[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2637 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 2637

To amend the Federal Trade Commission Act to establish requirements and 
   responsibilities for entities that use, store, or share personal 
 information, to protect personal information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 17, 2019

   Mr. Wyden introduced the following bill; which was read twice and 
                  referred to the Committee on Finance

_______________________________________________________________________

                                 A BILL


 
To amend the Federal Trade Commission Act to establish requirements and 
   responsibilities for entities that use, store, or share personal 
 information, to protect personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Mind Your Own Business Act of 
2019''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Automated decision system.--The term ``automated 
        decision system'' means a computational process, including one 
        derived from machine learning, statistics, or other data 
        processing or artificial intelligence techniques, that makes a 
        decision or facilitates human decision making, that impacts 
        consumers.
            (2) Automated decision system impact assessment.--The term 
        ``automated decision system impact assessment'' means a study 
        evaluating an automated decision system and the automated 
        decision system's development process, including the design and 
        training data of the automated decision system, for impacts on 
        accuracy, fairness, bias, discrimination, privacy, and security 
        that includes, at a minimum--
                    (A) a detailed description of the automated 
                decision system, its design, its training, data, and 
                its purpose;
                    (B) an assessment of the relative benefits and 
                costs of the automated decision system in light of its 
                purpose, taking into account relevant factors, 
                including--
                            (i) data minimization practices;
                            (ii) the duration for which personal 
                        information and the results of the automated 
                        decision system are stored;
                            (iii) what information about the automated 
                        decision system is available to consumers;
                            (iv) the extent to which consumers have 
                        access to the results of the automated decision 
                        system and may correct or object to its 
                        results; and
                            (v) the recipients of the results of the 
                        automated decision system;
                    (C) an assessment of the risks posed by the 
                automated decision system to the privacy or security of 
                personal information of consumers and the risks that 
                the automated decision system may result in or 
                contribute to inaccurate, unfair, biased, or 
                discriminatory decisions impacting consumers; and
                    (D) the measures the covered entity will employ to 
                minimize the risks described in subparagraph (C), 
                including technological and physical safeguards.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Consumer.--The term ``consumer'' means an individual.
            (5) Covered entity.--The term ``covered entity''--
                    (A) means any person, partnership, or corporation 
                over which the Commission has jurisdiction under 
                section 5(a)(2) of the Federal Trade Commission Act (15 
                U.S.C. 45(a)(2)) that--
                            (i) had greater than $50,000,000 in average 
                        annual gross receipts for the 3-taxable-year 
                        period preceding the most recent fiscal year, 
                        as determined in accordance with paragraphs (2) 
                        and (3) of section 448(c) of the Internal 
                        Revenue Code of 1986;
                            (ii) possesses or controls personal 
                        information on more than--
                                    (I) 1,000,000 consumers; or
                                    (II) 1,000,000 consumer devices;
                            (iii) is substantially owned, operated, or 
                        controlled by a person, partnership, or 
                        corporation that meets the requirements under 
                        clauses (i) or (ii); or
                            (iv) is a data broker or other commercial 
                        entity that, as a substantial part of their 
                        business, collects, assembles, or maintains 
                        personal information concerning an individual 
                        who is not a customer or an employee of that 
                        entity in order to sell or trade the 
                        information or provide third-party access to 
                        the information.
            (6) Data protection impact assessment.--The term ``data 
        protection impact assessment'' means a study evaluating the 
        extent to which an information system protects the privacy and 
        security of personal information the system processes.
            (7) Executive capacity.--The term ``executive capacity'' 
        means an assignment within an organization in which the 
        employee primarily--
                    (A) directs the management of the organization or a 
                major component or function of the organization;
                    (B) establishes the goals and policies of the 
                organization, component, or function;
                    (C) exercises wide latitude in discretionary 
                decision making; and
                    (D) receives only general supervision or direction 
                from higher level executives, the board of directors, 
                or stockholders of the organization.
            (8) High-risk automated decision system.--The term ``high-
        risk automated decision system'' means an automated decision 
        system that--
                    (A) taking into account the novelty of the 
                technology used and the nature, scope, context, and 
                purpose of the automated decision system, poses a 
                significant risk--
                            (i) to the privacy or security of personal 
                        information of consumers; or
                            (ii) of resulting in or contributing to 
                        inaccurate, unfair, biased, or discriminatory 
                        decisions impacting consumers;
                    (B) makes decisions, or facilitates human decision 
                making, based on systematic and extensive evaluations 
                of consumers, including attempts to analyze or predict 
                sensitive aspects of their lives, such as their work 
                performance, economic situation, health, personal 
                preferences, interests, behavior, location, or 
                movements, that--
                            (i) alter legal rights of consumers; or
                            (ii) otherwise significantly impact 
                        consumers;
                    (C) involves the personal information of a 
                significant number of consumers regarding race, color, 
                national origin, political opinions, religion, trade 
                union membership, genetic data, biometric data, health, 
                gender, gender identity, sexuality, sexual orientation, 
                criminal convictions, or arrests;
                    (D) systematically monitors a large, publicly 
                accessible physical place; or
                    (E) meets any other criteria established by the 
                Commission in regulations issued under section 7(b)(1).
            (9) High-risk information system.--The term ``high-risk 
        information system'' means an information system that--
                    (A) taking into account the novelty of the 
                technology used and the nature, scope, context, and 
                purpose of the information system, poses a significant 
                risk to the privacy or security of personal information 
                of consumers;
                    (B) involves the personal information of a 
                significant number of consumers regarding race, color, 
                national origin, political opinions, religion, trade 
                union membership, genetic data, biometric data, health, 
                gender, gender identity, sexuality, sexual orientation, 
                criminal convictions, or arrests;
                    (C) systematically monitors a large, publicly 
                accessible physical place; or
                    (D) meets any other criteria established by the 
                Commission in regulations issued under section 7(b)(1).
            (10) Information system.--The term ``information system''--
                    (A) means a process, automated or not, that 
                involves personal information, such as the collection, 
                recording, organization, structuring, storage, 
                alteration, retrieval, consultation, use, sharing, 
                disclosure, dissemination, combination, restriction, 
                erasure, or destruction of personal information; and
                    (B) does not include automated decision systems.
            (11) Journalism.--The term ``journalism'' means the 
        gathering, preparing, collecting, photographing, recording, 
        writing, editing, reporting, or publishing of news or 
        information that concerns local, national, or international 
        events or other matters of public interest for dissemination to 
        the public.
            (12) Personal information.--The term ``personal 
        information'' means any information, regardless of how the 
        information is collected, inferred, or obtained that is 
        reasonably linkable to a specific consumer or consumer device.
            (13) Share.--The term ``share''--
                    (A) means the actions of a person, partnership, or 
                corporation transferring information to another person, 
                partnership, or corporation; and
                    (B) includes actions to knowingly--
                            (i) share, exchange, transfer, sell, lease, 
                        rent, provide, disclose, or otherwise permit 
                        access to information;
                            (ii) enable or facilitate the collection of 
                        personal information by a third party; or
                            (iii) use personal information 
                        substantially at the direction of or 
                        substantially for the benefit of a third party.
            (14) Store.--The term ``store''--
                    (A) means the actions of a person, partnership, or 
                corporation to retain information; and
                    (B) includes actions to store, collect, assemble, 
                possess, control, or maintain information.
            (15) Third party.--The term ``third party'' means any 
        person, partnership, or corporation that is not--
                    (A) the person, partnership, or corporation, 
                whether a covered entity or not, that is sharing the 
                personal information;
                    (B) solely performing an outsourced function of the 
                person, partnership, or corporation sharing the 
                personal information if--
                            (i) the person, partnership, or corporation 
                        is contractually or legally prohibited from 
                        using, storing, or sharing the personal 
                        information after the conclusion of the 
                        outsourced function; and
                            (ii) the person, partnership, or 
                        corporation is complying with regulations 
                        promulgated under subparagraphs (A) and (B) of 
                        section 7(b)(1), regardless of whether the 
                        person, partnership, or corporation is a 
                        covered entity; or
                    (C) a person, partnership, or corporation for whom 
                the consumer gave opt-in consent for the covered entity 
                to disclose the personal information of the consumer.
            (16) Use.--The term ``use'' means the actions of a person, 
        partnership, or corporation in using information, including 
        actions to use, process, or access information.

