[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 583 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  1st Session
                                 S. 583

        To provide for digital accountability and transparency.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 27, 2019

 Ms. Cortez Masto introduced the following bill; which was read twice 
 and referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
        To provide for digital accountability and transparency.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Digital Accountability and 
Transparency to Advance Privacy Act'' or the ``DATA Privacy Act''.

SEC. 2. DEFINITIONS.

    (a) In General.--In this Act:
            (1) Collect.--The term ``collect'' means taking any 
        operation or set of operations to obtain covered data, 
        including by automated means, including purchasing, leasing, 
        assembling, recording, gathering, acquiring, or procuring.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Covered data.--The term ``covered data''--
                    (A) means any information that is--
                            (i) collected, processed, stored, or 
                        disclosed by a covered entity;
                            (ii) collected over the internet or other 
                        digital network; and
                            (iii)(I) linked to an individual or device 
                        associated with an individual; or
                            (II) practicably linkable to an individual 
                        or device associated with an individual, 
                        including by combination with separate 
                        information, by the covered entity or any 
                        potential recipient of the data; and
                    (B) does not include data that is--
                            (i) collected, processed, stored, or 
                        disclosed solely for the purpose of employment 
                        of an individual; and
                            (ii) lawfully made available to the public 
                        from Federal, State, or local government 
                        records.
            (4) Covered entity.--The term ``covered entity''--
                    (A) means any entity that collects, processes, 
                stores, or discloses covered data; and
                    (B) does not include any entity that collects, 
                processes, stores, or discloses covered data relating 
                to fewer than 3,000 individuals and devices during any 
                12-month period.
            (5) Disclose.--The term ``disclose'' means taking any 
        action with respect to covered data, including by automated 
        means, to sell, share, provide, or otherwise transfer covered 
        data to another entity, person, or the general public.
            (6) Privacy risk.--The term ``privacy risk'' means 
        potential harm to an individual resulting from the collection, 
        processing, storage, or disclosure of covered data, including--
                    (A) direct or indirect financial loss;
                    (B) stigmatization or reputational harm;
                    (C) anxiety, embarrassment, fear, and other severe 
                emotional trauma;
                    (D) loss of economic opportunity; or
                    (E) physical harm.
            (7) Process.--The term ``process'' means any operation or 
        set of operations that is performed on covered data or on sets 
        of covered data, including by automated means, including 
        organizing, combining, adapting, altering, using, or 
        transforming.
            (8) Protected characteristic.--The term ``protected 
        characteristic'' means an individual's race, sex, gender, 
        sexual orientation, nationality, religious belief, or political 
        affiliation.
            (9) Pseudonymous data.--The term ``pseudonymous data'' 
        means covered data that may only be linked to the identity of 
        an individual or the identity of a device associated with an 
        individual if combined with separate information.
            (10) Reasonable interest.--The term ``reasonable interest'' 
        means--
                    (A) a compelling business, operational, 
                administrative, legal, or educational justification for 
                the collection, processing, storage, or disclosure of 
                covered data exists;
                    (B) the use of covered data is within the context 
                of the relationship between the covered entity and the 
                individual linked to the covered data; and
                    (C) the interest does not subject the individual to 
                an unreasonable privacy risk.
            (11) Sensitive data.--The term ``sensitive data'' means any 
        covered data relating to--
                    (A) the health, biologic, physiologic, biometric, 
                sexual life, or genetic information of an individual; 
                or
                    (B) the precise geolocation information of a device 
                associated with an individual.
            (12) Store.--The term ``store'' means any operation or set 
        of operations to continue possession of covered data, including 
        by automated means.
            (13) Third party service provider.--The term ``third party 
        service provider'' means any covered entity that collects, 
        processes, stores, or discloses covered data at the direction 
        of, and for the sole benefit of, another covered entity under a 
        contract.
    (b) Modified Definition by Rulemaking.--If the Commission 
determines that a term defined in paragraph (9) or (11) is not 
sufficient to protect an individual's data privacy, the Commission may 
promulgated regulations under section 553 of title 5, United States 
Code, to modify the definition as the Commission considers appropriate.

