[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1816 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 1816

   To require the Federal Trade Commission to promulgate regulations 
   related to sensitive personal information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 11, 2021

Ms. DelBene (for herself, Mr. Kilmer, Ms. Strickland, Ms. Houlahan, Mr. 
Blumenauer, Mr. Himes, Mr. Crist, Mr. Larson of Connecticut, Ms. Wild, 
 Mr. Perlmutter, Mr. Cartwright, Mr. Horsford, Mr. Case, Mr. Ryan, Ms. 
  Slotkin, Ms. Schrier, Mr. Beyer, Mr. Larsen of Washington, and Mr. 
    Costa) introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
   To require the Federal Trade Commission to promulgate regulations 
   related to sensitive personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Information Transparency & Personal 
Data Control Act''.

SEC. 2. SENSE OF CONGRESS.

    It is the Sense of Congress that--
            (1) the United States must develop a balanced, high-
        standard digital privacy framework that complements global 
        standards;
            (2) a key element of this framework is a strong national 
        standard that combats anti-consumer practices;
            (3) it is critical that the Federal Government provide 
        guidance on the collection, processing, disclosure, 
        transmission and storage of sensitive data;
            (4) it is important to provide the Nation with fair and 
        thoughtful digital consumer rights with respect to such data;
            (5) it is important to ensure that enforcement authorities 
        have the resources needed to protect consumers from unlawful 
        and deceptive acts or practices in the data privacy and 
        security space; and
            (6) individuals have a right to--
                    (A) exercise control over the personal data 
                companies collect from them and how they use it;
                    (B) easily understandable and accessible 
                information about privacy and security practices;
                    (C) expect that companies will collect, use, and 
                disclose personal data in ways that are consistent with 
                the context in which consumers provide the data;
                    (D) secure and responsible handling of sensitive 
                personal information;
                    (E) access and correct personal data in usable 
                formats, in a manner that is appropriate to the 
                sensitivity of the data and the risk of adverse 
                consequences to consumers if the data is inaccurate; 
                and
                    (F) reasonable limits on the personal data that 
                companies collect and retain.

SEC. 3. REQUIREMENTS FOR SENSITIVE PERSONAL INFORMATION.

