header><text>This paragraph does not apply to material changes to previous versions of the privacy policy of a large data holder that precede the date that is 180 days after the date of the enactment of this Act.</text></subparagraph></paragraph><paragraph id="H5B93A7F07A334BDCA527C86C259E00F8"><enum>(2)</enum><header>Short form notice to consumers</header><subparagraph id="H9259FD6663C84A7D8C51803A6FF1164C"><enum>(A)</enum><header>In general</header><text>In addition to the privacy policy required under subsection (a), a large data holder shall provide a short-form notice of the covered data practices of the large data holder in a manner that—</text><clause id="HB33FCFC814EE414C9C7CAF27FD237774"><enum>(i)</enum><text>is concise;</text></clause><clause id="HA9D4760956A34768B76D4CC647A186EF"><enum>(ii)</enum><text>is clear and conspicuous;</text></clause><clause id="H8446D0C26BC74A4CA4412CB522005562"><enum>(iii)</enum><text>is readily accessible to an individual, based on the manner in which the individual interacts with the large data holder and the products or services of the large data holder and what is reasonably anticipated within the context of the relationship between the individual and the large data holder;</text></clause><clause id="H69BF270F251E4A45BEB50EEE974D9EA9"><enum>(iv)</enum><text>includes an overview of individual rights and disclosures to reasonably draw attention to data practices that may 
be unexpected or that involve sensitive covered data; and</text></clause><clause id="HA84B5E59A6CA4DEDA1597F7E3F5484F8"><enum>(v)</enum><text>is not more than 500 words in length in the English language or, if in a language other than English, not more than 550 words in length.</text></clause></subparagraph><subparagraph id="H489709C7852A4B67AF02C0E04F7A27C4"><enum>(B)</enum><header>Guidance</header><text>Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance establishing the minimum disclosures necessary for the short-form notice described in this paragraph and shall include templates or models for such notice.</text></subparagraph></paragraph></subsection></section><section id="HFF43E2FA96A84E0792BB05CBE60CCEDA"><enum>105.</enum><header>Individual control over covered data</header><subsection id="HD6189F35F9EF4CB8A75221E742EF575B"><enum>(a)</enum><header>Access to, and correction, deletion, and portability of, covered data</header><text>After receiving a verified request from an individual, including a parent acting on behalf of a child of the parent, a covered entity shall provide the individual with the right to—</text><paragraph id="H3ACF7914FDB04F5C8E33434678A20A28"><enum>(1)</enum><text>access—</text><subparagraph id="H0208433AD793440F80CB612DAC50BA43"><enum>(A)</enum><text>in a format that can be naturally read by a human, the covered data of the individual or child (as applicable) (or an accurate representation of the covered data of the individual or child (as applicable), if the covered data is no longer in the possession of the covered entity or a service provider acting on behalf of the covered entity) that is collected, processed, or retained by the covered entity or any service provider of the covered entity;</text></subparagraph><subparagraph id="HCA0478A5848F4DF98E13C08F224AE653"><enum>(B)</enum><text>the name of any third party or service provider to whom the covered entity has transferred the 
covered data, as well as the categories of sources from which the covered data was collected; and</text></subparagraph><subparagraph id="H1F727A71B46246528F23C6116DE68F41"><enum>(C)</enum><text>a description of the purpose for which the covered entity transferred any covered data of the individual or child (as applicable) to a third party or service provider;</text></subparagraph></paragraph><paragraph id="HAD43E4BBE1574FC89E27D54F8EA486F6"><enum>(2)</enum><text>correct any inaccuracy or incomplete information with respect to the covered data of the individual or child (as applicable) that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, request the covered entity to notify any third party or service provider to which the covered entity transferred such covered data of the corrected information, including so that service providers may provide the assistance required by section 111(a)(1)(C);</text></paragraph><paragraph id="H1EF2A356158344FA989A6D1676639AE6"><enum>(3)</enum><text>delete covered data of the individual or child (as applicable) that is retained by the covered entity and, for covered data that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such covered data of the deletion request, including so that service providers may provide the assistance required by section 111(a)(1)(C); </text></paragraph><paragraph id="HF09BC489AB4941B78D5B6C06A10C2B19"><enum>(4)</enum><text>to the extent technically feasible, have exported covered data of the individual or child (as applicable) that is collected, processed, or retained by the covered entity, without licensing restrictions that unreasonably limit such transfers, in—</text><subparagraph id="H7C6875F094834A51977BC21C9CABAE5D"><enum>(A)</enum><text>a format that can be naturally read by a human; and</text></subparagraph><subparagraph 
id="H63C75A1D38BB403D822A6C09B8CEBD60"><enum>(B)</enum><text>a format that is portable, structured, interoperable, and machine-readable; and</text></subparagraph></paragraph><paragraph id="HC5873A99A6E54F45BFFAEC60B74DEFD5"><enum>(5)</enum><text display-inline="yes-display-inline">delete any content or information submitted to the covered entity by the individual when a covered minor and, for any such content or information that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such content or information of the deletion request, including so that service providers may provide the assistance required by section 111(a)(1)(C).</text></paragraph></subsection><subsection id="HB1066E23EB03429AAAC86C77994BD313"><enum>(b)</enum><header>Frequency and cost</header><text>A covered entity—</text><paragraph id="H82E5E2CBBCEA462289F529FF32C13BD4"><enum>(1)</enum><text>shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and</text></paragraph><paragraph id="H0A29A15F9CA940A8B8D18B639D348900"><enum>(2)</enum><text>with respect to—</text><subparagraph id="H44E98F439D55496EB0EEFC8B4C2379FA"><enum>(A)</enum><text>the first 3 instances that an individual exercises any right described in subsection (a) during any 12-month period, shall allow the individual to exercise such right free of charge; and</text></subparagraph><subparagraph id="HF3E5ED916BD14E1A925758D861A495AE"><enum>(B)</enum><text>any instance beyond the first 3 instances described in subparagraph (A), may charge a reasonable fee for each additional request to exercise any such right during such 12-month period.</text></subparagraph></paragraph></subsection><subsection id="H9563B48FD9BF460BBE5E70A815E927B7"><enum>(c)</enum><header>Timing</header><paragraph id="HB885A630C4AA42F1B2DC3BF2F7599EAC"><enum>(1)</enum><header>In general</header><text>Subject to subsections (b), (d), and 
(e), each request under subsection (a) shall be completed—</text><subparagraph id="H7EFE1F2FCD5240FCAFCEE93E2A6198CD"><enum>(A)</enum><text>by any covered entity that is a large data holder or data broker, not later than 30 calendar days after receiving such request from an individual, unless it is impossible or demonstrably impracticable to verify the individual; or</text></subparagraph><subparagraph id="H01BACBA224E740B5A37FD5B744E4562B"><enum>(B)</enum><text display-inline="yes-display-inline">by a covered entity that is not a large data holder or data broker, not later than 45 calendar days after receiving such request from an individual, unless it is impossible or demonstrably impracticable to verify the individual.</text></subparagraph></paragraph><paragraph id="H864E9E531FFA422E8F829E11BBD39FB2"><enum>(2)</enum><header>Extension</header><text>A response period required under paragraph (1) may be extended once, by not more than the applicable time period described in such paragraph, when reasonably necessary, considering the complexity and number of requests from the individual, if the covered entity informs the individual of any such extension, and the reason for the extension, within the initial response period.</text></paragraph></subsection><subsection id="HBCA7813D282C4B53912E4A925B208B7A"><enum>(d)</enum><header>Verification</header><paragraph id="H538B654AFBAA4C72B6552B3582F11ACF"><enum>(1)</enum><header>In general</header><text>A covered entity shall reasonably verify that an individual making a request to exercise a right described in subsection (a) is—</text><subparagraph id="H6AD8ECA83DE24A5DA0704051C8E72A99"><enum>(A)</enum><text>the individual whose covered data is the subject of the request;</text></subparagraph><subparagraph id="H5C60B94A3AB645EB8E937DA219097A75"><enum>(B)</enum><text>the parent of the child whose covered data (or, with respect to a request under subsection (a)(5), whose content or other information) is the subject of the 
request; or</text></subparagraph><subparagraph id="H558CCBDA6EDA4301877115264F81D937"><enum>(C)</enum><text>another individual who is a natural person who is authorized to make such a request on behalf of the individual whose covered data is the subject of the request.</text></subparagraph></paragraph><paragraph id="H31F0385CFA5E45BCB47EB7B60D8016BB" commented="no"><enum>(2)</enum><header>Additional information</header><text>If a covered entity cannot make the verification described in paragraph (1), the covered entity may request that the individual making the request provide any additional information necessary for the sole purpose of making such verification, except that—</text><subparagraph id="HD4943D4E01F242849BE0229660ED72F2" commented="no"><enum>(A)</enum><text>the request of the covered entity may not be burdensome on the individual; and</text></subparagraph><subparagraph id="HEC368F8FFFD149F9B6184DDBDBC995D2" commented="no"><enum>(B)</enum><text>the covered entity may not process, retain, or transfer such additional information for any other purpose.</text></subparagraph></paragraph></subsection><subsection id="HEA7E1490D83041629BB5931E6B85C43B"><enum>(e)</enum><header>Exceptions</header><paragraph id="H123EE8BB6B4C4C318836B5D04B82F66D"><enum>(1)</enum><header>Required exceptions</header><text>A covered entity may not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—</text><subparagraph id="HE51216BE05734042AB668CA29E3FB0A5"><enum>(A)</enum><text>cannot reasonably make the verification described in subsection (d)(1);</text></subparagraph><subparagraph id="HE18B9B2DD476406B9E60529131617D4C"><enum>(B)</enum><text>determines that exercise of the right would require access to, or the correction or deletion of, the sensitive covered data of an individual other than the individual whose covered data is the subject of the request;</text></subparagraph><subparagraph 
id="H35FABE408A54483EBC4CB1B481290EDA"><enum>(C)</enum><text>determines that exercise of the right would require correction or deletion of covered data subject to a warrant, lawfully executed subpoena, or litigation hold notice or equivalent preservation notice in connection with such warrant or subpoena or issued in a matter in which the covered entity is a named party;</text></subparagraph><subparagraph id="HEADDF4960D3D4344AD95D7DA4C031EA6"><enum>(D)</enum><text>determines that exercise of the right would violate a Federal, State, Tribal, or local law that is not preempted by this title;</text></subparagraph><subparagraph id="H51604307B00E44858EB06CA942AE1D1B"><enum>(E)</enum><text>determines that exercise of the right would violate the professional ethical obligations of the covered entity;</text></subparagraph><subparagraph id="H68D1FA8EF0724A5F92721B7D3F44651E"><enum>(F)</enum><text>reasonably believes that the request is made to further fraud;</text></subparagraph><subparagraph id="H8C002FA5329E4FD080296AFC75CF5339"><enum>(G)</enum><text>except with respect to health information, reasonably believes that the request is made in furtherance of criminal activity; or</text></subparagraph><subparagraph id="H0DC9F740C4D4444F83989CE0003F15BB"><enum>(H)</enum><text>reasonably believes that complying with the request would threaten data security or network security.</text></subparagraph></paragraph><paragraph id="H30F943676571419B953F82DB59195C2F"><enum>(2)</enum><header>Permissive exceptions</header><text>A covered entity may decline, in whole or in part, to comply with a request to exercise a right described in subsection (a), with adequate explanation to the individual making the request, if compliance with the request would—</text><subparagraph id="H5FD8674BE4804FCEB7E1DAD5D1A96218"><enum>(A)</enum><text>be demonstrably impracticable due to technological limitations or prohibitive cost, and if the covered entity provides a detailed description to the individual 
regarding the inability to comply with the request due to technological limitations or prohibitive cost;</text></subparagraph><subparagraph id="H02B00A7099774DF49ECC5EF6D23FAC4C"><enum>(B)</enum><text>delete covered data necessary to perform a contract between the covered entity and the individual;</text></subparagraph><subparagraph id="H97284F05AB454D18BC6F8EA450A1AD89"><enum>(C)</enum><text>with respect to a right described in paragraph (1) or (4) of subsection (a), require the covered entity to release trade secrets or other privileged, proprietary, or confidential business information;</text></subparagraph><subparagraph id="HE770CB6C2E9F43B380F6CCA54150B92E"><enum>(D)</enum><text>prevent a covered entity from being able to maintain a confidential record of opt-out requests pursuant to this title that is maintained solely for the purpose of preventing covered data of an individual from being collected, processed, retained, or transferred after the individual submits an opt-out request; </text></subparagraph><subparagraph id="H728FF47187334D3AB0E84A4E12398F96"><enum>(E)</enum><text>with respect to a deletion request, require a private elementary or secondary school (as determined under State law) or a private institution of higher education (as defined in title I of the Higher Education Act of 1965 (<external-xref legal-doc="usc" parsable-cite="usc/20/1001">20 U.S.C. 
1001 et seq.</external-xref>)) to delete covered data, if the deletion would unreasonably interfere with the provision of education services by, or the ordinary operation of, the school or institution;</text></subparagraph><subparagraph id="HC28310D140FE48BE954437DA3D884B35"><enum>(F)</enum><text>delete covered data that relates to a public figure regarding a matter of legitimate public interest and for which the requesting individual has no reasonable expectation of privacy; or</text></subparagraph><subparagraph id="HC6B09A63745F40B4B765B915E0447EB9"><enum>(G)</enum><text>delete covered data that the covered entity reasonably believes may be evidence of an abuse of the products or services of the covered entity, including a violation of terms of service.</text></subparagraph></paragraph><paragraph id="H23AF784E5EB04BD88226691CA9B2401D"><enum>(3)</enum><header>Rule of construction</header><text>This section may not be construed to require a covered entity or service provider acting on behalf of a covered entity to—</text><subparagraph id="H902767CB92934AF29B72310FFF21B043"><enum>(A)</enum><text>retain covered data collected for a 1-time transaction, if such covered data is not processed or transferred by the covered entity for any purpose other than completing such transaction;</text></subparagraph><subparagraph id="HD27AD1D21D9D46C38601BED9182980A7"><enum>(B)</enum><text>re-identify, or attempt to re-identify, de-identified data; or</text></subparagraph><subparagraph id="H559C9F4CD4014847A749E53D2F47312D"><enum>(C)</enum><text>collect or retain any data in order to be capable of associating a request with the covered data that is the subject of the request.</text></subparagraph></paragraph><paragraph id="HB8BB4CA0BDFF4BF7BC8B90CC534A1EBE"><enum>(4)</enum><header>Partial compliance</header><text>In the event a covered entity declines a request under paragraph (2), the covered entity shall comply with the remainder of the request if partial compliance is possible 
and not unduly burdensome.</text></paragraph><paragraph id="H8370654534714DD1AABF3A6C8678B050"><enum>(5)</enum><header>Number of requests</header><text>For purposes of paragraph (2)(A), the receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable.</text></paragraph><paragraph id="H03FEB3A6DCFB4601AF886C393AA6CCFF"><enum>(6)</enum><header>Additional exceptions</header><subparagraph id="H27793F516A29457A9760F609A4B1CB1D"><enum>(A)</enum><header>In general</header><text>The Commission may promulgate regulations, in accordance with section 553 of title 5, United States Code, to establish additional permissive exceptions to subsection (a) necessary to protect the rights of individuals, to alleviate undue burdens on covered entities, to prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or to otherwise fulfill the purposes of this section.</text></subparagraph><subparagraph id="H33968F26BFF042118002004F223BE4C9"><enum>(B)</enum><header>Considerations</header><text>In establishing any exceptions under subparagraph (A), the Commission shall consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.</text></subparagraph><subparagraph id="H8CED5881FD5B4A848748DD9408D29412"><enum>(C)</enum><header>Clarification</header><text>A covered entity may decline to comply with a request of an individual to exercise a right under this section pursuant to an exception the Commission establishes under this paragraph.</text></subparagraph></paragraph></subsection><subsection id="H8A3F6C9FE8BE485FAD73459C18F8D463"><enum>(f)</enum><header>Large data holder metrics reporting</header><text>With respect to each calendar year for which an entity is a large data holder, such entity shall comply with the following requirements:</text><paragraph 
id="H419DD712E2424B04ADCAE92F86D24CAC"><enum>(1)</enum><header>Required metrics</header><text>Compile the following information for such calendar year:</text><subparagraph id="HE77D167CE9D849128EE3C02CF72BE058"><enum>(A)</enum><text>The number of verified access requests under subsection (a)(1).</text></subparagraph><subparagraph id="HA4D1F0DC253C4CC8B40A5EBD825B4310"><enum>(B)</enum><text>The number of verified deletion requests under subsection (a)(3).</text></subparagraph><subparagraph id="H674A6A6B1F504B2E9B2B6E11278548C4"><enum>(C)</enum><text>The number of verified deletion requests under subsection (a)(5).</text></subparagraph><subparagraph id="H29F4000A353B4C09B34051D15A7E4859"><enum>(D)</enum><text>The number of verified requests to opt out of covered data transfers under section 106(a)(1).</text></subparagraph><subparagraph id="HAC59CC7395EA435F9DD95EF27A119EC2"><enum>(E)</enum><text>The number of verified requests to opt out of targeted advertising under section 106(a)(2).</text></subparagraph><subparagraph id="H6C089545AECE4DE68461B297B4528881"><enum>(F)</enum><text>For each category of request described in subparagraphs (A) through (E), the number of such requests that the large data holder complied with in whole or in part.</text></subparagraph><subparagraph id="H1CC5A98560E94CEAA2587970CF1DF532"><enum>(G)</enum><text display-inline="yes-display-inline">For each category of request described in subparagraphs (A) through (E), the average number of days within which the large data holder substantively responded to the requests.</text></subparagraph></paragraph><paragraph id="HEAEF73380AC344C1B67B6604DEE86905"><enum>(2)</enum><header>Public disclosure</header><text>Not later than July 1 of each calendar year, disclose the information compiled under paragraph (1) for the previous calendar year—</text><subparagraph id="HE3F9B82B4F47425D84378ADA63CE040D"><enum>(A)</enum><text>in the privacy policy of the large data holder; 
or</text></subparagraph><subparagraph id="HF3C4155353C441C295E5D65B91E0A4D8"><enum>(B)</enum><text>on a publicly available website of the large data holder that is accessible from a hyperlink included in the privacy policy.</text></subparagraph></paragraph></subsection><subsection id="H7464398CE2A34EF9AF52F6881B9A2715"><enum>(g)</enum><header>Guidance</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance to clarify or explain the provisions of this section and establish practices by which a covered entity may verify a request to exercise a right described in subsection (a).</text></subsection><subsection id="HE22D5D0F468A4E15976B66DF419F9A7B"><enum>(h)</enum><header>Accessibility</header><paragraph id="H43B9689B822B4CC8BB77098B0200DF5F"><enum>(1)</enum><header>Language</header><text>A covered entity shall facilitate the ability of individuals to make requests to exercise rights described in subsection (a) in any language in which the covered entity provides a product or service.</text></paragraph><paragraph id="HD4D3216A8E93451CAEC13A840F825975"><enum>(2)</enum><header>Individuals living with disabilities</header><text>The mechanisms by which a covered entity enables individuals to make a request to exercise a right described in subsection (a) shall be readily accessible and usable by individuals living with disabilities.</text></paragraph></subsection></section><section id="H91B7618FF33046489E4F3CE0F1691C77"><enum>106.</enum><header>Opt-out rights and universal mechanisms</header><subsection id="HE77AFFF5C25B46C68A1D7F71A43709FF"><enum>(a)</enum><header>In general</header><text>A covered entity shall provide to an individual the following opt-out rights with respect to the covered data of the individual:</text><paragraph id="HAF67A2996B7C43F5B8F8DF925761EF89"><enum>(1)</enum><header>Right to opt out of covered data transfers to third parties</header><text>A covered entity—</text><subparagraph 
