[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4978 Introduced in House (IH)]

<DOC>






116th CONGRESS
  1st Session
                                H. R. 4978

   To provide for individual rights relating to privacy of personal 
information, to establish privacy and security requirements for covered 
 entities relating to personal information, and to establish an agency 
to be known as the United States Digital Privacy Agency to enforce such 
            rights and requirements, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 5, 2019

Ms. Eshoo (for herself and Ms. Lofgren) introduced the following bill; 
  which was referred to the Committee on Energy and Commerce, and in 
    addition to the Committee on the Judiciary, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
   To provide for individual rights relating to privacy of personal 
information, to establish privacy and security requirements for covered 
 entities relating to personal information, and to establish an agency 
to be known as the United States Digital Privacy Agency to enforce such 
            rights and requirements, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Online Privacy Act 
of 2019''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Prohibition on waivers.
Sec. 4. Effective date.
Sec. 5. Journalism protection.
Sec. 6. Small business compliance ramp.
Sec. 7. Criminal prohibition on disclosing personal information.
Sec. 8. Limitation on disclosing nonredacted government records.
                       TITLE I--INDIVIDUAL RIGHTS

Sec. 101. Right of access.
Sec. 102. Right of correction.
Sec. 103. Right of deletion.
Sec. 104. Right of portability.
Sec. 105. Right to human review of automated decisions.
Sec. 106. Right to individual autonomy.
Sec. 107. Right to be informed.
Sec. 108. Right to impermanence.
Sec. 109. Exemptions, exceptions, fees, timelines, and rules of 
                            construction for rights under this title.
  TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND 
                             THIRD PARTIES

Sec. 201. Minimization and articulated basis for collection, 
                            processing, and maintenance.
Sec. 202. Minimization and records of access by employees and 
                            contractors.
Sec. 203. Prohibition on the collection or maintenance of personal 
                            information.
Sec. 204. Prohibitions on the disclosure of personal information.
Sec. 205. Disclosure to entities not subject to United States 
                            jurisdiction or not compliant with this 
                            Act.
Sec. 206. Prohibition on reidentification.
Sec. 207. Restrictions on collection, processing, and disclosure of 
                            contents of communications.
Sec. 208. Prohibition on discriminatory processing.
Sec. 209. Restrictions on genetic information.
Sec. 210. Requirements for notice and consent processes and privacy 
                            policies.
Sec. 211. Prohibition on deceptive notice and consent processes and 
                            privacy policies.
Sec. 212. Notice and consent required.
Sec. 213. Privacy policy.
Sec. 214. Information security requirements.
Sec. 215. Notification of data breach or data sharing abuse.
            TITLE III--UNITED STATES DIGITAL PRIVACY AGENCY

Sec. 301. Establishment.
Sec. 302. Executive and administrative powers.
Sec. 303. Rulemaking authority.
Sec. 304. Personnel.
Sec. 305. Complaints of individuals.
Sec. 306. User advisory board.
Sec. 307. Academic and research advisory board.
Sec. 308. Small business and investor advisory board.
Sec. 309. Consultation.
Sec. 310. Reports.
Sec. 311. Grants for developing open-source machine learning training 
                            data.
Sec. 312. Annual audits.
Sec. 313. Inspector General.
Sec. 314. Authorization of appropriations.
                         TITLE IV--ENFORCEMENT

Sec. 401. Definitions.
Sec. 402. Investigations and administrative discovery.
Sec. 403. Hearings and adjudication proceedings.
Sec. 404. Litigation authority.
Sec. 405. Coordination with other Federal agencies.
Sec. 406. Enforcement by States.
Sec. 407. Private rights of action.
Sec. 408. Relief available.
Sec. 409. Referral for criminal proceedings.
Sec. 410. Whistleblower enforcement.
                     TITLE V--RELATION TO OTHER LAW

Sec. 501. Relation to other Federal law.
Sec. 502. Severability.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``Agency'' means the United States 
        Digital Privacy Agency established by section 301.
            (2) Behavioral personalization.--
                    (A) In general.--The term ``behavioral 
                personalization'' means the processing of an 
                individual's personal information, using an algorithm, 
                model, or other means built using that individual's 
                personal information collected over a period of time, 
                or an aggregate of the personal information of one or 
                more similarly situated individuals and designed to--
                            (i) alter, influence, guide, or predict an 
                        individual's behavior;
                            (ii) tailor or personalize a product or 
                        service; or
                            (iii) filter, sort, limit, promote, display 
                        or otherwise differentiate between specific 
                        content or categories of content that would 
                        otherwise be accessible to the individual.
                    (B) Exclusions.--The term ``behavioral 
                personalization'' does not include the use of 
                historical personal information to merely prevent the 
                display of or provide additional information about 
                previously accessed content.
            (3) Collect.--The term ``collect'' includes, with respect 
        to personal information or contents of communication, obtaining 
        such information in any manner, except when solely 
        transmitting, routing, providing intermediate storage for, or 
        providing connections for personal information through a system 
        or network.
            (4) Contents.--The term ``contents'', when used with 
        respect to communication, has the meaning given such term in 
        section 2510 of title 18, United States Code.
            (5) Covered entity.--
                    (A) In general.--The term ``covered entity'' means 
                a person who--
                            (i) intentionally collects, processes, or 
                        maintains personal information; and
                            (ii) sends or receives such personal 
                        information over the internet or a similar 
                        communications network.
                    (B) Exclusion.--The term ``covered entity'' does 
                not include a natural person, except to the extent such 
                person is engaged in a commercial activity that is more 
                than de minimis.
            (6) Data breach.--The term ``data breach'' means 
        unauthorized access to or acquisition of personal information 
        or contents of communications maintained by such covered 
        entity.
            (7) Data sharing abuse.--The term ``data sharing abuse'' 
        means processing, by a third party, of personal information or 
        contents of communications disclosed by a covered entity to the 
        third party, for any purpose other than--
                    (A) a purpose specified by the covered entity to 
                the third party at the time of disclosure; or
                    (B) a purpose to which the individual to whom the 
                information relates has consented.
            (8) De-Identified.--
                    (A) In general.--The term ``de-identified'' means 
                information that cannot reasonably identify, relate to, 
                describe, reference, be capable of being associated 
                with, or be linked, directly or indirectly, to a 
                particular individual or device, provided that a 
                business that uses de-identified information--
                            (i) has de-identified the personal 
                        information using best practices for the types 
                        of data the information contains;
                            (ii) has implemented technical safeguards 
                        that prohibit re-identification of the 
                        individual with whom the information was 
                        linked;
                            (iii) has implemented business processes 
                        that specifically prohibit re-identification of 
                        the information;
                            (iv) has implemented business processes to 
                        prevent inadvertent release of de-identified 
                        information; and
                            (v) makes no attempt to re-identify the 
                        information.
                    (B) The Director may determine that a methodology 
                of de-identifying personal information is insufficient 
                for the purposes of this definition.
            (9) Director.--The term ``Director'' means the Director of 
        the Agency.
            (10) Disclose.--The term ``disclose'' means, with respect 
        to personal information or contents of communication, to sell, 
        release, transfer, share, disseminate, make available, or 
        otherwise cause to be communicated such information to a third 
        party.
            (11) Individual.--The term ``individual'' means a natural 
        person residing in the United States.
            (12) Maintain.--The term ``maintain'' means, with respect 
        to personal information or contents of communication, to store, 
        secure, or otherwise cause the retaining of such information, 
        or taking actions necessary for such purposes.
            (13) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means any information maintained by a covered entity 
                that is linked or reasonably linkable to a specific 
                individual or a specific device, including de-
                identified personal information and the means to 
                behavioral personalization created for or linked to a 
                specific individual.
                    (B) Exclusions.--The term ``personal information'' 
                does not include--
                            (i) publicly available information related 
                        to an individual; or
                            (ii) information derived or inferred from 
                        personal information, if the derived or 
                        inferred information is not linked or 
                        reasonably linkable to a specific individual.
            (14) Privacy harm.--The term ``privacy harm'' means adverse 
        consequences or potential adverse consequences to an individual 
        or society arising from the collection, processing, 
        maintenance, or disclosure of personal information, including--
                    (A) direct or indirect financial loss or economic 
                harm;
                    (B) physical harm;
                    (C) psychological harm, including anxiety, 
                embarrassment, fear, and other demonstrable mental 
                trauma;
                    (D) adverse outcomes or decisions with respect to 
                the eligibility of an individual for rights, benefits, 
                or privileges in employment (including hiring, firing, 
                promotion, demotion, and compensation), credit and 
                insurance (including denial of an application or 
                obtaining less favorable terms), housing, education, 
                professional certification, or the provision of health 
                care and related services;
                    (E) stigmatization or reputational harm;
                    (F) price discrimination;
                    (G) other adverse consequences that affect the 
                private life of an individual, including private family 
                matters and actions and communications within the home 
                of such individual or a similar physical, online, or 
                digital location where such individual has a reasonable 
                expectation that personal information will not be 
                collected, processed, or retained;
                    (H) chilling of free expression or action of an 
                individual, group of individuals, or society generally, 
                due to perceived or actual pervasive and excessive 
                collection, processing, disclosure, or maintenance of 
                personal information by a covered entity;
                    (I) impairing the autonomy of an individual, group 
                of individuals, or society generally; and
                    (J) other adverse consequences or potential adverse 
                consequences, consistent with the provisions of this 
                Act, as determined by the Director.
            (15) Privacy preserving computing.--
                    (A) In general.--The term ``privacy preserving 
                computing'' means--
                            (i) the collecting, processing, disclosing, 
                        or maintaining of personal information that has 
                        been encrypted or otherwise rendered 
                        unintelligible using a means that cannot be 
                        reversed by a covered entity, or a covered 
                        entity's service provider, such that--
                                    (I) if such personal information 
                                could be rendered intelligible through 
                                cooperation or sharing of cryptographic 
                                secrets by multiple persons, the 
                                covered entity has both technical 
                                safeguards and business processes to 
                                prevent such cooperation or sharing;
                                    (II) if such personal information 
                                is rendered intelligible within a 
                                hardware processing unit or other means 
                                of performing operations on the 
                                information, there are technical 
                                safeguards that, during the normal 
                                course of operation--
                                            (aa) prevent rendering 
                                        personal information 
                                        intelligible anywhere but 
                                        within the hardware processing 
                                        unit or other means of 
                                        performing operations; and
                                            (bb) make the exporting or 
                                        otherwise observing of such 
                                        intelligible information, or 
                                        the cryptographic secret used 
                                        to protect such information, 
                                        impossible; and
                                    (III) if the result of such 
                                processing of the personal information 
                                is also personal information, such 
                                result must be unintelligible to the 
                                covered entity or service provider and 
                                protected by privacy preserving 
                                computing.
                    (B) Insufficient methodologies.--The Director may 
                determine that a methodology of privacy preserving 
                computing is insufficient for the purposes of this 
                definition.
            (16) Process.--The term ``process'' means to perform or 
        cause to be performed any operation or set of operations on 
        personal information or contents of communication, whether or 
        not by automated means.
            (17) Protected class.--The term ``protected class'' means 
        the actual or perceived race, color, ethnicity, national 
        origin, religion, sex (including sexual orientation and gender 
        identity), familial status, or disability of an individual or 
        group of individuals.
            (18) Publicly available information.--The term ``publicly 
        available information'' means--
                    (A) information that is lawfully made available 
                from Federal, State, or local government records;
                    (B) information about a public individual or 
                official that is made publicly accessible, without 
                restrictions on accessibility other than the general 
                authorization to access the services used to make the 
                information accessible;
                    (C) information made publicly accessible by the 
                individual to whom it pertains, without restrictions on 
                accessibility other than the general authorization to 
                access the services used to make the information 
                accessible, and that such individual has the ability to 
                delete or change without relying on a request under 
                section 102 or 103 of this Act; and
                    (D) does not include--
                            (i) biometric information collected by a 
                        covered entity relating to an individual 
                        without the individual's knowledge;
                            (ii) information used for a purpose that is 
                        not compatible with the purpose for which the 
                        information is maintained and made available in 
                        government records;
                            (iii) information obtained from government 
                        records for the purpose of selling such 
                        information; or
                            (iv) information used to contact or locate 
                        a private individual either physically or 
                        electronically.
            (19) Reasonable mechanism.--The term ``reasonable 
        mechanism'' means, in the case of a mechanism for individuals 
        to exercise a right under title I or interact with a covered 
        entity under title II, that such mechanism--
                    (A) is equivalent in availability and ease of use 
                to that of other mechanisms for communicating or 
                interacting with the covered entity; and
                    (B) includes an online means of exercising such 
                right or engaging in such interaction, if such 
                individuals communicate or interact with such covered 
                entity through an online medium or if such covered 
                entity provides information processing services through 
                a public or widely available application programming 
                interface (or similar mechanism).
            (20) Sell and sale.--
                    (A) In general.--The terms ``sell'' and ``sale'' 
                means the disclosure of personal information for 
                monetary consideration by a covered entity to a third 
                party for the purposes of processing, maintaining or 
                disclosing such personal information at the third 
                party's discretion.
                    (B) Exclusions.--The terms ``sell'' and ``sale'' do 
                not include--
                            (i) the disclosure of personal data to a 
                        third party with which the individual has a 
                        direct relationship for purposes of providing a 
                        product or service requested by the individual 
                        or otherwise in a manner that is consistent 
                        with an individual's reasonable expectations 
                        considering the context in which the individual 
                        provided the personal information to the 
                        covered entity;
                            (ii) the disclosure or transfer of personal 
                        information to a subsidiary or an affiliate of 
                        the covered entity; or
                            (iii) the disclosure or transfer of 
                        personal information to a third party as an 
                        asset that is part of a merger, acquisition, 
                        bankruptcy, or other transaction in which the 
                        third party assumes control of all or part of 
                        the covered entity's assets, unless such assets 
                        are limited to personal information unless 
                        personal information makes up the majority of 
                        the value of such assets.
            (21) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a covered entity who--
                            (i) processes, discloses, or maintains 
                        personal information, where such person does 
                        not process, disclose, or maintain the personal 
                        information other than in accordance with the 
                        directions and on behalf of another covered 
                        entity;
                            (ii) does not directly collect personal 
                        information from or control the mechanism for 
                        collecting personal information from an 
                        individual;
                            (iii) does not earn revenue from 
                        processing, maintaining, or disclosing personal 
                        information disclosed to the service provider 
                        by a covered entity except by providing 
                        contracted services to another covered entity;
                            (iv) does not disclose personal information 
                        to another covered entity unless it was 
                        provided by that covered entity or resulted 
                        from maintaining or processing performed on 
                        personal information exclusively provide by 
                        that covered entity;
                            (v) does not offer services that allow 
                        another covered entity to target specific 
                        individuals using personal information not 
                        provided by that covered entity;
                            (vi) assists a covered entity on behalf of 
                        which it processes personal information to 
                        comply with title I, with respect to personal 
                        information processed or maintained by the 
                        service provider on behalf of the covered 
                        entity, including providing tools for such 
                        covered entities requirements under title I if 
                        requested; and
                            (vii) does not link the personal 
                        information provided by another covered entity 
                        to personal information from any other source.
                    (B) Any such person, and the personal information 
                they disclose, process, or maintain, shall be treated 
                as a service provider under this Act only to the extent 
                that such person complies with the requirements under 
                (A).
            (22) Significant privacy harm.--The term ``significant 
        privacy harm'' means adverse consequences to an individual 
        arising from the collection, processing, maintenance, or 
        disclosure of personal information, limited to subparagraph 
        (A), (B), or (D) of paragraph (14).
            (23) Small business.--The term ``small business'' means a 
        covered entity that--
                    (A) does not earn revenue from the sale of personal 
                information;
                    (B) earns less than half of annual revenues from 
                the processing of personal information for targeted or 
                personalized advertising;
                    (C) has not, at any time during the preceding 6-
                month period, maintained personal information of 
                250,000 or more individuals;
                    (D) has fewer than 200 employees; and
                    (E) received less than $25,000,000 in gross revenue 
                in the preceding 12-month period.
            (24) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (25) Third party.--The term ``third party'' means, with 
        respect to a covered entity, a person--
                    (A) to whom such covered entity disclosed personal 
                information; and
                    (B) is not--
                            (i) such covered entity;
                            (ii) a subsidiary or corporate affiliate of 
                        such covered entity; or
                            (iii) a service provider of such covered 
                        entity.

