[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 4626 Introduced in Senate (IS)]

116th CONGRESS
  2d Session
                                S. 4626

 To establish data privacy and data security protections for consumers 
                         in the United States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 17, 2020

 Mr. Wicker (for himself, Mr. Thune, Mrs. Blackburn, and Mrs. Fischer) 
introduced the following bill; which was read twice and referred to the 
           Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To establish data privacy and data security protections for consumers 
                         in the United States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Setting an 
American Framework to Ensure Data Access, Transparency, and 
Accountability Act'' or the ``SAFE DATA Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Effective date.
                TITLE I--INDIVIDUAL CONSUMER DATA RIGHTS

Sec. 101. Consumer loyalty.
Sec. 102. Transparency.
Sec. 103. Individual control.
Sec. 104. Rights to consent.
Sec. 105. Minimizing data collection, processing, and retention.
Sec. 106. Service providers and third parties.
Sec. 107. Privacy impact assessments.
Sec. 108. Scope of coverage.
          TITLE II--DATA TRANSPARENCY, INTEGRITY, AND SECURITY

Sec. 201. Algorithm bias, detection, and mitigation.
Sec. 202. Digital content forgeries.
Sec. 203. Data brokers.
Sec. 204. Protection of covered data.
Sec. 205. Filter bubble transparency.
Sec. 206. Unfair and deceptive acts and practices relating to the 
                            manipulation of user interfaces.
                  TITLE III--CORPORATE ACCOUNTABILITY

Sec. 301. Designation of data privacy officer and data security 
                            officer.
Sec. 302. Internal controls.
Sec. 303. Whistleblower protections.
            TITLE IV--ENFORCEMENT AUTHORITY AND NEW PROGRAMS

