[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5433 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 5433

To protect the privacy of internet users by reinforcing online privacy 
rights and through the establishment of a national Do Not Track system, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 30, 2021

  Mr. Posey (for himself, Mr. Gohmert, and Mr. Mullin) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

_______________________________________________________________________

                                 A BILL


 
To protect the privacy of internet users by reinforcing online privacy 
rights and through the establishment of a national Do Not Track system, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Renew Effective 
Protection of Americans' Information Rights Act'' or the ``REPAIR 
Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
                  TITLE I--DATA PRIVACY BILL OF RIGHTS

Sec. 101. Short title.
Sec. 102. Policy of the United States.
Sec. 103. Findings.
Sec. 104. Rights relating to transparency.
Sec. 105. Right to delete.
Sec. 106. Right to correct inaccuracies.
Sec. 107. Right to controls.
Sec. 108. Right to data minimization.
Sec. 109. Right to data security.
Sec. 110. Prohibition of service offers conditioned on waivers of 
                            privacy rights.
Sec. 111. Scope of coverage.
Sec. 112. Small business exception.
Sec. 113. Application and enforcement.
Sec. 114. State privacy protections.
Sec. 115. Severability.
Sec. 116. Definitions.
Sec. 117. Effective date.
                         TITLE II--DO NOT TRACK

Sec. 201. Short title.
Sec. 202. Establishment of Do Not Track system.
Sec. 203. Do Not Track: requirements for operators; prohibited acts.
Sec. 204. Scope of coverage.
Sec. 205. Application and enforcement.
Sec. 206. State privacy protections.
Sec. 207. Severability.
Sec. 208. Definitions.
Sec. 209. Effective date.

                  TITLE I--DATA PRIVACY BILL OF RIGHTS

SEC. 101. SHORT TITLE.

    This title may be cited as the ``Data Privacy Bill of Rights Act''.

SEC. 102. POLICY OF THE UNITED STATES.

    It is the policy of the United States that individuals have 
fundamental rights to secure and protect their privacy in data 
collected from and about them by firms doing business with them as 
provided for in this title and that it is also a fundamental purpose of 
the Federal Government to defend and enforce such privacy rights.

SEC. 103. FINDINGS.

    Congress finds the following:
            (1) Individuals are endowed with rights to secure and 
        protect data related to their lives, their patterns of movement 
        and commercial exchange and any other information that is 
        classified as sensitive pursuant to this title.
            (2) Individuals have a right to complete transparency with 
        respect to the exchanges they make in terms of a complete 
        accounting of both the nonpecuniary and pecuniary costs 
        allocated to and collected from them.
            (3) While the internet and other technologies have produced 
        enormous benefits to the Nation, they have also had 
        unintentional consequences in eroding individual data privacy 
        rights.
            (4) The Nation needs to update individual rights to include 
        adequate and effective protections to secure and sustain 
        individual rights to data privacy.
            (5) That protection of individual data privacy rights 
        should be secured with due consideration of the collateral 
        rights of entities to pursue businesses while assuring complete 
        transparency to individuals as relates to their data and the 
        role that such data plays in the entities' business models.

SEC. 104. RIGHTS RELATING TO TRANSPARENCY.

    (a) Right to Access.--Upon the verified request of an individual, a 
covered entity shall provide to the individual--
            (1) in a portable format, without licensing restrictions, 
        the covered data of the individual that is collected, 
        processed, or transferred by the covered entity; and
            (2) in a human-readable format that a reasonable individual 
        can understand--
                    (A) a copy of the covered data of the individual 
                that is collected, processed, or transferred by the 
                covered entity;
                    (B) a list of each category of third party to which 
                the covered entity has transferred the covered data of 
                the individual; and
                    (C) the identity of each such third party and a 
                description of the covered data that was transferred to 
                such third party and the purpose of the transfer.
    (b) Right to Immediate Notification of Collection.--
            (1) In general.--On every website or application landing 
        page, the second-party operator of a covered internet platform 
        shall display, immediately when the page is accessed by an 
        individual, an easily identifiable indicator that provides a 
        real-time notification of whether or not the covered data of 
        the individual is being actively collected by the covered 
        internet platform or any program of a third-party operator that 
        appears on the covered internet platform.
            (2) Contents of notification.--The notification required by 
        paragraph (1) shall include (or provide a link to or other 
        convenient means of accessing) the following information:
                    (A) The types of data being collected.
                    (B) The purposes for which such data is processed.
                    (C) The categories of such data transferred to 
                third parties.
                    (D) The categories of third parties to which such 
                data is transferred.
                    (E) The identity of each third party to which such 
                data is transferred.
                    (F) How long such data will be retained by the 
                second-party operator, any third-party operator, and 
                any third party (as applicable).
                    (G) A description of individuals' privacy rights 
                under this title.
                    (H) The contact information for the representatives 
                for privacy and data security inquiries of the second-
                party operator, any third-party operator, and any third 
                party (as applicable).
            (3) Responsibility of third-party operators.--A third-party 
        operator of a program that appears on a covered internet 
        platform shall, if the program collects any covered data of a 
        user of the platform, ensure that the second-party operator of 
        the platform provides the notification required by paragraph 
        (1) and that the notification includes the information required 
        by paragraph (2) with respect to the program.
    (c) Right To Receive Privacy Policy.--
            (1) In general.--A covered entity shall make publicly and 
        persistently available, in a conspicuous and readily accessible 
        manner, a privacy policy that provides a detailed and accurate 
        representation of the activities of the covered entity with 
        respect to the collection, processing, and transfer of covered 
        data.
            (2) Contents of privacy policy.--The privacy policy 
        required by paragraph (1) shall include, at a minimum, the 
        following:
                    (A) An easy-to-understand explanation of the policy 
                of the covered entity with respect to the collection, 
                processing, and transfer of covered data (including 
                clear descriptions that avoid technical and legal 
                jargon to the extent practicable).
                    (B) The identity of and contact information for the 
                covered entity, including the contact information for 
                the covered entity's representative for privacy and 
                data security inquiries.
                    (C) Each category of covered data the covered 
                entity collects and the processing purposes for which 
                such data is collected.
                    (D) Whether the covered entity transfers covered 
                data and, if so--
                            (i) each category of service provider or 
                        third party to which the covered entity 
                        transfers covered data and the purposes for 
                        which such data is transferred to each such 
                        category; and
                            (ii) the identity of each third party to 
                        which the covered entity transfers covered data 
                        and the purposes for which such data is 
                        transferred to such third party.
                    (E) How long covered data processed by the covered 
                entity will be retained by the covered entity or a 
                third party and a description of the covered entity's 
                data minimization policies.
                    (F) How individuals can exercise the individual 
                rights described in this title.
                    (G) A description of the covered entity's data 
                security policies.
                    (H) The effective date of the privacy policy.
            (3) Languages.--A covered entity shall make the privacy 
        policy required under paragraph (1) available to the public in 
        all of the languages in which the covered entity provides a 
        product or service or carries out any other activities to which 
        the privacy policy relates.
    (d) Right To Consent to Material Changes.--If a material change to 
the privacy policy of a covered entity required under subsection (c) 
would weaken privacy protections for covered data, the covered entity 
may not apply such change to the covered data of an individual that was 
collected before the change takes effect without obtaining the 
affirmative express consent of the individual to the change.