SEC. 3. REQUIRED PRIVACY NOTICE.

    (a) Privacy Notice.--Each covered entity shall post in an 
accessible location a notice that is concise, in context, in easily 
understandable language, accurate, clear, timely, updated, uses 
visualizations where appropriate, conspicuous, and free of charge 
regarding the covered entity's privacy practices.
    (b) Contents of Notice.--The notice required by subsection (a) 
shall include--
            (1) a description of the covered data that the entity 
        collects, processes, stores, and discloses, including the 
        sources that provided the covered data if the covered entity 
        did not collect the covered data;
            (2) the purposes for and means by which the entity 
        collects, processes, and stores the covered data;
            (3) the persons and entities to whom, and purposes for 
        which, the covered entity discloses the covered data; and
            (4) a conspicuous, clear, and understandable means for 
        individuals to access the methods necessary to exercise their 
        rights under sections 4 and 5.

SEC. 4. REQUIRED DATA PRACTICES.

    (a) Regulations.--Not later than 1 year after the date of the 
enactment of this Act, the Commission shall promulgate regulations 
under section 553 of title 5, United States Code, that require covered 
entities to implement, practice, and maintain certain data procedures 
and processes that meet the following requirements:
            (1) Minimum data processing requirements.--Except as 
        provided in subsection (b), require covered entities to meet 
        all of the following requirements regarding the means by and 
        purposes for which covered data is collected, processed, 
        stored, and disclosed:
                    (A) Reasonable.--Except as provided in paragraph 
                (3), covered data collection, processing, storage, and 
                disclosure practices must meet a reasonable interest of 
                the covered entity, including--
                            (i) business, educational, and 
                        administrative operations that are relevant and 
                        appropriate to the context of the relationship 
                        between the covered entity and the individual 
                        linked to the covered data;
                            (ii) relevant and appropriate product and 
                        service development and enhancement;
                            (iii) preventing and detecting abuse, 
                        fraud, and other criminal activity;
                            (iv) reasonable communications and 
                        marketing practices that follow best practices, 
                        rules, and ethical standards;
                            (v) engaging in scientific, medical, or 
                        statistical research that follows commonly 
                        accepted ethical standards; or
                            (vi) any other purpose for which the 
                        Commission considers to be reasonable.
                    (B) Equitable.--Covered data collection, 
                processing, storage, and disclosure practices may not 
                be for purposes that result in discrimination against a 
                protected characteristic, including--
                            (i) discriminatory targeted advertising 
                        practices;
                            (ii) price, service, or employment 
                        opportunity discrimination; or
                            (iii) any other practice the Commission 
                        considers likely to result in unfair 
                        discrimination against a protected 
                        characteristic.
                    (C) Forthright.--Covered data collection, 
                processing, storage, and disclosure practices may not 
                be accomplished with means or for purposes that are 
                deceptive, including--
                            (i) the use of inconspicuous recording or 
                        tracking devices and methods;
                            (ii) the disclosure of covered data that a 
                        reasonable individual believes to be the 
                        content of a private communication with another 
                        party or parties;
                            (iii) notices, interfaces, or other 
                        representations likely to mislead consumers; or
                            (iv) any other practice that the Commission 
                        considers likely to mislead individuals 
                        regarding the purposes for and means by which 
                        covered data is collected, processed, stored, 
                        or disclosed.
            (2) Requirements for opt-out consent.--Except as provided 
        in subsection (b), require covered entities to provide 
        individuals with conspicuous access to a method that is in 
        easily understandable language, concise, accurate, clear, to 
        opt out of any collection, processing, storage, or disclosure 
        of covered data linked to the individual.
            (3) Requirements for affirmative consent.--Except as 
        provided in subsection (b), require covered entities to provide 
        individuals with a notice that is concise, in easily 
        understandable language, accurate, clear, timely, and 
        conspicuous to express affirmative, opt-in consent--
                    (A) before the covered entity collects or discloses 
                sensitive data linked to the individual; or
                    (B) before the covered entity collects, processes, 
                stores, or discloses data for purposes which are 
                outside the context of the relationship of the covered 
                entity with the individual linked to the data, 
                including--
                            (i) the use of covered data beyond what is 
                        necessary to provide, improve, or market a good 
                        or service that the individual requests;
                            (ii) the processing or disclosure of 
                        covered data differs in material ways from the 
                        purposes described in the privacy policy that 
                        was in effect when the data was collected; and
                            (iii) any other purpose that Commission 
                        considers outside of context.
            (4) Data minimization requirements.--Except as provided in 
        subsection (b), require covered entities to--
                    (A) take reasonable measures to limit the 
                collection, processing, storage, and disclosure of 
                covered data to the amount that is necessary to carry 
                out the purposes for which the data is collected; and
                    (B) store covered data only as long as is 
                reasonably necessary to carry out the purposes for 
                which the data was collected.
    (b) Exemptions.--Subsection (a) shall not apply if the limitations 
on the collection, processing, storage, or disclosure of covered data 
would--
            (1) inhibit detection or prevention of a security risk or 
        incident;
            (2) risk the health, safety, or property of the covered 
        entity or individual; or
            (3) prevent compliance with an applicable law (including 
        regulations) or legal process.