SEC. 3. NONECONOMIC INJURY.

    The first sentence of section 5(n) of the Federal Trade Commission 
Act (15 U.S.C. 45(n)) is amended by inserting ``, including those 
involving noneconomic impacts and those creating a significant risk of 
unjustified exposure of personal information,'' after ``cause 
substantial injury''.

SEC. 4. CIVIL PENALTY AUTHORITY.

    Section 5 of the Federal Trade Commission Act (15 U.S.C. 45) is 
amended--
            (1) in subsection (b)--
                    (A) in the fifth sentence, by inserting ``, and it 
                may, in its discretion depending on the nature and 
                severity of the violation, include in the cease and 
                desist order an assessment of a civil penalty, which 
                shall be not more than an amount that is the greater of 
                $50,000 per violation, taken as an aggregate sum of all 
                violations, and 4 percent of the total annual gross 
                revenue of the person, partnership, or corporation for 
                the prior fiscal year'' before the period at the end;
            (2) in subsection (l)--
                    (A) in the first sentence, by striking ``of not 
                more than $10,000 for each violation'' and inserting 
                ``, which shall be not more than an amount that is the 
                greater of $50,000 per violation, taken as an aggregate 
                sum of all violations, and 4 percent of the total 
                annual gross revenue of the person, partnership, or 
                corporation for the prior fiscal year''; and
            (3) in subsection (m)(1)--
                    (A) in subparagraph (A), in the second sentence, by 
                striking ``of not more than $10,000 for each 
                violation'' and inserting ``, which shall be not more 
                than an amount that is the greater of $50,000 per 
                violation, taken as an aggregate sum of all violations, 
                and 4 percent of the total annual gross revenue of the 
                person, partnership, or corporation for the prior 
                fiscal year''; and
                    (B) in subparagraph (B), in the matter following 
                paragraph (2), by striking ``of not more than $10,000 
                for each violation'' and inserting ``, which shall be 
                not more than an amount that is the greater of $50,000 
                per violation, taken as an aggregate sum of all 
                violations, and 4 percent of the total annual gross 
                revenue of the person, partnership, or corporation for 
                the prior fiscal year''.

