[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 142 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                 S. 142

   To impose privacy requirements on providers of internet services 
   similar to the requirements imposed on Federal agencies under the 
                          Privacy Act of 1974.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 16, 2019

   Mr. Rubio introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To impose privacy requirements on providers of internet services 
   similar to the requirements imposed on Federal agencies under the 
                          Privacy Act of 1974.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``American Data Dissemination Act of 
2019'' or the ``ADD Act''.

SEC. 2. DEFINITIONS.

    (a) In General.--In this Act--
            (1) the term ``agency'' has the meaning given the term in 
        section 552a of title 5, United States Code;
            (2) the term ``appropriate committees of Congress'' means--
                    (A) the Committee on Commerce, Science, and 
                Transportation of the Senate; and
                    (B) the Committee on Energy and Commerce of the 
                House of Representatives;
            (3) the term ``collect'' means to buy, rent, gather, 
        obtain, receive, or access information about an individual by 
        any means, including by--
                    (A) receiving information from the individual, 
                either actively or passively; or
                    (B) observing the behavior of the individual;
            (4) the term ``Commission'' means the Federal Trade 
        Commission;
            (5) the term ``covered provider'' means a person that--
                    (A) provides a service that uses the internet; and
                    (B) in providing the service under subparagraph 
                (A), collects records;
            (6) the term ``disclose'' means to release, disseminate, 
        make available, transfer, or otherwise communicate orally, in 
        writing, or by electronic or other means;
            (7) the term ``maintain'' includes maintain, collect, use, 
        disclose, or process;
            (8) the term ``Privacy Act of 1974'' means section 552a of 
        title 5, United States Code;
            (9) the term ``process'' means to perform an operation or 
        set of operations on information or on sets of information, 
        whether or not by automated means;
            (10) subject to subsection (b), the term ``record'' means 
        any item, collection, or grouping of information about an 
        individual that--
                    (A) is maintained by a covered provider, including 
                the education, financial transactions, medical history, 
                and criminal or employment history of the individual; 
                and
                    (B) contains any name or number that may be used, 
                alone or in conjunction with any other information, to 
                identify a specific individual, including any--
                            (i) name, social security number, date of 
                        birth, official driver's license or 
                        identification number issued by a State, alien 
                        registration number, government passport 
                        number, or employer or taxpayer identification 
                        number;
                            (ii) unique biometric data, such as 
                        fingerprint, voice print, retina or iris image, 
                        or other unique physical representation;
                            (iii) unique electronic identification 
                        number, address, or routing code;
                            (iv) telecommunication identifying 
                        information or access device (as those terms 
                        are defined in section 1029(e) of title 18, 
                        United States Code); or
                            (v) user-generated content; and
            (11) the term ``sell'' means to disclose information about 
        an individual to another person for monetary or other valuable 
        consideration.
    (b) Modification of Definition.--If the Commission promulgates 
regulations under section 4(a), the Commission may modify, at any time, 
the definition of the term ``record'' under subsection (a) of this 
section as necessary to conform to new Federal laws or regulations.

SEC. 3. RECOMMENDED PRIVACY REQUIREMENTS FOR PROVIDERS OF INTERNET 
              SERVICES.

    (a) In General.--Not later than 180 days after the date of 
enactment of this Act, the Commission shall submit to the appropriate 
committees of Congress detailed recommendations for privacy 
requirements that Congress could impose on covered providers that would 
be substantially similar, to the extent practicable, to the 
requirements applicable to agencies under the Privacy Act of 1974.
    (b) Subjects for Recommendations.--The recommendations under 
subsection (a) shall address the issues described in section 4.

SEC. 4. REGULATIONS IMPOSING PRIVACY REQUIREMENTS ON PROVIDERS OF 
              INTERNET SERVICES.