SEC. 3. PROHIBITION ON WAIVERS.

    (a) In General.--The provisions under this Act may not be waived. 
Any agreement purporting to waive compliance with or modify any 
provision of this Act shall be void as contrary to public policy.
    (b) Prohibition on Predispute Arbitration Agreements.--No 
predispute arbitration agreement shall be valid or enforceable with 
respect to any claims under this Act.

SEC. 4. EFFECTIVE DATE.

    (a) In General.--This Act shall apply beginning on the date that is 
1 year after the date of the enactment of this Act.
    (b) Authority To Promulgate Regulations and Take Certain Other 
Actions.--Nothing in subsection (a) affects the authority to take an 
action expressly required by a provision of this Act to be taken before 
the effective date described in such subsection.

SEC. 5. JOURNALISM PROTECTION.

    (a) In General.--Covered entities engaged in journalism shall not 
be subject to the obligations imposed under this Act to the extent that 
those obligations directly infringe on the journalism rather than the 
business practices of the covered entity, so long as, the covered 
entity has technical safeguards and business processes that prevent the 
collection, processing, maintaining, or disclosure of such personal 
information for business practices other than journalism.
    (b) Journalism.--The term ``journalism'' includes the collecting, 
maintaining, processing, and disclosing of personal information about a 
public individual or official, or that otherwise concerns matters of 
public interest, for dissemination to the public.

SEC. 6. SMALL BUSINESS COMPLIANCE RAMP.

    Upon losing its status as a small business, a covered entity shall 
have nine months to comply with provisions of this Act that a small 
business is exempt from complying with.

SEC. 7. CRIMINAL PROHIBITION ON DISCLOSING PERSONAL INFORMATION.

    Chapter 41 of title 18, United States Code, is amended by adding at 
the end the following:
``Sec. 881. Disclosure of personal information with the intent to cause 
              harm
    ``Whoever uses a channel of interstate or foreign commerce to 
knowingly disclose an individual's personal information--
            ``(1) with the intent to threaten, intimidate, or harass 
        any person, incite or facilitate the commission of a crime of 
        violence against any person, or place any person in reasonable 
        fear of death or serious bodily injury; or
            ``(2) with the intent that the information will be used to 
        threaten, intimidate, or harass any person, incite or 
        facilitate the commission of a crime of violence against any 
        person, or place any person in reasonable fear of death or 
        serious bodily injury,
shall be fined under this title or imprisoned not more than 5 years, or 
both.''.

SEC. 8. LIMITATION ON DISCLOSING NONREDACTED GOVERNMENT RECORDS.

    (a) In General.--A Federal or State government entity may not use a 
channel of interstate commerce to disclose the personal information of 
an individual in a government record without an agreement prohibiting 
the recipient of such information from selling the information without 
the express consent of the individual for each disclosure.
    (b) Exception.--Notwithstanding subsection (a), nothing in this 
section shall prohibit the disclosure of personal information using a 
channel of interstate commerce to another government entity without 
consent of the individual.

                       TITLE I--INDIVIDUAL RIGHTS

SEC. 101. RIGHT OF ACCESS.

    (a) In General.--A covered entity shall make available a reasonable 
mechanism by which an individual may access--
            (1) the categories of personal information and contents of 
        communications of such individual that is maintained by such 
        covered entity, including, in the case of personal information 
        that such covered entity did not collect from such individual, 
        how and from whom such covered entity obtained such personal 
        information;
            (2) a list of the third parties, subsidiaries, and 
        corporate affiliates, to which such covered entity has 
        disclosed and from which such covered entity has, at any time 
        on or after the effective date specified in section 4(a), 
        obtained the personal information of such individual;
            (3) a concise and clear description of the business or 
        commercial purposes of such covered entity--
                    (A) for collecting, processing, or maintaining the 
                personal information of such individual; and
                    (B) for disclosing to a third party the personal 
                information of such individual; and
            (4) a list of automated decision-making processes that an 
        individual has a right to request human review of under section 
        105 with a concise and clear description of the implications 
        and intended effects of such process.
    (b) Exception for Publicly Accessibly Information.--A covered 
entity that makes available information required in subsection (a) 
shall be considered in compliance with such requirements if the covered 
entity provides an individual instructions on how to access a public 
posting of such information, including in a privacy policy, if the 
instructions are easy and do not require payment.
    (c) Small Businesses Excluded.--Subsection (a)(3) does not apply to 
a small business.

SEC. 102. RIGHT OF CORRECTION.

    (a) Dispute by Individual.--A covered entity shall make available a 
reasonable mechanism by which an individual may dispute the accuracy or 
completeness of personal information linked to such individual that is 
maintained by such covered entity if such information is processed in 
any way, by such covered entity, a third party of such covered entity, 
or a service provider of such covered entity that may increase 
reasonably foreseeable significant privacy harms.
    (b) Correction by Covered Entity.--A covered entity receiving a 
dispute under subsection (a) shall--
            (1) correct or complete (as the case may be) the disputed 
        information and notify such individual that the correction or 
        completion has been made; or
            (2) notify such individual that--
                    (A) the disputed information is correct or 
                complete;
                    (B) such covered entity lacks sufficient 
                information to correct or complete the disputed 
                information; or
                    (C) such covered entity is denying the request for 
                correction or completion in reliance on an exemption or 
                exception provided by section 109(g) (with the 
                notification containing an identification of the 
                specific exemption or exception relied upon).
    (c) Small Businesses Excluded.--This section does not apply to a 
small business.

SEC. 103. RIGHT OF DELETION.

    (a) Request by Individual.--A covered entity shall make available a 
reasonable mechanism by which an individual may request the deletion of 
personal information and contents of communications of such individual 
maintained by such covered entity, including any such information that 
such covered entity acquired from a third party or inferred from other 
information maintained by such covered entity.
    (b) Deletion by Covered Entity.--A covered entity receiving a 
request for deletion under subsection (a) shall--
            (1) delete such information and notify such individual that 
        such information has been deleted; or
            (2) notify such individual that such covered entity is 
        denying the request for deletion in reliance on an exemption or 
        exception provided by section 109(g) (with the notification 
        containing an identification of the specific exemption or 
        exception relied upon).

SEC. 104. RIGHT OF PORTABILITY.

    (a) Determination of Portable Categories.--
            (1) Annual determination.--Not less frequently than once 
        per year, the Director shall--
                    (A) establish categories of products and services 
                offered by covered entities, based on similarities in 
                the products and services;
                    (B) determine which categories established under 
                subparagraph (A) are portable categories; and
                    (C) publish in the Federal Register a list of 
                portable categories determined under subparagraph (B).
            (2) Opportunity for public comment.--Before publishing the 
        final list under paragraph (1)(C), the Director shall--
                    (A) publish a draft of such list in the Federal 
                Register; and
                    (B) provide for an opportunity for public comment 
                on such draft list.
    (b) Exercise of Right.--
            (1) In general.--A covered entity that offers a product or 
        service in a portable category shall make available to an 
        individual whose personal information or contents of 
        communications such entity maintains a reasonable mechanism by 
        which such individual may--
                    (A) download, in a format that is structured, 
                commonly used, and machine-readable--
                            (i) any personal information of such 
                        individual that such individual has provided to 
                        such covered entity, with the option to 
                        download such information by category that is 
                        accessible under section 101 of this Act; and
                            (ii) any contents of communications; and
                    (B) using a real-time application programming 
                interface, or similar mechanism, transmit all personal 
                information and contents of communications of or 
                related to such individual (whether or not provided to 
                such covered entity by such individual) from such 
                covered entity to another covered entity in accordance 
                with subsection (c).
            (2) Requirements for application programming interface.--
        The application programming interface, or similar mechanism, 
        required by paragraph (1)(B) shall--
                    (A) be publicly documented;
                    (B) allow the option of data to be obtained by 
                category that is accessible under section 101;
                    (C) include a publicly available, fully functional 
                test version for development purposes; and
                    (D) be of similar quality to mechanisms used 
                internally by the covered entity.
    (c) Requirements for Access to Application Programming Interface.--
            (1) Access.--A covered entity shall provide access to the 
        application programming interface or similar mechanism required 
        by subsection (b)(1)(B) upon the request of another covered 
        entity if the requesting covered entity has self-certified, 
        using the procedures established by the Director under 
        paragraph (3)(A), that such requesting covered entity--
                    (A) is a covered entity;
                    (B) can have personal information disclosed to it 
                under section 205 of this Act;
                    (C) is, at the time of the self-certification, in 
                compliance with all requirements of this Act (including 
                provisions a small business is otherwise exempt from 
                complying with);
                    (D) will continue to comply with all requirements 
                of this Act; and
                    (E) will only use such application programming 
                interface or similar mechanism at the express request 
                of an individual.
            (2) Denial of access.--
                    (A) In general.--A covered entity may deny access 
                to the application programming interface or similar 
                mechanism required by subsection (b)(1)(B) if such 
                covered entity has an objective, reasonable belief that 
                the requesting covered entity has failed to meet the 
                requirements for self-certification under paragraph 
                (1).
                    (B) Review.--In accordance with the procedures 
                established under paragraph (3)(B), a covered entity 
                the request of which is denied under subparagraph (A) 
                may petition the Director for review of the denial. If 
                the Director finds that such denial is unreasonable, 
                the Director may impose a penalty, to be established in 
                such procedures, on the covered entity that denied the 
                request.
            (3) Certification and review procedures.--The Director 
        shall establish--
                    (A) procedures for a covered entity to self-certify 
                under paragraph (1); and
                    (B) procedures for the review of petitions under 
                paragraph (2)(B), including penalties for unreasonable 
                denials.
    (d) Small Businesses Excluded.--This section does not apply to a 
small business.
    (e) Definitions.--In this section:
            (1) Portable category.--The term ``portable category'' 
        means a category of products and services established by the 
        Director under subsection (a)(1)(A)--
                    (A) for which the sum obtained by adding the number 
                of users or estimated users of each product or service 
                in such category is greater than 10,000,000; and
                    (B) that--
                            (i) has an estimated Herfindahl-Hirschman 
                        Index of 2,000 or greater;
                            (ii) the total number of covered entities 
                        offering products and services in such category 
                        is 3 or less; or
                            (iii) the Director otherwise determines 
                        that a category would benefit from encouraging 
                        increased competition.
            (2) Users.--The term ``users'' means, with respect to a 
        product or service, the monthly active users, subscribers, or 
        customers (or a reasonable proxy or substitute therefor 
        determined by the Director) of such product or service.

SEC. 105. RIGHT TO HUMAN REVIEW OF AUTOMATED DECISIONS.

    For any decision by a covered entity based solely on automated 
processing of personal information of an individual, if such processing 
increases reasonably foreseeable significant privacy harms for such 
individual, such covered entity shall--
            (1) inform such individual of what personal information is 
        or may be used for such decision;
            (2) make available a reasonable mechanism by which such 
        individual may request human review of such decision; and
            (3) if such individual requests such a review, conduct such 
        review within a reasonable amount of time after such request.

SEC. 106. RIGHT TO INDIVIDUAL AUTONOMY.

    (a) In General.--A covered entity shall not collect, process, 
maintain, or disclose an individual's personal information to:
            (1) create, improve upon, or maintain;
            (2) process with; or
            (3) otherwise link an individual with;
an algorithm, model, or other means designed for behavioral 
personalization, without the affirmative express consent of that 
individual.
    (b) Consent.--A covered entity must obtain express affirmative 
consent from an individual before it may provide a behaviorally 
personalized version of a product or service. Where consent is denied, 
a covered entity must provide the product or service without behavioral 
personalization.
    (c) Exceptions to Providing Product or Service.--
            (1) Where the offering of a substantially similar product 
        or service without behavioral personalization is infeasible, a 
        covered entity shall provide, to the greatest extent feasible, 
        a core aspect or part of the product or service that can be 
        offered without behavioral personalization.
            (2) Where no core aspect or part of the product or service 
        can function in a substantially similar function without 
        behavioral personalization, a covered entity may deny providing 
        an individual use of such product or service if such individual 
        does not consent to behavioral personalization as required in 
        subsection (a).
    (d) Exception to Behavioral Processing.--Notwithstanding 
subsections (a) and (b), a covered entity may create or process using 
behavioral personalization algorithms, models, or other mechanisms for 
the purpose of increasing the usability of the product or service 
provided by a covered entity that--
            (1) are built using aggregated personal information that is 
        representative of all the personal information the covered 
        entity maintains; and
            (2) have an output that is both uniform across the 
        individuals that use the product or service and independent of 
        a specific individual's inherent or behavioral characteristics.
    (e) Usability.--The term ``usability'' as used in subsection (d) 
does not include optimizations or other alterations to the product or 
service that are made with the primary purpose of increasing the amount 
of time an individual engages with or uses the product or service, 
unless such increase benefits the individual
    (f) Small Businesses Excluded.--This section does not apply to a 
small business.

SEC. 107. RIGHT TO BE INFORMED.

    A covered entity that collects personal information of an 
individual with whom such covered entity does not have an existing 
relationship (as of the time of the collection), if such personal 
information includes contact information, shall notify such individual 
within 30 days, in writing if possible and at no charge to the 
individual, that such covered entity has collected the personal 
information of such individual.

SEC. 108. RIGHT TO IMPERMANENCE.

    (a) Limitation on Maintenance of Personal Information.--A covered 
entity shall not maintain personal information for more time than 
expressly consented to by an individual whose personal information is 
being maintained.
    (b) Consent.--A covered entity must obtain express affirmative 
consent from an individual before maintaining the personal information 
of such individual for any duration. Such consent may be obtained for 
categories of personal information and shall give an individual options 
to affirmatively choose granting a covered entity consent for various 
durations, at least including--
            (1) for no longer than needed to complete the specific 
        request or transaction (including a reasonable estimate of such 
        duration by the covered entity);
            (2) until consent is revoked; and
            (3) one or more additional durations based on reasonable 
        expectations and norms for the maintenance of the category of 
        personal information being maintained.
    (c) Exception for Implied Consent.--Where the long-term maintenance 
of personal information is, on its face, obvious and a core feature of 
the product or service at the request of the individual, and the 
personal information is maintained only to provide such product or 
service, subsections (a) and (b) shall not apply.

