<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!-- The stylesheet PI above and the DOCTYPE below both name external resources by
     relative URL ("billres.xsl", "bill.dtd"). A processor that loads them will pick up
     whatever sits beside this file, so when the file comes from a mirror or any other
     untrusted source, resolve both from a locally pinned copy (for example an XML
     catalog) and keep external entity resolution and network DTD loading disabled. -->
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" dms-id="H4BA9665DB899480ABB29AE19CAD7478D" public-private="public" key="H" bill-type="olc"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 HR 5433 IH: Renew Effective Protection of Americans’ Information Rights Act</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2021-09-30</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code><congress display="yes">117th CONGRESS</congress><session display="yes">1st Session</session><legis-num display="yes">H. R. 5433</legis-num><current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber><action display="yes"><action-date date="20210930">September 30, 2021</action-date><action-desc><sponsor name-id="P000599">Mr. Posey</sponsor> (for himself, <cosponsor name-id="G000552">Mr. Gohmert</cosponsor>, and <cosponsor name-id="M001190">Mr. Mullin</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HIF00">Committee on Energy and Commerce</committee-name></action-desc></action><legis-type>A BILL</legis-type><official-title display="yes">To protect the privacy of internet users by reinforcing online privacy rights and through the establishment of a national Do Not Track system, and for other purposes.</official-title></form><legis-body id="H6D638FC3136F4CD1A10C4244FBC20FE8" style="OLC"><section id="H53423BBB63D74C86939AA26F1CCB80FE" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header><subsection id="H7D701F49C27641518436D9652B5CCE6E"><enum>(a)</enum><header>Short title</header><text>This Act may be cited as the <quote><short-title>Renew Effective Protection of Americans’ Information Rights Act</short-title></quote> or the <quote><short-title>REPAIR Act</short-title></quote>. </text></subsection><subsection id="HB0026831B41B4582A34428683C87CF3F"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text><toc container-level="legis-body-container" quoted-block="no-quoted-block" lowest-level="section" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"><toc-entry idref="H53423BBB63D74C86939AA26F1CCB80FE" level="section">Sec. 1. 
Short title; table of contents.</toc-entry><toc-entry idref="H956606D86CE44D9090B6B2B37E762F45" level="title">Title I—Data Privacy Bill of Rights</toc-entry><toc-entry idref="H687DC8EC33F948B3A0D8E710F0B7919A" level="section">Sec. 101. Short title.</toc-entry><toc-entry idref="HB104CD7D8F3D4A2B8E2BC6F50AF799B8" level="section">Sec. 102. Policy of the United States.</toc-entry><toc-entry idref="H2B467B47A4814BC586441A6C3FB1D8FF" level="section">Sec. 103. Findings.</toc-entry><toc-entry idref="H73FA2E50EE074AF5AD4C34845531E69D" level="section">Sec. 104. Rights relating to transparency.</toc-entry><toc-entry idref="H79B93AD5D7D44ABC80E14D7F04B5727E" level="section">Sec. 105. Right to delete.</toc-entry><toc-entry idref="HC1D5FAB3FF594FF5828605B3E6F7D25E" level="section">Sec. 106. Right to correct inaccuracies.</toc-entry><toc-entry idref="HEDC13477E5524EEEBE0E4C65CBBFF7B3" level="section">Sec. 107. Right to controls.</toc-entry><toc-entry idref="HFCBFAA4DDF274D76B7B3994A4C0E6D39" level="section">Sec. 108. Right to data minimization.</toc-entry><toc-entry idref="H45217F6A2F764827B74596D7344F23C9" level="section">Sec. 109. Right to data security.</toc-entry><toc-entry idref="H8869C2325AB94811AC6590504125B494" level="section">Sec. 110. Prohibition of service offers conditioned on waivers of privacy rights.</toc-entry><toc-entry idref="H3EF3BA5093A14488BCE2B83B7F1455C4" level="section">Sec. 111. Scope of coverage.</toc-entry><toc-entry idref="H07B52DD8AF22475AB6A34ABF77EF716A" level="section">Sec. 112. Small business exception.</toc-entry><toc-entry idref="H78A2C0D1D6C742049DFAF8DF0EB9EA84" level="section">Sec. 113. Application and enforcement.</toc-entry><toc-entry idref="HCCC32F1B08E74E24A1D1743C76D9FBAF" level="section">Sec. 114. State privacy protections.</toc-entry><toc-entry idref="H4D6F704FA5AB4F50B9B16B468D72384D" level="section">Sec. 115. Severability.</toc-entry><toc-entry idref="H9ACE1BC86062471980EAF4155799A9A1" level="section">Sec. 116. 
Definitions.</toc-entry><toc-entry idref="HB99045EE6C79421E977C2566CB7C6568" level="section">Sec. 117. Effective date.</toc-entry><toc-entry idref="H17D9DCFA95E64132B1CF947D079F80AF" level="title">Title II—Do Not Track</toc-entry><toc-entry idref="H49E7FC35242847BC8FA127B1AAF9188C" level="section">Sec. 201. Short title.</toc-entry><toc-entry idref="HCC89081C671443A297A058DAB68A7BE6" level="section">Sec. 202. Establishment of Do Not Track system.</toc-entry><toc-entry idref="HB30E6DC010814EE38C9571312BD596C1" level="section">Sec. 203. Do Not Track: requirements for operators; prohibited acts.</toc-entry><toc-entry idref="H875604C6AC55440298EE9A8B315260C5" level="section">Sec. 204. Scope of coverage.</toc-entry><toc-entry idref="H4C11EFB537764617853D98AB230DE466" level="section">Sec. 205. Application and enforcement.</toc-entry><toc-entry idref="H1465656DEDCE49DC9A41C8F6F4C0BCE0" level="section">Sec. 206. State privacy protections.</toc-entry><toc-entry idref="H7DC9D921EB3041E287B8871225673EC7" level="section">Sec. 207. Severability.</toc-entry><toc-entry idref="H6F979E30DA2E4052BDA54C5A6B24E77F" level="section">Sec. 208. Definitions.</toc-entry><toc-entry idref="HA583C4FF74F5473A9DA1343945D07F4A" level="section">Sec. 209. 
Effective date.</toc-entry></toc></subsection></section><title id="H956606D86CE44D9090B6B2B37E762F45"><enum>I</enum><header>Data Privacy Bill of Rights</header><section id="H687DC8EC33F948B3A0D8E710F0B7919A"><enum>101.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Data Privacy Bill of Rights Act</short-title></quote>.</text></section><section id="HB104CD7D8F3D4A2B8E2BC6F50AF799B8"><enum>102.</enum><header>Policy of the United States</header><text display-inline="no-display-inline">It is the policy of the United States that individuals have fundamental rights to secure and protect their privacy in data collected from and about them by firms doing business with them as provided for in this title and that it is also a fundamental purpose of the Federal Government to defend and enforce such privacy rights.</text></section><section id="H2B467B47A4814BC586441A6C3FB1D8FF" commented="no"><enum>103.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds the following:</text><paragraph id="HD101074ACAA14054BDD30612B295FD49" commented="no"><enum>(1)</enum><text>Individuals are endowed with rights to secure and protect data related to their lives, their patterns of movement and commercial exchange and any other information that is classified as sensitive pursuant to this title.</text></paragraph><paragraph id="H84AD32CBC0DA4C63A4437061E85290A6" commented="no"><enum>(2)</enum><text>Individuals have a right to complete transparency with respect to the exchanges they make in terms of a complete accounting of both the nonpecuniary and pecuniary costs allocated to and collected from them.</text></paragraph><paragraph id="HBE2AD3E3BEA847A6BA26972E8515B9FC" commented="no"><enum>(3)</enum><text>While the internet and other technologies have produced enormous benefits to the Nation, they have also had unintentional consequences in eroding individual data privacy 
rights.</text></paragraph><paragraph id="HDCFA76AC1ABB44BA843422664A71D511" commented="no"><enum>(4)</enum><text>The Nation needs to update individual rights to include adequate and effective protections to secure and sustain individual rights to data privacy.</text></paragraph><paragraph id="HF4DFFBC599BE44B6A63E87DDB27F2EB1" commented="no"><enum>(5)</enum><text>That protection of individual data privacy rights should be secured with due consideration of the collateral rights of entities to pursue businesses while assuring complete transparency to individuals as relates to their data and the role that such data plays in the entities’ business models.</text></paragraph></section><section id="H73FA2E50EE074AF5AD4C34845531E69D"><enum>104.</enum><header>Rights relating to transparency</header><subsection id="H57E10FC87899444881541FA55F0B293A"><enum>(a)</enum><header>Right to access</header><text>Upon the verified request of an individual, a covered entity shall provide to the individual—</text><paragraph id="H79CD070CD6854A69AC92347961036F2B"><enum>(1)</enum><text>in a portable format, without licensing restrictions, the covered data of the individual that is collected, processed, or transferred by the covered entity; and</text></paragraph><paragraph id="H86B17F0612C24E29ACC00EDC8EFFBDF0"><enum>(2)</enum><text>in a human-readable format that a reasonable individual can understand—</text><subparagraph id="HA3DFCC5F1F054121A83A86A86CCE50B8"><enum>(A)</enum><text>a copy of the covered data of the individual that is collected, processed, or transferred by the covered entity;</text></subparagraph><subparagraph id="HAEF9009DF8DA471DA75896019F7A5EC1"><enum>(B)</enum><text>a list of each category of third party to which the covered entity has transferred the covered data of the individual; and</text></subparagraph><subparagraph id="H19E94EB522D34CC987E4023B41443079"><enum>(C)</enum><text>the identity of each such third party and a description of the covered data that was 
transferred to such third party and the purpose of the transfer.</text></subparagraph></paragraph></subsection><subsection id="H2184259E7ED444FABE3BB8533847D37F"><enum>(b)</enum><header>Right to immediate notification of collection</header><paragraph id="H2114497315134EB9BA5EE9A6DD6804E4"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">On every website or application landing page, the second-party operator of a covered internet platform shall display, immediately when the page is accessed by an individual, an easily identifiable indicator that provides a real-time notification of whether or not the covered data of the individual is being actively collected by the covered internet platform or any program of a third-party operator that appears on the covered internet platform.</text></paragraph><paragraph id="HD3B0606E979C495196E3D8C1CB7B3692"><enum>(2)</enum><header>Contents of notification</header><text>The notification required by paragraph (1) shall include (or provide a link to or other convenient means of accessing) the following information:</text><subparagraph id="H6235A256F1A04547B695CA03ECE1077E"><enum>(A)</enum><text>The types of data being collected.</text></subparagraph><subparagraph id="H61552E8632554E8CA85F3001A968745B"><enum>(B)</enum><text>The purposes for which such data is processed.</text></subparagraph><subparagraph id="HEF35166126974A2FAF1F24BDB7602D5E"><enum>(C)</enum><text>The categories of such data transferred to third parties.</text></subparagraph><subparagraph id="HE8103CD275F04EF798E3364E0FCE030C"><enum>(D)</enum><text>The categories of third parties to which such data is transferred.</text></subparagraph><subparagraph id="H2153D5864A3749CCBC440D733C05B8A8"><enum>(E)</enum><text>The identity of each third party to which such data is transferred.</text></subparagraph><subparagraph id="HBD514AFDABFE42029C913330B5093547"><enum>(F)</enum><text>How long such data will be retained by the second-party 