SEC. 5. INDIVIDUAL CONTROL OVER DATA USE.

    (a) Regulations.--Not later than 1 year after the date of the 
enactment of this Act, the Commission shall promulgate regulations 
under section 553 of title 5, United States Code, to require covered 
entities to provide conspicuous, understandable, clear, and free of 
charge method to--
            (1) upon the request of an individual, provide the 
        individual with access to, or an accurate representation of, 
        covered data linked to with the individual or the individual's 
        device stored by the covered entity;
            (2) upon the request of an individual, provide the 
        individual with a means to dispute and resolve the accuracy or 
        completeness of the covered data linked to the individual or 
        the individual's device stored by the entity;
            (3) upon the request of an individual, delete any covered 
        data that the covered entity stores linked to the individual or 
        the individual's device; and
            (4) when technically feasible, upon the request of an 
        individual, allow the individual to transmit or transfer 
        covered data linked to the individual or the individual's 
        device that is maintained by the entity to the individual in a 
        format that is standardized and interoperable.
    (b) Pseudonymous Data.--If the covered data that an individual has 
requested processed under subsection (a) is pseudonymous data, a 
covered entity may decline the request if processing the request is not 
technically feasible.
    (c) Timeliness of Requests.--In fulfilling any requests made by the 
individual under subsection (a) the covered entity shall act in as 
timely a manner as is reasonably possible.
    (d) Access to Same Service.--A covered entity shall not 
discriminate against an individual because of any action the individual 
took under their rights described in subsection (a), including--
            (1) denying goods or services to the individual;
            (2) charging, or advertising, different prices or rates for 
        goods or services; or
            (3) providing different quality of goods or services.
    (e) Consideration.--The Commission shall allow a covered entity, by 
contract, to provide relevant obligations to the individual under 
subsection (a) on behalf of a third party service provider that 
collects, processes, stores, or discloses covered data only on behalf 
of the covered entity.

SEC. 6. INFORMATION SECURITY STANDARDS.