Sec. 401. Enforcement by the Federal Trade Commission.
Sec. 402. Enforcement by State attorneys general.
Sec. 403. Authority of Commission to seek permanent injunction and 
                            other equitable remedies.
Sec. 404. Approved certification programs.
Sec. 405. Relationship between Federal and State law.
Sec. 406. Constitutional avoidance.
Sec. 407. Severability.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Affirmative express consent.--The term ``affirmative 
        express consent'' means, upon being presented with a clear and 
        conspicuous description of an act or practice for which consent 
        is sought, an affirmative act by the individual clearly 
        communicating the individual's authorization for the act or 
        practice.
            (2) Algorithm.--The term ``algorithm'' means a 
        computational process derived from machine learning, 
        statistics, or other data processing or artificial intelligence 
        techniques, that processes covered data for the purpose of 
        making a decision or facilitating human decision making.
            (3) Algorithmic ranking system.--The term ``algorithmic 
        ranking system'' means a computational process, including one 
        derived from algorithmic decision making, machine learning, 
        statistical analysis, or other data processing or artificial 
        intelligence techniques, used to determine the order or manner 
        that a set of information is provided to a user on a covered 
        internet platform, including the ranking of search results, the 
        provision of content recommendations, the display of social 
        media posts, or any other method of automated content 
        selection.
            (4) Behavioral or psychological experiments or research.--
        The term ``behavioral or psychological experiments or 
        research'' means the study, including through human 
        experimentation, of overt or observable actions and mental 
        phenomena inferred from behavior, including interactions 
        between and among individuals and the activities of social 
        groups.
            (5) Collection.--The term ``collection'' means buying, 
        renting, gathering, obtaining, receiving, or accessing any 
        covered data of an individual by any means.
            (6) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (7) Common branding.--The term ``common branding'' means a 
        shared name, servicemark, or trademark.
            (8) Compulsive usage.--The term ``compulsive usage'' means 
        any response stimulated by external factors that causes an 
        individual to engage in repetitive, purposeful, and intentional 
        behavior causing psychological distress, loss of control, 
        anxiety, depression, or harmful stress responses.
            (9) Connected device.--For purposes of paragraphs (20) and 
        (37), the term ``connected device'' means a physical object 
        that--
                    (A) is capable of connecting to the internet, 
                either directly or indirectly through a network, to 
                communicate information at the direction of an 
                individual; and
                    (B) has computer processing capabilities for 
                collecting, sending, receiving, or analyzing data.
            (10) Covered data.--
                    (A) In general.--The term ``covered data'' means 
                information that identifies or is linked or reasonably 
                linkable to an individual or a device that is linked or 
                reasonably linkable to an individual.
                    (B) Linked or reasonably linkable.--For purposes of 
                subparagraph (A), information held by a covered entity 
                is linked or reasonably linkable to an individual or a 
                device if, as a practical matter, it can be used on its 
                own or in combination with other information held by, 
                or readily accessible to, the covered entity to 
                identify such individual or such device.
                    (C) Exclusions.--Such term does not include--
                            (i) aggregated data;
                            (ii) de-identified data;
                            (iii) employee data; or
                            (iv) publicly available information.
                    (D) Aggregated data.--For purposes of subparagraph 
                (C), the term ``aggregated data'' means information 
                that relates to a group or category of individuals or 
                devices that does not identify and is not linked or 
                reasonably linkable to any individual.
                    (E) De-identified data.--For purposes of 
                subparagraph (C), the term ``de-identified data'' means 
                information held by a covered entity that--
                            (i) does not identify, and is not linked or 
                        reasonably linkable to, an individual or 
                        device;
                            (ii) does not contain any persistent 
                        identifier or other information that could 
                        readily be used to re-identify the individual 
                        to whom, or the device to which, the identifier 
                        or information pertains;
                            (iii) is subject to a public commitment by 
                        the covered entity--
                                    (I) to refrain from attempting to 
                                use such information to identify any 
                                individual or device; and
                                    (II) to adopt technical and 
                                organizational measures to ensure that 
                                such information is not linked to any 
                                individual or device; and
                            (iv) is not disclosed by the covered entity 
                        to any other party unless the disclosure is 
                        subject to a contractually or other legally 
                        binding requirement that--
                                    (I) the recipient of the 
                                information shall not use the 
                                information to identify any individual 
                                or device; and
                                    (II) all onward disclosures of the 
                                information shall be subject to the 
                                requirement described in subclause (I).
                    (F) Employee data.--For purposes of subparagraph 
                (C), the term ``employee data'' means--
                            (i) information relating to an individual 
                        collected by a covered entity in the course of 
                        the individual acting as a job applicant to, or 
                        employee (regardless of whether such employee 
                        is paid or unpaid, or employed on a temporary 
                        basis), owner, director, officer, staff member, 
                        trainee, vendor, visitor, volunteer, intern, or 
                        contractor of, the entity, provided that such 
                        information is collected, processed, or 
                        transferred by the covered entity solely for 
                        purposes related to the individual's status as 
                        a current or former job applicant to, or an 
                        employee, owner, director, officer, staff 
                        member, trainee, vendor, visitor, volunteer, 
                        intern, or contractor of, that covered entity;
                            (ii) business contact information of an 
                        individual, including the individual's name, 
                        position or title, business telephone number, 
                        business address, business email address, 
                        qualifications, and other similar information, 
                        that is provided to a covered entity by an 
                        individual who is acting in a professional 
                        capacity, provided that such information is 
                        collected, processed, or transferred solely for 
                        purposes related to such individual's 
                        professional activities;
                            (iii) emergency contact information 
                        collected by a covered entity that relates to 
                        an individual who is acting in a role described 
                        in clause (i) with respect to the covered 
                        entity, provided that such information is 
                        collected, processed, or transferred solely for 
                        the purpose of having an emergency contact on 
                        file for the individual; or
                            (iv) information relating to an individual 
                        (or a relative or beneficiary of such 
                        individual) that is necessary for the covered 
                        entity to collect, process, or transfer for the 
                        purpose of administering benefits to which such 
                        individual (or relative or beneficiary of such 
                        individual) is entitled on the basis of the 
                        individual acting in a role described in clause 
                        (i) with respect to the entity, provided that 
                        such information is collected, processed, or 
                        transferred solely for the purpose of 
                        administering such benefits.
                    (G) Publicly available information.--
                            (i) In general.--For the purposes of 
                        subparagraph (C), the term ``publicly available 
                        information'' means any information that a 
                        covered entity has a reasonable basis to 
                        believe--
                                    (I) has been lawfully made 
                                available to the general public from 
                                Federal, State, or local government 
                                records;
                                    (II) is widely available to the 
                                general public, including information 
                                from--
                                            (aa) a telephone book or 
                                        online directory;
                                            (bb) television, internet, 
                                        or radio content or 
                                        programming; or
                                            (cc) the news media or a 
                                        website that is lawfully 
                                        available to the general public 
                                        on an unrestricted basis (for 
                                        purposes of this subclause a 
                                        website is not restricted 
                                        solely because there is a fee 
                                        or log-in requirement 
                                        associated with accessing the 
                                        website); or
                                    (III) is a disclosure to the 
                                general public that is required to be 
                                made by Federal, State, or local law.
                            (ii) Exclusions.--Such term does not 
                        include an obscene visual depiction (as defined 
                        for purposes of section 1460 of title 18, 
                        United States Code).
            (11) Covered entity.--The term ``covered entity'' means any 
        person that--
                    (A) is subject to the Federal Trade Commission Act 
                (15 U.S.C. 41 et seq.) or is--
                            (i) a common carrier described in section 
                        5(a)(2) of such Act (15 U.S.C. 45(a)(2)); or
                            (ii) an organization not organized to carry 
                        on business for their own profit or that of 
                        their members;
                    (B) collects, processes, or transfers covered data; 
                and
                    (C) determines the purposes and means of such 
                collection, processing, or transfer.
            (12) Covered internet platform.--
                    (A) In general.--The term ``covered internet 
                platform'' means any public-facing website, internet 
                application, or mobile application, including a social 
                network site, video sharing service, search engine, or 
                content aggregation service.
                    (B) Exclusions.--Such term shall not include a 
                platform that--
                            (i) is wholly owned, controlled, and 
                        operated by a person that--
                                    (I) for the most recent 6-month 
                                period, did not employ more than 500 
                                employees;
                                    (II) for the most recent 3-year 
                                period, averaged less than $50,000,000 
                                in annual gross receipts; and
                                    (III) collects or processes on an 
                                annual basis the personal data of less 
                                than 1,000,000 individuals; or
                            (ii) is operated for the sole purpose of 
                        conducting research that is not made for profit 
                        either directly or indirectly.
            (13) Data broker.--
                    (A) In general.--The term ``data broker'' means a 
                covered entity whose principal source of revenue is 
                derived from processing or transferring the covered 
                data of individuals with whom the entity does not have 
                a direct relationship on behalf of third parties for 
                such third parties' use.
                    (B) Exclusion.--Such term does not include a 
                service provider.
            (14) Delete.--The term ``delete'' means to remove or 
        destroy information such that it is not maintained in human or 
        machine readable form and cannot be retrieved or utilized in 
        such form in the normal course of business.
            (15) Executive agency.--The term ``Executive agency'' has 
        the meaning set forth in section 105 of title 5, United States 
        Code.
            (16) Independent review board.--The term ``independent 
        review board'' means a board, committee, or other group 
        formally designated by a large online operator to review, to 
        approve the initiation of, and to conduct periodic review of, 
        any research by, or at the direction or discretion of a large 
        online operator, involving human subjects.
            (17) Individual.--The term ``individual'' means a natural 
        person residing in the United States.
            (18) Inferred data.--The term ``inferred data'' means 
        information that is created by a covered entity through the 
        derivation of information, data, assumptions, or conclusions 
        from facts, evidence, or another source of information or data.
            (19) Informed consent.--For purposes of section 206, the 
        term ``informed consent''--
                    (A) means a process by which a research subject is 
                provided adequate information prior to being included 
                in any experiment or study to allow for an informed 
                decision about voluntary participation in a behavioral 
                or psychological research experiment or study, while 
                ensuring the understanding of the potential participant 
                of the furnished information and any associated 
                benefits, risks, or consequences of participation prior 
                to obtaining the voluntary agreement to participate by 
                the participant; and
                    (B) does not include--
                            (i) the consent of an individual under the 
                        age of 13; or
                            (ii) the consent to a provision contained 
                        in a general contract or service agreement.
            (20) Input-transparent algorithm.--
                    (A) In general.--For purposes of section 205, the 
                term ``input-transparent algorithm'' means an 
                algorithmic ranking system that does not use the user-
                specific data of a user to determine the order or 
                manner that information is furnished to such user on a 
                covered internet platform, unless the user-specific 
                data is expressly provided to the platform by the user 
                for such purpose.
                    (B) Inclusion of age-appropriate content filters.--
                Such term shall include an algorithmic ranking system 
                that uses user-specific data to determine whether a 
                user is old enough to access age-restricted content on 
                a covered internet platform, provided that the system 
                otherwise meets the requirements of subparagraph (A).
                    (C) Data provided for express purpose of 
                interaction with platform.--For purposes of 
                subparagraph (A), user-specific data that is provided 
                by a user for the express purpose of determining the 
                order or manner that information is furnished to a user 
                on a covered internet platform--
                            (i) shall include user-supplied search 
                        terms, filters, speech patterns (if provided 
                        for the purpose of enabling the platform to 
                        accept spoken input or selecting the language 
                        in which the user interacts with the platform), 
                        saved preferences, and the user's current 
                        geographical location;
                            (ii) shall include data supplied to the 
                        platform by the user that expresses the user's 
                        desire that information be furnished to them, 
                        such as the social media profiles the user 
                        follows, the video channels the user subscribes 
                        to, or other sources of content on the platform 
                        the user follows;
                            (iii) shall not include the history of the 
                        user's connected device, including the user's 
                        history of web searches and browsing, 
                        geographical locations, physical activity, 
                        device interaction, and financial transactions; 
                        and
                            (iv) shall not include inferences about the 
                        user or the user's connected device, without 
                        regard to whether such inferences are based on 
                        data described in clause (i).
            (21) Large data holder.--The term ``large data holder'' 
        means a covered entity that in the most recent calendar year--
                    (A) processed or transferred the covered data of 
                more than 8,000,000 individuals; or
                    (B) processed or transferred the sensitive covered 
                data of more than 300,000 individuals or devices that 
                are linked or reasonably linkable to an individual 
                (excluding any instance where the covered entity 
                processes the log-in information of an individual or 
                device to allow the individual or device to log in to 
                an account administered by the covered entity).
            (22) Large online operator.--For purposes of section 206, 
        the term ``large online operator'' means any person that--
                    (A) provides an online service;
                    (B) has more than 100,000,000 authenticated users 
                of an online service in any 30-day period; and
                    (C) is subject to the jurisdiction of the 
                Commission under the Federal Trade Commission Act (15 
                U.S.C. 41 et seq.).
            (23) Material.--The term ``material'' means, with respect 
        to an act, practice, or representation of a covered entity 
        (including a representation made by the covered entity in a 
        privacy policy or similar disclosure to individuals), that such 
        act, practice, or representation is likely to affect an 
        individual's decision or conduct regarding a product or 
        service.
            (24) Online service.--For purposes of section 206, the term 
        ``online service'' means a website or a service, other than an 
        internet access service, that is made available to the public 
        over the internet, including a social network, a search engine, 
        or email service.
            (25) Opaque algorithm.--
                    (A) In general.--The term ``opaque algorithm'' 
                means an algorithmic ranking system that determines the 
                order or manner that information is furnished to a user 
                on a covered internet platform based, in whole or part, 
                on user-specific data that was not expressly provided 
                by the user to the platform for such purpose.
                    (B) Exception for age-appropriate content 
                filters.--Such term shall not include an algorithmic 
                ranking system used by a covered internet platform if--
                            (i) the only user-specific data (including 
                        inferences about the user) that the system uses 
                        is information relating to the age of the user; 
                        and
                            (ii) such information is only used to 
                        restrict a user's access to content on the 
                        basis that the individual is not old enough to 
                        access such content.
            (26) Process.--The term ``process'' means any operation or 
        set of operations performed on covered data including analysis, 
        organization, structuring, retaining, using, or otherwise 
        handling covered data.
            (27) Processing purpose.--The term ``processing purpose'' 
        means a reason for which a covered entity processes covered 
        data.
            (28) Research.--The term ``research'' means the scientific 
        analysis of information, including covered data, by a covered 
        entity or those with whom the covered entity is cooperating or 
        others acting at the direction or on behalf of the covered 
        entity, that is conducted for the primary purpose of advancing 
        scientific knowledge and may be for the commercial benefit of 
        the covered entity.
            (29) Search syndication contract; upstream provider; 
        downstream provider.--
                    (A) Search syndication contract.--The term ``search 
                syndication contract'' means a contract or subcontract 
                for the sale, license, or other right to access an 
                index of web pages on the internet for the purpose of 
                operating an internet search engine.
                    (B) Upstream provider.--The term ``upstream 
                provider'' means, with respect to a search syndication 
                contract, the person that grants access to an index of 
                web pages on the internet to a downstream provider 
                under the contract.
                    (C) Downstream provider.--The term ``downstream 
                provider'' means, with respect to a search syndication 
                contract, the person that receives access to an index 
                of web pages on the internet from an upstream provider 
                under such contract.
            (30) Sensitive covered data.--
                    (A) In general.--The term ``sensitive covered 
                data'' means any of the following forms of covered data 
                of an individual:
                            (i) A unique, government-issued identifier, 
                        such as a Social Security number, passport 
                        number, or driver's license number, that is not 
                        required to be displayed to the public.
                            (ii) Any covered data that describes or 
                        reveals the diagnosis or treatment of the past, 
                        present, or future physical health, mental 
                        health, or disability of an individual.
                            (iii) A financial account number, debit 
                        card number, credit card number, or any 
                        required security or access code, password, or 
                        credentials allowing access to any such 
                        account.
                            (iv) Covered data that is biometric 
                        information.
                            (v) A persistent identifier.
                            (vi) Precise geolocation information.
                            (vii) The contents of an individual's 
                        private communications, such as emails, texts, 
                        direct messages, or mail, or the identity of 
                        the parties subject to such communications, 
                        unless the covered entity is the intended 
                        recipient of the communication.
                            (viii) Account log-in credentials such as a 
                        user name or email address, in combination with 
                        a password or security question and answer that 
                        would permit access to an online account.
                            (ix) Covered data revealing an individual's 
                        racial or ethnic origin, or religion in a 
                        manner inconsistent with the individual's 
                        reasonable expectation regarding the processing 
                        or transfer of such information.
                            (x) Covered data revealing the sexual 
                        orientation or sexual behavior of an individual 
                        in a manner inconsistent with the individual's 
                        reasonable expectation regarding the processing 
                        or transfer of such information.
                            (xi) Covered data about the online 
                        activities of an individual that addresses or 
                        reveals a category of covered data described in 
                        another subparagraph of this paragraph.
                            (xii) Covered data that is calendar 
                        information, address book information, phone or 
                        text logs, photos, or videos maintained for 
                        private use on an individual's device.
                            (xiii) Any covered data collected or 
                        processed by a covered entity for the purpose 
                        of identifying covered data described in 
                        another clause of this paragraph.
                            (xiv) Any other category of covered data 
                        designated by the Commission pursuant to a 
                        rulemaking under section 553 of title 5, United 
                        States Code.
                    (B) Biometric information.--For purposes of 
                subparagraph (A), the term ``biometric information''--
                            (i) means the physiological or biological 
                        characteristics of an individual, including 
                        deoxyribonucleic acid, that are used, singly or 
                        in combination with each other or with other 
                        identifying data, to establish the identity of 
                        an individual; and
                            (ii) includes--
                                    (I) imagery of the iris, retina, 
                                fingerprint, face, hand, palm, vein 
                                patterns, and voice recordings, from 
                                which an identifier template, such as a 
                                faceprint, a minutiae template, or a 
                                voiceprint, can be extracted; and
                                    (II) keystroke patterns or rhythms, 
                                gait patterns or rhythms, and sleep, 
                                health, or exercise data that contain 
                                identifying information.
                    (C) Persistent identifier.--For purposes of 
                subparagraph (A), the term ``persistent identifier'' 
                means a technologically derived identifier that 
                identifies an individual, or is linked or reasonably 
                linkable to an individual over time and across services 
                and platforms, which may include a customer number held 
                in a cookie, a static Internet Protocol address, a 
                processor or device serial number, or another unique 
                device identifier.
                    (D) Precise geolocation information.--For purposes 
                of subparagraph (A), the term ``precise geolocation 
                information'' means technologically derived information 
                capable of determining the past or present actual 
                physical location of an individual or an individual's 
                device at a specific point in time to within 1,750 
                feet.
            (31) Service provider.--The term ``service provider'' 
        means, with respect to a set of covered data, a covered entity 
        that processes or transfers such covered data for the purpose 
        of performing one or more services or functions on behalf of, 
        and at the direction of, another covered entity that--
                    (A) is not related to the covered entity providing 
                the service or function by common ownership or 
                corporate control; and
                    (B) does not share common branding with the covered 
                entity providing the service or function.
            (32) Service provider data.--The term ``service provider 
        data'' means, with respect to a set of covered data and a 
        service provider, covered data that is collected by the service 
        provider on behalf of a covered entity or transferred to the 
        service provider by a covered entity for the purpose of 
        allowing the service provider to perform a service or function 
        on behalf of, and at the direction of, such covered entity.
            (33) Third party.--The term ``third party'' means, with 
        respect to a set of covered data, a covered entity--
                    (A) that is not a service provider with respect to 
                such covered data; and
                    (B) that received such covered data from another 
                covered entity--
                            (i) that is not related to the covered 
                        entity by common ownership or corporate 
                        control; and
                            (ii) that does not share common branding 
                        with the covered entity.
            (34) Third party data.--The term ``third party data'' 
        means, with respect to a third party, covered data that has 
        been transferred to the third party by a covered entity.
            (35) Transfer.--The term ``transfer'' means to disclose, 
        release, share, disseminate, make available, or license in 
        writing, electronically, or by any other means for 
        consideration of any kind or for a commercial purpose.
            (36) User data.--For purposes of section 206, the term 
        ``user data'' means any information relating to an identified 
        or identifiable individual user, whether directly submitted to 
        the large online operator by the user, or derived from the 
        observed activity of the user by the large online operator.
            (37) User-specific data.--For purposes of section 205, the 
        term ``user-specific data'' means information relating to an 
        individual or a specific connected device that would not 
        necessarily be true of every individual or device.