SEC. 109. EXEMPTIONS, EXCEPTIONS, FEES, TIMELINES, AND RULES OF 
              CONSTRUCTION FOR RIGHTS UNDER THIS TITLE.

    (a) Exemptions for Personal Information for Particular Purposes.--
            (1) In general.--This title does not apply with respect to 
        personal information that is collected, processed, maintained, 
        or disclosed for any of the following purposes (or a 
        combination of such purposes), where a covered entity has 
        technical safeguards and business processes that limit the 
        collection, processing, maintaining, or disclosure of such 
        personal information to the following purposes:
                    (A) Detecting, responding to, or preventing 
                security incidents or threats.
                    (B) Protecting against malicious, deceptive, 
                fraudulent, or illegal activity.
                    (C) Complying with specific law enforcement 
                requests or court orders.
                    (D) Protecting a legally recognized privilege or 
                other legal right.
                    (E) Protecting public safety.
                    (F) Collection, processing, or maintenance by an 
                employer pursuant to an employer-employee relationship 
                of records about employees or employment status, 
                except--
                            (i) where the information would not be 
                        reasonably expected to be collected in the 
                        context of an employee's regular duties; or
                            (ii) was disclosed to the employer by a 
                        third party.
                    (G) Preventing prospective abuses of a service by 
                an individual whose account has been previously 
                terminated.
                    (H) Routing a communication through a 
                communications network or resolving the location of a 
                host or client on a communications network.
                    (I) Providing transparency in advertising or 
                origination of user generated content.
            (2) Reidentification.--Where compliance with this title 
        would require the reidentification of de-identified personal 
        information, and the covered entity does not already maintain 
        the information necessary for such reidentification, the 
        covered entity shall be exempt from such compliance, except for 
        with section 106.
            (3) Disclosure.--A covered entity relying on an exemption 
        under paragraph (1) with respect to personal information shall 
        disclose in the privacy policy maintained by such entity under 
        section 213--
                    (A) the reason for which such information is 
                collected, processed, maintained, or disclosed; and
                    (B) a description of the rights provided by this 
                title that are not available with respect to such 
                personal information by reason of such exemption.
    (b) Exceptions for Particular Requests.--
            (1) In general.--A covered entity may deny the request of 
        an individual under this title if--
                    (A) such covered entity cannot confirm the identity 
                of such individual;
                    (B) such covered entity determines that granting 
                the request of such individual would create a 
                legitimate risk to the privacy, security, safety, or 
                other rights of another individual;
                    (C) such covered entity determines that granting 
                the request of such individual would create a 
                legitimate risk to free expression; or
                    (D) the personal information requested to be 
                corrected under section 102 or deleted under section 
                103--
                            (i) is necessary to the completion of a 
                        transaction initiated before such request was 
                        made or the performance of a contract entered 
                        into before such request was made;
                            (ii) was collected specifically for the 
                        completion of such transaction or the 
                        performance of such contract; and
                            (iii) would undermine the integrity of a 
                        legally significant transaction.
            (2) Limitations on requests for additional information to 
        confirm identity.--A covered entity may not deny a request of 
        an individual under paragraph (1)(A) on the basis of the 
        refusal of such individual to provide additional personal 
        information to such covered entity to confirm the identity of 
        such individual--
                    (A) if the identity of such individual can 
                reasonably be confirmed using personal information of 
                such individual that such covered entity (as of the 
                time of the request) already maintains; or
                    (B) if such individual has an existing relationship 
                (as of the time of the request) with such covered 
                entity, such individual has confirmed the identity of 
                such individual to such covered entity in the same 
                manner as for other transactions of a similar 
                sensitivity.
    (c) Exemption for Service Providers.--This title does not apply to 
a service provider.
    (d) Exemption for Privacy Preserving Computing.--Except for 
sections 101, 105, 106, and 109, this title does not apply to personal 
information secured using privacy preserving computing.
    (e) Timeline for Complying With a Request.--Without undue delay but 
not longer than 30 days after the request, a covered that receives a 
request under this title must--
            (1) comply with such request; or
            (2) inform such individual of the reason for denying such 
        request, as allowed under subsections (a) or (b) of this 
        section.
    (f) Fees Prohibited.--
            (1) In general.--Except as provided in paragraph (2), a 
        covered entity may not charge a fee to an individual for a 
        request made under this title.
            (2) Unfounded or excessive requests.--If a request under 
        this title is unfounded or excessive, a covered entity may 
        charge a reasonable fee that reflects the estimated 
        administrative costs of complying with such request.
            (3) Agency notice.--If a covered entity plans to charge fee 
        under paragraph (2), it must notify the Agency at least 7 days 
        before charging such fee.
            (4) Agency review.--The Director may reject any fee that a 
        covered entity plans to charge for a request made under this 
        title if the Agency finds--
                    (A) such fee to be unreasonable relative to 
                reasonable administrative costs of complying with a 
                request under this title; or
                    (B) such request is not unfounded or excessive.
    (g) Rules of Construction.--Nothing in this title shall be 
construed to require a covered entity to--
            (1) take an action that would convert information that is 
        not personal information into personal information;
            (2) collect or maintain personal information or contents of 
        communication that the covered entity would otherwise not 
        maintain; or
            (3) maintain personal information or contents of 
        communication longer than the covered entity would otherwise 
        maintain such personal information.
    (h) Regulations.--The Director shall promulgate regulations to 
implement this section.

  TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND 
                             THIRD PARTIES

SEC. 201. MINIMIZATION AND ARTICULATED BASIS FOR COLLECTION, 
              PROCESSING, AND MAINTENANCE.

    (a) Articulated Basis.--A covered entity shall have a reasonable, 
articulated basis for the collection, processing, disclosure, and 
maintenance of personal information that takes into account the 
reasonable business needs of the covered entity and minimum amount of 
personal information necessary for providing the service, balanced with 
the intrusion on the privacy of, potential privacy harms to, and 
reasonable expectations of individuals to whom the personal information 
relates.
    (b) Minimization of Collection, Processing, Disclosure, and 
Maintenance.--
            (1) Collection.--A covered entity may not collect more 
        personal information than is reasonably needed to provide a 
        product or service that an individual has requested.
            (2) Processing.--A covered entity may not process personal 
        information for a purpose other than the purpose for which such 
        information was originally collected from the individual or in 
        the case of a service provider, a purpose other than that which 
        is in accordance with the directions of a covered entity.
            (3) Disclosure.--A covered entity may not disclose personal 
        information for a purpose other than the purpose for which such 
        information was originally collected from the individual or in 
        the case of a service provider, a purpose other than that which 
        is in accordance with the directions of a covered entity.
            (4) Maintenance.--A covered entity may not maintain 
        personal information once such information is no longer needed 
        for the purpose for which such information was originally 
        collected from the individual or in the case of a service 
        provider, a purpose other than that which is in accordance with 
        the directions of a covered entity.
    (c) Ancillary Collection, Processing, Disclosure, and 
Maintenance.--Notwithstanding subsection (b), a covered entity may 
engage in collection, processing, disclosure, or maintenance of 
personal information beyond limitations under subsection (b) only if 
such covered entity complies with this subsection.
            (1) No notice or consent required.--A covered entity may 
        engage in collection, processing, or maintenance of personal 
        information without additional notice or consent if the purpose 
        for such collection, processing, or maintenance is 
        substantially similar to the type of personal information and 
        purpose for which such personal information was originally 
        collected and such ancillary collection, processing, or 
        maintenance will not result in additional or increased privacy 
        harms.
            (2) Notice required.--A covered entity shall provide notice 
        of ancillary collection, processing, disclosure or maintenance 
        of personal information in the case of one, but not more than 
        one, of the following:
                    (A) Such ancillary collection, processing, 
                disclosure, or maintenance may result in additional or 
                increased privacy harms (but not increased significant 
                privacy harms), and is substantially similar to the 
                purpose for which such personal information was 
                originally collected.
                    (B) The purpose for such ancillary collection, 
                processing, disclosure, or maintenance is not 
                substantially similar to the purpose for which such 
                personal information was originally collected, but will 
                not result in additional or increased privacy harms.
                    (C) Such ancillary collection, processing, 
                disclosure, or maintenance may result in additional or 
                increased privacy harms (but not increased significant 
                privacy harms) and the purpose is not substantially 
                similar to the purpose for which such personal 
                information was originally collected, so long as, the 
                personal information is secured using privacy 
                preserving computing.
            (3) Notice and consent required.--For scenarios not covered 
        under paragraph (1) or (2), and notwithstanding section 
        212(b)(2) and (3), a covered entity shall provide notice of and 
        obtain consent for ancillary collection, processing, disclosure 
        or maintenance of personal information.
    (d) Substitution.--In cases in which personal information can be 
replaced with artificial personal information, personal information 
that has been de-identified, or the random personal information of a 
one or more individuals without substantially reducing the utility of 
the data or requiring an unreasonable amount of effort, such a 
replacement shall take place.

SEC. 202. MINIMIZATION AND RECORDS OF ACCESS BY EMPLOYEES AND 
              CONTRACTORS.

    (a) Minimization.--A covered entity shall restrict access to 
personal information and contents of communications by the employees or 
contractors of such covered entity based on an articulated balance 
between the potential for privacy harm, reasonable expectations of 
individuals to whom the personal information relates, and reasonable 
business needs.
    (b) Records of Access.--
            (1) In general.--A covered entity shall maintain records 
        identifying each instance in which an employee or a contractor 
        of such covered entity accesses personal information or 
        contents of communications if disclosure of, or a data breach 
        or data sharing abuse involving, such personal information or 
        contents may foreseeably result in increased privacy harms.
            (2) Information required.--The records required by 
        paragraph (1) shall include the following:
                    (A) A unique identifier for the employee or 
                contractor accessing personal information or contents 
                of communications.
                    (B) The date and time of access.
                    (C) The fields of information accessed.
                    (D) The individuals whose personal information was 
                accessed or the contents of whose communications were 
                accessed.
            (3) Small businesses excluded.--This subsection does not 
        apply to a small business.

SEC. 203. PROHIBITION ON THE COLLECTION OR MAINTENANCE OF PERSONAL 
              INFORMATION.

    A covered entity may not collect or maintain personal information 
using a channel of interstate commerce unless such covered entity is in 
compliance with all requirements of this Act.

SEC. 204. PROHIBITIONS ON THE DISCLOSURE OF PERSONAL INFORMATION.

    (a) Consent for Disclosure Required.--
            (1) In general.--A covered entity may not intentionally 
        disclose personal information unless the covered entity obtains 
        consent of the individual whose personal information is being 
        disclosed for each category of third party to which such 
        personal information will be disclosed. Such covered entity 
        must also provide such individual with notice of--
                    (A) each category of third party;
                    (B) the personal information to be disclosed; and
                    (C) a concise and clear description of the business 
                or commercial purpose for such disclosure.
            (2) Additional requirements for sale of personal 
        information.--
                    (A) In general.--A covered entity may not 
                intentionally sell personal information unless the 
                covered entity--
                            (i) obtains the consent required by 
                        paragraph (1) for each individual disclosure of 
                        such person information; and
                            (ii) and provides the individual to whom 
                        such personal information relates with the 
                        identity of the specific third party to which 
                        such personal information will be disclosed.
                    (B) Disclosure services.--Subparagraph (A) shall 
                not apply to a covered entity in a case in which an 
                individual is directing the covered entity to disclose 
                the personal information of such individual for the 
                sole purpose of procuring goods or services, or offers 
                for goods or services, for such individual, if there is 
                a reasonable mechanism for the individual to withdraw 
                consent.
            (3) Requirement to include original purpose of 
        collection.--A covered entity may not intentionally disclose 
        personal information without including the purpose for which 
        the personal information was originally collected.
            (4) Exception for privacy preserving computing.--
        Notwithstanding paragraph (1), consent is not required for a 
        disclosure (not including sale) of personal information secured 
        using privacy preserving computing.
            (5) Exception for de-identified personal information.--
        Notwithstanding paragraph (1), consent is not required for a 
        disclosure (not including sale) of de-identified personal 
        information where the disclosed personal information is limited 
        to the narrowest possible scope likely to yield the intended 
        benefit and contractual obligations are in place that 
        prohibit--
                    (A) re-identification of the disclosed personal 
                information; and
                    (B) the processing of additional personal 
                information in combination with the disclosed personal 
                information that would allow for the reidentification 
                of the disclosed personal information.
    (b) Disclosure for Advertising or Marketing Purposes.--
            (1) In general.--A covered entity may not intentionally 
        disclose for advertising or marketing purposes a unique 
        identifier or any other personal information that would allow 
        the disclosure of such information to be linked to past or 
        future disclosures of information relating to the same 
        individual or device.
            (2) Treatment of certain types of information.--A 
        disclosure for advertising or marketing purposes may not be 
        treated as violating subparagraph (1) by reason of including 
        any or all of the following:
                    (A) Internet Protocol addresses truncated to no 
                more than the first 24 bits for Internet Protocol 
                version 4 and the first 48 bits for Internet Protocol 
                version 6, or for a successor protocol truncated to 
                limit the precision of the identifier to a network 
                address of the internet access provider.
                    (B) Geolocation information truncated to allow no 
                more than the equivalent of two decimal degrees of 
                precision at the equator or prime meridian, or an 
                equivalent precision in another geolocation standard.
                    (C) A general description of a device, browser, or 
                operating system, or any combination thereof.
                    (D) An identifier that is unique for each 
                disclosure.

SEC. 205. DISCLOSURE TO ENTITIES NOT SUBJECT TO UNITED STATES 
              JURISDICTION OR NOT COMPLIANT WITH THIS ACT.