SEC. 105. RIGHT TO DELETE.

    (a) In General.--A covered entity, upon the verified request of an 
individual, shall--
            (1) at the option of the individual--
                    (A) delete, or allow the individual to delete, any 
                information in the covered data of the individual that 
                is processed by the covered entity; or
                    (B) take action to disable or mask the 
                identification of the individual connected to any 
                information in the covered data of the individual that 
                is processed by the covered entity;
            (2) inform any service provider or third party to which the 
        covered entity transferred such data of the request of the 
        individual under paragraph (1); and
            (3) direct the service provider or third party to honor the 
        request.
    (b) Service Providers and Third Parties.--In the case of a service 
provider or third party that is informed under paragraph (2) of 
subsection (a) and directed to honor under paragraph (3) of such 
subsection the request of an individual under paragraph (1) of such 
subsection, the service provider or third party shall, in accordance 
with the request, delete the information or take action to disable or 
mask the identification of the individual.

SEC. 106. RIGHT TO CORRECT INACCURACIES.

    (a) In General.--A covered entity, upon the verified request of an 
individual, shall--
            (1) correct, or allow the individual to correct, inaccurate 
        or incomplete information in the covered data of the individual 
        that is processed by the covered entity;
            (2) inform any service provider or third party to which the 
        covered entity transferred such data of the request of the 
        individual under paragraph (1) and of the corrected 
        information; and
            (3) direct the service provider or third party to honor the 
        request.
    (b) Service Providers and Third Parties.--In the case of a service 
provider or third party that is informed under paragraph (2) of 
subsection (a) and directed to honor under paragraph (3) of such 
subsection the request of an individual under paragraph (1) of such 
subsection, the service provider or third party shall, in accordance 
with the request, correct the information.

SEC. 107. RIGHT TO CONTROLS.

    (a) Sense of Congress.--It is the sense of Congress that--
            (1) the term ``privacy policy'' is deceptive;
            (2) such policies are in fact data collection policies; and
            (3) covered data is the private property of the individual 
        about whom the data has been collected and should be treated as 
        such.
    (b) Requirement for Affirmative Express Consent for Collection, 
Processing, or Transfer of Covered Data.--
            (1) In general.--A covered entity may not collect, process, 
        or transfer to a third party the covered data of an individual 
        without obtaining the affirmative express consent of the 
        individual to the collection, processing, or transfer through a 
        process established under the rule issued by the Commission 
        under paragraph (3).
            (2) Right to withdraw affirmative express consent.--A 
        covered entity shall permit an individual to withdraw the 
        affirmative express consent of the individual to the 
        collection, processing, or transfer to a third party of the 
        covered data of the individual through a process established 
        under the rule issued by the Commission under paragraph (3).
            (3) Rulemaking.--
                    (A) In general.--Not later than 1 year after the 
                date of the enactment of this Act, the Commission shall 
                issue a rule under section 553 of title 5, United 
                States Code, establishing one or more acceptable 
                processes for a covered entity to follow in requesting 
                the affirmative express consent of an individual to the 
                collection, processing, or transfer of the covered data 
                of the individual and in permitting an individual to 
                withdraw such consent.
                    (B) Requirements.--The processes established by the 
                Commission under subparagraph (A) shall--
                            (i) include clear and conspicuous requests 
                        for affirmative express consent and consumer-
                        friendly mechanisms to allow an individual to 
                        provide and withdraw affirmative express 
                        consent;
                            (ii) allow an individual to provide and 
                        withdraw affirmative express consent--
                                    (I) for the collection, processing, 
                                or transfer of some or all (at the 
                                option of the individual) of the 
                                covered data of the individual; and
                                    (II) for the transfer of the 
                                covered data of the individual to some 
                                or all (at the option of the 
                                individual) third parties;
                            (iii) allow an individual to view the 
                        status of affirmative express consent provided 
                        or withdrawn;
                            (iv) be privacy protective; and
                            (v) be informed by the Commission's 
                        experience developing and implementing the 
                        National Do Not Call Registry.

SEC. 108. RIGHT TO DATA MINIMIZATION.

    (a) In General.--A covered entity may not collect, process, or 
transfer the covered data of an individual beyond what is reasonably 
necessary, proportionate, and limited to the purposes for which the 
individual provides affirmative express consent to the collection, 
processing, or transfer.
    (b) Rule of Construction.--Nothing in subsection (a) may be 
construed to authorize any collection, processing, or transfer of 
covered data that is prohibited by any other provision of this title.

SEC. 109. RIGHT TO DATA SECURITY.

    (a) In General.--A covered entity shall establish, implement, and 
maintain reasonable data security practices to protect the 
confidentiality, integrity, and accessibility of covered data. Such 
data security practices shall be appropriate to the volume and nature 
of the covered data at issue.
    (b) Specific Requirements.--Data security practices required under 
subsection (a) shall include, at a minimum, the following:
            (1) Assess vulnerabilities.--Identifying and assessing any 
        reasonably foreseeable risks to, and vulnerabilities in, each 
        system maintained by the covered entity that collects, 
        processes, or transfers covered data, including unauthorized 
        access to or risks to covered data, human vulnerabilities, 
        access rights, and use of service providers. Such activities 
        shall include a plan to receive and respond to unsolicited 
        reports of vulnerabilities by entities and individuals.
            (2) Preventive and correction action.--Taking preventive 
        and corrective action to mitigate any risks or vulnerabilities 
        to covered data identified by the covered entity, which may 
        include implementing administrative, technical, or physical 
        safeguards or changes to data security practices or the 
        architecture, installation, or implementation of network or 
        operating software.
            (3) Information retention and disposal.--Deleting covered 
        data that is required to be deleted or is no longer necessary 
        for the purpose for which the data was collected unless the 
        individual to whom the data relates provides affirmative 
        express consent to the retention of the data. Such process 
        shall include data hygiene practices to ensure ongoing 
        compliance with this paragraph.
            (4) Comprehensive data security program.--Implementation of 
        a comprehensive data security program, including--
                    (A) designation of an employee responsible for data 
                security;
                    (B) training for all employees with access to 
                covered data on how to safeguard covered data and 
                protect individual privacy, and updating that training 
                as necessary; and
                    (C) due diligence with regard to the data security 
                practices of service providers to which the covered 
                entity transfers covered data.