    (a) Regulations.--Not later than 18 months after the date of 
enactment of this Act, the Federal Trade Commission shall promulgate 
regulations under section 553 of title 5, United States Code, to 
require, except as provided in subsection (b), controllers, processors, 
and third parties to make available to the public involving the 
collection, transmission, storage, processing, sale, sharing of 
sensitive personal information, or other use of sensitive personal 
information from persons operating in or persons located in the United 
States when the sensitive personal information is collected, 
transmitted, stored, processed, sold or shared to meet the following 
requirements:
            (1) Affirmative, express, and opt-in consent.--
                    (A) Any controller shall provide users whose 
                personal information is collected, transmitted, stored, 
                processed, sold, or otherwise shared with notice through 
                a privacy and data use policy of a specific request to 
                collect, transmit, sell, share or otherwise disclose 
                their sensitive personal information and require that 
                users provide affirmative, express consent to any 
                functionality that involves the sale, sharing, or other 
                disclosure of sensitive personal information, including 
                sharing sensitive personal information with third 
                parties, if the sensitive personal information is to be 
                used by the third party for purposes other than the 
                purposes outlined in the notice.
                    (B) The documented instruction from a controller to 
                a processor or third party shall adhere to the limits 
                of the consent granted in subparagraph (A), and 
                processors and third parties shall not use or disclose 
                the sensitive personal information for any other 
                purposes or in any way that exceeds the limits of the 
                consent granted in subparagraph (A).
                    (C) Controllers and processors shall not be liable 
                for the failure of another processor or third party to 
                adhere to the limits of an opt-in consent granted under 
                subparagraph (A).
            (2) Privacy and data use policy.--Controllers, processors, 
        and third parties shall publicly maintain an up-to-date, 
        transparent privacy, security, and data use policy that meets 
        general requirements, including that such policy, presented in 
        the context where it applies--
                    (A) is concise, intelligible, and uses plain 
                language;
                    (B) is clear and conspicuous consistent with the 
                guidelines of the Federal Trade Commission;
                    (C) uses visualizations, where appropriate to make 
                complex information understandable by the ordinary 
                user; and
                    (D) is provided free of charge.
            (3) Additional requirements for privacy and data use 
        policy.--The privacy, security, and data use policy required 
        under paragraph (2) shall include the following:
                    (A) Identity and contact information of the entity 
                collecting or processing the sensitive personal 
                information.
                    (B) The purpose or use for collecting, storing, 
                processing, selling, sharing, or otherwise using the 
                sensitive personal information.
                    (C) Categories of third parties with whom the 
                sensitive personal information will be shared and for 
                what general purposes.
                    (D) The process by which individuals may withdraw 
                consent to the collecting, storing, processing, 
                selling, sharing, or other use of the sensitive 
                personal information, including sharing with third 
                parties.
                    (E) How a user, controller, or processor can view 
                or obtain the sensitive personal information that they 
                have received or provided to a controller or processor, 
                including whether it can be exported to other web-based 
                platforms.
                    (F) The categories of sensitive personal 
                information that is collected by the controller or 
                processor and shared with processors or third parties.
                    (G) How sensitive personal information is protected 
                from unauthorized access or acquisition.
            (4) Opt-out consent.--
                    (A) For any collection, transmission, storage, 
                processing, selling, sharing, or other use of non-
                sensitive personal information, including sharing with 
                third parties, controllers shall provide users with the 
                ability to opt out at any time.
                    (B) Controllers shall honor an opt out request from 
                a user under subparagraph (A) to the extent of its role 
                in any collection, transmission, storage, processing, 
                selling, sharing, or other use of non-sensitive 
                personal information and shall communicate an opt-out 
                request to the relevant processor or third party with 
                which the controller has shared information regarding 
                that user.
                    (C) Processors or third parties receiving an opt 
                out pursuant to subparagraphs (A) and (B) shall comply 
                with such opt out to the extent of their role in any 
                collection, transmission, storage, processing, selling, 
                sharing, or other use of non-sensitive personal 
                information.
                    (D) Any controller that communicates an opt out 
                from a user as required by subparagraph (B) shall not 
                be liable for the failure of a service provider or 
                third party to comply with such opt out.
            (5) Relationship between controller and processor.--
                    (A) Processing by a processor must be governed by a 
                contract between the controller and the processor that 
                is binding on both parties and that sets the processor 
                to process the personal data only on documented 
                instructions from the controller.
                    (B) Processors shall share sensitive personal 
                information with a subcontractor only for purposes of 
                providing services and only after first providing the 
                controller with an opportunity to object.
                    (C) In no event may any contract or documented 
                instructions relieve a controller or a processor from 
                the obligations and liabilities imposed on them by this 
                Act.
            (6) Privacy audits.--
                    (A) In general.--Except as provided in 
                subparagraphs (C) and (D), at least once every 2 years, 
                each controller, processor, or third party that has 
                collected, transmitted, stored, processed, sold, 
                shared, or otherwise used sensitive personal 
                information shall--
                            (i) obtain a privacy audit from a 
                        qualified, objective, independent third-party; 
                        and
                            (ii) make publicly available whether 
                        or not the privacy audit found the controller, 
                        processor, or third party compliant.
                    (B) Audit requirements.--Each such audit shall--
                            (i) set forth the privacy, security, and 
                        data use controls that the controller, 
                        processor, or third party has implemented and 
                        maintained during the reporting period;
                            (ii) describe whether such controls are 
                        appropriate to the size and complexity of the 
                        controller, processor, or third party, the 
                        nature and scope of the activities of the 
                        controller, processor, or third party, and the 
                        nature of the sensitive personal information or 
                        behavioral data collected by the controller, 
                        processor, or third party;
                            (iii) certify whether the privacy and 
                        security controls operate with sufficient 
                        effectiveness to provide reasonable assurance 
                        to protect the privacy and security of 
                        sensitive personal information or behavioral 
                        data, including with respect to data shared 
                        with third parties, and that the controls have 
                        so operated throughout the reporting period;
                            (iv) be prepared and completed within 60 
                        days after a substantial change to the 
                        controller's privacy and data use policy 
                        described in paragraph (2); and
                            (v) be provided--
                                    (I) to the Federal Trade 
                                Commission; and
                                    (II) to any attorney general of a 
                                State, or other authorized State 
                                officer, within 10 days of receiving 
                                written request by such attorney 
                                general, or other authorized State 
                                officer where such officer has 
                                presented to the controller, processor, 
                                or third party allegations that a 
                                violation of this Act or any regulation 
                                issued under this Act has been 
                                committed by the controller, processor, 
                                or third party.
                    (C) Small business audit exemption.--The audit 
                requirements described in this paragraph shall not 
                apply to controllers who collect, store, process, sell, 
                share, or otherwise use sensitive personal information 
                relating to 250,000 or fewer individuals per year.
                    (D) Non-sensitive personal information exemption.--
                The audit requirements set forth above shall not apply 
                to controllers, processors or third parties who do not 
                collect, store, process, sell, share, or otherwise use 
                sensitive personal information.
                    (E) Rules that do not incentivize selling 
                information.--The Commission shall promulgate rules 
                regarding qualifications and requirements of third-
                party auditors such as a duty to conduct an independent 
                assessment that does not incentivize the auditor to 
                sell under the guise of a potential violation by the 
                controller products or services when there is not a 
                violation of the Act.
    (b) Exemptions.--
            (1) Necessary operations and security purposes.--Subsection 
        (a) shall not apply to the processing, transmission, 
        collecting, storing, sharing, selling of sensitive and non-
        sensitive personal information for the following purposes:
                    (A) Preventing or detecting fraud, identity theft, 
                unauthorized transactions, theft, shoplifting, or 
                criminal activity including financial crimes and money 
                laundering.
                    (B) The use of such information to identify errors 
                that impair functionality or otherwise enhancing or 
                maintaining the availability of the services or 
                information systems of the controller for authorized 
                access and use.
                    (C) Protecting the vital interests of the consumer 
                or another natural person.
                    (D) Responding in good faith to valid legal process 
                or providing information as otherwise required or 
                authorized by law.
                    (E) Monitoring or enforcing agreements between the 
                Controller, processor, or third party and an 
                individual, including but not limited to, terms of 
                service, terms of use, user agreements, or agreements 
                concerning monitoring criminal activity.
                    (F) Protecting the property, services, or 
                information systems of the controller, processor, or 
                third party against unauthorized access or use.
                    (G) Advancing a substantial public interest, 
                including archival purposes, scientific or historical 
                research, and public health, if such processing does 
                not create a significant risk of harm to consumers.
                    (H) Uses authorized by the Fair Credit Reporting 
                Act or used by a commercial credit reporting agency.
                    (I) Completing the transaction for which the 
                personal information was collected, provide a good or 
                service requested by the consumer that is reasonably 
                anticipated within the context of a business' ongoing 
                relationship with the consumer, bill or collect for 
                such good or service or otherwise perform a contract 
                between the controller and a consumer.
                    (J) Complying with other Federal, State, and local 
                law.
                    (K) Conducting product recalls and servicing 
                warranties.
            (2) Reasonable expectation of users.--The regulations 
        promulgated pursuant to subsection (a) with respect to the 
        requirement to provide opt-in consent shall not apply to the 
        processing, transmission, storage, selling, sharing, or 
        collection of sensitive personal information in which such 
        processing does not deviate from purposes consistent with a 
        controller's relationship with users as understood by the 
        reasonable use, including but not limited to--
                    (A) carrying out the term of a contract or service 
                agreement, including elements of a customer loyalty 
                program, with a user;
                    (B) accepting and processing a payment from a user;
                    (C) completing a transaction with a user such as 
                through delivering a good or service even if such 
                delivery is made by a processor or third party;
                    (D) marketing goods or services to a user as long as 
                the user is provided with the ability to opt out of 
                such marketing;
                    (E) taking steps to continue or extend an existing 
                business relationship with a user, or inviting a new 
                user to participate in a customer promotion, benefit or 
                loyalty program, as long as the user is provided with 
                the ability to opt out;
                    (F) conducting internal research to improve, repair, 
                or develop products, services, or technology; or
                    (G) municipal governments.