SEC. 3. EFFECTIVE DATE.

    Except as otherwise provided in this Act, this Act shall take 
effect 18 months after the date of enactment of this Act.

                TITLE I--INDIVIDUAL CONSUMER DATA RIGHTS

SEC. 101. CONSUMER LOYALTY.

    (a) Prohibition on the Denial of Products or Services.--
            (1) In general.--Subject to paragraph (2), a covered entity 
        shall not deny products or services to an individual because 
        the individual exercises a right established under subparagraph 
        (A), (B), or (D) of section 103(a)(1).
            (2) Rules of application.--A covered entity--
                    (A) shall not be in violation of paragraph (1) with 
                respect to a product or service and an individual if 
                the exercise of a right described in such paragraph by 
                the individual precludes the covered entity from 
                providing such product or service to such individual; 
                and
                    (B) may offer different types of pricing and 
                functionalities with respect to a product or service 
                based on an individual's exercise of a right described 
                in such paragraph.
    (b) No Waiver of Individual Controls.--The rights and obligations 
created under section 103 may not be waived in an agreement between a 
covered entity and an individual.

SEC. 102. TRANSPARENCY.

    (a) In General.--A covered entity that processes covered data 
shall, with respect to such data, publish a privacy policy that is--
            (1) disclosed, in a clear and conspicuous manner, to an 
        individual prior to or at the point of the collection of 
        covered data from the individual; and
            (2) made available, in a clear and conspicuous manner, to 
        the public.
    (b) Content of Privacy Policy.--The privacy policy required under 
subsection (a) shall include the following:
            (1) The identity and the contact information of the covered 
        entity (including the covered entity's points of contact for 
        privacy and data security inquiries) and the identity of any 
        affiliate to which covered data may be transferred by the 
        covered entity.
            (2) The categories of covered data the covered entity 
        collects.
            (3) The processing purposes for each category of covered 
        data the covered entity collects.
            (4) Whether the covered entity transfers covered data, the 
        categories of recipients to whom the covered entity transfers 
        covered data, and the purposes of the transfers.
            (5) A general description of the covered entity's data 
        retention practices for covered data and the purposes for such 
        retention.
            (6) How individuals can exercise their rights under section 
        103.
            (7) A general description of the covered entity's data 
        security practices.
            (8) The effective date of the privacy policy.
    (c) Languages.--A privacy policy required under subsection (a) 
shall be made available in all of the languages in which the covered 
entity provides a product or service that is subject to the policy, or 
carries out activities related to such product or service.
    (d) Material Changes.--If a covered entity makes a material change 
to its privacy policy, it shall notify the individuals affected before 
further processing or transferring of previously collected covered data 
and provide an opportunity to withdraw consent to further processing or 
transferring of the covered data under the changed policy. The covered 
entity shall provide direct notification, where possible, regarding a 
material change to the privacy policy to affected individuals, taking 
into account available technology and the nature of the relationship.
    (e) Application to Indirect Transfers.--Where the ownership of an 
individual's device is transferred directly from one individual to 
another individual, a covered entity may satisfy its obligation to 
disclose a privacy policy prior to or at the point of collection of 
covered data by making the privacy policy available under subsection 
(a)(2).

SEC. 103. INDIVIDUAL CONTROL.

    (a) Access to, and Correction, Deletion, and Portability of, 
Covered Data.--
            (1) In general.--Subject to paragraphs (2) and (3), a 
        covered entity shall provide an individual, immediately or as 
        quickly as possible and in no case later than 90 days after 
        receiving a verified request from the individual, with the 
        right to reasonably--
                    (A) access--
                            (i) the covered data of the individual, or 
                        an accurate representation of the covered data 
                        of the individual, that is or has been 
                        processed by the covered entity or any service 
                        provider of the covered entity;
                            (ii) if applicable, a list of categories of 
                        third parties and service providers to whom the 
                        covered entity has transferred the covered data 
                        of the individual; and
                            (iii) if a covered entity transfers covered 
                        data, a description of the purpose for which 
                        the covered entity transferred the covered data 
                        of the individual to a service provider or 
                        third party;
                    (B) request that the covered entity--
                            (i) correct material inaccuracies or 
                        materially incomplete information with respect 
                        to the covered data of the individual that is 
                        maintained by the covered entity; and
                            (ii) notify any service provider or third 
                        party to which the covered entity transferred 
                        such covered data of the corrected information;
                    (C) request that the covered entity--
                            (i) either delete or de-identify covered 
                        data of the individual that is or has been 
                        maintained by the covered entity; and
                            (ii) notify any service provider or third 
                        party to which the covered entity transferred 
                        such covered data of the individual's request, 
                        unless the transfer of such data to the third 
                        party was made at the direction of the 
                        individual; and
                    (D) to the extent that is technically feasible, 
                provide covered data of the individual that is or has 
                been generated and submitted to the covered entity by 
                the individual and maintained by the covered entity in 
                a portable, structured, and machine-readable format 
                that is not subject to licensing restrictions.
            (2) Frequency and cost of access.--A covered entity shall--
                    (A) provide an individual with the opportunity to 
                exercise the rights described in paragraph (1) not less 
                than twice in any 12-month period; and
                    (B) with respect to the first 2 times that an 
                individual exercises the rights described in paragraph 
                (1) in any 12-month period, allow the individual to 
                exercise such rights free of charge.
            (3) Exceptions.--A covered entity--
                    (A) shall not comply with a request to exercise the 
                rights described in paragraph (1) if the covered entity 
                cannot verify that the individual making the request is 
                the individual to whom the covered data that is the 
                subject of the request relates;
                    (B) may decline to comply with a request that 
                would--
                            (i) require the covered entity to retain 
                        any covered data for the sole purpose of 
                        fulfilling the request;
                            (ii) be impossible or demonstrably 
                        impracticable to comply with; or
                            (iii) require the covered entity to 
                        combine, relink, or otherwise re-identify 
                        covered data that has been de-identified;
                            (iv) result in the release of trade 
                        secrets, or other proprietary or confidential 
                        data or business practices;
                            (v) interfere with law enforcement, 
                        judicial proceedings, investigations, or 
                        reasonable efforts to guard against, detect, or 
                        investigate malicious or unlawful activity, or 
                        enforce contracts;
                            (vi) require disproportionate effort, 
                        taking into consideration available technology, 
                        or would not be reasonably feasible on 
                        technical grounds;
                            (vii) compromise the privacy, security, or 
                        other rights of the covered data of another 
                        individual;
                            (viii) be excessive or abusive to another 
                        individual; or
                            (ix) violate Federal or State law or the 
                        rights and freedoms of another individual, 
                        including under the Constitution of the United 
                        States; and
                    (C) may delete covered data instead of providing 
                access and correction rights under subparagraphs (A) 
                and (B) of paragraph (1) if such covered data--
                            (i) is not sensitive covered data; and
                            (ii) is used only for the purposes of 
                        contacting individuals with respect to 
                        marketing communications.
    (b) Regulations.--Not later than 1 year after the date of enactment 
of this Act, the Commission shall promulgate regulations under section 
553 of title 5, United States Code, establishing requirements for 
covered entities with respect to the verification of requests to 
exercise rights described in subsection (a)(1).

SEC. 104. RIGHTS TO CONSENT.