id="H2563AF0F0F51445F98C3C9001F21A3D6"><enum>(A)</enum><text>shall provide an individual with a clear and conspicuous means to opt out of the transfer of the covered data of the individual to a third party;</text></subparagraph><subparagraph id="H30760674DCDC4E2B83A7808BDE7A81AA"><enum>(B)</enum><text>upon establishment of an opt out mechanism that meets the requirements and technical specifications promulgated under subsection (b), shall allow an individual to make an opt-out designation pursuant to subparagraph (A) through the opt out mechanism;</text></subparagraph><subparagraph id="H561F9BA5ACAF4AE7920A7DA8E7151F28"><enum>(C)</enum><text>shall abide by an opt-out designation made pursuant to subparagraph (A) and communicate such designation to all relevant service providers and third parties; and</text></subparagraph><subparagraph id="H8CE5785634F14C19A317B1088010E786"><enum>(D)</enum><text>except as provided in subsection (b) or (c)(4) of section 102, paragraph (3) or (4) of section 112(c), or section 120(b), need not allow an individual to opt out of a transfer of covered data made pursuant to a permissible purpose described in paragraph (1), (2), (3), (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), or (14) of section 102(d).</text></subparagraph></paragraph><paragraph id="HF5367BB149E6438B8BED540B217AE295"><enum>(2)</enum><header>Right to opt out of targeted advertising</header><text>A covered entity that engages in targeted advertising shall—</text><subparagraph id="H17535DA73FFB4E4C820BACD6BA255222"><enum>(A)</enum><text>provide an individual with a clear and conspicuous means to opt out of the processing and transfer of covered data of the individual in furtherance of targeted advertising;</text></subparagraph><subparagraph id="HFE073D4643C646618D9985142CC00A3D"><enum>(B)</enum><text>upon establishment of an opt out mechanism that meets the requirements and technical specifications promulgated under subsection (b), allow an individual to make an 
opt-out designation with respect to targeted advertising through the opt-out mechanism; and</text></subparagraph><subparagraph id="HD6A15BEB67B0437887F8828686720FE3"><enum>(C)</enum><text>abide by any such opt-out designation made by an individual and communicate such designation to all relevant service providers and third parties.</text></subparagraph></paragraph></subsection><subsection id="H594A1832A40F4BD88D47CFCF5CB9CA3B"><enum>(b)</enum><header>Universal opt-out mechanisms</header><paragraph id="H1B166954FEFF4DCE90F08DF575461805"><enum>(1)</enum><header>In general</header><text>Not later than 2 years after the date of the enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, promulgate regulations, in accordance with section 553 of title 5, United States Code, to establish requirements and technical specifications for 1 or more opt-out mechanisms (including global privacy signals, such as browser or device privacy settings) for individuals to exercise the opt-out rights established under this title through a single interface that—</text><subparagraph id="H0B7132DA761B4E1DBD39BCA02ADA368F"><enum>(A)</enum><text>ensures that the opt-out preference signal—</text><clause id="H01E74B82C06A43F9B07C16248926EC64"><enum>(i)</enum><text>is clearly described, and easy-to-use by a reasonable individual;</text></clause><clause id="H1CA17D095E124E0F9B4EE105C9FCDF41"><enum>(ii)</enum><text>does not require that an individual provide additional information beyond what is necessary to indicate such preference;</text></clause><clause id="H5C91402C333C42D887AD15425F2ADF21"><enum>(iii)</enum><text>clearly represents the preference of an individual;</text></clause><clause id="H650EFBA0719844ECA50177CB2B952812"><enum>(iv)</enum><text>is provided—</text><subclause id="HEA3922AD2F7745F881AA2C5FC55417A3"><enum>(I)</enum><text>in the 10 most-used languages in which a covered entity provides products or services subject to the opt-out; 
or</text></subclause><subclause id="H287F1C4DE92A48B5B4CB526E2D80A03B"><enum>(II)</enum><text>if the covered entity provides products or services subject to the opt-out in fewer than 10 languages, in the languages in which the covered entity provides such products or services; and</text></subclause></clause><clause id="HB7A998905CED4F09AB8C6C75E141120D"><enum>(v)</enum><text>is provided in a manner that is reasonably accessible to and usable by individuals living with disabilities;</text></clause></subparagraph><subparagraph id="H1681F424A8794D71B799929971D0E550"><enum>(B)</enum><text>provides a mechanism for an individual to selectively opt out of the collection, processing, retention, or transfer of covered data by a covered entity, without affecting the preferences of the individual with respect to other entities or disabling the opt-out preference signal globally;</text></subparagraph><subparagraph id="H8AFAC17125554C96A33BA8F5AD42F710"><enum>(C)</enum><text>states that, in the case of a page or setting view that the individual accesses to set the opt-out preference signal, the individual should see up to 2 choices, corresponding to the rights established under subsection (a); and</text></subparagraph><subparagraph id="HD2739C3587714C6CAA16CADD42ACACBB"><enum>(D)</enum><text>ensures that the opt-out preference signal will be registered and set only by the individual or by another individual who is a natural person on behalf of the individual.</text></subparagraph></paragraph><paragraph id="H93A75623BBCD4C859BC26F787DE21367"><enum>(2)</enum><header>Effect of designations</header><text>A covered entity shall abide by any designation made by an individual through any mechanism that meets the requirements and technical specifications promulgated under paragraph (1).</text></paragraph></subsection></section><section id="HF11D4B9D99F1401295EF70D05B169305"><enum>107.</enum><header>Interference with consumer rights</header><subsection 
id="H02F6077FB8154C8A8F324224E8697A2F"><enum>(a)</enum><header>Dark patterns prohibited</header><paragraph id="H456A4641FA8848B6B060479E2F5033E2"><enum>(1)</enum><header>In general</header><text>A covered entity may not use dark patterns to—</text><subparagraph id="HACDC1C1308F7432A8717E7613A60F443"><enum>(A)</enum><text>divert the attention of an individual from any notice required under this title;</text></subparagraph><subparagraph id="H7F5975C44CCB43B985C6FE870A775B0E"><enum>(B)</enum><text>impair the ability of an individual to exercise any right under this title; or</text></subparagraph><subparagraph id="H8F1CF52A3FDD4E54B8A9C61A863A1F28"><enum>(C)</enum><text>obtain, infer, or facilitate the consent of an individual for any action that requires the consent of an individual under this title.</text></subparagraph></paragraph><paragraph id="H844CCA9A2D0E42A6A844451926DBDF14"><enum>(2)</enum><header>Clarification</header><text>Any agreement by an individual that is obtained, inferred, or facilitated through dark patterns does not constitute consent for any purpose under this title.</text></paragraph></subsection><subsection id="HE8C30CBCCCBA4417B57EFA1EC09C9AC4"><enum>(b)</enum><header>Individual autonomy</header><text>A covered entity may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in this title through the use of any false, fictitious, fraudulent, or materially misleading statement or representation.</text></subsection></section><section id="H67176B0ABFC84A7D91E322AB1F70234C"><enum>108.</enum><header>Prohibition on denial of service and waiver of rights</header><subsection id="HAC4AE28EB10E4ECAAA7ADBDF6A99F869"><enum>(a)</enum><header>Retaliation through service or pricing prohibited</header><text>A covered entity may not retaliate against an individual for exercising any of the rights established under this title, or any regulations promulgated under this title, including by 
denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.</text></subsection><subsection id="HD090B90B8C904ABA813570CF5BA812C2"><enum>(b)</enum><header>Rules of construction</header><paragraph id="H80490E9DF1C0463DBA9ADD3AA3A25DF9"><enum>(1)</enum><header>Bona fide loyalty programs</header><subparagraph id="HCCA1B73D79454D2199C6C4A1BB6BBB2E"><enum>(A)</enum><header>In general</header><text>Nothing in subsection (a) may be construed to prohibit a covered entity from offering—</text><clause id="HD056D1712F2A442CA330AE34CBB1D4BE"><enum>(i)</enum><text display-inline="yes-display-inline">to an individual different prices, rates, levels, qualities, or selections of goods or services, or functionalities with respect to a product or service, including offering goods or services for no fee, if the offering is in connection with the voluntary participation of the individual in a bona fide loyalty program, and if—</text><subclause id="HFC4F0ADF25FA43C8BC33A90DDF5799D2"><enum>(I)</enum><text>the individual provided affirmative express consent to participate in such bona fide loyalty program;</text></subclause><subclause id="H8DC14247B5FA4B029AA8EB34CF825A99"><enum>(II)</enum><text>the covered entity abides by the exercise by the individual of any right provided by subsection (b) or (c) of section 102, section 105, or section 106; and</text></subclause><subclause id="H0EDFFEA15F394FEC9DA7E72E30D23A58"><enum>(III)</enum><text>the sale of covered data is not a condition of participation in the bona fide loyalty program; or</text></subclause></clause><clause id="H70D0FAC4DD6E4C92A27F119C56AC7F9D"><enum>(ii)</enum><text>to an individual different prices, rates, levels, qualities, or selections of goods or services, or functionalities with respect to a product or service, based on the decision of the individual to terminate membership in a bona fide loyalty program or to exercise a right 
under section 105(a)(3) to delete covered data that is necessary for participation in the bona fide loyalty program.</text></clause></subparagraph><subparagraph id="H036217D25AEA423B841085DBB3C98363"><enum>(B)</enum><header>Bona fide loyalty program defined</header><text>For purposes of this section, the term <quote>bona fide loyalty program</quote>—</text><clause id="H9369207105A74B1BB88A2B216D70015B"><enum>(i)</enum><text>includes rewards, premium features, discounts, and club card programs offered by a covered entity; and</text></clause><clause id="HB2124B2000F049EE818921D9D8589373"><enum>(ii)</enum><text>excludes such programs offered by a covered high-impact social media company or data broker.</text></clause></subparagraph></paragraph><paragraph id="HBC5043660CAA4A60B2A04992AC148286"><enum>(2)</enum><header>Market research</header><text>Nothing in subsection (a) may be construed to prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research.</text></paragraph><paragraph id="HD5A8EFA3BF2D4741AE38D1B6C077B52C"><enum>(3)</enum><header>Declining a product or service</header><text>Nothing in subsection (a) may be construed to prohibit a covered entity from declining to provide a product or service or a bona fide loyalty program to an individual, if any collection, processing, retention, or transfer affected by the individual exercising a right established under this title is necessary, proportionate, and limited to providing such product or service.</text></paragraph></subsection></section><section id="HE61AE3852A9245029E1700E911F4E9C8"><enum>109.</enum><header>Data security and protection of covered data</header><subsection id="HD7AFF1F1966A4FB7B5DCAD6E8EA7B622"><enum>(a)</enum><header>Establishment of data security practices</header><paragraph id="HCF368AB839B04DD48B3F1FFD79D8A12C"><enum>(1)</enum><header>In general</header><text>Each covered entity or service provider shall 
establish, implement, and maintain reasonable data security practices to protect—</text><subparagraph id="HAD26EF83EDB14992BB99C737C5B3B439"><enum>(A)</enum><text>the confidentiality, integrity, and availability of covered data; and</text></subparagraph><subparagraph id="H96AA283070D64F3682AEE46837AAF666"><enum>(B)</enum><text>covered data against unauthorized access.</text></subparagraph></paragraph><paragraph id="H46D345D0EDCE42BEB26E829C32F79841"><enum>(2)</enum><header>Considerations</header><text>The data security practices required under paragraph (1) shall be appropriate to—</text><subparagraph id="HA1DEEB05593A45369DA9E9596CD59AA6"><enum>(A)</enum><text>the size and complexity of the covered entity or service provider;</text></subparagraph><subparagraph id="HF13B649EDA944EE1828AB5D1D90F9FB5"><enum>(B)</enum><text>the nature and scope of the relevant collecting, processing, retaining, or transferring of covered data, taking into account changing business operations with respect to covered data;</text></subparagraph><subparagraph id="H62EEACDBB683423091AFFD5189B9B6F8"><enum>(C)</enum><text>the volume, nature, and sensitivity of the covered data; and</text></subparagraph><subparagraph id="H00C2BA75214B4F30984FF47EE3FE3DCE"><enum>(D)</enum><text>the state-of-the-art (and limitations thereof) in administrative, technical, and physical safeguards for protecting covered data.</text></subparagraph></paragraph></subsection><subsection id="H2758712AE09049EDB71B505191BF20B2"><enum>(b)</enum><header>Specific requirements</header><text>The data security practices required under subsection (a) shall include, at a minimum, the following:</text><paragraph id="H16566A4F88D341AC9912BCEB1D238CC9"><enum>(1)</enum><header>Assess vulnerabilities</header><text display-inline="yes-display-inline">Routinely identifying and assessing any reasonably foreseeable internal or external risk to, or vulnerability in, each system maintained by the covered entity or service provider that 
collects, processes, retains, or transfers covered data, including unauthorized access to or corruption of such covered data, human vulnerabilities, access rights, and the use of service providers. Such activities shall include developing and implementing a plan for receiving and considering unsolicited reports of vulnerability by any entity and, if such a report is reasonably credible, performing a reasonable and timely investigation of such report and taking appropriate action to protect covered data against the vulnerability.</text></paragraph><paragraph id="HB2F2175FAE15453CA88FCC1E5304CDB6"><enum>(2)</enum><header>Preventive and corrective action</header><subparagraph id="H6EC801E5E4404AB48AEFEB49369043A5"><enum>(A)</enum><header>In general</header><text>Taking preventive and corrective action to mitigate any reasonably foreseeable internal or external risk to, or vulnerability of, covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability and the role of the covered entity or service provider in collecting, processing, retaining, or transferring the data, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.</text></subparagraph><subparagraph id="H09E62432BAFC419C9D89044C6DA17D93"><enum>(B)</enum><header>Evaluation of preventative and corrective action</header><text display-inline="yes-display-inline">Evaluating and making reasonable adjustments to the action described in subparagraph (A) in light of any material changes in state-of-the-art technology, internal or external threats to covered data, and changing business operations with respect to covered data.</text></subparagraph></paragraph><paragraph id="H908825C103CC4E23836F86A05BFB11CE"><enum>(3)</enum><header>Information retention and disposal</header><text 
display-inline="yes-display-inline">Disposing of covered data (either by or at the direction of the covered entity) that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, retained, or transferred, unless a permitted purpose under section 102(d) applies, except that retention and disposal of biometric information shall be governed by section 102(c)(3). Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.</text></paragraph><paragraph id="HAF0CECA0ECB04C829FC4E1460F744984"><enum>(4)</enum><header>Retention schedule</header><text>Developing, maintaining, and adhering to a retention schedule for covered data consistent with paragraph (3).</text></paragraph><paragraph id="H5BC4714582244C32A48BEF5937EF2E03"><enum>(5)</enum><header>Training</header><text>Training each employee with access to covered data on how to safeguard covered data, and updating such training as necessary.</text></paragraph><paragraph id="H063F4252C69B41FC99E7D257C7A42859"><enum>(6)</enum><header>Incident response</header><text>Implementing procedures to detect, respond to, and recover from data security incidents, including breaches.</text></paragraph></subsection><subsection id="HAB343489ECDB4676BCE9749E18EF76DB"><enum>(c)</enum><header>Regulations</header><text>The Commission may, in consultation with the Secretary of Commerce, promulgate, in accordance with section 553 of title 5, United States Code, technology-neutral, process-based regulations to carry out this section.</text></subsection></section><section id="HC120FFA22AE044F6830A896676534CBF"><enum>110.</enum><header>Executive responsibility</header><subsection id="HDAB14CAAB3FF4F7EBF4CFD3EF7BA1851"><enum>(a)</enum><header>Designation of privacy and data security officers</header><paragraph 
id="H8332CB81A0B44E6EBC91351DFA13A203"><enum>(1)</enum><header>In general</header><text>A covered entity or service provider (except for a large data holder) shall designate 1 or more qualified employees to serve as privacy and data security officers.</text></paragraph><paragraph id="HBC7B06EAD0874C6F8D8688764DFA1541"><enum>(2)</enum><header>Requirements for officers</header><text>An employee who is designated by a covered entity or service provider as a privacy and data security officer shall, at a minimum—</text><subparagraph id="H1F0B80A50883458FBD69D041D18993DC"><enum>(A)</enum><text>implement a data privacy program and a data security program to safeguard the privacy and security of covered data in compliance with the requirements of this title; and</text></subparagraph><subparagraph id="H1234943488344B8F9F512DCE3A94E483"><enum>(B)</enum><text>facilitate the ongoing compliance of the covered entity or service provider with this title.</text></subparagraph></paragraph></subsection><subsection id="HD6F7A2EB057147469644BE4686FD716C"><enum>(b)</enum><header>Requirements for large data holders</header><paragraph id="H945656F4E01748129FC3BE68D34C8235"><enum>(1)</enum><header>Designation</header><text>A covered entity or service provider that is a large data holder shall designate 1 qualified employee to serve as a privacy officer and 1 qualified employee to serve as a data security officer.</text></paragraph><paragraph id="H786B7D3F4B0D4CAABE0C85211F940866"><enum>(2)</enum><header>Annual certification</header><subparagraph id="HE0CCDCD6E6764BA88790D33BAD4A464A"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">Beginning on the date that is 1 year after the date of the enactment of this Act, the chief executive officer of a large data holder (or, if the large data holder does not have a chief executive officer, the highest ranking officer of the large data holder) and each privacy officer and data security officer of such large data 
holder designated under paragraph (1), shall annually certify to the Commission, in a manner specified by the Commission, that the large data holder implements and maintains—</text><clause id="HEE035CA6511E4FC1AB0E0FD0D5859893"><enum>(i)</enum><text>internal controls reasonably designed, implemented, maintained, and monitored to comply with this title; and</text></clause><clause id="HF52EA1EE9E534B6AA209E2779DFFE35B"><enum>(ii)</enum><text>internal reporting structures (as described in paragraph (3)) to ensure that such certifying officers are involved in, and responsible for, decisions that impact compliance by the large data holder with this title.</text></clause></subparagraph><subparagraph id="H137E57BDE2FF4B6685AB6C8FAD3D1BAC"><enum>(B)</enum><header>Requirements</header><text>A certification submitted under subparagraph (A) shall be based on a review of the effectiveness of the internal controls and reporting structures of the large data holder that is conducted by the certifying officers not more than 90 days before the submission of the certification.</text></subparagraph></paragraph><paragraph id="HF5ED7778FEDB48D387E56047C5AEE4E5"><enum>(3)</enum><header>Internal reporting structure requirements</header><text>At least 1 of the officers designated under paragraph (1) shall, either directly or through a supervised designee—</text><subparagraph id="HA9E3394F715A49B3A4F59A5F433ACD16"><enum>(A)</enum><text>establish practices to periodically review and update, as necessary, the privacy and security policies, practices, and procedures of the large data holder;</text></subparagraph><subparagraph id="HDEBC651E0FD24763BF043454FB621EED"><enum>(B)</enum><text>conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder comply with this title and, upon request, make such audits available to the Commission;</text></subparagraph><subparagraph id="H1B2CF5FAD0B644CDB1CE16F5C53FD2FF"><enum>(C)</enum><text>develop a 
program to educate and train employees about the requirements of this title;</text></subparagraph><subparagraph id="H1C33B0CA9D7940F4B18281DF1E22789E"><enum>(D)</enum><text>maintain updated, accurate, clear, and understandable records of all significant privacy and data security practices of the large data holder; and</text></subparagraph><subparagraph id="H78C1E103A0D148778211E5F55D588B57"><enum>(E)</enum><text>serve as the point of contact between the large data holder and enforcement authorities.</text></subparagraph></paragraph><paragraph id="H058353BFC0CF455887237A514CBBAE57"><enum>(4)</enum><header>Privacy impact assessments</header><subparagraph id="H4A78D6CC8D84497AA1AFE5DBD0A9280F"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">Not later than 1 year after the date of the enactment of this Act or 1 year after the date on which an entity first meets the definition of the term <quote>large data holder</quote>, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the covered data collection, processing, retention, and transfer practices of the entity against the potential adverse consequences of such practices to individual privacy.</text></subparagraph><subparagraph id="H97D5A4CB2F47412E98F71AD49E523012"><enum>(B)</enum><header>Assessment requirements</header><text>A privacy impact assessment required under subparagraph (A) shall be—</text><clause id="H3CDBCAD34D454A8983077D46C2FB9993"><enum>(i)</enum><text>reasonable and appropriate in scope given—</text><subclause id="H6B7B18B341FA419BB4CA61A899087560"><enum>(I)</enum><text>the nature and volume of the covered data collected, processed, retained, or transferred by the large data holder; and</text></subclause><subclause id="H0CC32E0482DA45DB9801A0DFF6B5327E"><enum>(II)</enum><text>the potential risks posed to the privacy of individuals by the collection, processing, retention, and 