SEC. 5. ANNUAL DATA PROTECTION REPORTS.

    (a) Reports.--
            (1) In general.--Each covered entity that has not less than 
        $1,000,000,000 per year in revenue and stores, shares, or uses 
        personal information on more than 1,000,000 consumers or 
        consumer devices or any covered entity that stores, shares, or 
        uses personal information on more than 50,000,000 consumers or 
        consumer devices shall submit to the Commission an annual data 
        protection report describing in detail whether, during the 
        reporting period, the covered entity complied with the 
        regulations promulgated in accordance with subparagraphs (A) 
        and (B) of section 7(b)(1). To the extent that the covered 
        entity did not comply with these regulations, this statement 
        shall include a description of which regulations were violated 
        and the number of consumers whose personal information was 
        impacted.
            (2) Regulations.--Not later than 2 years after the date of 
        enactment of this Act, the Federal Trade Commission shall 
        promulgate regulations in accordance with section 553 of title 
        5, United States Code, carrying out this subsection.
    (b) Failure of Corporate Officers To Certify Privacy and Data 
Security Reports.--
            (1) In general.--Chapter 63 of title 18, United States 
        Code, is amended by adding at the end the following:
``Sec. 1352. Failure of corporate officers to certify data protection 
              reports
    ``(a) Definitions.--In this section:
            ``(1) Covered entity.--The term `covered entity' has the 
        meaning given the term in section 2 of the Mind Your Own 
        Business Act of 2019.
            ``(2) Willfully.--The term `willfully' means the voluntary, 
        intentional violation of a known legal duty.
    ``(b) Certification of Annual Data Protection Reports.--Each annual 
report filed by a company with the Federal Trade Commission pursuant to 
section 5(a) of the Mind Your Own Business Act of 2019 shall be 
accompanied by a written statement by the chief executive officer and 
chief privacy officer (or equivalent thereof) of the company.
    ``(c) Content.--The statement required under subsection (b) shall 
certify that the annual report fully complies with the requirements of 
section 5(a) of the Mind Your Own Business Act of 2019.
    ``(d) Criminal Penalties.--Whoever--
            ``(1) certifies any statement as set forth in subsections 
        (b) and (c) of this section knowing that the annual report 
        accompanying the statement does not comport with all the 
        requirements set forth in this section shall be fined not more 
        than the greater of $1,000,000 or 5 percent of the largest 
        amount of annual compensation the person received during the 
        previous 3-year period from the covered entity, imprisoned not 
        more than 10 years, or both; or
            ``(2) willfully certifies any statement as set forth in 
        subsections (b) and (c) of this section knowing that the annual 
        report accompanying the statement does not comport with all the 
        requirements set forth in this section shall be fined not more 
        than $5,000,000 or 25 percent of the largest amount of annual 
        compensation the person received during the previous 3-year 
        period from the covered entity, imprisoned not more than 20 
        years, or both.''.
            (2) Technical and conforming amendment.--The table of 
        sections for chapter 63 of title 18, United States Code, is 
        amended by adding at the end the following:

``1352. Failure of corporate officers to certify data protection 
                            reports.''.

SEC. 6. ``DO NOT TRACK'' DATA SHARING OPT OUT.