    (a) Consent.--Except as provided in section 108, a covered entity 
shall not, without the prior, affirmative express consent of an 
individual--
            (1) transfer sensitive covered data of the individual to a 
        third party; or
            (2) process sensitive covered data of the individual.
    (b) Requirements for Affirmative Express Consent.--In obtaining the 
affirmative express consent of an individual to process the sensitive 
covered data of the individual as required under subsection (a)(2), a 
covered entity shall provide the individual with notice that shall--
            (1) include a clear description of the processing purpose 
        for which the sensitive covered data will be processed;
            (2) clearly identify any processing purpose that is 
        necessary to fulfill a request made by the individual;
            (3) include a prominent heading that would enable a 
        reasonable individual to easily identify the processing purpose 
        for which consent is sought; and
            (4) clearly explain the individual's right to provide or 
        withhold consent.
    (c) Requirements Related to Minors.--A covered entity shall not 
transfer the covered data of an individual to a third party without 
affirmative express consent from the individual or the individual's 
parent or guardian if the covered entity has actual knowledge that the 
individual is between 13 and 16 years of age.
    (d) Right To Opt Out.--Except as provided in section 108, a covered 
entity shall provide an individual with the ability to opt out of the 
collection, processing, or transfer of such individual's covered data 
before such collection, processing, or transfer occurs.
    (e) Prohibition on Inferred Consent.--A covered entity shall not 
infer that an individual has provided affirmative express consent to a 
processing purpose from the inaction of the individual or the 
individual's continued use of a service or product provided by the 
covered entity.
    (f) Withdrawal of Consent.--A covered entity shall provide an 
individual with a clear and conspicuous means to withdraw affirmative 
express consent.
    (g) Rulemaking.--The Commission may promulgate regulations under 
section 553 of title 5, United States Code, to establish requirements 
for covered entities regarding clear and conspicuous procedures for 
allowing individuals to provide or withdraw affirmative express consent 
for the collection of sensitive covered data.

SEC. 105. MINIMIZING DATA COLLECTION, PROCESSING, AND RETENTION.

    (a) In General.--A covered entity shall not collect, process, or 
transfer covered data beyond--
            (1) what is reasonably necessary, proportionate, and 
        limited to provide or improve a product, service, or a 
        communication about a product or service, including what is 
        reasonably necessary, proportionate, and limited to provide a 
        product or service specifically requested by an individual or 
        reasonably anticipated within the context of the covered 
        entity's ongoing relationship with an individual;
            (2) what is reasonably necessary, proportionate, or limited 
        to otherwise process or transfer covered data in a manner that 
        is described in the privacy policy that the covered entity is 
        required to publish under section 102(a); or
            (3) what is expressly permitted by this Act or any other 
        applicable Federal law.
    (b) Best Practices.--Not later than 1 year after the date of 
enactment of this Act, the Commission shall issue guidelines 
recommending best practices for covered entities to minimize the 
collection, processing, and transfer of covered data in accordance with 
this section.
    (c) Rule of Construction.--Notwithstanding section 405 of this Act, 
nothing in this section supersedes any other provision of this Act or 
other applicable Federal law.

SEC. 106. SERVICE PROVIDERS AND THIRD PARTIES.

    (a) Service Providers.--A service provider--
            (1) shall not process service provider data for any 
        processing purpose that is not performed on behalf of, and at 
        the direction of, the covered entity that transferred the data 
        to the service provider;
            (2) shall not transfer service provider data to a third 
        party for any purpose other than a purpose performed on behalf 
        of, or at the direction of, the covered entity that transferred 
        the data to the service provider without the affirmative 
        express consent of the individual to whom the service provider 
        data relates;
            (3) at the direction of the covered entity that transferred 
        service provider data to the service provider, shall delete or 
        de-identify such data--
                    (A) as soon as practicable after the service 
                provider has completed providing the service or 
                function for which the data was transferred to the 
                service provider; or
                    (B) as soon as practicable after the end of the 
                period during which the service provider is to provide 
                services with respect to such data, as agreed to by the 
                service provider and the covered entity that 
                transferred the data;
            (4) is exempt from the requirements of section 103 with 
        respect to service provider data, but shall, to the extent 
        practicable--
                    (A) assist the covered entity from which it 
                received the service provider data in fulfilling 
                requests to exercise rights under section 103(a); and
                    (B) upon receiving notice from a covered entity of 
                a verified request made under section 103(a)(1) to 
                delete, de-identify, or correct service provider data 
                held by the service provider, delete, de-identify, or 
                correct such data; and
            (5) is exempt from the requirements of sections 104 and 
        105.
    (b) Third Parties.--A third party--
            (1) shall not process third party data for a processing 
        purpose inconsistent with the reasonable expectation of the 
        individual to whom such data relates;
            (2) for purposes of paragraph (1), may reasonably rely on 
        representations made by the covered entity that transferred 
        third party data regarding the reasonable expectations of 
        individuals to whom such data relates, provided that the third 
        party conducts reasonable due diligence on the representations 
        of the covered entity and finds those representations to be 
        credible; and
            (3) is exempt from the requirements of sections 104 and 
        105.
    (c) Bankruptcy.--In the event that a covered entity enters into a 
bankruptcy proceeding which would lead to the disclosure of covered 
data to a third party, the covered entity shall in a reasonable time 
prior to the disclosure--
            (1) provide notice of the proposed disclosure of covered 
        data, including the name of the third party and their policies 
        and practices with respect to the covered data, to all affected 
        individuals; and
            (2) provide each affected individual with the opportunity 
        to withdraw any previous affirmative express consent related to 
        the covered data of the individual or request the deletion or 
        de-identification of the covered data of the individual.
    (d) Additional Obligations on Covered Entities.--
            (1) In general.--A covered entity shall exercise reasonable 
        due diligence to ensure compliance with this section before--
                    (A) selecting a service provider; or
                    (B) deciding to transfer covered data to a third 
                party.
            (2) Guidance.--Not later than 2 years after the effective 
        date of this Act, the Commission shall publish guidance 
        regarding compliance with this subsection. Such guidance shall, 
        to the extent practicable, minimize unreasonable burdens on 
        small- and medium-sized covered entities.

SEC. 107. PRIVACY IMPACT ASSESSMENTS.

    (a) Privacy Impact Assessments of New or Material Changes to 
Processing of Covered Data.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act (or, if later, not later than 1 year 
        after a covered entity first meets the definition of a large 
        data holder (as defined in section 2)), each covered entity 
        that is a large data holder shall conduct a privacy impact 
        assessment of each of their processing activities involving 
        covered data that present a heightened risk of harm to 
        individuals, and each such assessment shall weigh the benefits 
        of the covered entity's covered data collection, processing, 
        and transfer practices against the potential adverse 
        consequences to individual privacy of such practices.
            (2) Assessment requirements.--A privacy impact assessment 
        required under paragraph (1)--
                    (A) shall be reasonable and appropriate in scope 
                given--
                            (i) the nature of the covered data 
                        collected, processed, or transferred by the 
                        covered entity;
                            (ii) the volume of the covered data 
                        collected, processed, or transferred by the 
                        covered entity;
                            (iii) the size of the covered entity; and
                            (iv) the potential risks posed to the 
                        privacy of individuals by the collection, 
                        processing, or transfer of covered data by the 
                        covered entity;
                    (B) shall be documented in written form and 
                maintained by the covered entity unless rendered out of 
                date by a subsequent assessment conducted under 
                subsection (b); and
                    (C) shall be approved by the data privacy officer 
                of the covered entity.
    (b) Ongoing Privacy Impact Assessments.--
            (1) In general.--A covered entity that is a large data 
        holder shall, not less frequently than once every 2 years after 
        the covered entity conducted the privacy impact assessment 
        required under subsection (a), conduct a privacy impact 
        assessment of the collection, processing, and transfer of 
        covered data by the covered entity to assess the extent to 
        which--
                    (A) the ongoing practices of the covered entity are 
                consistent with the covered entity's published privacy 
                policies and other representations that the covered 
                entity makes to individuals;
                    (B) any customizable privacy settings included in a 
                service or product offered by the covered entity are 
                adequately accessible to individuals who use the 
                service or product and are effective in meeting the 
                privacy preferences of such individuals;
                    (C) the practices and privacy settings described in 
                subparagraphs (A) and (B), respectively--
                            (i) meet the expectations of a reasonable 
                        individual; and
                            (ii) provide an individual with adequate 
                        control over the individual's covered data;
                    (D) the covered entity could enhance the privacy 
                and security of covered data through technical or 
                operational safeguards such as encryption, de-
                identification, and other privacy-enhancing 
                technologies; and
                    (E) the processing of covered data is compatible 
                with the stated purposes for which it was collected.
            (2) Approval by data privacy officer.--The data privacy 
        officer of a covered entity shall approve the findings of an 
        assessment conducted by the covered entity under this 
        subsection.

SEC. 108. SCOPE OF COVERAGE.

    (a) General Exceptions.--Notwithstanding any provision of this 
title other than subsections (a) through (c) of section 102, a covered 
entity may collect, process or transfer covered data for any of the 
following purposes, provided that the collection, processing, or 
transfer is reasonably necessary, proportionate, and limited to such 
purpose:
            (1) To initiate or complete a transaction or to fulfill an 
        order or provide a service specifically requested by an 
        individual, including associated routine administrative 
        activities such as billing, shipping, financial reporting, and 
        accounting.
            (2) To perform internal system maintenance, diagnostics, 
        product or service management, inventory management, and 
        network management.
            (3) To prevent, detect, or respond to a security incident 
        or trespassing, provide a secure environment, or maintain the 
        safety and security of a product, service, or individual.
            (4) To protect against malicious, deceptive, fraudulent, or 
        illegal activity.
            (5) To comply with a legal obligation or the establishment, 
        exercise, analysis, or defense of legal claims or rights, or as 
        required or specifically authorized by law.
            (6) To comply with a civil, criminal, or regulatory 
        inquiry, investigation, subpoena, or summons by an Executive 
        agency.
            (7) To cooperate with an Executive agency or a law 
        enforcement official acting under the authority of an Executive 
        or State agency concerning conduct or activity that the 
        Executive agency or law enforcement official reasonably and in 
        good faith believes may violate Federal, State, or local law, 
        or pose a threat to public safety or national security.
            (8) To address risks to the safety of an individual or 
        group of individuals, or to ensure customer safety, including 
        by authenticating individuals in order to provide access to 
        large venues open to the public.
            (9) To effectuate a product recall pursuant to Federal or 
        State law.
            (10) To conduct public or peer-reviewed scientific, 
        historical, or statistical research that--
                    (A) is in the public interest;
                    (B) adheres to all applicable ethics and privacy 
                laws; and
                    (C) is approved, monitored, and governed by an 
                institutional review board or other oversight entity 
                that meets standards promulgated by the Commission 
                pursuant to section 553 of title 5, United States Code.
            (11) To transfer covered data to a service provider.
            (12) For a purpose identified by the Commission pursuant to 
        a regulation promulgated under subsection (b).
    (b) Additional Purposes.--The Commission may promulgate regulations 
under section 553 of title 5, United States Code, identifying 
additional purposes for which a covered entity may collect, process or 
transfer covered data.
    (c) Small Business Exception.--Sections 103, 105, and 301 shall not 
apply in the case of a covered entity that can establish that, for the 
3 preceding calendar years (or for the period during which the covered 
entity has been in existence if such period is less than 3 years)--
            (1) the covered entity's average annual gross revenues did 
        not exceed $50,000,000;
            (2) on average, the covered entity annually processed the 
        covered data of less than 1,000,000 individuals;
            (3) the covered entity never employed more than 500 
        individuals at any one time; and
            (4) the covered entity derived less than 50 percent of its 
        revenues from transferring covered data.