    (a) Prohibition.--A covered entity may not intentionally disclose 
personal information to any entity that--
            (1) is not subject to the jurisdiction of the United 
        States; or
            (2) is not in compliance with all requirements of this Act.
    (b) Exception.--Notwithstanding subsection (a), a covered entity 
may disclose personal information where that personal information is 
limited to an identifier created primarily for the purpose of sending 
or receiving electronic communications and the sole purpose of the 
disclosure is to send or receive an electronic communication at the 
request of the individual whose personal information is being 
disclosed.
    (c) Disclosure Safe Harbors.--Notwithstanding subsection (a), a 
covered entity may disclose personal information to another covered 
entity (the receiving covered entity) that is not subject to the 
jurisdiction of the United States if either--
            (1) the receiving covered entity has entered into an 
        agreement, as described in subsection (e), with the Agency, 
        and--
                    (A) the covered entity has a reasonable belief that 
                the receiving covered entity is sufficiently solvent to 
                compensate victims or pay fines for violations of this 
                Act;
                    (B) a contract between the covered entity and 
                receiving covered entity requires that the receiving 
                covered entity complies with this Act, and the covered 
                entity has reason to believe the receiving covered 
                entity is compliant with this Act; and
                    (C) a contract between the covered entity and the 
                receiving covered entity prohibits the receiving 
                covered entity from using the disclosed personal 
                information for any purpose other than provided in the 
                contract; or
            (2) the covered entity has--
                    (A) entered into an agreement with the receiving 
                covered entity that--
                            (i) requires the receiving covered entity 
                        to comply with this Act;
                            (ii) prohibits the receiving covered entity 
                        from using the disclosed personal information 
                        for any purpose other than provided in the 
                        contract;
                            (iii) requires the receiving covered entity 
                        to indemnify the covered entity against 
                        violations of this Act committed by the 
                        receiving covered entity for any amount the 
                        covered entity is unable to pay of a judgment 
                        for such violation;
                            (iv) grants the covered entity the 
                        authority to audit, including physical access 
                        to electronic devices and data, the receiving 
                        covered entity's compliance with this Act and 
                        the contract; and
                            (v) requires the receiving covered entity 
                        to assist the covered entity in responding to 
                        and complying with any court orders, Agency 
                        orders, or the exercising of an individual's 
                        rights under this Act;
                    (B) actual knowledge that the receiving covered 
                entity is in compliance with this Act and not using 
                personal information contrary to their agreement;
                    (C) actual knowledge that the receiving covered 
                entity is sufficiently solvent to compensate victims or 
                pay fines for violations of this Act;
                    (D) an auditing and compliance program to ensure 
                the receiving covered entity's continued compliance 
                with this Act and contract terms;
                    (E) filed with the Agency the terms of said 
                contract, proof of its actual knowledge of the 
                receiving covered entity's compliance with this Act and 
                contract terms, and documents detailing its auditing 
                and compliance program for approval and publication by 
                the Agency; and
                    (F) the covered entity has entered into an 
                agreement with the Agency where it agrees to accept, 
                respond to, or comply with a court order, agency order, 
                or request by an individual regarding actions taken by 
                the receiving covered entity with respect to the data 
                it has disclosed.
    (d) For the purposes of subsection (c)(2), the covered entity shall 
be jointly liable for a violation of this Act by the receiving covered 
entity regarding the data the covered entity disclosed, except where 
the covered entity was the first to notify the Agency of the violation, 
in which case, it shall be severally liable. Where the covered entity 
should reasonably have known of a violation of this Act by the 
receiving covered entity and fails to disclose the violation to the 
Agency, each day of continuance of the failure to report such violation 
shall be treated as a separate violation.
    (e) Agency Agreements.--Upon the request of a covered entity not 
subject to the jurisdiction of the United States, the Agency shall 
enter into an agreement with the covered entity that includes, but is 
not limited to, the following conditions:
            (1) The principle place of business for the covered entity 
        must be in a country that allows for the domestication of a 
        United States court decision for civil fines payable to a 
        government entity and injunctive relief. Where a foreign court 
        refuses to enforce a United States court decision under this 
        Act, the agreement, and all other agreements with covered 
        entities with a principle place of business in the same 
        jurisdiction, shall be void.
            (2) The covered entity agrees to comply with this Act.
            (3) The covered entity agrees to be subject to this Act 
        with choice of venue being a United States court.
            (4) The covered entity agrees to comply with Agency 
        investigative requests or orders, and United States court 
        orders or decisions under this Act.
            (5) The covered entity consents to United States Federal 
        court personal jurisdiction for the sole purpose of enforcing 
        this Act.
            (6) Where enforcement of the decision requires the use of a 
        foreign court, the covered entity agrees to pay reasonable 
        attorney fees necessary to enforce the judgment.
            (7) A default judgment, failure to comply with Agency 
        investigative requests or orders, or failure to comply with 
        United States court orders or decisions shall result in the 
        immediate termination of the agreement.
    (f) Rule of Construction Against Data Localization.--Nothing in 
this section shall be construed to require the localization of 
processing or maintaining personal information by a covered entity to 
within the United State, or limit internal disclosure of personal 
information within a covered entity or to subsidiary or corporate 
affiliate of such covered entity, regardless of the country in which 
the covered entity will process, disclose, or maintain that personal 
information.

SEC. 206. PROHIBITION ON REIDENTIFICATION.

    (a) In General.--Except as required under title I, a covered entity 
shall not use personal information collected from an individual, 
acquired from a third party, or acquired from a publicly available 
information to reidentify an individual from de-identified information.
    (b) Third-Party Prohibition.--A covered entity that discloses de-
identified information to a third party shall prohibit such third party 
from reidentifying an individual using such de-identified information.
    (c) Exception.--Subsection (a) shall not apply to qualified 
research entities, as determined by the Director, conducting research 
not for commercial purposes.

SEC. 207. RESTRICTIONS ON COLLECTION, PROCESSING, AND DISCLOSURE OF 
              CONTENTS OF COMMUNICATIONS.

    (a) In General.--A covered entity may not collect, process, 
maintain, or disclose the contents of any communication, regardless of 
whether the sender or intended recipient of the communication is an 
individual, other person, or an electronic device, for any purpose 
other than--
            (1) transmission or display of the communication to any 
        intended recipient or the original sender, or maintenance of 
        such communications for such purposes;
            (2) detecting, responding to, or preventing security 
        incidents or threats;
            (3) providing services to assist in the drafting or 
        creation of the content of a communication;
            (4) processing expressly requested by the sender or 
        intended recipient, if the sender or intended recipient can 
        terminate such processing using a reasonable mechanism;
            (5) a disclosure otherwise required by law;
            (6) the filtering of a communication where primary purpose 
        of the communication is the commercial advertisement or 
        promotion of a commercial product or service; or
            (7) detecting or enforcing an abuse or violation of the 
        service's terms of service that would result in either a 
        temporary or permanent ban from using the service.
    (b) Intended Recipient.--A covered entity is not considered an 
intended recipient of a communication, or any communication used in the 
creation of the content of said communication, where--
            (1) at least one intended recipient is a natural person 
        other than an employee or contractor of the covered entity;
            (2) at least one intended recipient is a person other than 
        the covered entity; or
            (3) a purpose of the covered entity's service is to 
        maintain, at the direction of the sender, the content of said 
        communication for more than a transitory period.
    (c) Sender.--The sender of a communication is the person for whom 
the communication, and its content, is disclosed at the direction of 
and on behalf of.
            (1) Where the sender is a natural person, they shall be the 
        sender of the entire content of the communication, regardless 
        of the original author of any portion of the content.
            (2) Otherwise, a sender shall be the sender of only the 
        content it was an original author of, or content it received as 
        an intended recipient.
    (d) Exception for Publicly Available Communications.--Subsection 
(a) shall not apply where the contents of communication that are made 
publicly accessible by the sender without restrictions on accessibility 
other than the general authorization to access the services used to 
make the information accessible.
    (e) Encryption Protection.--A covered entity shall not--
            (1) prohibit or prevent a person from encrypting or 
        otherwise rendering unintelligible the content of a 
        communication using a means that prevents the covered entity 
        from being able to decrypt or otherwise render intelligible 
        said content; and
            (2) require or cause a person to disclose or circumvent the 
        means described in paragraph (1) to the covered entity that 
        would allow it to render the content intelligible.
    (f) Service Providers Safe Harbor.--A service provider shall not be 
held liable for a violation of this section if such service provider is 
acting at the direction of and on behalf of a covered entity and has a 
reasonable belief that the covered entity's directions are in 
compliance with this section.

SEC. 208. PROHIBITION ON DISCRIMINATORY PROCESSING.

    (a) Discrimination in Economic Opportunities.--A covered entity 
shall not process personal information or contents of communication for 
advertising, marketing, soliciting, offering, selling, leasing, 
licensing, renting, or otherwise commercially contracting for 
employment, finance, healthcare, credit, insurance, housing, or 
education opportunities in a manner that discriminates against or 
otherwise makes opportunities unavailable on the basis of an 
individual's protected class status.
    (b) Public Accommodations.--A covered entity shall not process 
personal information in a manner that segregates, discriminates in, or 
otherwise makes unavailable the goods, services, facilities, 
privileges, advantages, or accommodations of any place of public 
accommodation on the basis of a person's or a group's protected class 
status.
    (c) The Director shall promulgate regulations to implement this 
section.

SEC. 209. RESTRICTIONS ON GENETIC INFORMATION.

    (a) In General.--A covered entity may not collect, process, 
maintain, or disclose genetic information for any purpose other than--
            (1) providing medical treatment or testing to the 
        individual whose genetic information is being collected, 
        processed, maintained, or disclosed;
            (2) research and services related to medical, historical, 
        or population uses of genetic information, if, in the case of 
        disclosure of genetic information--
                    (A) such genetic information is only disclosed to 
                qualified research entities, as determined by the 
                Director;
                    (B) additional personal information disclosed with 
                such genetic information is limited to the narrowest 
                possible scope likely to yield the intended benefit; 
                and
                    (C) the covered entity limits, through contractual 
                obligations, additional types of personal information 
                that can be processed with the disclosed genetic 
                information and personal information.
            (3) a purpose specified by the Director by regulation, 
        taking into account the potential privacy harms and potential 
        benefits of such collection, processing, maintenance, or 
        disclosure; or
            (4) to comply with a Federal criminal investigation request 
        or order.
    (b) Genetic Information Defined.--In this section, the term 
``genetic information'' has the meaning given such term in section 201 
of the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C. 
2000ff).
    (c) Service Providers Safe Harbor.--A service provider shall not be 
held liable for a violation of this section if such service provider is 
acting at the direction of and on behalf of a covered entity and has a 
reasonable belief that is the covered entity's directions are in 
compliance with this section.

SEC. 210. REQUIREMENTS FOR NOTICE AND CONSENT PROCESSES AND PRIVACY 
              POLICIES.

    (a) Minimum Threshold.--The Director shall establish a minimum 
threshold that a covered entity must meet for the percentage of 
individuals who read and understand a notice or consent process or 
privacy policy required by this Act. In establishing such minimum 
thresholds, the Director shall take into account expectations of 
individuals, potential privacy harms, and individuals' awareness of 
privacy harms.
    (b) Consent Revocation.--A covered entity shall make available a 
reasonable mechanism by which an individual may revoke consent for any 
consent given under this Act.
    (c) Safe Harbor.--
            (1) Approval procedures.--The Director shall develop 
        procedures for analyzing and approving data submitted by a 
        covered entity to establish that a notice and consent process 
        or privacy policy of such covered entity meets the threshold 
        established under subsection (a).
            (2) Presumption.--If a covered entity submits testing data 
        to and receives an approval from the Director under paragraph 
        (1) establishing that a notice or consent process or privacy 
        policy of such covered entity meets the threshold established 
        under subsection (a), such notice or consent process or privacy 
        policy shall be presumed to have met such threshold. Such 
        presumption may be rebutted by clear and convincing evidence.
            (3) Public availability of approved processes and policies 
        and associated testing data.--The Director shall make publicly 
        available online the notice and consent processes and privacy 
        policies and associated testing data that the Director approves 
        under paragraph (1).
            (4) Small business adoption of notice or consent process of 
        another covered entity.--
                    (A) In general.--If a small business adopts a 
                notice or consent process of another covered entity 
                that collects, processes, maintains, or discloses 
                personal information in substantially the same way as 
                such small business, if the process of such other 
                covered entity has been approved under paragraph (1), 
                the process of such small business shall receive the 
                presumption under paragraph (2).
                    (B) Ability to freely use approved process.--A 
                covered entity whose notice or consent process is 
                approved under paragraph (1) shall permit a small 
                business to freely use such process, or a derivative 
                thereof, as described in subparagraph (A).
                    (C) No published process.--In the case of a small 
                business for which there is no approved notice or 
                consent process published under paragraph (3) of a 
                covered entity that collects, processes, maintains, or 
                discloses personal information in substantially the 
                same way as such small business, any requirement under 
                this title for a notice or consent process to be 
                objectively shown to meet the threshold established by 
                the Director under subsection (a) shall not apply to 
                such small business. Nothing in the preceding sentence 
                exempts a small business from the requirement to use 
                such notice or consent process or that such process be 
                concise and clear.
                    (D) Inapplicability to privacy policy.--Paragraph 
                (4) does not apply with respect to a privacy policy.
            (5) Minor changes.--A covered entity may make minor changes 
        in a notice or consent process or privacy policy approved under 
        paragraph (1) and retain the presumption under paragraph (2) 
        for such process or policy without retesting or resubmission of 
        testing data to the Director.

SEC. 211. PROHIBITION ON DECEPTIVE NOTICE AND CONSENT PROCESSES AND 
              PRIVACY POLICIES.

    In providing notice, obtaining consent, or maintaining a privacy 
policy as required by this title, a covered entity may not 
intentionally take any action that substantially impairs, obscures, or 
subverts the ability of an individual to--
            (1) understand the contents of such notice or such privacy 
        policy;
            (2) understand the process for granting such consent;
            (3) make a decision regarding whether to grant or withdraw 
        such consent; or
            (4) act on any such decision.

SEC. 212. NOTICE AND CONSENT REQUIRED.

    (a) Notice.--A covered entity shall provide an individual with 
notice of the personal information such covered entity collects, 
processes, maintains, and discloses through a process that is concise 
and clear and can be objectively shown to meet the threshold 
established by the Director under section 210(a).
    (b) Consent.--
            (1) Express consent required.--Except as provided in 
        paragraphs (2) and (3), a covered entity may not collect from 
        an individual personal information that creates or increases 
        the risk of foreseeable privacy harms, or process or maintain 
        any such personal information collected from an individual, 
        unless such entity obtains the express consent of such 
        individual to the collection, processing, or maintenance (or 
        any combination thereof) of such information through a process 
        that is concise and clear and can be objectively shown to meet 
        the threshold established by the Director under section 210(a).
            (2) Exception for implied consent.--Notwithstanding 
        paragraph (1), express consent is not required for collection, 
        processing, or maintenance of personal information if the 
        collection, processing, or maintenance is, on its face, obvious 
        and necessary to provide a service at the request of the 
        individual and the personal information is collected, 
        processed, or maintained only for such request. Nothing in this 
        paragraph shall be construed to exempt the covered entity from 
        the requirement of subsection (a) to provide notice to such 
        individual with respect to such collection, processing, or 
        maintenance.
            (3) Exemption for privacy preserving computing.--
        Notwithstanding paragraph (1), except with regard to consent 
        for purposes of section 106, express consent is not required 
        for collection, processing, or maintenance of personal 
        information secured using privacy preserving computing. Nothing 
        in this paragraph shall be construed to exempt the covered 
        entity from the requirement of subsection (a) to provide notice 
        to such individual with respect to such collection, processing, 
        or maintenance.
    (c) Service Providers Excluded.--This section does not apply to a 
service provider if such service provider has a reasonable belief that 
a covered entity for which it processes, maintains, or discloses 
personal information is in compliance with this section.

SEC. 213. PRIVACY POLICY.