operator, any third-party operator, and any third party (as applicable).</text></subparagraph><subparagraph id="HC11BD400F8E04102AC65D8E0291602BE"><enum>(G)</enum><text>A description of individuals’ privacy rights under this title.</text></subparagraph><subparagraph id="HBEA57D039F82425DB9890C2B65125B45"><enum>(H)</enum><text>The contact information for the representatives for privacy and data security inquiries of the second-party operator, any third-party operator, and any third party (as applicable).</text></subparagraph></paragraph><paragraph id="H9FE4AFA3F13E42729FE95E8F95951AFF"><enum>(3)</enum><header>Responsibility of third-party operators</header><text>A third-party operator of a program that appears on a covered internet platform shall, if the program collects any covered data of a user of the platform, ensure that the second-party operator of the platform provides the notification required by paragraph (1) and that the notification includes the information required by paragraph (2) with respect to the program.</text></paragraph></subsection><subsection id="H69C72F7468EB427F97D27366D78BC9ED"><enum>(c)</enum><header>Right To receive privacy policy</header><paragraph id="H3890933C297C443E92FC11233A442795"><enum>(1)</enum><header>In general</header><text>A covered entity shall make publicly and persistently available, in a conspicuous and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the activities of the covered entity with respect to the collection, processing, and transfer of covered data.</text></paragraph><paragraph id="HD4478BC5FA404D128C35577C90DAB4DA"><enum>(2)</enum><header>Contents of privacy policy</header><text>The privacy policy required by paragraph (1) shall include, at a minimum, the following:</text><subparagraph id="H5E669E4EF8734141B76240DC32CD7FE8"><enum>(A)</enum><text>An easy-to-understand explanation of the policy of the covered entity with respect to the collection, processing, and 
transfer of covered data (including clear descriptions that avoid technical and legal jargon to the extent practicable).</text></subparagraph><subparagraph id="H1C8D049BDAD845A3AB5E2CCB0DC1ABF9"><enum>(B)</enum><text>The identity of and contact information for the covered entity, including the contact information for the covered entity’s representative for privacy and data security inquiries.</text></subparagraph><subparagraph id="H0D4AD61F7D2F4FF18F575EFC123B7AC8"><enum>(C)</enum><text>Each category of covered data the covered entity collects and the processing purposes for which such data is collected.</text></subparagraph><subparagraph id="H3A67ACD6214F4F1F8AAAAD6CF5C73EFA"><enum>(D)</enum><text>Whether the covered entity transfers covered data and, if so—</text><clause id="HD0CBB896C35C47779388C5FEA7634331"><enum>(i)</enum><text>each category of service provider or third party to which the covered entity transfers covered data and the purposes for which such data is transferred to each such category; and</text></clause><clause id="H5A7C2F15306948E897664D55FE546A6D"><enum>(ii)</enum><text>the identity of each third party to which the covered entity transfers covered data and the purposes for which such data is transferred to such third party.</text></clause></subparagraph><subparagraph id="H304F7DC731624C94ABB2EE332B4904B2"><enum>(E)</enum><text>How long covered data processed by the covered entity will be retained by the covered entity or a third party and a description of the covered entity’s data minimization policies.</text></subparagraph><subparagraph id="H7CC6B6762265457CA0A8E7588092FC53"><enum>(F)</enum><text>How individuals can exercise the individual rights described in this title.</text></subparagraph><subparagraph id="H1C3376AEF8134BB9ABC65ADA4A8A242E"><enum>(G)</enum><text>A description of the covered entity’s data security policies.</text></subparagraph><subparagraph id="H1980BF58BE4F46A285883C3ABF577C6E"><enum>(H)</enum><text>The effective date of 
the privacy policy.</text></subparagraph></paragraph><paragraph id="H9EA9F2F8F0E4483EAE645B2F2548645A"><enum>(3)</enum><header>Languages</header><text>A covered entity shall make the privacy policy required under paragraph (1) available to the public in all of the languages in which the covered entity provides a product or service or carries out any other activities to which the privacy policy relates.</text></paragraph></subsection><subsection id="HC851394F08154805B7CEFD504526A2DD"><enum>(d)</enum><header>Right To consent to material changes</header><text>If a material change to the privacy policy of a covered entity required under subsection (c) would weaken privacy protections for covered data, the covered entity may not apply such change to the covered data of an individual that was collected before the change takes effect without obtaining the affirmative express consent of the individual to the change.</text></subsection></section><section id="H79B93AD5D7D44ABC80E14D7F04B5727E"><enum>105.</enum><header>Right to delete</header><subsection id="HD15F28EFF01F46D3B71B3E9C2A1A0E9F"><enum>(a)</enum><header>In general</header><text>A covered entity, upon the verified request of an individual, shall—</text><paragraph id="H980F855045D3452191000126009FF653"><enum>(1)</enum><text>at the option of the individual—</text><subparagraph id="HDE9171DE7DE54BEAAB1DBA9B246B25A2"><enum>(A)</enum><text>delete, or allow the individual to delete, any information in the covered data of the individual that is processed by the covered entity; or</text></subparagraph><subparagraph id="H059E424EDBC24E93957174CD3AC5B1CB"><enum>(B)</enum><text>take action to disable or mask the identification of the individual connected to any information in the covered data of the individual that is processed by the covered entity;</text></subparagraph></paragraph><paragraph id="H22795A12B9E14DAFB3D737825676DA81"><enum>(2)</enum><text>inform any service provider or third party to which the covered entity 
transferred such data of the request of the individual under paragraph (1); and</text></paragraph><paragraph id="H80B2010B10854B3CA819DCA257F82035"><enum>(3)</enum><text>direct the service provider or third party to honor the request.</text></paragraph></subsection><subsection id="H48E386D3899B43739BC2D5335A6C5667"><enum>(b)</enum><header>Service providers and third parties</header><text>In the case of a service provider or third party that is informed under paragraph (2) of subsection (a) and directed to honor under paragraph (3) of such subsection the request of an individual under paragraph (1) of such subsection, the service provider or third party shall, in accordance with the request, delete the information or take action to disable or mask the identification of the individual.</text></subsection></section><section id="HC1D5FAB3FF594FF5828605B3E6F7D25E"><enum>106.</enum><header>Right to correct inaccuracies</header><subsection id="H05D7B029275A455982BAB9DE735F987A"><enum>(a)</enum><header>In general</header><text>A covered entity, upon the verified request of an individual, shall—</text><paragraph id="HBA0D7BADAFE14B5CBC5445BFAC2BD8FE"><enum>(1)</enum><text>correct, or allow the individual to correct, inaccurate or incomplete information in the covered data of the individual that is processed by the covered entity;</text></paragraph><paragraph id="H0BDAF10469254E6F9E2D7668956791CA"><enum>(2)</enum><text>inform any service provider or third party to which the covered entity transferred such data of the request of the individual under paragraph (1) and of the corrected information; and</text></paragraph><paragraph id="HBC04BBCF88BA45F085AA0FC297D5FDEB"><enum>(3)</enum><text>direct the service provider or third party to honor the request.</text></paragraph></subsection><subsection id="HB6151C11A4BC4733A5CC5039A1D87E11"><enum>(b)</enum><header>Service providers and third parties</header><text>In the case of a service provider or third party that is informed under 
paragraph (2) of subsection (a) and directed to honor under paragraph (3) of such subsection the request of an individual under paragraph (1) of such subsection, the service provider or third party shall, in accordance with the request, correct the information.</text></subsection></section><section id="HEDC13477E5524EEEBE0E4C65CBBFF7B3"><enum>107.</enum><header>Right to controls</header><subsection id="HC78F3CBC030B496BB602FA7636E8BA93"><enum>(a)</enum><header>Sense of Congress</header><text>It is the sense of Congress that—</text><paragraph id="H889016CDC7414D65871BDAB6CAF6C93F"><enum>(1)</enum><text>the term <quote>privacy policy</quote> is deceptive;</text></paragraph><paragraph id="H244601AFCB28473BA123BAEC29699A88"><enum>(2)</enum><text>such policies are in fact data collection policies; and</text></paragraph><paragraph id="H14CD3D25FDC54C7CBD5665FF2D196CA3"><enum>(3)</enum><text>covered data is the private property of the individual about whom the data has been collected and should be treated as such.</text></paragraph></subsection><subsection id="H9B93F66C88474E1BBED489D8F6743FDF"><enum>(b)</enum><header>Requirement for affirmative express consent for collection, processing, or transfer of covered data</header><paragraph id="HF4F7EF2352A841C8BB7DF4365B9B978C"><enum>(1)</enum><header>In general</header><text>A covered entity may not collect, process, or transfer to a third party the covered data of an individual without obtaining the affirmative express consent of the individual to the collection, processing, or transfer through a process established under the rule issued by the Commission under paragraph (3).</text></paragraph><paragraph id="HD0B5FD121F8A47C7AA2DC3576E3CBB66"><enum>(2)</enum><header>Right to withdraw affirmative express consent</header><text>A covered entity shall permit an individual to withdraw the affirmative express consent of the individual to the collection, processing, or transfer to a third party of the covered data of the individual 
through a process established under the rule issued by the Commission under paragraph (3).</text></paragraph><paragraph id="H87AB0249FB7B48BAA7BEDBCA5AAFE8A9"><enum>(3)</enum><header>Rulemaking</header><subparagraph id="H6BCA5A3CA7024876BAA2079074089738"><enum>(A)</enum><header>In general</header><text>Not later than 1 year after the date of the enactment of this Act, the Commission shall issue a rule under section 553 of title 5, United States Code, establishing one or more acceptable processes for a covered entity to follow in requesting the affirmative express consent of an individual to the collection, processing, or transfer of the covered data of the individual and in permitting an individual to withdraw such consent.</text></subparagraph><subparagraph id="HAD72E5CD5A284B53AB7EBE4C375B3CBA"><enum>(B)</enum><header>Requirements</header><text>The processes established by the Commission under subparagraph (A) shall—</text><clause id="HC95A62EB97FE4FC4AE1C55D712893F7B"><enum>(i)</enum><text>include clear and conspicuous requests for affirmative express consent and consumer-friendly mechanisms to allow an individual to provide and withdraw affirmative express consent;</text></clause><clause id="H9C81E004676C45CD80E65D5A6E244B1A"><enum>(ii)</enum><text>allow an individual to provide and withdraw affirmative express consent—</text><subclause id="HC62D190EBAD243AA8EDB3DFE4F5E67F4"><enum>(I)</enum><text>for the collection, processing, or transfer of some or all (at the option of the individual) of the covered data of the individual; and</text></subclause><subclause id="H7C128075D327413FBA2D47F9DD36EF25"><enum>(II)</enum><text>for the transfer of the covered data of the individual to some or all (at the option of the individual) third parties;</text></subclause></clause><clause id="H7445C11840F94DA987FCB626062BF0DB"><enum>(iii)</enum><text>allow an individual to view the status of affirmative express consent provided or withdrawn;</text></clause><clause 
id="H256F8F83A016418583FC6DF0720B3519"><enum>(iv)</enum><text>be privacy protective; and</text></clause><clause id="H6DC8C74A702A45029A49826D200FF5A2"><enum>(v)</enum><text>be informed by the Commission’s experience developing and implementing the National Do Not Call Registry.</text></clause></subparagraph></paragraph></subsection></section><section id="HFCBFAA4DDF274D76B7B3994A4C0E6D39"><enum>108.</enum><header>Right to data minimization</header><subsection id="HEB86253C11214626900977885A4489C3"><enum>(a)</enum><header>In general</header><text>A covered entity may not collect, process, or transfer the covered data of an individual beyond what is reasonably necessary, proportionate, and limited to the purposes for which the individual provides affirmative express consent to the collection, processing, or transfer.</text></subsection><subsection id="H741861BB2C4E4281B779FA48D82AA182"><enum>(b)</enum><header>Rule of construction</header><text>Nothing in subsection (a) may be construed to authorize any collection, processing, or transfer of covered data that is prohibited by any other provision of this title.</text></subsection></section><section id="H45217F6A2F764827B74596D7344F23C9"><enum>109.</enum><header>Right to data security</header><subsection id="HEA72324EFA424C549F00CDCCF1A62B03"><enum>(a)</enum><header>In general</header><text>A covered entity shall establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data. 