SEC. 110. PROHIBITION OF SERVICE OFFERS CONDITIONED ON WAIVERS OF 
              PRIVACY RIGHTS.

    A covered entity may not--
            (1) condition, or effectively condition, provision of the 
        service on agreement by an individual to waive privacy rights 
        guaranteed by law or regulation, including this title; or
            (2) terminate the service or otherwise refuse to provide 
        the service as a direct or indirect consequence of the refusal 
        of a user to waive any privacy rights described in this title.

SEC. 111. SCOPE OF COVERAGE.

    (a) General Exceptions.--Notwithstanding any other provision of 
this title, a covered entity may collect, process, or transfer covered 
data for any of the following purposes, if the collection, processing, 
or transfer is reasonably necessary, proportionate, and limited to such 
purpose:
            (1) To initiate or complete a transaction or to fulfill an 
        order or provide a service specifically requested by an 
        individual, including associated routine administrative 
        activities such as billing, shipping, financial reporting, and 
        accounting.
            (2) To perform internal system maintenance, diagnostics, 
        product or service management, inventory management, or network 
        management.
            (3) To prevent, detect, or respond to a security incident 
        or trespassing, provide a secure environment, or maintain the 
        safety and security of a product, service, or individual.
            (4) To protect against malicious, deceptive, fraudulent, or 
        illegal activity.
            (5) To comply with a legal obligation or the establishment, 
        exercise, analysis, or defense of legal claims or rights, or as 
        required or specifically authorized by law.
            (6) To comply with a civil, criminal, or regulatory 
        inquiry, investigation, subpoena, or summons by an Executive 
        agency.
            (7) To cooperate with an Executive agency or a law 
        enforcement official acting under the authority of an Executive 
        or State agency concerning conduct or activity that the 
        Executive agency or law enforcement official reasonably and in 
        good faith believes may violate Federal, State, or local law, 
        or pose a threat to public safety or national security.
            (8) To address risks to the safety of an individual or 
        group of individuals, or to ensure customer safety, including 
        by authenticating individuals in order to provide access to 
        large venues open to the public.
            (9) To effectuate a product recall pursuant to Federal or 
        State law.
            (10) To conduct public or peer-reviewed scientific, 
        historical, or statistical research that--
                    (A) is in the public interest;
                    (B) adheres to all applicable ethics and privacy 
                laws; and
                    (C) is approved, monitored, and governed by an 
                institutional review board or other oversight entity 
                that meets standards promulgated by the Commission 
                pursuant to section 553 of title 5, United States Code.
            (11) To transfer covered data to a service provider.
            (12) For a purpose identified by the Commission pursuant to 
        a regulation promulgated under subsection (b).
    (b) Additional Purposes.--The Commission may promulgate regulations 
under section 553 of title 5, United States Code, identifying 
additional purposes for which a covered entity may collect, process, or 
transfer covered data and protect individual rights to data privacy in 
accordance with this title.

SEC. 112. SMALL BUSINESS EXCEPTION.

    Sections 103, 104, 105, and 106 do not apply in the case of a 
person who can establish that, for the 3 preceding calendar years (or 
for the period during which the person has been in existence if such 
period is less than 3 years)--
            (1) the average annual gross revenues of the person did not 
        exceed $50,000,000;
            (2) on average, the person annually processed the covered 
        data of less than 1,000,000 individuals;
            (3) the person never employed more than 500 individuals at 
        any one time; and
            (4) the person derived less than 50 percent of the revenues 
        of the person from transferring covered data.

SEC. 113. APPLICATION AND ENFORCEMENT.

