<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" dms-id="A1" public-private="public" slc-id="S1-LYN20742-43V-42-VGH"> 
<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>116 S4626 IS: Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2020-09-17</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code> 
<congress>116th CONGRESS</congress><session>2d Session</session> 
<legis-num>S. 4626</legis-num> 
<current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber> 
<action> 
<action-date date="20200917">September 17, 2020</action-date> 
<action-desc><sponsor name-id="S318">Mr. Wicker</sponsor> (for himself, <cosponsor name-id="S303">Mr. Thune</cosponsor>, <cosponsor name-id="S396">Mrs. Blackburn</cosponsor>, and <cosponsor name-id="S357">Mrs. Fischer</cosponsor>) introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSCM00">Committee on Commerce, Science, and Transportation</committee-name></action-desc> 
</action> 
<legis-type>A BILL</legis-type> 
<official-title>To establish data privacy and data security protections for consumers in the United States.</official-title> 
</form> 
<legis-body id="H9B03A0959C9E48B4B934F4180D1336B9"> 
<section id="S1" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header> 
<subsection id="id545FB45703A74A31A9EB99F9DEE8533F"><enum>(a)</enum><header>Short title</header><text display-inline="yes-display-inline">This Act may be cited as the <quote><short-title>Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act</short-title></quote> or the <quote><short-title>SAFE DATA Act</short-title></quote>.</text></subsection> <subsection id="idDA54B4E3FED841E1BBF53449DCC82280" commented="no"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text> 
<toc> 
<toc-entry level="section" idref="S1">Sec. 1. Short title; table of contents.</toc-entry> 
<toc-entry level="section" idref="id68E0DD762C504951B6CAADE8300F4254">Sec. 2. Definitions.</toc-entry> 
<toc-entry level="section" idref="id6C5D01D24FAA452A816B7B79CE056119">Sec. 3. Effective date.</toc-entry> 
<toc-entry level="title" idref="idEBEF5A9C6E264A18B8AD60A5D1E50892">TITLE I—Individual consumer data rights</toc-entry> 
<toc-entry level="section" idref="id1dda87b3f5df4e9385a26895ceb178b1">Sec. 101. Consumer loyalty.</toc-entry> 
<toc-entry level="section" idref="idc45c9d45e655496e8bccde3df1e5dd98">Sec. 102. Transparency.</toc-entry> 
<toc-entry level="section" idref="id8d36255b94534d33b5cb3fd8c9d1cd6e">Sec. 103. Individual control.</toc-entry> 
<toc-entry level="section" idref="id8f91ded1932c450eacef4070db8d83ac">Sec. 104. Rights to consent.</toc-entry> 
<toc-entry level="section" idref="idbc9a9f0301ca4522852a982abc585ce0">Sec. 105. Minimizing data collection, processing, and retention.</toc-entry> 
<toc-entry level="section" idref="id22bcb5ce73734d63a5c62d23e522a120">Sec. 106. Service providers and third parties.</toc-entry> 
<toc-entry level="section" idref="ID18a3f80471a241c3813518db5af93fc2">Sec. 107. Privacy impact assessments.</toc-entry> 
<toc-entry level="section" idref="ID804775b688bf47a7ad5d9b045b4d1704">Sec. 108. Scope of coverage.</toc-entry> 
<toc-entry level="title" idref="idC27E6D485E5D4A5E9C39A0D79CB08411">TITLE II—Data transparency, integrity, and security</toc-entry> 
<toc-entry level="section" idref="id13c2cbd52cab49d3abf318965777b77f">Sec. 201. Algorithm bias, detection, and mitigation.</toc-entry> 
<toc-entry level="section" idref="id8df84a8b96184d80b09cc9752213ce81">Sec. 202. Digital content forgeries.</toc-entry> 
<toc-entry level="section" idref="id134576dc057b41d9adc4a94f87401241">Sec. 203. Data brokers.</toc-entry> 
<toc-entry level="section" idref="id664b65bd9e5341f1972b0c095e405b29">Sec. 204. Protection of covered data.</toc-entry> 
<toc-entry level="section" idref="id48FF5A1D7E4A49D391C19B7A3B70B7D7">Sec. 205. Filter bubble transparency.</toc-entry> 
<toc-entry level="section" idref="id98a5780e31e74834819b7a5becb4bd7d">Sec. 206. Unfair and deceptive acts and practices relating to the manipulation of user interfaces.</toc-entry> 
<toc-entry level="title" idref="idACAF85B5EF7B4CAAA40599A9810B12D3">TITLE III—Corporate accountability</toc-entry> 
<toc-entry level="section" idref="id47593885965544c4a91476255e9c66ac">Sec. 301. Designation of data privacy officer and data security officer.</toc-entry> 
<toc-entry level="section" idref="id326f708931b0497a8a8b4efa7b180355">Sec. 302. Internal controls.</toc-entry> 
<toc-entry level="section" idref="id43c7896caf44463499837047bad8ca6d">Sec. 303. Whistleblower protections.</toc-entry> 
<toc-entry level="title" idref="idAC7BD9C5155741E3AF8E08A9E97B5140">TITLE IV—Enforcement authority and new programs</toc-entry> 
<toc-entry level="section" idref="id2d666c490a654b74b8a2246356ecef0e">Sec. 401. Enforcement by the Federal Trade Commission.</toc-entry> 
<toc-entry level="section" idref="id5b1d6bd139474e729d340e362ff05246">Sec. 402. Enforcement by State attorneys general.</toc-entry> 
<toc-entry level="section" idref="id98231889D318456083765D20CFBEB37A">Sec. 403. Authority of Commission to seek permanent injunction and other equitable remedies.</toc-entry> 
<toc-entry level="section" idref="id633327bb02f84579bc44567931e83bf9">Sec. 404. Approved certification programs.</toc-entry> 
<toc-entry level="section" idref="id02a77b0fa7be4667985874c34adcca26">Sec. 405. Relationship between Federal and State law.</toc-entry> 
<toc-entry level="section" idref="id7a631b8bf598401fb1a1314069c603bd">Sec. 406. Constitutional avoidance.</toc-entry> 
<toc-entry level="section" idref="id5f6cf06570c54947933965339ad23d36">Sec. 407. Severability.</toc-entry></toc></subsection></section> 
<section commented="no" id="id68E0DD762C504951B6CAADE8300F4254"><enum>2.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text> <paragraph id="id527857de1add47a9a0864c34533de771"><enum>(1)</enum><header>Affirmative express consent</header><text>The term <term>affirmative express consent</term> means, upon being presented with a clear and conspicuous description of an act or practice for which consent is sought, an affirmative act by the individual clearly communicating the individual’s authorization for the act or practice. </text></paragraph> 
<paragraph id="id127918f63f31492e81b91318f2e58f0e"><enum>(2)</enum><header>Algorithm</header><text>The term <term>algorithm</term> means a computational process derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that processes covered data for the purpose of making a decision or facilitating human decision making. </text></paragraph> <paragraph id="idE4C1747DA88E4E30B7DEB4441B896736"><enum>(3)</enum><header>Algorithmic ranking system</header><text>The term <term>algorithmic ranking system</term> means a computational process, including one derived from algorithmic decision making, machine learning, statistical analysis, or other data processing or artificial intelligence techniques, used to determine the order or manner that a set of information is provided to a user on a covered internet platform, including the ranking of search results, the provision of content recommendations, the display of social media posts, or any other method of automated content selection.</text></paragraph> 
<paragraph commented="no" id="id0d8e08ddcb574479b4f8c901b83dd546"><enum>(4)</enum><header>Behavioral or psychological experiments or research</header><text>The term <term>behavioral or psychological experiments or research</term> means the study, including through human experimentation, of overt or observable actions and mental phenomena inferred from behavior, including interactions between and among individuals and the activities of social groups. </text></paragraph> <paragraph id="IDc055f2334375406ebea686696069ae47"><enum>(5)</enum><header>Collection</header><text>The term <term>collection</term> means buying, renting, gathering, obtaining, receiving, or accessing any covered data of an individual by any means. </text></paragraph> 
<paragraph id="ID023c2d4d09e8410297be715a518534fd"><enum>(6)</enum><header>Commission</header><text>The term <term>Commission</term> means the Federal Trade Commission.</text></paragraph> <paragraph id="id45a5bdb7bd3d49b28d03a808526a4601" commented="no" display-inline="no-display-inline"><enum>(7)</enum><header>Common branding</header><text>The term <term>common branding</term> means a shared name, servicemark, or trademark.</text></paragraph> 
<paragraph id="idda2387b055de4068866fead8bea30108"><enum>(8)</enum><header>Compulsive usage</header><text>The term <term>compulsive usage</term> means any response stimulated by external factors that causes an individual to engage in repetitive, purposeful, and intentional behavior causing psychological distress, loss of control, anxiety, depression, or harmful stress responses. </text></paragraph> <paragraph id="id189d9e4dd9804c708bee8da1fb26532d"><enum>(9)</enum><header>Connected device</header><text>For purposes of paragraphs (20) and (37), the term <term>connected device</term> means a physical object that—</text> 
<subparagraph id="id167a1348eaef420b9b0fc717fa2bbdb4"><enum>(A)</enum><text>is capable of connecting to the internet, either directly or indirectly through a network, to communicate information at the direction of an individual; and</text></subparagraph> <subparagraph id="id99d7c89ae4af4a49844f2763a5b46e45" commented="no" display-inline="no-display-inline"><enum>(B)</enum><text>has computer processing capabilities for collecting, sending, receiving, or analyzing data. </text></subparagraph></paragraph> 
<paragraph id="id30a92c22f1fa4184aa9495cae6ac121c"><enum>(10)</enum><header>Covered data</header> 
<subparagraph id="idA2DCAB8C824749F5A379EE031C441544"><enum>(A)</enum><header>In general</header><text>The term <term>covered data</term> means information that identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual. </text></subparagraph> <subparagraph id="id6D5E32B1654A40BF8BD5CCA9DD5CAABF"><enum>(B)</enum><header>Linked or reasonably linkable</header><text>For purposes of subparagraph (A), information held by a covered entity is linked or reasonably linkable to an individual or a device if, as a practical matter, it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity to identify such individual or such device.</text></subparagraph> 
<subparagraph id="id03A61D1125E742B5AF84A2A34F4EED4B"><enum>(C)</enum><header>Exclusions</header><text>Such term does not include—</text> <clause id="id29D89ADFB04C4F19A35D0BC0FE264A0F"><enum>(i)</enum><text>aggregated data; </text></clause> 
<clause id="idD2BB3EC726BB467F94BCA94F0F756518"><enum>(ii)</enum><text>de-identified data; </text></clause> <clause id="id423F5D3FEF144FCE8E22E7638324FD3A"><enum>(iii)</enum><text>employee data; or</text></clause> 
<clause id="id3A4ECC7AB71F4B9E93D03EF90923533C"><enum>(iv)</enum><text>publicly available information.</text></clause></subparagraph> <subparagraph id="id43e0e5c293bd45a48e907eb8c910d3ef"><enum>(D)</enum><header>Aggregated data</header><text>For purposes of subparagraph (C), the term <term>aggregated data</term> means information that relates to a group or category of individuals or devices that does not identify and is not linked or reasonably linkable to any individual. </text></subparagraph> 
<subparagraph id="ID90569901a1e44db98239357ef34a514b"><enum>(E)</enum><header>De-identified data</header><text>For purposes of subparagraph (C), the term <term>de-identified data</term> means information held by a covered entity that—</text> <clause id="ID7161f791f5504a0cbd7999c0bffd024e"><enum>(i)</enum><text>does not identify, and is not linked or reasonably linkable to, an individual or device; </text></clause> 
<clause id="ID56a6488fa0634eb3b7dfeef57064c3b1"><enum>(ii)</enum><text>does not contain any persistent identifier or other information that could readily be used to re-identify the individual to whom, or the device to which, the identifier or information pertains;</text></clause> <clause id="idBA14020CFDF144C7A89C961784E49E85"><enum>(iii)</enum><text>is subject to a public commitment by the covered entity—</text> 
<subclause id="id85911B95519C496CA74190D7EB6B82D7"><enum>(I)</enum><text>to refrain from attempting to use such information to identify any individual or device; and</text></subclause> <subclause id="id7D6D994ED62447DA8C1EFD5E6FBE286B" commented="no" display-inline="no-display-inline"><enum>(II)</enum><text>to adopt technical and organizational measures to ensure that such information is not linked to any individual or device; and </text></subclause></clause> 
<clause id="idDE21B25CDCDD4D8195EB90D291CC19F0"><enum>(iv)</enum><text>is not disclosed by the covered entity to any other party unless the disclosure is subject to a contractually or other legally binding requirement that—</text> <subclause id="id1A725F1632BF40759175844EE83F7AA2"><enum>(I)</enum><text>the recipient of the information shall not use the information to identify any individual or device; and</text></subclause> 
<subclause id="idD41D6CF292F84F8FABF10EBB6E40B386" commented="no" display-inline="no-display-inline"><enum>(II)</enum><text>all onward disclosures of the information shall be subject to the requirement described in subclause (I). </text></subclause></clause></subparagraph> <subparagraph id="IDdf3a2d87823841d9be8f48b97583db66"><enum>(F)</enum><header>Employee data</header><text>For purposes of subparagraph (C), the term <term>employee data</term> means— </text> 
<clause id="IDd2b256838d2244caaf99dfd7c2134051"><enum>(i)</enum><text>information relating to an individual collected by a covered entity in the course of the individual acting as a job applicant to, or employee (regardless of whether such employee is paid or unpaid, or employed on a temporary basis), owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor of, the entity, provided that such information is collected, processed, or transferred by the covered entity solely for purposes related to the individual’s status as a current or former job applicant to, or an employee, owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor of, that covered entity;</text></clause> <clause id="ID0b51bae0754a4169af25e622bfa50967"><enum>(ii)</enum><text>business contact information of an individual, including the individual's name, position or title, business telephone number, business address, business email address, qualifications, and other similar information, that is provided to a covered entity by an individual who is acting in a professional capacity, provided that such information is collected, processed, or transferred solely for purposes related to such individual's professional activities;</text></clause> 
<clause id="ID02b68616827046a6886677b81bd76ba6"><enum>(iii)</enum><text>emergency contact information collected by a covered entity that relates to an individual who is acting in a role described in clause (i) with respect to the covered entity, provided that such information is collected, processed, or transferred solely for the purpose of having an emergency contact on file for the individual; or</text></clause> <clause id="IDaa8162db05254e77a8d97dd3c6c65876" commented="no" display-inline="no-display-inline"><enum>(iv)</enum><text>information relating to an individual (or a relative or beneficiary of such individual) that is necessary for the covered entity to collect, process, or transfer for the purpose of administering benefits to which such individual (or relative or beneficiary of such individual) is entitled on the basis of the individual acting in a role described in clause (i) with respect to the entity, provided that such information is collected, processed, or transferred solely for the purpose of administering such benefits.</text></clause></subparagraph> 
<subparagraph id="ID2168e5604e6149f4997167cd7ef53a02"><enum>(G)</enum><header>Publicly available information</header> 
<clause id="id6C042AD3F2194E2FA3E3D9D43F93BAA0"><enum>(i)</enum><header>In general</header><text>For the purposes of subparagraph (C), the term <term>publicly available information</term> means any information that a covered entity has a reasonable basis to believe— </text> <subclause id="id10BCB2DECED1449C92E7AFC65157A3E8"><enum>(I)</enum><text>has been lawfully made available to the general public from Federal, State, or local government records;</text></subclause> 
<subclause id="ID17ebbef6b82f47d18b9feb798276a727"><enum>(II)</enum><text>is widely available to the general public, including information from—</text> <item id="idE766CD328FC84101B7471A2EB0167D91"><enum>(aa)</enum><text>a telephone book or online directory;</text></item> 
<item id="idA4DFB60FAA914AE2BC726C9205AF9F7B"><enum>(bb)</enum><text>television, internet, or radio content or programming; or</text></item> <item id="idDA6931E613B34633998B78C4A94F7DDC"><enum>(cc)</enum><text>the news media or a website that is lawfully available to the general public on an unrestricted basis (for purposes of this subclause a website is not restricted solely because there is a fee or log-in requirement associated with accessing the website); or</text></item></subclause> 
<subclause id="id0064BD7A522C42B6B8EA6D03DE553E32"><enum>(III)</enum><text>is a disclosure to the general public that is required to be made by Federal, State, or local law.</text></subclause></clause> <clause id="idB0BCBAC1E2964AC98210854099320C27"><enum>(ii)</enum><header>Exclusions</header><text>Such term does not include an obscene visual depiction (as defined for purposes of section 1460 of title 18, United States Code).</text></clause></subparagraph></paragraph> 
<paragraph id="IDd8f437e8825d4e089d1de4296b850d96"><enum>(11)</enum><header>Covered entity</header><text>The term <term>covered entity</term> means any person that— </text> <subparagraph id="idD68D17A79FEE419EAC751BA7F5079A25"><enum>(A)</enum><text>is subject to the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.) or is—</text> 
<clause id="idFA6B01C0FCF1404CA37C5C9512EF7882"><enum>(i)</enum><text>a common carrier described in section 5(a)(2) of such Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>); or</text></clause> <clause id="idF4FE19B13D3A429A885215B39978170E"><enum>(ii)</enum><text>an organization not organized to carry on business for their own profit or that of their members; </text></clause></subparagraph> 