Such data security practices shall be appropriate to the volume and nature of the covered data at issue.</text></subsection><subsection id="HEF45B3DBD77A46409281A624659578E3"><enum>(b)</enum><header>Specific requirements</header><text>Data security practices required under subsection (a) shall include, at a minimum, the following:</text><paragraph id="HD11A026F9C7C451BA08C9015CAC1568A"><enum>(1)</enum><header>Assess vulnerabilities</header><text>Identifying and assessing any reasonably foreseeable risks to, and vulnerabilities in, each system maintained by the covered entity that collects, processes, or transfers covered data, including unauthorized access to or risks to covered data, human vulnerabilities, access rights, and use of service providers. Such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by entities and individuals.</text></paragraph><paragraph id="HCCF443BFC5B14E9FA27E4BB4F134F26D"><enum>(2)</enum><header>Preventive and corrective action</header><text>Taking preventive and corrective action to mitigate any risks or vulnerabilities to covered data identified by the covered entity, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.</text></paragraph><paragraph id="HF2CA4CD648144182A413FD6DDB9CE37B"><enum>(3)</enum><header>Information retention and disposal</header><text>Deleting covered data that is required to be deleted or is no longer necessary for the purpose for which the data was collected unless the individual to whom the data relates provides affirmative express consent to the retention of the data. 
Such process shall include data hygiene practices to ensure ongoing compliance with this paragraph.</text></paragraph><paragraph id="HED2A8B55E75E43289B858C7103EA5C78"><enum>(4)</enum><header>Comprehensive data security program</header><text>Implementation of a comprehensive data security program, including—</text><subparagraph id="H5DB6F4DF570C470B8C266FC5FD198A1A"><enum>(A)</enum><text>designation of an employee responsible for data security;</text></subparagraph><subparagraph id="H6CE73F208EEC4FC78553C26FDE6D4967"><enum>(B)</enum><text>training for all employees with access to covered data on how to safeguard covered data and protect individual privacy, and updating that training as necessary; and</text></subparagraph><subparagraph id="HB2B415D7DDFB418EAC3275AAE7ACA01F"><enum>(C)</enum><text>due diligence with regard to the data security practices of service providers to which the covered entity transfers covered data.</text></subparagraph></paragraph></subsection></section><section id="H8869C2325AB94811AC6590504125B494"><enum>110.</enum><header>Prohibition of service offers conditioned on waivers of privacy rights</header><text display-inline="no-display-inline">A covered entity may not—</text><paragraph id="H292B2FB3461741088783C975BC30106E"><enum>(1)</enum><text>condition, or effectively condition, provision of the service on agreement by an individual to waive privacy rights guaranteed by law or regulation, including this title; or</text></paragraph><paragraph id="HA072B24068144BF0801A47C4B2B2813A"><enum>(2)</enum><text>terminate the service or otherwise refuse to provide the service as a direct or indirect consequence of the refusal of a user to waive any privacy rights described in this title.</text></paragraph></section><section id="H3EF3BA5093A14488BCE2B83B7F1455C4"><enum>111.</enum><header>Scope of coverage</header><subsection id="HC9563D8C9ADE4C6FB671E782A32EE2C2"><enum>(a)</enum><header>General exceptions</header><text>Notwithstanding any other 
provision of this title, a covered entity may collect, process, or transfer covered data for any of the following purposes, if the collection, processing, or transfer is reasonably necessary, proportionate, and limited to such purpose:</text><paragraph id="H3AAD389EA35A446C9A2054A2AD574267"><enum>(1)</enum><text>To initiate or complete a transaction or to fulfill an order or provide a service specifically requested by an individual, including associated routine administrative activities such as billing, shipping, financial reporting, and accounting.</text></paragraph><paragraph id="HA094CC70829B49458F4A267E63B963C5"><enum>(2)</enum><text>To perform internal system maintenance, diagnostics, product or service management, inventory management, or network management.</text></paragraph><paragraph id="H761C47CE887949809BF02302B4882F13"><enum>(3)</enum><text>To prevent, detect, or respond to a security incident or trespassing, provide a secure environment, or maintain the safety and security of a product, service, or individual.</text></paragraph><paragraph id="HFE2816D230BC4B5B96B50980AFFA209B"><enum>(4)</enum><text>To protect against malicious, deceptive, fraudulent, or illegal activity.</text></paragraph><paragraph id="H5C5B32A03D964BFFBEE254F42B971E41"><enum>(5)</enum><text>To comply with a legal obligation or the establishment, exercise, analysis, or defense of legal claims or rights, or as required or specifically authorized by law.</text></paragraph><paragraph id="H44FFAB5D150C481992ED66074DCA562F"><enum>(6)</enum><text>To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by an Executive agency.</text></paragraph><paragraph id="H06E556E1DDFB4217A7DF55050ADEA15B"><enum>(7)</enum><text>To cooperate with an Executive agency or a law enforcement official acting under the authority of an Executive or State agency concerning conduct or activity that the Executive agency or law enforcement official reasonably and in good faith 
believes may violate Federal, State, or local law, or pose a threat to public safety or national security.</text></paragraph><paragraph id="H2248C09C5032421CB0DA08CD552CBCEA"><enum>(8)</enum><text>To address risks to the safety of an individual or group of individuals, or to ensure customer safety, including by authenticating individuals in order to provide access to large venues open to the public.</text></paragraph><paragraph id="H8F7B211BE6BB474FAED60949E664E36B"><enum>(9)</enum><text>To effectuate a product recall pursuant to Federal or State law.</text></paragraph><paragraph id="H558549A0521E4E1CBB3D4DC44B4345C6"><enum>(10)</enum><text>To conduct public or peer-reviewed scientific, historical, or statistical research that—</text><subparagraph id="H59BDDF520D2E4170B9B736EFFA5E0D25"><enum>(A)</enum><text>is in the public interest;</text></subparagraph><subparagraph id="HFF460A02EDFA4293B3C17217562CFBF6"><enum>(B)</enum><text>adheres to all applicable ethics and privacy laws; and</text></subparagraph><subparagraph id="H0AE530BAABA245A0A6ED72BECE98EBFB"><enum>(C)</enum><text>is approved, monitored, and governed by an institutional review board or other oversight entity that meets standards promulgated by the Commission pursuant to section 553 of title 5, United States Code.</text></subparagraph></paragraph><paragraph id="H4B0C6DEC0C8E4013928B2CC87D28DF23"><enum>(11)</enum><text>To transfer covered data to a service provider.</text></paragraph><paragraph id="H4AD1DC685569452596190F0E463840BB"><enum>(12)</enum><text>For a purpose identified by the Commission pursuant to a regulation promulgated under subsection (b).</text></paragraph></subsection><subsection id="HA040D77796DA4D3593816519CE952D32"><enum>(b)</enum><header>Additional purposes</header><text>The Commission may promulgate regulations under section 553 of title 5, United States Code, identifying additional purposes for which a covered entity may collect, process, or transfer covered data and protect 
individual rights to data privacy in accordance with this title.</text></subsection></section><section id="H07B52DD8AF22475AB6A34ABF77EF716A"><enum>112.</enum><header>Small business exception</header><text display-inline="no-display-inline">Sections 103, 104, 105, and 106 do not apply in the case of a person who can establish that, for the 3 preceding calendar years (or for the period during which the person has been in existence if such period is less than 3 years)—</text><paragraph id="H7E5DDCCD3C2347D9944B4C1EF88C58DA"><enum>(1)</enum><text>the average annual gross revenues of the person did not exceed $50,000,000;</text></paragraph><paragraph id="HE013A1D88D4346EAB78348D57734228B"><enum>(2)</enum><text>on average, the person annually processed the covered data of less than 1,000,000 individuals;</text></paragraph><paragraph id="H52BF6DFD7F124ED4B35E0AEE94AAA0CE"><enum>(3)</enum><text>the person never employed more than 500 individuals at any one time; and</text></paragraph><paragraph id="H0A6F6BED297F44F994A9639715523258"><enum>(4)</enum><text>the person derived less than 50 percent of the revenues of the person from transferring covered data.</text></paragraph></section><section id="H78A2C0D1D6C742049DFAF8DF0EB9EA84"><enum>113.</enum><header>Application and enforcement</header><subsection id="H8198F6875C544BC4ACC3388D7755D16A"><enum>(a)</enum><header>General Application</header><text>The requirements of this title apply, according to their terms, to—</text><paragraph id="H075CCE31C0A045E984D29D0755609B66"><enum>(1)</enum><text>those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45(a)(2)</external-xref>); and</text></paragraph><paragraph id="H0937981AD19D4EC6BD96BE15D9AC7F82"><enum>(2)</enum><text>notwithstanding sections 4 and 5(a)(2) of such Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref>; 45(a)(2))—</text><subparagraph id="HC58D01DE24F14FDE8EF5A84BDE22A9EE"><enum>(A)</enum><text>common carriers described in such section 5(a)(2); and</text></subparagraph><subparagraph id="HDD7EB9E05514460B96DC4E32A06DDFF5"><enum>(B)</enum><text>organizations not organized to carry on business for their own profit or that of their members.</text></subparagraph></paragraph></subsection><subsection id="HDADF1C2E56A840E7AB9CBDB15DB91E57"><enum>(b)</enum><header>Enforcement by the commission</header><paragraph id="H4876BC3A38244DF7BD8B73CC87FC9D43"><enum>(1)</enum><header>In general</header><text>Except as otherwise provided, this title and the regulations prescribed under this title shall be enforced by the Commission under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text></paragraph><paragraph id="H7CFF562DA4B342FCB082FC7F6F49DB9F"><enum>(2)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of this title or a regulation prescribed under this title shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 