          TITLE II--DATA TRANSPARENCY, INTEGRITY, AND SECURITY

SEC. 201. ALGORITHM BIAS, DETECTION, AND MITIGATION.

    (a) FTC Enforcement Assistance.--
            (1) In general.--Whenever the Commission obtains 
        information that a covered entity may have processed or 
        transferred covered data in violation of Federal anti-
        discrimination laws, the Commission shall transmit such 
        information (excluding any such information that is a trade 
        secret as defined by section 1839 of title 18, United States 
        Code) to the appropriate Executive agency or State agency with 
        authority to initiate proceedings relating to such violation.
            (2) Annual report.--Beginning in 2021, the Commission shall 
        submit an annual report to Congress that includes--
                    (A) a summary of the types of information the 
                Commission transmitted to Executive agencies or State 
                agencies during the preceding year pursuant to this 
                subsection; and
                    (B) a summary of how such information relates to 
                Federal anti-discrimination laws.
            (3) Cooperation with other agencies.--The Commission may 
        implement this subsection by executing agreements or memoranda 
        of understanding with the appropriate Executive agencies.
            (4) Relationship to other laws.--Notwithstanding section 
        405, nothing in this subsection shall supersede any other 
        provision of law.
    (b) Algorithm Transparency Reports.--
            (1) Study and report.--
                    (A) Study.--The Commission shall conduct a study, 
                using the Commission's authority under section 6(b) of 
                the Federal Trade Commission Act (15 U.S.C. 46(b)), 
                examining the use of algorithms to process covered data 
                in a manner that may violate Federal anti-
                discrimination laws.
                    (B) Report.--Not later than 3 years after the date 
                of enactment of this Act, the Commission shall publish 
                a report containing the results of the study required 
                under subparagraph (A).
                    (C) Guidance.--The Commission shall use the results 
                of the study described in subparagraph (A) to develop 
                guidance to assist covered entities in avoiding the 
                discriminatory use of algorithms.
            (2) Updated report.--Not later than 5 years after the 
        publication of the report required under paragraph (1), the 
        Commission shall publish an updated report.

SEC. 202. DIGITAL CONTENT FORGERIES.

    (a) Definition.--Not later than 6 months after the date of 
enactment of this Act, the National Institute of Standards and 
Technology shall develop and publish a definition of ``digital content 
forgery'' and accompanying explanatory materials.
    (b) Elements of Definition.--In developing a definition of 
``digital content forgery'' under subsection (a), the National 
Institute of Standards and Technology shall consider the following 
factors:
            (1) Whether the content is created with the intent to 
        deceive an individual into believing the content was genuine.
            (2) Whether the content is genuine or manipulated.
            (3) The impression the content makes on a reasonable 
        individual that observes the content.
            (4) Whether the production of the content was substantially 
        dependent upon technical means, rather than the ability of 
        another individual to physically or verbally impersonate such 
        individual.
            (5) The scope of technologies that may be utilized during 
        the creation or publication of digital content forgeries, 
        including--
                    (A) video recording or film;
                    (B) sound recording;
                    (C) electronic image or photograph; or
                    (D) any digital representation of speech or 
                conduct.
    (c) Scope of Definition.--The definition published by the National 
Institute of Standards and Technology under subsection (a) shall not 
supersede any other provision of law or be construed to limit the 
authority of any Executive agency related to digital content forgeries.
    (d) Commission Reports.--
            (1) Initial report.--Not later than 1 year after the 
        National Institute of Standards and Technology publishes the 
        definition and materials required under subsection (a), the 
        Commission shall publish a report regarding the impact of 
        digital content forgeries on individuals and competition.
            (2) Subsequent reports.--Not later than 2 years after the 
        publication of the report required under paragraph (1), and as 
        often as the Commission shall deem necessary thereafter, the 
        Commission shall publish an updated version of such report.
            (3) Content of reports.--Each report required under this 
        subsection shall include--
                    (A) a description of the types of digital content 
                forgeries, including those used to commit fraud, cause 
                adverse consequences, violate any provision of law 
                enforced by the Commission, or violate civil rights 
                recognized under Federal law;
                    (B) a description of the common sources in the 
                United States of digital content forgeries and 
                commercial sources of digital content forgery 
                technologies;
                    (C) an assessment of the uses, applications, and 
                adverse consequences of digital content forgeries, 
                including the impact of digital content forgeries on 
                individuals, digital identity, and competition;
                    (D) an analysis of the methods available to 
                individuals to identify digital content forgeries as 
                well as a description of commercial technological 
                countermeasures that are, or could be, used to address 
                concerns with digital content forgeries, which may 
                include countermeasures that warn individuals of 
                suspect content;
                    (E) a description of any remedies available to 
                protect an individual's identity and reputation from 
                adverse consequences caused by digital content 
                forgeries, such as protections or remedies available 
                under the Federal Trade Commission Act (15 U.S.C. 41 et 
                seq.) or any other law; and
                    (F) any additional information the Commission 
                determines appropriate.
    (e) Establishment of Digital Content Forgery Prize Competition.--
Not later than 1 year after the date of enactment of this Act, the 
Director of the National Institute of Standards and Technology, in 
coordination with the Commission, shall establish under section 24 of 
the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719) 
a prize competition to spur the development of technical solutions to 
assist individuals and the public in identifying digital content 
forgeries and related technologies.

SEC. 203. DATA BROKERS.

    (a) In General.--Not later than January 31 of each calendar year 
that follows a calendar year during which a covered entity acted as a 
data broker, such covered entity shall register with the Commission 
pursuant to the requirements of this section.
    (b) Registration Requirements.--In registering with the Commission 
as required under subsection (a), a data broker shall do the following:
            (1) Pay to the Commission a registration fee of $100.
            (2) Provide the Commission with the following information:
                    (A) The name and primary physical, email, and 
                internet addresses of the data broker.
                    (B) Any additional information or explanation the 
                data broker chooses to provide concerning its data 
                collection and processing practices.
    (c) Penalties.--A data broker that fails to register as required 
under subsection (a) shall be liable for--
            (1) a civil penalty of $50 for each day it fails to 
        register, not to exceed a total of $10,000 for each year; and
            (2) an amount equal to the fees due under this section for 
        each year that it failed to register as required under 
        subsection (a).
    (d) Publication of Registration Information.--The Commission shall 
publish on the internet website of the Commission the registration 
information provided by data brokers under this section.

SEC. 204. PROTECTION OF COVERED DATA.

    (a) In General.--A covered entity shall establish, implement, and 
maintain reasonable administrative, technical, and physical data 
security policies and practices to protect against risks to the 
confidentiality, security, and integrity of covered data.
    (b) Data Security Requirements.--The data security policies and 
practices required under subsection (a) shall be--
            (1) appropriate to the size and complexity of the covered 
        entity, the nature and scope of the covered entity's collection 
        or processing of covered data, the volume and nature of the 
        covered data at issue, and the cost of available tools to 
        improve security and reduce vulnerabilities; and
            (2) designed to--
                    (A) identify and assess vulnerabilities to covered 
                data;
                    (B) take reasonable preventative and corrective 
                action to address known vulnerabilities to covered 
                data; and
                    (C) detect, respond to, and recover from 
                cybersecurity incidents related to covered data.
    (c) Rulemaking and Guidance.--
            (1) Rulemaking authority and scope.--
                    (A) In general.--The Commission may, pursuant to a 
                proceeding in accordance with section 553 of title 5, 
                United States Code, issue regulations to identify 
                processes for receiving and assessing information 
                regarding vulnerabilities to covered data that are 
                reported to the covered entity.
                    (B) Consultation with nist.--In promulgating 
                regulations under this paragraph, the Commission shall 
                consult with, and take into consideration guidance 
                from, the National Institute of Standards and 
                Technology.
            (2) Guidance.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall issue guidance to 
        covered entities on how to--
                    (A) identify and assess vulnerabilities to covered 
                data, including--
                            (i) the potential for unauthorized access 
                        to covered data;
                            (ii) vulnerabilities in the covered 
                        entity's collection or processing of covered 
                        data;
                            (iii) the management of access rights; and
                            (iv) the use of service providers to 
                        process covered data;
                    (B) take reasonable preventative and corrective 
                action to address vulnerabilities to covered data; and
                    (C) detect, respond to, and recover from 
                cybersecurity incidents and events.
    (d) Applicability of Other Information Security Laws.--A covered 
entity that is required to comply with title V of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information 
Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et 
seq.), and is in compliance with the information security requirements 
of such Act, shall be deemed to be in compliance with the requirements 
of this section with respect to covered data that is subject to the 
requirements of such Act.

SEC. 205. FILTER BUBBLE TRANSPARENCY.