<subparagraph id="id64FF0AE211164DD98B18EA5E7A267C2D"><enum>(B)</enum><text>collects, processes, or transfers covered data; and</text></subparagraph> <subparagraph id="idEB748B1F12664791BEA7DBDC0016CA30"><enum>(C)</enum><text>determines the purposes and means of such collection, processing, or transfer.</text></subparagraph></paragraph> 
<paragraph id="id6D010BA2640F42B292C8D585BD90581F"><enum>(12)</enum><header>Covered internet platform</header> 
<subparagraph id="idB331538E13B04917B1320B9199300091"><enum>(A)</enum><header>In general</header><text>The term <term>covered internet platform</term> means any public-facing website, internet application, or mobile application, including a social network site, video sharing service, search engine, or content aggregation service.</text></subparagraph> <subparagraph id="idF5652E8042C04DDBBA2DBE8E2388CFBC"><enum>(B)</enum><header>Exclusions</header><text>Such term shall not include a platform that—</text> 
<clause id="id96854341D28E43C9A105E930055B36E1"><enum>(i)</enum><text>is wholly owned, controlled, and operated by a person that—</text> <subclause id="id8C168561B8C4429BB80B7AEC7F8A6350"><enum>(I)</enum><text>for the most recent 6-month period, did not employ more than 500 employees;</text></subclause> 
<subclause id="id82CA0B219FC3480786CDCDE2FD7972E6"><enum>(II)</enum><text>for the most recent 3-year period, averaged less than $50,000,000 in annual gross receipts; and</text></subclause> <subclause id="id993C2D3F052C4F7E8EB97D9D370825A0"><enum>(III)</enum><text>collects or processes on an annual basis the personal data of less than 1,000,000 individuals; or</text></subclause></clause> 
<clause id="idD317EDDE781C450FBBCA653453DC829D" commented="no" display-inline="no-display-inline"><enum>(ii)</enum><text>is operated for the sole purpose of conducting research that is not made for profit either directly or indirectly. </text></clause></subparagraph></paragraph> <paragraph id="ID173face147ed419f9e7fa0771151af52"><enum>(13)</enum><header>Data Broker</header> <subparagraph id="id185561F62A954A92AF58AC0718AD39EC"><enum>(A)</enum><header>In general</header><text>The term <term>data broker</term> means a covered entity whose principal source of revenue is derived from processing or transferring the covered data of individuals with whom the entity does not have a direct relationship on behalf of third parties for such third parties' use. </text></subparagraph> 
<subparagraph id="id0AD4AF0707A940EF9662655630CA08B7"><enum>(B)</enum><header>Exclusion</header><text>Such term does not include a service provider.</text></subparagraph></paragraph> <paragraph id="IDb032d54629de403c9ac3ffadb0379204" commented="no"><enum>(14)</enum><header>Delete</header><text>The term <term>delete</term> means to remove or destroy information such that it is not maintained in human or machine readable form and cannot be retrieved or utilized in such form in the normal course of business. </text></paragraph> 
<paragraph id="ID6961bca6d0d047f1a29780a5b354785d"><enum>(15)</enum><header>Executive agency</header><text>The term <term>Executive agency</term> has the meaning set forth in section 105 of title 5, United States Code.</text></paragraph> <paragraph id="id5bcadafb4bd14d0d85604abb9c896b7c"><enum>(16)</enum><header>Independent review board</header><text>The term <term>independent review board</term> means a board, committee, or other group formally designated by a large online operator to review, to approve the initiation of, and to conduct periodic review of, any research by, or at the direction or discretion of a large online operator, involving human subjects. </text></paragraph> 
<paragraph id="ID38459bda1b7a42a296890b658db6501b" commented="no"><enum>(17)</enum><header>Individual</header><text>The term <term>individual</term> means a natural person residing in the United States. </text></paragraph> <paragraph id="ID3361ce72450b47f3afa26010e3850183"><enum>(18)</enum><header>Inferred data</header><text>The term <term>inferred data</term> means information that is created by a covered entity through the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.</text></paragraph> 
<paragraph id="id1f2b46d274db4f2294bfc2b675584ed0"><enum>(19)</enum><header>Informed consent</header><text>For purposes of section 206, the term <term>informed consent</term>—</text> <subparagraph id="id52EB3B525CF74C8D9580CB54EB79916F"><enum>(A)</enum><text>means a process by which a research subject is provided adequate information prior to being included in any experiment or study to allow for an informed decision about voluntary participation in a behavioral or psychological research experiment or study, while ensuring the understanding of the potential participant of the furnished information and any associated benefits, risks, or consequences of participation prior to obtaining the voluntary agreement to participate by the participant; and</text></subparagraph> 
<subparagraph id="id2E706022665D4996A4C2D13A0C44E1B6"><enum>(B)</enum><text>does not include—</text> <clause id="id1177054194884813B8EBBD16CA5D8493"><enum>(i)</enum><text>the consent of an individual under the age of 13; or</text></clause> 
<clause id="id53AD07C96D634C309D7B8BAD5D873785" commented="no" display-inline="no-display-inline"><enum>(ii)</enum><text>the consent to a provision contained in a general contract or service agreement. </text></clause></subparagraph></paragraph> <paragraph id="id392BC67482644F5292D2868703A88BE5"><enum>(20)</enum><header>Input-transparent algorithm</header> <subparagraph id="id35F0B6A7C4B04D2A81809E2A1A40F8E4"><enum>(A)</enum><header>In general</header><text>For purposes of section 205, the term <term>input-transparent algorithm</term> means an algorithmic ranking system that does not use the user-specific data of a user to determine the order or manner that information is furnished to such user on a covered internet platform, unless the user-specific data is expressly provided to the platform by the user for such purpose.</text></subparagraph> 
<subparagraph id="id8E7A3368C9764C2C95D053B1E3BBBFAA"><enum>(B)</enum><header>Inclusion of age-appropriate content filters</header><text>Such term shall include an algorithmic ranking system that uses user-specific data to determine whether a user is old enough to access age-restricted content on a covered internet platform, provided that the system otherwise meets the requirements of subparagraph (A).</text></subparagraph> <subparagraph id="idDDD2798F08CA42DBA985CD5FD24ED9A9"><enum>(C)</enum><header>Data provided for express purpose of interaction with platform</header><text>For purposes of subparagraph (A), user-specific data that is provided by a user for the express purpose of determining the order or manner that information is furnished to a user on a covered internet platform—</text> 
<clause id="idD6804C236159427F9B887A1BED085E70"><enum>(i)</enum><text>shall include user-supplied search terms, filters, speech patterns (if provided for the purpose of enabling the platform to accept spoken input or selecting the language in which the user interacts with the platform), saved preferences, and the user's current geographical location;</text></clause> <clause id="idA04CA0BA17EC41FAB9F74D843CF3FAC0"><enum>(ii)</enum><text>shall include data supplied to the platform by the user that expresses the user's desire that information be furnished to them, such as the social media profiles the user follows, the video channels the user subscribes to, or other sources of content on the platform the user follows;</text></clause> 
<clause id="idD3CB04E3510E43FD92B84181E53DFCF6"><enum>(iii)</enum><text>shall not include the history of the user's connected device, including the user's history of web searches and browsing, geographical locations, physical activity, device interaction, and financial transactions; and</text></clause> <clause id="idE6298D8B891E4E01B30A82A085545183" commented="no" display-inline="no-display-inline"><enum>(iv)</enum><text>shall not include inferences about the user or the user's connected device, without regard to whether such inferences are based on data described in clause (i). </text></clause></subparagraph></paragraph> 
<paragraph id="ID2a01b98dc6f04ca5bb2b1e2842c07552"><enum>(21)</enum><header>Large data holder</header><text>The term <term>large data holder</term> means a covered entity that in the most recent calendar year—</text> <subparagraph id="id4613DC4FB3BC4A4E98791CFC4FA38651"><enum>(A)</enum><text>processed or transferred the covered data of more than 8,000,000 individuals; or</text></subparagraph> 
<subparagraph id="id718A205568F146059D81C204C60E2FC7"><enum>(B)</enum><text>processed or transferred the sensitive covered data of more than 300,000 individuals or devices that are linked or reasonably linkable to an individual (excluding any instance where the covered entity processes the log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity).</text></subparagraph></paragraph> <paragraph id="id979a1d5f4e2b4b79a0363e125b897384"><enum>(22)</enum><header>Large online operator</header><text>For purposes of section 206, the term <term>large online operator</term> means any person that—</text> 
<subparagraph id="idC91A02EE2DE64E549BE87B4E78D70A48"><enum>(A)</enum><text>provides an online service;</text></subparagraph> <subparagraph id="idda76b0eacb814e1c8e202d4e3639be65"><enum>(B)</enum><text>has more than 100,000,000 authenticated users of an online service in any 30-day period; and</text></subparagraph> 
<subparagraph id="id520FCFFB59804459B8F57BF33426796F" commented="no" display-inline="no-display-inline"><enum>(C)</enum><text>is subject to the jurisdiction of the Commission under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.). </text></subparagraph></paragraph> <paragraph id="IDdcb05929c1fb4968aa35ed92be30a239"><enum>(23)</enum><header>Material</header><text>The term <term>material</term> means, with respect to an act, practice, or representation of a covered entity (including a representation made by the covered entity in a privacy policy or similar disclosure to individuals), that such act, practice, or representation is likely to affect an individual's decision or conduct regarding a product or service. </text></paragraph> 
<paragraph commented="no" id="id99e823cb78cc4a0b8d69bed73f35db1c"><enum>(24)</enum><header>Online service</header><text>For purposes of section 206, the term <term>online service</term> means a website or a service, other than an internet access service, that is made available to the public over the internet, including a social network, a search engine, or email service. </text></paragraph> <paragraph id="idFD898DA770424DDAA9313C6427549BE5"><enum>(25)</enum><header>Opaque algorithm</header> <subparagraph id="idD1F77E29712542BF89DB724E4ED470FC"><enum>(A)</enum><header>In general</header><text>The term <term>opaque algorithm</term> means an algorithmic ranking system that determines the order or manner that information is furnished to a user on a covered internet platform based, in whole or part, on user-specific data that was not expressly provided by the user to the platform for such purpose.</text></subparagraph> 
<subparagraph commented="no" id="id13ED04C557F34F929EF3E27CB1A73A00"><enum>(B)</enum><header>Exception for age-appropriate content filters</header><text>Such term shall not include an algorithmic ranking system used by a covered internet platform if—</text> <clause commented="no" id="idD093D0DD698345D2B14693F74799C0A5"><enum>(i)</enum><text>the only user-specific data (including inferences about the user) that the system uses is information relating to the age of the user; and</text></clause> 
<clause id="id35556E4E1E05416EB17142CF2494139B" commented="no" display-inline="no-display-inline"><enum>(ii)</enum><text>such information is only used to restrict a user's access to content on the basis that the individual is not old enough to access such content. </text></clause></subparagraph></paragraph> <paragraph id="idFDA8B0778694440D835E0BA36A73C707"><enum>(26)</enum><header>Process</header><text>The term <term>process</term> means any operation or set of operations performed on covered data including analysis, organization, structuring, retaining, using, or otherwise handling covered data.</text></paragraph> 
<paragraph id="ID169b2a206bff44a4aaeb498e4b980954"><enum>(27)</enum><header>Processing purpose</header><text>The term <term>processing purpose</term> means a reason for which a covered entity processes covered data.</text></paragraph> <paragraph id="ID0787f43fd19945389468645707ed82cc"><enum>(28)</enum><header>Research</header><text>The term <term>research</term> means the scientific analysis of information, including covered data, by a covered entity or those with whom the covered entity is cooperating or others acting at the direction or on behalf of the covered entity, that is conducted for the primary purpose of advancing scientific knowledge and may be for the commercial benefit of the covered entity.</text></paragraph> 
<paragraph commented="no" id="id926A544A3FA14F9F8035FF155CA5B3DA"><enum>(29)</enum><header>Search syndication contract; upstream provider; downstream provider</header> 
<subparagraph commented="no" id="idF36AD798D5034DB8B0C4B714383D1F52"><enum>(A)</enum><header>Search syndication contract</header><text>The term <term>search syndication contract</term> means a contract or subcontract for the sale, license, or other right to access an index of web pages on the internet for the purpose of operating an internet search engine.</text></subparagraph> <subparagraph commented="no" id="idC4437B18149949BAB5E21041B41CA41E"><enum>(B)</enum><header>Upstream provider</header><text>The term <term>upstream provider</term> means, with respect to a search syndication contract, the person that grants access to an index of web pages on the internet to a downstream provider under the contract.</text></subparagraph> 
<subparagraph id="id03A5045B0E864723B0387E5AEECA8BDE" commented="no" display-inline="no-display-inline"><enum>(C)</enum><header>Downstream provider</header><text>The term <term>downstream provider</term> means, with respect to a search syndication contract, the person that receives access to an index of web pages on the internet from an upstream provider under such contract. </text></subparagraph></paragraph> <paragraph id="ID46beeba86cd94f419d201790e6663d54"><enum>(30)</enum><header>Sensitive covered data</header> <subparagraph id="id8F130A997A574FE4B664D2D1301687AE"><enum>(A)</enum><header>In general</header><text>The term <term>sensitive covered data</term> means any of the following forms of covered data of an individual: </text> 
<clause id="ID8d18c860940a43dca9df98abe05266b1"><enum>(i)</enum><text>A unique, government-issued identifier, such as a Social Security number, passport number, or driver’s license number, that is not required to be displayed to the public.</text></clause> <clause id="ID683c5dac1fbd45dfa32c2c361ea023f7" commented="no"><enum>(ii)</enum><text>Any covered data that describes or reveals the diagnosis or treatment of the past, present, or future physical health, mental health, or disability of an individual.</text></clause> 
<clause id="ID9779114dc9504e46ad6b6cf2e6fd09be"><enum>(iii)</enum><text>A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account.</text></clause> <clause id="ID0f3b0a494f7e473eac72bb44e26e3887" commented="no"><enum>(iv)</enum><text>Covered data that is biometric information.</text></clause> 
<clause id="ID6163978adb704fe993f4958291fbacc4"><enum>(v)</enum><text>A persistent identifier.</text></clause> <clause id="idB42F4EAFAE9F42D59427C982A0985391"><enum>(vi)</enum><text>Precise geolocation information.</text></clause> 
<clause id="ID1993df271f324d4f975952e700635e18"><enum>(vii)</enum><text>The contents of an individual’s private communications, such as emails, texts, direct messages, or mail, or the identity of the parties subject to such communications, unless the covered entity is the intended recipient of the communication.</text></clause> <clause id="ID5dfac2359e304c838247baa45634379a"><enum>(viii)</enum><text>Account log-in credentials such as a user name or email address, in combination with a password or security question and answer that would permit access to an online account.</text></clause> 
<clause id="IDa2e2b367abb741bb89f345754b757a0c"><enum>(ix)</enum><text>Covered data revealing an individual’s racial or ethnic origin, or religion in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information.</text></clause> <clause id="ID7db09da114dc46b086da28a469baf8a3"><enum>(x)</enum><text>Covered data revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information.</text></clause> 
<clause id="IDaa10ecfdfda04ee78c2471af6b4a8138" commented="no"><enum>(xi)</enum><text>Covered data about the online activities of an individual that addresses or reveals a category of covered data described in another subparagraph of this paragraph.</text></clause> <clause id="ID9d0636a49b6b41768009cfbdc2999c1b"><enum>(xii)</enum><text>Covered data that is calendar information, address book information, phone or text logs, photos, or videos maintained for private use on an individual’s device.</text></clause> 
<clause id="ID5c2bfef682a14eae8b55371c52f77014"><enum>(xiii)</enum><text>Any covered data collected or processed by a covered entity for the purpose of identifying covered data described in another clause of this paragraph.</text></clause> <clause id="IDa6ee2e7a465c49e79a319be9e14d1f59"><enum>(xiv)</enum><text>Any other category of covered data designated by the Commission pursuant to a rulemaking under section 553 of title 5, United States Code. </text></clause></subparagraph> 
<subparagraph id="id7C77B8D995CA47799F5C4953F24C2C3F"><enum>(B)</enum><header>Biometric information</header><text>For purposes of subparagraph (A), the term <term>biometric information</term>—</text> <clause id="id7F3791FE64D24257806AAC48D976AC2B"><enum>(i)</enum><text>means the physiological or biological characteristics of an individual, including deoxyribonucleic acid, that are used, singly or in combination with each other or with other identifying data, to establish the identity of an individual; and</text></clause> 