57a(a)(1)(B)</external-xref>).</text></paragraph><paragraph id="H62091F5965FC41C799B70E0EB033A1B2"><enum>(3)</enum><header>Actions by the commission</header><subparagraph id="HAAE6B6C340ED4FD885E1D4EB6AD6FC2C"><enum>(A)</enum><header>In general</header><text>Except as provided in subparagraph (B) and subsection (a), the Commission shall prevent any person from violating this title or a regulation prescribed under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this title, and any person who violates this title or a regulation prescribed under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.</text></subparagraph><subparagraph id="HFBDD1D2FEA68424E8E0DFF3EDC4FA232"><enum>(B)</enum><header>Penalties</header><clause id="HE4BAE5DC8E1242D68817E2B900E99AEA"><enum>(i)</enum><header>In general</header><text>Notwithstanding section 5(m) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45(m)</external-xref>), a civil penalty recovered for a violation of this title or a regulation prescribed under this title may be in excess of the amounts provided for in that section, if such penalty meets the requirements of this subparagraph.</text></clause><clause id="H07545D9931DD476381528FF685C75220"><enum>(ii)</enum><header>Penalty for negligent violation</header><text>In the case of a person who negligently violates this title or a regulation prescribed under this title, such person shall be liable for a civil penalty that does not exceed $50 for every individual affected by such violation for every day during which the person is in violation of this title or such regulation as described in this clause.</text></clause><clause id="HCFC0A23BD7D84E87B420A7FD3A948971"><enum>(iii)</enum><header>Penalty for willful or reckless violation</header><text>In the case of a person who willfully or recklessly violates this title or a regulation prescribed under this title, such person shall be liable for a civil penalty that—</text><subclause id="HEEAA293E51014911AAA93BB0D6D200B9"><enum>(I)</enum><text>is not less than $100,000; and</text></subclause><subclause id="H4EA58507432A4E3892D4B859A27809E0"><enum>(II)</enum><text>does not exceed $1,000 for every individual affected by such violation for every day during which the person is in violation of this title or such regulation as described in this clause.</text></subclause></clause></subparagraph></paragraph></subsection><subsection id="HA9671273A0964C1DB03050AE1955EB4D"><enum>(c)</enum><header>Enforcement by state attorneys general</header><paragraph id="H03A21B4FA29F4662AFFDA357CA8A21F2"><enum>(1)</enum><header>In general</header><subparagraph id="H22D23ACD5BE749D7A3215765D40FD223"><enum>(A)</enum><header>Civil actions</header><text>In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement 
of any person in an act or practice that violates this title or a regulation prescribed under this title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States or a State court of appropriate jurisdiction to—</text><clause id="H8C4752AC69A749289C5DA668F77476B5"><enum>(i)</enum><text>enjoin that act or practice;</text></clause><clause id="H1C8EDCCEB1F24AFFB75EC95BE24030AC"><enum>(ii)</enum><text>enforce compliance with this title or such regulation;</text></clause><clause id="H4E4D264925494F1B88A543BDE3C197BE"><enum>(iii)</enum><text>obtain damages, statutory damages in the same amount as the penalties that the Commission may obtain under section 5(m) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(m)</external-xref>) and subsection (b)(3)(B) of this section, restitution, or other compensation on behalf of residents of the State; or</text></clause><clause id="HA3ED3E424EA0435E93D520FF50641210"><enum>(iv)</enum><text>obtain such other relief as the court may consider to be appropriate.</text></clause></subparagraph><subparagraph id="H43344631BBDD4EC183B15B5517B6BE84"><enum>(B)</enum><header>Notice</header><clause id="H39737B0A199249AD973B2495AC67B50B"><enum>(i)</enum><header>In general</header><text>Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Commission—</text><subclause id="H5CC61462DFBF46F6B9B24781CAC9F128"><enum>(I)</enum><text>written notice of that action; and</text></subclause><subclause id="H7F876FEEDD5E4ABF9D470B348A86625D"><enum>(II)</enum><text>a copy of the complaint for that action.</text></subclause></clause><clause id="H3827D5691EB94D5D888B86D47A938AD1"><enum>(ii)</enum><header>Exemption</header><subclause id="HAABB53081F3F44409AACF607EC79FF48"><enum>(I)</enum><header>In general</header><text>Clause (i) does not apply with respect to the filing of 
an action by an attorney general of a State under this paragraph if the attorney general of the State determines that it is not feasible to provide the notice described in that clause before the filing of the action.</text></subclause><subclause id="HB834E9E3B41345D9A4D730C537F321A1"><enum>(II)</enum><header>Notification</header><text>In an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.</text></subclause></clause></subparagraph></paragraph><paragraph id="H3B4AB5A6D6E2491F85820E8FB94DB7EA"><enum>(2)</enum><header>Intervention</header><subparagraph id="HBD9A5313EBCC4B3A9800EBF4C3900DC6"><enum>(A)</enum><header>In general</header><text>On receiving notice under paragraph (1)(B), the Commission shall have the right to intervene in the action that is the subject of the notice.</text></subparagraph><subparagraph id="H64D96F57BE2C49D2855F36A4A5D6C066"><enum>(B)</enum><header>Effect of intervention</header><text>If the Commission intervenes in an action under paragraph (1), it shall have the right—</text><clause id="H257F487554B349ED9FE3BEFAC3816853"><enum>(i)</enum><text>to be heard with respect to any matter that arises in that action; and</text></clause><clause id="H9578145067D74EA98EE52840E96581E6"><enum>(ii)</enum><text>to file a petition for appeal.</text></clause></subparagraph></paragraph><paragraph id="HC563C151A8994958BEBCA030EB9222BE"><enum>(3)</enum><header>Construction</header><text>For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—</text><subparagraph id="HECD64B64151141C993DB90E6FF0CB188"><enum>(A)</enum><text>conduct investigations;</text></subparagraph><subparagraph 
id="H967244CE33F141B8BC8201C78813E027"><enum>(B)</enum><text>administer oaths or affirmations; or</text></subparagraph><subparagraph id="HDD67AFB84C5B4ECE939DA18549E37080"><enum>(C)</enum><text>compel the attendance of witnesses or the production of documentary and other evidence.</text></subparagraph></paragraph><paragraph id="HC4008A8483AE4D9DAB6DCCD90E1080A8"><enum>(4)</enum><header>Actions by the commission</header><text>In any case in which an action is instituted by or on behalf of the Commission for violation of this title or a regulation prescribed under this title, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in the action instituted by or on behalf of the Commission for that violation.</text></paragraph><paragraph id="HBABB6C38630B4DE0AE8B7BB293435DD6"><enum>(5)</enum><header>Venue; service of process</header><subparagraph id="HE182D9D40F614084940B771D58FC3382"><enum>(A)</enum><header>Venue</header><text>Any action brought under paragraph (1) may be brought in—</text><clause id="HAB62AF3491E34FA9A4300648CF14D59E"><enum>(i)</enum><text>a district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or</text></clause><clause id="H89D46E728F394D948709424D4BA0736F"><enum>(ii)</enum><text>a State court of competent jurisdiction.</text></clause></subparagraph><subparagraph id="H101BA94439D846AAB28480F3ED055E3D"><enum>(B)</enum><header>Service of process</header><text>In an action brought under paragraph (1) in a district court of the United States, process may be served wherever the defendant—</text><clause id="H24D7689C85F845E1A84AAFD0983CC6A0"><enum>(i)</enum><text>is an inhabitant; or</text></clause><clause id="H5FE2F3B4B2A440399FD37E3B8C8AA24D"><enum>(ii)</enum><text>may be found.</text></clause></subparagraph></paragraph></subsection></section><section 
id="HCCC32F1B08E74E24A1D1743C76D9FBAF"><enum>114.</enum><header>State privacy protections</header><text display-inline="no-display-inline">Nothing in this title shall preempt any State law, regulation, or other requirement having the force or effect of law that is more protective of the privacy of individuals than the requirements of this title.</text></section><section id="H4D6F704FA5AB4F50B9B16B468D72384D"><enum>115.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this title or the application of a provision of this title to any person or circumstance is held to be invalid or unconstitutional, the remainder of this title, or the application of such provision to any other person or circumstance, shall not be affected.</text></section><section id="H9ACE1BC86062471980EAF4155799A9A1"><enum>116.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text><paragraph id="H147154C9A0154E59997E887A65EC4F18"><enum>(1)</enum><header>Affirmative express consent</header><subparagraph id="HB8D7372F4407452F8272A5D0E469DDCC"><enum>(A)</enum><header>In general</header><text>The term <quote>affirmative express consent</quote> means an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request that meets the requirements of subparagraph (B).</text></subparagraph><subparagraph id="HB38B7E92835F45699B59D7B279942F42"><enum>(B)</enum><header>Request requirements</header><text>The requirements of this subparagraph with respect to a request from a covered entity to an individual are the following:</text><clause id="HB1FF785C76DE45D78A63BDE73861E1F6"><enum>(i)</enum><text>The request is provided to the individual in a standalone disclosure.</text></clause><clause id="H5D6AE6D40D8D4D83B75560265F42FB82"><enum>(ii)</enum><text>The request includes a description of each act or practice for which the individual’s consent is 
sought and—</text><subclause id="HBB875101D765476EB6F6508C4F0D9E62"><enum>(I)</enum><text>clearly distinguishes between an act or practice which is necessary to fulfill a request of the individual and an act or practice which is for another purpose; and</text></subclause><subclause id="H5A1D9E8B1E844F6F82E6B30412124802"><enum>(II)</enum><text>is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice.</text></subclause></clause><clause id="HD5C5473C1C29472C8C2933D11CA89872"><enum>(iii)</enum><text>The request clearly explains the individual’s applicable rights related to consent.</text></clause></subparagraph><subparagraph id="H7892ACA6CBC2409F94FB947D78107DAA"><enum>(C)</enum><header>Express consent required</header><text>A covered entity may not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the covered entity.</text></subparagraph><subparagraph id="HC56BBD2E507645318317A6D248CEAD2E"><enum>(D)</enum><header>Prior consent required</header><text>In the case of any requirement of this title for a covered entity to obtain affirmative express consent for an act or practice, the covered entity shall obtain such consent before engaging in the act or practice. 