    (a) Regulations.--Not later than 2 years after the date of 
enactment of this Act, the Commission shall promulgate regulations, in 
accordance with section 553 of title 5, United States Code, to--
            (1) implement and maintain a ``Do Not Track'' data sharing 
        opt-out website--
                    (A) that allows consumers to opt out of data 
                sharing with 1 click after the consumer is logged into 
                the website, view their opt-out status, and change 
                their opt-out status;
                    (B) the effect of which opt out is to prevent--
                            (i) covered entities from sharing the 
                        personal information of the consumer with third 
                        parties, including personal information shared 
                        with or stored by the covered entity prior to 
                        the opt out unless--
                                    (I) the sharing is necessary for 
                                the primary purpose for which the 
                                consumer provided the personal 
                                information; and
                                    (II) the third party with whom the 
                                personal information was shared does 
                                not retain or use the personal 
                                information for secondary purposes; and
                            (ii) covered entities from storing or using 
                        personal information of the consumer that has 
                        been shared with them by non-covered entities, 
                        not including personal information shared with 
                        or stored by the covered entity prior to the 
                        opt out;
                    (C) that is reasonably accessible and usable by 
                consumers; and
                    (D) that enables consumers to make use of the 
                features described in subparagraph (A) through an 
                Application Programming Interface;
            (2) as part of the implementation of the opt-out website 
        described in paragraph (1)--
                    (A) maintain a record of the opt-out status of 
                consumers enrolled through the opt-out website, 
                including the date and time when the consumer opted 
                out;
                    (B) enable consumers to convey their opt-out status 
                to covered entities in 1 or more privacy-protecting 
                ways through technological means determined by the 
                Commission, such as through a consumer's web browser or 
                operating system;
                    (C) enable covered entities to determine whether a 
                particular consumer is enrolled in the opt-out website 
                in a privacy-preserving way that does not result in the 
                disclosure of any personal information other than a 
                consumer's opt-out status to that covered entity; and
                    (D) enable covered entities to make use of the 
                mechanism described in subparagraph (C) through an 
                Application Programming Interface, for which the 
                Commission may charge a reasonable fee to cover the 
                costs of operating the opt-out registry and access to 
                the system;
            (3) require that a covered entity be bound by the opt out 
        of a consumer when the opt out is conveyed through the opt-out 
        website implemented and maintained by the Commission--
                    (A) immediately for new customers; and
                    (B) within 30 days for existing customers or 
                consumers who are not customers, unless, after the 
                consumer has opted out in the manner described in 
                paragraph (1)(A), the covered entity receives, in 
                accordance with the procedures described in paragraph 
                (10), consent from the consumer to not be bound by the 
                consumer's opt out;
            (4) require covered entities that store or use personal 
        data on consumers with which they--
                    (A) do not have a direct relationship; or
                    (B) otherwise do not have the ability to determine 
                the consumer's opt-out preference through one of the 
                technological means established pursuant to paragraph 
                (2)(B),
        to make a good-faith effort to determine the consumer's opt-out 
        status at least as frequently as determined by the Commission, 
        through the Application Programming Interface maintained by the 
        Commission pursuant to paragraph (2)(D);
            (5) permit covered entities to not be bound by the 
        consumer's opt out for--
                    (A) disclosures made to the government that are 
                either required or permitted by law;
                    (B) disclosures made pursuant to an order of a 
                court or administrative tribunal;
                    (C) disclosures made in response to a subpoena, 
                discovery request, or other lawful process provided 
                that such process is accompanied by a protective order 
                that--
                            (i) prohibits the parties from using or 
                        disclosing the personal information for any 
                        purpose other than the litigation or proceeding 
                        for which such personal information was 
                        requested; and
                            (ii) requires the return to the covered 
                        entity or destruction of the personal 
                        information (including all copies made) at the 
                        end of the litigation or proceeding; or
                    (D) disclosures made to investigate, protect 
                themselves and their customers from, or recover from 
                fraud, cyber attacks, or other unlawful activity;
            (6) establish standards and procedures, including through 
        an Application Programming Interface, for a covered entity to 
        request, not more frequently than once per calendar year unless 
        a consumer is signing up for a product or service, and obtain 
        consent from a consumer who has opted out in the manner 
        described in paragraph (1)(A) for the covered entity to not be 
        bound by the opt out, provided such standards and procedures--
                    (A) require the covered entity to provide the 
                consumer, at the time the covered entity is seeking 
                consent, in accordance with paragraph (10), and in a 
                form that is understandable to a reasonable consumer--
                            (i) a list of each third party with whom 
                        the personal information of the consumer will 
                        or may be shared by the covered entity;
                            (ii) a description of the personal 
                        information of that consumer that will or may 
                        be shared; and
                            (iii) a description of the purposes for 
                        which the personal information of that consumer 
                        will or may be shared;
                    (B) if the covered entity requires consent as a 
                condition for providing a product or service, require 