    (a) Required Data Security Practices.--
            (1) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require covered entities to establish and implement policies 
        and procedures regarding information security practices for the 
        treatment and protection of covered data taking into 
        consideration--
                    (A) the level of identifiability of the covered 
                data and the associated privacy risk;
                    (B) the sensitivity of the covered data collected, 
                processed, and stored and the associated privacy risk;
                    (C) the currently available and widely accepted 
                technological, administrative, and physical means to 
                protect personal data under the control of the covered 
                entity;
                    (D) the cost associated with implementing, 
                maintaining, and regularly reviewing the safeguards; 
                and
                    (E) the impact of these requirements on small and 
                medium-sized businesses.
            (2) Limitations.--In promulgating the regulations required 
        under this section, the Commission shall consider a covered 
        entity who is in compliance with existing information security 
        laws that the Commission determines are sufficiently rigorous 
        to be in compliance with this section with respect to 
        particular types of covered data to the extent those types of 
        covered data are covered by such law, including the following:
                    (A) Title V of the Gramm-Leach-Bliley Act (15 
                U.S.C. 6801 et seq.).
                    (B) The Health Information Technology for Economic 
                and Clinical Health Act (42 U.S.C. 17931).
                    (C) The Health Insurance Portability and 
                Accountability Act of 1996 Security Rule (45 CFR 
                160.103 and part 164).
                    (D) Any other existing law requiring a covered 
                entity to implement and maintain information security 
                practices and procedures that the Commission determines 
                to be sufficiently rigorous.

SEC. 7. PRIVACY PROTECTION OFFICERS.

    (a) Appointment of a Privacy Protection Officer.--Each covered 
entity with annual revenue in excess of $25,000,000 the prior year 
shall designate at least 1 appropriately qualified employee as a 
privacy protection officer who shall--
            (1) educate employees about compliance requirements;
            (2) train employees involved in data processing;
            (3) conduct regular, comprehensive audits to ensure 
        compliance and make records of the audits available to 
        enforcement authorities upon request;
            (4) maintain updated, clear, and understandable records of 
        all data security practices undertaken by the covered entity;
            (5) serve as the point of contact between the covered 
        entity and enforcement authorities; and
            (6) advocate for policies and practices within the covered 
        entity that promote individual privacy.
    (b) Protections.--The privacy protection officer shall not be 
dismissed or otherwise penalized by the covered entity for performing 
any of the tasks assigned to the person under this section.

SEC. 8. RESEARCH INTO PRIVACY ENHANCING TECHNOLOGY.

    Section 4(a) of the Cyber Security Research and Development Act (15 
U.S.C. 7403(a)) is amended--
            (1) by striking the subsection heading and inserting the 
        following:
    ``(a) Network Security and Information Privacy Research Grants.--
''; and
            (2) in paragraph (1), by striking subparagraph (D) and 
        inserting the following:
                    ``(D) privacy and confidentiality, including--
                            ``(i) cryptography;
                            ``(ii) anonymization;
                            ``(iii) pseudonymization;
                            ``(iv) filtering tools;
                            ``(v) anti-spying and anti-tracking tools; 
                        and
                            ``(vi) any other technology that the 
                        Director determines will enhance individual 
                        privacy;''.

SEC. 9. ENFORCEMENT.