</text></subparagraph></paragraph><paragraph id="H082F2A6204CF469EBCA8748555999B69"><enum>(2)</enum><header>Collect; collection</header><text>The terms <quote>collect</quote> and <quote>collection</quote> mean, with respect to the covered data of an individual, buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring such data by any means, including by passively or actively observing the individual’s behavior.</text></paragraph><paragraph id="HB9FCC07B7B494B468FE087F911581842"><enum>(3)</enum><header>Commission</header><text>The term <quote>Commission</quote> means the Federal Trade Commission.</text></paragraph><paragraph id="HC23DC52C643A4DFB967E936B02BD5C9B"><enum>(4)</enum><header>Connected device</header><text>The term <quote>connected device</quote> means a physical object that—</text><subparagraph id="H957F2312947A4A1C9C0FC4A51746CADA"><enum>(A)</enum><text>is capable of connecting to the internet, either directly or indirectly through a network, to communicate information at the direction of an individual; and</text></subparagraph><subparagraph id="H8906BDAB95CC493CBFE631A61E946F2E"><enum>(B)</enum><text>has computer processing capabilities for collecting, sending, receiving, or analyzing data.</text></subparagraph></paragraph><paragraph id="H11A7A0FA78CA46C6B9B1FE773366514B"><enum>(5)</enum><header>Control</header><text>The term <quote>control</quote> means, with respect to an entity—</text><subparagraph id="H69E7B3CC5FF4457CB7E463489A93C833"><enum>(A)</enum><text>ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;</text></subparagraph><subparagraph id="HCEFC82A31C814076836C489281001DAC"><enum>(B)</enum><text>control in any manner over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or</text></subparagraph><subparagraph id="H7B493C0808414DA3B96E6D779E43B777"><enum>(C)</enum><text>the power to 
exercise a controlling influence over the management of the entity.</text></subparagraph></paragraph><paragraph id="HE13D7B2442DD450EA7FAFDA4D450C467"><enum>(6)</enum><header>Covered data</header><subparagraph id="HA5640C4FFBA440238BC37ACB62052FF7"><enum>(A)</enum><header>In general</header><text>The term <quote>covered data</quote> means information that identifies or is linked or reasonably linkable to an individual or a connected device that is linked or reasonably linkable to an individual.</text></subparagraph><subparagraph id="HA56A282DBCB94852ACBC059FEB2702AB"><enum>(B)</enum><header>Linked or reasonably linkable</header><text>For purposes of subparagraph (A), information held by a covered entity is linked or reasonably linkable to an individual or a connected device if, as a practical matter, it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity to identify such individual or such device.</text></subparagraph><subparagraph id="H5BC030FD069043D898034D11666EFD10"><enum>(C)</enum><header>Exclusions</header><text>Such term does not include—</text><clause id="H61DF91CF4EC94F77A3AD7694BE353F5F"><enum>(i)</enum><text>aggregated data;</text></clause><clause id="HE48BA2C5683D4430808B0E7E727C01DF"><enum>(ii)</enum><text>de-identified data;</text></clause><clause id="HD2D1E34465D747C29C92C3735AFCF1AF"><enum>(iii)</enum><text>data of an individual processed by the covered entity in the capacity of the covered entity as the employer of the individual; or</text></clause><clause id="H40172426A24C45B6B946FEDE10DBAA22"><enum>(iv)</enum><text display-inline="yes-display-inline">publicly available information.</text></clause></subparagraph></paragraph><paragraph id="H1C4B850C2E024AD89C4FA053E933621B"><enum>(7)</enum><header>Covered entity</header><text>The term <quote>covered entity</quote> means any person who—</text><subparagraph id="H2500C8E2BFBE42FC9BD68BEF0A7AE937"><enum>(A)</enum><text>collects, 
processes, or transfers covered data; and</text></subparagraph><subparagraph id="H882DD91F5AB44BA7B1C8FD2E5E90E580" commented="no"><enum>(B)</enum><text>determines the purposes and means of such collection, processing, or transfer.</text></subparagraph></paragraph><paragraph id="H4DA9E12BFFEA4FDF8B42EDF98959BD4D" commented="no"><enum>(8)</enum><header>Covered internet platform</header><subparagraph id="HE3F6ADB645AE4D618136B83147314C2C" commented="no"><enum>(A)</enum><header>In general</header><text>The term <quote>covered internet platform</quote> means any public-facing website, internet application, or mobile application, including a social network site, video sharing service, search engine, or content aggregation service.</text></subparagraph><subparagraph id="H706790330DE94286AB82ADDDAD82DA44" commented="no"><enum>(B)</enum><header>Exclusion</header><text>Such term does not include a platform that is operated for the sole purpose of conducting research that is not conducted for profit, either directly or indirectly.</text></subparagraph></paragraph><paragraph id="HD893CE759DEA481C8BAB3F706974CCF7"><enum>(9)</enum><header>Delete</header><text>The term <quote>delete</quote> means to remove or destroy information such that it is not maintained in human or machine-readable form and cannot be retrieved or utilized in such form in the normal course of business.</text></paragraph><paragraph id="H7B85C786110145AAB6AFD2E2DE931B47"><enum>(10)</enum><header>Executive agency</header><text>The term <quote>Executive agency</quote> has the meaning given such term in section 105 of title 5, United States Code.</text></paragraph><paragraph id="H78E64B7BD3B14307B2E0961124AA6B5C"><enum>(11)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States, however identified, including by any unique identifier.</text></paragraph><paragraph 
id="H68E27671785F4E548EDF18EDCDB2D821"><enum>(12)</enum><header>Material</header><text>The term <quote>material</quote> means, with respect to an act, practice, or representation of a covered entity (including a representation made by the covered entity in a privacy policy or similar disclosure to individuals), that such act, practice, or representation is likely to affect an individual’s decision or conduct regarding a product or service.</text></paragraph><paragraph id="H3905793973394899B573998A0F06AD39"><enum>(13)</enum><header>Process</header><text>The term <quote>process</quote> means to perform any operation or set of operations on covered data, including collection, analysis, organization, structuring, retaining, using, transferring, or otherwise handling covered data. </text></paragraph><paragraph id="H7E622C0A0065428CB8FBC6555CB59CFD"><enum>(14)</enum><header>Processing purpose</header><text>The term <quote>processing purpose</quote> means an adequately specific and granular reason for which a covered entity processes covered data that clearly describes the processing activity.</text></paragraph><paragraph id="HB35A9FD7547948DB860552A1F2595D15" commented="no"><enum>(15)</enum><header>Program</header><text>The term <quote>program</quote> means, with respect to a covered internet platform, any program that appears on the platform, including a program that delivers advertisements to users of the platform and a program used to log into the platform.</text></paragraph><paragraph id="HAB3BA683AEF846378A9B4EBB57260C08" commented="no"><enum>(16)</enum><header>Publicly available information</header><text>The term <quote>publicly available information</quote> means information that is available to the general public, including—</text><subparagraph id="H14FE1A4EFADE427389200F730BE5B2AA" commented="no"><enum>(A)</enum><text>any information to which the source allows access by anyone upon request; and</text></subparagraph><subparagraph 
id="HAC13D7D80F5744E7BC4B7387F9261B03" commented="no"><enum>(B)</enum><text>any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records, widely distributed media, or disclosures to the general public that are required to be made by Federal, State, or local law.</text></subparagraph></paragraph><paragraph id="H55388602663440B18B16D3739D4A1FE5"><enum>(17)</enum><header>Research</header><text>The term <quote>research</quote> means the scientific analysis of information, including covered data, by a covered entity or those with whom the covered entity is cooperating or others acting at the direction or on behalf of the covered entity, that is conducted for the primary purpose of advancing scientific knowledge and may be for the commercial benefit of the covered entity.</text></paragraph><paragraph id="H844433FBC4CA4C25A44D1053F86D9431"><enum>(18)</enum><header>Second-party operator</header><text display-inline="yes-display-inline">The term <quote>second-party operator</quote> means the operator of a covered internet platform with which a user intends to connect, but does not include the operator of a program that appears on the platform (if the operator of the program is different from the operator of the platform).</text></paragraph><paragraph id="H56F1A1EB919543C0BBA8923C0DE3554D"><enum>(19)</enum><header>Service provider</header><text>The term <quote>service provider</quote> means, with respect to a set of covered data, a covered entity that collects, processes, or transfers such covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, another covered entity that—</text><subparagraph id="HA2C9EA22E9DC40A281BACD034CB65BBF"><enum>(A)</enum><text>is not related to the covered entity providing the service or function by common ownership or corporate control; and</text></subparagraph><subparagraph 
id="H6D056F15AF0941F58301D34DF95B9B28"><enum>(B)</enum><text>does not share common branding with the covered entity providing the service or function.</text></subparagraph></paragraph><paragraph id="HB6EDABE7D95848428869842673E5B5C0"><enum>(20)</enum><header>State</header><text>The term <quote>State</quote> means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.</text></paragraph><paragraph id="HD613A36ED10C4EBA82D8DEBDD3E6017D"><enum>(21)</enum><header>Third party</header><text display-inline="yes-display-inline">The term <quote>third party</quote> means, with respect to a set of covered data, a covered entity—</text><subparagraph id="H5738F4BB978C4A3EAB1C8305E4E8DFEB"><enum>(A)</enum><text>that is not a service provider with respect to such covered data; and</text></subparagraph><subparagraph id="HD5CADA3CA7D5467C8D1BC30EFD1028A2"><enum>(B)</enum><text>that received such covered data from another covered entity—</text><clause id="H096D7958BF4041DCAF7A7FF70EA3CDB2"><enum>(i)</enum><text>that is not related to the covered entity by common ownership or corporate control; and</text></clause><clause id="H7E5C5A006D3A4B279005BB5E1050C08D"><enum>(ii)</enum><text>that does not share common branding with the covered entity.</text></clause></subparagraph></paragraph><paragraph id="H6BB103C1E21040B0B1D78DBF1AC1513D"><enum>(22)</enum><header>Third-party operator</header><text display-inline="yes-display-inline">The term <quote>third-party operator</quote> means the operator of a program that appears on a covered internet platform (if the operator of the program is different from the operator of the platform).</text></paragraph><paragraph id="HEE7732B84E844688B2D5BD8F9F5E6850"><enum>(23)</enum><header>Transfer</header><text>The term <quote>transfer</quote> means, with respect to covered data, to disclose, release, share, disseminate, make available, or license 