                the covered entity to--
                            (i) notify the consumer that he or she can 
                        obtain a substantially similar product or 
                        service in exchange for monetary payment or 
                        other compensation rather than by permitting 
                        the covered entity to share the consumer's 
                        personal information, as provided in subsection 
                        (b)(1)(B); and
                            (ii) with respect to the notice described 
                        in clause (i)--
                                    (I) make the notice in a clear and 
                                conspicuous manner; and
                                    (II) include the cost of the fee, 
                                if any, and instructions for obtaining 
                                the substantially similar product or 
                                service described in clause (i);
                    (C) if the covered entity does not require consent 
                as a condition for providing a product or service, 
                require the covered entity to clearly and conspicuously 
                notify the consumer that the consumer may refuse to 
                provide consent but still obtain the product or 
                service; and
                    (D) require the covered entity to notify the 
                consumer of his or her right, and how to exercise that 
                right, to later withdraw consent for the covered entity 
                to not be bound by the consumer's opt out;
            (7) not less frequently than every 2 years, examine the 
        information that is presented to consumers in accordance with 
        the procedures described in paragraph (6) to make sure that the 
        information is useful, understandable, and to the extent 
        possible, does not result in notification and consent fatigue;
            (8) establish standards and procedures requiring that when 
        a non-covered entity that is not the consumer shares personal 
        information about that consumer with a covered entity, the 
        covered entity shall make reasonable efforts to verify the opt-
        out status of the consumer whose personal information has been 
        shared with the covered entity, after which the covered entity 
        may only store or use that personal information for the benefit 
        of the covered entity--
                    (A) if the consumer has not opted out in the manner 
                described in paragraph (2)(A); or
                    (B)(i) if the non-covered entity knowingly enabled 
                or facilitated the collection of personal information 
                by the covered entity and the covered entity itself 
                receives consent from the consumer to store or use the 
                consumer's personal information in accordance with 
                paragraph (9); or
                    (ii) if the non-covered entity otherwise shares the 
                information with the covered entity and the consumer 
                has given consent in accordance with paragraph (9) to 
                the covered entity or non-covered entity for the non-
                covered entity to share the consumer's personal 
                information with the specific covered entity;
            (9) establish standards and procedures for a person, 
        partnership, or corporation to request and obtain consent from 
        a consumer, in accordance with paragraph (8)(B) that clearly 
        identifies the covered entity that will be storing or using the 
        personal information and provides the consumer, at the time the 
        person, partnership, or corporation is seeking consent, in 
        accordance with paragraph (10), and in a form that is 
        understandable to a reasonable consumer--
                    (A) the name and contact information of the person, 
                partnership, or corporation from whom the personal 
                information of that consumer is to be obtained;
                    (B) a description of the personal information of 
                that consumer that will be shared; and
                    (C) a description of the purposes for which the 
                personal information of that consumer will be shared;
            (10) detail the standardized form and manner in which 
        certain information related to sharing shall be disclosed to 
        consumers, which shall, to the extent that the Commission 
        determines to be practicable and appropriate, be in the form of 
        a table that--
                    (A) contains clear and concise headings for each 
                item of such information; and
                    (B) provides a clear and concise form for stating 
                each item of information required to be disclosed under 
                each such heading; and
            (11) permit a consumer to withdraw his or her consent to a 
        covered entity to not be bound by the consumer's opt out at any 
        time, including through an Application Programming Interface.
    (b) Acts Prohibited.--
            (1) In general.--It shall be unlawful for any covered 
        entity to condition its products or services upon a requirement 
        that consumers--
                    (A) change their opt-out status through the opt-out 
                website maintained by the Commission pursuant to 
                subsection (a)(2); or
                    (B) give the covered entity consent to not be bound 
                by the consumer's opt-out status, unless the consumer 
                is also given an option to pay a fee to use a 
                substantially similar service that is not conditioned 
                upon a requirement that the consumer give the covered 
                entity consent to not be bound by the consumer's opt-
                out status.
            (2) Fee.--
                    (A) Disclosure.--Each covered entity shall disclose 
                to a consumer the amount of the fee described in 
                paragraph (1)(B), including the amount that the covered 
                entity--
                            (i) would have charged the consumer if the 
                        consumer had not opted out; and
                            (ii) the amount that the covered entity is 
                        charging to recoup the cost of providing 
                        service to low-income consumers.
                    (B) Amount.--Except as provided in subparagraph 
                (C), the fee described in paragraph (1)(B) shall not be 
                greater than the amount of monetary gain the covered 
                entity would have earned had the average consumer not 
                opted out.
                    (C) Exception.--No covered entity may charge a fee 
                to any consumer that meets the requirements described 
                in subsection (a) or (b) of section 54.409 of title 47, 
                Code of Federal Regulations (or successor regulation).
                    (D) Rulemaking.--The Commission may promulgate 
                regulations to facilitate and ensure that covered 
                entities are complying with subparagraph (C).
    (c) Enforcement by the Commission.--A violation of subsection (b) 
shall be treated as a violation of a rule defining an unfair or 
deceptive act or practice under section 18(a)(1)(B) of the Federal 
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