transfer of covered data by the large data holder;</text></subclause></clause><clause id="H038D6621A1594EDAA49873C1A868BAE2"><enum>(ii)</enum><text>documented in written form and maintained by the large data holder for as long as the relevant privacy policy is required to be retained under section 104(f)(1); and</text></clause><clause id="H18EE8BC8DE9C4EA0A58FA74A7F353C9C"><enum>(iii)</enum><text>approved by the privacy officer of the large data holder.</text></clause></subparagraph><subparagraph id="H11BA4D0031D1485E8CA87432E9AF7525"><enum>(C)</enum><header>Additional factors to include in assessment</header><text display-inline="yes-display-inline">In assessing privacy risks for purposes of an assessment conducted under subparagraph (A), including significant risks of harm to the privacy of an individual or the security of covered data, the large data holder shall include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, including privacy enhancing technologies, are used to secure covered data.</text></subparagraph></paragraph></subsection></section><section id="H08A19F443E6D4145A1B8C81E412B1694"><enum>111.</enum><header>Service providers and third parties</header><subsection id="H4AF96AFEBF0949599437F12574D54DD1"><enum>(a)</enum><header>Service providers</header><paragraph id="HE258E8CD641B4A608D6BB98B211E5BC7"><enum>(1)</enum><header>In general</header><text>A service provider that collects, processes, retains, or transfers covered data on behalf of or at the direction of a covered entity or another service provider—</text><subparagraph id="HD15ED6ED2AAE4D8BBB1D597311BC18C4"><enum>(A)</enum><text display-inline="yes-display-inline">shall adhere to the instructions of the covered entity or other service provider and collect, process, retain, or transfer covered data only to the extent necessary, proportionate, and limited to provide a service requested by the covered entity or 
other service provider, as set out in the contract described in paragraph (2);</text></subparagraph><subparagraph id="HF46C57AA1CA745B5A7E1A534702535AF"><enum>(B)</enum><text display-inline="yes-display-inline">may not collect, process, retain, or transfer covered data if the service provider has actual knowledge that the covered entity or other service provider violated this title with respect to such data;</text></subparagraph><subparagraph id="HD8C2D6C820964CAE91F79D390740601D"><enum>(C)</enum><text display-inline="yes-display-inline">shall assist the covered entity or other service provider in fulfilling the obligations of the covered entity or other service provider to respond to consumer rights requests pursuant to this title by—</text><clause id="H1016EE1DDCEE431F9F0EDD939CF01EA0"><enum>(i)</enum><text>providing appropriate technical and organizational support, taking into account the nature of the processing and the information reasonably available to the service provider; or</text></clause><clause id="HF2D08F1C14A6420E867947BD3A03110C"><enum>(ii)</enum><text display-inline="yes-display-inline">fulfilling a request by the covered entity or other service provider to execute a consumer rights request that the covered entity or other service provider has determined should be complied with, by either—</text><subclause id="H33473E6F1C3A44C2A745D4C11EEEED1B"><enum>(I)</enum><text display-inline="yes-display-inline">complying with the request pursuant to the instructions of the covered entity or other service provider; or</text></subclause><subclause id="HAE5FDDC7C2B84FE28E30D0544964FBCA"><enum>(II)</enum><text display-inline="yes-display-inline">providing written verification to the covered entity or other service provider that the service provider does not hold data related to the request, that complying with the request would be inconsistent with the legal obligations of the service provider, or that the request falls within an exception pursuant to this
title;</text></subclause></clause></subparagraph><subparagraph id="HE201F4DFE8BD49BBBDB6055CAA5116C6"><enum>(D)</enum><text display-inline="yes-display-inline">shall, upon the reasonable request of the covered entity or other service provider, make available to the covered entity or other service provider all information necessary to demonstrate the compliance of the service provider with the requirements of this title;</text></subparagraph><subparagraph id="H133083DA0EEB479DB5DA99ECA5187056"><enum>(E)</enum><text display-inline="yes-display-inline">shall delete or return, as directed by the covered entity or other service provider, all covered data as soon as practicable after the contractually agreed upon end of the provision of services, unless the retention by the service provider of covered data is required by law;</text></subparagraph><subparagraph id="HDFBD6B513D114685918F8AB2B77B2B61"><enum>(F)</enum><text display-inline="yes-display-inline">may engage another service provider for purposes of processing or retaining covered data on behalf of the covered entity or other service provider only after exercising reasonable care in selecting another service provider as required by subsection (d), providing the covered entity or other service provider with written notice of the engagement, and entering into a written contract that requires the other service provider to satisfy the requirements of this title with respect to covered data; and</text></subparagraph><subparagraph id="H2819C73319054E08B8126000969F3B8A"><enum>(G)</enum><text>shall—</text><clause id="HC8916D818359459A906690A72D7D88E0"><enum>(i)</enum><text display-inline="yes-display-inline">allow and cooperate with reasonable assessments by the covered entity or other service provider at least annually; or</text></clause><clause id="HF2488C9367EE4DB7A79FCB74D93C6C92"><enum>(ii)</enum><text display-inline="yes-display-inline">arrange for a qualified and independent assessor to conduct an assessment of the 
policies and technical and organizational measures of the service provider in support of the obligations of the service provider under this title at least annually, using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and report the results of such assessment to the covered entity or other service provider.</text></clause></subparagraph></paragraph><paragraph id="HBA108ED97E3446A2A852B694AB2EA485"><enum>(2)</enum><header>Contract requirements</header><text>An entity may only operate as a service provider pursuant to a contract between a covered entity and a service provider. Such contract—</text><subparagraph id="HC7759A5928A64D0CBD97B9D6A9C9B589"><enum>(A)</enum><text>shall govern the data processing procedures of the service provider with respect to any collection, processing, retention, or transfer performed on behalf of the covered entity;</text></subparagraph><subparagraph id="H0E404BC6201347FD907799367ECD196F"><enum>(B)</enum><text>shall clearly set forth—</text><clause id="HC8B388ACEC14456FB4DC1A869F1BE928"><enum>(i)</enum><text>instructions for collecting, processing, retaining, or transferring data;</text></clause><clause id="HCB6A00234618472FAC2AB77133C83F5A"><enum>(ii)</enum><text>the nature and purpose of the collection, processing, retention, or transfer;</text></clause><clause id="HA5BF9168A3964B9D878AC139FC5997BF"><enum>(iii)</enum><text>the type of data subject to collection, processing, retention, or transfer;</text></clause><clause id="HE7D38155515543669FDA611E7F0F4637"><enum>(iv)</enum><text>the duration of the processing or retention; and</text></clause><clause id="H42B52AE20EBF430EA5E28F16B47B4C0F"><enum>(v)</enum><text>the rights and obligations of both parties;</text></clause></subparagraph><subparagraph id="HCC9F3E203C1D4518984A2E9E247EA6E1"><enum>(C)</enum><text>may not relieve the covered entity or service provider of any obligation under this title; 
and</text></subparagraph><subparagraph id="HD1270B584B3448E79E8A90AA4E17D3C5"><enum>(D)</enum><text>shall prohibit—</text><clause id="HB45D1D8C8AD64B1D9B7093BFC7695795"><enum>(i)</enum><text>the collection, processing, retention, or transfer of covered data in a manner that does not comply with the requirements of paragraph (1); and</text></clause><clause id="H547E911E29194B7AB91E40C11553B793"><enum>(ii)</enum><text>combining covered data that the service provider receives from or on behalf of a covered entity with covered data that the service provider receives from or on behalf of another entity or collects from the interaction of the service provider with an individual, unless such combining is necessary for a purpose described in section 102(d), other than a purpose described in paragraph (7), (14), (15), or (16) of such section, and is otherwise permitted under the contract.</text></clause></subparagraph></paragraph></subsection><subsection id="H3BE0848F7D894AB58B5D7466F5001462"><enum>(b)</enum><header>Third parties</header><paragraph id="HBBF076A7A98847268C1FEA1C41E7D0C9" commented="no"><enum>(1)</enum><header>In general</header><text>A third party may not process, retain, or transfer third-party data for a purpose other than—</text><subparagraph id="H67B7B23A26B34A049EB258C6561BF4B3" commented="no"><enum>(A)</enum><text>in the case of sensitive covered data—</text><clause id="H0B725938059B4458A455FC8B21527F34" commented="no"><enum>(i)</enum><text>except as provided in clause (ii), a purpose for which an individual gave affirmative express consent pursuant to subsection (b) or (c) of section 102; or</text></clause><clause id="H5691F8F7AC0E4D9BAEA5A3B8AE8D5E72" commented="no"><enum>(ii)</enum><text display-inline="yes-display-inline">in the case of sensitive covered data with respect to which affirmative express consent is not required pursuant to subsection (b) of section 102, a purpose for which the covered entity or service provider made a disclosure 
pursuant to section 104; or</text></clause></subparagraph><subparagraph id="H9085C4830C4A4E0C80110F1ACBA4C32D" commented="no"><enum>(B)</enum><text>in the case of covered data that is not sensitive covered data, a purpose for which the covered entity or service provider made a disclosure pursuant to section 104.</text></subparagraph></paragraph><paragraph id="HDE1D1499F4FD4A179AD95EA45DEEAD6F"><enum>(2)</enum><header>Contract requirements</header><text display-inline="yes-display-inline">Before transferring covered data to a third party, a covered entity or service provider shall enter into a contract with the third party that—</text><subparagraph id="HF3290E51760E4CF5B12614E953820BDA"><enum>(A)</enum><text>identifies the purposes for which covered data is being transferred;</text></subparagraph><subparagraph id="H13995A730B734886914EA8F716AE8032"><enum>(B)</enum><text>specifies that the third party may only use the covered data for such purposes;</text></subparagraph><subparagraph id="H1BD48285648C4793A0817503C777FAEC"><enum>(C)</enum><text>with respect to the covered data transferred, requires the third party to comply with all applicable provisions of, and regulations promulgated under, this title;</text></subparagraph><subparagraph id="H8609FACE05CF4AE887E5203CE50668FE"><enum>(D)</enum><text>requires the third party to notify the covered entity or service provider if the third party makes a determination that the third party can no longer meet the obligations of the third party under this title; and</text></subparagraph><subparagraph id="HF7434D04B76B48C0AF10BBD999B72F19"><enum>(E)</enum><text>grants the covered entity or service provider the right, upon notice (including under subparagraph (D)), to take reasonable and appropriate steps to stop and remediate unauthorized use of covered data by the third party.</text></subparagraph></paragraph></subsection><subsection id="H8AC55A30CA0E460B902D1D154D47FECC"><enum>(c)</enum><header>Rules of 
construction</header><paragraph id="H197B0D5B3B994C2C94C93A1B8CB461FE"><enum>(1)</enum><header>Successive actor violations</header><subparagraph id="H7F1295127A0C42B6878B0DEE16C0E942"><enum>(A)</enum><header>In general</header><text>With respect to a violation of this title by a service provider or third party regarding covered data received by the service provider or third party from a covered entity or another service provider, the covered entity or service provider that transferred such covered data may not be considered to be in violation of this title if the covered entity or service provider transferred the covered data in compliance with the requirements of this title and, at the time of transferring such covered data, did not have actual knowledge, or reason to believe, that the service provider or third party to which the covered data was transferred intended to violate this title.</text></subparagraph><subparagraph id="HB5A51098FC5C4936B609291C2764C2D1"><enum>(B)</enum><header>Knowledge of violation</header><text>A covered entity or service provider that transfers covered data to a service provider or third party and has actual knowledge, or reason to believe, that such service provider or third party is violating, or is about to violate, the requirements of this title shall immediately cease the transfer of covered data to such service provider or third party.</text></subparagraph></paragraph><paragraph id="HDD41A02215C44AD5817B68A9665CFAB7"><enum>(2)</enum><header>Prior actor violations</header><text>An entity that collects, processes, retains, or transfers covered data in compliance with the requirements of this title may not be considered to be in violation of this title as a result of a violation by an entity from which it receives, or on whose behalf it collects, processes, retains, or transfers, covered data.</text></paragraph></subsection><subsection id="H9B0C0DD3079D4C4E8DB8CB156161E7D1"><enum>(d)</enum><header>Reasonable care</header><paragraph 
id="H338D2223FB1B469D9B3F7B6270AEE614"><enum>(1)</enum><header>Service provider selection</header><text>A covered entity or service provider shall exercise reasonable care in selecting a service provider.</text></paragraph><paragraph id="H1DEDE832CBE340B3A499A9905D1A5304"><enum>(2)</enum><header>Transfer to third party</header><text>A covered entity or service provider shall exercise reasonable care in deciding to transfer covered data to a third party.</text></paragraph><paragraph id="HDC1751487FDB47BF8560717B8C7EBF94"><enum>(3)</enum><header>Guidance</header><text>Not later than 2 years after the date of the enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection.</text></paragraph></subsection><subsection id="HF921CA1025604840BC76D9D8291DDE46"><enum>(e)</enum><header>Rule of construction</header><text>Solely for purposes of this section, the requirements under this section for service providers to contract with, assist, and follow the instructions of covered entities shall also apply to any entity that collects, processes, retains, or transfers covered data for the purpose of performing services on behalf of, or at the direction of, a government entity, as though such government entity were a covered entity.</text></subsection></section><section id="HC61D99C5F8DA42C3ADD0F8CE27E55646"><enum>112.</enum><header>Data brokers</header><subsection id="H8344E03557CA46C09EA51CB1EA3A0FC2"><enum>(a)</enum><header>Notice</header><text>A data broker shall—</text><paragraph id="H5B09B3CB4CB44C52A7C00405E3DDFC3D"><enum>(1)</enum><text>establish and maintain a publicly available website; and</text></paragraph><paragraph id="H2A4E452D83C44983B6C06FE40A3404B6"><enum>(2)</enum><text>place a clear and conspicuous, and not misleading, notice on such publicly available website, and any mobile application of the data broker, that—</text><subparagraph id="HBE81D1056C1E4A61B902839E96E13FF3"><enum>(A)</enum><text>states that the entity is a 
data broker;</text></subparagraph><subparagraph id="HF61673A484814261982DF89E5BF2472E"><enum>(B)</enum><text>states that an individual may exercise a right described in section 105 or 106, and includes a link or other tool to allow an individual to exercise such right;</text></subparagraph><subparagraph id="H486572C5B44743D8B1FB858BCE530223"><enum>(C)</enum><text>includes a link to the website described in subsection (c)(3);</text></subparagraph><subparagraph id="H9B87BF349AF747D19E780768ED9944CE"><enum>(D)</enum><text>is reasonably accessible to and usable by individuals living with disabilities; and</text></subparagraph><subparagraph id="H81A6EC42C9DE4D1389E2FC0A791AC784"><enum>(E)</enum><text>is provided in any language in which the data broker provides products or services.</text></subparagraph></paragraph></subsection><subsection id="H87C435BCEB5844EE8EF1ABE8D579917B"><enum>(b)</enum><header>Prohibited practices</header><text>A data broker may not—</text><paragraph id="H86C33C09809143A1B785166D55F91DAF"><enum>(1)</enum><text>advertise or market access to, or the transfer of, covered data for the purposes of—</text><subparagraph id="H581C91053EFF43C784EB38E14A003ADF"><enum>(A)</enum><text>stalking or harassing an individual; or</text></subparagraph><subparagraph id="H4330B8EDC15042C29FEAB51F68940FA2"><enum>(B)</enum><text>engaging in fraud, identity theft, or unfair or deceptive acts or practices; or</text></subparagraph></paragraph><paragraph id="H418550D38BFC4F3489E62DDF4DB4CA84"><enum>(2)</enum><text>misrepresent the business practices of the data broker.</text></paragraph></subsection><subsection id="H910F949D34DA4933BDA1E5B5AB3E3CCE"><enum>(c)</enum><header>Data broker registration</header><paragraph id="H38C130A562D345BAA065675C6F94D567"><enum>(1)</enum><header>In general</header><text>Not later than January 31 of each calendar year that follows a calendar year during which an entity acted as a data broker with respect to more than 5,000 individuals or 
devices that identify or are linked or reasonably linkable to an individual, such entity shall register with the Commission in accordance with this subsection.</text></paragraph><paragraph id="HA6DC4A1519AF400D99A6B0026919A54B"><enum>(2)</enum><header>Registration requirements</header><text>In registering with the Commission as required under paragraph (1), a data broker shall do the following:</text><subparagraph id="HED46714111B4458DB4423B6AC23E1646"><enum>(A)</enum><text>Pay to the Commission a registration fee of $100.</text></subparagraph><subparagraph id="HB87CDF76F72C47309BDBA8008A1A92FE"><enum>(B)</enum><text>Provide the Commission with the following information:</text><clause id="H8F90435F534C43988802560962C89CA4"><enum>(i)</enum><text>The legal name and primary valid physical postal address, email address, and internet address of the data broker.</text></clause><clause id="H9DA77D713320476EA1BC319B4ECD9BEC"><enum>(ii)</enum><text>A description of the categories of covered data the data broker collects, processes, retains, or transfers.</text></clause><clause id="H331A8D93303344DDAC734A6AFD5B7D8A"><enum>(iii)</enum><text>The contact information of the data broker, including the name of a contact person, a human-monitored telephone number, a human-monitored e-mail address, a website, and a physical mailing address.</text></clause><clause id="H96FB6BB25D454F4795D1DAA5EADC2A23"><enum>(iv)</enum><text>A link to a website through which an individual may easily exercise the rights described in sections 105 and 106.</text></clause></subparagraph></paragraph><paragraph id="H47CA88ACFA8A416E963590BCD8C0F798"><enum>(3)</enum><header>Data broker registry</header><subparagraph id="H639B932BF33F44E7A3068B766F7449DB"><enum>(A)</enum><header>Establishment</header><text>The Commission shall establish and maintain on a publicly available website a searchable list of data brokers that are registered with the Commission under this 
subsection.</text></subparagraph><subparagraph id="HE6DF85FEA4E94FA2B10B83D37634E171"><enum>(B)</enum><header>Requirements</header><text>The registry established under subparagraph (A) shall—</text><clause id="H18F58978C69D4CF58B4F6F7FFB349543"><enum>(i)</enum><text>allow members of the public to search for and identify data brokers;</text></clause><clause id="H8D3C588203174B1EA01288B6BFE4B97A"><enum>(ii)</enum><text>include the information required under paragraph (2)(B) for each data broker;</text></clause><clause id="HDC58BF725E2A49559AF3E4B6A4638B2B"><enum>(iii)</enum><text>include a mechanism by which an individual, including a parent acting on behalf of a child of the parent, may submit to all registered data brokers a <quote>Do Not Collect</quote> request that results in registered data brokers no longer collecting covered data related to such individual or child (as applicable) without the affirmative express consent of such individual; and</text></clause><clause id="H0C0272A9433C4275BADC4E0E5AD00517"><enum>(iv)</enum><text display-inline="yes-display-inline">include a mechanism by which an individual, including a parent acting on behalf of a child of the parent, may submit to all registered data brokers a <quote>Delete My Data</quote> request that results in registered data brokers deleting all covered data related to such individual or child (as applicable) that the data broker did not collect directly from such individual or when acting as a service provider.</text></clause></subparagraph><subparagraph id="H59467238B3C54B0BA696FD9B76EB22B1"><enum>(C)</enum><header>Affordability</header><text>A data broker may not charge an individual a fee to exercise a right under this paragraph.</text></subparagraph></paragraph><paragraph id="HD7AAD297C8C046FB876DBF300D5B1079"><enum>(4)</enum><header>Do not collect and delete my data requests</header><subparagraph id="H9B2BE7496C5B4D44996D149B0A1C5C75"><enum>(A)</enum><header>Compliance</header><text 
display-inline="yes-display-inline">Subject to subparagraph (B), each data broker that receives a request from an individual, including a parent acting on behalf of a child of the parent, using the mechanism established under paragraph (3)(B)(iii) or paragraph (3)(B)(iv) shall comply with such request not later than 30 days after the date on which the request is received by the data broker.</text></subparagraph><subparagraph id="H2D8289815949489EBE7FB53FB39E31F4"><enum>(B)</enum><header>Exception</header><text>A data broker may decline to fulfill a request from an individual, if—</text><clause id="HCBBA0F9DD9E348408A4CE56121F64184"><enum>(i)</enum><text>the data broker has actual knowledge that the individual has been convicted of a crime related to the abduction or sexual exploitation of a child; and</text></clause><clause id="H402B707148CA495CBF253F008D7FCD7D"><enum>(ii)</enum><text>the data collected by the data broker is necessary—</text><subclause id="HA5853BC93EA949ED925B902B81CC6059"><enum>(I)</enum><text>to carry out a national or State-run sex offender registry; or</text></subclause><subclause id="H0138277D061043D0985C8EB68360E219"><enum>(II)</enum><text>for the National Center for Missing and Exploited Children.</text></subclause></clause></subparagraph></paragraph></subsection></section><section id="H72264840D6C34DCCB9F9EFE415FC4BBD"><enum>113.</enum><header>Commission-approved compliance guidelines</header><subsection id="H4D1AC0D4ABAB41E1A145521FD96DF300"><enum>(a)</enum><header>Application for compliance guideline approval</header><paragraph id="H61EB404EDFED46E68FDF089D68C508C5"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity that is not a data broker and is not a large data holder, or a group of such covered entities, may apply to the Commission for approval of 1 or more sets of compliance guidelines governing the collection, processing, retention, or transfer of covered data by the covered 