    (a) In General.--Beginning on the date that is 1 year after the 
date of enactment of this Act, it shall be unlawful--
            (1) for any person to operate a covered internet platform 
        that uses an opaque algorithm unless the person complies with 
        the requirements of subsection (b); or
            (2) for any upstream provider to grant access to an index 
        of web pages on the internet under a search syndication 
        contract that does not comply with the requirements of 
        subsection (c).
    (b) Opaque Algorithm Requirements.--
            (1) In general.--The requirements of this subsection with 
        respect to a person that operates a covered internet platform 
        that uses an opaque algorithm are the following:
                    (A) The person provides notice to users of the 
                platform that the platform uses an opaque algorithm 
                that makes inferences based on user-specific data to 
                select the content the user sees. Such notice shall be 
                presented in a clear, conspicuous manner on the 
                platform whenever the user interacts with an opaque 
                algorithm for the first time, and may be a one-time 
                notice that can be dismissed by the user.
                    (B) The person makes available a version of the 
                platform that uses an input-transparent algorithm and 
                enables users to easily switch between the version of 
                the platform that uses an opaque algorithm and the 
                version of the platform that uses the input-transparent 
                algorithm by selecting a prominently placed icon, which 
                shall be displayed wherever the user interacts with an 
                opaque algorithm.
            (2) Nonapplication to certain downstream providers.--
        Paragraph (1) shall not apply with respect to an internet 
        search engine if--
                    (A) the search engine is operated by a downstream 
                provider with fewer than 1,000 employees; and
                    (B) the search engine uses an index of web pages on 
                the internet to which such provider received access 
                under a search syndication contract.
    (c) Search Syndication Contract Requirement.--The requirements of 
this subsection with respect to a search syndication contract are 
that--
            (1) as part of the contract, the upstream provider makes 
        available to the downstream provider the same input-transparent 
        algorithm used by the upstream provider for purposes of 
        complying with subsection (b)(1)(B); and
            (2) the upstream provider does not impose any additional 
        costs, degraded quality, reduced speed, or other constraint on 
        the functioning of such algorithm when used by the downstream 
        provider to operate an internet search engine relative to the 
        performance of such algorithm when used by the upstream 
        provider to operate an internet search engine.

SEC. 206. UNFAIR AND DECEPTIVE ACTS AND PRACTICES RELATING TO THE 
              MANIPULATION OF USER INTERFACES.

    (a) Conduct Prohibited.--
            (1) In general.--It shall be unlawful for any large online 
        operator--
                    (A) to design, modify, or manipulate a user 
                interface with the purpose or substantial effect of 
                obscuring, subverting, or impairing user autonomy, 
                decision making, or choice to obtain consent or user 
                data;
                    (B) to subdivide or segment consumers of online 
                services into groups for the purposes of behavioral or 
                psychological experiments or studies, except with the 
                informed consent of each user involved; or
                    (C) to design, modify, or manipulate a user 
                interface on a website or online service, or portion 
                thereof, that is directed to an individual under the 
                age of 13, with the purpose or substantial effect of 
                cultivating compulsive usage, including video auto-play 
                functions initiated without the consent of a user.
    (b) Duties of Large Online Operators.--Any large online operator 
that engages in any form of behavioral or psychological research based 
on the activity or data of its users shall--
            (1) disclose to its users on a routine basis, but not less 
        than once each 90 days, any experiments or studies that a user 
        was subjected to or enrolled in with the purpose of promoting 
        engagement or product conversion;
            (2) disclose to the public on a routine basis, but not less 
        than once each 90 days, any experiments or studies with the 
        purposes of promoting engagement or product conversion being 
        currently undertaken, or concluded since the prior disclosure;
            (3) present the disclosures in paragraphs (1) and (2) in a 
        manner that--
                    (A) is clear, conspicuous, context appropriate, and 
                easily accessible; and
                    (B) is not deceptively obscured;
            (4) establish an Independent Review Board for any 
        behavioral or psychological research, of any purpose, conducted 
        on users or on the basis of user activity or data, which shall 
        review and have authority to approve, require modification in, 
        or disapprove all behavioral or psychological experiments or 
        research; and
            (5) ensure that any Independent Review Board established 
        under paragraph (4) shall register with the Commission, 
        including providing to the Commission--
                    (A) the names and resumes of every board member;
                    (B) the composition and reporting structure of the 
                Board to the management of the operator;
                    (C) the process by which the Board is to be 
                notified of proposed studies or modifications along 
                with the processes by which the Board is capable of 
                vetoing or amending such proposals;
                    (D) any compensation provided to board members; and
                    (E) any conflict of interest that might exist 
                concerning a board member's participation in the Board.
    (c) Registered Professional Standards Body.--
            (1) In general.--An association of large online operators 
        may register as a professional standards body by filing with 
        the Commission an application for registration in such form as 
        the Commission, by rule, may prescribe containing the rules of 
        the association and such other information and documents as the 
        Commission, by rule, may prescribe as necessary or appropriate 
        in the public interest or for protecting the welfare of users 
        of large online operators.
            (2) Professional standards body.--An association of large 
        online operators may not register as a professional standards 
        body unless the Commission determines that--
                    (A) the association is so organized and has the 
                capacity to enforce compliance by its members and 
                persons associated with its members, with the 
                provisions of this Act;
                    (B) the rules of the association provide that any 
                large online operator may become a member of such 
                association;
                    (C) the rules of the association ensure a fair 
                representation of its members in the selection of its 
                directors and administration of its affairs and provide 
                that one or more directors shall be representative of 
                users and not be associated with, or receive any direct 
                or indirect funding from, a member of the association 
                or any large online operator;
                    (D) the rules of the association are designed to 
                prevent exploitative and manipulative acts or 
                practices, to promote transparent and fair principles 
                of technology development and design, to promote 
                research in keeping with best practices of study design 
                and informed consent, and to continually evaluate 
                industry practices and issue binding guidance 
                consistent with the objectives of this Act;
                    (E) the rules of the association provide that its 
                members and persons associated with its members shall 
                be appropriately disciplined for violation of any 
                provision of this Act, the rules or regulations 
                thereunder, or the rules of the association, by 
                expulsion, suspension, limitation of activities, 
                functions, fine, censure, being suspended or barred 
                from being associated with a member, or any other 
                appropriate sanction; and
                    (F) the rules of the association are in accordance 
                with the provisions of this Act, and, in general, 
                provide a fair procedure for the disciplining of 
                members and persons associated with members, the denial 
                of membership to any person seeking membership therein, 
                the barring of any person from becoming associated with 
                a member thereof, and the prohibition or limitation by 
                the association of any person with respect to access to 
                services offered by the association or a member 
                thereof.
            (3) Responsibilities and activities.--
                    (A) Bright-line rules.--An association shall 
                develop, on a continuing basis, guidance and bright-
                line rules for the development and design of technology 
                products of large online operators consistent with 
                subparagraph (B).
                    (B) Safe harbors.--In formulating guidance under 
                subparagraph (A), the association shall define conduct 
                that does not have the purpose or substantial effect of 
                subverting or impairing user autonomy, decision making, 
                or choice, or of cultivating compulsive usage for 
                children such as--
                            (i) de minimis user interface changes 
                        derived from testing consumer preferences, 
                        including different styles, layouts, or text, 
                        where such changes are not done with the 
                        purpose of obtaining user consent or user data;
                            (ii) algorithms or data outputs outside the 
                        control of a large online operator or its 
                        affiliates; and
                            (iii) establishing default settings that 
                        provide enhanced privacy protection to users or 
                        otherwise enhance their autonomy and decision-
                        making ability.
    (d) Enforcement by the Commission.--
            (1) Unfair or deceptive acts or practice.--A violation of 
        subsection (a) or (b) shall be treated as a violation of a rule 
        defining an unfair or deceptive act or practice under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)).
            (2) Determination.--For purposes of enforcement of this 
        Act, the Commission shall determine an act or practice is 
        unfair or deceptive if the act or practice--
                    (A) has the purpose, or substantial effect, of 
                subverting or impairing user autonomy, decision making, 
                or choice to obtain consent or user data; or
                    (B) has the purpose, or substantial effect, of 
                cultivating compulsive usage by a child under 13.
            (3) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        that--
                    (A) establish rules and procedures for obtaining 
                the informed consent of users;
                    (B) establish rules for the registration, 
                formation, oversight, and management of the independent 
                review boards, including standards that ensure 
                effective independence of such entities from improper 
                or undue influence by a large online operator;
                    (C) establish rules for the registration, 
                formation, oversight, and management of professional 
                standards bodies, including procedures for the regular 
                oversight of such bodies and revocation of their 
                designation; and
                    (D) in consultation with a professional standards 
                body established under subsection (c), define conduct 
                that does not have the purpose or substantial effect of 
                subverting or impairing user autonomy, decision making, 
                or choice, or of cultivating compulsive usage for 
                children such as--
                            (i) de minimis user interface changes 
                        derived from testing consumer preferences, 
                        including different styles, layouts, or text, 
                        where such changes are not done with the 
                        purpose of obtaining user consent or user data;
                            (ii) algorithms or data outputs outside the 
                        control of a large online operator or its 
                        affiliates; and
                            (iii) establishing default settings that 
                        provide enhanced privacy protection to users or 
                        otherwise enhance their autonomy and decision-
                        making ability.
            (4) Safe harbor.--The Commission may not bring an 
        enforcement action under this section against any large online 
        operator that relied in good faith on the guidance of a 
        professional standards body.

                  TITLE III--CORPORATE ACCOUNTABILITY

SEC. 301. DESIGNATION OF DATA PRIVACY OFFICER AND DATA SECURITY 
              OFFICER.

    (a) In General.--A covered entity shall designate--
            (1) one or more qualified employees or contractors as data 
        privacy officers; and
            (2) one or more qualified employees or contractors (in 
        addition to any employee or contractor designated under 
        paragraph (1)) as data security officers.
    (b) Responsibilities of Data Privacy Officers and Data Security 
Officers.--An employee or contractor who is designated by a covered 
entity as a data privacy officer or a data security officer shall be 
responsible for, at a minimum, coordinating the covered entity's 
policies and practices regarding--
            (1) in the case of a data privacy officer, compliance with 
        the privacy requirements with respect to covered data under 
        this Act; and
            (2) in the case of a data security officer, the security 
        requirements with respect to covered data under this Act.