SEC. 4. APPLICATION AND ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Common Carriers.--Notwithstanding the limitations in the 
Federal Trade Commission Act (15 U.S.C. 41 et seq.) on Commission 
authority with respect to common carriers, this Act applies, according 
to its terms, to common carriers subject to the Communications Act of 
(47 U.S.C. 151 et seq.) and all Acts amendatory thereof and 
supplementary thereto. The Federal Trade Commission shall be the only 
Federal agency with authority to enforce such common carriers' privacy 
practices.
    (b) Enforcement.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of section 18(a)(1)(B) of the Federal Trade 
        Commission Act (15 U.S.C. 57(a)(1)(B)) regarding unfair or 
        deceptive acts or practices.
            (2) Powers of commission.--Except as provided in subsection 
        (a), the Federal Trade Commission shall enforce this Act and 
        the regulations promulgated under this Act in the same manner, 
        by the same means, and with the same jurisdiction, powers, and 
        duties as though all applicable terms and provisions of the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
        incorporated into and made a part of this Act. Any person who 
        violates this Act or a regulation promulgated under this Act 
        shall be subject to the penalties and entitled to the 
        privileges and immunities provided in the Federal Trade 
        Commission Act.
    (c) Construction.--Nothing in this Act shall be construed to limit 
the authority of the Federal Trade Commission under any other provision 
of law.
    (d) Opportunity to Comply.--The Commission shall notify a 
controller of alleged violations and provide them with 30 days to cure 
a non-wilful violation of this Act before the Commission commences 
an enforcement action.