<clause id="id8852226DDB254556992362526DDB556A"><enum>(ii)</enum><text>includes—</text> <subclause id="id500D7F7391E346B08E35CF289DDC7A86"><enum>(I)</enum><text>imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted; and</text></subclause> 
<subclause id="idF89AEA43D10A4F8BACEB4D38AED5D048" commented="no" display-inline="no-display-inline"><enum>(II)</enum><text>keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. </text></subclause></clause></subparagraph> <subparagraph id="id832F32BDCE5F4BF3AEDA3B6C08210A23"><enum>(C)</enum><header>Persistent identifier</header><text>For purposes of subparagraph (A), the term <term>persistent identifier</term> means a technologically derived identifier that identifies an individual, or is linked or reasonably linkable to an individual over time and across services and platforms, which may include a customer number held in a cookie, a static Internet Protocol address, a processor or device serial number, or another unique device identifier. </text></subparagraph> 
<subparagraph id="IDd460137ab1d54bf28fdfd06ea752fefd"><enum>(D)</enum><header>Precise geolocation information</header><text>For purposes of subparagraph (A), the term <term>precise geolocation information</term> means technologically derived information capable of determining the past or present actual physical location of an individual or an individual’s device at a specific point in time to within 1,750 feet. </text></subparagraph></paragraph> <paragraph id="IDf0a68298d6e74b898c7acd216348410a"><enum>(31)</enum><header>Service provider</header><text>The term <term>service provider</term> means, with respect to a set of covered data, a covered entity that processes or transfers such covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, another covered entity that—</text> 
<subparagraph id="idCE76D508FE5B4E40B347EDB3A5A468DD" commented="no"><enum>(A)</enum><text>is not related to the covered entity providing the service or function by common ownership or corporate control; and</text></subparagraph> <subparagraph id="id1FF81364ED08403EBDFB371F1512767F" commented="no" display-inline="no-display-inline"><enum>(B)</enum><text>does not share common branding with the covered entity providing the service or function.</text></subparagraph></paragraph> 
<paragraph id="ID98fce88a55724a729884c138ae7baa5a"><enum>(32)</enum><header>Service provider data</header><text>The term <term>service provider data</term> means, with respect to a set of covered data and a service provider, covered data that is collected by the service provider on behalf of a covered entity or transferred to the service provider by a covered entity for the purpose of allowing the service provider to perform a service or function on behalf of, and at the direction of, such covered entity. </text></paragraph> <paragraph id="ID3a0a475cf9b74e69a4cbadcf5b5242a7"><enum>(33)</enum><header>Third party</header><text>The term <term>third party</term> means, with respect to a set of covered data, a covered entity—</text> 
<subparagraph id="idE4C7FA094E444702B4C76771ED97420B"><enum>(A)</enum><text>that is not a service provider with respect to such covered data; and</text></subparagraph> <subparagraph id="id73A33D8352424EC297B89CBE299CF0AA"><enum>(B)</enum><text>that received such covered data from another covered entity—</text> 
<clause id="id3A67D0341A1E4E1A9C572674C3075BFD"><enum>(i)</enum><text>that is not related to the covered entity by common ownership or corporate control; and</text></clause> <clause id="id2AC6A1F3328545BDBB6395AF5B5DA790"><enum>(ii)</enum><text>that does not share common branding with the covered entity.</text></clause></subparagraph></paragraph> 
<paragraph id="IDca4de6b71a9e42cdad016593adf609c8"><enum>(34)</enum><header>Third party data</header><text>The term <term>third party data</term> means, with respect to a third party, covered data that has been transferred to the third party by a covered entity.</text></paragraph> <paragraph id="ID75da1ac1bf524230800790619810c11a"><enum>(35)</enum><header>Transfer</header><text>The term <term>transfer</term> means to disclose, release, share, disseminate, make available, or license in writing, electronically, or by any other means for consideration of any kind or for a commercial purpose.</text></paragraph> 
<paragraph commented="no" display-inline="no-display-inline" id="idd15477f713f1431086dd123d3432ee4c"><enum>(36)</enum><header>User data</header><text>For purposes of section 206, the term <term>user data</term> means any information relating to an identified or identifiable individual user, whether directly submitted to the large online operator by the user, or derived from the observed activity of the user by the large online operator. </text></paragraph> <paragraph id="id8104EA76C4E045D5A57384B33130A30C" commented="no" display-inline="no-display-inline"><enum>(37)</enum><header>User-specific data</header><text>For purposes of section 205, the term <term>user-specific data</term> means information relating to an individual or a specific connected device that would not necessarily be true of every individual or device. </text></paragraph></section> 
<section display-inline="no-display-inline" commented="no" id="id6C5D01D24FAA452A816B7B79CE056119"><enum>3.</enum><header>Effective date</header><text display-inline="no-display-inline">Except as otherwise provided in this Act, this Act shall take effect 18 months after the date of enactment of this Act. </text></section> <title id="idEBEF5A9C6E264A18B8AD60A5D1E50892" style="OLC"><enum>I</enum><header>Individual consumer data rights</header> <section id="id1dda87b3f5df4e9385a26895ceb178b1"><enum>101.</enum><header>Consumer loyalty</header> <subsection id="id43DB160F728C48C5A84A72F2EE8EC5E8"><enum>(a)</enum><header>Prohibition on the denial of products or services</header> <paragraph id="id3A09AAD764A745678F9A6E2FE3C2F574"><enum>(1)</enum><header>In general</header><text>Subject to paragraph (2), a covered entity shall not deny products or services to an individual because the individual exercises a right established under subparagraph (A), (B), or (D) of section 103(a)(1).</text></paragraph> 
<paragraph id="id2AAEB47B882F4BBB8EAA1B1199841A88"><enum>(2)</enum><header>Rules of application</header><text>A covered entity—</text> <subparagraph id="id3965DE4CE57B4118B3528E93F0A246F4"><enum>(A)</enum><text>shall not be in violation of paragraph (1) with respect to a product or service and an individual if the exercise of a right described in such paragraph by the individual precludes the covered entity from providing such product or service to such individual; and</text></subparagraph> 
<subparagraph id="id20FC7DD36D834F8BB0BFCE1B4275BB88"><enum>(B)</enum><text>may offer different types of pricing and functionalities with respect to a product or service based on an individual's exercise of a right described in such paragraph.</text></subparagraph></paragraph></subsection> <subsection id="id7E1E4B2A23DE4B72AAF75C8BB9CF8560"><enum>(b)</enum><header>No waiver of individual controls</header><text>The rights and obligations created under section 103 may not be waived in an agreement between a covered entity and an individual.</text></subsection></section> 
<section id="idc45c9d45e655496e8bccde3df1e5dd98"><enum>102.</enum><header>Transparency</header> 
<subsection id="idd69951a4e9e5476dbdfa9f48d394ff19"><enum>(a)</enum><header>In general</header><text>A covered entity that processes covered data shall, with respect to such data, publish a privacy policy that is—</text> <paragraph id="id660C960A884841DCA274252BD8653A05" commented="no"><enum>(1)</enum><text>disclosed, in a clear and conspicuous manner, to an individual prior to or at the point of the collection of covered data from the individual; and</text></paragraph> 
<paragraph id="id650772EF93204D80A939C7D89689585C"><enum>(2)</enum><text>made available, in a clear and conspicuous manner, to the public.</text></paragraph></subsection> <subsection id="id7B5771D01BF04FDC9AE88E37363790CC"><enum>(b)</enum><header>Content of privacy policy</header><text>The privacy policy required under subsection (a) shall include the following:</text> 
<paragraph id="ide62ef96be36d405caa826a663ba2445c"><enum>(1)</enum><text>The identity and the contact information of the covered entity (including the covered entity's points of contact for privacy and data security inquiries) and the identity of any affiliate to which covered data may be transferred by the covered entity.</text></paragraph> <paragraph id="ided9dd33b39c948b88541a8368b0546c5"><enum>(2)</enum><text>The categories of covered data the covered entity collects.</text></paragraph> 
<paragraph id="idd5a37455a8b3479f9dcb91a9badf9b6a"><enum>(3)</enum><text>The processing purposes for each category of covered data the covered entity collects.</text></paragraph> <paragraph id="idb7de137963c1489f9cfb9503274d27e2"><enum>(4)</enum><text>Whether the covered entity transfers covered data, the categories of recipients to whom the covered entity transfers covered data, and the purposes of the transfers.</text></paragraph> 
<paragraph id="id596e04e976a644749dea30def95ec0ab"><enum>(5)</enum><text>A general description of the covered entity’s data retention practices for covered data and the purposes for such retention.</text></paragraph> <paragraph id="idbbc0e54eb15b4e47bee92532abc7833d"><enum>(6)</enum><text>How individuals can exercise their rights under section 103.</text></paragraph> 
<paragraph id="id5331ff556f064377ab73d6d9b9995c28"><enum>(7)</enum><text>A general description of the covered entity’s data security practices.</text></paragraph> <paragraph id="id14e7c3fcb22c422a89a3e916d5c09fd4"><enum>(8)</enum><text>The effective date of the privacy policy.</text></paragraph></subsection> 
<subsection id="id1e2dfaed858e43de8386fae8fbb6df01"><enum>(c)</enum><header>Languages</header><text>A privacy policy required under subsection (a) shall be made available in all of the languages in which the covered entity provides a product or service that is subject to the policy, or carries out activities related to such product or service.</text></subsection> <subsection id="idd861648ce4a740a5b1cbaaaf0b6a6f7e" commented="no"><enum>(d)</enum><header>Material changes</header><text>If a covered entity makes a material change to its privacy policy, it shall notify the individuals affected before further processing or transferring of previously collected covered data and provide an opportunity to withdraw consent to further processing or transferring of the covered data under the changed policy. The covered entity shall provide direct notification, where possible, regarding a material change to the privacy policy to affected individuals, taking into account available technology and the nature of the relationship. </text></subsection> 
<subsection commented="no" id="id1628D9086E954B6B951D1969E5F02D4F"><enum>(e)</enum><header>Application to indirect transfers</header><text>Where the ownership of an individual’s device is transferred directly from one individual to another individual, a covered entity may satisfy its obligation to disclose a privacy policy prior to or at the point of collection of covered data by making the privacy policy available under subsection (a)(2).</text></subsection></section> <section id="id8d36255b94534d33b5cb3fd8c9d1cd6e"><enum>103.</enum><header>Individual control</header> <subsection id="id64db507da3314aa58376e95ff9c68f05"><enum>(a)</enum><header>Access to, and correction, deletion, and portability of, covered data</header> <paragraph id="idcd30785642d24399806ef3195e6e6c33"><enum>(1)</enum><header>In general</header><text>Subject to paragraphs (2) and (3), a covered entity shall provide an individual, immediately or as quickly as possible and in no case later than 90 days after receiving a verified request from the individual, with the right to reasonably—</text> 
<subparagraph id="id616439f7c6f74be4be1ad5625dc9a1a2"><enum>(A)</enum><text>access—</text> <clause id="id94f889a750424e3db470f8da21f4357e"><enum>(i)</enum><text>the covered data of the individual, or an accurate representation of the covered data of the individual, that is or has been processed by the covered entity or any service provider of the covered entity;</text></clause> 
<clause id="id5dc9563010be46de863e160d77125b5a"><enum>(ii)</enum><text>if applicable, a list of categories of third parties and service providers to whom the covered entity has transferred the covered data of the individual; and</text></clause> <clause id="iddb5c39208e9e4fb88016788b2ec20314"><enum>(iii)</enum><text>if a covered entity transfers covered data, a description of the purpose for which the covered entity transferred the covered data of the individual to a service provider or third party;</text></clause></subparagraph> 
<subparagraph id="ide334e75aafc8437980d3ade3676b8629"><enum>(B)</enum><text>request that the covered entity— </text> <clause id="id56F3AB1AAF0C4D3A812EA5AF17371CF9"><enum>(i)</enum><text>correct material inaccuracies or materially incomplete information with respect to the covered data of the individual that is maintained by the covered entity; and </text></clause> 
<clause id="id389A62CC6EF543249FBB8CCD08C71FF2"><enum>(ii)</enum><text>notify any service provider or third party to which the covered entity transferred such covered data of the corrected information;</text></clause></subparagraph> <subparagraph id="ida31dffc147a248ab8ed3167a5b041c65"><enum>(C)</enum><text>request that the covered entity— </text> 
<clause id="id4996E077595149AB8893E2AD2414EF5D"><enum>(i)</enum><text>either delete or de-identify covered data of the individual that is or has been maintained by the covered entity; and </text></clause> <clause id="id1D694856ECCC4D4F90AB8956CF0D5BF1"><enum>(ii)</enum><text>notify any service provider or third party to which the covered entity transferred such covered data of the individual’s request, unless the transfer of such data to the third party was made at the direction of the individual; and</text></clause></subparagraph> 
<subparagraph id="id382731afb0134d6e8e93cea400b87a07"><enum>(D)</enum><text>to the extent that is technically feasible, provide covered data of the individual that is or has been generated and submitted to the covered entity by the individual and maintained by the covered entity in a portable, structured, and machine-readable format that is not subject to licensing restrictions.</text></subparagraph></paragraph> <paragraph id="id95a118cc24be45ad86b10f17a4d40dfa"><enum>(2)</enum><header>Frequency and cost of access</header><text>A covered entity shall—</text> 
<subparagraph id="id0537F51133724200B5134214AD34FFE0"><enum>(A)</enum><text>provide an individual with the opportunity to exercise the rights described in paragraph (1) not less than twice in any 12-month period; and</text></subparagraph> <subparagraph id="id882D11D549D9401984081940F2C13BFD"><enum>(B)</enum><text>with respect to the first 2 times that an individual exercises the rights described in paragraph (1) in any 12-month period, allow the individual to exercise such rights free of charge.</text></subparagraph></paragraph> 
<paragraph id="id193cd40024094138aec1d3077c5d1fa3"><enum>(3)</enum><header>Exceptions</header><text>A covered entity— </text> <subparagraph id="id00400511E8D3493DA69BCD3247A560AF" commented="no"><enum>(A)</enum><text>shall not comply with a request to exercise the rights described in paragraph (1) if the covered entity cannot verify that the individual making the request is the individual to whom the covered data that is the subject of the request relates; </text></subparagraph> 
<subparagraph id="idE03000532FA642CF868D8CE011538D93"><enum>(B)</enum><text>may decline to comply with a request that would—</text> <clause id="id13f213945c8244e8979d5e39da9e4f2d"><enum>(i)</enum><text>require the covered entity to retain any covered data for the sole purpose of fulfilling the request; </text></clause> 
<clause id="idf4f06b571a264eb69dafef58bb608a8c"><enum>(ii)</enum><text>be impossible or demonstrably impracticable to comply with; or </text></clause> <clause id="idD7C3E8CA198D4924B29FD805B9FC03FD"><enum>(iii)</enum><text>require the covered entity to combine, relink, or otherwise re-identify covered data that has been de-identified;</text></clause> 
<clause id="id91423ce686f04505ba63c47eb7f5a70a"><enum>(iv)</enum><text>result in the release of trade secrets, or other proprietary or confidential data or business practices;</text></clause> <clause id="id3098b1be763347bfbd958bc4d178bdc2"><enum>(v)</enum><text>interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity, or enforce contracts;</text></clause> 
<clause id="idf3449642e1c34ab8a80aa63f71647d78"><enum>(vi)</enum><text>require disproportionate effort, taking into consideration available technology, or would not be reasonably feasible on technical grounds;</text></clause> <clause id="id7bd14e15311048d3b75b622ce042ee9c"><enum>(vii)</enum><text>compromise the privacy, security, or other rights of the covered data of another individual;</text></clause> 
<clause id="id2f8893c89c0545119741d695d9a47f5a"><enum>(viii)</enum><text>be excessive or abusive to another individual; or</text></clause> <clause id="id1ab403e727b64c63893bfd88e69ff490"><enum>(ix)</enum><text>violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United States; and</text></clause></subparagraph> 
<subparagraph id="id8B78A527324E45D1B3572A917C7444AF"><enum>(C)</enum><text>may delete covered data instead of providing access and correction rights under subparagraphs (A) and (B) of paragraph (1) if such covered data— </text> <clause id="idBEDAC563C69C48BC819B0C30DE49B4AF"><enum>(i)</enum><text>is not sensitive covered data; and </text></clause> 