SEC. 302. INTERNAL CONTROLS.

    A covered entity shall maintain internal controls and reporting 
structures to ensure that appropriate senior management officials of 
the covered entity are involved in assessing risks and making decisions 
that implicate compliance with this Act.

SEC. 303. WHISTLEBLOWER PROTECTIONS.

    (a) Definitions.--For purposes of this section:
            (1) Whistleblower.--The term ``whistleblower'' means any 
        employee or contractor of a covered entity who voluntarily 
        provides to the Commission original information relating to 
        non-compliance with, or any violation or alleged violation of, 
        this Act or any regulation promulgated under this Act.
            (2) Original information.--The term ``original 
        information'' means information that is provided to the 
        Commission by an individual and--
                    (A) is derived from the independent knowledge or 
                analysis of an individual;
                    (B) is not known to the Commission from any other 
                source at the time the individual provides the 
                information; and
                    (C) is not exclusively derived from an allegation 
                made in a judicial or an administrative action, in a 
                governmental report, a hearing, an audit, or an 
                investigation, or from news media, unless the 
                individual is a source of the allegation.
    (b) Effect of Whistleblower Retaliations on Penalties.--In seeking 
penalties under section 401 for a violation of this Act or a regulation 
promulgated under this Act by a covered entity, the Commission shall 
consider whether the covered entity retaliated against an individual 
who was a whistleblower with respect to original information that led 
to the successful resolution of an administrative or judicial action 
brought by the Commission or the Attorney General of the United States 
under this Act against such covered entity.

            TITLE IV--ENFORCEMENT AUTHORITY AND NEW PROGRAMS

SEC. 401. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a rule defining an unfair or 
        deceptive act or practice prescribed under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--Except as provided in paragraphs 
                (3) and (4), the Commission shall enforce this Act and 
                the regulations promulgated under this Act in the same 
                manner, by the same means, and with the same 
                jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates this Act or a regulation promulgated under 
                this Act shall be subject to the penalties and entitled 
                to the privileges and immunities provided in the 
                Federal Trade Commission Act (15 U.S.C. 41 et seq.).
                    (C) Limiting certain actions unrelated to this act; 
                authority preserved.--
                            (i) In general.--The Commission shall not 
                        bring any action to enforce the prohibition in 
                        section 5 of the Federal Trade Commission Act 
                        (15 U.S.C. 45) on unfair or deceptive acts or 
                        practices with respect to the privacy or 
                        security of covered data, unless such action is 
                        consistent with this Act.
                            (ii) Rule of construction.--Except as 
                        provided in paragraph (1), nothing in this Act 
                        shall be construed to limit the authority of 
                        the Commission under any other provision of 
                        law, or to limit the Commission's authority to 
                        bring actions under section 5 of the Federal 
                        Trade Commission Act (15 U.S.C. 45) relating to 
                        unfair or deceptive acts or practices to 
                        enforce the provisions of this Act and 
                        regulations promulgated thereunder, including 
                        to ensure that privacy policies required under 
                        section 102 are truthful and non-misleading.
            (3) Common carriers and nonprofit organizations.--
        Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade 
        Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any 
        jurisdictional limitation of the Commission, the Commission 
        shall also enforce this Act and the regulations promulgated 
        under this Act, in the same manner provided in paragraphs (1) 
        and (2) of this subsection, with respect to--
                    (A) common carriers subject to the Communications 
                Act of 1934 (47 U.S.C. 151 et seq.) and all Acts 
                amendatory thereof and supplementary thereto; and
                    (B) organizations not organized to carry on 
                business for their own profit or that of their members.
            (4) Data privacy and security fund.--
                    (A) Establishment of victims relief fund.--There is 
                established in the Treasury of the United States a 
                separate fund to be known as the ``Data Privacy and 
                Security Victims Relief Fund'' (referred to in this 
                paragraph as the ``Victims Relief Fund'').
                    (B) Deposits.--
                            (i) Deposits from the commission.--The 
                        Commission shall deposit into the Victims 
                        Relief Fund the amount of any civil penalty 
                        obtained against any covered entity in any 
                        action the Commission commences to enforce this 
                        Act or a regulation promulgated under this Act.
                            (ii) Deposits from the attorney general.--
                        The Attorney General of the United States shall 
                        deposit into the Victims Relief Fund the amount 
                        of any civil penalty obtained against any 
                        covered entity in any action the Attorney 
                        General commences on behalf of the Commission 
                        to enforce this Act or a regulation promulgated 
                        under this Act.
                    (C) Use of fund amounts.--Amounts in the Victims 
                Relief Fund shall be available to the Commission, 
                without fiscal year limitation, to provide redress, 
                payments or compensation, or other monetary relief to 
                individuals affected by an act or practice for which 
                civil penalties have been imposed under this Act. To 
                the extent that individuals cannot be located or such 
                redress, payments or compensation, or other monetary 
                relief are otherwise not practicable, the Commission 
                may use such funds for the purpose of consumer or 
                business education relating to data privacy and 
                security or for the purpose of engaging in 
                technological research that the Commission considers 
                necessary to enforce this Act.
                    (D) Amounts not subject to apportionment.--
                Notwithstanding any other provision of law, amounts in 
                the Victims Relief Fund shall not be subject to 
                apportionment for purposes of chapter 15 of title 31, 
                United States Code, or under any other authority.
            (5) Authorization of appropriations.--There are authorized 
        to be appropriated to the Commission $100,000,000 to carry out 
        this Act.
    (b) Enforcement of Section 206.--This section shall not apply to a 
violation of section 206 or a regulation promulgated under such 
section, and such section shall be enforced under subsection (d) of 
such section.

SEC. 402. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Civil Action.--Except as provided in subsection (h), in any 
case in which the attorney general of a State has reason to believe 
that an interest of the residents of that State has been or is 
adversely affected by the engagement of any covered entity in an act or 
practice that violates this Act or a regulation promulgated under this 
Act, the attorney general of the State, as parens patriae, may bring a 
civil action on behalf of the residents of the State in an appropriate 
district court of the United States to--
            (1) enjoin that act or practice;
            (2) enforce compliance with this Act or the regulation;
            (3) obtain damages, civil penalties, restitution, or other 
        compensation on behalf of the residents of the State; or
            (4) obtain such other relief as the court may consider to 
        be appropriate.
    (b) Rights of the Commission.--
            (1) In general.--Except where not feasible, the attorney 
        general of a State shall notify the Commission in writing prior 
        to initiating a civil action under subsection (a). Such notice 
        shall include a copy of the complaint to be filed to initiate 
        such action. Upon receiving such notice, the Commission may 
        intervene in such action and, upon intervening--
                    (A) be heard on all matters arising in such action; 
                and
                    (B) file petitions for appeal of a decision in such 
                action.
            (2) Notification timeline.--Where it is not feasible for 
        the attorney general of a State to provide the notification 
        required by paragraph (2) before initiating a civil action 
        under paragraph (1), the attorney general shall notify the 
        Commission immediately after initiating the civil action.
    (c) Consolidation of Actions Brought by Two or More State Attorneys 
General.--Whenever a civil action under subsection (a) is pending and 
another civil action or actions are commenced pursuant to such 
subsection in a different Federal district court or courts that involve 
one or more common questions of fact, such action or actions shall be 
transferred for the purposes of consolidated pretrial proceedings and 
trial to the United States District Court for the District of Columbia; 
provided however, that no such action shall be transferred if pretrial 
proceedings in that action have been concluded before a subsequent 
action is filed by the attorney general of the State.
    (d) Actions by Commission.--In any case in which a civil action is 
instituted by or on behalf of the Commission for violation of this Act 
or a regulation promulgated under this Act, no attorney general of a 
State may, during the pendency of such action, institute a civil action 
against any defendant named in the complaint in the action instituted 
by or on behalf of the Commission for violation of this Act or a 
regulation promulgated under this Act that is alleged in such 
complaint.
    (e) Investigatory Powers.--Nothing in this section shall be 
construed to prevent the attorney general of a State or another 
authorized official of a State from exercising the powers conferred on 
the attorney general or the State official by the laws of the State to 
conduct investigations, to administer oaths or affirmations, or to 
compel the attendance of witnesses or the production of documentary or 
other evidence.
    (f) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (g) Actions by Other State Officials.--
            (1) In general.--Any State official who is authorized by 
        the State attorney general to be the exclusive authority in 
        that State to enforce this Act may bring a civil action under 
        subsection (a), subject to the same requirements and 
        limitations that apply under this section to civil actions 
        brought under such subsection by State attorneys general.
            (2) Authority preserved.--Nothing in this section shall be 
        construed to prohibit an authorized official of a State from 
        initiating or continuing any proceeding in a court of the State 
        for a violation of any civil or criminal law of the State.
    (h) Exclusion of Section 206.--This section shall not apply to a 
violation of section 206 or a regulation promulgated under such 
section.

SEC. 403. AUTHORITY OF COMMISSION TO SEEK PERMANENT INJUNCTION AND 
              OTHER EQUITABLE REMEDIES.

