[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2728 Introduced in Senate (IS)]

115th CONGRESS
  2d Session
                                S. 2728

   To protect the privacy of users of social media and other online 
                               platforms.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 23, 2018

 Ms. Klobuchar (for herself and Mr. Kennedy) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To protect the privacy of users of social media and other online 
                               platforms.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Social Media Privacy Protection and 
Consumer Rights Act of 2018''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``Commission'' means the Federal Trade 
        Commission;
            (2) the term ``covered online platform'' means an online 
        platform that collects personal data during the online behavior 
        of a user of the online platform;
            (3) the term ``geolocation information'' means, with 
        respect to an individual, any information that is not the 
        content of a communication, concerning the location of a 
        wireless communication device that--
                    (A) in whole or in part, is generated by or derived 
                from the operation of that device; and
                    (B) could be used to determine or infer information 
                regarding the location of the individual;
            (4) the term ``online platform''--
                    (A) means any public-facing website, web 
                application, or digital application (including a mobile 
                application); and
                    (B) includes a social network, an ad network, a 
                mobile operating system, a search engine, an email 
                service, or an Internet access service;
            (5) the term ``operator'' has the meaning given the term in 
        section 1302 of the Children's Online Privacy Protection Act of 
        1998 (15 U.S.C. 6501); and
            (6) the term ``personal data'' means individually 
        identifiable information about an individual collected online, 
        including--
                    (A) location information sufficient to identify the 
                name of a street and a city or town, including a 
                physical address;
                    (B) an e-mail address;
                    (C) a telephone number;
                    (D) a government identifier, such as a Social 
                Security number;
                    (E) geolocation information;
                    (F) the content of a message;
                    (G) protected health information, as defined in 
                section 160.103 of title 45, Code of Federal 
                Regulations, or any successor regulation; and
                    (H) nonpublic personal information, as defined in 
                section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 
                6809).

SEC. 3. PRIVACY PROTECTIONS.