entity or covered entities.</text></paragraph><paragraph id="HAF288B94204443A181412379A275629B"><enum>(2)</enum><header>Application requirements</header><text>An application under paragraph (1) shall include—</text><subparagraph id="HB00A254ED2414ECD99F2CF0CCCBF9914"><enum>(A)</enum><text>a description of how the proposed guidelines will meet or exceed the applicable requirements of this title;</text></subparagraph><subparagraph id="HB61674B3ADF84E9490C4C255005AAE1E"><enum>(B)</enum><text>a description of the entities or activities the proposed guidelines are designed to cover;</text></subparagraph><subparagraph id="HCEFF651B650948A9BBA0204D0BB1A4BB"><enum>(C)</enum><text>a list of the covered entities, to the extent known at the time of application, that intend to adhere to the proposed guidelines;</text></subparagraph><subparagraph id="H5CFFE36241634B36A93CAE2E93741472"><enum>(D)</enum><text>a description of an independent organization, not associated with any of the intended adhering covered entities, that will administer the proposed guidelines; and</text></subparagraph><subparagraph id="H61ED03A052DB44989ED5F1CA5FD3DCF5"><enum>(E)</enum><text>a description of how such intended adhering entities will be assessed for adherence to the proposed guidelines by the independent organization described in subparagraph (D).</text></subparagraph></paragraph><paragraph id="H35F4935628064256854A539700057ABD"><enum>(3)</enum><header>Commission review</header><subparagraph id="HCF5FFA551FE24B9FA2371509DE9687EC"><enum>(A)</enum><header>Initial approval</header><clause id="H0065ABB1AE88493A87422CCEBB8D80C7"><enum>(i)</enum><header>Public comment period</header><text>Not later than 90 days after receipt of an application regarding proposed guidelines submitted pursuant to paragraph (1), the Commission shall publish the application and provide an opportunity for public comment on such proposed guidelines.</text></clause><clause 
id="H0EE89AEE7CD64C0787BDB39C47AA8C93"><enum>(ii)</enum><header>Approval criteria</header><text>The Commission shall approve an application regarding proposed guidelines submitted pursuant to paragraph (1), including the independent organization that will administer the guidelines, if the applicant demonstrates that the proposed guidelines—</text><subclause id="HC8904D168F8742C9A8CCC3D93B171DCC"><enum>(I)</enum><text>meet or exceed the applicable requirements of this title;</text></subclause><subclause id="HB5874051E94A4E90A30E5237399C8415"><enum>(II)</enum><text>provide for regular review and validation by an independent organization to ensure that the covered entity or covered entities adhering to the guidelines continue to meet or exceed the applicable requirements of this title; and</text></subclause><subclause id="H43A7CEAAB5964D96B84100DFBF547263"><enum>(III)</enum><text>include a means of enforcement if a covered entity does not meet or exceed the requirements in the guidelines, which may include referral to the Commission for enforcement under section 115 or referral to the appropriate State attorney general for enforcement under section 116.</text></subclause></clause><clause id="HE514334933174A798A64E1A9B63E38F2"><enum>(iii)</enum><header>Timeline</header><text>Not later than 1 year after the date on which the Commission receives an application regarding proposed guidelines pursuant to paragraph (1), the Commission shall issue a determination approving or denying the application, including the relevant independent organization, and providing the reasons for approving or denying the application.</text></clause></subparagraph><subparagraph id="H0654E4F6BCA1406AB8AA057EEEDFCFF7"><enum>(B)</enum><header>Approval of modifications</header><clause id="HE3823B1B6E40407C8C72765423D6C9BE"><enum>(i)</enum><header>In general</header><text display-inline="yes-display-inline">If the independent organization administering a set of guidelines approved under subparagraph 
(A) makes significant changes to the guidelines, the independent organization shall submit the updated guidelines to the Commission for approval. As soon as feasible, the Commission shall publish the updated guidelines and provide an opportunity for public comment.</text></clause><clause id="H9C5E70A72D9E4F2AA427B0FED1D4AC68"><enum>(ii)</enum><header>Timeline</header><text display-inline="yes-display-inline">The Commission shall approve or deny any significant change to guidelines submitted under clause (i) not later than 180 days after the date on which the Commission receives the submission for approval.</text></clause></subparagraph></paragraph></subsection><subsection id="HF4F9D05B7D8A4E7B94C9C7C9887D405D"><enum>(b)</enum><header>Withdrawal of approval</header><paragraph id="H95955079936441D5BEA5AF78A9ECE942"><enum>(1)</enum><header>In general</header><text>If at any time the Commission determines that guidelines previously approved under this section no longer meet the applicable requirements of this title or that compliance with the approved guidelines is insufficiently enforced by the independent organization administering the guidelines, the Commission shall notify the relevant covered entity or group of covered entities and the independent organization of the determination of the Commission to withdraw approval of the guidelines, including the basis for the determination.</text></paragraph><paragraph id="HB53CAA3273BF4DAEA810F2942EB1D1B1"><enum>(2)</enum><header>Opportunity to cure</header><subparagraph id="HCA5E818FD9DE4355B8048691B58B8312"><enum>(A)</enum><header>In general</header><text>Not later than 180 days after receipt of a notice under paragraph (1), the covered entity or group of covered entities and the independent organization may cure any alleged deficiency with the guidelines or the enforcement of the guidelines and submit each proposed cure to the Commission.</text></subparagraph><subparagraph 
id="HD1E786EB88B84F93A21BC5BECD4AFC7C"><enum>(B)</enum><header>Effect on withdrawal of approval</header><text>If the Commission determines that cures proposed under subparagraph (A) eliminate alleged deficiencies in the guidelines, the Commission may not withdraw the approval of such guidelines on the basis of such deficiencies.</text></subparagraph></paragraph></subsection><subsection id="H04AA8DF0C0904A818F4FBECBBAD3B38E"><enum>(c)</enum><header>Certification</header><text>A covered entity with guidelines approved by the Commission under this section shall—</text><paragraph id="H708723A4E8F941C5878BFFE7E4FE732A"><enum>(1)</enum><text>publicly self-certify that the covered entity is in compliance with the guidelines; and</text></paragraph><paragraph id="HE05B471C6D314D7FB4283AE83F92A0AE"><enum>(2)</enum><text>as part of the self-certification under paragraph (1), indicate the independent organization responsible for assessing compliance with the guidelines.</text></paragraph></subsection><subsection id="HE427A0C255C5440EA85D56F31FEA8011"><enum>(d)</enum><header>Rebuttable presumption of compliance</header><text>A covered entity that is eligible to participate in guidelines approved under this section, participates in the guidelines, and is in compliance with the guidelines shall be entitled to a rebuttable presumption that the covered entity is in compliance with the relevant provisions of this title to which the guidelines apply.</text></subsection><subsection id="H0B66D5E551364E16ABC904489673F01E" commented="no"><enum>(e)</enum><header>Eligibility of service providers</header><text display-inline="yes-display-inline">This section shall apply to a service provider that is not a large data holder, or a group of such service providers, in the same manner as this section applies to a covered entity or group of covered entities. 
Such a service provider or group of service providers may apply for approval of, and participate in, the same guidelines as a covered entity or group of covered entities.</text></subsection></section><section id="H7208E37F05084C85899B069002426A23"><enum>114.</enum><header>Privacy-enhancing technology pilot program</header><subsection id="H218A74D35613460F9A546009E192AF02"><enum>(a)</enum><header>Privacy-Enhancing technology defined</header><text>In this section, the term <quote>privacy-enhancing technology</quote>—</text><paragraph id="H377EEE82907447DBBE6A94936367AC4D"><enum>(1)</enum><text>means any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of information without substantially reducing the privacy and security of the information; and</text></paragraph><paragraph id="H28DCCDC1771C451F95E83E0BD1A94B22"><enum>(2)</enum><text>includes technologies with functionality similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation.</text></paragraph></subsection><subsection id="H046BDBF3ED3F40068A40DFA93BED0D39"><enum>(b)</enum><header>Establishment</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall establish and carry out a pilot program to encourage private sector use of privacy-enhancing technologies for the purposes of protecting covered data to comply with section 109.</text></subsection><subsection id="H2EEF4CCCC8034A14B6F630E4A3EC8A93"><enum>(c)</enum><header>Purposes</header><text>Under the pilot program established under subsection (b), the Commission shall—</text><paragraph id="HFF5395D9BBA74CD38AFB5E5896149F0D"><enum>(1)</enum><text>develop and implement a petition process for covered entities to request to be a part of the pilot program; and</text></paragraph><paragraph id="HAF144F5AEF374CBCAECB17CE399BA303"><enum>(2)</enum><text>build an auditing 
system that leverages privacy-enhancing technologies to support the enforcement actions of the Commission.</text></paragraph></subsection><subsection id="HF09F3A5163E34CE3A743F666C2FA86A6"><enum>(d)</enum><header>Petition process</header><text>A covered entity wishing to be accepted into the pilot program established under subsection (b) shall demonstrate to the Commission that the privacy-enhancing technologies to be used under the pilot program by the covered entity will establish data security practices that meet or exceed all or some of the requirements in section 109. If the covered entity demonstrates the privacy-enhancing technologies meet or exceed the requirements in section 109, the Commission may accept the covered entity to be a part of the pilot program. If the Commission does not accept a covered entity to be a part of the pilot program, the Commission shall provide an adequate response to the covered entity detailing why the covered entity was not accepted, and the covered entity may subsequently revise the petition of the covered entity to address any deficiencies indicated by the Commission in the response of the Commission to the covered entity.</text></subsection><subsection id="HB18F29BCCFF942B0A0F55AFCE508DFDF"><enum>(e)</enum><header>Requirements</header><text>In carrying out the pilot program established under subsection (b), the Commission shall—</text><paragraph id="HDDDF7CE2DCB0431C9CC17470D79DDF1E"><enum>(1)</enum><text>receive input from private, public, and academic stakeholders; and</text></paragraph><paragraph id="H267B920BBF8E449A95A8F3A7BC41E716"><enum>(2)</enum><text>develop ongoing public and private sector engagement, in consultation with the Secretary of Commerce, to disseminate voluntary, consensus-based resources to increase the integration of privacy-enhancing technologies in data collection, sharing, and analytics by the public and private sectors.</text></paragraph></subsection><subsection 
id="HB1DC751C407E442CBD174AB1B1C58E46"><enum>(f)</enum><header>Conclusion of pilot program</header><text>The Commission shall terminate the pilot program established under subsection (b) not later than 10 years after the commencement of the program.</text></subsection><subsection id="H699218A84C254D5E94A72C665223214A"><enum>(g)</enum><header>Study required</header><paragraph id="HAB106AD9811049B8B6020C7E9C8511A0"><enum>(1)</enum><header>In general</header><text>The Comptroller General of the United States shall conduct a study—</text><subparagraph id="H397357DA225445EBBD9339571916050D"><enum>(A)</enum><text>to assess the progress of the pilot program established under subsection (b);</text></subparagraph><subparagraph id="H52340A9D570E4951BEBEE116BBDDF68D"><enum>(B)</enum><text>to determine the effectiveness of using privacy-enhancing technologies at the Commission to support oversight of the data security practices of covered entities; and</text></subparagraph><subparagraph id="H85EA73C448374872B79749F54FF761A0"><enum>(C)</enum><text>to develop recommendations to improve and advance privacy-enhancing technologies, including by improving communication and coordination between covered entities and the Commission to increase implementation of privacy-enhancing technologies by such entities and the Commission.</text></subparagraph></paragraph><paragraph id="HB69007BD965445C792D091B989A9C7EE"><enum>(2)</enum><header>Initial briefing</header><text>Not later than 3 years after the date of the enactment of this Act, the Comptroller General shall brief the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the initial results of the study conducted under paragraph (1).</text></paragraph><paragraph id="H978F3A65DDC84762B9CBC81849A849CA"><enum>(3)</enum><header>Final report</header><text>Not later than 240 days after the date on which the briefing required by paragraph (2) is conducted, 
the Comptroller General shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a final report setting forth the results of the study conducted under paragraph (1), including the recommendations developed under subparagraph (C) of such paragraph.</text></paragraph></subsection><subsection id="HEC813C0DD24E4F03A72000AA5205B16D"><enum>(h)</enum><header>Audit of covered entities</header><text>The Commission shall, on an ongoing basis, audit covered entities who have been accepted to be part of the pilot program established under subsection (b) to determine whether such a covered entity is maintaining the use and implementation of privacy-enhancing technologies to secure covered data.</text></subsection><subsection id="HE07E9EB60C604FBC8A80910ECED6F928"><enum>(i)</enum><header>Withdrawal from the pilot program</header><text>If at any time the Commission determines that a covered entity accepted to be a part of the pilot program established under subsection (b) is no longer maintaining the use of privacy-enhancing technologies, the Commission shall notify the covered entity of the determination of the Commission to withdraw approval for the covered entity to be a part of the pilot program and the basis for doing so. Not later than 180 days after the date on which a covered entity receives such notice, the covered entity may cure any alleged deficiency with the use of privacy-enhancing technologies and submit each proposed cure to the Commission. 
If the Commission determines that such cures eliminate alleged deficiencies with the use of privacy-enhancing technologies, the Commission may not withdraw the approval of the covered entity to be a part of the pilot program on the basis of such deficiencies.</text></subsection><subsection id="H37CE9369BCA34D32B221B99F95319B4C"><enum>(j)</enum><header>Limitations on liability</header><text>Any covered entity that petitions, and is accepted, to be part of the pilot program established under subsection (b), actively implements and maintains the use of privacy-enhancing technologies, and is determined by the Commission to be in compliance with the program shall—</text><paragraph id="HD932CCD2D85540C3A9D44C9406DB601F"><enum>(1)</enum><text>for any action under section 115 or 116 for a violation of section 109, be deemed to be in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies; and</text></paragraph><paragraph id="HE9321A95EB654997B7343E20AA1823B9"><enum>(2)</enum><text>for any action under section 117 for a violation of section 109, be entitled to a rebuttable presumption that such entity is in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies.</text></paragraph></subsection></section><section id="H03D6C7413CF146C7B5917BC44FA9742F"><enum>115.</enum><header>Enforcement by Federal Trade Commission</header><subsection id="HD28C51268BA941FE9DD0D72B32BFB7C1"><enum>(a)</enum><header>New bureau</header><paragraph id="HE2F5CB6EBE8943CABC82B51A1F1ADC16"><enum>(1)</enum><header>In general</header><text>Subject to the availability of appropriations, the Commission shall establish, within the Commission, a new bureau comparable in structure, size, organization, and authority to the existing bureaus within the Commission related to consumer protection and competition.</text></paragraph><paragraph 
id="HEEBFF98354934D86A62E2286FECF6E87"><enum>(2)</enum><header>Mission</header><text>The mission of the bureau established under this subsection shall be to assist the Commission in exercising the authority of the Commission under this title and related authorities.</text></paragraph><paragraph id="H4278790F142642439C891EAC05034010"><enum>(3)</enum><header>Staff</header><subparagraph id="H52A98E5FF8A34B78A7E92C12AC6BFCAE"><enum>(A)</enum><header>In general</header><text>In staffing the bureau established under this subsection, the Commission shall ensure the allocation of full time employees or full time employee equivalents that include attorneys, economists, investigators, technologists, and mental health professionals with experience in the well-being of children and teens.</text></subparagraph><subparagraph id="H3B0C3A23546049C4ABF101AB114B3AD1"><enum>(B)</enum><header>Technologist defined</header><text>For the purposes of this paragraph, the term <quote>technologist</quote> means an individual with training and expertise with respect to technology, including state-of-the-art information technology, network or data security, hardware or software development, privacy-enhancing technologies, cryptography, computer science, data science, advertising technology, web tracking, machine learning, and other related fields and applications.</text></subparagraph></paragraph><paragraph id="H492F7EF71FAA419F9D532632A7A5D750"><enum>(4)</enum><header>Timeline</header><text>The bureau established under this subsection shall be established, staffed, and fully operational not later than 180 days after the date of the enactment of this Act.</text></paragraph></subsection><subsection id="H92A9D45976064E9583A9268D23C266CE"><enum>(b)</enum><header>Enforcement by commission</header><paragraph id="H6F293900904142E999E685AAD14A2DCC"><enum>(1)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of this title or a regulation promulgated under this title shall 
be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph><paragraph id="HFD58381D11DF478283C2B2BED9CF36D3"><enum>(2)</enum><header>Powers of commission</header><subparagraph id="H229114262E8242DE950D6EC1C7D14BD2"><enum>(A)</enum><header>In general</header><text>Except as provided in paragraph (3) or otherwise provided in this title, the Commission shall enforce this title and the regulations promulgated under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this title.</text></subparagraph><subparagraph id="H62AE0D76E2904169A3A21C6173E9D8A5"><enum>(B)</enum><header>Privileges and immunities</header><text>Any entity that violates this title or a regulation promulgated under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text></subparagraph></paragraph><paragraph id="HE85A712B4DC6462695F77E957E2647D4"><enum>(3)</enum><header>Common carriers and nonprofits</header><text>Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 
44</external-xref>; 45(a)(2); 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this title, and the regulations promulgated under this title, in the same manner provided in paragraphs (1) and (2) of this subsection with respect to—</text><subparagraph id="H6C4713AFDDA14E07ACB81CC52A610A61"><enum>(A)</enum><text>common carriers subject to title II of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/201">47 U.S.C. 201 et seq.</external-xref>); and</text></subparagraph><subparagraph id="H43F2E44871B6443C9C7AF56ACE2CC419"><enum>(B)</enum><text>organizations not organized to carry on business for their own profit or that of their members.</text></subparagraph></paragraph><paragraph id="H2AC9F5051DDA47AEB37126AE9582607F"><enum>(4)</enum><header>Penalty offset for state or individual actions</header><text>Any amount that a court orders an entity to pay in an action brought under this subsection shall be offset by any amount a court has ordered the entity to pay in an action brought against the entity for the same violation under section 116 or 117.</text></paragraph><paragraph id="HE14B9A51A8AC450184B5A58279006DF6"><enum>(5)</enum><header>Privacy and security victims relief fund</header><subparagraph id="HC410CB8FFDE846B98269EF6085EEA13F"><enum>(A)</enum><header>Establishment of victims relief fund</header><text>There is established in the Treasury of the United States a separate fund to be known as the <quote>Privacy and Security Victims Relief Fund</quote> (in this paragraph referred to as the <quote>Victims Relief Fund</quote>).</text></subparagraph><subparagraph id="HDB4D42957DD44EEEBBC23CCE5617E999"><enum>(B)</enum><header>Deposits</header><text>The Commission or the Attorney General of the United States, as applicable, shall deposit into the Victims Relief Fund the amount of any civil penalty obtained in any civil action the Commission, or the Attorney General on behalf of the Commission, 
commences to enforce this title or a regulation promulgated under this title.</text></subparagraph><subparagraph id="H63029898FEAA49FC827B72FDBC87B40D"><enum>(C)</enum><header>Use of fund amounts</header><clause id="HF325B437BCE84CD3AB4259205947DE3D"><enum>(i)</enum><header>Availability to the commission</header><text>Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, damages, payments or compensation, or other monetary relief to persons affected by an act or practice for which civil penalties, other monetary relief, or any other forms of relief (including injunctive relief) have been ordered in a civil action or administrative proceeding the Commission commences, or in any civil action the Attorney General of the United States commences on behalf of the Commission, to enforce this title or a regulation promulgated under this title.</text></clause><clause id="HA0625DBBC174463FAFFC74AF5216C045"><enum>(ii)</enum><header>Other permissible uses</header><text>To the extent that individuals cannot be located or such redress, damages, payments or compensation, or other monetary relief are otherwise not practicable, the Commission may use amounts in the Victims Relief Fund for the purpose of—</text><subclause id="H040D80891429485ABB82803A2ACA840C"><enum>(I)</enum><text>consumer or business education relating to data privacy or data security; or</text></subclause><subclause id="H69ACF778312F4B3DAB4ACF7376D09DED"><enum>(II)</enum><text>engaging in technological research that the Commission considers necessary to implement this title, including promoting privacy-enhancing technologies that promote compliance with this title.</text></subclause></clause></subparagraph><subparagraph id="H013276B7D4364A9D90A4B6334441B395"><enum>(D)</enum><header>Calculation</header><text>Any amount that the Commission provides to a person as redress, payments or 