SEC. 5. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Right of Action.--Except as provided in subsection (e), the 
attorney general of a State, alleging a violation of this Act or any 
regulation issued under this Act that affects or may affect such State 
or its residents may bring an action on behalf of the residents of the 
State in any United States district court for the district in which the 
defendant is found, resides, or transacts business, or wherever venue 
is proper under section 1391 of title 28, United States Code, to obtain 
appropriate injunctive relief.
    (b) Notice to Commission Required.--A State shall provide prior 
written notice to the Federal Trade Commission of any civil action 
under subsection (a) together with a copy of its complaint, except that 
if it is not feasible for the State to provide such prior notice, the 
State shall provide such notice immediately upon instituting such 
action.
    (c) Intervention by the Commission.--The Commission may intervene 
in such civil action and upon intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--Nothing in this section shall be construed--
            (1) to prevent the attorney general of a State, or other 
        authorized State officer, from exercising the powers conferred 
        on the attorney general, or other authorized State officer, by 
        the laws of such State; or
            (2) to prohibit the attorney general of a State, or other 
        authorized State officer, from proceeding in State or Federal 
        court on the basis of an alleged violation of any civil or 
        criminal statute of that State.
    (e) Limitation.--
            (1) No separate action.--An action may not be brought under 
        subsection (a) if the same alleged violation is the subject of 
        a pending action by the Commission or the United States.
            (2) Exclusive period to act by commission.--An action--
                    (A) may not be brought under subsection (a) until 
                the expiration of the 60-day period that begins on the 
                date on which a violation is discovered by the 
                Commission or the date on which the Commission is 
                notified of the violation; and
                    (B) may only be brought under subsection (a) if the 
                Commission does not bring an action related to the 
                violation during such period.
    (f) Opportunity to Comply.--Prior to bringing any action under this 
section, the state attorney general shall notify a controller of 
alleged violations and provide them with 30 days to cure a non-wilful 
violation of this Act before commencing an enforcement action.

SEC. 6. PRIVACY AND DATA SECURITY EMPLOYEES AND FUNDING FOR THE 
              COMMISSION.

    (a) Employment Authority.--The Commission shall hire 500 new full-
time employees to focus on privacy and data security, 50 of which shall 
have technology expertise.
    (b) Additional Funding for Privacy and Data Security.--There is 
authorized to be appropriated to the Commission $350,000,000 for issues 
related to privacy and data security.

SEC. 7. DEFINITIONS.