<clause id="id5C49B2E8B4E74C5E94A79AB31B6C1C85"><enum>(ii)</enum><text>is used only for the purposes of contacting individuals with respect to marketing communications. </text></clause></subparagraph></paragraph></subsection> <subsection id="id4350a1da1a944c3f8b97298e62ccf03e"><enum>(b)</enum><header>Regulations</header><text display-inline="yes-display-inline">Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, establishing requirements for covered entities with respect to the verification of requests to exercise rights described in subsection (a)(1).</text></subsection></section> 
<section id="id8f91ded1932c450eacef4070db8d83ac"><enum>104.</enum><header>Rights to consent</header> 
<subsection id="id2b41d119138b4c889b74a4668524921e"><enum>(a)</enum><header>Consent</header><text>Except as provided in section 108, a covered entity shall not, without the prior, affirmative express consent of an individual—</text> <paragraph id="id28c12fc302e64d2598bb755d05d1d87b"><enum>(1)</enum><text>transfer sensitive covered data of the individual to a third party; or</text></paragraph> 
<paragraph id="id9de24ea0b092463bb9de6e9ba1a0bb6e"><enum>(2)</enum><text>process sensitive covered data of the individual.</text></paragraph></subsection> <subsection id="ideddcd6d77a9246f1a1cd9da29786d982" commented="no"><enum>(b)</enum><header>Requirements for affirmative express consent</header><text>In obtaining the affirmative express consent of an individual to process the sensitive covered data of the individual as required under subsection (a)(2), a covered entity shall provide the individual with notice that shall—</text> 
<paragraph commented="no" id="id3447C730D4844DFDBA9716E90C7A8F0F"><enum>(1)</enum><text>include a clear description of the processing purpose for which the sensitive covered data will be processed;</text></paragraph> <paragraph commented="no" id="id2937D62D08D8403588A306474AC6EE7C"><enum>(2)</enum><text>clearly identify any processing purpose that is necessary to fulfill a request made by the individual;</text></paragraph> 
<paragraph id="id12a7e370227c437497bc2a141132c39b" commented="no"><enum>(3)</enum><text>include a prominent heading that would enable a reasonable individual to easily identify the processing purpose for which consent is sought; and</text></paragraph> <paragraph id="idb43243bee33e4871bddb3882ce67c9cb" commented="no"><enum>(4)</enum><text>clearly explain the individual’s right to provide or withhold consent.</text></paragraph></subsection> 
<subsection id="idf49099d5f8bc489188a2a9837fe4c03d" commented="no"><enum>(c)</enum><header>Requirements related to minors</header><text display-inline="yes-display-inline">A covered entity shall not transfer the covered data of an individual to a third party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity has actual knowledge that the individual is between 13 and 16 years of age. </text></subsection> <subsection id="idc9462f99753549d689973bbfecc9eb8b"><enum>(d)</enum><header>Right To opt out</header><text>Except as provided in section 108, a covered entity shall provide an individual with the ability to opt out of the collection, processing, or transfer of such individual’s covered data before such collection, processing, or transfer occurs.</text></subsection> 
<subsection id="id4fdff3569223467ca77aa85cc61215b6" commented="no"><enum>(e)</enum><header>Prohibition on inferred consent</header><text>A covered entity shall not infer that an individual has provided affirmative express consent to a processing purpose from the inaction of the individual or the individual's continued use of a service or product provided by the covered entity.</text></subsection> <subsection id="ide839bdf086a94facb0df71fe67384a3a"><enum>(f)</enum><header>Withdrawal of consent</header><text display-inline="yes-display-inline">A covered entity shall provide an individual with a clear and conspicuous means to withdraw affirmative express consent.</text></subsection> 
<subsection id="ida6edf258c55448069e8e3ee010c61f07"><enum>(g)</enum><header>Rulemaking</header><text display-inline="yes-display-inline">The Commission may promulgate regulations under section 553 of title 5, United States Code, to establish requirements for covered entities regarding clear and conspicuous procedures for allowing individuals to provide or withdraw affirmative express consent for the collection of sensitive covered data. </text></subsection></section> <section id="idbc9a9f0301ca4522852a982abc585ce0"><enum>105.</enum><header>Minimizing data collection, processing, and retention</header> <subsection id="idcfad51354ba84e88a2846ffc0b9932b5"><enum>(a)</enum><header>In general</header><text>A covered entity shall not collect, process, or transfer covered data beyond—</text> 
<paragraph id="idd9b7f03894e04b1993feeb9601e05b50"><enum>(1)</enum><text>what is reasonably necessary, proportionate, and limited to provide or improve a product, service, or a communication about a product or service, including what is reasonably necessary, proportionate, and limited to provide a product or service specifically requested by an individual or reasonably anticipated within the context of the covered entity’s ongoing relationship with an individual; </text></paragraph> <paragraph id="id7b4c7a79abc7430694ce63f61bb927f5"><enum>(2)</enum><text>what is reasonably necessary, proportionate, or limited to otherwise process or transfer covered data in a manner that is described in the privacy policy that the covered entity is required to publish under section 102(a); or</text></paragraph> 
<paragraph id="id6D24CDE6157E4ED080D0C1D48673B709"><enum>(3)</enum><text>what is expressly permitted by this Act or any other applicable Federal law.</text></paragraph></subsection> <subsection id="id396387587a474c2bac75e8a552369a5a"><enum>(b)</enum><header>Best practices</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidelines recommending best practices for covered entities to minimize the collection, processing, and transfer of covered data in accordance with this section.</text></subsection> 
<subsection id="id5d85e9f524954032b23d20476327258c"><enum>(c)</enum><header>Rule of construction</header><text>Notwithstanding section 405 of this Act, nothing in this section supersedes any other provision of this Act or other applicable Federal law.</text></subsection></section> <section id="id22bcb5ce73734d63a5c62d23e522a120"><enum>106.</enum><header>Service providers and third parties</header> <subsection id="id2c3ee51afe1b488f869b405c8f93b2be"><enum>(a)</enum><header>Service providers</header><text>A service provider—</text> 
<paragraph id="id9e03dcb498ed4b7a83b46d655f9c21e5"><enum>(1)</enum><text>shall not process service provider data for any processing purpose that is not performed on behalf of, and at the direction of, the covered entity that transferred the data to the service provider; </text></paragraph> <paragraph id="id7f8aea896fd64ebfacacd906b9473a17"><enum>(2)</enum><text>shall not transfer service provider data to a third party for any purpose other than a purpose performed on behalf of, or at the direction of, the covered entity that transferred the data to the service provider without the affirmative express consent of the individual to whom the service provider data relates;</text></paragraph> 
<paragraph id="id2be4ecd5c7bd43c5a867838c672655b3"><enum>(3)</enum><text>at the direction of the covered entity that transferred service provider data to the service provider, shall delete or de-identify such data— </text> <subparagraph id="idC70A6F0D0AE845DCACCE09FBC3C97ECA" commented="no"><enum>(A)</enum><text>as soon as practicable after the service provider has completed providing the service or function for which the data was transferred to the service provider; or</text></subparagraph> 
<subparagraph id="idC6E04C7BBE8C4A78B3BED6FBC8830F76" commented="no"><enum>(B)</enum><text>as soon as practicable after the end of the period during which the service provider is to provide services with respect to such data, as agreed to by the service provider and the covered entity that transferred the data;</text></subparagraph></paragraph> <paragraph id="idc267c48bfa1b494b8c814a5425d05a5a"><enum>(4)</enum><text>is exempt from the requirements of section 103 with respect to service provider data, but shall, to the extent practicable—</text> 
<subparagraph id="id4902B12B40124C75A098E7A8CE46AB7E"><enum>(A)</enum><text>assist the covered entity from which it received the service provider data in fulfilling requests to exercise rights under section 103(a); and</text></subparagraph> <subparagraph id="id9A47921D8DAC4E8BA7EB7A1364C6CEB8"><enum>(B)</enum><text>upon receiving notice from a covered entity of a verified request made under section 103(a)(1) to delete, de-identify, or correct service provider data held by the service provider, delete, de-identify, or correct such data; and</text></subparagraph></paragraph> 
<paragraph id="id334a8139a09643af86b565dd6c86b879"><enum>(5)</enum><text>is exempt from the requirements of sections 104 and 105.</text></paragraph></subsection> <subsection id="idabdc604f00494fd196dd0246b7b735c9"><enum>(b)</enum><header>Third parties</header><text>A third party—</text> 
<paragraph id="idbe09dacfeb71489d93249771f543f5cf"><enum>(1)</enum><text>shall not process third party data for a processing purpose inconsistent with the reasonable expectation of the individual to whom such data relates;</text></paragraph> <paragraph id="idC1F2BF8B2CA14EF5A85431C330CD7390"><enum>(2)</enum><text>for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred third party data regarding the reasonable expectations of individuals to whom such data relates, provided that the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible; and</text></paragraph> 
<paragraph id="id09ddf55547cf4396a9e85d16c8fd6c64"><enum>(3)</enum><text>is exempt from the requirements of sections 104 and 105. </text></paragraph></subsection> <subsection id="id1e157a77ceab4007b12e9b3e47e1397c"><enum>(c)</enum><header>Bankruptcy</header><text>In the event that a covered entity enters into a bankruptcy proceeding which would lead to the disclosure of covered data to a third party, the covered entity shall in a reasonable time prior to the disclosure—</text> 
<paragraph id="ide0e06e14b7dc4de69b959233585bedd2"><enum>(1)</enum><text>provide notice of the proposed disclosure of covered data, including the name of the third party and their policies and practices with respect to the covered data, to all affected individuals; and</text></paragraph> <paragraph id="id630fe6822b9d4762a4418d7fcfa7d8be"><enum>(2)</enum><text>provide each affected individual with the opportunity to withdraw any previous affirmative express consent related to the covered data of the individual or request the deletion or de-identification of the covered data of the individual.</text></paragraph></subsection> 
<subsection id="idd39c0bd9d3db46e9ac047b3ad26890d1"><enum>(d)</enum><header>Additional obligations on covered entities</header> 
<paragraph id="idB9D6265E06FD47448051BD5704755E76"><enum>(1)</enum><header>In general</header><text>A covered entity shall exercise reasonable due diligence to ensure compliance with this section before— </text> <subparagraph id="id001D1D3947574FE6AC422BFBD29F7680"><enum>(A)</enum><text>selecting a service provider; or</text></subparagraph> 
<subparagraph id="id184f225f19364074b6eb660acca76d3c"><enum>(B)</enum><text>deciding to transfer covered data to a third party. </text></subparagraph></paragraph> <paragraph id="id4597892E43A441E0A415EA7216CF2B4D"><enum>(2)</enum><header>Guidance</header><text>Not later than 2 years after the effective date of this Act, the Commission shall publish guidance regarding compliance with this subsection. Such guidance shall, to the extent practicable, minimize unreasonable burdens on small- and medium-sized covered entities.</text></paragraph></subsection></section> 
<section id="ID18a3f80471a241c3813518db5af93fc2"><enum>107.</enum><header>Privacy impact assessments</header> 
<subsection id="IDc5c50502a02642379b5eeaecfe38f52d"><enum>(a)</enum><header>Privacy impact assessments of new or material changes to processing of covered data</header> 
<paragraph id="id0183A229D5124E09B900F14E7065628F"><enum>(1)</enum><header>In general</header><text>Not later than 1 year after the date of enactment of this Act (or, if later, not later than 1 year after a covered entity first meets the definition of a large data holder (as defined in section 2)), each covered entity that is a large data holder shall conduct a privacy impact assessment of each of their processing activities involving covered data that present a heightened risk of harm to individuals, and each such assessment shall weigh the benefits of the covered entity's covered data collection, processing, and transfer practices against the potential adverse consequences to individual privacy of such practices. </text></paragraph> <paragraph id="ID07f235eab214458a968cc8f0fe5d51f9"><enum>(2)</enum><header>Assessment requirements</header><text>A privacy impact assessment required under paragraph (1)—</text> 
<subparagraph id="id42490D42A9E648B4A2EA87ECC386B99F"><enum>(A)</enum><text>shall be reasonable and appropriate in scope given— </text> <clause id="id448A8B499557497A94FF316517E9F94B"><enum>(i)</enum><text>the nature of the covered data collected, processed, or transferred by the covered entity;</text></clause> 
<clause id="idCFC263FADE1449EBA5C1AC9DD32B1E10"><enum>(ii)</enum><text>the volume of the covered data collected, processed, or transferred by the covered entity; </text></clause> <clause id="id2FD0AE53233C40DC845B02E0BA8B116C"><enum>(iii)</enum><text>the size of the covered entity; and</text></clause> 
<clause id="idD901F6866CDE48DBAA810A578BEE95A7"><enum>(iv)</enum><text>the potential risks posed to the privacy of individuals by the collection, processing, or transfer of covered data by the covered entity;</text></clause></subparagraph> <subparagraph id="id82443A62D78A4169A58FD35AD21975C4"><enum>(B)</enum><text>shall be documented in written form and maintained by the covered entity unless rendered out of date by a subsequent assessment conducted under subsection (b); and</text></subparagraph> 
<subparagraph display-inline="no-display-inline" commented="no" id="idD44CB21DCF9B46B4A51490043A1C545F"><enum>(C)</enum><text>shall be approved by the data privacy officer of the covered entity.</text></subparagraph></paragraph></subsection> <subsection id="IDbc65a5f3630c40a182e3129925b77af0"><enum>(b)</enum><header>Ongoing privacy impact assessments</header> <paragraph id="idB3406F76A0AD45668F9CFB14C94E27F2"><enum>(1)</enum><header>In general</header><text>A covered entity that is a large data holder shall, not less frequently than once every 2 years after the covered entity conducted the privacy impact assessment required under subsection (a), conduct a privacy impact assessment of the collection, processing, and transfer of covered data by the covered entity to assess the extent to which—</text> 
<subparagraph id="IDc8c20cce79d4491ba7600a1296fe46c1"><enum>(A)</enum><text>the ongoing practices of the covered entity are consistent with the covered entity's published privacy policies and other representations that the covered entity makes to individuals;</text></subparagraph> <subparagraph id="IDda1ff7acd33e43e2a0e00e0328d345d4"><enum>(B)</enum><text>any customizable privacy settings included in a service or product offered by the covered entity are adequately accessible to individuals who use the service or product and are effective in meeting the privacy preferences of such individuals;</text></subparagraph> 
<subparagraph id="IDfea86a1cafa74a9ba219c3e5e94f2628"><enum>(C)</enum><text>the practices and privacy settings described in subparagraphs (A) and (B), respectively— </text> <clause id="idA41FB7F8E9FE4337805580F56F9B4FC7"><enum>(i)</enum><text>meet the expectations of a reasonable individual; and</text></clause> 
<clause id="IDcea2cdcb8a7148e0a0f4dc8cbde5576b"><enum>(ii)</enum><text>provide an individual with adequate control over the individual's covered data;</text></clause></subparagraph> <subparagraph id="IDa182778bb2374cf0903ec072d6fb7d29"><enum>(D)</enum><text>the covered entity could enhance the privacy and security of covered data through technical or operational safeguards such as encryption, de-identification, and other privacy-enhancing technologies; and</text></subparagraph> 
<subparagraph id="ID7245df3dc60c4c2f8eae17f4e8969de1"><enum>(E)</enum><text>the processing of covered data is compatible with the stated purposes for which it was collected.</text></subparagraph></paragraph> <paragraph id="idEED8AB401A4E4CDF87BC2517A2B11F20"><enum>(2)</enum><header>Approval by data privacy officer</header><text>The data privacy officer of a covered entity shall approve the findings of an assessment conducted by the covered entity under this subsection.</text></paragraph></subsection></section> 
<section id="ID804775b688bf47a7ad5d9b045b4d1704"><enum>108.</enum><header>Scope of coverage</header> 
<subsection id="ID3de02efa4be54d449fa321e496d5edd2"><enum>(a)</enum><header>General exceptions</header><text>Notwithstanding any provision of this title other than subsections (a) through (c) of section 102, a covered entity may collect, process or transfer covered data for any of the following purposes, provided that the collection, processing, or transfer is reasonably necessary, proportionate, and limited to such purpose:</text> <paragraph id="id71128e6933d3400c9d77f676c28b65ed"><enum>(1)</enum><text>To initiate or complete a transaction or to fulfill an order or provide a service specifically requested by an individual, including associated routine administrative activities such as billing, shipping, financial reporting, and accounting.</text></paragraph> 
<paragraph id="id7b8926edf453453abbd082eb089ad8f4"><enum>(2)</enum><text>To perform internal system maintenance, diagnostics, product or service management, inventory management, and network management.</text></paragraph> <paragraph id="id6a472499ba744ea3b2d2a510647ac0c5"><enum>(3)</enum><text>To prevent, detect, or respond to a security incident or trespassing, provide a secure environment, or maintain the safety and security of a product, service, or individual.</text></paragraph> 