compensation, or other monetary relief under subparagraph (C) with respect to a violation by an entity shall be offset by any amount the person received from an action brought against the entity for the same violation under section 116 or 117.</text></subparagraph><subparagraph id="HC8156C3BD76A42C7B1D49BC58AAD45EC"><enum>(E)</enum><header>Rule of construction</header><text>Amounts collected and deposited in the Victims Relief Fund may not be construed to be Government funds or appropriated monies and may not be subject to apportionment for the purpose of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/31/15">chapter 15</external-xref> of title 31, United States Code, or under any other authority.</text></subparagraph></paragraph></subsection><subsection id="HDA49B11707AA4ABEB59FFA7BBD63A989"><enum>(c)</enum><header>Report</header><paragraph id="H0328ACEC7D3B495D9DAE2D0FF7EAA19D"><enum>(1)</enum><header>In general</header><text>Not later than 4 years after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report describing investigations conducted during the prior year with respect to violations of this title, including—</text><subparagraph id="HF4307891B28143BE8A9068609576059E"><enum>(A)</enum><text>the number of such investigations the Commission commenced;</text></subparagraph><subparagraph id="H66235ED2100F47E8948EF0FB92CB923D"><enum>(B)</enum><text>the number of such investigations the Commission closed with no official agency action;</text></subparagraph><subparagraph id="HDACF037B71864748A15EF44C67D0FE2B"><enum>(C)</enum><text>the disposition of such investigations, if such investigations have concluded and resulted in official agency action; and</text></subparagraph><subparagraph id="H170CA5AE348F4475881991FE827547B5"><enum>(D)</enum><text>for each investigation that was closed with no official agency action, the industry sectors of the covered entities subject to each 
investigation.</text></subparagraph></paragraph><paragraph id="H353E913075F24FB0B92DB0C39D317EC3"><enum>(2)</enum><header>Privacy protections</header><text>A report required under paragraph (1) may not include the identity of any person who is the subject of an investigation or any other information that identifies such a person.</text></paragraph><paragraph id="H97BB1C98D3BA498FAE7F122EF2881B29"><enum>(3)</enum><header>Annual plan</header><text>Not later than 540 days after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a plan for the next calendar year describing the projected activities of the Commission under this title, including—</text><subparagraph id="H7586EB28C1724A0EB36C756269F39029"><enum>(A)</enum><text>the policy priorities of the Commission and any changes to the previous policy priorities of the Commission;</text></subparagraph><subparagraph id="H09DF5B299DD14173B34007F11B782760"><enum>(B)</enum><text>any rulemaking proceedings projected to be commenced, including any such proceedings to amend or repeal a rule;</text></subparagraph><subparagraph id="H9E49FBD1610E467AA985EC5EC15FAB59"><enum>(C)</enum><text>any plans to develop, update, or withdraw guidelines or guidance required under this title;</text></subparagraph><subparagraph id="H4E2A458F0E2746C9901E5D585101605A"><enum>(D)</enum><text>any plans to restructure the Commission; and</text></subparagraph><subparagraph id="HD67D25A7D3394BC495EC132D7E41D51A"><enum>(E)</enum><text>projected dates and timelines, or changes to projected dates and timelines, associated with any of the requirements under this title.</text></subparagraph></paragraph></subsection></section><section id="H0A3045A8B5854502A2C857049AE2D546"><enum>116.</enum><header>Enforcement by States</header><subsection id="H4D969273207743CD975CA1A80DB7782D"><enum>(a)</enum><header>Civil action</header><paragraph id="H59D042FCF4BB4B22B44F814956D56B14"><enum>(1)</enum><header>In 
general</header><text>In any case in which the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers has reason to believe that an interest of the residents of the State has been or is adversely affected by the engagement of any entity in an act or practice that violates this title or a regulation promulgated under this title, the attorney general, chief consumer protection officer, or other authorized officer or office of the State may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State, in an appropriate Federal district court of the United States to—</text><subparagraph id="HC22EC39354F34CFB86E36D10FFA068B9"><enum>(A)</enum><text>enjoin such act or practice;</text></subparagraph><subparagraph id="HB24D3A4CCEB4447A9AB6279B2B844F31"><enum>(B)</enum><text>enforce compliance with this title or the regulations promulgated under this title;</text></subparagraph><subparagraph id="H1D06554D11DD4DB5B40E46590B8588F4"><enum>(C)</enum><text>obtain civil penalties;</text></subparagraph><subparagraph id="H09B1E36D67A14362A44F1945B64AACFA"><enum>(D)</enum><text>obtain damages, restitution, or other compensation on behalf of the residents of the State;</text></subparagraph><subparagraph id="H635224174ACA40E6B73586BF0DDD759A"><enum>(E)</enum><text>obtain reasonable attorney’s fees and other litigation costs reasonably incurred; or</text></subparagraph><subparagraph id="H17C9791DDF844919B440C86EA53805E6"><enum>(F)</enum><text>obtain such other relief as the court may consider to be appropriate.</text></subparagraph></paragraph><paragraph id="H5F6041F2C6584D41B08CED5FB9B70E9C"><enum>(2)</enum><header>Limitation</header><text>In any case with respect to which the attorney general of a State, the chief consumer protection officer of a State, or an officer or office 
of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers brings an action under paragraph (1), no other officer or office of the same State may institute a civil action under paragraph (1) against the same defendant for the same violation of this title or regulation promulgated under this title.</text></paragraph></subsection><subsection id="H443697236CC54B5F85DAC37C45A00E4F"><enum>(b)</enum><header>Rights of the commission</header><paragraph id="HB257C7F8214D45C3BA9D50C81EB02C40"><enum>(1)</enum><header>In general</header><text>Except if not feasible, a State officer shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action and, upon intervening—</text><subparagraph id="H5751A87D35BD46078707EC87FF2473F1"><enum>(A)</enum><text>be heard on all matters arising in such action; and</text></subparagraph><subparagraph id="HFFD06CA73FE843EC8C744F388F5DDCD4"><enum>(B)</enum><text>file petitions for appeal of a decision in such action.</text></subparagraph></paragraph><paragraph id="H787F8117479546BA908E7A77F651635B"><enum>(2)</enum><header>Notification timeline</header><text>If not feasible for a State officer to provide the notification required by paragraph (1) before initiating a civil action under subsection (a), the State officer shall notify the Commission immediately after initiating the civil action.</text></paragraph></subsection><subsection id="HABDB29DEC7C64573BA29F675D6488FB4"><enum>(c)</enum><header>Actions by the commission</header><text>In any case in which a civil action is instituted by or on behalf of the Commission for a violation of this title or a regulation promulgated under this title, no attorney general of a State, chief consumer protection officer of a State, or officer or office of a State 
authorized to enforce privacy or data security laws may, during the pendency of such action, institute a civil action against any defendant named in the complaint in the action instituted by or on behalf of the Commission for a violation of this title or a regulation promulgated under this title that is alleged in such complaint.</text></subsection><subsection id="H08C33F2423E14D7A8C8EB4E9920DB1D6"><enum>(d)</enum><header>Investigatory powers</header><text>Nothing in this title may be construed to prevent the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers from exercising the powers conferred on such officer or office to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.</text></subsection><subsection id="H0B638ED0F9FB440080B493E494A9A97A"><enum>(e)</enum><header>Venue; service of process</header><paragraph id="HBFA9DD0869F949FE8AECBEC9A0CB304A"><enum>(1)</enum><header>Venue</header><text>Any action brought under subsection (a) may be brought in any Federal district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.</text></paragraph><paragraph id="H2FCAA9928DDC49EC939D26DA4845C429"><enum>(2)</enum><header>Service of process</header><text>In an action brought under subsection (a), process may be served in any district in which the defendant—</text><subparagraph id="H250B1E6C6B59470BA35CB66473CB001E"><enum>(A)</enum><text>is an inhabitant; or</text></subparagraph><subparagraph id="HFF14163ECEC44E6598807A703D9F5EE1"><enum>(B)</enum><text>may be found.</text></subparagraph></paragraph></subsection><subsection id="HCEFD17D37A4E4D8A88F2206C0495E856"><enum>(f)</enum><header>GAO study</header><paragraph 
id="H78C5D36A391A4B73B51EF22368E91870"><enum>(1)</enum><header>In general</header><text>The Comptroller General of the United States shall conduct a study of the practice of State attorneys general hiring, or otherwise contracting with, outside firms to assist in enforcement efforts pursuant to this title, which shall include the study of—</text><subparagraph id="H351F46A8B4BB4505AFF113C7871C8A4C"><enum>(A)</enum><text>the frequency with which each State attorney general hires or contracts with outside firms to assist in such enforcement efforts;</text></subparagraph><subparagraph id="H11FA612B41D84158B62F8FE17F4F57F9"><enum>(B)</enum><text>the contingency fees, hourly rates, and other costs of hiring or contracting with outside firms;</text></subparagraph><subparagraph id="H9503A2E4E95A4A5187724206FCD14147"><enum>(C)</enum><text>the types of matters for which outside firms are hired or contracted;</text></subparagraph><subparagraph id="H40F8F8EF07B64017A6AD81B25B01B236"><enum>(D)</enum><text>the bid and selection process for such outside firms, including reviews of conflicts of interest;</text></subparagraph><subparagraph id="H9D69357BCE464CB3BA960F6BBD6A00BB"><enum>(E)</enum><text>the practices State attorneys general set in place to protect sensitive information that would become accessible by outside firms while the outside firms are assisting in such enforcement efforts;</text></subparagraph><subparagraph id="HB4C3494E3188431682C93B2C25EEBC95"><enum>(F)</enum><text>the percentage of monetary recovery that is returned to victims and the percentage of such recovery that is retained by outside firms; and</text></subparagraph><subparagraph id="HCE28FBEF366043BE9935ACCEFA494D56"><enum>(G)</enum><text>the market average for the hourly rate of hired or contracted attorneys in each market.</text></subparagraph></paragraph><paragraph id="H235A4875F65147B49AACEF796CDDD37F"><enum>(2)</enum><header>Report</header><text display-inline="yes-display-inline">Not later than 1 
year after the date of the enactment of this Act, the Comptroller General shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on the results of the study conducted under paragraph (1).</text></paragraph></subsection><subsection id="H28002A8D347E4B948B498D28BDBA8222"><enum>(g)</enum><header>Preservation of state powers</header><text>Except as provided in subsections (a)(2) and (c), no provision of this section may be construed as altering, limiting, or affecting the authority of a State attorney general, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce laws applicable to covered entities or service providers to—</text><paragraph id="H90E955F1A5FA4B14BD36A50C9645CF90"><enum>(1)</enum><text>bring an action or other regulatory proceeding arising solely under the laws in effect in such State; or</text></paragraph><paragraph id="H9A3853BEDBFD4773B50592B29BA0CA76" commented="no"><enum>(2)</enum><text>exercise the powers conferred on the attorney general, chief consumer protection officer, or officer or office by the laws of such State, including the ability to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.</text></paragraph></subsection><subsection id="HDAF2189D2C9B4CD38C088D8FD93FF2BA"><enum>(h)</enum><header>Calculation</header><text>Any amount that a court orders an entity to pay to a person under this section shall be offset by any amount the person received from an action brought against the entity for the same violation under section 115 or 117.</text></subsection></section><section id="H1B66737E32494798AC0D4F33A29C4EA4"><enum>117.</enum><header>Enforcement by persons</header><subsection id="HAD56B1DE9D804E49806A28F081D862A5"><enum>(a)</enum><header>Civil action</header><paragraph 
id="H070F5BE7AD0448BE8E93334F28E47FB2"><enum>(1)</enum><header>In general</header><text>Subject to subsections (b) and (c), a person may bring a civil action against a covered entity or service provider for a violation of subsection (b) or (c) of section 102, subsection (a) or (e) of section 104, section 105, subsection (a) or (b)(2) of section 106, section 107, section 108, section 109 to the extent such action alleges a data breach arising from a violation of subsection (a) of such section, subsection (d) of section 111, or subsection (c)(4) of section 112, or a regulation promulgated thereunder, in an appropriate Federal district court of the United States.</text></paragraph><paragraph id="HC799E4FE66E346D9855BF3DB2F8732D8"><enum>(2)</enum><header>Relief</header><subparagraph id="H00AA0909D1F04D51B827EC65CD92822C"><enum>(A)</enum><header>In general</header><text>In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—</text><clause id="HD2B117693A714F6E99C31325C84403FA"><enum>(i)</enum><text>an amount equal to the sum of any actual damages;</text></clause><clause id="HB22457A72CC2423F9C9AD08E4AAB7FDF"><enum>(ii)</enum><text>injunctive relief, including an order that an entity retrieve any covered data transferred in violation of this title;</text></clause><clause id="HC98CBFAA7EC747A6BEF672D82DB0F80B"><enum>(iii)</enum><text>declaratory relief; and</text></clause><clause id="HF0BB099DD57B4E79975B164C4322F236"><enum>(iv)</enum><text>reasonable attorney fees and litigation costs.</text></clause></subparagraph><subparagraph id="H2DB211A5312B40528719CF91EBCD2033"><enum>(B)</enum><header>Biometric and genetic information</header><text display-inline="yes-display-inline">In a civil action brought under paragraph (1) for a violation of this title with respect to section 102(c), in which the plaintiff prevails, if the conduct underlying the violation occurred primarily and substantially in Illinois, the court may 
award the plaintiff—</text><clause id="HB0055DA8A62D43A690418AF0085B5B7C"><enum>(i)</enum><text>for a violation involving biometric information, the same relief as set forth in section 20 of the Biometric Information Privacy Act (740 ILCS 14/20), as such statute reads on December 31, 2024; or</text></clause><clause id="HCAFD35437438443594D059F36447ECB1"><enum>(ii)</enum><text display-inline="yes-display-inline">for a violation involving genetic information, the same relief as set forth in section 40 of the Genetic Information Privacy Act (410 ILCS 513/40), as such statute reads on December 31, 2024.</text></clause></subparagraph><subparagraph id="HB78E67AD876C4504BADB0FCF1A775288"><enum>(C)</enum><header>Data security</header><clause id="H2A64A43B89CE4AAAAF7DD941F682B996"><enum>(i)</enum><header>In general</header><text>In a civil action brought under paragraph (1) for a violation of this title alleging unauthorized access of covered information as a result of a violation of section 109(a), in which the plaintiff prevails, the court may award a plaintiff who is a resident of California the same relief as set forth in section 1798.150 of the California Civil Code, as such statute read on January 1, 2024.</text></clause><clause id="HCF4C81F659604FA4A9E778C60455AD6A"><enum>(ii)</enum><header>Covered information defined</header><text>For purposes of this subparagraph, the term <quote>covered information</quote> means the following:</text><subclause id="H147F3BA54F614CDE802E74197D0710F7"><enum>(I)</enum><text>A username, email address, or telephone number of an individual in combination with a password or security question or answer that would permit access to an account held by the individual that contains or provides access to sensitive covered data.</text></subclause><subclause id="H4FE9329AD45E46ABA2EAF68CF8443454"><enum>(II)</enum><text>The first name or first initial of an individual and the last name of the individual in combination with 1 or more of the 
following categories of sensitive covered data, if either the name or the sensitive covered data are not encrypted or redacted:</text><item id="HC69DD12C10514939AAF2746C8FE89953"><enum>(aa)</enum><text>A government-issued identifier described in section 101(49)(A)(i).</text></item><item id="H3E4884CB19384695AD897E81E62C738F"><enum>(bb)</enum><text>A financial account number described in section 101(49)(A)(iv).</text></item><item id="H2A800D0185844970A208BC1DBF8CBF8C"><enum>(cc)</enum><text>Health information, but only to the extent such information reveals the history of medical treatment or diagnosis by a health care professional of the individual.</text></item><item id="HD073BC0908044253AFD743C0B5174F27"><enum>(dd)</enum><text>Biometric information.</text></item><item id="HDFA0BE35DF2F4EA2BC319A6F43F7B4AA"><enum>(ee)</enum><text>Genetic information.</text></item></subclause></clause></subparagraph><subparagraph id="HD7A1195FCB96463E9EDABFCAB15F3A4D"><enum>(D)</enum><header>Limitations on dual actions</header><text>Any amount that a court orders an entity to pay to a person under subparagraph (A)(i), (B), or (C) shall be offset by any amount the person received from an action brought against the entity for the same violation under section 115 or 116.</text></subparagraph></paragraph></subsection><subsection id="H5F80B2B67EAC4A17881921E67C1D3F59"><enum>(b)</enum><header>Opportunity to cure in actions for injunctive relief</header><paragraph id="H380508C40A9347D6978DAECA10BA2423"><enum>(1)</enum><header>Notice</header><text>Subject to paragraph (3), an action for injunctive relief may be brought by a person under this section only if, prior to initiating such action against an entity, the person provides to the entity written notice identifying the specific provisions of this title the person alleges have been or are being violated.</text></paragraph><paragraph id="H0EA85FF1F8E04929988D569A14C24B21"><enum>(2)</enum><header>Effect of cure</header><text>In the event a 
cure is possible with respect to a violation alleged in a notice described in paragraph (1) and, not later than 60 days after the date of receipt of such notice, the entity cures such violation and provides the person an express written statement that the violation has been cured and that no further such violations shall occur, an action for injunctive relief may not be permitted with respect to the noticed violation.</text></paragraph><paragraph id="H1DD919ADCEC84F56B633CF146F30DBE7"><enum>(3)</enum><header>Injunctive relief for a substantial privacy harm</header><text>Notice is not required under paragraph (1) prior to bringing an action for injunctive relief for a violation that resulted in a substantial privacy harm.</text></paragraph></subsection><subsection id="HEB087C768C74460A8368E563B1F5F589"><enum>(c)</enum><header>Notice of actions seeking actual damages</header><paragraph id="H8B50FEFF213C4021A59C36F4618390E8"><enum>(1)</enum><header>Notice</header><text>Subject to paragraph (4), an action under this section for actual damages may be brought by a person only if, 60 days prior to initiating such action against an entity, the person provides the entity written notice identifying the specific provisions of this title the person alleges have been or are being violated.</text></paragraph><paragraph id="HDFAF0435E594483091E015613E12E8DA"><enum>(2)</enum><header>Settlement</header><text>An entity that receives a written notice from a person under paragraph (1) may settle with the person who sent the written notice.</text></paragraph><paragraph id="HE3688C466FB64EC58EEB37180787A62C"><enum>(3)</enum><header>Effect of settlement</header><text>In the event of a settlement under paragraph (2), the terms of such settlement shall govern any future action under this section for actual damages between the parties to the settlement that relates to the underlying facts that resulted in the settlement.</text></paragraph><paragraph 
id="H714734A687F84365BC55720ACC1CC49F"><enum>(4)</enum><header>No notice required for a substantial privacy harm</header><text>Notice is not required under paragraph (1) prior to bringing an action for actual damages for a violation of this title that resulted in a substantial privacy harm, if such action includes a claim for a preliminary injunction or temporary restraining order.</text></paragraph></subsection><subsection id="HD3B58E9912D941C2B6D68FC606ECAA9D"><enum>(d)</enum><header>Pre-Dispute arbitration agreements</header><paragraph id="H5E6C5660ED864EDCBB4F0787DC4FF169"><enum>(1)</enum><header>In general</header><text>Notwithstanding any other provision of law, at the election of the person alleging a violation of this title, no pre-dispute arbitration agreement shall be valid or enforceable with respect to—</text><subparagraph id="H408C9124C07E4A76A54D2EF71DFFCD7D"><enum>(A)</enum><text>a claim alleging a violation involving an individual under the age of 18; or</text></subparagraph><subparagraph id="H809766581B264CB1A86D19D056B04CDD"><enum>(B)</enum><text>a claim alleging a violation that resulted in a substantial privacy harm.</text></subparagraph></paragraph><paragraph id="H1CDA20F18EC041E6AFB8F285E2416DC2"><enum>(2)</enum><header>Determination of applicability</header><text>Any issue as to whether this subsection applies to a dispute shall be determined under Federal law. 