    (a) General Application.--The requirements of this title apply, 
according to their terms, to--
            (1) those persons, partnerships, and corporations over 
        which the Commission has authority pursuant to section 5(a)(2) 
        of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
            (2) notwithstanding sections 4 and 5(a)(2) of such Act (15 
        U.S.C. 44; 45(a)(2))--
                    (A) common carriers described in such section 
                5(a)(2); and
                    (B) organizations not organized to carry on 
                business for their own profit or that of their members.
    (b) Enforcement by the Commission.--
            (1) In general.--Except as otherwise provided, this title 
        and the regulations prescribed under this title shall be 
        enforced by the Commission under the Federal Trade Commission 
        Act (15 U.S.C. 41 et seq.).
            (2) Unfair or deceptive acts or practices.--A violation of 
        this title or a regulation prescribed under this title shall be 
        treated as a violation of a rule defining an unfair or 
        deceptive act or practice prescribed under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (3) Actions by the commission.--
                    (A) In general.--Except as provided in subparagraph 
                (B) and subsection (a), the Commission shall prevent 
                any person from violating this title or a regulation 
                prescribed under this title in the same manner, by the 
                same means, and with the same jurisdiction, powers, and 
                duties as though all applicable terms and provisions of 
                the Federal Trade Commission Act (15 U.S.C. 41 et seq.) 
                were incorporated into and made a part of this title, 
                and any person who violates this title or a regulation 
                prescribed under this title shall be subject to the 
                penalties and entitled to the privileges and immunities 
                provided in the Federal Trade Commission Act.
                    (B) Penalties.--
                            (i) In general.--Notwithstanding section 
                        5(m) of the Federal Trade Commission Act (15 
                        U.S.C. 45(m)), a civil penalty recovered for a 
                        violation of this title or a regulation 
                        prescribed under this title may be in excess of 
                        the amounts provided for in that section, if 
                        such penalty meets the requirements of this 
                        subparagraph.
                            (ii) Penalty for negligent violation.--In 
                        the case of a person who negligently violates 
                        this title or a regulation prescribed under 
                        this title, such person shall be liable for a 
                        civil penalty that does not exceed $50 for 
                        every individual affected by such violation for 
                        every day during which the person is in 
                        violation of this title or such regulation as 
                        described in this clause.
                            (iii) Penalty for willful or reckless 
                        violation.--In the case of a person who 
                        willfully or recklessly violates this title or 
                        a regulation prescribed under this title, such 
                        person shall be liable for a civil penalty 
                        that--
                                    (I) is not less than $100,000; and
                                    (II) does not exceed $1,000 for 
                                every individual affected by such 
                                violation for every day during which 
                                the person is in violation of this 
                                title or such regulation as described 
                                in this clause.
    (c) Enforcement by State Attorneys General.--
            (1) In general.--
                    (A) Civil actions.--In any case in which the 
                attorney general of a State has reason to believe that 
                an interest of the residents of that State has been or 
                is threatened or adversely affected by the engagement 
                of any person in an act or practice that violates this 
                title or a regulation prescribed under this title, the 
                State, as parens patriae, may bring a civil action on 
                behalf of the residents of the State in a district 
                court of the United States or a State court of 
                appropriate jurisdiction to--
                            (i) enjoin that act or practice;
                            (ii) enforce compliance with this title or 
                        such regulation;
                            (iii) obtain damages, statutory damages in 
                        the same amount as the penalties that the 
                        Commission may obtain under section 5(m) of the 
                        Federal Trade Commission Act (15 U.S.C. 45(m)) 
                        and subsection (b)(3)(B) of this section, 
                        restitution, or other compensation on behalf of 
                        residents of the State; or
                            (iv) obtain such other relief as the court 
                        may consider to be appropriate.
                    (B) Notice.--
                            (i) In general.--Before filing an action 
                        under subparagraph (A), the attorney general of 
                        the State involved shall provide to the 
                        Commission--
                                    (I) written notice of that action; 
                                and
                                    (II) a copy of the complaint for 
                                that action.
                            (ii) Exemption.--
                                    (I) In general.--Clause (i) does 
                                not apply with respect to the filing of 
                                an action by an attorney general of a 
                                State under this paragraph if the 
                                attorney general of the State 
                                determines that it is not feasible to 
                                provide the notice described in that 
                                clause before the filing of the action.
                                    (II) Notification.--In an action 
                                described in subclause (I), the 
                                attorney general of a State shall 
                                provide notice and a copy of the 
                                complaint to the Commission at the same 
                                time as the attorney general files the 
                                action.
            (2) Intervention.--
                    (A) In general.--On receiving notice under 
                paragraph (1)(B), the Commission shall have the right 
                to intervene in the action that is the subject of the 
                notice.
                    (B) Effect of intervention.--If the Commission 
                intervenes in an action under paragraph (1), it shall 
                have the right--
                            (i) to be heard with respect to any matter 
                        that arises in that action; and
                            (ii) to file a petition for appeal.
            (3) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this title shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (4) Actions by the commission.--In any case in which an 
        action is instituted by or on behalf of the Commission for 
        violation of this title or a regulation prescribed under this 
        title, no State may, during the pendency of that action, 
        institute an action under paragraph (1) against any defendant 
        named in the complaint in the action instituted by or on behalf 
        of the Commission for that violation.
            (5) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in--
                            (i) a district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) a State court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                paragraph (1) in a district court of the United States, 
                process may be served wherever the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.

SEC. 114. STATE PRIVACY PROTECTIONS.

    Nothing in this title shall preempt any State law, regulation, or 
other requirement having the force or effect of law that is more 
protective of the privacy of individuals than the requirements of this 
title.

SEC. 115. SEVERABILITY.

    If any provision of this title or the application of a provision of 
this title to any person or circumstance is held to be invalid or 
unconstitutional, the remainder of this title, or the application of 
such provision to any other person or circumstance, shall not be 
affected.

SEC. 116. DEFINITIONS.