<paragraph id="idb5122c12531042699761e6adc79a6846"><enum>(4)</enum><text>To protect against malicious, deceptive, fraudulent, or illegal activity.</text></paragraph> <paragraph id="id58ad7cd554984bc2a25bb081c159d440"><enum>(5)</enum><text>To comply with a legal obligation or the establishment, exercise, analysis, or defense of legal claims or rights, or as required or specifically authorized by law.</text></paragraph> 
<paragraph id="id2e7ae7553b0b4c618208066f91633047"><enum>(6)</enum><text>To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by an Executive agency.</text></paragraph> <paragraph id="id8f7de51ef23c4b08acef1ae7fc29b923"><enum>(7)</enum><text>To cooperate with an Executive agency or a law enforcement official acting under the authority of an Executive or State agency concerning conduct or activity that the Executive agency or law enforcement official reasonably and in good faith believes may violate Federal, State, or local law, or pose a threat to public safety or national security.</text></paragraph> 
<paragraph id="id3cb7f134cda944cc9ddf448cebe245f9"><enum>(8)</enum><text>To address risks to the safety of an individual or group of individuals, or to ensure customer safety, including by authenticating individuals in order to provide access to large venues open to the public.</text></paragraph> <paragraph id="id5dcb1ab9ae724256aaf16d39a3e8eae9"><enum>(9)</enum><text>To effectuate a product recall pursuant to Federal or State law.</text></paragraph> 
<paragraph id="id0b6d6a7eb69e4135817c1fd7afd43f70"><enum>(10)</enum><text>To conduct public or peer-reviewed scientific, historical, or statistical research that—</text> <subparagraph id="id985b8a8a3da14b01b95837485df3bc74"><enum>(A)</enum><text>is in the public interest;</text></subparagraph> 
<subparagraph id="id1207ec29a4674db2868e19f6e4a53f4d"><enum>(B)</enum><text>adheres to all applicable ethics and privacy laws; and</text></subparagraph> <subparagraph id="id98464c5f674a4c6397717feea3e7b5d1"><enum>(C)</enum><text>is approved, monitored, and governed by an institutional review board or other oversight entity that meets standards promulgated by the Commission pursuant to section 553 of title 5, United States Code.</text></subparagraph></paragraph> 
<paragraph id="ida8e2287febda42c4be118d2f2ec16a0d"><enum>(11)</enum><text>To transfer covered data to a service provider. </text></paragraph> <paragraph id="id511B285A7E4D4648AB385A2F9723B279"><enum>(12)</enum><text>For a purpose identified by the Commission pursuant to a regulation promulgated under subsection (b).</text></paragraph></subsection> 
<subsection id="idc830aeeff9ea4bc99fe8b825074703ba"><enum>(b)</enum><header>Additional purposes</header><text>The Commission may promulgate regulations under section 553 of title 5, United States Code, identifying additional purposes for which a covered entity may collect, process or transfer covered data. </text></subsection> <subsection id="id7B2903798EBB420785200C02FD5C4124"><enum>(c)</enum><header>Small business exception</header><text>Sections 103, 105, and 301 shall not apply in the case of a covered entity that can establish that, for the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years)—</text> 
<paragraph id="idBC0047563541404E99A65A3F2CC7AD65"><enum>(1)</enum><text>the covered entity's average annual gross revenues did not exceed $50,000,000;</text></paragraph> <paragraph id="id2941B52703B448EE88D219F8214D0E94"><enum>(2)</enum><text>on average, the covered entity annually processed the covered data of less than 1,000,000 individuals; </text></paragraph> 
<paragraph id="id4e0a766f5cd14602b8117c0272f6a229" commented="no" display-inline="no-display-inline"><enum>(3)</enum><text>the covered entity never employed more than 500 individuals at any one time; and</text></paragraph> <paragraph commented="no" display-inline="no-display-inline" id="id74689DAB428845DCA4010B9E981F56B6"><enum>(4)</enum><text>the covered entity derived less than 50 percent of its revenues from transferring covered data. </text></paragraph></subsection></section></title> 
<title id="idC27E6D485E5D4A5E9C39A0D79CB08411" style="OLC"><enum>II</enum><header>Data transparency, integrity, and security</header> 
<section id="id13c2cbd52cab49d3abf318965777b77f"><enum>201.</enum><header>Algorithm bias, detection, and mitigation</header> 
<subsection id="id8a1302289df8456b9236e151a5129c52"><enum>(a)</enum><header>FTC enforcement assistance</header> 
<paragraph id="id247785312cc6410c9c36d94c2c9dabe1"><enum>(1)</enum><header>In general</header><text>Whenever the Commission obtains information that a covered entity may have processed or transferred covered data in violation of Federal anti-discrimination laws, the Commission shall transmit such information (excluding any such information that is a trade secret as defined by section 1839 of title 18, United States Code) to the appropriate Executive agency or State agency with authority to initiate proceedings relating to such violation. </text></paragraph> <paragraph id="idc97e120db78d400f88b21cd75b09f68e"><enum>(2)</enum><header>Annual report</header><text>Beginning in 2021, the Commission shall submit an annual report to Congress that includes—</text> 
<subparagraph id="idEDE81EF7C7EB43FBBE287A0034710F86"><enum>(A)</enum><text>a summary of the types of information the Commission transmitted to Executive agencies or State agencies during the preceding year pursuant to this subsection; and </text></subparagraph> <subparagraph id="id19021F264F1E4903A8178D4DAADCAE19"><enum>(B)</enum><text>a summary of how such information relates to Federal anti-discrimination laws. </text></subparagraph></paragraph> 
<paragraph id="idba80eef138c84f90b48aebb7a4e5abe2"><enum>(3)</enum><header>Cooperation with other agencies</header><text>The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Executive agencies.</text></paragraph> <paragraph id="id532d3e7d47504bd3a0e0cfa2a6571354" commented="no"><enum>(4)</enum><header>Relationship to other laws</header><text>Notwithstanding section 405, nothing in this subsection shall supersede any other provision of law. </text></paragraph></subsection> 
<subsection id="id26dbe3735f034ca3963081f3ab557446"><enum>(b)</enum><header>Algorithm transparency reports</header> 
<paragraph id="id52A302CF639D4C948F52AB0520FF8019"><enum>(1)</enum><header>Study and report</header> 
<subparagraph id="id12CD440A8F4A44E9935C887F50BF4F97"><enum>(A)</enum><header>Study</header><text>The Commission shall conduct a study, using the Commission's authority under section 6(b) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/46">15 U.S.C. 46(b)</external-xref>), examining the use of algorithms to process covered data in a manner that may violate Federal anti-discrimination laws. </text></subparagraph> <subparagraph id="id2884003B34B34D04AFE58F3B0868DE38"><enum>(B)</enum><header>Report</header><text>Not later than 3 years after the date of enactment of this Act, the Commission shall publish a report containing the results of the study required under subparagraph (A).</text></subparagraph> 
<subparagraph id="id6cdb1e0be3b84c818a9ff353454c266f"><enum>(C)</enum><header>Guidance</header><text>The Commission shall use the results of the study described in paragraph (A) to develop guidance to assist covered entities in avoiding the discriminatory use of algorithms. </text></subparagraph></paragraph> <paragraph id="idC71CDA23AD164BF8AB84B27BC1C7789F"><enum>(2)</enum><header>Updated report</header><text>Not later than 5 years after the publication of the report required under paragraph (1), the Commission shall publish an updated report.</text></paragraph></subsection></section> 
<section id="id8df84a8b96184d80b09cc9752213ce81"><enum>202.</enum><header>Digital content forgeries</header> 
<subsection id="ida9efbe75b32e43eea0a4304b031a149f"><enum>(a)</enum><header>Definition</header><text>Not later than 6 months after the date of enactment of this Act, the National Institute of Standards and Technology shall develop and publish a definition of <term>digital content forgery</term> and accompanying explanatory materials.</text></subsection> <subsection id="id37cf5e51a61f4dcc88f22ad86ee70073"><enum>(b)</enum><header>Elements of definition</header><text>In developing a definition of <term>digital content forgery</term> under subsection (a), the National Institute of Standards and Technology shall consider the following factors:</text> 
<paragraph id="ide3ea1cf7e2c84c1faf85bd2bce583ce4"><enum>(1)</enum><text>Whether the content is created with the intent to deceive an individual into believing the content was genuine.</text></paragraph> <paragraph id="id14db71652e94463ba611163ddf70bc92"><enum>(2)</enum><text>Whether the content is genuine or manipulated.</text></paragraph> 
<paragraph id="id957bcfa12c11499bbbeb24c172d377b9"><enum>(3)</enum><text>The impression the content makes on a reasonable individual that observes the content.</text></paragraph> <paragraph id="idda1a1f53ee1c4530b8aa1fd25245569a"><enum>(4)</enum><text>Whether the production of the content was substantially dependent upon technical means, rather than the ability of another individual to physically or verbally impersonate such individual.</text></paragraph> 
<paragraph id="id5cf9212ad8874feb92a27b5182d9fc0e"><enum>(5)</enum><text>The scope of technologies that may be utilized during the creation or publication of digital content forgeries, including—</text> <subparagraph id="id632D72325B894A4783F3016C48082A5F"><enum>(A)</enum><text>video recording or film;</text></subparagraph> 
<subparagraph id="id3D4C62CE3CA141ECAFEE4FD32F5AF35C"><enum>(B)</enum><text>sound recording;</text></subparagraph> <subparagraph id="idE476CAA7108D47548C351CCD0150C1BA"><enum>(C)</enum><text>electronic image or photograph; or</text></subparagraph> 
<subparagraph id="id08239B1594A649CDB8952379EDD23BB4" commented="no" display-inline="no-display-inline"><enum>(D)</enum><text>any digital representation of speech or conduct.</text></subparagraph></paragraph></subsection> <subsection id="id9a0fc137bf1a45f9a61d579d67d9a409" commented="no"><enum>(c)</enum><header>Scope of definition</header><text>The definition published by the National Institute of Standards and Technology under subsection (a) shall not supersede any other provision of law or be construed to limit the authority of any Executive agency related to digital content forgeries.</text></subsection> 
<subsection id="ideaf0bcc861f14968aa9a618cf97166fd"><enum>(d)</enum><header>Commission reports</header> 
<paragraph id="id389229C67B044BF8A228F118F8335FFC"><enum>(1)</enum><header>Initial report</header><text>Not later than 1 year after the National Institute of Standards and Technology publishes the definition and materials required under subsection (a), the Commission shall publish a report regarding the impact of digital content forgeries on individuals and competition. </text></paragraph> <paragraph id="idD72E8D6E56D14CB99C75109230940046"><enum>(2)</enum><header>Subsequent reports</header><text>Not later than 2 years after the publication of the report required under paragraph (1), and as often as the Commission shall deem necessary thereafter, the Commission shall publish an updated version of such report.</text></paragraph> 
<paragraph id="id73A231772CBA44F5979BE64386D8BD85"><enum>(3)</enum><header>Content of reports</header><text>Each report required under this subsection shall include—</text> <subparagraph id="id36735777DBBB4406A457EF3A86FD0D52"><enum>(A)</enum><text>a description of the types of digital content forgeries, including those used to commit fraud, cause adverse consequences, violate any provision of law enforced by the Commission, or violate civil rights recognized under Federal law;</text></subparagraph> 
<subparagraph id="id6bc889b574104dfa858d54c20bd93f15"><enum>(B)</enum><text>a description of the common sources in the United States of digital content forgeries and commercial sources of digital content forgery technologies;</text></subparagraph> <subparagraph id="ide13632ba31a2440e943b6493fdf6519d"><enum>(C)</enum><text>an assessment of the uses, applications, and adverse consequences of digital content forgeries, including the impact of digital content forgeries on individuals, digital identity, and competition;</text></subparagraph> 
<subparagraph id="iddb05f3aa79f1465bb27a4b2941ba593d"><enum>(D)</enum><text>an analysis of the methods available to individuals to identify digital content forgeries as well as a description of commercial technological countermeasures that are, or could be, used to address concerns with digital content forgeries, which may include countermeasures that warn individuals of suspect content;</text></subparagraph> <subparagraph id="id8f280c6def4a4193a2eca01ed31c27d3"><enum>(E)</enum><text>a description of any remedies available to protect an individual’s identity and reputation from adverse consequences caused by digital content forgeries, such as protections or remedies available under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.) or any other law; and</text></subparagraph> 
<subparagraph id="id7e9ae9a1263b4fa1b77da662ea1ba6ae"><enum>(F)</enum><text>any additional information the Commission determines appropriate.</text></subparagraph></paragraph></subsection> <subsection id="id4e98e8774cbe4a0a86a93f847949ea92"><enum>(e)</enum><header>Establishment of digital content forgery prize competition</header><text>Not later than 1 year after the date of enactment of this Act, the Director of the National Institute of Standards and Technology, in coordination with the Commission, shall establish under section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (<external-xref legal-doc="usc" parsable-cite="usc/15/3719">15 U.S.C. 3719</external-xref>) a prize competition to spur the development of technical solutions to assist individuals and the public in identifying digital content forgeries and related technologies.</text></subsection></section> 
<section id="id134576dc057b41d9adc4a94f87401241"><enum>203.</enum><header>Data brokers</header> 
<subsection id="id42f49ddde0d1493ba344e0a904d6fc04"><enum>(a)</enum><header>In general</header><text>Not later than January 31 of each calendar year that follows a calendar year during which a covered entity acted as a data broker, such covered entity shall register with the Commission pursuant to the requirements of this section.</text></subsection> <subsection id="id06CDA7D3997A4B34837153600F277FD5"><enum>(b)</enum><header>Registration requirements</header><text>In registering with the Commission as required under subsection (a), a data broker shall do the following:</text> 
<paragraph id="id4de2515f98d5421e8c97f63cf62a4cc8"><enum>(1)</enum><text>Pay to the Commission a registration fee of $100.</text></paragraph> <paragraph id="idea21bac1f7c24b26b61eddbf6b6e428b"><enum>(2)</enum><text>Provide the Commission with the following information: </text> 
<subparagraph id="ida9849c2946ae4568ac822622b12c0016"><enum>(A)</enum><text>The name and primary physical, email, and internet addresses of the data broker.</text></subparagraph> <subparagraph id="id4b358b1e300c49b3b5cc28f03bd9c7a9"><enum>(B)</enum><text>Any additional information or explanation the data broker chooses to provide concerning its data collection and processing practices.</text></subparagraph></paragraph></subsection> 
<subsection id="id2d25dbd2a7dd45299458ab023d0dd268"><enum>(c)</enum><header>Penalties</header><text>A data broker that fails to register as required under subsection (a) shall be liable for—</text> <paragraph id="idb8ea9d97d4d04eb6817fe38158345862"><enum>(1)</enum><text>a civil penalty of $50 for each day it fails to register, not to exceed a total of $10,000 for each year; and</text></paragraph> 
<paragraph id="id4a611d4d9ceb402aa930c7654fa3f1bc"><enum>(2)</enum><text>an amount equal to the fees due under this section for each year that it failed to register as required under subsection (a).</text></paragraph></subsection> <subsection id="id3cc45fb23b7e4350afe4cae59080999f"><enum>(d)</enum><header>Publication of registration information</header><text>The Commission shall publish on the internet website of the Commission the registration information provided by data brokers under this section.</text></subsection></section> 
<section id="id664b65bd9e5341f1972b0c095e405b29"><enum>204.</enum><header>Protection of covered data</header> 
<subsection id="ida9348cb7de25462b97646669a536a436"><enum>(a)</enum><header>In general</header><text>A covered entity shall establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of covered data. </text></subsection> <subsection id="id8DB9C2DF39574AC49AF3ADF319752D8B"><enum>(b)</enum><header>Data security requirements</header><text>The data security policies and practices required under subsection (a) shall be—</text> 
<paragraph id="id0442ae7584c14addaa3897fb037a9315"><enum>(1)</enum><text>appropriate to the size and complexity of the covered entity, the nature and scope of the covered entity’s collection or processing of covered data, the volume and nature of the covered data at issue, and the cost of available tools to improve security and reduce vulnerabilities; and</text></paragraph> <paragraph id="idbfc62c7d4f6145cbae859337671fd71e"><enum>(2)</enum><text>designed to—</text> 
<subparagraph id="idb74bd6d41b004256a47e0f1ae7153088"><enum>(A)</enum><text>identify and assess vulnerabilities to covered data;</text></subparagraph> <subparagraph id="id19c6f4972442488cb24c5a41ba608a5f"><enum>(B)</enum><text>take reasonable preventative and corrective action to address known vulnerabilities to covered data; and</text></subparagraph> 
<subparagraph id="idC63CC420C73A42399EDE52D8758328BD"><enum>(C)</enum><text>detect, respond to, and recover from cybersecurity incidents related to covered data.</text></subparagraph></paragraph></subsection> <subsection id="id44487cdc2f4b4152931907b085c3a9c5"><enum>(c)</enum><header>Rulemaking and guidance</header> <paragraph id="idf60c858ba44f4ff09cc33fe6e7980d4d"><enum>(1)</enum><header>Rulemaking authority and scope</header> <subparagraph id="idcfe4de1923e04d4396c549838bd34b28"><enum>(A)</enum><header>In general</header><text>The Commission may, pursuant to a proceeding in accordance with section 553 of title 5, United States Code, issue regulations to identify processes for receiving and assessing information regarding vulnerabilities to covered data that are reported to the covered entity.</text></subparagraph> 