    (a) Transparency and Terms of Service.--
            (1) Disclosure and obtaining initial consent and privacy 
        preferences.--
                    (A) In general.--Before a user creates an account 
                with, or otherwise begins to use, a covered online 
                platform, the operator of the online platform shall--
                            (i) inform the user that, unless the user 
                        makes an election under clause (ii)(II), 
                        personal data of the user produced during the 
                        online behavior of the user, whether on the 
                        online platform or otherwise, will be collected 
                        and used by the operator and third parties; and
                            (ii) provide the user the option to specify 
                        the privacy preferences of the user, including 
                        by--
                                    (I) agreeing to the terms of 
                                service for use of the online platform, 
                                including, except as provided in 
                                subclause (II), the collection and use 
                                of personal data described in clause 
                                (i); and
                                    (II) prohibiting, if the user so 
                                elects, the collection and use of 
                                personal data described in clause (i), 
                                subject to subparagraph (B).
                    (B) Consequence of prohibition of data 
                collection.--If the election of a user under 
                subparagraph (A)(ii)(II) creates inoperability in the 
                online platform, the operator of the online platform 
                may deny certain services or completely deny access to 
                the user.
                    (C) Form of disclosure.--An operator of a covered 
                online platform shall provide a user of the online 
                platform with the terms of service for use of the 
                online platform, including the collection and use of 
                personal data described in subparagraph (A)(i), in a 
                form that--
                            (i) is--
                                    (I) easily accessible;
                                    (II) of reasonable length; and
                                    (III) clearly distinguishable from 
                                other matters; and
                            (ii) uses language that is clear, concise, 
                        and well organized, and follows other best 
                        practices appropriate to the subject and 
                        intended audience.
                    (D) Privacy or security program.--An operator of a 
                covered online platform shall--
                            (i) establish and maintain a privacy or 
                        security program for the online platform; and
                            (ii) publish a description of the privacy 
                        or security program that--
                                    (I) details how the operator will 
                                use the personal data of a user of the 
                                online platform, including requirements 
                                for how the operator will address 
                                privacy risks associated with the 
                                development of new products and 
                                services; and
                                    (II) includes details of the access 
                                that employees and contractors of the 
                                operator have to the personal data of a 
                                user of the online platform, and 
                                internal policies for the use of that 
                                personal data.
            (2) New products; changes to privacy or security program.--
        An operator of a covered online platform may not introduce a 
        new product, or implement any material change to the privacy or 
        security program of the online platform that overrides the 
        privacy preferences of a user of the online platform, as 
        specified under paragraph (1)(A)(ii), unless the operator has--
                    (A) informed the user that the new product or 
                change will result in the collection and use of 
                personal data described in paragraph (1)(A)(i), if that 
                is the case;
                    (B) provided the user the option under paragraph 
                (1)(A)(ii); and
                    (C) obtained affirmative express consent from the 
                user to the introduction of the new product or the 
                implementation of the change.
            (3) Withdrawal of consent.--An operator of a covered online 
        platform shall ensure that--
                    (A) a user of the online platform is able to 
                withdraw consent to the terms of service for use of the 
                online platform, including the collection and use of 
                personal data described in paragraph (1)(A)(i), as 
                easily as the user is able to give such consent; and
                    (B) except as otherwise required by law, no person 
                is able to access the personal data of a user of the 
                online platform later than 30 days after the date on 
                which the user closes his or her account or otherwise 
                terminates his or her use of the online platform.
    (b) Right to Access.--An operator of a covered online platform 
shall offer a user of the online platform a copy of the personal data 
of the user that the operator has processed, free of charge and in an 
electronic and easily accessible format, including a list of each 
person that received the personal data from the operator for business 
purposes, whether through sale or other means.
    (c) Violations of Privacy.--
            (1) In general.--Not later than 72 hours after an operator 
        of a covered online platform becomes aware that the personal 
        data of a user of the online platform has been transmitted in 
        violation of the privacy or security program of the online 
        platform, including the privacy preferences specified by the 
        user under subsection (a)(1)(A)(ii), the operator shall--
                    (A) notify the user of the transmission;
                    (B) offer the user the option to elect to prohibit 
                the operator from collecting and using the personal 
                data of the user, subject to paragraph (2);
                    (C) except as provided in paragraph (3), offer the 
                user the option to have the operator--
                            (i) erase all personal data of the user 
                        tracked by the operator; and
                            (ii) cease further dissemination of 
                        personal data of the user tracked by the 
                        operator;
                    (D) offer the user a copy of the personal data of 
                the user that the operator has processed, free of 
                charge and in an electronic and easily accessible 
                format, including a list of each person that received 
                the personal data from the operator, whether through 
                sale or other means; and
                    (E) offer the user the option to close his or her 
                account or otherwise terminate his or her use of the 
                online platform.
            (2) Consequence of prohibition of data collection.--If the 