The applicability of this subsection to an agreement to arbitrate and the validity and enforceability of an agreement to which this subsection applies shall be determined by a Federal court, rather than an arbitrator, irrespective of whether the party resisting arbitration challenges the arbitration agreement specifically or in conjunction with other terms of the contract containing the agreement, and irrespective of whether the agreement purports to delegate the determination to an arbitrator.</text></paragraph><paragraph id="H86B6F3EAD4D3476C8895806C1162EBC3"><enum>(3)</enum><header>Pre-dispute arbitration agreement defined</header><text>For purposes of this subsection, the term <quote>pre-dispute arbitration agreement</quote> means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement.</text></paragraph></subsection><subsection id="H1288C04DA80446DF9CCEE36562656D62"><enum>(e)</enum><header>Combined notices</header><text>A person may combine the notices required by subsections (b)(1) and (c)(1) into a single notice, if the single notice complies with the requirements of each such subsection.</text></subsection><subsection id="H5D3C8BF4F1994ACC8C47309A70CDFA13"><enum>(f)</enum><header>Bad faith</header><text>If a person represented by counsel brings a civil action under this section against a covered entity or service provider requesting actual damages from the covered entity or service provider, and fails to provide notice to the covered entity or service provider in accordance with this section, the action may be dismissed without prejudice and may not be reinstated until the person has complied with the notice requirements of this section.</text></subsection></section><section id="H79E7428FDC174676B7525B367E283110"><enum>118.</enum><header>Relation to other laws</header><subsection id="H348E005A2B914E1D92F393BEA085B186"><enum>(a)</enum><header>Preemption of state laws</header><paragraph 
id="H068C9A3FD1C74014BD4E481368063F9C"><enum>(1)</enum><header>Congressional intent</header><text>The purposes of this section are to—</text><subparagraph id="HE49B0516900D4C368E7FD616186C4782"><enum>(A)</enum><text>establish a uniform national privacy and data security standard in the United States to prevent administrative costs and burdens from being placed on interstate commerce; and</text></subparagraph><subparagraph id="H3FA376514E6B432F9083E2503FFDD2C0"><enum>(B)</enum><text>expressly preempt the laws of a State or political subdivision of a State as provided in this subsection.</text></subparagraph></paragraph><paragraph id="HEC4E3B287557414283252A10723AD0A1"><enum>(2)</enum><header>Preemption</header><text>Except as provided in paragraphs (3) and (4), no State or political subdivision of a State may adopt, maintain, enforce, impose, or continue in effect any law, regulation, rule, requirement, prohibition, standard, or other provision covered by the provisions of this title or a rule, regulation, or requirement promulgated under this title.</text></paragraph><paragraph id="H9EAF90E98D164BE3B75BF34CB30B91A2"><enum>(3)</enum><header>State law preservation</header><text>Paragraph (2) may not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:</text><subparagraph id="HFBB6B360AA3647F29D8243E9E75A0986"><enum>(A)</enum><text>Consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices.</text></subparagraph><subparagraph id="H837B7704F2E64231B8BBEEF1E7148665"><enum>(B)</enum><text>Civil rights laws.</text></subparagraph><subparagraph id="H023DA8EF5BD941F49C474662C687AA1B"><enum>(C)</enum><text>Provisions of laws that address the privacy rights or other protections of employees or employee information.</text></subparagraph><subparagraph id="H89B5ADE3F7554D3F85BE243AF94CAAF7"><enum>(D)</enum><text>Provisions of laws that address the privacy rights 
or other protections of students or student information.</text></subparagraph><subparagraph id="H7260B5F89A2F436B854A08400FD8A23E"><enum>(E)</enum><text>Provisions of laws, insofar as such provisions address notification requirements in the event of a data breach.</text></subparagraph><subparagraph id="HB77B0C7816E84BD494E1E49CE46F6A5C"><enum>(F)</enum><text>Contract or tort law.</text></subparagraph><subparagraph id="H9A1417B4BA5249B292F9B28CB2330E02"><enum>(G)</enum><text>Criminal laws.</text></subparagraph><subparagraph id="H91F017DA87C14037903003C8B666FBEE"><enum>(H)</enum><text>Civil laws regarding—</text><clause id="H66C0F92653E5485593131F49C0646C41"><enum>(i)</enum><text>blackmail;</text></clause><clause id="H445297958F66410B971A9EDCAB24E90A"><enum>(ii)</enum><text>stalking (including cyberstalking);</text></clause><clause id="HBB521AA8FE1E48C5893D6E5B149F5305"><enum>(iii)</enum><text>cyberbullying;</text></clause><clause id="HB6EC7984008B45F5A98B1042C66A3861"><enum>(iv)</enum><text>intimate images (whether authentic or computer-generated) known to be nonconsensual;</text></clause><clause id="H2A7EA7B317CA429B82D0FA29D19958F4"><enum>(v)</enum><text>child abuse;</text></clause><clause id="H4BB6DAC47AF043EBB6EE9A4FA8D1E826"><enum>(vi)</enum><text>child sexual abuse material;</text></clause><clause id="H8B16EA90F5594054A3654F64AA7F613C"><enum>(vii)</enum><text>child abduction or attempted child abduction;</text></clause><clause id="HF5334C2D271C4E3C91056452AE26DCB4"><enum>(viii)</enum><text>child trafficking; or</text></clause><clause id="HC78077EB70474423915078D7D0EF336F"><enum>(ix)</enum><text>sexual harassment.</text></clause></subparagraph><subparagraph id="HE47CB9E475134A29A251FE1EB04C3847"><enum>(I)</enum><text>Public safety or sector-specific laws unrelated to privacy or data security, but only to the extent such laws do not directly conflict with the provisions of this title.</text></subparagraph><subparagraph 
id="HCF27B06A497143FCB5053FB6FC1B3A5E"><enum>(J)</enum><text>Provisions of laws that address public records, criminal justice information systems, arrest records, mug shots, conviction records, or non-conviction records.</text></subparagraph><subparagraph id="H9DD1CF65135E4D1990B17ADF40A0E516"><enum>(K)</enum><text>Provisions of laws that address banking records, financial records, tax records, Social Security numbers, credit cards, identity theft, credit reporting and investigations, credit repair, credit clinics, or check-cashing services.</text></subparagraph><subparagraph id="HB0DFAC23435E4A4981A27AA31052472E"><enum>(L)</enum><text>Provisions of laws that address electronic surveillance, wiretapping, or telephone monitoring.</text></subparagraph><subparagraph id="H16396BB726584C6C98E9DA6A892885BD"><enum>(M)</enum><text>Provisions of laws that address unsolicited email messages, telephone solicitation, or caller identification.</text></subparagraph><subparagraph id="H9979873CEF5E48EF90886C34103119B6"><enum>(N)</enum><text>Provisions of laws that protect the privacy of health information, healthcare information, medical information, medical records, HIV status, or HIV testing.</text></subparagraph><subparagraph id="H7ECCED19346B4756840C55819C8B1FF1"><enum>(O)</enum><text>Provisions of laws that address the confidentiality of library records.</text></subparagraph><subparagraph id="HB6D8749AB4CF4FDD8FC8DDB1B49436BD"><enum>(P)</enum><text>Provisions of laws that address the use of encryption as a means of providing data security.</text></subparagraph></paragraph><paragraph id="H7B891BE871B04ED1941BD3AB37CE51CB"><enum>(4)</enum><header>Additional preemption limitations</header><text>Notwithstanding paragraph (2), the provisions of this title shall preempt any State law, rule, or regulation that provides protections for children or teens only to the extent that such State law, rule, or regulation conflicts with a provision of this title. 
Nothing in this title shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens than the provisions of this title.</text></paragraph></subsection><subsection id="H1B15E792705844F488D2E2084CB1331E"><enum>(b)</enum><header>Federal law preservation</header><paragraph id="H24842897123143D58B2E77CCBE4FA4E1"><enum>(1)</enum><header>In general</header><text>Nothing in this title or a regulation promulgated under this title may be construed to limit—</text><subparagraph id="HB35FEF2FC836433EAE541C6EDB1B3ACC"><enum>(A)</enum><text>the authority of the Commission, or any other Executive agency, under any other provision of law;</text></subparagraph><subparagraph id="HE03730D4ECC84A7E99030CBCACB95266"><enum>(B)</enum><text>any requirement for a common carrier subject to section 64.2011 of title 47, Code of Federal Regulations (or any successor regulation), regarding information security breaches; or</text></subparagraph><subparagraph id="H2E86EB01F33140D9AA3E102DD7B60BFA"><enum>(C)</enum><text>any other provision of Federal law, except as otherwise provided in this title.</text></subparagraph></paragraph><paragraph id="H8EB3141CC11446099AC8DA293AF1E280"><enum>(2)</enum><header>Antitrust savings clause</header><subparagraph id="H5F211CC7D95040E4B2E7C624F964C0DF"><enum>(A)</enum><header>Antitrust laws defined</header><text>For purposes of this paragraph, the term <quote>antitrust laws</quote>—</text><clause id="HE321E9CCC551472A9855F2A29DB76C1C"><enum>(i)</enum><text>has the meaning given such term in subsection (a) of the first section of the Clayton Act (<external-xref legal-doc="usc" parsable-cite="usc/15/12">15 U.S.C. 12(a)</external-xref>); and</text></clause><clause id="H27544164618447E68FD772A6D6C26740"><enum>(ii)</enum><text>includes section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45</external-xref>), to the extent such section applies to unfair methods of competition.</text></clause></subparagraph><subparagraph id="H6CB2A3C5A3B14CB5B4E5DC7D50112642"><enum>(B)</enum><header>Full application of the antitrust laws</header><text>Nothing in this title or a regulation promulgated under this title may be construed to modify, impair, supersede the operation of, or preclude the application of the antitrust laws.</text></subparagraph></paragraph><paragraph id="H9E5F1FA0EE0D47B9AF9B7D013CF2309E"><enum>(3)</enum><header>Application of other Federal privacy and data security requirements</header><subparagraph id="HA70AA7F66ECF4EAF89F6B2DBFE311662"><enum>(A)</enum><header>In general</header><text>To the extent that a covered entity or service provider is required to comply with any Federal law or regulation described in subparagraph (B), such covered entity or service provider is not subject to this title with respect to the activities governed by the requirements of such law or regulation.</text></subparagraph><subparagraph id="H5C54FEAB26D247258FF365876C14EDAC"><enum>(B)</enum><header>Laws and regulations described</header><text>The Federal laws and regulations described in this subparagraph are the following:</text><clause id="HBC71AEA9BB264180BC89E41C54BDA916"><enum>(i)</enum><text>Title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>).</text></clause><clause id="H3CB1021B559C4C48911C48158B12769B"><enum>(ii)</enum><text>Part C of title XI of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d et seq.</external-xref>).</text></clause><clause id="H9CE8BDBCDEED40E38A734E2EC659FBBF"><enum>(iii)</enum><text>Subtitle D of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17921">42 U.S.C. 
17921 et seq.</external-xref>).</text></clause><clause id="H085732DE4DB144C8AE997EFBBFEA27C9"><enum>(iv)</enum><text>The regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note).</text></clause><clause id="H8A77DD32EFE745B685FC404807CDBD6F"><enum>(v)</enum><text>The requirements regarding the confidentiality of substance use disorder information under section 543 of the Public Health Service Act (<external-xref legal-doc="usc" parsable-cite="usc/42/290dd-2">42 U.S.C. 290dd–2</external-xref>) or any regulation promulgated under such section.</text></clause><clause id="HCDDE79922C2A41408172314D11EC03AD"><enum>(vi)</enum><text>The Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681 et seq.</external-xref>).</text></clause><clause id="H61B0EBECAFD940EE844F0FDD6402B7DD"><enum>(vii)</enum><text>Section 444 of the General Education Provisions Act (commonly known as the <quote>Family Educational Rights and Privacy Act of 1974</quote>) (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>) and part 99 of title 34, Code of Federal Regulations (or any successor regulation), to the extent a covered entity or service provider is an educational agency or institution (as defined in such section or section 99.3 of title 34, Code of Federal Regulations (or any successor regulation)).</text></clause><clause id="H0C33826A077347F58D100D1EEFFAF897"><enum>(viii)</enum><text>The regulations related to the protection of human subjects under part 46 of title 45, Code of Federal Regulations.</text></clause><clause id="H91EC2DA838594B78B36E4828D1CD723E"><enum>(x)</enum><text>The Health Care Quality Improvement Act of 1986 (<external-xref legal-doc="usc" parsable-cite="usc/42/11101">42 U.S.C. 
11101 et seq.</external-xref>).</text></clause><clause id="H9B1161B304EB40CA86A76663A7122176"><enum>(xi)</enum><text>Part C of title IX of the Public Health Service Act (<external-xref legal-doc="usc" parsable-cite="usc/42/299b-21">42 U.S.C. 299b–21 et seq.</external-xref>).</text></clause><clause id="H4F5A80DBF33044178B957AF403405E47"><enum>(xii)</enum><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/123">Chapter 123</external-xref> of title 18, United States Code.</text></clause></subparagraph><subparagraph id="H16970FFA6421400A8B97C672EC062043"><enum>(C)</enum><header>Implementation guidance</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance with respect to the implementation of this paragraph.</text></subparagraph></paragraph></subsection><subsection id="H2AE26694569C4B59BAC60182F146A151"><enum>(c)</enum><header>Preservation of common law or statutory causes of action for civil relief</header><text>Nothing in this title, nor any amendment, standard, rule, requirement, assessment, or regulation promulgated under this title, may be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any State statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of an individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law, except that the fact of a violation of this title or a regulation promulgated under this title may not be pleaded as an element of any violation of such law.</text></subsection><subsection id="HF9936BAAEBAC4822943077985B4BA6B4" 
commented="no"><enum>(d)</enum><header>Nonapplication of certain provisions of Communications Act of 1934 and Telecommunications Act of 1996 related to FCC privacy and data security laws and regulations</header><paragraph id="HD78F8583CC0049E48BA34BE2A2A2F534" commented="no"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Except as provided in paragraph (2), sections 201, 202, 222, 338(i), and 631 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/201">47 U.S.C. 201</external-xref>; 202; 222; 338(i); 551) and section 706 of the Telecommunications Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/47/1302">47 U.S.C. 1302</external-xref>), and any regulation or order issued by the Federal Communications Commission under any such section, do not apply to any covered entity or service provider with respect to the collection, processing, retention, transfer, or security of covered data (or the equivalent of such data), to the extent that such sections or any regulation or order issued under such sections would otherwise cover the collection, processing, retention, transfer, or security of covered data (or the equivalent of such data) in order to protect consumer privacy or the security of such data, and a covered entity or service provider shall instead be covered by the requirements of this title with respect to the collection, processing, retention, transfer, and security of covered data.</text></paragraph><paragraph id="HB8458C13508F4E0793264CEDBC974DAE"><enum>(2)</enum><header>Exceptions</header><text>Paragraph (1) does not supersede any authority of the Federal Communications Commission with respect to the following:</text><subparagraph id="H7D177A9A60664D8BAF59E2A57DF967A7"><enum>(A)</enum><text display-inline="yes-display-inline">Emergency services (as defined in section 7 of the Wireless Communications and Public Safety Act of 1999 (<external-xref legal-doc="usc" 
parsable-cite="usc/47/615b">47 U.S.C. 615b</external-xref>)).</text></subparagraph><subparagraph id="H0627B7CA77BC4DEEAED8168C1A298A1D"><enum>(B)</enum><text>Proceedings to implement section 227 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/227">47 U.S.C. 227</external-xref>) or the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (<external-xref legal-doc="public-law" parsable-cite="pl/116/105">Public Law 116–105</external-xref>; 133 Stat. 3274), or any other authority used by the Federal Communications Commission to prevent or reduce unwanted telephone calls or text messages.</text></subparagraph><subparagraph id="HDECDF8E8B4D6491D9E0737B34287976A"><enum>(C)</enum><text>An enforcement action alleging or finding a violation of a section of the Communications Act of 1934 specified in paragraph (1), if such action was adopted by the Federal Communications Commission prior to the date of the enactment of this Act.</text></subparagraph><subparagraph id="HED771608D3C34F3CB05EC5B6BB08D24A"><enum>(D)</enum><text>Subsection (a) of section 222 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222</external-xref>), to the extent such subsection imposes a duty on every telecommunications carrier to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers and equipment manufacturers.</text></subparagraph><subparagraph id="H876BBBA2D7A843928C2F7EF01F34BCC2"><enum>(E)</enum><text>Subsections (b), (d), and (g) of section 222 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 
222</external-xref>).</text></subparagraph><subparagraph id="H640A8B86B99944619CC7B03AB3AF3EE7"><enum>(F)</enum><text>Any obligation of an international treaty related to the exchange of traffic implemented and enforced by the Federal Communications Commission.</text></subparagraph></paragraph></subsection></section><section id="H4B686BB63CE24BD689FB8A1F0EEB1E93"><enum>119.</enum><header>Children’s Online Privacy Protection Act of 1998</header><text display-inline="no-display-inline">Nothing in this title may be construed to relieve or change any obligation that a covered entity or other person may have under the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>).</text></section><section id="H544D150523D44CCEA837F39E4C822FD2"><enum>120.</enum><header>Data protections for covered minors</header><subsection id="HF70F7B6E941145E0B3776DAF2FA2A35F"><enum>(a)</enum><header>Prohibition on targeted and first-Party advertising to covered minors</header><text>A covered entity or service provider acting on behalf of a covered entity may not engage in targeted advertising or first-party advertising to an individual if the covered entity has knowledge that the individual is a covered minor, except that a covered entity or service provider may present or display to a covered minor age-appropriate advertisements intended for an audience of covered minors, if the covered entity or service provider does not use any covered data in relation to such advertisements, other than data relating to the status of the individual as a covered minor.</text></subsection><subsection id="HEA0ADE9084374A9E86B8672F0A2B9965"><enum>(b)</enum><header>Data transfer requirements related to covered minors</header><paragraph id="H195EB96AD2154BA98BF4A3785294211F"><enum>(1)</enum><header>In general</header><text>Except as provided in paragraph (2), and notwithstanding section 102(b), a covered entity or a 
service provider acting on behalf of a covered entity may not transfer or direct a service provider to transfer the covered data of an individual to a third party if the covered entity—</text><subparagraph id="HB8B1179F55CD4B80A26B9B66F80CDAFE"><enum>(A)</enum><text>has knowledge that the individual is a covered minor; and</text></subparagraph><subparagraph id="HEA7071591D054E62B7F776ADBAF5186B"><enum>(B)</enum><text>has not obtained affirmative express consent, unless the transfer is necessary, proportionate, and limited to a purpose expressly permitted by paragraph (2), (3), (4), (8), (9), (11), (12), or (13) of section 102(d).</text></subparagraph></paragraph><paragraph id="H0888113A438245CB8943C3D5BF72CC8A"><enum>(2)</enum><header>Exception</header><text>A covered entity or service provider may collect, process, retain, or transfer covered data of an individual that the covered entity or service provider knows is a covered minor in order to submit information relating to child victimization to law enforcement or to the nonprofit, national resource center and clearinghouse congressionally designated to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.</text></paragraph></subsection><subsection id="H28A7DA4C2872483DB82F0792F4B282B8" commented="no"><enum>(c)</enum><header>Rulemaking</header><text>The Commission may conduct a rulemaking pursuant to section 553 of title 5, United States Code, to establish processes for parents and teens to exercise the rights provided in this title with respect to covered entities and data brokers. 
Any such rulemaking shall take into account—</text><paragraph id="HF5E6FAEE412E4A6591F3FF11A13445AE"><enum>(1)</enum><text>the specific needs of parents, children, and teens;</text></paragraph><paragraph id="HD4605D33DB7B4EA9822D8F12CA76029B"><enum>(2)</enum><text>how best to harmonize the processes provided for under this title with the processes and guidance provided for under the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>), as amended by title II of this Act, and any regulations promulgated by the Commission thereunder; and</text></paragraph><paragraph id="H3001AD4462E842639C97CD21E100894E"><enum>(3)</enum><text>options for reducing undue burdens on parents, children, teens, covered entities, and data brokers.</text></paragraph></subsection></section><section id="H83CA47A82394450487C4D66B02268496"><enum>121.</enum><header>Termination of FTC rulemaking on commercial surveillance and data security</header><text display-inline="no-display-inline">Beginning on the date of the enactment of this Act, the rulemaking proposed in the advance notice of proposed rulemaking titled <quote>Trade Regulation Rule on Commercial Surveillance and Data Security</quote> and published on August 22, 2022 (87 Fed. Reg. 