    In this title:
            (1) Affirmative express consent.--
                    (A) In general.--The term ``affirmative express 
                consent'' means an affirmative act by an individual 
                that clearly communicates the individual's 
                authorization for an act or practice, in response to a 
                specific request that meets the requirements of 
                subparagraph (B).
                    (B) Request requirements.--The requirements of this 
                subparagraph with respect to a request from a covered 
                entity to an individual are the following:
                            (i) The request is provided to the 
                        individual in a standalone disclosure.
                            (ii) The request includes a description of 
                        each act or practice for which the individual's 
                        consent is sought and--
                                    (I) clearly distinguishes between 
                                an act or practice which is necessary 
                                to fulfill a request of the individual 
                                and an act or practice which is for 
                                another purpose; and
                                    (II) is written in easy-to-
                                understand language and includes a 
                                prominent heading that would enable a 
                                reasonable individual to identify and 
                                understand the act or practice.
                            (iii) The request clearly explains the 
                        individual's applicable rights related to 
                        consent.
                    (C) Express consent required.--A covered entity may 
                not infer that an individual has provided affirmative 
                express consent to an act or practice from the inaction 
                of the individual or the individual's continued use of 
                a service or product provided by the covered entity.
                    (D) Prior consent required.--In the case of any 
                requirement of this title for a covered entity to 
                obtain affirmative express consent for an act or 
                practice, the covered entity shall obtain such consent 
                before engaging in the act or practice.
            (2) Collect; collection.--The terms ``collect'' and 
        ``collection'' mean, with respect to the covered data of an 
        individual, buying, renting, gathering, obtaining, receiving, 
        accessing, or otherwise acquiring such data by any means, 
        including by passively or actively observing the individual's 
        behavior.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Connected device.--The term ``connected device'' means 
        a physical object that--
                    (A) is capable of connecting to the internet, 
                either directly or indirectly through a network, to 
                communicate information at the direction of an 
                individual; and
                    (B) has computer processing capabilities for 
                collecting, sending, receiving, or analyzing data.
            (5) Control.--The term ``control'' means, with respect to 
        an entity--
                    (A) ownership of, or the power to vote, more than 
                50 percent of the outstanding shares of any class of 
                voting security of the entity;
                    (B) control in any manner over the election of a 
                majority of the directors of the entity (or of 
                individuals exercising similar functions); or
                    (C) the power to exercise a controlling influence 
                over the management of the entity.
            (6) Covered data.--
                    (A) In general.--The term ``covered data'' means 
                information that identifies or is linked or reasonably 
                linkable to an individual or a connected device that is 
                linked or reasonably linkable to an individual.
                    (B) Linked or reasonably linkable.--For purposes of 
                subparagraph (A), information held by a covered entity 
                is linked or reasonably linkable to an individual or a 
                connected device if, as a practical matter, it can be 
                used on its own or in combination with other 
                information held by, or readily accessible to, the 
                covered entity to identify such individual or such 
                device.
                    (C) Exclusions.--Such term does not include--
                            (i) aggregated data;
                            (ii) de-identified data;
                            (iii) data of an individual processed by 
                        the covered entity in the capacity of the 
                        covered entity as the employer of the 
                        individual; or
                            (iv) publicly available information.
            (7) Covered entity.--The term ``covered entity'' means any 
        person who--
                    (A) collects, processes, or transfers covered data; 
                and
                    (B) determines the purposes and means of such 
                collection, processing, or transfer.
            (8) Covered internet platform.--
                    (A) In general.--The term ``covered internet 
                platform'' means any public-facing website, internet 
                application, or mobile application, including a social 
                network site, video sharing service, search engine, or 
                content aggregation service.
                    (B) Exclusion.--Such term does not include a 
                platform that is operated for the sole purpose of 
                conducting research that is not conducted for profit, 
                either directly or indirectly.
            (9) Delete.--The term ``delete'' means to remove or destroy 
        information such that it is not maintained in human or machine-
        readable form and cannot be retrieved or utilized in such form 
        in the normal course of business.
            (10) Executive agency.--The term ``Executive agency'' has 
        the meaning given such term in section 105 of title 5, United 
        States Code.
            (11) Individual.--The term ``individual'' means a natural 
        person residing in the United States, however identified, 
        including by any unique identifier.
            (12) Material.--The term ``material'' means, with respect 
        to an act, practice, or representation of a covered entity 
        (including a representation made by the covered entity in a 
        privacy policy or similar disclosure to individuals), that such 
        act, practice, or representation is likely to affect an 
        individual's decision or conduct regarding a product or 
        service.
            (13) Process.--The term ``process'' means to perform any 
        operation or set of operations on covered data, including 
        collection, analysis, organization, structuring, retaining, 
        using, transferring, or otherwise handling covered data.
            (14) Processing purpose.--The term ``processing purpose'' 
        means an adequately specific and granular reason for which a 
        covered entity processes covered data that clearly describes 
        the processing activity.
            (15) Program.--The term ``program'' means, with respect to 
        a covered internet platform, any program that appears on the 
        platform, including a program that delivers advertisements to 
        users of the platform and a program used to log into the 
        platform.
            (16) Publicly available information.--The term ``publicly 
        available information'' means information that is available to 
        the general public, including--
                    (A) any information to which the source allows 
                access by anyone upon request; and
                    (B) any information that a covered entity has a 
                reasonable basis to believe is lawfully made available 
                to the general public from Federal, State, or local 
                government records, widely distributed media, or 
                disclosures to the general public that are required to 
                be made by Federal, State, or local law.
            (17) Research.--The term ``research'' means the scientific 
        analysis of information, including covered data, by a covered 
        entity or those with whom the covered entity is cooperating or 
        others acting at the direction or on behalf of the covered 
        entity, that is conducted for the primary purpose of advancing 
        scientific knowledge and may be for the commercial benefit of 
        the covered entity.
            (18) Second-party operator.--The term ``second-party 
        operator'' means the operator of a covered internet platform 
        with which a user intends to connect, but does not include the 
        operator of a program that appears on the platform (if the 
        operator of the program is different from the operator of the 
        platform).
            (19) Service provider.--The term ``service provider'' 
        means, with respect to a set of covered data, a covered entity 
        that collects, processes, or transfers such covered data for 
        the purpose of performing one or more services or functions on 
        behalf of, and at the direction of, another covered entity 
        that--
                    (A) is not related to the covered entity providing 
                the service or function by common ownership or 
                corporate control; and
                    (B) does not share common branding with the covered 
                entity providing the service or function.
            (20) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (21) Third party.--The term ``third party'' means with 
        respect to a set of covered data, a covered entity--
                    (A) that is not a service provider with respect to 
                such covered data; and
                    (B) that received such covered data from another 
                covered entity--
                            (i) that is not related to the covered 
                        entity by common ownership or corporate 
                        control; and
                            (ii) that does not share common branding 
                        with the covered entity.
            (22) Third-party operator.--The term ``third-party 
        operator'' means the operator of a program that appears on a 
        covered internet platform (if the operator of the program is 
        different from the operator of the platform).
            (23) Transfer.--The term ``transfer'' means, with respect 
        to covered data, to disclose, release, share, disseminate, make 
        available, or license such data, in writing, electronically, or 
        by any other means, for consideration of any kind or for a 
        commercial purpose.

SEC. 117. EFFECTIVE DATE.

    This title shall take effect on the date that is 6 months after the 
date of the enactment of this Act.

                         TITLE II--DO NOT TRACK

SEC. 201. SHORT TITLE.

    This title may be cited as the ``Do Not Track Act''.

SEC. 202. ESTABLISHMENT OF DO NOT TRACK SYSTEM.

    (a) In General.--Not later than 6 months after the date of the 
enactment of this Act, the Commission shall implement and enforce a Do 
Not Track (DNT) system, including the program described in subsection 
(b), to protect consumers from unwanted online data harvesting and 
targeted advertising.
    (b) Do Not Track Program.--As part of the Do Not Track system 
required under this section, the Commission shall designate the DNT 
signal and make available on the public website of the Commission a 
simple program that--
            (1) can be downloaded to any common connected device;
            (2) sends the DNT signal to every covered internet platform 
        (except for a covered internet platform designated under 
        paragraph (3)) to which the device connects each time the 
        device connects to the platform; and
            (3) permits the user of the device to designate covered 
        internet platforms to which the DNT signal should not be sent, 
        but does not exempt any covered internet platform from 
        receiving the signal if the platform is not so designated.
    (c) Other Do Not Track Systems.--Nothing in this title may be 
construed to prohibit the operator of any web browser or similar 
interface or a connected device designer or manufacturer from offering 
a program that sends the DNT signal to covered internet platforms, if 
the program permits users to designate covered internet platforms to 
which the DNT signal should not be sent.
    (d) Rulemaking Authority.--The Commission may promulgate 
regulations, in accordance with section 553 of title 5, United States 
Code, to carry out this section.

SEC. 203. DO NOT TRACK: REQUIREMENTS FOR OPERATORS; PROHIBITED ACTS.