    (a) In General.--Section 13 of the Federal Trade Commission Act (15 
U.S.C. 53) is amended--
            (1) in subsection (b)--
                    (A) in paragraph (1), by striking ``is violating, 
                or is about to violate,'' and inserting ``has violated, 
                is violating, or is about to violate'';
                    (B) in paragraph (2)--
                            (i) by inserting ``either (A)'' before 
                        ``the enjoining thereof''; and
                            (ii) by inserting ``or (B) the permanent 
                        enjoining thereof or the ordering of an 
                        equitable remedy under subsection (e)'' after 
                        ``final,''; and
                    (C) in the flush text following paragraph (2)--
                            (i) by striking ``to enjoin any such act or 
                        practice'' and inserting ``to obtain such 
                        injunction or remedy'';
                            (ii) by striking ``Upon a proper showing 
                        that'' and inserting ``In a case brought under 
                        paragraph (2)(A), upon a proper showing that'';
                            (iii) by striking ``such action'' and 
                        inserting ``a temporary restraining order or 
                        preliminary injunction'';
                            (iv) by striking ``without bond'';
                            (v) by striking ``That in proper cases the 
                        Commission may seek, and after proper proof, 
                        the court may issue, a permanent injunction.'' 
                        and inserting the following: ``That in a case 
                        brought under paragraph (2)(B), after proper 
                        proof and upon a showing that a permanent 
                        injunction or equitable remedy under subsection 
                        (e) would be in the public interest, the court 
                        may issue a permanent injunction, an equitable 
                        remedy under subsection (e), or any other 
                        relief as the court determines to be just and 
                        proper, including temporary or preliminary 
                        equitable relief.'';
                            (vi) by inserting ``under paragraph (2)'' 
                        after ``Any suit''; and
                            (vii) by striking ``any suit under this 
                        section'' and inserting ``any such suit''; and
            (2) by adding at the end the following new subsection:
    ``(e) Equitable Remedies.--
            ``(1) Restitution; contract rescission and reformation.--
                    ``(A) In general.--In a suit brought under 
                subsection (b)(2)(B) with respect to a violation of a 
                provision of law enforced by the Commission, the 
                Commission may seek, and the court may order--
                            ``(i) restitution for consumer loss 
                        resulting from such violation;
                            ``(ii) rescission or reformation of 
                        contracts; and
                            ``(iii) the refund of money or return of 
                        property.
                    ``(B) Limitations period.--Relief under this 
                paragraph shall not be available for a claim arising 
                more than 10 years before the filing of the 
                Commission's suit under subsection (b)(2)(B) with 
                respect to the violation that gave rise to the claim.
            ``(2) Disgorgement.--
                    ``(A) In general.--In a suit brought under 
                subsection (b)(2)(B) with respect to a violation of a 
                provision of law enforced by the Commission, the 
                Commission may seek, and the court may order, 
                disgorgement of any unjust enrichment that a person 
                obtained as a result of that violation.
                    ``(B) Calculation.--Any disgorgement that is 
                ordered with respect to a person under subparagraph (A) 
                shall be offset by any amount of restitution that the 
                person is ordered to pay under paragraph (1).
                    ``(C) Limitations period.--Disgorgement under this 
                paragraph shall be limited to any unjust enrichment a 
                person, partnership, or corporation obtained in the 10 
                years preceding the filing of the Commission's suit 
                under subsection (b)(2)(B) with respect to the 
                violation that resulted in such unjust enrichment.
            ``(3) Calculation of limitations periods.--For purposes of 
        calculating any limitations period with respect to a claim for 
        relief under paragraph (1) or a disgorgement order under 
        paragraph (2), any time in which a person, partnership, or 
        corporation against which such relief or order is sought is 
        outside the United States shall not be counted for purposes of 
        calculating such period.''.
    (b) Conforming Amendments.--Section 16(a)(2) of the Federal Trade 
Commission Act (15 U.S.C. 56(a)(2)) is amended--
            (1) in subparagraph (A), by striking ``(relating to 
        injunctive relief)''; and
            (2) in subparagraph (B), by striking ``(relating to 
        consumer redress)''.
    (c) Applicability.--The amendments made by this section shall apply 
with respect to any action or proceeding that is commenced on or after 
the date of enactment of this Act.

SEC. 404. APPROVED CERTIFICATION PROGRAMS.

    (a) In General.--The Commission shall establish a program in which 
the Commission shall approve voluntary consensus standards or 
certification programs that covered entities may use to comply with one 
or more provisions in this Act.
    (b) Effect of Approval.--A covered entity in compliance with a 
voluntary consensus standard approved by the Commission shall be deemed 
to be in compliance with the provisions of this Act.
    (c) Time for Approval.--The Commission shall issue a decision 
regarding the approval of a proposed voluntary consensus standard not 
later than 180 days after a request for approval is submitted.
    (d) Effect of Non-Compliance.--A covered entity that claims 
compliance with an approved voluntary consensus standard and is found 
not to be in compliance with such program by the Commission or in any 
judicial proceeding shall be considered to be in violation of the 
section 5 of the Federal Trade Commission Act (15 U.S.C. 45) 
prohibition on unfair or deceptive acts or practices.
    (e) Rulemaking.--Not later than 120 days after the date of 
enactment of this Act, the Commission shall promulgate regulations 
under section 553 of title 5, United States Code, establishing a 
process for review of requests for approval of proposed voluntary 
consensus standards under this section.
    (f) Requirements.--To be eligible for approval by the Commission, a 
voluntary consensus standard shall meet the requirements for voluntary 
consensus standards set forth in Office of Management and Budget 
Circular A-119, or other equivalent guidance document, ensuring that 
they are the result of due process procedures and appropriately balance 
the interests of all the stakeholders, including individuals, 
businesses, organizations, and other entities making lawful uses of the 
covered data covered by the standard, and--
            (1) specify clear and enforceable requirements for covered 
        entities participating in the program that provide an overall 
        level of data privacy or data security protection that is 
        equivalent to or greater than that provided in the relevant 
        provisions in this Act;
            (2) require each participating covered entity to post in a 
        prominent place a clear and conspicuous public attestation of 
        compliance and a link to the website described in paragraph 
        (4);
            (3) include a process for an independent assessment of a 
        participating covered entity's compliance with the voluntary 
        consensus standard or certification program prior to 
        certification and at reasonable intervals thereafter;
            (4) create a website describing the voluntary consensus 
        standard or certification program's goals and requirements, 
        listing participating covered entities, and providing a method 
        for individuals to ask questions and file complaints about the 
        program or any participating covered entity;
            (5) take meaningful action for non-compliance with the 
        relevant provisions of this Act by any participating covered 
        entity, which shall depend on the severity of the non-
        compliance and may include--
                    (A) removing the covered entity from the program;
                    (B) referring the covered entity to the Commission 
                or other appropriate Federal or State agencies for 
                enforcement;
                    (C) publicly reporting the disciplinary action 
                taken with respect to the covered entity;
                    (D) providing redress to individuals harmed by the 
                non-compliance;
                    (E) making voluntary payments to the United States 
                Treasury; and
                    (F) taking any other action or actions to ensure 
                the compliance of the covered entity with respect to 
                the relevant provisions of this Act; and
            (6) issue annual reports to the Commission and to the 
        public detailing the activities of the program and its 
        effectiveness during the preceding year in ensuring compliance 
        with the relevant provisions of this Act by participating 
        covered entities and taking meaningful disciplinary action for 
        non-compliance with such provisions by such entities.

SEC. 405. RELATIONSHIP BETWEEN FEDERAL AND STATE LAW.

    (a) Relationship to State Law.--No State or political subdivision 
of a State may adopt, maintain, enforce, or continue in effect any law, 
regulation, rule, requirement, or standard related to the data privacy 
or data security and associated activities of covered entities.
    (b) Savings Provision.--Subsection (a) may not be construed to 
preempt State laws that directly establish requirements for the 
notification of consumers in the event of a data breach.
    (c) Relationship to Other Federal Laws.--
            (1) In general.--Except as provided in paragraphs (2) and 
        (3), the requirements of this Act shall supersede any other 
        Federal law or regulation relating to the privacy or security 
        of covered data or associated activities of covered entities.
            (2) Savings provision.--This Act may not be construed to 
        modify, limit, or supersede the operation of the following:
                    (A) The Children's Online Privacy Protection Act 
                (15 U.S.C. 6501 et seq.).
                    (B) The Communications Assistance for Law 
                Enforcement Act (47 U.S.C. 1001 et seq.).
                    (C) Section 227 of the Communications Act of 1934 
                (47 U.S.C. 227).
                    (D) Title V of the Gramm-Leach-Bliley Act (15 
                U.S.C. 6801 et seq.).
                    (E) The Fair Credit Reporting Act (15 U.S.C. 1681 
                et seq.).
                    (F) The Health Insurance Portability and 
                Accountability Act (Public Law 104-191).
                    (G) The Electronic Communications Privacy Act (18 
                U.S.C. 2510 et seq.).
                    (H) Section 444 of the General Education Provisions 
                Act (20 U.S.C. 1232g) (commonly referred to as the 
                ``Family Educational Rights and Privacy Act of 1974'').
                    (I) The Driver's Privacy Protection Act of 1994 (18 
                U.S.C. 2721 et seq.).
                    (J) The Federal Aviation Act of 1958 (49 U.S.C. 
                App. 1301 et seq.).
                    (K) The Health Information Technology for Economic 
                and Clinical Health Act (42 U.S.C. 17931 et seq.).
            (3) Compliance with saved federal laws.--To the extent that 
        the data collection, processing, or transfer activities of a 
        covered entity are subject to a law listed in paragraph (2), 
        such activities of such entity shall not be subject to the 
        requirements of this Act.
            (4) Nonapplication of fcc laws and regulations to covered 
        entities.--Notwithstanding any other provision of law, neither 
        any provision of the Communications Act of 1934 (47 U.S.C. 151 
        et seq.) and all Acts amendatory thereof and supplementary 
        thereto nor any regulation promulgated by the Federal 
        Communications Commission under such Acts shall apply to any 
        covered entity with respect to the collection, use, processing, 
        transferring, or security of individual information, except to 
        the extent that such provision or regulation pertains solely to 
        ``911'' lines or other emergency line of a hospital, medical 
        provider or service office, health care facility, poison 
        control center, fire protection agency, or law enforcement 
        agency.

SEC. 406. CONSTITUTIONAL AVOIDANCE.

    The provisions of this Act shall be construed, to the greatest 
extent possible, to avoid conflicting with the Constitution of the 
United States, including the protections of free speech and freedom of 
the press established under the First Amendment to the Constitution of 
the United States.

SEC. 407. SEVERABILITY.

    If any provision of this Act, or an amendment made by this Act, is 
determined to be unenforceable or invalid, the remaining provisions of 
this Act and the amendments made by this Act shall not be affected.