51273) shall be terminated.</text></section><section id="H78B174699D3D406FA46E0F20FE44297A"><enum>122.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this title, or the application thereof to any person or circumstance, is held invalid, the remainder of this title, and the application of such provision to other persons not similarly situated or to other circumstances, may not be affected by the invalidation.</text></section><section id="HB36FB98BF1CB4DF18EA248CFB1DF3E58"><enum>123.</enum><header>Innovation rulemakings</header><text display-inline="no-display-inline">The Commission may conduct a rulemaking pursuant to section 553 of title 5, United States Code—</text><paragraph id="HFF7B2EAB5C0B42248769BB46BDCAFA43"><enum>(1)</enum><text>to include other covered data in the definition of the term <quote>sensitive covered data</quote>, except that the Commission may not expand the category of information described in section 101(49)(A)(ii); and</text></paragraph><paragraph id="HC6CDAF011FF84F37BDFE22BB54F84251"><enum>(2)</enum><text>to include in the list of permitted purposes in section 102(d) other permitted purposes for collecting, processing, retaining, or transferring covered data.</text></paragraph></section><section id="H5BD2DEB8019F4EB3AD5E7CECB18F86FB"><enum>124.</enum><header>Effective date</header><text display-inline="no-display-inline">Unless otherwise specified in this title, this title shall take effect on the date that is 180 days after the date of the enactment of this Act.</text></section></title><title id="H3B29244B510A4010878B30DCDE974D8F"><enum>II</enum><header>Children’s Online Privacy Protection Act 2.0</header><section id="H05FDEA64D1E1450D9B0455340BE2556A"><enum>201.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Children’s Online Privacy Protection Act 2.0</short-title></quote>.</text></section><section 
id="HC62E2127B6684378BCFC2B95D08DA542"><enum>202.</enum><header>Online collection, use, disclosure, and deletion of personal information of children</header><subsection id="H10B43CD88F0242A29A0BA3F3CB4F0EBB"><enum>(a)</enum><header>Definitions</header><text>Section 1302 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501</external-xref>) is amended—</text><paragraph id="H62B22586F0C94574A2BBA4E03A8A08D9"><enum>(1)</enum><text>by amending paragraph (2) to read as follows:</text><quoted-block id="HF4276EF386CB46D6B66ABDB1D9860B85" style="OLC"><paragraph id="H1FB0E28A7474483C87A8BB249ACDA82F"><enum>(2)</enum><header>Operator</header><text>The term <quote>operator</quote>—</text><subparagraph id="H4E18AE34146E4FCB8FF31BF9248D522F"><enum>(A)</enum><text>means any person—</text><clause id="H9FE4390846AF462FA1EE980CEF571D0C"><enum>(i)</enum><text>who, for commercial purposes, in interstate or foreign commerce, operates or provides a website on the internet, an online service, an online application, or a mobile application; and</text></clause><clause id="HD03886F989764FA9B653874F818F9771"><enum>(ii)</enum><text>who—</text><subclause id="H140F2A8218B54372B49DA89AA489B9B1"><enum>(I)</enum><text>collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, or application;</text></subclause><subclause id="HCBF3764523954B14AD0CAE876EDD4D5E"><enum>(II)</enum><text>allows another person to collect personal information directly from users of that website, service, or application (in which case, the operator is deemed to have collected the information); or</text></subclause><subclause id="H715C7F259FFB47338D268897AFF964E4"><enum>(III)</enum><text>allows users of that website, service, or application to publicly disclose personal information (in which case, the operator is deemed to have collected the information); 
and</text></subclause></clause></subparagraph><subparagraph id="H8A274806D50645DDAD4CE53EF0B6CAC0"><enum>(B)</enum><text>does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45</external-xref>).</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="H35886693E801439BBEF64CD27FD504D4"><enum>(2)</enum><text>in paragraph (4)—</text><subparagraph id="H44C69E6816F34986A7171E17D3355EB8"><enum>(A)</enum><text>by amending subparagraph (A) to read as follows:</text><quoted-block id="H4EB13193781E49A68B6BD335D2E948B3" style="OLC"><subparagraph id="HD6487264BCA14DA3B707547A9DDE0A18"><enum>(A)</enum><text>the release of personal information collected from a child by an operator for any purpose, except where the personal information is provided to a person other than an operator who—</text><clause id="H201CF11247E848ADA168B420A8C708BA" commented="no"><enum>(i)</enum><text>provides support for the internal operations of a website, online service, online application, or mobile application (as defined in paragraph (8)(C)) of the operator, excluding any activity relating to targeted advertising or first-party advertising (as such terms are defined in section 101 of the American Privacy Rights Act of 2024) to children; and</text></clause><clause id="H45EAC0E06143462695B64A5B049B8D30"><enum>(ii)</enum><text>does not disclose or use that personal information for any other purpose; and</text></clause></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph><subparagraph id="H36667F6C6082497DA0C98EBFA4DBBE68"><enum>(B)</enum><text>in subparagraph (B)—</text><clause id="H96CCFEC346B642A59B6E1FE1CF445013"><enum>(i)</enum><text>by striking <quote>website or online service</quote> and inserting <quote>website, online service, online application, or 
mobile application</quote>; and</text></clause><clause id="HB98DBB811E9A4657A7CBB91EAC4D83A8"><enum>(ii)</enum><text>by striking <quote>actual knowledge</quote> and inserting <quote>actual knowledge or knowledge fairly implied on the basis of objective circumstances</quote>;</text></clause></subparagraph></paragraph><paragraph id="HBDF164CCF79F4CE6BB6CE7DB206594EF"><enum>(3)</enum><text>by striking paragraph (8) and inserting the following:</text><quoted-block id="HECF30928D3EB473BB647C0D243555ACA" style="OLC"><paragraph id="H2807007956D54C76952EAD164EAD71E6"><enum>(8)</enum><header>Personal information</header><subparagraph id="HEEECE761509B43FBB5849B858D979973"><enum>(A)</enum><header>In general</header><text>The term <quote>personal information</quote> means individually identifiable information about an individual collected online, including—</text><clause id="HD514C91B1B5341EFB465AB4C82D84BB8"><enum>(i)</enum><text>a first and last name;</text></clause><clause id="H1045C02756D8425CBA762276F72F6D37"><enum>(ii)</enum><text>a home or other physical address including street name and name of a city or town;</text></clause><clause id="H5270C06DF2A8419CA7A917AC8BE86984"><enum>(iii)</enum><text>an e-mail address;</text></clause><clause id="H6290BB071DBD498AB1A232760C735DA0"><enum>(iv)</enum><text>a telephone number;</text></clause><clause id="H4B81BF01A2F34B738D80C0EDA258F31C"><enum>(v)</enum><text>a Social Security number;</text></clause><clause id="H421EB26F9868435F9D9E8EDEAA2B7606"><enum>(vi)</enum><text>any other identifier that the Commission determines permits the physical or online contacting of a specific individual;</text></clause><clause id="HA355BC53D9854730B74C5FD80228F3B5"><enum>(vii)</enum><text>a persistent identifier that can be used to recognize a specific child over time and across different websites, online services, online applications, or mobile applications, including a customer number held in a cookie, an Internet Protocol (IP) address, a 
processor or device serial number, or a unique device identifier, but excluding an identifier that is used by an operator solely for providing support for the internal operations of a website, online service, online application, or mobile application;</text></clause><clause id="HEF799B01B42846A8B096AF30EF897D5F"><enum>(viii)</enum><text>a photograph, video, or audio file, if such file contains the image or voice of a specific child;</text></clause><clause id="HB469E20E81594D4EA8E2C79E52398630"><enum>(ix)</enum><text>geolocation information;</text></clause><clause id="H43CB697C832C40588DC87BCC71CD2AAC"><enum>(x)</enum><text>information generated from the measurement or technological processing of the biological, physical, or physiological characteristics of an individual that is used to identify an individual, including—</text><subclause id="HF2F3E7C6FEE24CB592A96D7A037F9EAD"><enum>(I)</enum><text>fingerprints;</text></subclause><subclause id="HDD3DB70E05A24303B7D44DA81B29162E"><enum>(II)</enum><text>voice prints;</text></subclause><subclause id="H704E135F93DB47DCA03F514FECD4DEAD"><enum>(III)</enum><text>iris or retina imagery scans;</text></subclause><subclause id="HD8BC56B8BA4749A4AC10A28B6668A58B"><enum>(IV)</enum><text>facial templates;</text></subclause><subclause id="H0E3349ADE299437B84EC423D0CADC4D3"><enum>(V)</enum><text>deoxyribonucleic acid (DNA) information; or</text></subclause><subclause id="HB83B81CD3A9740D48087A0906B9AC578"><enum>(VI)</enum><text>gait; or</text></subclause></clause><clause id="HD7D07EE16C8E41E2B438C67F7C462AA5"><enum>(xi)</enum><text>information linked or reasonably linkable to a child or the parents of that child (including any unique identifier) that an operator collects online from the child and combines with an identifier described in this subparagraph.</text></clause></subparagraph><subparagraph id="H6FCDAD451D8340C2922F47A9E9A86B49"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>personal information</quote> does 
not include an audio file that contains the voice of a child, if the operator—</text><clause id="H19B5CD11A93646F5848C26F24ACF698E"><enum>(i)</enum><text>does not request information via voice that would otherwise be considered personal information under this paragraph;</text></clause><clause id="H2C9D7E78AD0A4241A610A1658460E814"><enum>(ii)</enum><text>provides, in the privacy policy of the operator, clear notice of the collection and use of the audio file by the operator and the deletion policy of the operator;</text></clause><clause id="H0DB020D205E347CF9EEDCCADE41EA0B9"><enum>(iii)</enum><text>uses the voice within the audio file solely as a replacement for written words, to perform a task, or to engage with a website, online service, online application, or mobile application, such as to perform a search or fulfill a verbal instruction or request; and</text></clause><clause id="HF1307BF08BB141C0BE580D13195CA405"><enum>(iv)</enum><text>only maintains the audio file long enough to complete the stated purpose and then immediately deletes the audio file and does not make any other use of the audio file prior to deletion.</text></clause></subparagraph><subparagraph id="H754FFEBD16724E099472C743E7BF8AFE"><enum>(C)</enum><header>Support for the internal operations of a website, online service, online application, or mobile application</header><clause id="H13A6193A896E46CC98D18966284CE743"><enum>(i)</enum><header>In general</header><text>For purposes of subparagraph (A)(vii), the term <quote>support for the internal operations of a website, online service, online application, or mobile application</quote> means those activities necessary to—</text><subclause id="H2140839AABDF46A3B6577515D6644D2D"><enum>(I)</enum><text>maintain or analyze the functioning of the website, online service, online application, or mobile application;</text></subclause><subclause id="H912EB80C69FD4EC18E7A339476E49F46"><enum>(II)</enum><text>perform network 
communications;</text></subclause><subclause id="HDC3DB6A2E009400DAA39E5FB8BBF37F5"><enum>(III)</enum><text>authenticate users of, or personalize the content on, the website, online service, online application, or mobile application;</text></subclause><subclause id="HE77E4166B34E4AF9A53126A70BACFE0A"><enum>(IV)</enum><text>cap the frequency of advertising;</text></subclause><subclause id="HD68EFD2F23794B3C906CEEE832BF3DDB"><enum>(V)</enum><text>protect the security or integrity of the user, website, online service, online application, or mobile application;</text></subclause><subclause id="H97E9797FB7EC46D5B40A6DDB4DA2CB78"><enum>(VI)</enum><text>ensure legal or regulatory compliance; or</text></subclause><subclause id="H7417E82D17454D7F86ECE085B336E999"><enum>(VII)</enum><text>fulfill a request of a child as permitted by subparagraphs (A) through (C) of section 1303(b)(2).</text></subclause></clause><clause id="H89166AC4156F4E84B4AD562D143A0F3D"><enum>(ii)</enum><header>Condition</header><text display-inline="yes-display-inline">Except as specifically permitted under clause (i), information collected for the activities listed in clause (i) may not be used or disclosed to contact a specific individual, including through targeted advertising or first-party advertising (as such terms are defined in section 101 of the American Privacy Rights Act of 2024) to children, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website, online service, online application, or mobile application, or for any other purpose.</text></clause></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="H96DBB44A5AD64498BAB2207F20DA2BDC"><enum>(4)</enum><text>by amending paragraph (9) to read as follows:</text><quoted-block id="H6DAA28627DDD470DA302BDF92E4D12AC" style="OLC"><paragraph id="H39F03CD0824649BC98FD703BD5AEAFA7"><enum>(9)</enum><header>Verifiable consent</header><text>The 
term <quote>verifiable consent</quote> means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of the child—</text><subparagraph id="H35C7E60C52514CE79503915E1CB99EF9"><enum>(A)</enum><text>receives direct notice of the personal information collection, use, and disclosure practices of the operator; and</text></subparagraph><subparagraph id="H39FDFC99CB9E468D87DD36D8A0145A68"><enum>(B)</enum><text>before the personal information of the child is collected, freely and unambiguously authorizes—</text><clause id="H61AA2514C5FF40AC9AE8C7FCDB4071CF"><enum>(i)</enum><text>the collection, use, and disclosure, as applicable, of that personal information; and</text></clause><clause id="HC3B762D3DF17434A98A60CF6E10D74E4"><enum>(ii)</enum><text>any subsequent use of that personal information.</text></clause></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="HBF667184CEDE43A0B940A506F6FB0DA7"><enum>(5)</enum><text>in paragraph (10)—</text><subparagraph id="HB1620CF6AD68470EA4668AC4861D1119"><enum>(A)</enum><text>in the paragraph heading, by striking <quote><header-in-text level="paragraph" style="OLC">Website or online service directed to children</header-in-text></quote> and inserting <quote><header-in-text level="paragraph" style="OLC">Website, online service, online application, or mobile application directed to children</header-in-text></quote>;</text></subparagraph><subparagraph id="HEA4DC09480B84399AC87ACE83C426A66"><enum>(B)</enum><text>by striking <quote>website or online service</quote> each place it appears and inserting <quote>website, online service, online application, or mobile application</quote>; and</text></subparagraph><subparagraph id="H7C6FB19D6A1A4148B5F8029361C1AC32"><enum>(C)</enum><text>by adding at the end the following new 
subparagraph:</text><quoted-block id="H2C01867A2B9B436CB4FB8AB84B356D09" style="OLC"><subparagraph id="H2C525FA05D9F43298D63263CBF77376A"><enum>(C)</enum><header>Rule of construction</header><text>In considering whether a website, online service, online application, or mobile application, or portion thereof, is directed to children, the Commission shall apply a totality of circumstances test and shall also consider competent and reliable empirical evidence regarding audience composition and evidence regarding the intended audience of the website, online service, online application, or mobile application.</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H8F5EBF5699FB46BEA79580CFF864BD5F"><enum>(6)</enum><text>by adding at the end the following:</text><quoted-block id="H9E7C2202D2CB4125AEF83FD5498DE1AB" style="OLC"><paragraph id="H8E532068143C4831B7BB7B1DFF6382F0"><enum>(13)</enum><header>Connected device</header><text>The term <quote>connected device</quote> has the meaning given such term in section 101 of the American Privacy Rights Act of 2024.</text></paragraph><paragraph id="H276519A9A12C4E7D8DD4DA6FC7CC1F8D"><enum>(14)</enum><header>Educational agency or institution</header><text>The term <quote>educational agency or institution</quote> means a State educational agency or local educational agency as defined under Federal law, as well as an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined under State law.</text></paragraph><paragraph id="HBFA5AD209EB5479E93E38468807F333E"><enum>(15)</enum><header>Mobile application</header><text>The term <quote>mobile application</quote> has the meaning given such term in section 101 of the American Privacy Rights Act of 2024.</text></paragraph><paragraph id="HED0FC1E6B75F48709F16D69EA6AEF1C1"><enum>(16)</enum><header>Online 
application</header><text>The term <quote>online application</quote> has the meaning given such term in section 101 of the American Privacy Rights Act of 2024.</text></paragraph><paragraph id="H2DF21F1210FB42D8ADA6294E6F42189B"><enum>(17)</enum><header>Precise geolocation information</header><text>The term <quote>precise geolocation information</quote> has the meaning given such term in section 101 of the American Privacy Rights Act of 2024.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="H75234E7B3EDE44E7A02722B8386CBC8A"><enum>(b)</enum><header>Online collection, use, disclosure, and deletion of personal information of children</header><text>Section 1303 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6502">15 U.S.C. 6502</external-xref>) is amended—</text><paragraph id="H785224000B0F4D94BB656CB092B7F4DC"><enum>(1)</enum><text>by striking the heading and inserting the following: <quote><header-in-text level="section" style="OLC">Online collection, use, disclosure, and deletion of personal information of children</header-in-text>.</quote>;</text></paragraph><paragraph id="H6A0BF82429254AC9B51C85CB42824DE2"><enum>(2)</enum><text>by amending subsection (a) to read as follows:</text><quoted-block id="H1BABC5722ECC4FA99A2ADA9D3F4FED32" style="OLC"><subsection id="HF76BF0D4D148456FBE7FF12BC887756A"><enum>(a)</enum><header>Acts prohibited</header><text>It is unlawful for an operator of a website, online service, online application, or mobile application directed to children or for any operator of a website, online service, online application, or mobile application with actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child—</text><paragraph id="HD8220A2744CA429A8EB0CDECA888E49A"><enum>(1)</enum><text>to collect personal information from a child in a manner that violates the American Privacy 
Rights Act of 2024 or the regulations prescribed under subsection (b); or</text></paragraph><paragraph id="H073DE827086E40FD89E521228D36C0AD"><enum>(2)</enum><text>to store or transfer the personal information of a child outside of the United States, unless—</text><subparagraph id="HFE4AB08098B54F6F8A48FF46F8D9BD38"><enum>(A)</enum><text>the operator provides direct notice to the parent of the child that the personal information of the child is being stored or transferred outside of the United States; and</text></subparagraph><subparagraph id="H19F6E99F0A2247BE8A19B71BD186C11A"><enum>(B)</enum><text>with respect to transfer, the operator meets the requirements of section 102(b) of the American Privacy Rights Act of 2024.</text></subparagraph></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="H6D779094AE8D4B9185FD75A0A1AA84CD"><enum>(3)</enum><text>in subsection (b)—</text><subparagraph id="H7D767FC6D9754F268C5CB26CC50882B1"><enum>(A)</enum><text>in paragraph (1)—</text><clause id="HC50DA2BCAFE24FC9A9AF7AD7F94FF76E"><enum>(i)</enum><text>in subparagraph (A)—</text><subclause id="HAB0506C98A2645CEA8BDB28AE5F69807"><enum>(I)</enum><text>in the matter preceding clause (i), by striking <quote>operator of any website</quote> and all that follows through <quote>from a child</quote> and inserting <quote>operator of a website, online service, online application, or mobile application directed to children or that has actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child</quote>;</text></subclause><subclause id="H24247A395841425EA82125934BED39DF"><enum>(II)</enum><text>in clause (i)—</text><item id="HA98CC89B7A21495A8A83B5E7CB17EF37"><enum>(aa)</enum><text>by striking <quote>notice on the website</quote> and inserting <quote>clear and conspicuous notice on the website, service, or application</quote>; and</text></item><item 
id="HB9802D2BE4484E8082E55679DF2CE7F8"><enum>(bb)</enum><text>by striking <quote>; and</quote> and inserting a semicolon;</text></item></subclause><subclause id="HD50FEF6E16DD4498B58C44E9183B16F5"><enum>(III)</enum><text>in clause (ii)—</text><item id="HEF51A16019A841019B0FDCAB9B093548"><enum>(aa)</enum><text>by striking <quote>verifiable parental consent</quote> and inserting <quote>verifiable consent</quote>; and </text></item><item id="HEF4E492293934DD4B36EF9950DC2D1EC"><enum>(bb)</enum><text>by striking the semicolon at the end and inserting <quote>; and</quote>; and</text></item></subclause><subclause id="HF66D642E307B4DEABDE7A31DB9CC9251"><enum>(IV)</enum><text>by inserting after clause (ii) the following new clause:</text><quoted-block id="H555CDB5508314C7897B1D4EFBBBFF63C" style="OLC"><clause id="HFE32446A2EB04555AF2BDC5388513820"><enum>(iii)</enum><text>to obtain verifiable consent from a parent of a child before using or disclosing personal information of the child for any purpose that is a material change from the original purposes and disclosure practices specified to the parent of the child under clause (i);</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subclause></clause><clause id="H25AED4004FB44790B7CC5FC4A528D1DD"><enum>(ii)</enum><text>by striking subparagraph (B);</text></clause><clause id="H45C3F99CB7AF458DB7F4BBFE99ACC6E1"><enum>(iii)</enum><text>in subparagraph (C)—</text><subclause id="H829A21C2E174428B8DC6748542182D19"><enum>(I)</enum><text>by striking <quote>reasonably</quote>; and</text></subclause><subclause id="HEC635112B1F540EB9B5BDBD53532C047"><enum>(II)</enum><text>by inserting <quote>, proportionate, and limited</quote> after <quote>necessary</quote>;</text></subclause></clause><clause id="HA73945EDFF1D4F308E1A13E9234BB9C0"><enum>(iv)</enum><text>in subparagraph (D), by striking <quote>website or online service</quote> and inserting <quote>website, online service, online application, or mobile 