    (a) Requirements.--
            (1) Search for dnt signal.--When a connected device 
        connects to a covered internet platform--
                    (A) the second-party operator of the platform shall 
                ensure that the platform searches for the DNT signal; 
                and
                    (B) the third-party operator of any program that 
                appears on the platform shall ensure that the program 
                searches for the DNT signal.
            (2) Mandatory notification.--
                    (A) In general.--Subject to subparagraph (B), if a 
                second-party operator of a covered internet platform 
                collects more data from a user of the platform than is 
                necessary to operate the platform, or if a third-party 
                operator of a program that appears on the platform 
                collects more data from a user of the platform than is 
                necessary to operate the platform, the second-party 
                operator or third-party operator, respectively, shall, 
                through a pop-up notification, provide any user whose 
                connected device is not sending the DNT signal with--
                            (i) notice of the policy of the platform or 
                        program of collecting data beyond what is 
                        necessary to operate the platform;
                            (ii) notice of the protections from data 
                        collection and targeted advertising available 
                        to users under this title;
                            (iii) notice that the user may, through the 
                        public website of the Commission, download the 
                        Do Not Track program described in section 
                        202(b), including a link to such website; and
                            (iv) notice that the user may be able to 
                        activate the DNT signal through the user's 
                        device or browser.
                    (B) Number and timing.--A second-party operator or 
                third-party operator, respectively, shall provide the 
                notification required by subparagraph (A)--
                            (i) the first time a connected device 
                        connects to the covered internet platform; and
                            (ii) unless the user of the connected 
                        device opts out of receiving the notification 
                        required by subparagraph (A), at least every 
                        30th time the connected device connects to the 
                        covered internet platform.
                    (C) Collection of data for targeted advertising.--
                For purposes of this paragraph, the second-party 
                operator of a covered internet platform, or the third-
                party operator of a program that appears on the 
                platform, that collects data for the purpose of 
                designing or displaying advertisements for targeted 
                advertising shall be considered to be collecting more 
                data than is necessary to operate the platform.
    (b) Prohibition on Data Collection and Targeted Advertising.--
            (1) Second-party operators.--Subject to paragraph (3), it 
        shall be unlawful for a second-party operator of a covered 
        internet platform that receives the DNT signal from the 
        connected device of a user to--
                    (A) collect any data (other than such data as is 
                necessary to operate the platform) from the user;
                    (B) use any data collected from the user for a 
                secondary purpose, including for the purpose of 
                targeted advertising; or
                    (C) transfer any data collected from the user to a 
                third party, unless the user provides affirmative 
                express consent to the transfer of data in a manner 
                that demonstrates the user's intent for the second-
                party operator to be an intermediary between the user 
                and the third party.
            (2) Third-party operators.--
                    (A) In general.--It shall be unlawful for a third-
                party operator of a program that receives the DNT 
                signal from the connected device of a user of a covered 
                internet platform on which the program appears to 
                collect any data from the user, other than, subject to 
                subparagraph (B), data collected for the purpose of 
                analyzing how or whether the user engaged with the 
                program.
                    (B) Limitations on collection of data for 
                engagement analytics.--Data collected for the purpose 
                of analyzing how or whether the user engaged with the 
                program, as described in subparagraph (A)--
                            (i) may only be collected in a de-
                        identified manner; and
                            (ii) may not be used to create or 
                        contribute to a profile of the user.
            (3) Exception for complementary services.--Notwithstanding 
        paragraph (1), a second-party operator of a covered internet 
        platform may collect additional data from a user beyond what is 
        necessary for the operation of the platform if the additional 
        data is necessary for the operation of a different covered 
        internet platform that is--
                    (A) both owned and operated by the second-party 
                operator;
                    (B) designed to complement the covered internet 
                platform accessed by the user; and
                    (C) branded as a complementary covered internet 
                platform to the covered internet platform accessed by 
                the user.
    (c) Interfering With DNT Signal.--It shall be unlawful for any 
person to--
            (1) block or impede the ability of a covered internet 
        platform, or a program that appears on a covered internet 
        platform, to receive the DNT signal; or
            (2) block or impede the ability of a connected device to 
        send the DNT signal.
    (d) Discrimination Based on DNT Preferences.--It shall be unlawful 
for a second-party operator of a covered internet platform to--
            (1) deny a user access to, or service from, the platform on 
        the basis of receiving the DNT signal from the user; or
            (2) provide a user from whom the platform receives the DNT 
        signal with a different level of access or service than the 
        level of access or service provided to a user from whom the 
        platform does not receive the DNT signal.

SEC. 204. SCOPE OF COVERAGE.

    (a) General Exceptions.--Notwithstanding any other provision of 
this title, a covered entity may collect, process, or transfer covered 
data for any of the following purposes, if the collection, processing, 
or transfer is reasonably necessary, proportionate, and limited to such 
purpose:
            (1) To initiate or complete a transaction or to fulfill an 
        order or provide a service specifically requested by an 
        individual, including associated routine administrative 
        activities such as billing, shipping, financial reporting, and 
        accounting.
            (2) To perform internal system maintenance, diagnostics, 
        product or service management, inventory management, or network 
        management.
            (3) To prevent, detect, or respond to a security incident 
        or trespassing, provide a secure environment, or maintain the 
        safety and security of a product, service, or individual.
            (4) To protect against malicious, deceptive, fraudulent, or 
        illegal activity.
            (5) To comply with a legal obligation or the establishment, 
        exercise, analysis, or defense of legal claims or rights, or as 
        required or specifically authorized by law.
            (6) To comply with a civil, criminal, or regulatory 
        inquiry, investigation, subpoena, or summons by an Executive 
        agency.
            (7) To cooperate with an Executive agency or a law 
        enforcement official acting under the authority of an Executive 
        or State agency concerning conduct or activity that the 
        Executive agency or law enforcement official reasonably and in 
        good faith believes may violate Federal, State, or local law, 
        or pose a threat to public safety or national security.
            (8) To address risks to the safety of an individual or 
        group of individuals, or to ensure customer safety, including 
        by authenticating individuals in order to provide access to 
        large venues open to the public.
            (9) To effectuate a product recall pursuant to Federal or 
        State law.
            (10) To conduct public or peer-reviewed scientific, 
        historical, or statistical research that--
                    (A) is in the public interest;
                    (B) adheres to all applicable ethics and privacy 
                laws; and
                    (C) is approved, monitored, and governed by an 
                institutional review board or other oversight entity 
                that meets standards promulgated by the Commission 
                pursuant to section 553 of title 5, United States Code.
            (11) To transfer covered data to a service provider.
            (12) For a purpose identified by the Commission pursuant to 
        a regulation promulgated under subsection (b).
    (b) Additional Purposes.--The Commission may promulgate regulations 
under section 553 of title 5, United States Code, identifying 
additional purposes for which a covered entity may collect, process, or 
transfer covered data and protect individual rights to data privacy in 
accordance with this title.

SEC. 205. APPLICATION AND ENFORCEMENT.