<subparagraph id="id9a1a0bbe227e4c8a9c28acc40020a40b"><enum>(B)</enum><header>Consultation with NIST</header><text>In promulgating regulations under this paragraph, the Commission shall consult with, and take into consideration guidance from, the National Institute for Standards and Technology.</text></subparagraph></paragraph> <paragraph id="ide2bfd98eca07464591d62785c58f7cb4"><enum>(2)</enum><header>Guidance</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance to covered entities on how to—</text> 
<subparagraph id="id23a4f6a82db042a7ab1f33e5e7cfa408"><enum>(A)</enum><text>identify and assess vulnerabilities to covered data, including—</text> <clause id="id80b01500a9d14a3c90b4370140ae1d6c"><enum>(i)</enum><text>the potential for unauthorized access to covered data;</text></clause> 
<clause id="id2a0ca6e0fcab4ccf9a9d77fafb6167fa"><enum>(ii)</enum><text>vulnerabilities in the covered entity’s collection or processing of covered data;</text></clause> <clause id="id0e9d31e3a43142ddbdd3d0c636db6d5d"><enum>(iii)</enum><text>the management of access rights; and</text></clause> 
<clause id="idec455f7dc28f43e0a1383217136e4dfa"><enum>(iv)</enum><text>the use of service providers to process covered data;</text></clause></subparagraph> <subparagraph id="id8af7cec27341405398904c85d9b00a04"><enum>(B)</enum><text>take reasonable preventative and corrective action to address vulnerabilities to covered data; and</text></subparagraph> 
<subparagraph id="id7B3C3D027F944C598315FD4CAE7CDC5B"><enum>(C)</enum><text>detect, respond to, and recover from cybersecurity incidents and events.</text></subparagraph></paragraph></subsection> <subsection id="ide1938b0f524b421889583312051faca9"><enum>(d)</enum><header>Applicability of other information security laws</header><text display-inline="yes-display-inline">A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801</external-xref> et seq.) or the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref> et seq.), and is in compliance with the information security requirements of such Act, shall be deemed to be in compliance with the requirements of this section with respect to covered data that is subject to the requirements of such Act.</text></subsection></section> 
<section id="id48FF5A1D7E4A49D391C19B7A3B70B7D7"><enum>205.</enum><header>Filter bubble transparency</header> 
<subsection id="idDB6692F9162341BF9C4BB0D8DF901227"><enum>(a)</enum><header>In general</header><text>Beginning on the date that is 1 year after the date of enactment of this Act, it shall be unlawful—</text> <paragraph id="idA02D2BC1694B4C7D98AE2A1A238F93BD"><enum>(1)</enum><text>for any person to operate a covered internet platform that uses an opaque algorithm unless the person complies with the requirements of subsection (b); or</text></paragraph> 
<paragraph id="id33EDDE22BD634C888670C3EBA11A6FBC"><enum>(2)</enum><text>for any upstream provider to grant access to an index of web pages on the internet under a search syndication contract that does not comply with the requirements of subsection (c).</text></paragraph></subsection> <subsection id="id1DF0303BA82E4ED2AE83CB2FA79A8A49"><enum>(b)</enum><header>Opaque algorithm requirements</header> <paragraph id="id54E77957AC7D4CE78751E94731B6D6A3"><enum>(1)</enum><header>In general</header><text>The requirements of this subsection with respect to a person that operates a covered internet platform that uses an opaque algorithm are the following:</text> 
<subparagraph id="id6CD67BB003D04EF58FE51F7278703276"><enum>(A)</enum><text>The person provides notice to users of the platform that the platform uses an opaque algorithm that makes inferences based on user-specific data to select the content the user sees. Such notice shall be presented in a clear, conspicuous manner on the platform whenever the user interacts with an opaque algorithm for the first time, and may be a one-time notice that can be dismissed by the user.</text></subparagraph> <subparagraph id="id30A6D65CC3CB4F339561DE38E68D621D"><enum>(B)</enum><text>The person makes available a version of the platform that uses an input-transparent algorithm and enables users to easily switch between the version of the platform that uses an opaque algorithm and the version of the platform that uses the input-transparent algorithm by selecting a prominently placed icon, which shall be displayed wherever the user interacts with an opaque algorithm.</text></subparagraph></paragraph> 
<paragraph id="idE00A137EFDAB454D9C6F970958D589EF"><enum>(2)</enum><header>Nonapplication to certain downstream providers</header><text>Paragraph (1) shall not apply with respect to an internet search engine if—</text> <subparagraph id="id283758F1F72047EDB453C23EA91DA4B1"><enum>(A)</enum><text>the search engine is operated by a downstream provider with fewer than 1,000 employees; and</text></subparagraph> 
<subparagraph id="id2A6904DFE40A4900A7C40F6FB821F764"><enum>(B)</enum><text>the search engine uses an index of web pages on the internet to which such provider received access under a search syndication contract.</text></subparagraph></paragraph></subsection> <subsection id="idCC2B524AFA0F44C49A957EFF8FA7B4DA"><enum>(c)</enum><header>Search syndication contract requirement</header><text>The requirements of this subsection with respect to a search syndication contract are that—</text> 
<paragraph id="idFD655A37E9BF4C10A13C8D516A2E524C"><enum>(1)</enum><text>as part of the contract, the upstream provider makes available to the downstream provider the same input-transparent algorithm used by the upstream provider for purposes of complying with subsection (b)(1)(B); and</text></paragraph> <paragraph id="id6E4A9123603F4C9DBEA3DACAC5EAE8F8"><enum>(2)</enum><text>the upstream provider does not impose any additional costs, degraded quality, reduced speed, or other constraint on the functioning of such algorithm when used by the downstream provider to operate an internet search engine relative to the performance of such algorithm when used by the upstream provider to operate an internet search engine.</text></paragraph></subsection></section> 
<section id="id98a5780e31e74834819b7a5becb4bd7d"><enum>206.</enum><header>Unfair and deceptive acts and practices relating to the manipulation of user interfaces</header> 
<subsection id="id5eaff27a2d214f9c8e54f5ef0fb8d990"><enum>(a)</enum><header>Conduct prohibited</header> 
<paragraph id="id3378957b4a764639a93d75cfc7585d62"><enum>(1)</enum><header>In general</header><text>It shall be unlawful for any large online operator—</text> <subparagraph id="id546EE5A057714E9F9C0F191CF69E821B"><enum>(A)</enum><text>to design, modify, or manipulate a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision making, or choice to obtain consent or user data;</text></subparagraph> 
<subparagraph id="idD799EF1CC3A646B2BCC137F60EE68512"><enum>(B)</enum><text>to subdivide or segment consumers of online services into groups for the purposes of behavioral or psychological experiments or studies, except with the informed consent of each user involved; or</text></subparagraph> <subparagraph id="id090CD4C2F3334129933A5039B73ED141"><enum>(C)</enum><text>to design, modify, or manipulate a user interface on a website or online service, or portion thereof, that is directed to an individual under the age of 13, with the purpose or substantial effect of cultivating compulsive usage, including video auto-play functions initiated without the consent of a user.</text></subparagraph></paragraph></subsection> 
<subsection id="id3ed571f8f1b640fabcb99e5dab392c4c"><enum>(b)</enum><header>Duties of large online operators</header><text>Any large online operator that engages in any form of behavioral or psychological research based on the activity or data of its users shall—</text> <paragraph id="id0c77aaa4eaa248f0abbefd8a49aef32c"><enum>(1)</enum><text>disclose to its users on a routine basis, but not less than once each 90 days, any experiments or studies that a user was subjected to or enrolled in with the purpose of promoting engagement or product conversion;</text></paragraph> 
<paragraph id="idf8e9237f06c345ccaea8c47eb2122cd3"><enum>(2)</enum><text>disclose to the public on a routine basis, but not less than once each 90 days, any experiments or studies with the purposes of promoting engagement or product conversion being currently undertaken, or concluded since the prior disclosure;</text></paragraph> <paragraph id="id1dbe6c36086d4e08845591ccc3303d3a"><enum>(3)</enum><text>shall present the disclosures in paragraphs (1) and (2) in a manner that—</text> 
<subparagraph id="id1B71DE37386749C89A395F6E42567E1E"><enum>(A)</enum><text>is clear, conspicuous, context appropriate, and easily accessible; and</text></subparagraph> <subparagraph id="id0CA77747E46E45978D499A8932B21854"><enum>(B)</enum><text>is not deceptively obscured;</text></subparagraph></paragraph> 
<paragraph id="idd68db82f172a47d1a4dbbdfef93fd3c3"><enum>(4)</enum><text>establish an Independent Review Board for any behavioral or psychological research, of any purpose, conducted on users or on the basis of user activity or data, which shall review and have authority to approve, require modification in, or disapprove all behavioral or psychological experiments or research; and</text></paragraph> <paragraph id="id3df09e91ca50433cab1841d1f2c357e6"><enum>(5)</enum><text>ensure that any Independent Review Board established under paragraph (4) shall register with the Commission, including providing to the Commission—</text> 
<subparagraph id="idF3466E5F2E8243A3989998DE3F7C33E9"><enum>(A)</enum><text>the names and resumes of every board member;</text></subparagraph> <subparagraph id="idF293B503587B4F22A3D0A6FAD3C6EEE1"><enum>(B)</enum><text>the composition and reporting structure of the Board to the management of the operator;</text></subparagraph> 
<subparagraph id="idF489606B5B5148339358033CD34EB318"><enum>(C)</enum><text>the process by which the Board is to be notified of proposed studies or modifications along with the processes by which the Board is capable of vetoing or amending such proposals;</text></subparagraph> <subparagraph id="idADE3984FAF7B449693E4E673D74378EA"><enum>(D)</enum><text>any compensation provided to board members; and</text></subparagraph> 
<subparagraph id="id60FD169EC27146DDB9F87FA0EB3BE5F4"><enum>(E)</enum><text>any conflict of interest that might exist concerning a board member's participation in the Board.</text></subparagraph></paragraph></subsection> <subsection id="idc817fe65f69e46f1ace5caca2de7e2cf"><enum>(c)</enum><header>Registered professional standards body</header> <paragraph id="id172d6e80fa824af88ef241646832f673"><enum>(1)</enum><header>In general</header><text>An association of large online operators may register as a professional standards body by filing with the Commission an application for registration in such form as the Commission, by rule, may prescribe containing the rules of the association and such other information and documents as the Commission, by rule, may prescribe as necessary or appropriate in the public interest or for protecting the welfare of users of large online operators.</text></paragraph> 
<paragraph id="id5e5cf3c8620e4538913262f3b18ad013"><enum>(2)</enum><header>Professional standards body</header><text>An association of large online operators may not register as a professional standards body unless the Commission determines that—</text> <subparagraph id="id9E423D9A545A4BB8BCA61D2ECEE6F52B"><enum>(A)</enum><text>the association is so organized and has the capacity to enforce compliance by its members and persons associated with its members, with the provisions of this Act;</text></subparagraph> 
<subparagraph id="id9D040CCEADE64A27BF879DC8238A63FB"><enum>(B)</enum><text>the rules of the association provide that any large online operator may become a member of such association;</text></subparagraph> <subparagraph id="id55DBDB6C091A47C8AEF3E464FE72AB6D"><enum>(C)</enum><text>the rules of the association ensure a fair representation of its members in the selection of its directors and administration of its affairs and provide that one or more directors shall be representative of users and not be associated with, or receive any direct or indirect funding from, a member of the association or any large online operator;</text></subparagraph> 
<subparagraph id="idB6189F31199148D7968338FFFDEDE3CE"><enum>(D)</enum><text>the rules of the association are designed to prevent exploitative and manipulative acts or practices, to promote transparent and fair principles of technology development and design, to promote research in keeping with best practices of study design and informed consent, and to continually evaluate industry practices and issue binding guidance consistent with the objectives of this Act;</text></subparagraph> <subparagraph id="id1A26A7D6F0C74EF9A21E415DD6E78C07"><enum>(E)</enum><text>the rules of the association provide that its members and persons associated with its members shall be appropriately disciplined for violation of any provision of this Act, the rules or regulations thereunder, or the rules of the association, by expulsion, suspension, limitation of activities, functions, fine, censure, being suspended or barred from being associated with a member, or any other appropriate sanction; and</text></subparagraph> 
<subparagraph id="id7C0581F783E4466982BB29D27A7CD62F"><enum>(F)</enum><text>the rules of the association are in accordance with the provisions of this Act, and, in general, provide a fair procedure for the disciplining of members and persons associated with members, the denial of membership to any person seeking membership therein, the barring of any person from becoming associated with a member thereof, and the prohibition or limitation by the association of any person with respect to access to services offered by the association or a member thereof.</text></subparagraph></paragraph> <paragraph id="idb03c13ea206e453181c45a6ec3de1736"><enum>(3)</enum><header>Responsibilities and activities</header> <subparagraph id="id6B0B1E9E2F7440D5A0B71F29B096FA46"><enum>(A)</enum><header>Bright-line rules</header><text>An association shall develop, on a continuing basis, guidance and bright-line rules for the development and design of technology products of large online operators consistent with subparagraph (B).</text></subparagraph> 
<subparagraph id="id47ABDFF9362A42869B64F4E752675CEC"><enum>(B)</enum><header>Safe harbors</header><text>In formulating guidance under subparagraph (A), the association shall define conduct that does not have the purpose or substantial effect of subverting or impairing user autonomy, decision making, or choice, or of cultivating compulsive usage for children such as—</text> <clause id="idCB59B515A5B749058D347F0EA04A38B5"><enum>(i)</enum><text>de minimis user interface changes derived from testing consumer preferences, including different styles, layouts, or text, where such changes are not done with the purpose of obtaining user consent or user data;</text></clause> 
<clause id="id0C4E3EA79806479D94A47B0B843AD593"><enum>(ii)</enum><text>algorithms or data outputs outside the control of a large online operator or its affiliates; and</text></clause> <clause id="id4BCE3012BA644824A167CC72E1A2540F"><enum>(iii)</enum><text>establishing default settings that provide enhanced privacy protection to users or otherwise enhance their autonomy and decision-making ability.</text></clause></subparagraph></paragraph></subsection> 
<subsection id="id1188b25f9fe04fdf88ca9dc710769307"><enum>(d)</enum><header>Enforcement by the Commission</header> 
<paragraph id="id73db0d5d56cb4a3f9ea3a83423fc7654"><enum>(1)</enum><header>Unfair or deceptive acts or practice</header><text>A violation of subsection (a) or (b) shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph> <paragraph id="idc9c559c4982142ea80a4f14fcd3ab74a"><enum>(2)</enum><header>Determination</header><text>For purposes of enforcement of this Act, the Commission shall determine an act or practice is unfair or deceptive if the act or practice—</text> 
<subparagraph id="id1D002688B23346348172BFB4AF63C376"><enum>(A)</enum><text>has the purpose, or substantial effect, of subverting or impairing user autonomy, decision making, or choice to obtain consent or user data; or</text></subparagraph> <subparagraph id="id399D5F91AB374DCCAA8ABA97A20C43AD"><enum>(B)</enum><text>has the purpose, or substantial effect, of cultivating compulsive usage by a child under 13.</text></subparagraph></paragraph> 
<paragraph id="id8252217bed844e6bb518b8237f5a24e6"><enum>(3)</enum><header>Regulations</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, that—</text> <subparagraph id="idA0080265054B4C6FB8EA48541B871DCE"><enum>(A)</enum><text>establish rules and procedures for obtaining the informed consent of users;</text></subparagraph> 
<subparagraph id="id905AC40914AA47F78087E8BD8A65DA70"><enum>(B)</enum><text>establish rules for the registration, formation, oversight, and management of the independent review boards, including standards that ensure effective independence of such entities from improper or undue influence by a large online operator;</text></subparagraph> <subparagraph id="idDB850E944F804D459073ACD450BED499"><enum>(C)</enum><text>establish rules for the registration, formation, oversight, and management of professional standards bodies, including procedures for the regular oversight of such bodies and revocation of their designation; and</text></subparagraph> 
<subparagraph id="id2374527812C74AA99897E45D8CFDB912"><enum>(D)</enum><text>in consultation with a professional standards body established under subsection (c), define conduct that does not have the purpose or substantial effect of subverting or impairing user autonomy, decision making, or choice, or of cultivating compulsive usage for children such as—</text> <clause id="id8C142522A7F14838BA27A8F59F3FCE1E"><enum>(i)</enum><text>de minimis user interface changes derived from testing consumer preferences, including different styles, layouts, or text, where such changes are not done with the purpose of obtaining user consent or user data;</text></clause> 