such data, in writing, electronically, or by any other means, for consideration of any kind or for a commercial purpose.</text></paragraph></section><section id="HB99045EE6C79421E977C2566CB7C6568"><enum>117.</enum><header>Effective date</header><text display-inline="no-display-inline">This title shall take effect on the date that is 6 months after the date of the enactment of this Act.</text></section></title><title id="H17D9DCFA95E64132B1CF947D079F80AF"><enum>II</enum><header>Do Not Track</header><section id="H49E7FC35242847BC8FA127B1AAF9188C"><enum>201.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Do Not Track Act</short-title></quote>.</text></section><section id="HCC89081C671443A297A058DAB68A7BE6"><enum>202.</enum><header>Establishment of Do Not Track system</header><subsection id="HB91BE554640A465CA1671BB8DC826056"><enum>(a)</enum><header>In general</header><text>Not later than 6 months after the date of the enactment of this Act, the Commission shall implement and enforce a Do Not Track (DNT) system, including the program described in subsection (b), to protect consumers from unwanted online data harvesting and targeted advertising.</text></subsection><subsection id="H4901807AEE1B445C81A6B805E805409C"><enum>(b)</enum><header>Do Not Track program</header><text>As part of the Do Not Track system required under this section, the Commission shall designate the DNT signal and make available on the public website of the Commission a simple program that—</text><paragraph id="H807F7F96A94F402DA4FD048329E6D770"><enum>(1)</enum><text>can be downloaded to any common connected device;</text></paragraph><paragraph id="H07B8FEDC5687474FA62660214CCC7EC4"><enum>(2)</enum><text>sends the DNT signal to every covered internet platform (except for a covered internet platform designated under paragraph (3)) to which the device connects each time the device connects to the platform; 
and</text></paragraph><paragraph id="H5F97984AB6CF47FCAA7A2B565E06C04F"><enum>(3)</enum><text>permits the user of the device to designate covered internet platforms to which the DNT signal should not be sent, but does not exempt any covered internet platform from receiving the signal if the platform is not so designated.</text></paragraph></subsection><subsection id="H0EC5AB0537D04A2EA4AE6A3861318DCD"><enum>(c)</enum><header>Other do not track systems</header><text>Nothing in this title may be construed to prohibit the operator of any web browser or similar interface or a connected device designer or manufacturer from offering a program that sends the DNT signal to covered internet platforms, if the program permits users to designate covered internet platforms to which the DNT signal should not be sent.</text></subsection><subsection id="H506C36B5AD2F4639BFED2E8DAF1DC790"><enum>(d)</enum><header>Rulemaking authority</header><text>The Commission may promulgate regulations, in accordance with section 553 of title 5, United States Code, to carry out this section.</text></subsection></section><section id="HB30E6DC010814EE38C9571312BD596C1"><enum>203.</enum><header>Do Not Track: requirements for operators; prohibited acts</header><subsection id="H64977BA88DBB4FE5BB8D2FDD881403CF"><enum>(a)</enum><header>Requirements</header><paragraph id="H4D184B04504A427BAC7F753C1AD5B12D"><enum>(1)</enum><header>Search for dnt signal</header><text>When a connected device connects to a covered internet platform—</text><subparagraph id="HE65887851F6F45298F19441765DC6D70"><enum>(A)</enum><text>the second-party operator of the platform shall ensure that the platform searches for the DNT signal; and</text></subparagraph><subparagraph id="HC9918235DF3A4970A56A2A2986770987"><enum>(B)</enum><text>the third-party operator of any program that appears on the platform shall ensure that the program searches for the DNT signal.</text></subparagraph></paragraph><paragraph 
id="H72AA118FC0F34C6FB18C6ED1CB6B2F24"><enum>(2)</enum><header>Mandatory notification</header><subparagraph id="H2F6F29CC1CA64B27AEB16EF0409E882A"><enum>(A)</enum><header>In general</header><text>Subject to subparagraph (B), if a second-party operator of a covered internet platform collects more data from a user of the platform than is necessary to operate the platform, or if a third-party operator of a program that appears on the platform collects more data from a user of the platform than is necessary to operate the platform, the second-party operator or third-party operator, respectively, shall, through a pop-up notification, provide any user whose connected device is not sending the DNT signal with—</text><clause id="H4FC58389428C402B9831AC8FFC51F226"><enum>(i)</enum><text>notice of the policy of the platform or program of collecting data beyond what is necessary to operate the platform;</text></clause><clause id="H43734FA9D3DB4A9496D9BFA53F76EABE"><enum>(ii)</enum><text>notice of the protections from data collection and targeted advertising available to users under this title;</text></clause><clause id="H3CA811486D6B483BAD709C07381C8CE6"><enum>(iii)</enum><text>notice that the user may, through the public website of the Commission, download the Do Not Track program described in section 202(b), including a link to such website; and</text></clause><clause id="H47900A782C2F4BCD8862939490ABA544"><enum>(iv)</enum><text>notice that the user may be able to activate the DNT signal through the user’s device or browser.</text></clause></subparagraph><subparagraph id="HAFFAFE5EFA8B4D6CB78E2842CE62BBDF"><enum>(B)</enum><header>Number and timing</header><text>A second-party operator or third-party operator, respectively, shall provide the notification required by subparagraph (A)—</text><clause id="HA02862E8FA4B4146BA7BAE6F50BA6C21"><enum>(i)</enum><text>the first time a connected device connects to the covered internet platform; and</text></clause><clause 
id="HD771A320434948C9913A84365A3C5EEC"><enum>(ii)</enum><text>unless the user of the connected device opts out of receiving the notification required by subparagraph (A), at least every 30th time the connected device connects to the covered internet platform.</text></clause></subparagraph><subparagraph id="HB6DE695588FF4F0FB8B7CCFD90A86E87"><enum>(C)</enum><header>Collection of data for targeted advertising</header><text>For purposes of this paragraph, the second-party operator of a covered internet platform, or the third-party operator of a program that appears on the platform, that collects data for the purpose of designing or displaying advertisements for targeted advertising shall be considered to be collecting more data than is necessary to operate the platform.</text></subparagraph></paragraph></subsection><subsection id="H7731878736A64FF083D7B660D1AA1197"><enum>(b)</enum><header>Prohibition on data collection and targeted advertising</header><paragraph id="HA73B5687064D4B60B68981621988950F"><enum>(1)</enum><header>Second-party operators</header><text>Subject to paragraph (3), it shall be unlawful for a second-party operator of a covered internet platform that receives the DNT signal from the connected device of a user to—</text><subparagraph id="HEBA2AC69C09D482CAF31ACBFD362796F"><enum>(A)</enum><text>collect any data (other than such data as is necessary to operate the platform) from the user;</text></subparagraph><subparagraph id="HBBFFFCB8194846758B5D4B46C78759C9"><enum>(B)</enum><text>use any data collected from the user for a secondary purpose, including for the purpose of targeted advertising; or</text></subparagraph><subparagraph id="HEBFFB0DF95D24E17AE51EB2B50F8EE4B"><enum>(C)</enum><text>transfer any data collected from the user to a third party, unless the user provides affirmative express consent to the transfer of data in a manner that demonstrates the user’s intent for the second-party operator to be an intermediary between the user and the 
third party.</text></subparagraph></paragraph><paragraph id="H775BF67E57E44A6B92ACAF1415CD6897"><enum>(2)</enum><header>Third-party operators</header><subparagraph id="HF25D53EB738C483CBEAD87BF4BCEB2CB"><enum>(A)</enum><header>In general</header><text>It shall be unlawful for a third-party operator of a program that receives the DNT signal from the connected device of a user of a covered internet platform on which the program appears to collect any data from the user, other than, subject to subparagraph (B), data collected for the purpose of analyzing how or whether the user engaged with the program.</text></subparagraph><subparagraph id="HDEEA8C0A1EA94811BB0EAEB4B3D4A4F0"><enum>(B)</enum><header>Limitations on collection of data for engagement analytics</header><text>Data collected for the purpose of analyzing how or whether the user engaged with the program, as described in subparagraph (A)—</text><clause id="HBA4B414C17F54A21A0E5DA6C06C62EC9"><enum>(i)</enum><text>may only be collected in a de-identified manner; and</text></clause><clause id="HDB17D0A9F800416E8AFC61EE782C6D4B"><enum>(ii)</enum><text>may not be used to create or contribute to a profile of the user.</text></clause></subparagraph></paragraph><paragraph id="HFD490DBBB1744416B450C80CCAA63C22"><enum>(3)</enum><header>Exception for complementary services</header><text>Notwithstanding paragraph (1), a second-party operator of a covered internet platform may collect additional data from a user beyond what is necessary for the operation of the platform if the additional data is necessary for the operation of a different covered internet platform that is—</text><subparagraph id="H1A1AD411B64E49F7A5149BF85306C371"><enum>(A)</enum><text>both owned and operated by the second-party operator;</text></subparagraph><subparagraph id="H98B6C7AADFBE449CB3EAFB1F2C616C1E"><enum>(B)</enum><text>designed to complement the covered internet platform accessed by the user; and</text></subparagraph><subparagraph 