    (a) General Application.--The requirements of this title apply, 
according to their terms, to--
            (1) those persons, partnerships, and corporations over 
        which the Commission has authority pursuant to section 5(a)(2) 
        of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
            (2) notwithstanding sections 4 and 5(a)(2) of such Act (15 
        U.S.C. 44; 45(a)(2))--
                    (A) common carriers described in such section 
                5(a)(2); and
                    (B) organizations not organized to carry on 
                business for their own profit or that of their members.
    (b) Enforcement by the Commission.--
            (1) In general.--Except as otherwise provided, this title 
        and the regulations prescribed under this title shall be 
        enforced by the Commission under the Federal Trade Commission 
        Act (15 U.S.C. 41 et seq.).
            (2) Unfair or deceptive acts or practices.--A violation of 
        this title or a regulation prescribed under this title shall be 
        treated as a violation of a rule defining an unfair or 
        deceptive act or practice prescribed under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (3) Actions by the commission.--
                    (A) In general.--Except as provided in subparagraph 
                (B) and subsection (a), the Commission shall prevent 
                any person from violating this title or a regulation 
                prescribed under this title in the same manner, by the 
                same means, and with the same jurisdiction, powers, and 
                duties as though all applicable terms and provisions of 
                the Federal Trade Commission Act (15 U.S.C. 41 et seq.) 
                were incorporated into and made a part of this title, 
                and any person who violates this title or a regulation 
                prescribed under this title shall be subject to the 
                penalties and entitled to the privileges and immunities 
                provided in the Federal Trade Commission Act.
                    (B) Penalties.--
                            (i) In general.--Notwithstanding section 
                        5(m) of the Federal Trade Commission Act (15 
                        U.S.C. 45(m)), a civil penalty recovered for a 
                        violation of this title or a regulation 
                        prescribed under this title may be in excess of 
                        the amounts provided for in that section, if 
                        such penalty meets the requirements of this 
                        subparagraph.
                            (ii) Penalty for negligent violation.--In 
                        the case of a person who negligently violates 
                        this title or a regulation prescribed under 
                        this title, such person shall be liable for a 
                        civil penalty that does not exceed $50 for 
                        every individual affected by such violation for 
                        every day during which the person is in 
                        violation of this title or such regulation as 
                        described in this clause.
                            (iii) Penalty for willful or reckless 
                        violation.--In the case of a person who 
                        willfully or recklessly violates this title or 
                        a regulation prescribed under this title, such 
                        person shall be liable for a civil penalty 
                        that--
                                    (I) is not less than $100,000; and
                                    (II) does not exceed $1,000 for 
                                every individual affected by such 
                                violation for every day during which 
                                the person is in violation of this 
                                title or such regulation as described 
                                in this clause.
    (c) Enforcement by State Attorneys General.--
            (1) In general.--
                    (A) Civil actions.--In any case in which the 
                attorney general of a State has reason to believe that 
                an interest of the residents of that State has been or 
                is threatened or adversely affected by the engagement 
                of any person in an act or practice that violates this 
                title or a regulation prescribed under this title, the 
                State, as parens patriae, may bring a civil action on 
                behalf of the residents of the State in a district 
                court of the United States or a State court of 
                appropriate jurisdiction to--
                            (i) enjoin that act or practice;
                            (ii) enforce compliance with this title or 
                        such regulation;
                            (iii) obtain damages, statutory damages in 
                        the same amount as the penalties that the 
                        Commission may obtain under section 5(m) of the 
                        Federal Trade Commission Act (15 U.S.C. 45(m)) 
                        and subsection (b)(3)(B) of this section, 
                        restitution, or other compensation on behalf of 
                        residents of the State; or
                            (iv) obtain such other relief as the court 
                        may consider to be appropriate.
                    (B) Notice.--
                            (i) In general.--Before filing an action 
                        under subparagraph (A), the attorney general of 
                        the State involved shall provide to the 
                        Commission--
                                    (I) written notice of that action; 
                                and
                                    (II) a copy of the complaint for 
                                that action.
                            (ii) Exemption.--
                                    (I) In general.--Clause (i) does 
                                not apply with respect to the filing of 
                                an action by an attorney general of a 
                                State under this paragraph if the 
                                attorney general of the State 
                                determines that it is not feasible to 
                                provide the notice described in that 
                                clause before the filing of the action.
                                    (II) Notification.--In an action 
                                described in subclause (I), the 
                                attorney general of a State shall 
                                provide notice and a copy of the 
                                complaint to the Commission at the same 
                                time as the attorney general files the 
                                action.
            (2) Intervention.--
                    (A) In general.--On receiving notice under 
                paragraph (1)(B), the Commission shall have the right 
                to intervene in the action that is the subject of the 
                notice.
                    (B) Effect of intervention.--If the Commission 
                intervenes in an action under paragraph (1), it shall 
                have the right--
                            (i) to be heard with respect to any matter 
                        that arises in that action; and
                            (ii) to file a petition for appeal.
            (3) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this title shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (4) Actions by the commission.--In any case in which an 
        action is instituted by or on behalf of the Commission for 
        violation of this title or a regulation prescribed under this 
        title, no State may, during the pendency of that action, 
        institute an action under paragraph (1) against any defendant 
        named in the complaint in the action instituted by or on behalf 
        of the Commission for that violation.
            (5) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in--
                            (i) a district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) a State court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                paragraph (1) in a district court of the United States, 
                process may be served wherever the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.

SEC. 206. STATE PRIVACY PROTECTIONS.

    Nothing in this title shall preempt any State law, regulation, or 
other requirement having the force or effect of law that is more 
protective of the privacy of individuals than the requirements of this 
title.

SEC. 207. SEVERABILITY.

    If any provision of this title or the application of a provision of 
this title to any person or circumstance is held to be invalid or 
unconstitutional, the remainder of this title, or the application of 
such provision to any other person or circumstance, shall not be 
affected.

SEC. 208. DEFINITIONS.