    (a) Policy Required.--A covered entity shall maintain a privacy 
policy relating to the practices of such entity regarding the 
collection, processing, maintenance, and disclosure of personal 
information.
    (b) Contents.--The privacy policy required by subsection (a) shall 
contain the following:
            (1) A general description of the practices of the covered 
        entity regarding the collection, processing, maintenance, and 
        disclosure of personal information.
            (2) A description of how individuals may exercise the 
        rights provided by title I.
            (3) A clear and concise summary of the following:
                    (A) The categories of personal information 
                collected or otherwise obtained by the covered entity.
                    (B) The business or commercial purposes of the 
                covered entity for collecting, processing, maintaining, 
                or disclosing personal information.
                    (C) The categories and a list of third parties to 
                which the covered entity discloses personal 
                information.
            (4) A description of the personal information that the 
        covered entity maintains that the covered entity does not 
        collect from individuals and how the covered entity obtains 
        such personal information.
            (5) A list of the third parties to which the covered entity 
        has disclosed personal information.
            (6) A list of the third parties from which the covered 
        entity has obtained personal information at any time on or 
        after the effective date specified in section 4(a).
            (7) The articulated basis for the collection, processing, 
        disclosure and maintenance of personal information, as required 
        under section 201(a).
    (c) Exemption for Personal Information for Particular Purposes.--
The privacy policy required by subsection (a) is not required to 
contain information relating to personal information that is collected, 
processed, maintained, or disclosed exclusively for any of the purposes 
described in paragraph (1) of section 109(a) (or a combination of such 
purposes), except as provided in paragraph (2) of such section.
    (d) Availability of Privacy Policy.--
            (1) Form and manner.--The privacy policy required by 
        subsection (a) shall be--
                    (A) clear and in plain language; and
                    (B) made publicly available in a prominent location 
                on an ongoing basis.
            (2) Timing.--The privacy policy required by subsection (a) 
        shall be made available as required by paragraph (1) before any 
        collection of personal information by the covered entity that 
        occurs after the effective date specified in section 4(a).
    (e) Small Businesses Excluded.--Subsections (b)(7) and (d) do not 
apply to a small business.
    (f) Service Providers Excluded.--This section does not apply to a 
service provider if such service provider has a reasonable belief that 
a covered entity for which it processes, maintains, or discloses 
personal information is in compliance with this section.

SEC. 214. INFORMATION SECURITY REQUIREMENTS.

    (a) In General.--A covered entity shall establish and implement 
reasonable information security policies, practices, and procedures for 
the protection of personal information collected, processed, 
maintained, or disclosed by such covered entity, taking into 
consideration--
            (1) the nature, scope, and complexity of the activities 
        engaged in by such covered entity;
            (2) the sensitivity of any personal information at issue;
            (3) the current state of the art in administrative, 
        technical, and physical safeguards for protecting such 
        information; and
            (4) the cost of implementing such administrative, 
        technical, and physical safeguards.
    (b) Point of Contact.--A covered entity shall identify an officer 
or other individual as the point of contact with responsibility for the 
management of information security.
    (c) Specific Policies, Practices, and Procedures.--The policies, 
practices, and procedures required by subsection (a) shall include the 
following:
            (1) A written security policy with respect to the 
        collection, processing, maintenance, and disclosure of personal 
        information. Such policy shall be made publicly available in a 
        prominent location on an ongoing basis, except that the 
        publicly available version is not required to contain 
        information that would compromise a purpose described in 
        paragraph (1) of section 109(a).
            (2) A process for identifying and assessing reasonably 
        foreseeable security vulnerabilities in the system or systems 
        used by such covered entity that contain personal information, 
        which shall include regular monitoring for vulnerabilities or 
        data breaches involving such system or systems.
            (3) A process for taking action designed to mitigate 
        against vulnerabilities identified in the process required by 
        paragraph (2), which may include implementing any changes to 
        security practices and the architecture, installation, or 
        implementation of network or operating software, or for 
        regularly testing or otherwise monitoring the effectiveness of 
        the existing safeguards.
            (4) A process for determining if personal information is no 
        longer needed and disposing of personal information by 
        shredding, permanently erasing, or otherwise modifying the 
        medium on which such personal information is maintained to make 
        such personal information permanently unreadable or 
        indecipherable.
            (5) A process for overseeing persons who have access to 
        personal information, including through network-connected 
        devices.
            (6) A process for employee training and supervision for 
        implementation of the policies, practices, and procedures 
        required by this section.
            (7) A written plan or protocol for internal and public 
        response in the event of a data breach or data sharing abuse.
    (d) Regulations.--The Director, in consultation with the National 
Institute of Standards and Technology, shall promulgate regulations to 
implement this section.
    (e) Small Businesses Assistance.--The Director, in consultation 
with the National Institute of Standards and Technology, the Small 
Business Association, and small businesses, shall develop policy 
templates, toolkits, tip sheets, configuration guidelines for commonly 
used hardware and software, interactive tools, and other materials to 
assist small businesses with complying with this section.

SEC. 215. NOTIFICATION OF DATA BREACH OR DATA SHARING ABUSE.

    (a) Notification of Agency.--
            (1) In general.--In the case of a data breach or data 
        sharing abuse with respect to personal information maintained 
        by a covered entity, such covered entity shall, without undue 
        delay and, if feasible, not later than 72 hours after becoming 
        aware of such data breach or data sharing abuse, notify the 
        Director of such data breach or data sharing abuse, unless such 
        data breach or data sharing abuse is unlikely to create or 
        increase foreseeable privacy harms.
            (2) Reasons for delay.--If the notification required by 
        paragraph (1) is made more than 72 hours after the covered 
        entity becomes aware of the data breach or data sharing abuse, 
        such notification shall be accompanied by a statement of the 
        reasons for the delay.
    (b) Notification of Other Covered Entity.--In the case of a data 
breach or data sharing abuse with respect to personal information 
maintained by a covered entity that such covered entity obtained from 
another covered entity, the covered entity experiencing such data 
breach or data sharing abuse shall, without undue delay and, if 
feasible, not later than 72 hours after becoming aware of such data 
breach or data sharing abuse, notify such other covered entity of such 
data breach or data sharing abuse, unless such data breach or data 
sharing abuse is unlikely to create or increase foreseeable privacy 
harms. A covered entity receiving notice under this subsection of a 
data breach or data sharing abuse shall notify any other covered entity 
from which the covered entity receiving notice obtained personal 
information involved in such data breach or data sharing abuse, in the 
same manner as required under the preceding sentence for the covered 
entity experiencing such data breach or data sharing abuse.
    (c) Notification of Individuals.--
            (1) In general.--In the case of a data breach or data 
        sharing abuse with respect to personal information maintained 
        by a covered entity (or a data breach or data sharing abuse 
        about which a covered entity is notified under subsection (b)), 
        if such covered entity has a relationship with an individual 
        whose personal information was involved or potentially involved 
        in such data breach or data sharing abuse, such covered entity 
        shall notify such individual of such data breach or data 
        sharing abuse not later than 14 days after becoming aware of 
        such data breach or data sharing abuse (or, in the case of a 
        data breach or data sharing abuse about which a covered entity 
        is notified under subsection (b), not later than 14 days after 
        being so notified), if such data breach or data sharing abuse 
        creates or increases foreseeable privacy harms.
            (2) Medium of notification.--A covered entity shall notify 
        an individual as required by paragraph (1) through--
                    (A) the same medium through which such individual 
                routinely interacts with such covered entity; and
                    (B) one additional medium of notification, if such 
                covered entity has the personal information necessary 
                to make a notification through such an additional 
                medium without causing excessive financial burden for 
                such covered entity.
    (d) Rule of Construction.--This section shall not apply to a 
covered entity if a person uses personal information obtained from a 
data breach or data sharing abuse not involving such covered entity.

            TITLE III--UNITED STATES DIGITAL PRIVACY AGENCY

SEC. 301. ESTABLISHMENT.

    (a) Agency Established.--There is established an independent agency 
in the executive branch to be known as the ``United States Digital 
Privacy Agency'', which shall implement and enforce this Act.
    (b) Director and Deputy Director.--
            (1) In general.--There is established the position of the 
        Director, who shall serve as the head of the Agency.
            (2) Appointment.--Subject to paragraph (3), the Director 
        shall be appointed by the President, by and with the advice and 
        consent of the Senate.
            (3) Qualification.--The President shall nominate the 
        Director from among individuals who are citizens of the United 
        States.
            (4) Deputy director.--There is established the position of 
        Deputy Director, who shall--
                    (A) be appointed by the Director; and
                    (B) serve as acting Director in the absence or 
                unavailability of the Director.
    (c) Term.--
            (1) In general.--The Director shall serve for a term of 5 
        years.
            (2) Expiration of term.--An individual may serve as 
        Director after the expiration of the term for which appointed, 
        until a successor has been appointed and qualified.
            (3) Removal for cause.--The President may remove the 
        Director for inefficiency, neglect of duty, or malfeasance in 
        office.
    (d) Service Restriction.--No Director or Deputy Director may hold 
any office, position, or employment in any covered entity during the 
period of service of such person as Director or Deputy Director.
    (e) Offices.--The Director shall establish a principal office and 
field offices of the Agency in locations that have high levels of 
activity by covered entities, as determined by the Director.
    (f) Compensation.--
            (1) In general.--The Director shall be compensated at the 
        rate prescribed for level II of the Executive Schedule under 
        section 5313 of title 5, United States Code.
            (2) Conforming amendment.--Section 5313 of title 5, United 
        States Code, is amended by inserting after the item relating to 
        ``Federal Transit Administrator.'' the following new item: 
        ``Director of the United States Digital Privacy Agency.''.

SEC. 302. EXECUTIVE AND ADMINISTRATIVE POWERS.

    (a) Powers of the Agency.--The Director is authorized to establish 
the general policies of the Agency with respect to all executive and 
administrative functions, including--
            (1) the establishment of rules for conducting the general 
        business of the Agency, in a manner not inconsistent with this 
        Act;
            (2) to bind the Agency and enter into contracts;
            (3) directing the establishment and maintenance of 
        divisions or other offices within the Agency, in order to carry 
        out the responsibilities of the Agency under this Act, and to 
        satisfy the requirements of other applicable law;
            (4) to coordinate and oversee the operation of all 
        administrative, enforcement, and research activities of the 
        Agency;
            (5) to adopt and use a seal;
            (6) to determine the character of and the necessity for the 
        obligations and expenditures of the Agency;
            (7) the appointment and supervision of personnel employed 
        by the Agency;
            (8) the distribution of business among personnel appointed 
        and supervised by the Director and among administrative units 
        of the Agency;
            (9) the use and expenditure of funds;
            (10) implementing this Act through rules, orders, guidance, 
        interpretations, statements of policy, investigations, and 
        enforcement actions; and
            (11) performing such other functions as may be authorized 
        or required by law.
    (b) Delegation of Authority.--The Director may delegate to any duly 
authorized employee, representative, or agent any power vested in the 
Director or the Agency by law, except that the Director may not 
delegate the power to appoint the Deputy Director under section 
301(b)(4)(A).
    (c) Autonomy of Agency Regarding Recommendations and Testimony.--No 
officer or agency of the United States shall have any authority to 
require the Director or any other officer of the Agency to submit 
legislative recommendations, or testimony or comments on legislation, 
to any officer or agency of the United States for approval, comments, 
or review prior to the submission of such recommendations, testimony, 
or comments to the Congress, if such recommendations, testimony, or 
comments to the Congress include a statement indicating that the views 
expressed therein are those of the Director or such officer, and do not 
necessarily reflect the views of the President.

SEC. 303. RULEMAKING AUTHORITY.

    The Director may prescribe rules and issue orders and guidance, as 
may be necessary or appropriate to enable the Agency to administer and 
carry out the purposes and objectives of this Act, and to prevent 
evasions thereof.

SEC. 304. PERSONNEL.

    (a) Appointment.--
            (1) In general.--The Director may fix the number of, and 
        appoint and direct, all employees of the Agency, in accordance 
        with the applicable provisions of title 5, United States Code.
            (2) Employees of the agency.--The Director is authorized to 
        employ technologists, designers, attorneys, investigators, 
        economists, and other employees as the Director considers 
        necessary to conduct the business of the Agency.
    (b) Agency Ombudsman.--
            (1) Establishment required.--The Director shall appoint an 
        ombudsman.
            (2) Duties of ombudsman.--The ombudsman appointed in 
        accordance with paragraph (1) shall--
                    (A) act as a liaison between the Agency and any 
                affected person with respect to any problem that such 
                person may have in dealing with the Agency, resulting 
                from the regulatory activities of the Agency; and
                    (B) assure that safeguards exist to encourage 
                complainants to come forward and preserve 
                confidentiality.

SEC. 305. COMPLAINTS OF INDIVIDUALS.

    (a) In General.--The Director shall establish a unit within the 
Agency the functions of which shall include establishing a single, 
toll-free telephone number, a website, and a database or utilizing an 
existing database to facilitate the centralized collection of, 
monitoring of, and response to complaints of individuals regarding the 
privacy or security of personal information. The Director shall 
coordinate with other Federal agencies with jurisdiction over the 
privacy or security of personal information to route complaints to such 
agencies, where appropriate.
    (b) Routing Complaints to States.--To the extent practicable, State 
agencies may receive appropriate complaints from the systems 
established under subsection (a), if--
            (1) the State agency system has the functional capacity to 
        receive calls or electronic reports routed by the Agency 
        systems;
            (2) the State agency has satisfied any conditions of 
        participation in the system that the Agency may establish, 
        including treatment of personal information and sharing of 
        information on complaint resolution or related compliance 
        procedures and resources; and
            (3) participation by the State agency includes measures 
        necessary to provide for protection of personal information 
        that conform to the standards for protection of the 
        confidentiality of personal information and for data integrity 
        and security that apply to Federal agencies.
    (c) Data Sharing Required.--To facilitate inclusion in the reports 
required by section 310 of the matters regarding complaints of 
individuals required by subsection (b)(4) of such section to be 
included in such reports, investigation and enforcement activities, and 
monitoring of the privacy and security of personal information, the 
Agency shall share information about complaints of individuals with 
Federal and State agencies that have jurisdiction over the privacy or 
security of personal information and State attorneys general, subject 
to the standards applicable to Federal agencies for protection of the 
confidentiality of personal information and for data security and 
integrity. Other Federal agencies that have jurisdiction over the 
privacy or security of personal information shall share data relating 
to complaints of individuals regarding the privacy or security of 
personal information with the Agency, subject to the standards 
applicable to Federal agencies for protection of confidentiality of 
personal information and for data security and integrity.

SEC. 306. USER ADVISORY BOARD.

    (a) Establishment Required.--The Director shall establish a User 
Advisory Board to advise and consult with the Agency in the exercise of 
its functions under this Act, and to provide information on emerging 
practices relating to the treatment of personal information by covered 
entities, including regional trends, concerns, and other relevant 
information.
    (b) Membership.--In appointing the members of the User Advisory 
Board, the Director shall seek to assemble experts in consumer 
protection, privacy, civil rights, and ethics, and seek representation 
of the interests of individuals who use products or services provided 
by covered entities, without regard to party affiliation.
    (c) Meetings.--The User Advisory Board shall meet from time to time 
at the call of the Director, but, at a minimum, shall meet at least 
twice in each year.
    (d) Compensation and Travel Expenses.--Members of the User Advisory 
Board who are not full-time employees of the United States shall--
            (1) be entitled to receive compensation at a rate fixed by 
        the Director while attending meetings of the User Advisory 
        Board, including travel time; and
            (2) receive travel expenses, including per diem in lieu of 
        subsistence, in accordance with applicable provisions under 
        subchapter I of chapter 57 of title 5, United States Code.