id="H8E6A6C16DCB045EFA9E062AD7D560E68"><enum>(C)</enum><text>branded as a complementary covered internet platform to the covered internet platform accessed by the user.</text></subparagraph></paragraph></subsection><subsection id="H6351A43FF36E4DB2866D9216D833BC6B"><enum>(c)</enum><header>Interfering with DNT signal</header><text>It shall be unlawful for any person to—</text><paragraph id="HB8C8DD752E254598BD5220FA11DBAA21"><enum>(1)</enum><text>block or impede the ability of a covered internet platform, or a program that appears on a covered internet platform, to receive the DNT signal; or</text></paragraph><paragraph id="H5C97E7034C704DA68F480E4A832B137A"><enum>(2)</enum><text>block or impede the ability of a connected device to send the DNT signal.</text></paragraph></subsection><subsection id="H4E2F5D8F07BF4DDFB6116575B954A750"><enum>(d)</enum><header>Discrimination based on DNT preferences</header><text>It shall be unlawful for a second-party operator of a covered internet platform to—</text><paragraph id="HF1BD974DE9C141F5AD5BA4C65B237324"><enum>(1)</enum><text>deny a user access to, or service from, the platform on the basis of receiving the DNT signal from the user; or</text></paragraph><paragraph id="HED834CACB7EA48D89A11FFB501770119"><enum>(2)</enum><text>provide a user from whom the platform receives the DNT signal with a different level of access or service than the level of access or service provided to a user from whom the platform does not receive the DNT signal.</text></paragraph></subsection></section><section id="H875604C6AC55440298EE9A8B315260C5"><enum>204.</enum><header>Scope of coverage</header><subsection id="H6FEC15C769A840F2A1F909A27E0D5E1F"><enum>(a)</enum><header>General exceptions</header><text>Notwithstanding any other provision of this title, a covered entity may collect, process, or transfer covered data for any of the following purposes, if the collection, processing, or transfer is reasonably necessary, proportionate, and limited to 
such purpose:</text><paragraph id="H6A7B74FCC25B4207AA61A2FDD5FB93D9"><enum>(1)</enum><text>To initiate or complete a transaction or to fulfill an order or provide a service specifically requested by an individual, including associated routine administrative activities such as billing, shipping, financial reporting, and accounting.</text></paragraph><paragraph id="H038751EC043A4C06A1B2C669D9800429"><enum>(2)</enum><text>To perform internal system maintenance, diagnostics, product or service management, inventory management, or network management.</text></paragraph><paragraph id="H5AC79F25F3E34C0AA6467BC146DCA03B"><enum>(3)</enum><text>To prevent, detect, or respond to a security incident or trespassing, provide a secure environment, or maintain the safety and security of a product, service, or individual.</text></paragraph><paragraph id="HA8689246779A4F4786D55900D5F94DE1"><enum>(4)</enum><text>To protect against malicious, deceptive, fraudulent, or illegal activity.</text></paragraph><paragraph id="HBDCFB1B4D913444C91F673B5CAA39154"><enum>(5)</enum><text>To comply with a legal obligation or the establishment, exercise, analysis, or defense of legal claims or rights, or as required or specifically authorized by law.</text></paragraph><paragraph id="HA440549519254FE3B3CF99A682B83A67"><enum>(6)</enum><text>To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by an Executive agency.</text></paragraph><paragraph id="H0B7C56448DBA46B09B7DFC0E2728BA8E"><enum>(7)</enum><text>To cooperate with an Executive agency or a law enforcement official acting under the authority of an Executive or State agency concerning conduct or activity that the Executive agency or law enforcement official reasonably and in good faith believes may violate Federal, State, or local law, or pose a threat to public safety or national security.</text></paragraph><paragraph id="H49079A1739C14EDC8DBFC672CEF60F42"><enum>(8)</enum><text>To address risks to the 
safety of an individual or group of individuals, or to ensure customer safety, including by authenticating individuals in order to provide access to large venues open to the public.</text></paragraph><paragraph id="HF23DEA41A5E34B74B0AAF024963312D7"><enum>(9)</enum><text>To effectuate a product recall pursuant to Federal or State law.</text></paragraph><paragraph id="H3902B01399684ECDB28CB88A90819978"><enum>(10)</enum><text>To conduct public or peer-reviewed scientific, historical, or statistical research that—</text><subparagraph id="H95EC32CC2DE6465A8DB3A289CA2EDEB8"><enum>(A)</enum><text>is in the public interest;</text></subparagraph><subparagraph id="HC5015D7F862D40998F8EC88E99BAE351"><enum>(B)</enum><text>adheres to all applicable ethics and privacy laws; and</text></subparagraph><subparagraph id="H3263A54C62CB4079BD545218A45A45E8"><enum>(C)</enum><text>is approved, monitored, and governed by an institutional review board or other oversight entity that meets standards promulgated by the Commission pursuant to section 553 of title 5, United States Code.</text></subparagraph></paragraph><paragraph id="HDB087B9FA105452291F7F654C2A7DDA9"><enum>(11)</enum><text>To transfer covered data to a service provider.</text></paragraph><paragraph id="HE5F4722445AF495BA574DB41FF751DF2"><enum>(12)</enum><text>For a purpose identified by the Commission pursuant to a regulation promulgated under subsection (b).</text></paragraph></subsection><subsection id="H336626EE358D452C99E2043D35F07B33"><enum>(b)</enum><header>Additional purposes</header><text>The Commission may promulgate regulations under section 553 of title 5, United States Code, identifying additional purposes for which a covered entity may collect, process, or transfer covered data and protect individual rights to data privacy in accordance with this title.</text></subsection></section><section id="H4C11EFB537764617853D98AB230DE466"><enum>205.</enum><header>Application and enforcement</header><subsection 
id="HE9B4AE0603494EC0AA892A9EF5C57C07"><enum>(a)</enum><header>General Application</header><text>The requirements of this title apply, according to their terms, to—</text><paragraph id="HB511656AB2AE4D17B6CE9D2CA98BEF77"><enum>(1)</enum><text>those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>); and</text></paragraph><paragraph id="H675D6006D6A4453595A4238EEBD503A9"><enum>(2)</enum><text>notwithstanding sections 4 and 5(a)(2) of such Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref>; 45(a)(2))—</text><subparagraph id="HA1A78C308F854BE6ACFB0363F924C634"><enum>(A)</enum><text>common carriers described in such section 5(a)(2); and</text></subparagraph><subparagraph id="H7003FA7CB6834902B8ABBD510F09B174"><enum>(B)</enum><text>organizations not organized to carry on business for their own profit or that of their members.</text></subparagraph></paragraph></subsection><subsection id="H918D0C4443B1499695981D271D2314C7"><enum>(b)</enum><header>Enforcement by the commission</header><paragraph id="H237EBEC00F974F02829F21306AE600BF"><enum>(1)</enum><header>In general</header><text>Except as otherwise provided, this title and the regulations prescribed under this title shall be enforced by the Commission under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 
41 et seq.</external-xref>).</text></paragraph><paragraph id="H075EE8AC50EB463399215095073AC6E6"><enum>(2)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of this title or a regulation prescribed under this title shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph><paragraph id="HECD58A9EC90646358DA7D10555651D44"><enum>(3)</enum><header>Actions by the commission</header><subparagraph id="H1B110302FA50487E99EC6462F40D04E9"><enum>(A)</enum><header>In general</header><text>Except as provided in subparagraph (B) and subsection (a), the Commission shall prevent any person from violating this title or a regulation prescribed under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this title, and any person who violates this title or a regulation prescribed under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.</text></subparagraph><subparagraph id="H28D186969D8E4016B79346E111C870E9"><enum>(B)</enum><header>Penalties</header><clause id="H3648FA97B7664ADDA6F15A4B06483F76"><enum>(i)</enum><header>In general</header><text>Notwithstanding section 5(m) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45(m)</external-xref>), a civil penalty recovered for a violation of this title or a regulation prescribed under this title may be in excess of the amounts provided for in that section, if such penalty meets the requirements of this subparagraph.</text></clause><clause id="H57293A1F67C64C98985786607C42CE3D"><enum>(ii)</enum><header>Penalty for negligent violation</header><text>In the case of a person who negligently violates this title or a regulation prescribed under this title, such person shall be liable for a civil penalty that does not exceed $50 for every individual affected by such violation for every day during which the person is in violation of this title or such regulation as described in this clause.</text></clause><clause id="H076D4B910E074173BED438927616226C"><enum>(iii)</enum><header>Penalty for willful or reckless violation</header><text>In the case of a person who willfully or recklessly violates this title or a regulation prescribed under this title, such person shall be liable for a civil penalty that—</text><subclause id="HA5207A4C57E84884B03C4653A441732A"><enum>(I)</enum><text>is not less than $100,000; and</text></subclause><subclause id="H252966BA45E94847B7AB0A54934DDB19"><enum>(II)</enum><text>does not exceed $1,000 for every individual affected by such violation for every day during which the person is in violation of this title or such regulation as described in this clause.</text></subclause></clause></subparagraph></paragraph></subsection><subsection id="H5928FE1C5FAD4FD198407A6182868068"><enum>(c)</enum><header>Enforcement by state attorneys general</header><paragraph id="HE29EB9579121499AB9B7FFF2288E06DD"><enum>(1)</enum><header>In general</header><subparagraph id="H38D6E37068D74C6BA84184B6B9BC2915"><enum>(A)</enum><header>Civil actions</header><text>In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement 