application</quote>; and </text></clause><clause id="H289E1452968D4D888A13EE7D930F6149"><enum>(v)</enum><text>by redesignating subparagraphs (C) and (D) as subparagraphs (B) and (C), respectively;</text></clause></subparagraph><subparagraph id="HFF00235BE59B4C26BBE35A2A163826EF"><enum>(B)</enum><text>in paragraph (2)—</text><clause id="H45CE3483E0FB404392E99A380CB66206"><enum>(i)</enum><text>in the matter preceding subparagraph (A)—</text><subclause id="H35E06771619144D8850448F9ED9993BD"><enum>(I)</enum><text>by striking <quote>verifiable parental consent</quote> and inserting <quote>verifiable consent</quote>; and</text></subclause><subclause id="H09FB7EEA8B62490BB77C229E9B9C2441" commented="no"><enum>(II)</enum><text>by striking <quote>paragraph (1)(A)(ii)</quote> and inserting <quote>clause (ii) or (iii) of paragraph (1)(A)</quote>;</text></subclause></clause><clause id="H28E8804829394E7D8DBD5D0F25B46613"><enum>(ii)</enum><text>in subparagraph (A), by inserting <quote>or to contact another child</quote> after <quote>to recontact the child</quote>;</text></clause><clause id="H0D58FA2BA2F847608C06257F8D024C2A"><enum>(iii)</enum><text>in subparagraph (B)—</text><subclause id="HAA1D1FD3B59B45938036D2AF0FA8A447"><enum>(I)</enum><text>by striking <quote>or child</quote>; and</text></subclause><subclause id="H9047833C8B17439E9A2BECAAE7E66389"><enum>(II)</enum><text>by striking <quote>parental consent</quote> each place the term appears and inserting <quote>verifiable consent</quote>;</text></subclause></clause><clause id="H7C70A00EFFD645C0A98693E35EC6B016"><enum>(iv)</enum><text>in subparagraph (D), in the matter preceding clause (i)—</text><subclause id="H0C547BAB32F5442E9225640F092ADF26"><enum>(I)</enum><text>by striking <quote>reasonably</quote>; and</text></subclause><subclause id="H3CB6BAA79FF14588BE7620881922DC6C"><enum>(II)</enum><text>by inserting <quote>, proportionate, and limited</quote> after <quote>necessary</quote>; and</text></subclause></clause><clause 
id="HF9C4410C3D2F4682B08ECB145AF792A1"><enum>(v)</enum><text>in subparagraph (E)—</text><subclause id="H291E9E1E06A0488D968CC606125736AB"><enum>(I)</enum><text>in the matter preceding clause (i), by striking <quote>website or online service</quote> and inserting <quote>website, online service, online application, or mobile application</quote>; and</text></subclause><subclause id="HD58E79D2357A4BEA813EEE18864F1F7A" commented="no"><enum>(II)</enum><text>in clause (i), by striking <quote>website</quote> and inserting <quote>website, service, or application</quote>;</text></subclause></clause></subparagraph><subparagraph id="H6DF46737CE524261AB1A3935600258A9"><enum>(C)</enum><text>by redesignating paragraph (3) as paragraph (4) and inserting after paragraph (2) the following new paragraph:</text><quoted-block id="HCB15E6B2E93549EE992E3EBF20228BE4" style="OLC"><paragraph id="HFDEFAAAFFD764B04866BFF44580B4F44"><enum>(3)</enum><header>Application to operators acting under agreements with educational agencies or institutions</header><text display-inline="yes-display-inline">The regulations may provide that verifiable consent under clause (ii) or (iii) of paragraph (1)(A) is not required for an operator that is acting under a written agreement with an educational agency or institution that, at a minimum, requires—</text><subparagraph id="H3D76306D2D524685A49272F0AE1A6260"><enum>(A)</enum><text>the operator to—</text><clause id="HF9216F4BAFF84EA9B6E6D8670FB03528"><enum>(i)</enum><text>limit its collection, use, and disclosure of the personal information from a child to solely educational purposes and for no other commercial purposes;</text></clause><clause id="HF743AE2D541D49B4B346F3A958B8CC70"><enum>(ii)</enum><text>provide the educational agency or institution with a notice of the specific types of personal information the operator will collect from the child, the method by which the operator will obtain the personal information, and the purposes for which the operator 
will collect, use, disclose, and retain the personal information;</text></clause><clause id="HB10E30E53C78471A9A6381F5F2E93CBA"><enum>(iii)</enum><text>provide the educational agency or institution with a link to the online notice of information practices of the operator as required under paragraph (1)(A)(i); and</text></clause><clause id="HCBFE2F16F24E49CCA7B3C80E802BE821"><enum>(iv)</enum><text>provide the educational agency or institution, upon request, with a means to review the personal information collected from a child, to prevent further use or maintenance or future collection of personal information from a child, and to delete personal information collected from a child or content or information submitted by a child to the website, online service, online application, or mobile application of the operator;</text></clause></subparagraph><subparagraph id="H63EDDF87038A49FA9C39A5EEA1891D07"><enum>(B)</enum><text>a representative of the educational agency or institution to—</text><clause id="H84F809C2914246D5BFD6DA25ADCC58AD"><enum>(i)</enum><text>acknowledge and agree that the representative has authority to authorize the collection, use, and disclosure of personal information from children on behalf of the educational agency or institution; and</text></clause><clause id="HD0C5074E2C2742B9971A660DFF3C9728"><enum>(ii)</enum><text>provide the name of the representative and the title of the representative at the educational agency or institution; and</text></clause></subparagraph><subparagraph id="H21FC02AF97754D779A2EE25D4BE8BF14"><enum>(C)</enum><text>the educational agency or institution to—</text><clause id="H5B857814F1CD49B1BE67B1ADAA5A6775"><enum>(i)</enum><text>provide on the website of the educational agency or institution a notice that identifies the operator with which the educational agency or institution has entered into a written agreement under this paragraph and a link to the online notice of information practices of the operator as required under 
paragraph (1)(A)(i);</text></clause><clause id="HF0588B5B382A429B80D61E593A448316"><enum>(ii)</enum><text>provide the notice of the operator regarding the information practices of the operator, as required under subparagraph (A)(ii), upon request, to a parent; and</text></clause><clause id="HF369D862DAFE412DB096E391B2F00B9C"><enum>(iii)</enum><text>upon the request of a parent, request the operator provide a means to review the personal information collected from the child of the parent and provide the parent a means to review the personal information.</text></clause></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H4C43CF9A7BFB4D28828F3F453AA98D91"><enum>(D)</enum><text>by amending paragraph (4), as so redesignated, to read as follows:</text><quoted-block id="H6245945E71324F9CA30671608C559542" style="OLC"><paragraph id="H62D0356C67A142DA9CB20076A172A54A"><enum>(4)</enum><header>Termination of service</header><text>The regulations shall permit the operator of a website, online service, online application, or mobile application to terminate service provided to a child whose parent has requested to delete covered data of the child pursuant to section 105 of the American Privacy Rights Act of 2024.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph><subparagraph id="HFB2038E5B22246A1869FD10D04B5BD76"><enum>(E)</enum><text>by adding at the end the following new paragraphs:</text><quoted-block id="HABDE8BEB60D146CDA1C755552517C054" style="OLC"><paragraph id="HE35B2ECD8A6644FDB97B61243D26485B"><enum>(5)</enum><header>Continuation of service</header><text>The regulations shall prohibit an operator from discontinuing service provided to a child on the basis of a request by the parent of the child to delete personal information collected from the child, to the extent that the operator is capable of providing such service without such 
information.</text></paragraph><paragraph id="HD786ACC92356429EAAB1AAB67D9EB086"><enum>(6)</enum><header>Common verifiable consent mechanism</header><subparagraph id="H5050AF6142C24966BF8D3867D6715072"><enum>(A)</enum><header>In general</header><clause id="H5ED929C166D24F0291D029A487830078"><enum>(i)</enum><header>Feasibility of mechanism</header><text>The Commission shall conduct an assessment, with notice and public comment, of the feasibility of allowing operators the option to use a common verifiable consent mechanism that fully meets the requirements of this title.</text></clause><clause id="H36B1F82773A04002819859D601419E71"><enum>(ii)</enum><header>Requirements</header><text>The feasibility assessment described in clause (i) shall consider whether a single operator could use a common verifiable consent mechanism to obtain verifiable consent, as required under this title, from a parent of a child on behalf of multiple, listed operators that provide a joint or related service.</text></clause></subparagraph><subparagraph id="H0762B3FAD15F4603A807C1DD0D0CBA18"><enum>(B)</enum><header>Report</header><text>Not later than 1 year after the date of the enactment of this paragraph, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report with the findings of the assessment required by subparagraph (A).</text></subparagraph><subparagraph id="H970A1E3F28E84E018AB722FECDB3B897"><enum>(C)</enum><header>Regulations</header><text>If the Commission finds, in the assessment required by subparagraph (A), that the use of a common verifiable consent mechanism is feasible and would meet the requirements of this title, the Commission shall issue regulations, pursuant to section 553 of title 5, United States Code, to permit the use of a common verifiable consent mechanism in accordance with the findings outlined in the report submitted under subparagraph 
(B).</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H4BE3C467ADDB4FD3966144D45BEA46F0"><enum>(4)</enum><text>in subsection (c), by striking <quote>a regulation prescribed under subsection (a)</quote> and inserting <quote>paragraph (2) of subsection (a), or of a regulation prescribed under subsection (b),</quote>; and</text></paragraph><paragraph id="HC35A2FBFA6B94D79A211922F10910AB8"><enum>(5)</enum><text>by striking subsection (d) and inserting the following:</text><quoted-block id="HFDAB21023E1F4AEF813311D1FD67193E" style="OLC"><subsection id="H383F624282614217A5FE4300868E0D66" commented="no"><enum>(d)</enum><header>Relationship to State law</header><text>The provisions of this title shall preempt any State law, rule, or regulation only to the extent that such State law, rule, or regulation conflicts with a provision of this title. Nothing in this title may be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children than the provisions of this title.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="H1E5C33F29DFD4F9098291452F4CD5EB2"><enum>(c)</enum><header>Safe harbors</header><text>Section 1304 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6503">15 U.S.C. 
6503</external-xref>) is amended by adding at the end the following:</text><quoted-block id="H5AF8DB60AB964D8B9074806C102AA4D2" style="OLC"><subsection id="HBEB8D290AD74422B979929FF82D87BF1"><enum>(d)</enum><header>Publication</header><paragraph id="HA077422F510E4E86889D524B83791487"><enum>(1)</enum><header>In general</header><text>Subject to the restrictions described in paragraph (2), the Commission shall publish on the website of the Commission any report or documentation required by regulation to be submitted to the Commission to carry out this section.</text></paragraph><paragraph id="HB0E8B105E09848C08055CB9329A6525C"><enum>(2)</enum><header>Restrictions on publication</header><text>The restrictions described in sections 6(f) and 21 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/46">15 U.S.C. 46(f)</external-xref>; 57b–2) applicable to the disclosure of information obtained by the Commission shall apply in the same manner to the disclosure under this subsection of information obtained by the Commission from a report or documentation described in paragraph (1).</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="H40DFBE3CAD0147F6A632656E6836E507"><enum>(d)</enum><header>Actions by states</header><text>Section 1305 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6504">15 U.S.C. 
6504</external-xref>) is amended—</text><paragraph id="H974E33A96154401A896849417442A358"><enum>(1)</enum><text>in subsection (a)(1)—</text><subparagraph id="HE62FA8D55D0F460B84AF96B5A8C3E341"><enum>(A)</enum><text>in the matter preceding subparagraph (A), by inserting <quote>section 1303(a) or</quote> before <quote>any regulation</quote>; and</text></subparagraph><subparagraph id="HB60DF0F6F9A247499ECDF063AF9EE9FA"><enum>(B)</enum><text>in subparagraph (B), by striking <quote>the regulation</quote> and inserting <quote>such section or regulation</quote>; and</text></subparagraph></paragraph><paragraph id="H31DC117F35FF4A9AAEDA67E78B2AA6B3"><enum>(2)</enum><text>in subsection (d)—</text><subparagraph id="H84077DCF123042C1A85560A291B0CBD0"><enum>(A)</enum><text>by inserting <quote>section 1303(a) or</quote> before <quote>any regulation</quote>; and</text></subparagraph><subparagraph id="HB20723B18103448686DB40C2A6A0AE16"><enum>(B)</enum><text>by striking <quote>that regulation</quote> and inserting <quote>such section or regulation</quote>.</text></subparagraph></paragraph></subsection><subsection id="HFC6CAB93C59D4E27A6F02647AC37C186"><enum>(e)</enum><header>Administration and applicability of act</header><text>Section 1306 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6505">15 U.S.C. 
6505</external-xref>) is amended—</text><paragraph id="HC39D610FC8464E7FBB0216D12BDEC949"><enum>(1)</enum><text>in subsection (d)—</text><subparagraph id="HA719A2C4E73744529E130EFD63FF169D"><enum>(A)</enum><text>by inserting <quote>section 1303(a) or</quote> before <quote>a rule</quote>; and</text></subparagraph><subparagraph id="H138F7A57B1004248868E73385CA4AEED"><enum>(B)</enum><text>by striking <quote>such rule</quote> and inserting <quote>section 1303(a) or a rule of the Commission under section 1303</quote>; and</text></subparagraph></paragraph><paragraph id="H052480D8B16247CD824906E214F77784"><enum>(2)</enum><text>by adding at the end the following new subsections:</text><quoted-block id="HDA536D48E9CE49F2BDAF301FF0034EA3" style="OLC"><subsection id="H6FCFECB438BA4E369459292C7F77DA09"><enum>(f)</enum><header>Determination of whether an operator has knowledge fairly implied on the basis of objective circumstances</header><paragraph id="H959142543DE3474D83826932D9CB9F87"><enum>(1)</enum><header>Rule of construction</header><text>For purposes of enforcing this title or a regulation promulgated under this title, in making a determination as to whether an operator has knowledge fairly implied on the basis of objective circumstances that a specific user is a child, the Commission or a State attorney general shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the user is a child. 
Nothing in this title, including a determination described in the preceding sentence, may be construed to require an operator to—</text><subparagraph id="H2D2F45BE24614F43A1484BBDFDC9B02D"><enum>(A)</enum><text>affirmatively collect any personal information with respect to the age of a child that an operator is not already collecting in the normal course of business; or</text></subparagraph><subparagraph id="H3697DDCDBFB34A1DAE0C5279B5AB9BED"><enum>(B)</enum><text>implement an age gating or age verification functionality.</text></subparagraph></paragraph><paragraph id="H8B79E01C73F142A8B41C1733D949578A"><enum>(2)</enum><header>Commission guidance</header><subparagraph id="HFB000F5175974FAEA9D35211702B0E42"><enum>(A)</enum><header>In general</header><text>Not later than 180 days after the date of the enactment of this subsection, the Commission shall issue guidance to provide information, including best practices and examples, for operators to understand the process of the Commission for determining whether an operator has knowledge fairly implied on the basis of objective circumstances that a user is a child.</text></subparagraph><subparagraph id="HCFFB1A0ACBD846EF91C598E7F7BD085B"><enum>(B)</enum><header>Limitation</header><text display-inline="yes-display-inline">No guidance issued by the Commission under subparagraph (A) confers any rights on any person, State, or locality, or operates to bind the Commission or any person, State, or locality to the approach recommended in such guidance. 
In any enforcement action brought pursuant to this title, the Commission or State attorney general, as applicable, shall allege a specific violation of a provision of this title, and the Commission or State attorney general, as applicable, may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title.</text></subparagraph></paragraph></subsection><subsection id="H8D0177DE2B1A4F4DB1B61B5115F9BDEC"><enum>(g)</enum><header>Additional requirement</header><text>Any regulations issued under this title shall include a description and analysis of the impact of proposed and final rules on small entities per <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/6">chapter 6</external-xref> of title 5, United States Code.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="HD6722F69505C4F69864D18279619B767"><enum>203.</enum><header>Study and reports on mobile and online application oversight and enforcement</header><subsection id="H7A0418425FE74F398F81D8C922208CF7"><enum>(a)</enum><header>Oversight report</header><text>Not later than 3 years after the date of the enactment of this Act, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the processes of platforms that offer mobile and online applications for ensuring that, for those applications that are websites, online services, online applications, or mobile applications directed to children, the applications operate in accordance with—</text><paragraph id="H086B85F470A1456EAE766699ECE226E3"><enum>(1)</enum><text>this title, the amendments made by this title, and any rules promulgated under this title or the amendments made by this title; 
and</text></paragraph><paragraph id="HBF21B09E6BD34AC893C7BD253FFDACC4"><enum>(2)</enum><text>rules promulgated by the Commission under section 18 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a</external-xref>) relating to unfair or deceptive acts or practices in marketing.</text></paragraph></subsection><subsection id="H5C5B56267C39437583699EEBC74739F5"><enum>(b)</enum><header>Enforcement report</header><text>Not later than 1 year after the date of the enactment of this Act, and annually thereafter, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that addresses, at a minimum—</text><paragraph id="HEC7C46164CC944BFACA715F160814922"><enum>(1)</enum><text>the number of actions brought by the Commission during the reporting year to enforce the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 
6501 et seq.</external-xref>) and the outcome of each such action;</text></paragraph><paragraph id="H6EC44A8F3E6F461894389886E00377F8"><enum>(2)</enum><text>the total number of investigations or inquiries into potential violations of such Act commenced during the reporting year;</text></paragraph><paragraph id="HA4A4879FF71B44BC801E5E83FE848711"><enum>(3)</enum><text>the total number of open investigations or inquiries into potential violations of such Act as of the time the report is submitted;</text></paragraph><paragraph id="H6171816FC8894BEBB91EAB739A7FF100"><enum>(4)</enum><text>the number and nature of complaints received by the Commission relating to an allegation of a violation of such Act during the reporting year; and</text></paragraph><paragraph id="H79FC057B473E42258ED77C87F6A81EEC"><enum>(5)</enum><text>policy or legislative recommendations to strengthen online protections for children.</text></paragraph></subsection><subsection id="H4001AB62B6D2462DAA982BB0A4BBCCBC"><enum>(c)</enum><header>Report by the inspector general</header><paragraph id="H8EEAC7FCDA5C485A96C9236190F8E9FC"><enum>(1)</enum><header>In general</header><text>Not later than 2 years after the date of the enactment of this Act, the Inspector General of the Federal Trade Commission shall submit to the Federal Trade Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1304 of the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6503">15 U.S.C. 
6503</external-xref>), which shall include—</text><subparagraph id="H5CE82B1ACB0D4EFDA03B299EF0343B2F"><enum>(A)</enum><text>an analysis of whether the safe harbor provisions are—</text><clause id="H9EE3E7B6EFA84F0091DD5774235452AE"><enum>(i)</enum><text>operating fairly and effectively; and</text></clause><clause id="HDCEE3B01ED6F48BFBC8BD88E66AFC2CC"><enum>(ii)</enum><text>effectively protecting the interests of children; and</text></clause></subparagraph><subparagraph id="HD0F134AA44CE4FC9B88C9B4B22F897B1"><enum>(B)</enum><text>any proposal or recommendation for policy changes that would improve the effectiveness of the safe harbor provisions.</text></subparagraph></paragraph><paragraph id="H05480F88941D400993D1169A3FA561E2"><enum>(2)</enum><header>Publication</header><text>Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall publish the report on the website of the Commission.</text></paragraph></subsection></section><section id="H009A8094D5504E10832AD42ADCCBA1D6"><enum>204.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this title or the amendments made by this title, or the application thereof to any person or circumstance, is held invalid, the remainder of this title and the amendments made by this title, and the application of such provision to other persons not similarly situated or to other circumstances, may not be affected by the invalidation.</text></section></title></legis-body></bill> 