SEC. 7. DATA PROTECTION AUTHORITY.

    (a) Acts Prohibited.--It is unlawful for any covered entity to--
            (1) violate a regulation promulgated under subsection (b); 
        or
            (2) knowingly provide substantial assistance to any person, 
        partnership, or corporation whose actions violate this Act.
    (b) Regulations.--
            (1) In general.--Not later than 2 years after the date of 
        enactment of this section, the Commission shall promulgate 
        regulations, in accordance with section 553 of title 5, United 
        States Code, that--
                    (A) require each covered entity to establish and 
                implement reasonable cyber security and privacy 
                policies, practices, and procedures to protect personal 
                information used, stored, or shared by the covered 
                entity from improper access, disclosure, exposure, or 
                use;
                    (B) require each covered entity to implement 
                reasonable physical, technical, and organizational 
                measures to ensure that technologies or products used, 
                produced, sold, offered, or leased by the covered 
                entity that the covered entity knows or has reason to 
                believe store, process, or otherwise interact with 
                personal information are built and function 
                consistently with reasonable data protection practices;
                    (C) require each covered entity to designate at 
                least 1 employee who reports directly to an employee 
                acting in an executive capacity in the covered entity, 
                to coordinate its efforts to comply with and carry out 
                its responsibilities under this Act, including any 
                request or challenge related to the sharing of personal 
                information;
                    (D) require each covered entity to provide once per 
                calendar year, at no cost, not later than 30 business 
                days after receiving a written request from a verified 
                consumer about whom the covered entity stores personal 
                information--
                            (i) a reasonable means to review any stored 
                        personal information of that verified consumer, 
                        including the manner in which the information 
                        was collected and the date of collection, in a 
                        form that is understandable to a reasonable 
                        consumer;
                            (ii) a reasonable means to challenge the 
                        accuracy of any stored personal information of 
                        that verified consumer, including--
                                    (I) by providing publicly 
                                accessible contact information for any 
                                employee responsible for overseeing 
                                such a challenge; and
                                    (II) implementing a reasonable 
                                process for responding to such 
                                challenges, including the ability of 
                                the covered entity to terminate an 
                                investigation of information disputed 
                                by a consumer under this clause, and 
                                providing notice to the consumer of 
                                such termination, if the covered entity 
                                reasonably determines that the dispute 
                                by the consumer is frivolous or 
                                irrelevant, including by reason of a 
                                failure by a consumer to provide 
                                sufficient information to investigate 
                                the disputed information;
                            (iii) a list of each person, partnership, 
                        or corporation with whom the personal 
                        information of that verified consumer was 
                        shared by the covered entity that--
                                    (I) does not include--
                                            (aa) disclosures to 
                                        governmental entities pursuant 
                                        to a court order or law that 
                                        prohibits the covered entity 
                                        from revealing that disclosure 
                                        to the consumer;
                                            (bb) disclosures of 
                                        personal information to third 
                                        parties when the personal 
                                        information of the consumer was 
                                        made available to and readily 
                                        accessible by the general 
                                        public with the consent of the 
                                        verified consumer and shared 
                                        with the third party through a 
                                        mechanism available to any 
                                        member of the general public; 
                                        or
                                            (cc) disclosures of 
                                        information about the verified 
                                        consumer that the covered 
                                        entity did not obtain from that 
                                        consumer, if revealing that 
                                        disclosure of information would 
                                        expose another consumer to 
                                        likely harm; and
                                    (II) except as provided in 
                                subparagraph (I), includes, at a 
                                minimum--
                                            (aa) the name and contact 
                                        information of each person, 
                                        partnership, or corporation 
                                        with whom the personal 
                                        information of that verified 
                                        consumer was shared;
                                            (bb) a description of the 
                                        personal information of that 
                                        verified consumer that was 
                                        shared, in a form that is 
                                        understandable to a reasonable 
                                        consumer;
                                            (cc) a statement of the 
                                        purposes for which the personal 
                                        information of that verified 
                                        consumer was shared;
                                            (dd) if the covered entity 
                                        claims consent from the 
                                        consumer as the basis for 
                                        sharing, a statement of the 
                                        circumstances surrounding that 
                                        consumer consent, specifically 
                                        when, where, and how the 
                                        consent was obtained and by 
                                        whom the consent was obtained; 
                                        and
                                            (ee) a statement of when 
                                        the personal information of 
                                        that verified consumer was 
                                        shared; and
                            (iv) for any personal information about 
                        that verified consumer stored by the covered 
                        entity that the covered entity did not obtain 
                        directly from that verified consumer, a list 
                        identifying--
                                    (I) the name and contact 
                                information of each person, 
                                partnership, or corporation from whom 
                                the personal information of that 
                                verified consumer was obtained;
                                    (II) a description of the personal 
                                information, in a form that is 
                                understandable to a reasonable 
                                consumer;
                                    (III) a statement of the purposes 
                                for which the personal information of 
                                that verified consumer was obtained by 
                                the covered entity; and
                                    (IV) a statement of the purposes 
                                for which the personal information of 
                                that verified consumer was shared with 
                                the covered entity;
                    (E) detail the standardized form and manner in 
                which the information in subparagraph (D) shall be 
                disclosed to consumers which shall, to the extent the 