    In this Act the following definitions apply:
            (1) Call detail record.--The term ``call detail record''--
                    (A) means session-identifying information 
                (including an originating or terminating telephone 
                number, an International Mobile Subscriber Identity 
                number, or an International Mobile Station Equipment 
                Identity number), a telephone calling card number, or 
                the time or duration of a call;
                    (B) does not include--
                            (i) the contents (as defined in section (8) 
                        of title 18, United States Code) of any 
                        communication;
                            (ii) the name, address, or financial 
                        information of a subscriber or customer;
                            (iii) cell site location or global 
                        positioning system information; or
                            (iv) business customers.
            (2) Clear and prominent.--The term ``clear and prominent'' 
        means in any communication medium, the required disclosure is--
                    (A) of a type, size, and location sufficiently 
                noticeable for an ordinary consumer to read and 
                comprehend the communication;
                    (B) provided in a manner such that an ordinary 
                consumer is able to read and comprehend the 
                communication;
                    (C) is presented in an understandable language and 
                syntax;
                    (D) includes nothing contrary to, inconsistent 
                with, or that mitigates any statement contained within 
                the disclosure or within any document linked to or 
                referenced therein; and
                    (E) includes an option that is compliant with 
                applicable obligations of the controller under title 
                III of the Americans with Disabilities Act of 1990 (42 
                U.S.C. 12181 et seq.).
            (3) Collection.--The term ``collection'' means buying, 
        renting, gathering, obtaining, receiving, or accessing any 
        sensitive data of an individual by any means.
            (4) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (5) Controller.--The term ``controller'' means a person 
        that, on its own or jointly with other entities, determines the 
        purposes and means of processing sensitive personal 
        information.
            (6) De-identified data.--The term ``de-identified data'' 
        means information held that--
                    (A) does not identify, and is not linked or 
                reasonably linkable to, an individual or device;
                    (B) does not contain a persistent identifier or 
                other information that could readily be used to de-
                identify the individual to whom, or the device to 
                which, the identifier or information pertains;
                    (C) is subject to a public commitment by the 
                entity;
                    (D) to refrain from attempting to use such 
                information to identify any individual or device;
                    (E) to adopt technical and organizational measures 
                to ensure that such information is not linked to any 
                individual or device; and
                    (F) is not disclosed by the covered entity to any 
                other party unless the disclosure is subject to a 
                contractually or other legally binding requirement.
            (7) Employee data.--The term ``employee data'' means--
                    (A) information relating to an individual collected 
                in the course of the individual acting as a job 
                applicant to, or employee (regardless of whether such 
                employee is paid or unpaid, or employed on a temporary 
                basis), owner, director, officer, staff member, 
                trainee, vendor, visitor, volunteer, intern, or 
                contractor;
                    (B) business contact information of an individual, 
                including the individual's name, position or title, 
                business telephone number, business address, business 
                email address, qualifications, and other similar 
                information that is provided by an individual who is 
                acting in a professional capacity, provided that such 
                information is collected, processed, or transferred 
                solely for purposes related to such individuals' 
                professional activities; or
                    (C) emergency contact information collected by a 
                covered entity that relates to an individual who is 
                acting in a role described in subparagraph (A).
            (8) Processor.--The term ``processor'' means a person that 
        processes data on behalf of a controller or another processor 
        according to and for the purposes set forth in the documented 
        instructions. If a person processes data on its own behalf or 
        for its own purposes, then that person is not a processor with 
        respect to that data but is instead a controller. Determining 
        whether a person is acting as a controller or processor with 
        respect to a specific processing of data is a fact-based 
        determination that depends upon the controller's documented 
        instructions and the context in which personal data is to be 
        processed. A processor shall only remain a processor to the 
        extent that it continues to process data for the sole purposes 
        set forth in the documented instructions of the controller and 
        adheres to those instructions and the limitations in the 
        controller's privacy policy as communicated to the processor 
        with respect to a specific processing of personal information.
            (9) Sensitive personal information.--
                    (A) The term ``sensitive personal information'' 
                means information relating to an identified or 
                identifiable individual that is--
                            (i) financial account numbers;
                            (ii) health information;
                            (iii) genetic data;
                            (iv) any information pertaining to children 
                        under 13 years of age;
                            (v) Social Security numbers;
                            (vi) unique government-issued identifiers;
                            (vii) authentication credentials for a 
                        financial account, such as a username and 
                        password;
                            (viii) precise geolocation information;
                            (ix) content of a personal wire 
                        communication, oral communication, or 
                        electronic communication such as e-mail or 
                        direct messaging with respect to any entity 
                        that is not the intended recipient of the 
                        communication;
                            (x) call detail records for calls conducted 
                        in a personal and not a business capacity;
                            (xi) biometric information;
                            (xii) sexual orientation, gender identity, 
                        or intersex status;
                            (xiii) citizenship or immigration status;
                            (xiv) mental or physical health diagnosis;
                            (xv) religious beliefs; or
                            (xvi) web browsing history, application 
                        usage history, and the functional equivalent of 
                        either that is data described in this 
                        subparagraph that is not aggregated data.
                    (B) The term ``sensitive personal information'' 
                does not include--
                            (i) de-identified information (or the 
                        measurement, analysis or process utilized to 
                        transform personal data so that it is not 
                        directly relatable to an identified or 
                        identifiable consumer);
                            (ii) information related to employment, 
                        including any employee data;
                            (iii) personal information reflecting a 
                        written or verbal communication or a 
                        transaction between a controller and the user, 
                        where the user is a natural person who is 
                        acting as an employee, owner, director, 
                        officer, or contractor of a company, 
                        partnership, sole proprietorship, non-profit, 
                        or government agency and whose communications 
                        or transaction with the controller occur solely 
                        within the context of the controller conducting 
                        due diligence regarding, or providing or 
                        receiving a product or service to or from such 
                        company, partnership, sole proprietorship, non-
                        profit, or government agency; or
                            (iv) publicly available information.
            (10) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, and each commonwealth, 
        territory, or possession of the United States.
            (11) Third party.--The term ``third party'' means an 
        individual or entity that uses or receives sensitive personal 
        information obtained by or on behalf of a controller, other 
        than--
                    (A) a service provider of a controller to whom the 
                controller discloses the consumer's sensitive personal 
                information for an operational purpose subject to 
                section 3(a)(1)(B) of this Act; and
                    (B) any entity that uses sensitive personal 
                information only as reasonably necessary--
                            (i) to comply with applicable law, 
                        regulation, or legal process;
                            (ii) to enforce the terms of use of a 
                        controller;
                            (iii) to detect, prevent, or mitigate fraud 
                        or security vulnerabilities; or
                            (iv) does not determine the purposes and 
                        means of processing sensitive personal 
                        information.
            (12) Transfer.--The term ``transfer'' means to disclose, 
        release, share, disseminate, make available, or license in 
        writing, electronically or by any other means, for 
        consideration of any kind for a commercial purpose.