SEC. 307. ACADEMIC AND RESEARCH ADVISORY BOARD.

    (a) Establishment Required.--The Director shall establish an 
Academic and Research Advisory Board to advise and consult with the 
Agency in the exercise of its functions under this Act, and to provide 
information on emerging practices relating to the treatment of personal 
information by covered entities, including regional trends, concerns, 
and other relevant information.
    (b) Membership.--In appointing the members of the Academic and 
Research Advisory Board, the Director shall seek to assemble 
individuals with academic and research expertise in privacy, 
cybersecurity, computer science, innovation, economics, law, and public 
policy, without regard to party affiliation.
    (c) Meetings.--The Academic and Research Advisory Board shall meet 
from time to time at the call of the Director, but, at a minimum, shall 
meet at least twice in each year.
    (d) Compensation and Travel Expenses.--Members of the Academic and 
Research Advisory Board who are not full-time employees of the United 
States shall--
            (1) be entitled to receive compensation at a rate fixed by 
        the Director while attending meetings of the Academic and 
        Research Advisory Board, including travel time; and
            (2) receive travel expenses, including per diem in lieu of 
        subsistence, in accordance with applicable provisions under 
        subchapter I of chapter 57 of title 5, United States Code.

SEC. 308. SMALL BUSINESS AND INVESTOR ADVISORY BOARD.

    (a) Establishment Required.--The Director shall establish a Small 
Business and Investor Advisory Board to advise and consult with the 
Agency in the exercise of its functions under this Act, and to provide 
information on emerging practices relating to the treatment of personal 
information by covered entities, including regional trends, concerns, 
and other relevant information.
    (b) Membership.--In appointing the members of the Small Business 
and Investor Advisory Board, the Director shall seek to assemble 
representatives of small businesses and investors in small businesses, 
without regard to party affiliation.
    (c) Meetings.--The Small Business and Investor Advisory Board shall 
meet from time to time at the call of the Director, but, at a minimum, 
shall meet at least twice in each year.
    (d) Compensation and Travel Expenses.--Members of the Small 
Business and Investor Advisory Board who are not full-time employees of 
the United States shall--
            (1) be entitled to receive compensation at a rate fixed by 
        the Director while attending meetings of the Small Business and 
        Investor Advisory Board, including travel time; and
            (2) receive travel expenses, including per diem in lieu of 
        subsistence, in accordance with applicable provisions under 
        subchapter I of chapter 57 of title 5, United States Code.

SEC. 309. CONSULTATION.

    The Director shall consult with Federal and State agencies that 
have jurisdiction over the privacy or security of personal information, 
State attorneys general, international and intergovernmental bodies 
that conduct activities relating to the privacy or security of personal 
information, and agencies of other countries that are similar to the 
Agency, as appropriate, to promote consistent regulatory treatment of 
the activities of covered entities relating to the privacy or security 
of personal information.

SEC. 310. REPORTS.

    (a) Reports Required.--Not later than 6 months after the date of 
the enactment of this Act, and every 6 months thereafter, the Director 
shall submit a report to the President and to the Committee on Energy 
and Commerce, the Committee on the Judiciary, and the Committee on 
Appropriations of the House of Representatives and the Committee on 
Commerce, Science, and Transportation, the Committee on the Judiciary, 
and the Committee on Appropriations of the Senate, and shall publish 
such report on the website of the Agency.
    (b) Contents.--Each report required by subsection (a) shall 
include--
            (1) a discussion of the significant problems faced by 
        individuals with respect to the privacy or security of personal 
        information;
            (2) a justification of the budget request of the Agency for 
        the preceding year, unless a justification for such year was 
        included in the preceding report submitted under such 
        subsection;
            (3) a list of the significant rules and orders adopted by 
        the Agency, as well as other significant initiatives conducted 
        by the Agency, during the preceding 6-month period and the plan 
        of the Agency for rules, orders, or other initiatives to be 
        undertaken during the upcoming 6-month period;
            (4) an analysis of complaints about the privacy or security 
        of personal information that the Agency has received and 
        collected in the database described in section 305(a) during 
        the preceding 6-month period;
            (5) a list, with a brief statement of the issues, of the 
        public enforcement actions to which the Agency was a party 
        during the preceding 6-month period; and
            (6) an assessment of significant actions by State attorneys 
        general or State agencies relating to this Act or the rules 
        prescribed under this Act during the preceding 6-month period.

SEC. 311. GRANTS FOR DEVELOPING OPEN-SOURCE MACHINE LEARNING TRAINING 
              DATA.

    The Director shall establish an Open-Source Machine Learning 
Training Data Program and make grants through the program to support 
the development of open-source, voluntarily disclosed, personal 
information data sets to be used for the training or development of 
machine learning and artificial intelligence algorithms. The Director 
shall promulgate regulations to implement the Program and to consider 
any such data sets are in compliance with this Act balancing any 
intrusion on the privacy of, potential privacy harms to, and reasonable 
expectations of individuals to whom the personal information relates.

SEC. 312. ANNUAL AUDITS.

    The Director shall order an annual independent audit of the 
operations and budget of the Agency.

SEC. 313. INSPECTOR GENERAL.

    Section 12 of the Inspector General Act of 1978 (5 U.S.C. App.) is 
amended--
            (1) in paragraph (1), by inserting the ``Director of the 
        Digital Privacy Agency;'' after ``the President of the Export-
        Import Bank;''; and
            (2) in paragraph (2), by inserting ``the Digital Privacy 
        Agency,'' after ``the Export-Import Bank,''.

SEC. 314. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Director to carry 
out this Act $550,000,000 for each of the fiscal years 2020, 2021, 
2022, 2023, and 2024.

                         TITLE IV--ENFORCEMENT

SEC. 401. DEFINITIONS.

    In this title:
            (1) Agency investigator.--The term ``Agency investigator'' 
        means any attorney or investigator employed by the Agency who 
        is charged with the duty of enforcing or carrying into effect 
        any provision of this Act or a rule or order prescribed under 
        this Act.
            (2) Attorney general.--The term ``attorney general'' means, 
        with respect to a State, the attorney general or chief law 
        enforcement officer of the State, or another official or agency 
        designated by the State to bring civil actions on behalf of the 
        State or the residents of the State.
            (3) Custodian.--The term ``custodian'' means the custodian 
        or any deputy custodian designated by the Agency.
            (4) Documentary material.--The term ``documentary 
        material'' includes the original or any copy of any book, 
        document, record, report, memorandum, paper, communication, 
        tabulation, chart, logs, electronic files, or other data or 
        data compilations stored in any medium.
            (5) Violation.--The term ``violation'' means any act or 
        omission that, if proved, would constitute a violation of any 
        provision of this Act or a rule or order prescribed under this 
        Act.
            (6) Non-public information.--The term ``non-public 
        information'' means information that has not been disclosed in 
        a criminal, civil, or administrative proceeding, in a 
        government investigation, report, or audit, or by the news 
        media or other public source of information, and that was not 
        obtained in violation of the law.

SEC. 402. INVESTIGATIONS AND ADMINISTRATIVE DISCOVERY.

    (a) Joint Investigations.--The Agency or, where appropriate, an 
Agency investigator, may conduct investigations and make requests for 
information, as authorized under this Act, on a joint basis with 
another agency (as defined in section 551 of title 5, United States 
Code).
    (b) Subpoenas.--
            (1) In general.--The Agency or an Agency investigator may 
        issue subpoenas for the attendance and testimony of witnesses 
        and the production of relevant papers, books, documents, or 
        other material in connection with hearings under this Act.
            (2) Failure to obey.--In the case of contumacy or refusal 
        to obey a subpoena issued pursuant to this subsection and 
        served upon any person, the district court of the United States 
        for any district in which such person is found, resides, or 
        transacts business, upon application by the Agency or an Agency 
        investigator and after notice to such person, may issue an 
        order requiring such person to appear and give testimony or to 
        appear and produce documents or other material.
            (3) Contempt.--Any failure to obey an order of the court 
        under paragraph (2) may be punished by the court as a contempt 
        thereof.
    (c) Demands.--
            (1) In general.--Whenever the Agency has reason to believe 
        that any person may be in possession, custody, or control of 
        any documentary material or tangible things, or may have any 
        information, relevant to a violation, the Agency may, before 
        the institution of any proceedings under this Act, issue in 
        writing, and cause to be served upon such person, a civil 
        investigative demand requiring such person to--
                    (A) produce such documentary material for 
                inspection and copying or reproduction in the form or 
                medium requested by the Agency;
                    (B) submit such tangible things;
                    (C) file written reports or answers to questions;
                    (D) give oral testimony concerning documentary 
                material, tangible things, or other information; or
                    (E) furnish any combination of such material, 
                answers, or testimony.
            (2) Requirements.--Each civil investigative demand shall 
        state the nature of the conduct constituting the alleged 
        violation which is under investigation and the provision of law 
        applicable to such violation.
            (3) Production of documents.--Each civil investigative 
        demand for the production of documentary material shall--
                    (A) describe each class of documentary material to 
                be produced under the demand with such definiteness and 
                certainty as to permit such material to be fairly 
                identified;
                    (B) prescribe a return date or dates which will 
                provide a reasonable period of time within which the 
                material so demanded may be assembled and made 
                available for inspection and copying or reproduction; 
                and
                    (C) identify the custodian to whom such material 
                shall be made available.
            (4) Production of things.--Each civil investigative demand 
        for the submission of tangible things shall--
                    (A) describe each class of tangible things to be 
                submitted under the demand with such definiteness and 
                certainty as to permit such things to be fairly 
                identified;
                    (B) prescribe a return date or dates which will 
                provide a reasonable period of time within which the 
                things so demanded may be assembled and submitted; and
                    (C) identify the custodian to whom such things 
                shall be submitted.
            (5) Demand for written reports or answers.--Each civil 
        investigative demand for written reports or answers to 
        questions shall--
                    (A) propound with definiteness and certainty the 
                reports to be produced or the questions to be answered;
                    (B) prescribe a date or dates at which time written 
                reports or answers to questions shall be submitted; and
                    (C) identify the custodian to whom such reports or 
                answers shall be submitted.
            (6) Oral testimony.--Each civil investigative demand for 
        the giving of oral testimony shall--
                    (A) prescribe a date, time, and place at which oral 
                testimony shall be commenced; and
                    (B) identify an Agency investigator who shall 
                conduct the investigation and the custodian to whom the 
                transcript of such investigation shall be submitted.
            (7) Service.--Any civil investigative demand issued, and 
        any enforcement petition filed, under this section may be 
        served--
                    (A) by any Agency investigator at any place within 
                the territorial jurisdiction of any court of the United 
                States; and
                    (B) upon any person who is not found within the 
                territorial jurisdiction of any court of the United 
                States--
                            (i) in such manner as the Federal Rules of 
                        Civil Procedure prescribe for service in a 
                        foreign nation; and
                            (ii) to the extent that the courts of the 
                        United States have authority to assert 
                        jurisdiction over such person, consistent with 
                        due process, the United States District Court 
                        for the District of Columbia shall have the 
                        same jurisdiction to take any action respecting 
                        compliance with this section by such person 
                        that such district court would have if such 
                        person were personally within the jurisdiction 
                        of such district court.
            (8) Method of service.--Service of any civil investigative 
        demand or any enforcement petition filed under this section may 
        be made upon a person by--
                    (A) delivering a duly executed copy of such demand 
                or petition to the individual or to any partner, 
                executive officer, managing agent, or general agent of 
                such person, or to any agent of such person authorized 
                by appointment or by law to receive service of process 
                on behalf of such person;
                    (B) delivering a duly executed copy of such demand 
                or petition to the principal office or place of 
                business of the person to be served; or
                    (C) depositing a duly executed copy in the United 
                States mails, by registered or certified mail, return 
                receipt requested, duly addressed to such person at the 
                principal office or place of business of such person.
            (9) Proof of service.--
                    (A) In general.--A verified return by the 
                individual serving any civil investigative demand or 
                any enforcement petition filed under this section 
                setting forth the manner of such service shall be proof 
                of such service.
                    (B) Return receipts.--In the case of service by 
                registered or certified mail, such return shall be 
                accompanied by the return post office receipt of 
                delivery of such demand or enforcement petition.
            (10) Production of documentary material.--The production of 
        documentary material in response to a civil investigative 
        demand shall be made under a sworn certificate, in such form as 
        the demand designates, by the person, if a natural person, to 
        whom the demand is directed or, if not a natural person, by any 
        person having knowledge of the facts and circumstances relating 
        to such production, to the effect that all of the documentary 
        material required by the demand and in the possession, custody, 
        or control of the person to whom the demand is directed has 
        been produced and made available to the custodian.
            (11) Submission of tangible things.--The submission of 
        tangible things in response to a civil investigative demand 
        shall be made under a sworn certificate, in such form as the 
        demand designates, by the person to whom the demand is directed 
        or, if not a natural person, by any person having knowledge of 
        the facts and circumstances relating to such production, to the 
        effect that all of the tangible things required by the demand 
        and in the possession, custody, or control of the person to 
        whom the demand is directed have been submitted to the 
        custodian.
            (12) Separate answers.--Each reporting requirement or 
        question in a civil investigative demand shall be answered 
        separately and fully in writing under oath, unless it is 
        objected to, in which event the reasons for the objection shall 
        be stated in lieu of an answer, and it shall be submitted under 
        a sworn certificate, in such form as the demand designates, by 
        the person, if a natural person, to whom the demand is directed 
        or, if not a natural person, by any person responsible for 
        answering each reporting requirement or question, to the effect 
        that all information required by the demand and in the 
        possession, custody, control, or knowledge of the person to 
        whom the demand is directed has been submitted.
            (13) Testimony.--
                    (A) In general.--
                            (i) Oath and recordation.--The examination 
                        of any person pursuant to a demand for oral 
                        testimony served under this subsection shall be 
                        taken before an officer authorized to 
                        administer oaths and affirmations by the laws 
                        of the United States or of the place at which 
                        the examination is held. The officer before 
                        whom oral testimony is to be taken shall put 
                        the witness on oath or affirmation and shall 
                        personally, or by any individual acting under 
                        the direction of and in the presence of the 
                        officer, record the testimony of the witness.
                            (ii) Transcription.--The testimony shall be 
                        taken stenographically and transcribed.
                    (B) Parties present.--Any Agency investigator 
                before whom oral testimony is to be taken shall exclude 
                from the place where the testimony is to be taken all 
                other persons, except the person giving the testimony, 
                the attorney for that person, the officer before whom 
                the testimony is to be taken, an investigator or 
                representative of an agency with which the Agency is 
                engaged in a joint investigation, and any stenographer 
                taking such testimony.
                    (C) Location.--The oral testimony of any person 
                taken pursuant to a civil investigative demand shall be 
                taken in the judicial district of the United States in 
                which such person resides, is found, or transacts 
                business, or in such other place as may be agreed upon 
                by the Agency investigator before whom the oral 
                testimony of such person is to be taken and such 
                person.
                    (D) Attorney representation.--
                            (i) In general.--Any person compelled to 
                        appear under a civil investigative demand for 
                        oral testimony pursuant to this subsection may 
                        be accompanied, represented, and advised by an 
                        attorney.
                            (ii) Authority.--The attorney may advise a 
                        person described in clause (i), in confidence, 
                        either upon the request of such person or upon 
                        the initiative of the attorney, with respect to 
                        any question asked of such person.
                            (iii) Objections.--A person described in 
                        clause (i), or the attorney for that person, 
                        may object on the record to any question, in 
                        whole or in part, and such person shall briefly 
                        state for the record the reason for the 
                        objection. An objection may properly be made, 
                        received, and entered upon the record when it 
                        is claimed that such person is entitled to 
                        refuse to answer the question on grounds of any 
                        constitutional or other legal right or 
                        privilege, including the privilege against 
                        self-incrimination, but such person shall not 
                        otherwise object to or refuse to answer any 
                        question, and such person or attorney shall not 
                        otherwise interrupt the oral examination.
                            (iv) Refusal to answer.--If a person 
                        described in clause (i) refuses to answer any 
                        question--
                                    (I) the Agency may petition the 
                                district court of the United States 
                                pursuant to this section for an order 
                                compelling such person to answer such 
                                question; and
                                    (II) if the refusal is on grounds 
                                of the privilege against self-
                                incrimination, the testimony of such 
                                person may be compelled in accordance 
                                with the provisions of section 6004 of 
                                title 18, United States Code.
                    (E) Transcripts.--For purposes of this subsection--
                            (i) after the testimony of any witness is 
                        fully transcribed, the Agency investigator 
                        shall afford the witness (who may be 
                        accompanied by an attorney) a reasonable 
                        opportunity to examine the transcript;
                            (ii) the transcript shall be read to or by 
                        the witness, unless such examination and 
                        reading are waived by the witness;
                            (iii) any changes in form or substance 
                        which the witness desires to make shall be 
                        entered and identified upon the transcript by 
                        the Agency investigator, with a statement of 
                        the reasons given by the witness for making 
                        such changes;
                            (iv) the transcript shall be signed by the 
                        witness, unless the witness in writing waives 
                        the signing, is ill, cannot be found, or 
                        refuses to sign; and
                            (v) if the transcript is not signed by the 
                        witness during the 30-day period following the 
                        date on which the witness is first afforded a 
                        reasonable opportunity to examine the 
                        transcript, the Agency investigator shall sign 
                        the transcript and state on the record the fact 
                        of the waiver, illness, absence of the witness, 
                        or the refusal to sign, together with any 
                        reasons given for the failure to sign.
                    (F) Certification by investigator.--The Agency 
                investigator shall certify on the transcript that the 
                witness was duly sworn by him or her and that the 
                transcript is a true record of the testimony given by 
                the witness, and the Agency investigator shall promptly 
                deliver the transcript or send it by registered or 
                certified mail to the custodian.
                    (G) Copy of transcript.--The Agency investigator 
                shall furnish a copy of the transcript (upon payment of 
                reasonable charges for the transcript) to the witness 
                only, except that the Agency may for good cause limit 
                such witness to inspection of the official transcript 
                of his testimony.
                    (H) Witness fees.--Any witness appearing for the 
                taking of oral testimony pursuant to a civil 
                investigative demand shall be entitled to the same fees 
                and mileage which are paid to witnesses in the district 
                courts of the United States.
    (d) Confidential Treatment of Demand Material.--
            (1) In general.--Documentary materials and tangible things 
        received as a result of a civil investigative demand shall be 
        subject to requirements and procedures regarding 
        confidentiality, in accordance with rules established by the 
        Agency.
            (2) Disclosure to congress.--No rule established by the 
        Agency regarding the confidentiality of materials submitted to, 
        or otherwise obtained by, the Agency shall be intended to 
        prevent disclosure to either House of Congress or to an 
        appropriate committee of the Congress, except that the Agency 
        is permitted to adopt rules allowing prior notice to any party 
        that owns or otherwise provided the material to the Agency and 
        had designated such material as confidential.
    (e) Petition for Enforcement.--
            (1) In general.--Whenever any person fails to comply with 
        any civil investigative demand duly served upon him under this 
        section, or whenever satisfactory copying or reproduction of 
        material requested pursuant to the demand cannot be 
        accomplished and such person refuses to surrender such 
        material, the Agency, through such officers or attorneys as it 
        may designate, may file, in the district court of the United 
        States for any judicial district in which such person resides, 
        is found, or transacts business, and serve upon such person, a 
        petition for an order of such court for the enforcement of this 
        section.
            (2) Service of process.--All process of any court to which 
        application may be made as provided in this subsection may be 
        served in any judicial district.
    (f) Petition for Order Modifying or Setting Aside Demand.--
            (1) In general.--Not later than 20 days after the service 
        of any civil investigative demand upon any person under 
        subsection (c), or at any time before the return date specified 
        in the demand, whichever period is shorter, or within such 
        period exceeding 20 days after service or in excess of such 
        return date as may be prescribed in writing, subsequent to 
        service, by any Agency investigator named in the demand, such 
        person may file with the Agency a petition for an order by the 
        Agency modifying or setting aside the demand.
            (2) Compliance during pendency.--The time permitted for 
        compliance with the demand in whole or in part, as determined 
        proper and ordered by the Agency, shall not run during the 
        pendency of a petition under paragraph (1) at the Agency, 
        except that such person shall comply with any portions of the 
        demand not sought to be modified or set aside.
            (3) Specific grounds.--A petition under paragraph (1) shall 
        specify each ground upon which the petitioner relies in seeking 
        relief, and may be based upon any failure of the demand to 
        comply with the provisions of this section, or upon any 
        constitutional or other legal right or privilege of such 
        person.
    (g) Custodial Control.--At any time during which any custodian is 
in custody or control of any documentary material, tangible things, 
reports, answers to questions, or transcripts of oral testimony given 
by any person in compliance with any civil investigative demand, such 
person may file, in the district court of the United States for the 
judicial district within which the office of such custodian is 
situated, and serve upon such custodian, a petition for an order of 
such court requiring the performance by such custodian of any duty 
imposed upon him by this section or rule promulgated by the Agency.
    (h) Jurisdiction of Court.--
            (1) In general.--Whenever any petition is filed in any 
        district court of the United States under this section, such 
        court shall have jurisdiction to hear and determine the matter 
        so presented, and to enter such order or orders as may be 
        required to carry out the provisions of this section.
            (2) Appeal.--Any final order entered as described in 
        paragraph (1) shall be subject to appeal pursuant to section 
        1291 of title 28, United States Code.