                Commission determines to be practicable and 
                appropriate, be in the form of a table that--
                            (i) contains clear and concise headings for 
                        each item of information; and
                            (ii) provides a clear and concise form for 
                        stating each item of information required to be 
                        disclosed under each such heading;
                    (F) require each covered entity to correct the 
                stored personal information of the verified consumer 
                if, after investigating a challenge by a verified 
                consumer under subparagraph (D), the covered entity 
                determines that the personal information is inaccurate;
                    (G) require each covered entity to conduct 
                automated decision system impact assessments of--
                            (i) existing high-risk automated decision 
                        systems, as frequently as the Commission 
                        determines is necessary; and
                            (ii) new high-risk automated decision 
                        systems, prior to implementation,
                provided that a covered entity may evaluate similar 
                high-risk automated decision systems that present 
                similar risks in a single assessment;
                    (H) require each covered entity to conduct data 
                protection impact assessments of--
                            (i) existing high-risk information systems, 
                        as frequently as the Commission determines is 
                        necessary; and
                            (ii) new high-risk information systems, 
                        prior to implementation,
                provided that a covered entity may evaluate similar 
                high-risk information systems that present similar 
                risks in a single assessment;
                    (I) require each covered entity to conduct the 
                impact assessments under subparagraphs (G) and (H), if 
                reasonably possible, in consultation with external 
                third parties, including independent auditors and 
                independent technology experts; and
                    (J) require each covered entity to reasonably 
                address in a timely manner the results of the impact 
                assessments under subparagraphs (G) and (H).
            (2) Consultation.--The Commission shall promulgate 
        regulations under subparagraphs (A) and (B) of paragraph (1) in 
        consultation with the National Institute of Standards and 
        Technology.
            (3) Optional publication of impact assessments.--The impact 
        assessments under subparagraphs (G) and (H) may be made public 
        by the covered entity at its sole discretion.
            (4) Applicability.--The regulations promulgated under 
        subparagraphs (D) and (F) of paragraph (1) shall only apply to 
        information stored by a covered entity for the covered entity 
        and not on behalf of another entity.
            (5) Reasonable fee.--A covered entity may charge a consumer 
        a reasonable fee to cover the cost of any additional request 
        described in paragraph (1)(D).
    (c) Preemption of Private Contracts.--It shall be unlawful for any 
covered entity to commit the acts prohibited in subsection (a), 
regardless of specific agreements between entities or consumers.
    (d) Enforcement by the Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        subsection (a) shall be treated as a violation of a rule 
        defining an unfair or deceptive act or practice under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)).
            (2) Powers of the commission.--
                    (A) In general.--The Commission shall enforce this 
                section in the same manner, by the same means, and with 
                the same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this section.
                    (B) Privileges and immunities.--Any person who 
                violates subsection (a) shall be subject to the 
                penalties and entitled to the privileges and immunities 
                provided in the Federal Trade Commission Act (15 U.S.C. 
                41 et seq.).
                    (C) Authority preserved.--Nothing in this section 
                shall be construed to limit the authority of the 
                Commission under any other provision of law.
    (e) Enforcement by States.--
            (1) In general.--If the attorney general of a State has 
        reason to believe that an interest of the residents of the 
        State has been or is being threatened or adversely affected by 
        a practice that violates subsection (a), the attorney general 
        of the State may, as parens patriae, bring a civil action on 
        behalf of the residents of the State in an appropriate district 
        court of the United States to obtain appropriate relief.
            (2) Rights of commission.--
                    (A) Notice to commission.--
                            (i) In general.--Except as provided in 
                        clause (iii), the attorney general of a State, 
                        before initiating a civil action under 
                        paragraph (1), shall provide written 
                        notification to the Commission that the 
                        attorney general intends to bring such civil 
                        action.
                            (ii) Contents.--The notification required 
                        under clause (i) shall include a copy of the 
                        complaint to be filed to initiate the civil 
                        action.
                            (iii) Exception.--If it is not feasible for 
                        the attorney general of a State to provide the 
                        notification required under clause (i) before 
                        initiating a civil action under paragraph (1), 
                        the attorney general shall notify the 
                        Commission immediately upon instituting the 
                        civil action.
                    (B) Intervention by commission.--The Commission 
                may--
                            (i) intervene in any civil action brought 
                        by the attorney general of a State under 
                        paragraph (1); and
                            (ii) upon intervening--
                                    (I) be heard on all matters arising 
                                in the civil action; and
                                    (II) file petitions for appeal of a 
                                decision in the civil action.
            (3) Investigatory powers.--Nothing in this subsection may 
        be construed to prevent the attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of the State to conduct investigations, to administer 
        oaths or affirmations, or to compel the attendance of witnesses 
        or the production of documentary or other evidence.
            (4) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in--
                            (i) the district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) another court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which--
                            (i) the defendant is an inhabitant, may be 
                        found, or transacts business; or
                            (ii) venue is proper under section 1391 of 
                        title 28, United States Code.
            (5) Actions by other state officials.--
                    (A) In general.--In addition to a civil action 
                brought by an attorney general of a State under 
                paragraph (1), any other officer of a State who is 
                authorized by the attorney general of the State to do 
                so may bring a civil action under paragraph (1), 
                subject to the same requirements and limitations that 
                apply under this subsection to civil actions brought by 
                State attorneys general.
                    (B) Savings provision.--Nothing in this subsection 
                may be construed to prohibit an authorized official of 
                a State from initiating or continuing any proceeding in 
                a court of the State for a violation of any civil or 
                criminal law of the State.
    (f) Right of Action by Protection and Advocacy Organizations.--
            (1) In general.--A protection and advocacy organization 
        designated under paragraph (3) may bring a civil action against 
        a covered entity that violates subsection (a) in an appropriate 
        district court of the United States to obtain appropriate 
        relief.
            (2) Grants.--
                    (A) In general.--Of the fines collected by the 
                Commission, the Commission may award grants to 
                protection and advocacy organizations designated under 
                paragraph (3).
                    (B) Allocation.--The Commission shall distribute 
                amounts under this paragraph on the basis of the ratio 
                of the population of each State represented by a 
                designated protection and advocacy organization to the 
                population of all States represented by designated 
                protection and advocacy organizations.
            (3) Designation.--Each State may designate 1 protection and 
        advocacy organization to bring a civil action under paragraph 
        (1).