<clause id="id05495C555881400D816B1C874A0612C2"><enum>(ii)</enum><text>algorithms or data outputs outside the control of a large online operator or its affiliates; and</text></clause> <clause commented="no" display-inline="no-display-inline" id="idBC6E85C840D34ADBA136E43445B4F852"><enum>(iii)</enum><text>establishing default settings that provide enhanced privacy protection to users or otherwise enhance their autonomy and decision-making ability.</text></clause></subparagraph></paragraph> 
<paragraph id="id563c3580ad3c4823958ace09e772a3f5" commented="no" display-inline="no-display-inline"><enum>(4)</enum><header>Safe harbor</header><text display-inline="yes-display-inline">The Commission may not bring an enforcement action under this section against any large online operator that relied in good faith on the guidance of a professional standards body. </text></paragraph></subsection></section></title> <title id="idACAF85B5EF7B4CAAA40599A9810B12D3" style="OLC"><enum>III</enum><header>Corporate accountability</header> <section id="id47593885965544c4a91476255e9c66ac"><enum>301.</enum><header>Designation of data privacy officer and data security officer</header> <subsection id="id882a9731d2574669a43c5edca8c41cf3"><enum>(a)</enum><header>In general</header><text>A covered entity shall designate—</text> 
<paragraph id="id34ca4bbb1ab644fb863d45fa120bb8ee"><enum>(1)</enum><text>one or more qualified employees or contractors as data privacy officers; and</text></paragraph> <paragraph id="idbcaba9f2d9f44125a09fc500ffdb632d"><enum>(2)</enum><text>one or more qualified employees or contractors (in addition to any employee or contractor designated under paragraph (1)) as data security officers.</text></paragraph></subsection> 
<subsection id="id94677755eb8646d6964738c19a1c96bc"><enum>(b)</enum><header>Responsibilities of data privacy officers and data security officers</header><text>An employee or contractor who is designated by a covered entity as a data privacy officer or a data security officer shall be responsible for, at a minimum, coordinating the covered entity's policies and practices regarding—</text> <paragraph id="id306033c75a3242138460ff22daa78942"><enum>(1)</enum><text>in the case of a data privacy officer, compliance with the privacy requirements with respect to covered data under this Act; and</text></paragraph> 
<paragraph id="id78A3687EA955491D9C26FED3C083F7E6"><enum>(2)</enum><text>in the case of a data security officer, the security requirements with respect to covered data under this Act. </text></paragraph></subsection></section> <section id="id326f708931b0497a8a8b4efa7b180355"><enum>302.</enum><header>Internal controls</header><text display-inline="no-display-inline">A covered entity shall maintain internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions that implicate compliance with this Act.</text></section> 
<section id="id43c7896caf44463499837047bad8ca6d"><enum>303.</enum><header>Whistleblower protections</header> 
<subsection id="id72ce1eaf14d949ecbbda9794b5cd35c2"><enum>(a)</enum><header>Definitions</header><text>For purposes of this section:</text> <paragraph id="idFE337AFDEAB5426C96A4166734B7AFB1"><enum>(1)</enum><header>Whistleblower</header><text>The term <term>whistleblower</term> means any employee or contractor of a covered entity who voluntarily provides to the Commission original information relating to non-compliance with, or any violation or alleged violation of, this Act or any regulation promulgated under this Act.</text></paragraph> 
<paragraph id="id63119496b6da4606b0be85d8b49fe451"><enum>(2)</enum><header>Original Information</header><text>The term <term>original information</term> means information that is provided to the Commission by an individual and—</text> <subparagraph id="idbc24ce8629e144f69e6a711a5e711145"><enum>(A)</enum><text>is derived from the independent knowledge or analysis of an individual;</text></subparagraph> 
<subparagraph id="iddf103c2e1c40438d8258f8900c4e590c"><enum>(B)</enum><text>is not known to the Commission from any other source at the time the individual provides the information; and</text></subparagraph> <subparagraph id="idecd88dea21c643298463cbddd36082b4"><enum>(C)</enum><text>is not exclusively derived from an allegation made in a judicial or an administrative action, in a governmental report, a hearing, an audit, or an investigation, or from news media, unless the individual is a source of the allegation.</text></subparagraph></paragraph></subsection> 
<subsection id="idF59C6A75C7B048BABB335BD68787D07B"><enum>(b)</enum><header>Effect of whistleblower retaliations on penalties</header><text>In seeking penalties under section 401 for a violation of this Act or a regulation promulgated under this Act by a covered entity, the Commission shall consider whether the covered entity retaliated against an individual who was a whistleblower with respect to original information that led to the successful resolution of an administrative or judicial action brought by the Commission or the Attorney General of the United States under this Act against such covered entity.</text></subsection></section></title> <title id="idAC7BD9C5155741E3AF8E08A9E97B5140" style="OLC"><enum>IV</enum><header>Enforcement authority and new programs</header> <section id="id2d666c490a654b74b8a2246356ecef0e"><enum>401.</enum><header>Enforcement by the Federal Trade Commission</header> <subsection id="id377d76ed17e748eab47f5a631770cb5f"><enum>(a)</enum><header>Enforcement by the Federal Trade Commission</header> <paragraph id="id024e0cc1533f4361a0c7e150da529ad8"><enum>(1)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph> 
<paragraph id="id46b6c1bc0dfb43f09e2d5e038515d706"><enum>(2)</enum><header>Powers of commission</header> 
<subparagraph id="ideb456c68e6674b299b93b1ee2a63b163"><enum>(A)</enum><header>In general</header><text>Except as provided in paragraphs (3) and (4), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.) were incorporated into and made a part of this Act.</text></subparagraph> <subparagraph id="idfca131346d884e24b252876e7f6b49f4"><enum>(B)</enum><header>Privileges and immunities</header><text>Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.).</text></subparagraph> 
<subparagraph id="idDB2556B9F3774769BB5885D10864431A"><enum>(C)</enum><header>Limiting certain actions unrelated to this Act; authority preserved</header> 
<clause id="idABA7EA29047E4DB99560F8CEB8516139"><enum>(i)</enum><header>In general</header><text>The Commission shall not bring any action to enforce the prohibition in section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45</external-xref>) on unfair or deceptive acts or practices with respect to the privacy or security of covered data, unless such action is consistent with this Act. </text></clause> <clause id="id7A271F7D3FB743DDB8B72B6733C89F02"><enum>(ii)</enum><header>Rule of construction</header><text>Except as provided in paragraph (1), nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law, or to limit the Commission’s authority to bring actions under section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45</external-xref>) relating to unfair or deceptive acts or practices to enforce the provisions of this Act and regulations promulgated thereunder, including to ensure that privacy policies required under section 102 are truthful and non-misleading.</text></clause></subparagraph></paragraph> 
<paragraph id="id1350a2068a214890a29205c8072b395e"><enum>(3)</enum><header>Common carriers and nonprofit organizations</header><text>Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref>, 45(a)(2), 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act and the regulations promulgated under this Act, in the same manner provided in paragraphs (1) and (2) of this subsection, with respect to—</text> <subparagraph id="id1c8e29a5d2ff49b4844e0f0fe2f614b4"><enum>(A)</enum><text>common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151</external-xref> et seq.) and all Acts amendatory thereof and supplementary thereto; and</text></subparagraph> 
<subparagraph id="idc6e52cfc98f14da6bf26935f2402c7a8"><enum>(B)</enum><text>organizations not organized to carry on business for their own profit or that of their members.</text></subparagraph></paragraph> <paragraph id="idf2dfa49aa4eb4ca0a9bdd4846306d28d"><enum>(4)</enum><header>Data privacy and security fund</header> <subparagraph id="id52a7e26c6a2545569ef37a20897f1ad1"><enum>(A)</enum><header>Establishment of Victims Relief Fund</header><text>There is established in the Treasury of the United States a separate fund to be known as the <term>Data Privacy and Security Victims Relief Fund</term> (referred to in this paragraph as the <term>Victims Relief Fund</term>).</text></subparagraph> 
<subparagraph id="id31aefed6d17a4281a47d2e7e4c8422c2"><enum>(B)</enum><header>Deposits</header> 
<clause id="id1dd89ee8913b430ba37da4b3a2e35274"><enum>(i)</enum><header>Deposits from the commission</header><text>The Commission shall deposit into the Victims Relief Fund the amount of any civil penalty obtained against any covered entity in any action the Commission commences to enforce this Act or a regulation promulgated under this Act.</text></clause> <clause id="iddc58a193cf434842a23026f5c9c51eca"><enum>(ii)</enum><header>Deposits from the Attorney General</header><text>The Attorney General of the United States shall deposit into the Victims Relief Fund the amount of any civil penalty obtained against any covered entity in any action the Attorney General commences on behalf of the Commission to enforce this Act or a regulation promulgated under this Act.</text></clause></subparagraph> 
<subparagraph id="id0975e0a3c9e942eb9f22891c9a37aacd"><enum>(C)</enum><header>Use of fund amounts</header><text>Amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payments or compensation, or other monetary relief to individuals affected by an act or practice for which civil penalties have been imposed under this Act. To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief are otherwise not practicable, the Commission may use such funds for the purpose of consumer or business education relating to data privacy and security or for the purpose of engaging in technological research that the Commission considers necessary to enforce this Act.</text></subparagraph> <subparagraph id="id37669be8ad404809a05c8bb048659c64"><enum>(D)</enum><header>Amounts not subject to apportionment</header><text>Notwithstanding any other provision of law, amounts in the Victims Relief Fund shall not be subject to apportionment for purposes of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/31/15">chapter 15</external-xref> of title 31, United States Code, or under any other authority.</text></subparagraph></paragraph> 
<paragraph id="id6cc14ed2ca3b450abb21cdf43d7476b0"><enum>(5)</enum><header>Authorization of appropriations</header><text>There are authorized to be appropriated to the Commission $100,000,000 to carry out this Act.</text></paragraph></subsection> <subsection id="id5BCFB4CA43B749A098ECD94572DB7220"><enum>(b)</enum><header>Enforcement of section 206</header><text>This section shall not apply to a violation of section 206 or a regulation promulgated under such section, and such section shall be enforced under subsection (d) of such section.</text></subsection></section> 
<section id="id5b1d6bd139474e729d340e362ff05246"><enum>402.</enum><header>Enforcement by State attorneys general</header> 
<subsection id="ide8494c878b304f45acc35ee2603270b6"><enum>(a)</enum><header>Civil action</header><text>Except as provided in subsection (h), in any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is adversely affected by the engagement of any covered entity in an act or practice that violates this Act or a regulation promulgated under this Act, the attorney general of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—</text> <paragraph id="id5c6f1711ae02406e84fac6452aa14668"><enum>(1)</enum><text>enjoin that act or practice;</text></paragraph> 
<paragraph id="id947f032061b74cb79b8446ba8b7755e3"><enum>(2)</enum><text>enforce compliance with this Act or the regulation;</text></paragraph> <paragraph id="id62240c7472b04166af543d17385b7ee6"><enum>(3)</enum><text>obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or</text></paragraph> 
<paragraph id="id2ac8ef2a68864c61872de246c3fa7f8d"><enum>(4)</enum><text>obtain such other relief as the court may consider to be appropriate.</text></paragraph></subsection> <subsection id="id6bc0fc53b43c439e985e46193b70f8e6"><enum>(b)</enum><header>Rights of the commission</header> <paragraph id="id1381c9c2312d4dd38792acd959a90a04"><enum>(1)</enum><header>In general</header><text>Except where not feasible, the attorney general of a State shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action and, upon intervening—</text> 
<subparagraph id="id94B1EC8CBA13412F8297D6CB77166C1D"><enum>(A)</enum><text>be heard on all matters arising in such action; and</text></subparagraph> <subparagraph id="id1BC1DAEDD52543DCBBB34A7440BC556D"><enum>(B)</enum><text>file petitions for appeal of a decision in such action.</text></subparagraph></paragraph> 
<paragraph id="idfb26a9844e2e4bf4bf87a370477f205a" commented="no"><enum>(2)</enum><header>Notification timeline</header><text>Where it is not feasible for the attorney general of a State to provide the notification required by paragraph (2) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately after initiating the civil action.</text></paragraph></subsection> <subsection id="idaf867b138d0143f7983704ef15eee048" commented="no"><enum>(c)</enum><header>Consolidation of actions brought by two or more State attorneys general</header><text>Whenever a civil action under subsection (a) is pending and another civil action or actions are commenced pursuant to such subsection in a different Federal district court or courts that involve one or more common questions of fact, such action or actions shall be transferred for the purposes of consolidated pretrial proceedings and trial to the United States District Court for the District of Columbia; provided however, that no such action shall be transferred if pretrial proceedings in that action have been concluded before a subsequent action is filed by the attorney general of the State.</text></subsection> 
<subsection id="idf9648ed1f8564352916c1ad09e7f838a"><enum>(d)</enum><header>Actions by commission</header><text>In any case in which a civil action is instituted by or on behalf of the Commission for violation of this Act or a regulation promulgated under this Act, no attorney general of a State may, during the pendency of such action, institute a civil action against any defendant named in the complaint in the action instituted by or on behalf of the Commission for violation of this Act or a regulation promulgated under this Act that is alleged in such complaint.</text></subsection> <subsection id="id684b4027b5204e47b8f09e6a9d2942c2"><enum>(e)</enum><header>Investigatory powers</header><text>Nothing in this section shall be construed to prevent the attorney general of a State or another authorized official of a State from exercising the powers conferred on the attorney general or the State official by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.</text></subsection> 
<subsection id="ide419e58adb984a16b0d9d20044eb6712"><enum>(f)</enum><header>Venue; service of process</header> 
<paragraph id="id6aea2f45353243c59823f441f84d1f66"><enum>(1)</enum><header>Venue</header><text>Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.</text></paragraph> <paragraph id="id95612657df514caaa4d51e26a3395b36"><enum>(2)</enum><header>Service of process</header><text>In an action brought under subsection (a), process may be served in any district in which the defendant—</text> 
<subparagraph id="id74394abd0fbb425eaa9abf080355ce3c"><enum>(A)</enum><text>is an inhabitant; or</text></subparagraph> <subparagraph id="id7bf660e1b4be438e835602ec81c38bcc"><enum>(B)</enum><text>may be found.</text></subparagraph></paragraph></subsection> 
<subsection id="id9e0f365681454d248ecc6a22c804f79e"><enum>(g)</enum><header>Actions by other State officials</header> 
<paragraph id="id99e88998a6ac4c5d9ff398fad1f1d6d2" commented="no"><enum>(1)</enum><header>In general</header><text>Any State official who is authorized by the State attorney general to be the exclusive authority in that State to enforce this Act may bring a civil action under subsection (a), subject to the same requirements and limitations that apply under this section to civil actions brought under such subsection by State attorneys general.</text></paragraph> <paragraph id="idd99b21d8244c4a4594c48b3b7c663006"><enum>(2)</enum><header>Authority preserved</header><text>Nothing in this section shall be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.</text></paragraph></subsection> 
<subsection id="id45804067C278461A8C650E680041A4AB"><enum>(h)</enum><header>Exclusion of section 206</header><text>This section shall not apply to a violation of section 206 or a regulation promulgated under such section.</text></subsection></section> <section id="id98231889D318456083765D20CFBEB37A"><enum>403.</enum><header>Authority of Commission to seek permanent injunction and other equitable remedies</header> <subsection id="id2E7D0F729DF648BD97E0EB9B5B73D371"><enum>(a)</enum><header>In general</header><text>Section 13 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/53">15 U.S.C. 53</external-xref>) is amended—</text> 
<paragraph id="id7D462A9C773B4FBCA1156796A04C8C96"><enum>(1)</enum><text>in subsection (b)—</text> <subparagraph id="idD1A6883F10F04DFD8DAE508020A72872"><enum>(A)</enum><text>in paragraph (1), by striking <quote>is violating, or is about to violate,</quote> and inserting <quote>has violated, is violating, or is about to violate</quote>;</text></subparagraph> 