SEC. 8. RULES OF CONSTRUCTION.

    (a) Federal Acquisition.--Nothing in this Act may be construed to 
preclude the acquisition by the Federal Government of--
            (1) the contents of a wire or electronic communication 
        pursuant to other lawful authorities, including the authorities 
        under chapter 119 of title 18, United States Code (commonly 
        known as the ``Wiretap Act''), the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other 
        provision of Federal law not specifically amended by this Act; 
        or
            (2) records or other information relating to a subscriber 
        or customer of any electronic communication service or remote 
        computing service (not including the content of such 
        communications) pursuant to the Foreign Intelligence 
        Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), chapter 119 
        of title 18, United States Code (commonly known as the 
        ``Wiretap Act''), or any other provision of Federal law not 
        specifically amended by this Act.
    (b) Effect on Other Laws.--Nothing in this Act shall be construed 
to limit or substitute for the requirements under title V of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), section 264(c) of the Health 
Insurance Portability and Accountability Act of 1996 (Public Law 104-
191), section 444 of the General Education Provisions Act (commonly 
known as the Family Educational Rights and Privacy Act of 1974) (20 
U.S.C. 1232g), or the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

SEC. 9. NATIONAL STANDARD.

    (a) Relationship to State Law.--No State or political subdivision 
of a State may adopt, maintain, enforce, or continue in effect any law, 
regulation, rule, requirement, or standard related to the data privacy 
or associated activities of covered entities.
    (b) Nonpreemption.--Subsection (a) shall not be construed to--
            (1) preempt State laws that directly establish requirements 
        for the notification of consumers in the event of a data 
        breach;
            (2) preempt State laws that directly establish requirements 
        regarding biometric laws;
            (3) preempt State laws regarding wiretapping laws; or
            (4) preempt State laws like the Public Records Act.

SEC. 10. EFFECTIVE DATE.

     This Act shall take effect 180 days after the date of the 
enactment of this Act.