    In this title:
            (1) Affirmative express consent.--
                    (A) In general.--The term ``affirmative express 
                consent'' means an affirmative act by an individual 
                that clearly communicates the individual's 
                authorization for an act or practice, in response to a 
                specific request that meets the requirements of 
                subparagraph (B).
                    (B) Request requirements.--The requirements of this 
                subparagraph with respect to a request from a covered 
                entity to an individual are the following:
                            (i) The request is provided to the 
                        individual in a standalone disclosure.
                            (ii) The request includes a description of 
                        each act or practice for which the individual's 
                        consent is sought and--
                                    (I) clearly distinguishes between 
                                an act or practice which is necessary 
                                to fulfill a request of the individual 
                                and an act or practice which is for 
                                another purpose; and
                                    (II) is written in easy-to-
                                understand language and includes a 
                                prominent heading that would enable a 
                                reasonable individual to identify and 
                                understand the act or practice.
                            (iii) The request clearly explains the 
                        individual's applicable rights related to 
                        consent.
                    (C) Express consent required.--A covered entity may 
                not infer that an individual has provided affirmative 
                express consent to an act or practice from the inaction 
                of the individual or the individual's continued use of 
                a service or product provided by the covered entity.
                    (D) Prior consent required.--In the case of any 
                requirement of this title for a covered entity to 
                obtain affirmative express consent for an act or 
                practice, the covered entity shall obtain such consent 
                before engaging in the act or practice.
            (2) Collect; collection.--The terms ``collect'' and 
        ``collection'' mean, with respect to the covered data of an 
        individual, buying, renting, gathering, obtaining, receiving, 
        accessing, or otherwise acquiring such data by any means, 
        including by passively or actively observing the individual's 
        behavior.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Connected device.--The term ``connected device'' means 
        a physical object that--
                    (A) is capable of connecting to the internet, 
                either directly or indirectly through a network, to 
                communicate information at the direction of an 
                individual; and
                    (B) has computer processing capabilities for 
                collecting, sending, receiving, or analyzing data.
            (5) Control.--The term ``control'' means, with respect to 
        an entity--
                    (A) ownership of, or the power to vote, more than 
                50 percent of the outstanding shares of any class of 
                voting security of the entity;
                    (B) control in any manner over the election of a 
                majority of the directors of the entity (or of 
                individuals exercising similar functions); or
                    (C) the power to exercise a controlling influence 
                over the management of the entity.
            (6) Covered data.--
                    (A) In general.--The term ``covered data'' means 
                information that identifies or is linked or reasonably 
                linkable to an individual or a connected device that is 
                linked or reasonably linkable to an individual.
                    (B) Linked or reasonably linkable.--For purposes of 
                subparagraph (A), information held by a covered entity 
                is linked or reasonably linkable to an individual or a 
                connected device if, as a practical matter, it can be 
                used on its own or in combination with other 
                information held by, or readily accessible to, the 
                covered entity to identify such individual or such 
                device.
                    (C) Exclusions.--Such term does not include--
                            (i) aggregated data;
                            (ii) de-identified data;
                            (iii) data of an individual processed by 
                        the covered entity in the capacity of the 
                        covered entity as the employer of the 
                        individual; or
                            (iv) publicly available information.
            (7) Covered entity.--The term ``covered entity'' means any 
        person who--
                    (A) collects, processes, or transfers covered data; 
                and
                    (B) determines the purposes and means of such 
                collection, processing, or transfer.
            (8) Covered internet platform.--
                    (A) In general.--The term ``covered internet 
                platform'' means any public-facing website, internet 
                application, or mobile application, including a social 
                network site, video sharing service, search engine, or 
                content aggregation service.
                    (B) Exclusion.--Such term does not include a 
                platform that is operated for the sole purpose of 
                conducting research that is not conducted for profit, 
                either directly or indirectly.
            (9) DNT signal.--The term ``DNT signal'' means a signal 
        sent by a connected device, such as the hypertext transfer 
        protocol developed by the World Wide Web Consortium Working 
        Group on Tracking Preference Expression, that is designated by 
        the Commission for purposes of the Do Not Track program 
        required under section 202(b).
            (10) Executive agency.--The term ``Executive agency'' has 
        the meaning given such term in section 105 of title 5, United 
        States Code.
            (11) Individual.--The term ``individual'' means a natural 
        person residing in the United States, however identified, 
        including by any unique identifier.
            (12) Process.--The term ``process'' means to perform any 
        operation or set of operations on covered data, including 
        collection, analysis, organization, structuring, retaining, 
        using, transferring, or otherwise handling covered data.
            (13) Program.--The term ``program'' means, with respect to 
        a covered internet platform, any program that appears on the 
        platform, including a program that delivers advertisements to 
        users of the platform and a program used to log into the 
        platform.
            (14) Publicly available information.--The term ``publicly 
        available information'' means information that is available to 
        the general public, including--
                    (A) any information to which the source allows 
                access by anyone upon request; and
                    (B) any information that a covered entity has a 
                reasonable basis to believe is lawfully made available 
                to the general public from Federal, State, or local 
                government records, widely distributed media, or 
                disclosures to the general public that are required to 
                be made by Federal, State, or local law.
            (15) Research.--The term ``research'' means the scientific 
        analysis of information, including covered data, by a covered 
        entity or those with whom the covered entity is cooperating or 
        others acting at the direction or on behalf of the covered 
        entity, that is conducted for the primary purpose of advancing 
        scientific knowledge and may be for the commercial benefit of 
        the covered entity.
            (16) Second-party operator.--The term ``second-party 
        operator'' means the operator of a covered internet platform 
        with which a user intends to connect, but does not include the 
        operator of a program that appears on the platform (if the 
        operator of the program is different from the operator of the 
        platform).
            (17) Service provider.--The term ``service provider'' 
        means, with respect to a set of covered data, a covered entity 
        that collects, processes, or transfers such covered data for 
        the purpose of performing one or more services or functions on 
        behalf of, and at the direction of, another covered entity 
        that--
                    (A) is not related to the covered entity providing 
                the service or function by common ownership or 
                corporate control; and
                    (B) does not share common branding with the covered 
                entity providing the service or function.
            (18) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (19) Targeted advertising.--
                    (A) In general.--The term ``targeted advertising'' 
                means a form of advertising in which advertisements are 
                displayed to a user based on the user's traits, 
                information from a profile about the user that is 
                created for the purpose of selling advertisements, or 
                the user's previous online or offline behavior.
                    (B) Limitation.--Such term does not include 
                contextual advertising, including--
                            (i) advertising that is directed to a user 
                        based on the content of the covered internet 
                        platform that the user is connected to; or
                            (ii) advertising that is directed to a user 
                        by the second-party operator of a covered 
                        internet platform, or by the third-party 
                        operator of a program that appears on the 
                        platform, based on the search terms that the 
                        user used to arrive at the platform.
            (20) Third party.--The term ``third party'' means with 
        respect to a set of covered data, a covered entity--
                    (A) that is not a service provider with respect to 
                such covered data; and
                    (B) that received such covered data from another 
                covered entity--
                            (i) that is not related to the covered 
                        entity by common ownership or corporate 
                        control; and
                            (ii) that does not share common branding 
                        with the covered entity.
            (21) Third-party operator.--The term ``third-party 
        operator'' means the operator of a program that appears on a 
        covered internet platform (if the operator of the program is 
        different from the operator of the platform).
            (22) Transfer.--The term ``transfer'' means, with respect 
        to covered data, to disclose, release, share, disseminate, make 
        available, or license such data, in writing, electronically, or 
        by any other means, for consideration of any kind or for a 
        commercial purpose.

SEC. 209. EFFECTIVE DATE.

    This title shall take effect on the date that is 6 months after the 
date of the enactment of this Act.