        election of a user under paragraph (1)(B) creates inoperability 
        in the online platform, the operator of the online platform may 
        deny certain services or completely deny access to the user.
            (3) Public safety exception.--If the operator of a covered 
        online platform, in good faith, believes that an emergency 
        involving danger of death or serious physical injury to any 
        individual requires disclosure without delay of specific 
        personal data of a user of the online platform that relates to 
        the emergency, the operator shall--
                    (A) retain the specific personal data; and
                    (B) notify the proper authorities.
    (d) Compliance.--Not less frequently than once every 2 years, the 
operator of a covered online platform shall audit the privacy or 
security program of the online platform.
    (e) Safe Harbor.--Subsections (a), (b), and (c) shall not apply 
with respect to the development of privacy-enhancing technology by an 
operator of an online platform.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 3 shall be treated as a violation of a rule defining an 
        unfair or deceptive act or practice prescribed under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--Except as provided in subparagraph 
                (C), the Commission shall enforce this Act in the same 
                manner, by the same means, and with the same 
                jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Except as provided 
                in subparagraph (C), any person who violates this Act 
                shall be subject to the penalties and entitled to the 
                privileges and immunities provided in the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.).
                    (C) Common carriers and nonprofit organizations.--
                Notwithstanding section 4, 5(a)(2), or 6 of the Federal 
                Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or 
                any jurisdictional limitation of the Commission, the 
                Commission shall also enforce this Act, in the same 
                manner provided in subparagraphs (A) and (B) of this 
                paragraph, with respect to--
                            (i) common carriers subject to the 
                        Communications Act of 1934 (47 U.S.C. 151 et 
                        seq.) and Acts amendatory thereof and 
                        supplementary thereto; and
                            (ii) organizations not organized to carry 
                        on business for their own profit or that of 
                        their members.
                    (D) Authority preserved.--Nothing in this Act shall 
                be construed to limit the authority of the Commission 
                under any other provision of law.
    (b) Enforcement by States.--
            (1) Authorization.--Subject to paragraph (2), in any case 
        in which the attorney general of a State has reason to believe, 
        based on a legitimate consumer complaint, that an interest of 
        the residents of the State has been or is threatened or 
        adversely affected by the engagement of any person subject to 
        section 3 in a practice that violates that section, the 
        attorney general of the State may, as parens patriae, bring a 
        civil action on behalf of the residents of the State in an 
        appropriate district court of the United States to obtain 
        appropriate relief.
            (2) Rights of federal trade commission.--
                    (A) Notice to federal trade commission.--
                            (i) In general.--Except as provided in 
                        clause (iii), the attorney general of a State 
                        shall notify the Commission in writing that the 
                        attorney general intends to bring a civil 
                        action under paragraph (1) before initiating 
                        the civil action against a person described in 
                        subsection (a)(1).
                            (ii) Contents.--The notification required 
                        by clause (i) with respect to a civil action 
                        shall include a copy of the complaint to be 
                        filed to initiate the civil action.
                            (iii) Exception.--If it is not feasible for 
                        the attorney general of a State to provide the 
                        notification required by clause (i) before 
                        initiating a civil action under paragraph (1), 
                        the attorney general shall notify the 
                        Commission immediately upon instituting the 
                        civil action.
                    (B) Intervention by federal trade commission.--The 
                Commission may--
                            (i) intervene in any civil action brought 
                        by the attorney general of a State under 
                        paragraph (1) against a person described in 
                        subsection (a)(1); and
                            (ii) upon intervening--
                                    (I) be heard on all matters arising 
                                in the civil action; and
                                    (II) file petitions for appeal of a 
                                decision in the civil action.
            (3) Investigatory powers.--Nothing in this subsection may 
        be construed to prevent the attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of the State to conduct investigations, to administer 
        oaths or affirmations, or to compel the attendance of witnesses 
        or the production of documentary or other evidence.
            (4) Action by federal trade commission.--If the Federal 
        Trade Commission institutes a civil action or an administrative 
        action with respect to a violation of section 3, the attorney 
        general of a State may not, during the pendency of the action, 
        bring a civil action under paragraph (1) against any defendant 
        named in the complaint of the Commission for the violation with 
        respect to which the Commission instituted such action.
            (5) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in--
                            (i) the district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) another court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
            (6) Actions by other state officials.--
                    (A) In general.--In addition to civil actions 
                brought by attorneys general under paragraph (1), any 
                other consumer protection officer of a State who is 
                authorized by the State to do so may bring a civil 
                action under paragraph (1), subject to the same 
                requirements and limitations that apply under this 
                subsection to civil actions brought by attorneys 
                general.
                    (B) Savings provision.--Nothing in this subsection 
                may be construed to prohibit an authorized official of 
                a State from initiating or continuing any proceeding in 
                a court of the State for a violation of any civil or 
                criminal law of the State.

SEC. 5. EFFECTIVE DATE.

    (a) In General.--This Act shall take effect 180 days after the date 
of enactment of this Act.
    (b) Applicability to Existing Users of Online Platforms.--An 
individual who becomes a user of a covered online platform before the 
effective date under subsection (a) shall be treated as if he or she 
had become a user of the online platform on that effective date.
    (c) No Retroactive Applicability.--This Act shall not apply to any 
conduct that occurred before the effective date under subsection (a).