    (a) Enforcement by the Commission.--
            (1) In general.--Except as otherwise provided, this Act and 
        the regulations prescribed under this Act shall be enforced by 
        the Commission under the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.).
            (2) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation prescribed under this Act shall be 
        treated as a violation of a rule defining an unfair or 
        deceptive act or practice prescribed under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (3) Actions by the commission.--Subject to paragraph (4), 
        the Commission shall prevent any person from violating this Act 
        or a regulation prescribed under this Act in the same manner, 
        by the same means, and with the same jurisdiction, powers, and 
        duties as though all applicable terms and provisions of the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
        incorporated into and made a part of this Act, and any person 
        who violates this Act or such regulation shall be subject to 
        the penalties and entitled to the privileges and immunities 
        provided in the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.).
            (4) Common carriers.--Notwithstanding section 4, 5(a)(2), 
        or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 
        45(a)(2), and 46) or any jurisdictional limitation of the 
        Commission, the Commission shall also enforce this Act, in the 
        same manner provided in paragraphs (1), (2), and (3) with 
        respect to common carriers subject to the Communications Act of 
        1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and 
        supplementary thereto.
    (b) Enforcement by State Attorneys General.--
            (1) In general.--
                    (A) Civil actions.--In any case in which the 
                attorney general of a State has reason to believe that 
                an interest of the residents of that State has been or 
                is threatened or adversely affected by the engagement 
                of any person in a practice that violates this Act or a 
                regulation prescribed under this Act, the State, as 
                parens patriae, may bring a civil action on behalf of 
                the residents of the State in a district court of the 
                United States of appropriate jurisdiction to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this Act or 
                        such regulation;
                            (iii) obtain damages, restitution, or other 
                        compensation on behalf of residents of the 
                        State;
                            (iv) impose a civil penalty in an amount 
                        that is not greater than the product of the 
                        number of individuals whose information was 
                        affected by a violation and $40,000; or
                            (v) obtain such other relief as the court 
                        may consider to be appropriate.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after 1 year 
                after the date of enactment of this Act, and each year 
                thereafter, the amounts specified in subparagraph 
                (A)(iv) shall be increased by the percentage increase 
                in the Consumer Price Index published on that date from 
                the Consumer Price Index published the previous year.
                    (C) Notice.--
                            (i) In general.--Before filing an action 
                        under subparagraph (A), the attorney general of 
                        the State involved shall provide to the 
                        Commission--
                                    (I) written notice of that action; 
                                and
                                    (II) a copy of the complaint for 
                                that action.
                            (ii) Exemption.--
                                    (I) In general.--Clause (i) shall 
                                not apply with respect to the filing of 
                                an action by an attorney general of a 
                                State under this paragraph if the 
                                attorney general determines that it is 
                                not feasible to provide the notice 
                                described in that clause before the 
                                filing of the action.
                                    (II) Notification.--In an action 
                                described in subclause (I), the 
                                attorney general of a State shall 
                                provide notice and a copy of the 
                                complaint to the Commission at the same 
                                time as the attorney general files the 
                                action.
    (c) Rights of the Commission.--
            (1) Intervention by the commission.--The Commission may 
        intervene in any civil action brought by the attorney general 
        of a State under subsection (b) and upon intervening--
                    (A) be heard on all matters arising in the civil 
                action; and
                    (B) file petitions for appeal of a decision in the 
                civil action.
            (2) Powers.--Nothing in this subsection may be construed to 
        prevent the attorney general of a State from exercising the 
        powers conferred on the attorney general by the laws of the 
        State to conduct investigations, to administer oaths or 
        affirmations, or to compel the attendance of witnesses or the 
        production of documentary or other evidence.
            (3) Action by the commission.--If the Commission institutes 
        a civil action for violation of this title or a regulation 
        promulgated under this title, no attorney general of a State 
        may bring a civil action under subsection (b) against any 
        defendant named in the complaint of the Commission for 
        violation of this Act or a regulation promulgated under this 
        Act that is alleged in the complaint.
    (d) Venue and Service of Process.--
            (1) Venue.--Any action brought under subsection (b) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (b), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (e) Action of Other State Officials.--
            (1) In general.--In addition to civil actions brought by 
        attorneys general under subsection (b), any other officer of a 
        State who is authorized by the State to do so may bring a civil 
        action under subsection (b), subject to the same requirements 
        and limitations that apply under this subsection to civil 
        actions brought by attorneys general.
            (2) Savings provision.--Nothing in this subsection may be 
        construed to prohibit an authorized official of a State from 
        initiating or continuing any proceeding in a court of the State 
        for a violation of any civil or criminal law of the State.
    (f) Preservation of Authority.--Nothing in this Act shall be 
construed to limit the authority of the Federal Trade Commission under 
any other provision of law.

SEC. 10. ADDITIONAL ENFORCEMENT RESOURCES.

    (a) In General.--Notwithstanding any other provision of law the 
Commission may, without regard to the civil service laws (including 
regulations), appoint not more than 300 additional personnel for the 
purposes of enforcing privacy and data security laws and regulations.
    (b) Authorization of Appropriations.--There is authorized to be 
appropriated to the Commission such sums as may be necessary to carry 
out this section.
                                 <all>