    (a) Regulations.--
            (1) Proposed regulations.--Not earlier than 1 year after 
        the date on which the Commission submits detailed 
        recommendations for privacy requirements under section 3(a), 
        and not later than 15 months after that date, the Commission 
        shall publish and submit to the appropriate committees of 
        Congress proposed regulations to impose privacy requirements on 
        covered providers that are substantially similar, to the extent 
        practicable, to the requirements applicable to agencies under 
        the Privacy Act of 1974.
            (2) Final regulations.--If a law imposing privacy 
        requirements on covered providers that are substantially 
        similar, to the extent practicable, to the requirements 
        applicable to agencies under the Privacy Act of 1974 is not 
        enacted by the date that is 2 years after the date of enactment 
        of this Act, the Commission shall, not later than 27 months 
        after that date of enactment, promulgate final regulations that 
        impose such privacy requirements.
    (b) Contents.--In promulgating regulations under subsection (a), 
the Commission--
            (1) shall--
                    (A) establish criteria for exempting certain small, 
                newly formed covered providers from the requirements 
                under the regulations, taking into account factors 
                including--
                            (i) the period of time during which the 
                        covered provider has been operating as a 
                        covered provider;
                            (ii) the annual revenue of the covered 
                        provider; and
                            (iii) the number of individuals about whom 
                        the covered provider collects records;
                    (B) restrict disclosure of records maintained by 
                covered providers;
                    (C) provide that--
                            (i) an individual may request access to a 
                        record (or a portion thereof) maintained by a 
                        covered provider that relates to the 
                        individual; and
                            (ii) upon a request under clause (i), the 
                        covered provider shall--
                                    (I) provide the individual with 
                                access to the record (or the relevant 
                                portion thereof); or
                                    (II) if the covered provider so 
                                elects, delete the record (or the 
                                relevant portion thereof), subject to 
                                the requirements to keep and provide an 
                                accounting under subparagraph (G);
                    (D) provide that if an individual demonstrates that 
                a record relating to the individual is not accurate, 
                relevant, timely, or complete (as those terms are 
                defined by the Commission)--
                            (i) the individual may request that the 
                        covered provider amend the record; and
                            (ii) upon a request under clause (i), the 
                        covered provider shall amend the record;
                    (E) establish a process modeled on the process 
                established under section 611(a) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681i(a))--
                            (i) through which an individual and a 
                        covered provider may resolve a dispute under 
                        subparagraph (D) of this paragraph regarding 
                        the assertion that a record relating to the 
                        individual is not accurate, relevant, timely, 
                        or complete; and
                            (ii) that does not require the individual 
                        to incur any expense;
                    (F) in accordance with accepted standards and in 
                consultation with the Secretary of Commerce, establish 
                a code of ``fair information practices'', for the 
                secure collection, maintenance, and dissemination of 
                records, with which a covered provider must comply;
                    (G) require a covered provider, in a manner 
                substantially similar, to the extent practicable, to 
                the requirements applicable to agencies under section 
                552a(c) of title 5, United States Code, to--
                            (i) keep an accounting of certain 
                        disclosures of records for a reasonable period 
                        of time, as determined by the Commission; and
                            (ii) make available to an individual, upon 
                        request, the accounting made under clause (i) 
                        of disclosures of records relating to the 
                        individual, unless the period of time described 
                        in that clause has expired; and
                    (H) to the extent practicable, incorporate the 
                exceptions under paragraphs (1) through (12) of section 
                552a(b) of title 5, United States Code; and
            (2) may promulgate regulations not described in paragraph 
        (1) that are modeled on section 552a of title 5, United States 
        Code, and the regulations promulgated under that section.
    (c) Application With Other Federal Laws.--
            (1) Exemption for persons subject to other federal privacy 
        laws.--To the extent that a person is subject to a Federal 
        privacy law described in paragraph (2) of this subsection, the 
        regulations promulgated under subsection (a) shall not apply to 
        the person with respect to any information or records governed 
        by that Federal privacy law.
            (2) Other federal privacy laws described.--The Federal 
        privacy laws described in this paragraph are as follows:
                    (A) The regulations promulgated under section 
                264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note), as 
                those regulations relate to--
                            (i) a person described in section 1172(a) 
                        of the Social Security Act (42 U.S.C. 
                        1320d-1(a)); or
                            (ii) transactions referred to in section 
                        1173(a)(1) of the Social Security Act (42 
                        U.S.C. 1320d-2(a)(1)).
                    (B) Section 444 of the General Education Provisions 
                Act (20 U.S.C. 1232g) (commonly referred to as the 
                ``Family Educational Rights and Privacy Act of 1974'').
                    (C) Section 552a of title 5, United States Code.
            (3) Conflicts.--
                    (A) Children's online privacy protection act.--In 
                the case of a conflict between the regulations 
                promulgated under subsection (a) of this section and 
                the Children's Online Privacy Protection Act of 1998 
                (15 U.S.C. 6501 et seq.) (and any regulations 
                promulgated under that Act), the Commission shall 
                determine which provision of law shall apply.
                    (B) Gramm-Leach-Bliley act.--In the case of a 
                conflict between the regulations promulgated under 
                subsection (a) of this section and title V of the 
                Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.) 
                (and any regulations promulgated under that Act), the 
                Commission shall determine which provision of law shall 
                apply.

SEC. 5. ENFORCEMENT.

    (a) Unfair or Deceptive Acts or Practices.--A violation of a 
regulation promulgated under section 4(a) shall be treated as a 
violation of a rule defining an unfair or deceptive act or practice 
prescribed under section 18(a)(1)(B) of the Federal Trade Commission 
Act (15 U.S.C. 57a(a)(1)(B)).
    (b) Powers of Commission.--
            (1) In general.--Except as provided in paragraph (3), if 
        the Commission promulgates regulations under section 4(a), the 
        Commission shall enforce this Act in the same manner, by the 
        same means, and with the same jurisdiction, powers, and duties 
        as though all applicable terms and provisions of the Federal 
        Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated 
        into and made a part of this Act.
            (2) Privileges and immunities.--Except as provided in 
        paragraph (3), any person who violates a regulation promulgated 
        under section 4(a) shall be subject to the penalties and 
        entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.).
            (3) Common carriers.--Notwithstanding section 4, 5(a)(2), 
        or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 
        45(a)(2), 46) or any jurisdictional limitation of the 
        Commission, if the Commission promulgates regulations under 
        section 4(a), the Commission shall also enforce this Act, in 
        the same manner provided in paragraphs (1) and (2) of this 
        subsection, with respect to common carriers subject to the 
        Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts 
        amendatory thereof and supplementary thereto.
            (4) Authority preserved.--Nothing in this Act shall be 
        construed to limit the authority of the Commission under any 
        other provision of law.

SEC. 6. EFFECT ON STATE LAWS.

    This Act, including any regulations promulgated under section 4(a), 
shall supersede any provision of the law of a State relating to a 
covered provider that is subject to such a regulation, to the extent 
that the provision relates to the maintenance of--
            (1) records covered by this Act; or
            (2) any other personally identifiable information or 
        personal identification information.