SEC. 8. BUREAU OF TECHNOLOGY.

    (a) Establishment.--There is established in the Federal Trade 
Commission a bureau to be known as the Bureau of Technology (referred 
to in this section as the ``Bureau'').
    (b) Chief Technologist.--The Bureau shall be headed by a chief 
technologist, who shall be appointed by the Chairman of the Commission.
    (c) Staff.--
            (1) In general.--Except as provided in paragraph (2), the 
        Director of the Bureau may, without regard to the civil service 
        laws (including regulations), appoint and terminate 50 
        additional personnel with expertise in management, technology, 
        digital design, user experience, product management, software 
        engineering, and other related fields to technologist and 
        management positions to enable the Bureau to perform the duties 
        of the Bureau.
            (2) Excepted service.--Not fewer than 40 of the additional 
        personnel appointed under paragraph (1) shall be appointed to 
        positions described in section 213.3102(r) of title 5, Code of 
        Federal Regulations.
    (d) Authorization of Appropriations.--There is authorized to be 
appropriated to the Bureau such sums as are necessary to carry out this 
section.

SEC. 9. ADDITIONAL PERSONNEL IN THE BUREAU OF CONSUMER PROTECTION.

    (a) In General.--Notwithstanding any other provision of law, the 
Director of the Bureau of Consumer Protection of the Federal Trade 
Commission may, without regard to the civil service laws (including 
regulations), appoint--
            (1) 100 additional personnel in the Division of Privacy and 
        Identity Protection of the Bureau of Consumer Protection; and
            (2) 25 additional personnel in the Division of Enforcement 
        of the Bureau of Consumer Protection.
    (b) Authorization of Appropriations.--There is authorized to be 
appropriated to the Director of the Bureau of Consumer Protection such 
sums as may be necessary to carry out this section.

SEC. 10. COMPLAINT RESOLUTION.

    The Commission shall create rules and guidance establishing 
procedures for the resolution of complaints by consumers regarding 
covered entities that improperly use, store, or share the personal 
information of consumers, including procedures to--
            (1) properly process and store complaints;
            (2) provide a consumer with email updates regarding the 
        status of the consumer's complaint;
            (3) create an online portal that allows a consumer to log 
        in and track the status of the consumer's complaint;
            (4) review and forward complaints to the correct person, 
        partnership, corporation, government agency, or other entity; 
        and
            (5) process and store each response from a person, 
        partnership, corporation, government agency, or other entity to 
        which a complaint was forwarded.

SEC. 11. APPLICATION PROGRAMMING INTERFACES.

    The Commission shall, in consultation with the National Institute 
of Standards and Technology and relevant stakeholders, including 
consumer advocates and independent technology experts--
            (1) standardize Application Programming Interfaces 
        necessary to permit consumers and covered entities to 
        programmatically avail themselves of the rights and 
        responsibilities created by this Act;
            (2) permit and enable consumers to securely delegate the 
        ability to make requests on their behalf; and
            (3) require covered entities to implement the Application 
        Programming Interfaces, as appropriate.

SEC. 12. NEWS MEDIA PROTECTIONS.

    Covered entities engaged in journalism shall not be subject to the 
obligations imposed under this Act to the extent that those obligations 
directly infringe on the journalism, rather than the business 
practices, of the covered entity.

SEC. 13. EXCISE TAX.

    (a) In General.--Subtitle D of the Internal Revenue Code of 1986 is 
amended by adding at the end the following new chapter:

       ``CHAPTER 50A--FAILURE TO CERTIFY DATA PROTECTION REPORTS

``Sec. 5000D. Failure to certify data protection reports.

``SEC. 5000D. FAILURE TO CERTIFY DATA PROTECTION REPORTS.

    ``(a) Imposition of Tax.--In the case of any covered reporting 
entity with respect to which a responsible executive has been convicted 
under section 1352(d) of title 18, United States Code, there is imposed 
a tax equal to the amount determined under subsection (b).
    ``(b) Amount of Tax.--
            ``(1) In general.--The amount determined under this 
        subsection is the applicable percentage of the amount 
        determined under paragraph (3).
            ``(2) Applicable percentage.--For purposes of paragraph 
        (1), the applicable percentage is--
                    ``(A) in the case of a covered reporting entity 
                that is a corporation, the highest rate of tax in 
                effect under section 11 for the taxable year which 
                includes the date on which the specified annual data 
                protection report to which the conviction relates is 
                due, and
                    ``(B) in the case of any other covered reporting 
                entity, the highest rate of tax in effect under section 
                1 for such taxable year.
            ``(3) Amount determined.--
                    ``(A) In general.--The amount determined under this 
                paragraph is the sum of the covered compensation 
                amounts of each responsible executive of the covered 
                reporting entity who has been convicted under section 
                1352(d) of title 18, United States Code.
                    ``(B) Covered compensation amount.--For purposes of 
                subparagraph (A), the covered compensation amount with 
                respect to any responsible executive is the largest 
                amount of annual wages (as defined in section 3121(a), 
                determined without regard to any dollar limitation 
                contained in such section) of the responsible executive 
                with respect to services performed for the covered 
                reporting entity during the 3-year period preceding the 
                year to which the specified annual data protection 
                report relates.
    ``(c) Definitions.--For purposes of this section--
            ``(1) Covered reporting entity.--
                    ``(A) In general.--The term `covered reporting 
                entity' means any covered entity (as defined under 
                section 2 of the Mind Your Own Business Act of 2019) 
                which is required to file a specified annual data 
                protection report.
                    ``(B) Aggregation rules.--For purposes of this 
                paragraph, all covered entities who are treated as a 
                single employer under subsection (b), (c), (m), or (o) 
                of section 414 shall be treated as one person.
            ``(2) Responsible executive.--For purposes of this 
        subsection, the term `responsible executive' means, with 
        respect to a covered reporting entity, any of the following 
        officers:
                    ``(A) The chief executive officer.
                    ``(B) The chief privacy officer (or equivalent 
                thereof).
            ``(3) Specified annual data protection report.--The term 
        `specified annual data protection report' means the report 
        required to be filed under section 5(a) of the Mind Your Own 
        Business Act of 2019.''.
    (b) Clerical Amendment.--The table of chapters for subtitle D of 
the Internal Revenue Code of 1986 is amended by adding at the end the 
following new item:

      ``Chapter 50A--Failure To Certify Data Protection Reports''.

SEC. 14. NO PREEMPTION.

    Nothing in this Act may be construed to preempt any State law.