SEC. 403. HEARINGS AND ADJUDICATION PROCEEDINGS.

    (a) In General.--The Agency is authorized to conduct hearings and 
adjudication proceedings with respect to any person in the manner 
prescribed by chapter 5 of title 5, United States Code, in order to 
ensure or enforce compliance with this Act and the rules prescribed 
under this Act.
    (b) Special Rules for Cease-and-Desist Proceedings.--
            (1) Orders authorized.--
                    (A) In general.--If, in the opinion of the Agency, 
                a person is engaging or has engaged in an act or 
                omission that violates any provision of this Act or a 
                rule or order prescribed under this Act, the Agency may 
                issue and serve upon the person a notice of charges in 
                respect thereof.
                    (B) Content of notice.--The notice under 
                subparagraph (A) shall contain a statement of the facts 
                constituting the alleged violation, and shall fix a 
                time and place at which a hearing will be held to 
                determine whether an order to cease and desist should 
                issue against the person, such hearing to be held not 
                earlier than 30 days nor later than 60 days after the 
                date of service of such notice, unless an earlier or a 
                later date is set by the Agency, at the request of any 
                person so served.
                    (C) Consent.--Unless a person served under 
                subparagraph (B) appears at the hearing personally or 
                by a duly authorized representative, the person shall 
                be deemed to have consented to the issuance of the 
                cease-and-desist order.
                    (D) Procedure.--In the event of consent under 
                subparagraph (C), or if, upon the record made at any 
                such hearing, the Agency finds that any violation 
                specified in the notice of charges has been 
                established, the Agency may issue and serve upon the 
                person an order to cease and desist from the violation. 
                Such order may, by provisions which may be mandatory or 
                otherwise, require the person to cease and desist from 
                the subject act or omission, and to take affirmative 
                action to correct the conditions resulting from any 
                such violation.
            (2) Effectiveness of order.--A cease-and-desist order shall 
        become effective at the expiration of 30 days after the date of 
        service of the order under paragraph (1)(D) (except in the case 
        of a cease-and-desist order issued upon consent, which shall 
        become effective at the time specified therein), and shall 
        remain effective and enforceable as provided therein, except to 
        such extent as the order is stayed, modified, terminated, or 
        set aside by action of the Agency or a reviewing court.
            (3) Decision and appeal.--Any hearing provided for in this 
        subsection shall be held in the Federal judicial district or in 
        the territory in which the residence or principal office or 
        place of business of the person is located unless the person 
        consents to another place, and shall be conducted in accordance 
        with the provisions of chapter 5 of title 5, United States 
        Code. After such hearing, and not later than 90 days after the 
        Agency has notified each party to the proceeding that the case 
        has been submitted to the Agency for final decision, the Agency 
        shall render its decision (which shall include findings of fact 
        upon which its decision is predicated) and shall issue and 
        serve upon each such party an order or orders consistent with 
        the provisions of this section. Judicial review of any such 
        order shall be exclusively as provided in this subsection. 
        Unless a petition for review is timely filed in a court of 
        appeals of the United States, as provided in paragraph (4), and 
        thereafter until the record in the proceeding has been filed as 
        provided in paragraph (4), the Agency may at any time, upon 
        such notice and in such manner as the Agency shall determine 
        proper, modify, terminate, or set aside any such order. Upon 
        filing of the record as provided, the Agency may modify, 
        terminate, or set aside any such order with permission of the 
        court.
            (4) Appeal to court of appeals.--Any party to any 
        proceeding under this subsection may obtain a review of any 
        order served pursuant to this subsection (other than an order 
        issued with the consent of the party) by filing in the court of 
        appeals of the United States for the circuit in which the 
        residence or principal office or place of business of the party 
        is located, or in the United States Court of Appeals for the 
        District of Columbia Circuit, within 30 days after the date of 
        service of such order, a written petition praying that the 
        order of the Agency be modified, terminated, or set aside. A 
        copy of such petition shall be forthwith transmitted by the 
        clerk of the court to the Agency, and thereupon the Agency 
        shall file in the court the record in the proceeding, as 
        provided in section 2112 of title 28, United States Code. Upon 
        the filing of such petition, such court shall have 
        jurisdiction, which upon the filing of the record shall, except 
        as provided in the last sentence of paragraph (3), be 
        exclusive, to affirm, modify, terminate, or set aside, in whole 
        or in part, the order of the Agency. Review of such proceedings 
        shall be had as provided in chapter 7 of title 5, United States 
        Code. The judgment and decree of the court shall be final, 
        except that the same shall be subject to review by the Supreme 
        Court of the United States, upon certiorari, as provided in 
        section 1254 of title 28, United States Code.
            (5) No stay.--The commencement of proceedings for judicial 
        review under paragraph (4) shall not, unless specifically 
        ordered by the court, operate as a stay of any order issued by 
        the Agency.
    (c) Special Rules for Temporary Cease-and-Desist Proceedings.--
            (1) In general.--Whenever the Agency determines that the 
        violation specified in the notice of charges served upon a 
        person pursuant to subsection (b), or the continuation thereof, 
        is likely to cause the person to be insolvent or otherwise 
        prejudice the interests of individuals before the completion of 
        the proceedings conducted pursuant to subsection (b), the 
        Agency may issue a temporary order requiring the person to 
        cease and desist from any such violation and to take 
        affirmative action to prevent or remedy such insolvency or 
        other condition pending completion of such proceedings. Such 
        order may include any requirement authorized under this title. 
        Such order shall become effective upon service upon the person 
        and, unless set aside, limited, or suspended by a court in 
        proceedings authorized by paragraph (2), shall remain effective 
        and enforceable pending the completion of the administrative 
        proceedings pursuant to such notice and until such time as the 
        Agency shall dismiss the charges specified in such notice, or 
        if a cease-and-desist order is issued against the person, until 
        the effective date of such order.
            (2) Appeal.--Not later than 10 days after a person has been 
        served with a temporary cease-and-desist order, the person may 
        apply to the United States district court for the judicial 
        district in which the residence or principal office or place of 
        business of the person is located, or the United States 
        District Court for the District of Columbia, for an injunction 
        setting aside, limiting, or suspending the enforcement, 
        operation, or effectiveness of such order pending the 
        completion of the administrative proceedings pursuant to the 
        notice of charges served upon the person under subsection (b), 
        and such court shall have jurisdiction to issue such 
        injunction.
    (d) Special Rules for Enforcement of Orders.--
            (1) In general.--The Agency may in its discretion apply to 
        the United States district court within the jurisdiction of 
        which the residence or principal office or place of business of 
        a person is located, for the enforcement of any effective and 
        outstanding order issued under this section against such 
        person, and such court shall have jurisdiction and power to 
        order and require compliance with such order.
            (2) Exception.--Except as otherwise provided in this 
        section, no court shall have jurisdiction to affect by 
        injunction or otherwise the issuance or enforcement of any 
        order or to review, modify, suspend, terminate, or set aside 
        any such order.
    (e) Rules.--The Agency shall prescribe rules establishing such 
procedures as may be necessary to carry out this section.

SEC. 404. LITIGATION AUTHORITY.

    (a) In General.--If a person violates any provision of this Act or 
a rule or order prescribed under this Act, the Agency may commence a 
civil action against such person to impose a civil penalty or to seek 
all appropriate legal and equitable relief, including a permanent or 
temporary injunction.
    (b) Representation.--Except as provided in subsection (e), the 
Agency may act in its own name and through its own attorneys in any 
action, suit, or other court proceeding to which the Agency is a party.
    (c) Compromise of Actions.--The Agency may compromise or settle any 
action, suit, or other court proceeding to which the Agency is a party 
if such compromise is approved by the court.
    (d) Notice to the Attorney General.--
            (1) In general.--When commencing a civil action under 
        subsection (a), the Agency shall notify the Attorney General.
            (2) Notice and coordination.--
                    (A) Notice of other actions.--In addition to any 
                notice required under paragraph (1), the Agency shall 
                notify the Attorney General concerning any action, 
                suit, or other court proceeding to which the Agency is 
                a party.
                    (B) Coordination.--In order to avoid conflicts and 
                promote consistency regarding litigation of matters 
                under Federal law, the Attorney General and the Agency 
                shall consult regarding the coordination of 
                investigations and proceedings, including by 
                negotiating an agreement for coordination by not later 
                than 180 days after the effective date specified in 
                section 4(a). The agreement under this subparagraph 
                shall include provisions to ensure that parallel 
                investigations and proceedings involving this Act and 
                the rules prescribed under this Act are conducted in a 
                manner that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
                    (C) Rule of construction.--Nothing in this 
                paragraph shall be construed to limit the authority of 
                the Agency under this Act, including the authority to 
                interpret this Act.
    (e) Appearance Before the Supreme Court.--The Agency may represent 
itself in its own name before the Supreme Court of the United States, 
if the Agency makes a written request to the Attorney General within 
the 10-day period which begins on the date of entry of the judgment 
which would permit any party to file a petition for writ of certiorari, 
and the Attorney General concurs with such request or fails to take 
action within 60 days of the request of the Agency.
    (f) Forum.--Any civil action brought under subsection (a) may be 
brought in an appropriate district court of the United States or an 
appropriate State court.
    (g) Time for Bringing Action.--Except as otherwise permitted by law 
or equity, no action may be brought under subsection (a) more than 3 
years after the date of discovery of the violation to which the action 
relates.