<subparagraph id="idD42B31A519E541E7A8A6D5084A492F52"><enum>(B)</enum><text>in paragraph (2)—</text> <clause id="id04D19B0FAF004CDA9CFA118E59E296FA"><enum>(i)</enum><text>by inserting <quote>either (A)</quote> before <quote>the enjoining thereof</quote>; and</text></clause> 
<clause id="id0CEE5BB0F716496DAFD91566CCA043B6"><enum>(ii)</enum><text>by inserting <quote>or (B) the permanent enjoining thereof or the ordering of an equitable remedy under subsection (e)</quote> after <quote>final,</quote>; and</text></clause></subparagraph> <subparagraph id="id80131BBE7B4942A5B5B3062A7ADA9212"><enum>(C)</enum><text>in the flush text following paragraph (2)—</text> 
<clause id="id5EB385C89F8D4E72AF2A6EAF7DDB7C9A"><enum>(i)</enum><text>by striking <quote>to enjoin any such act or practice</quote> and inserting <quote>to obtain such injunction or remedy</quote>;</text></clause> <clause id="id94DF1DFD3FFF47F699724D2B97D77D51"><enum>(ii)</enum><text>by striking <quote>Upon a proper showing that</quote> and inserting <quote>In a case brought under paragraph (2)(A), upon a proper showing that</quote>;</text></clause> 
<clause id="idF041E677E6D149FD8AA26AADAEB8577B"><enum>(iii)</enum><text>by striking <quote>such action</quote> and inserting <quote>a temporary restraining order or preliminary injunction</quote>;</text></clause> <clause id="id84CE4E1BBF4A4B58BFC0331CE33D7CFD"><enum>(iv)</enum><text>by striking <quote>without bond</quote>;</text></clause> 
<clause id="idC4E73053DED2456D9F5266B3AD5CABE3"><enum>(v)</enum><text>by striking <quote>That in proper cases the Commission may seek, and after proper proof, the court may issue, a permanent injunction.</quote> and inserting the following: <quote>That in a case brought under paragraph (2)(B), after proper proof and upon a showing that a permanent injunction or equitable remedy under subsection (e) would be in the public interest, the court may issue a permanent injunction, an equitable remedy under subsection (e), or any other relief as the court determines to be just and proper, including temporary or preliminary equitable relief.</quote>;</text></clause> <clause id="id9250D90640694032B700C9582E356BD1"><enum>(vi)</enum><text>by inserting <quote>under paragraph (2)</quote> after <quote>Any suit</quote>; and</text></clause> 
<clause id="id66282C5518864BBBACA30B908624FB8D"><enum>(vii)</enum><text>by striking <quote>any suit under this section</quote> and inserting <quote>any such suit</quote>; and</text></clause></subparagraph></paragraph> <paragraph id="id599216F616774155B8B3AA424A4D8BC8"><enum>(2)</enum><text>by adding at the end the following new subsection:</text> 
<quoted-block act-name="" id="idBA2FD404E2C2473C8F1DF14B94C0FEB6" style="OLC"> 
<subsection id="idDEC2FAD29CF2429497762C602C9E5113"><enum>(e)</enum><header>Equitable remedies</header> 
<paragraph id="idFEB79546676A40C79EF2A09AE6EBB27E"><enum>(1)</enum><header>Restitution; contract rescission and reformation</header> 
<subparagraph id="id414866CA95674985AA803EFE35706CBF"><enum>(A)</enum><header>In general</header><text>In a suit brought under subsection (b)(2)(B) with respect to a violation of a provision of law enforced by the Commission, the Commission may seek, and the court may order—</text> <clause id="idB8FCE921AC1C47D2842607EDF4057E82"><enum>(i)</enum><text>restitution for consumer loss resulting from such violation;</text></clause> 
<clause id="id4E4F98D9C22C4BBEAFD5FB8BB9080956"><enum>(ii)</enum><text>rescission or reformation of contracts; and</text></clause> <clause id="id5F95AA443D3E4A3E94EE6F24E4E1B417"><enum>(iii)</enum><text>the refund of money or return of property.</text></clause></subparagraph> 
<subparagraph id="id7ABF9E8296274202A75DDB335028DF79"><enum>(B)</enum><header>Limitations period</header><text>Relief under this paragraph shall not be available for a claim arising more than 10 years before the filing of the Commission's suit under subsection (b)(2)(B) with respect to the violation that gave rise to the claim.</text></subparagraph></paragraph> <paragraph id="id228E7EEDC47F4B02A7B8FE66DC88F933"><enum>(2)</enum><header>Disgorgement</header> <subparagraph id="id81813D3156CC48BD820BA5A8F5462E1A"><enum>(A)</enum><header>In general</header><text>In a suit brought under subsection (b)(2)(B) with respect to a violation of a provision of law enforced by the Commission, the Commission may seek, and the court may order, disgorgement of any unjust enrichment that a person obtained as a result of that violation.</text></subparagraph> 
<subparagraph id="id38AD1B85F04E475CA8EBD68E3E3FFB8D"><enum>(B)</enum><header>Calculation</header><text>Any disgorgement that is ordered with respect to a person under subparagraph (A) shall be offset by any amount of restitution that the person is ordered to pay under paragraph (1).</text></subparagraph> <subparagraph id="id3472AA838F584FFE9CAD9CF44493182A"><enum>(C)</enum><header>Limitations period</header><text>Disgorgement under this paragraph shall be limited to any unjust enrichment a person, partnership, or corporation obtained in the 10 years preceding the filing of the Commission's suit under subsection (b)(2)(B) with respect to the violation that resulted in such unjust enrichment.</text></subparagraph></paragraph> 
<paragraph id="id2D1C2FADBD0C4A1ABB3CF48ED5E8FB66"><enum>(3)</enum><header>Calculation of limitations periods</header><text>For purposes of calculating any limitations period with respect to a claim for relief under paragraph (1) or a disgorgement order under paragraph (2), any time in which a person, partnership, or corporation against which such relief or order is sought is outside the United States shall not be counted for purposes of calculating such period.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="id203417E3CA644FF48770802202C90A38"><enum>(b)</enum><header>Conforming amendments</header><text>Section 16(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/56">15 U.S.C. 56(a)(2)</external-xref>) is amended—</text> 
<paragraph id="id4E26FD12657D45F2AFF2728FD0A26826"><enum>(1)</enum><text>in subparagraph (A), by striking <quote>(relating to injunctive relief)</quote>; and</text></paragraph> <paragraph id="id6647640D20CA4F64BFFFB5633BDCC1C0"><enum>(2)</enum><text>in subparagraph (B), by striking <quote>(relating to consumer redress)</quote>.</text></paragraph></subsection> 
<subsection commented="no" display-inline="no-display-inline" id="id40D99E446F90413591D1D46C24152B20"><enum>(c)</enum><header>Applicability</header><text>The amendments made by this section shall apply with respect to any action or proceeding that is commenced on or after the date of enactment of this Act. </text></subsection></section> <section id="id633327bb02f84579bc44567931e83bf9" commented="no"><enum>404.</enum><header>Approved certification programs</header> <subsection id="id83cfb960c3354af8890485c179a24997"><enum>(a)</enum><header>In general</header><text>The Commission shall establish a program in which the Commission shall approve voluntary consensus standards or certification programs that covered entities may use to comply with one or more provisions in this Act.</text></subsection> 
<subsection id="id8d7cfaff81a6459fb753f73ab2f91531"><enum>(b)</enum><header>Effect of approval</header><text>A covered entity in compliance with a voluntary consensus standard approved by the Commission shall be deemed to be in compliance with the provisions of this Act.</text></subsection> <subsection id="id3b86e9ae4f9e4525b9466e7fb91bd16f"><enum>(c)</enum><header>Time for approval</header><text>The Commission shall issue a decision regarding the approval of a proposed voluntary consensus standard not later than 180 days after a request for approval is submitted.</text></subsection> 
<subsection id="ida86270f861a54a91a7c749190845a688"><enum>(d)</enum><header>Effect of non-Compliance</header><text>A covered entity that claims compliance with an approved voluntary consensus standard and is found not to be in compliance with such program by the Commission or in any judicial proceeding shall be considered to be in violation of the section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45</external-xref>) prohibition on unfair or deceptive acts or practices.</text></subsection> <subsection id="ide76db965510d4c239406275fa1aa71d1"><enum>(e)</enum><header>Rulemaking</header><text>Not later than 120 days after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, establishing a process for review of requests for approval of proposed voluntary consensus standards under this section.</text></subsection> 
<subsection id="id7ceb06bbc67547039165b48c0f6df940"><enum>(f)</enum><header>Requirements</header><text>To be eligible for approval by the Commission, a voluntary consensus standard shall meet the requirements for voluntary consensus standards set forth in Office of Management and Budget Circular A–119, or other equivalent guidance document, ensuring that they are the result of due process procedures and appropriately balance the interests of all the stakeholders, including individuals, businesses, organizations, and other entities making lawful uses of the covered data covered by the standard, and—</text> <paragraph id="id97d4071b2fd645ce9ab27302ff1dc2d9"><enum>(1)</enum><text>specify clear and enforceable requirements for covered entities participating in the program that provide an overall level of data privacy or data security protection that is equivalent to or greater than that provided in the relevant provisions in this Act;</text></paragraph> 
<paragraph id="idd709c1798b0245c8a9a2d617e28ed156"><enum>(2)</enum><text>require each participating covered entity to post in a prominent place a clear and conspicuous public attestation of compliance and a link to the website described in paragraph (4);</text></paragraph> <paragraph id="idf477b9c051e244e2a47244640e062b30"><enum>(3)</enum><text>include a process for an independent assessment of a participating covered entity’s compliance with the voluntary consensus standard or certification program prior to certification and at reasonable intervals thereafter;</text></paragraph> 
<paragraph id="id077f88703b2c42e88f8c3705ea2cd31c"><enum>(4)</enum><text>create a website describing the voluntary consensus standard or certification program’s goals and requirements, listing participating covered entities, and providing a method for individuals to ask questions and file complaints about the program or any participating covered entity;</text></paragraph> <paragraph id="idb11d42b12b8748de82eeb1f2042edc79"><enum>(5)</enum><text>take meaningful action for non-compliance with the relevant provisions of this Act by any participating covered entity, which shall depend on the severity of the non-compliance and may include—</text> 
<subparagraph id="id01c82cf55d894b1c8a70ca305e34f7f1"><enum>(A)</enum><text>removing the covered entity from the program;</text></subparagraph> <subparagraph id="idba54b1cc7818475ca037f3f7c495c05c"><enum>(B)</enum><text>referring the covered entity to the Commission or other appropriate Federal or State agencies for enforcement;</text></subparagraph> 
<subparagraph id="id078590eb567743f79e3b47305953e1bb"><enum>(C)</enum><text>publicly reporting the disciplinary action taken with respect to the covered entity;</text></subparagraph> <subparagraph id="id245ff419a6e14c5ab6f22dd076889bec"><enum>(D)</enum><text>providing redress to individuals harmed by the non-compliance;</text></subparagraph> 
<subparagraph id="id880139ec05e842239f99b68f4b5e2af0"><enum>(E)</enum><text>making voluntary payments to the United States Treasury; and</text></subparagraph> <subparagraph id="ida307cf13388f4c84a88a90b306dc0c59"><enum>(F)</enum><text>taking any other action or actions to ensure the compliance of the covered entity with respect to the relevant provisions of this Act; and</text></subparagraph></paragraph> 
<paragraph id="id098983636fec4dbcba576415ba06ff67"><enum>(6)</enum><text>issue annual reports to the Commission and to the public detailing the activities of the program and its effectiveness during the preceding year in ensuring compliance with the relevant provisions of this Act by participating covered entities and taking meaningful disciplinary action for non-compliance with such provisions by such entities.</text></paragraph></subsection></section> <section id="id02a77b0fa7be4667985874c34adcca26"><enum>405.</enum><header>Relationship between Federal and State law</header> <subsection id="idc3fe8d67711840068b6aa05bc8e54502"><enum>(a)</enum><header>Relationship to State law</header><text>No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard related to the data privacy or data security and associated activities of covered entities.</text></subsection> 
<subsection id="idf4414194694c4465949046471cb3519e"><enum>(b)</enum><header>Savings provision</header><text>Subsection (a) may not be construed to preempt State laws that directly establish requirements for the notification of consumers in the event of a data breach.</text></subsection> <subsection id="id01e54a6dfcdd43938db6a1cac4117aa7"><enum>(c)</enum><header>Relationship to other Federal laws</header> <paragraph id="idea6275c6baf544f593d5ef708a187a46"><enum>(1)</enum><header>In general</header><text>Except as provided in paragraphs (2) and (3), the requirements of this Act shall supersede any other Federal law or regulation relating to the privacy or security of covered data or associated activities of covered entities.</text></paragraph> 
<paragraph id="id323534c58204481f910ab3755e203b26"><enum>(2)</enum><header>Savings provision</header><text>This Act may not be construed to modify, limit, or supersede the operation of the following:</text> <subparagraph id="id2973619b94384798a3ab90562f09ecc4"><enum>(A)</enum><text>The Children’s Online Privacy Protection Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501</external-xref> et seq.).</text></subparagraph> 
<subparagraph id="id2000390adc6b43b29411affc56c03cce"><enum>(B)</enum><text>The Communications Assistance for Law Enforcement Act (<external-xref legal-doc="usc" parsable-cite="usc/47/1001">47 U.S.C. 1001</external-xref> et seq.).</text></subparagraph> <subparagraph id="id5bc06bdd476049cb922c1486d74087e7"><enum>(C)</enum><text>Section 227 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/227">47 U.S.C. 227</external-xref>).</text></subparagraph> 
<subparagraph id="idee7c7b28b6aa4622b96de07e36ef04b8"><enum>(D)</enum><text>Title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801</external-xref> et seq.).</text></subparagraph> <subparagraph id="id48ccceecca8e4e14bbeff2ad698d8a60"><enum>(E)</enum><text>The Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681</external-xref> et seq.).</text></subparagraph> 
<subparagraph id="id116b644bf58f4776a528144206f0d516"><enum>(F)</enum><text>The Health Insurance Portability and Accountability Act (<external-xref legal-doc="public-law" parsable-cite="pl/104/191">Public Law 104–191</external-xref>).</text></subparagraph> <subparagraph id="id8d60022537614010a77d317cd90b91e1"><enum>(G)</enum><text>The Electronic Communications Privacy Act (<external-xref legal-doc="usc" parsable-cite="usc/18/2510">18 U.S.C. 2510</external-xref> et seq.).</text></subparagraph> 
<subparagraph id="id3a1f23c7bda245e5aa68462aff5e6fb9"><enum>(H)</enum><text>Section 444 of the General Education Provisions Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>) (commonly referred to as the <quote>Family Educational Rights and Privacy Act of 1974</quote>).</text></subparagraph> <subparagraph id="id55b4659e3b694d2c964da831508ad5d5"><enum>(I)</enum><text>The Driver's Privacy Protection Act of 1994 (<external-xref legal-doc="usc" parsable-cite="usc/18/2721">18 U.S.C. 2721</external-xref> et seq.).</text></subparagraph> 
<subparagraph id="id265b47579c384c7794cc9787f9841d36"><enum>(J)</enum><text>The Federal Aviation Act of 1958 (<external-xref legal-doc="usc-appendix" parsable-cite="usc-appendix/49/1301">49 U.S.C. App. 1301</external-xref> et seq.). </text></subparagraph> <subparagraph id="id4ca418a22e634de88b3e3e9401c746f1"><enum>(K)</enum><text>The Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref> et seq.). </text></subparagraph></paragraph> 
<paragraph id="idc736a7780f1e427e866dc86ae098dc81"><enum>(3)</enum><header>Compliance with saved Federal laws</header><text>To the extent that the data collection, processing, or transfer activities of a covered entity are subject to a law listed in paragraph (2), such activities of such entity shall not be subject to the requirements of this Act.</text></paragraph> <paragraph id="ide499211804f44c6c87a74070744a2073"><enum>(4)</enum><header>Nonapplication of FCC laws and regulations to covered entities</header><text>Notwithstanding any other provision of law, neither any provision of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151</external-xref> et seq.) and all Acts amendatory thereof and supplementary thereto nor any regulation promulgated by the Federal Communications Commission under such Acts shall apply to any covered entity with respect to the collection, use, processing, transferring, or security of individual information, except to the extent that such provision or regulation pertains solely to <quote>911</quote> lines or other emergency line of a hospital, medical provider or service office, health care facility, poison control center, fire protection agency, or law enforcement agency. </text></paragraph></subsection></section> 
<section id="id7a631b8bf598401fb1a1314069c603bd" commented="no"><enum>406.</enum><header>Constitutional avoidance</header><text display-inline="no-display-inline">The provisions of this Act shall be construed, to the greatest extent possible, to avoid conflicting with the Constitution of the United States, including the protections of free speech and freedom of the press established under the First Amendment to the Constitution of the United States.</text></section> <section id="id5f6cf06570c54947933965339ad23d36"><enum>407.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this Act, or an amendment made by this Act, is determined to be unenforceable or invalid, the remaining provisions of this Act and the amendments made by this Act shall not be affected.</text></section></title> 
</legis-body> 
</bill> 