SEC. 405. COORDINATION WITH OTHER FEDERAL AGENCIES.

    (a) Coordination.--With respect to covered entities and service 
providers, to the extent that Federal law authorizes the Agency and 
another Federal agency to enforce privacy laws, the other Federal 
agency shall coordinate with the Agency to promote consistent 
enforcement of this Act and other Federal privacy laws.
    (b) Referral.--Any Federal agency authorized to enforce a Federal 
privacy law described in section 501 may recommend in writing to the 
Agency that the Agency initiate an enforcement proceeding, as the 
Agency is authorized by that Federal law or by this Act.
    (c) Coordination With the Federal Trade Commission.--
            (1) In general.--The Agency and the Federal Trade 
        Commission shall negotiate an agreement for coordinating with 
        respect to enforcement actions by each agency regarding the 
        provision of a product or service offered by any covered 
        entity. The agreement shall include procedures for notice to 
        the other agency, where feasible, prior to initiating a civil 
        action to enforce any Federal law regarding the privacy of 
        individuals or security of personal information.
            (2) Civil actions.--Whenever a civil action has been filed 
        by, or on behalf of, the Agency or the Federal Trade Commission 
        for any violation of any provision of Federal law described in 
        paragraph (1), or any regulation prescribed under such 
        provision of law--
                    (A) the other agency may not, during the pendency 
                of that action, institute a civil action under such 
                provision of law against any defendant named in the 
                complaint in such pending action for any violation 
                alleged in the complaint; and
                    (B) the Agency or the Federal Trade Commission may 
                intervene as a party in any such action brought by the 
                other agency, and, upon intervening--
                            (i) be heard on all matters arising in such 
                        enforcement action; and
                            (ii) file petitions for appeal in such 
                        actions.
            (3) Agreement terms.--The terms of any agreement negotiated 
        under paragraph (1) may modify or supersede the provisions of 
        paragraph (2).
            (4) Deadline.--The agencies shall reach the agreement 
        required under paragraph (1) not later than 6 months after the 
        designated transfer date.

SEC. 406. ENFORCEMENT BY STATES.

    (a) Civil Action.--In any case in which the attorney general of a 
State has reason to believe that an interest of the residents of such 
State has been or is adversely affected by any person who violates any 
provision of this Act or a rule or order prescribed under this Act, the 
attorney general of the State, as parens patriae, may bring a civil 
action on behalf of the residents of the State in an appropriate State 
court or an appropriate district court of the United States--
            (1) to enjoin further violation of such provision by the 
        defendant;
            (2) to compel compliance with such provision; or
            (3) to obtain relief under section 408.
    (b) Rights of Agency.--Before initiating a civil action under 
subsection (a), the attorney general of a State shall notify the Agency 
in writing of such civil action. Upon receiving notice with respect to 
a civil action, the Agency may--
            (1) intervene in such action; and
            (2) upon intervening--
                    (A) be heard on all matters arising in such civil 
                action; and
                    (B) file petitions for appeal of a decision in such 
                action.
    (c) Preemptive Action by Agency.--If the Agency institutes a civil 
action for violation of any provision of this Act or a rule or order 
prescribed under this Act, no attorney general of a State may bring a 
civil action against any defendant named in the complaint of the Agency 
for a violation of such provision that is alleged in such complaint.

SEC. 407. PRIVATE RIGHTS OF ACTION.

    (a) Injunctive Relief.--A person who is aggrieved by a violation of 
this Act may bring a civil action for declaratory or injunctive relief 
in any court of competent jurisdiction in any State or in an 
appropriate district court.
    (b) Civil Action for Damages.--Except for claims under rule 23 of 
the Federal Rules of Civil Procedure or a similar judicial procedure 
authorizing an action to be brought by 1 or more representatives, a 
person who is aggrieved by a violation of this Act may bring a civil 
action for damages in any court of competent jurisdiction in any State 
or in an appropriate district court.
    (c) Nonprofit Collective Representation.--An individual shall have 
the right to appoint a nonprofit body, organization, or association 
which has been properly constituted in accordance with the law, has 
statutory objectives which are in the public interest, and is active in 
the field of the protection of individual rights and freedoms with 
regard to the protection of their personal data to lodge the complaint 
on his or her behalf, to exercise the rights referred to in this Act on 
his or her behalf.
            (1) A nonprofit may represent a class of aggrieved 
        individuals.
            (2) A prevailing nonprofit shall receive reasonable 
        compensation for expenses, including attorneys fees.
            (3) Individuals shall receive an equally divided share of 
        the total damages.
    (d) State Appointment.--A State may provide that any body, 
organization or association referred to in subsection (c), 
independently of an individual's appointment, has the right to lodge, 
in that State, a complaint with the Agency and to exercise the rights 
referred to in this Act if it considers that the rights of an 
individual under this Act have been infringed.

SEC. 408. RELIEF AVAILABLE.

    (a) Civil Actions and Adjudication Proceedings.--
            (1) Jurisdiction.--In any civil action or any adjudication 
        proceeding brought by the Agency or the attorney general of a 
        State, under any provision of this Act or a rule or order 
        prescribed under this Act, the court or the Agency (as the case 
        may be) shall have jurisdiction to grant any appropriate legal 
        or equitable relief with respect to a violation of such 
        provision.
            (2) Relief.--Relief under this section may include--
                    (A) rescission or reformation of contracts;
                    (B) refund of moneys;
                    (C) restitution;
                    (D) disgorgement or compensation for unjust 
                enrichment;
                    (E) payment of damages or other monetary relief;
                    (F) public notification regarding the violation, 
                including the costs of notification;
                    (G) limits on the activities or functions of the 
                person; and
                    (H) civil money penalties, as provided in 
                subsection (c).
            (3) No exemplary or punitive damages.--Nothing in this 
        subsection shall be construed as authorizing the imposition of 
        exemplary or punitive damages.
    (b) Recovery of Costs.--In any civil action brought by the Agency 
or the attorney general of a State under any provision of this Act or a 
rule or order prescribed under this Act, the Agency or attorney general 
may recover its costs in connection with prosecuting such action if the 
Agency or attorney general is the prevailing party in the action.
    (c) Civil Money Penalty in Court and Adjudication Proceedings.--
            (1) In general.--Any person who violates, through any act 
        or omission, any provision of this Act or a rule or order 
        prescribed under this Act shall forfeit and pay a civil penalty 
        under this subsection.
            (2) Penalty amount.--
                    (A) In general.--The amount of a civil penalty 
                under this subsection may not exceed, for each 
                violation, the product of--
                            (i) the maximum civil penalty for which a 
                        person, partnership, or corporation may be 
                        liable under section 5(m)(1)(A) of the Federal 
                        Trade Commission Act (15 U.S.C. 45(m)(1)(A)) 
                        for a violation of a rule under such Act 
                        respecting unfair or deceptive acts or 
                        practices, as adjusted under the Federal Civil 
                        Penalties Inflation Adjustment Act of 1990 (28 
                        U.S.C. 2461 note); and
                            (ii) the number of individuals the personal 
                        information of which is affected by the 
                        violation.
                    (B) Continuing violations.--In the case of a 
                violation through continuing failure to comply with a 
                provision of this Act or a rule or order prescribed 
                under this Act, each day of continuance of such failure 
                shall be treated as a separate violation for purposes 
                of subparagraph (A).
            (3) Mitigating factors.--In determining the amount of any 
        penalty assessed under paragraph (2), the court or the Agency 
        shall take into account the appropriateness of the penalty with 
        respect to--
                    (A) the size of financial resources and good faith 
                of the person charged;
                    (B) the gravity of the violation;
                    (C) the severity of the privacy harms (including 
                both actual and potential harms) to individuals;
                    (D) any disparate impact of the privacy harms 
                (including both actual and potential harms) on 
                protected classes;
                    (E) the history of previous violations; and
                    (F) such other matters as justice may require.
            (4) Authority to modify or remit penalty.--The Agency or 
        attorney general of a State may compromise, modify, or remit 
        any penalty which may be assessed or has already been assessed 
        under paragraph (2). The amount of such penalty, when finally 
        determined, shall be exclusive of any sums owed by the person 
        to the United States in connection with the costs of the 
        proceeding, and may be deducted from any sums owing by the 
        United States to the person charged.
            (5) Notice and hearing.--No civil penalty may be assessed 
        under this subsection with respect to a violation of any 
        provision of this Act or a rule or order prescribed under this 
        Act, unless--
                    (A) the Agency or attorney general of a State gives 
                notice and an opportunity for a hearing to the person 
                accused of the violation; or
                    (B) the appropriate court has ordered such 
                assessment and entered judgment in favor of the Agency 
                or attorney general of a State.

SEC. 409. REFERRAL FOR CRIMINAL PROCEEDINGS.

    If the Agency obtains evidence that any person, domestic or 
foreign, has engaged in conduct that may constitute a violation of 
Federal criminal law, the Agency shall transmit such evidence to the 
Attorney General of the United States, who may institute criminal 
proceedings under appropriate law. Nothing in this section affects any 
other authority of the Agency to disclose information.

SEC. 410. WHISTLEBLOWER ENFORCEMENT.

    (a) In General.--Any person who becomes aware, based on non-public 
information, that a covered entity has violated this Act may file a 
civil action for civil penalties, if prior to filing such action, the 
person files with the Director a written request for the Director to 
commence the action. The request shall include a clear and concise 
statement of the grounds for believing a cause of action exists. The 
person shall make the non-public information available to the Director 
upon request:
            (1) If the Director files suit within 90 days from receipt 
        of the written request to commence the action, no other action 
        may be brought unless the action brought by the Director is 
        dismissed without prejudice.
            (2) If the Director does not file suit within 90 days from 
        receipt of the written request to commence the action, the 
        person requesting the action may proceed to file a civil 
        action.
            (3) The time period within which a civil action shall be 
        commenced shall be tolled from the date of receipt by the 
        Director of the written request to either the date that the 
        civil action is dismissed without prejudice, or for 150 days, 
        whichever is later, but only for a civil action brought by the 
        person who requested the Director to commence the action.
    (b) Allocation of Civil Penalties.--If a judgment is entered 
against the defendant or defendants in an action brought pursuant to 
this section, or the matter is settled, amounts received as civil 
penalties or pursuant to a settlement of the action shall be allocated 
as follows:
            (1) If the action was brought by the Director upon a 
        request made by a person pursuant to (a), the person who made 
        the request shall be entitled to 15 percent of the civil 
        penalties.
            (2) If the action was brought by the person who made the 
        request pursuant to (a), that person shall receive an amount 
        the court determines is reasonable for collecting the civil 
        penalties on behalf of the government. The amount shall be not 
        less than 25 percent and not more than 50 percent of the 
        proceeds of the action and shall be paid out of the proceeds.

                     TITLE V--RELATION TO OTHER LAW

SEC. 501. RELATION TO OTHER FEDERAL LAW.

    Nothing in this Act shall be construed to--
            (1) modify, limit, or supersede the operation of any 
        privacy or security provision in--
                    (A) section 552a of title 5, United States Code 
                (commonly known as the ``Privacy Act of 1974'');
                    (B) the Right to Financial Privacy Act of 1978 (12 
                U.S.C. 3401 et seq.);
                    (C) the Fair Credit Reporting Act (15 U.S.C. 1681 
                et seq.);
                    (D) the Fair Debt Collection Practices Act (15 
                U.S.C. 1692 et seq.);
                    (E) the Children's Online Privacy Protection Act of 
                1998 (15 U.S.C. 6501 et seq.);
                    (F) title V of the Gramm-Leach-Bliley Act (15 
                U.S.C. 6801 et seq.);
                    (G) chapter 119, 123, or 206 of title 18, United 
                States Code;
                    (H) section 444 of the General Education Provisions 
                Act (20 U.S.C. 1232g) (commonly referred to as the 
                ``Family Educational Rights and Privacy Act of 1974'');
                    (I) section 445 of the General Education Provisions 
                Act (20 U.S.C. 1232h);
                    (J) the Privacy Protection Act of 1980 (42 U.S.C. 
                2000aa et seq.);
                    (K) the regulations promulgated under section 
                264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note), as 
                those regulations relate to--
                            (i) a person described in section 1172(a) 
                        of the Social Security Act (42 U.S.C. 1320d-
                        1(a)); or
                            (ii) transactions referred to in section 
                        1173(a)(1) of the Social Security Act (42 
                        U.S.C. 1320d-2(a)(1));
                                    (L) the Communications Assistance 
                                for Law Enforcement Act (47 U.S.C. 1001 
                                et seq.);
                    (M) section 222, 227, 338, or 631 of the 
                Communications Act of 1934 (47 U.S.C. 222, 227, 338, or 
                551);
                    (N) the E-Government Act of 2002 (44 U.S.C. 101 et 
                seq.);
                    (O) the Paperwork Reduction Act of 1995 (44 U.S.C. 
                3501 et seq.);
                    (P) Federal Information Security Management Act of 
                2002 (44 U.S.C. 3541 et seq.);
                    (Q) the Currency and Foreign Transactions Reporting 
                Act of 1970, as amended (commonly known as the Bank 
                Secrecy Act) (12 U.S.C. 1829b and 1951-1959, 31 U.S.C. 
                5311-5314 and 5316-5332), including the International 
                Money Laundering Abatement and Financial Anti-Terrorism 
                Act of 2001, title III of Public Law 107-56, as 
                amended;
                    (R) the National Security Act of 1947 (50 U.S.C. 
                3001 et seq.);
                    (S) the Foreign Intelligence Surveillance Act of 
                1978, as amended (50 U.S.C. 1801 et seq.);
                    (T) the Civil Rights Act of 1964 (Public Law 88-
                352, 78 Stat. 241);
                    (U) the Americans with Disabilities Act (42 U.S.C. 
                12101 et seq.);
                    (V) the Fair Housing Act (42 U.S.C. 3601 et seq.);
                    (W) the Dodd-Frank Wall Street Reform and Consumer 
                Protection Act (Public Law 111-203, 124 Stat. 1376-
                2223);
                    (X) the Equal Credit Opportunity Act (15 U.S.C. 
                1691 et seq.);
                    (Y) the Age Discrimination in Employment Act (29 
                U.S.C. 621 et seq.);
                    (Z) the Genetic Information Nondiscrimination Act 
                (Public Law 110-233, 122 Stat. 881); or
                    (AA) any other privacy or security provision of 
                Federal law; or
            (2) limit the authority of the Federal Communications 
        Commission to promulgate regulations and enforce any privacy 
        law not in contradiction with this Act.

SEC. 502. SEVERABILITY.

    If any provision of this Act, or the application thereof, is held 
unconstitutional or otherwise invalid, the validity of the remainder of 
the Act and the application of such provision shall not be affected 
thereby.
                                 <all>