of any person in an act or practice that violates this title or a regulation prescribed under this title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States or a State court of appropriate jurisdiction to—</text><clause id="H5466F03908904EBD8391A34D2F4D261E"><enum>(i)</enum><text>enjoin that act or practice;</text></clause><clause id="H4AD46D21CC334111877B0BB8CB4D309B"><enum>(ii)</enum><text>enforce compliance with this title or such regulation;</text></clause><clause id="H0216CAA3737541E783F48A74B1E92131"><enum>(iii)</enum><text>obtain damages, statutory damages in the same amount as the penalties that the Commission may obtain under section 5(m) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(m)</external-xref>) and subsection (b)(3)(B) of this section, restitution, or other compensation on behalf of residents of the State; or</text></clause><clause id="H1B9251FA1A22427395AD48C82229BB78"><enum>(iv)</enum><text>obtain such other relief as the court may consider to be appropriate.</text></clause></subparagraph><subparagraph id="HFACB54156B324153B74DC9EEB63CEBF8"><enum>(B)</enum><header>Notice</header><clause id="HCD29AC0E2405446E933D5CF81B26E48C"><enum>(i)</enum><header>In general</header><text>Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Commission—</text><subclause id="H82EC133FEFF940B3888679C47DF60EC9"><enum>(I)</enum><text>written notice of that action; and</text></subclause><subclause id="H6FB1C07A4819414383B19DAE8FD88098"><enum>(II)</enum><text>a copy of the complaint for that action.</text></subclause></clause><clause id="HD0A8287DCB054EE08650B03C420BAD7F"><enum>(ii)</enum><header>Exemption</header><subclause id="H8D35EF22F6C144498D9ABBEAE70BAC6F"><enum>(I)</enum><header>In general</header><text>Clause (i) does not apply with respect to the filing of 
an action by an attorney general of a State under this paragraph if the attorney general of the State determines that it is not feasible to provide the notice described in that clause before the filing of the action.</text></subclause><subclause id="HC4FF0ED935354A67B3C6DD7B7B18A55E"><enum>(II)</enum><header>Notification</header><text>In an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.</text></subclause></clause></subparagraph></paragraph><paragraph id="HE205570C5D5B425DAFE9013A757486A7"><enum>(2)</enum><header>Intervention</header><subparagraph id="HD9B201F1129F4F3EB0DD3E468B4D52B9"><enum>(A)</enum><header>In general</header><text>On receiving notice under paragraph (1)(B), the Commission shall have the right to intervene in the action that is the subject of the notice.</text></subparagraph><subparagraph id="H35B559C57F99454C96FA99A6F601D1FA"><enum>(B)</enum><header>Effect of intervention</header><text>If the Commission intervenes in an action under paragraph (1), it shall have the right—</text><clause id="H4851F66381E64545B0272EE3D8F247D4"><enum>(i)</enum><text>to be heard with respect to any matter that arises in that action; and</text></clause><clause id="HFC9628C10FE8476D8003A82DD8A03A51"><enum>(ii)</enum><text>to file a petition for appeal.</text></clause></subparagraph></paragraph><paragraph id="H30023B16E82C4821A7CEEEC1AB60313A"><enum>(3)</enum><header>Construction</header><text>For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—</text><subparagraph id="H573CFFCE2EBC4F5E849AF41C5376988C"><enum>(A)</enum><text>conduct investigations;</text></subparagraph><subparagraph 
id="H22DE533BA9C248068DD7877B2B05622C"><enum>(B)</enum><text>administer oaths or affirmations; or</text></subparagraph><subparagraph id="HA353306367884AFEBFC0EF51060C69FC"><enum>(C)</enum><text>compel the attendance of witnesses or the production of documentary and other evidence.</text></subparagraph></paragraph><paragraph id="HE234592BE5AB4DDF98AA3491E8A13F48"><enum>(4)</enum><header>Actions by the commission</header><text>In any case in which an action is instituted by or on behalf of the Commission for violation of this title or a regulation prescribed under this title, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in the action instituted by or on behalf of the Commission for that violation.</text></paragraph><paragraph id="HF4DB32D60C8B414EB0A35FC15676C5B7"><enum>(5)</enum><header>Venue; service of process</header><subparagraph id="H980FF7D7D641418182840B9210EC8E04"><enum>(A)</enum><header>Venue</header><text>Any action brought under paragraph (1) may be brought in—</text><clause id="HB1AB18BF8A784D6FBA9BBCA76C73B63C"><enum>(i)</enum><text>a district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or</text></clause><clause id="H7E83802266AC40DC98FD4C71E2110CDD"><enum>(ii)</enum><text>a State court of competent jurisdiction.</text></clause></subparagraph><subparagraph id="HEFAE6E04DF6C4B0294E92AD7709D9E28"><enum>(B)</enum><header>Service of process</header><text>In an action brought under paragraph (1) in a district court of the United States, process may be served wherever the defendant—</text><clause id="HFF1051DA8F0E48779074ABBA15DFD34C"><enum>(i)</enum><text>is an inhabitant; or</text></clause><clause id="HBB161C21E982433ABE8C967612433C67"><enum>(ii)</enum><text>may be found.</text></clause></subparagraph></paragraph></subsection></section><section 
id="H1465656DEDCE49DC9A41C8F6F4C0BCE0"><enum>206.</enum><header>State privacy protections</header><text display-inline="no-display-inline">Nothing in this title shall preempt any State law, regulation, or other requirement having the force or effect of law that is more protective of the privacy of individuals than the requirements of this title.</text></section><section id="H7DC9D921EB3041E287B8871225673EC7"><enum>207.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this title or the application of a provision of this title to any person or circumstance is held to be invalid or unconstitutional, the remainder of this title, or the application of such provision to any other person or circumstance, shall not be affected.</text></section><section id="H6F979E30DA2E4052BDA54C5A6B24E77F"><enum>208.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text><paragraph id="H9450A543E77F482D900641017B5BAD59"><enum>(1)</enum><header>Affirmative express consent</header><subparagraph id="HE7F6AFAC8F81404B98BAA624707C1518"><enum>(A)</enum><header>In general</header><text>The term <quote>affirmative express consent</quote> means an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request that meets the requirements of subparagraph (B).</text></subparagraph><subparagraph id="H0268412C4D044EB895809AD9DFB2FB3D"><enum>(B)</enum><header>Request requirements</header><text>The requirements of this subparagraph with respect to a request from a covered entity to an individual are the following:</text><clause id="H123E2303079D426BB85EAA1F0CA5EE0F"><enum>(i)</enum><text>The request is provided to the individual in a standalone disclosure.</text></clause><clause id="H134FE45F287C4CB9877788192C5883DA"><enum>(ii)</enum><text>The request includes a description of each act or practice for which the individual’s consent is 
sought and—</text><subclause id="H489BB3F5EF6A41C398B9473249306D08"><enum>(I)</enum><text>clearly distinguishes between an act or practice which is necessary to fulfill a request of the individual and an act or practice which is for another purpose; and</text></subclause><subclause id="HD42309E5ED89429E84BCF38A0A569988"><enum>(II)</enum><text>is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice.</text></subclause></clause><clause id="H0B2BE8BE99DA4A1FB6A06DAE72E53127"><enum>(iii)</enum><text>The request clearly explains the individual’s applicable rights related to consent.</text></clause></subparagraph><subparagraph id="H95AABB4EE4184269BF788F8E872E733B"><enum>(C)</enum><header>Express consent required</header><text>A covered entity may not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the covered entity.</text></subparagraph><subparagraph id="HC8D726282F9A42F9A7C4FDDF635373B8"><enum>(D)</enum><header>Prior consent required</header><text>In the case of any requirement of this title for a covered entity to obtain affirmative express consent for an act or practice, the covered entity shall obtain such consent before engaging in the act or practice. 
</text></subparagraph></paragraph><paragraph id="H3E3412A6878948C6BBA8D075CB93A9D3"><enum>(2)</enum><header>Collect; collection</header><text>The terms <quote>collect</quote> and <quote>collection</quote> mean, with respect to the covered data of an individual, buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring such data by any means, including by passively or actively observing the individual’s behavior.</text></paragraph><paragraph id="HB87CDA5CF14540F59799187A8450D26C"><enum>(3)</enum><header>Commission</header><text>The term <quote>Commission</quote> means the Federal Trade Commission.</text></paragraph><paragraph id="H3C07E08D5EAF495899BD3C049EF62BFF"><enum>(4)</enum><header>Connected device</header><text>The term <quote>connected device</quote> means a physical object that—</text><subparagraph id="HB659CAB764CB4D858B472A65C4A488CC"><enum>(A)</enum><text>is capable of connecting to the internet, either directly or indirectly through a network, to communicate information at the direction of an individual; and</text></subparagraph><subparagraph id="HF3BE873EFA96412B91209B10A0B94B44"><enum>(B)</enum><text>has computer processing capabilities for collecting, sending, receiving, or analyzing data.</text></subparagraph></paragraph><paragraph id="H295BBF8B639B442B8A551581B0C07953"><enum>(5)</enum><header>Control</header><text>The term <quote>control</quote> means, with respect to an entity—</text><subparagraph id="H62CC1F7E0F694E8CB5EA65F0F158B662"><enum>(A)</enum><text>ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;</text></subparagraph><subparagraph id="HF104BCCBE4A1408DA1E09D8007FD0FD7"><enum>(B)</enum><text>control in any manner over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or</text></subparagraph><subparagraph id="H7A47B4742A374003A3A77D06AB9C2ED1"><enum>(C)</enum><text>the power to 
exercise a controlling influence over the management of the entity.</text></subparagraph></paragraph><paragraph id="HFB9E9F96882B4636986311D542E64E12"><enum>(6)</enum><header>Covered data</header><subparagraph id="HF319F69D68554F419AE21FB3D2B0A803"><enum>(A)</enum><header>In general</header><text>The term <quote>covered data</quote> means information that identifies or is linked or reasonably linkable to an individual or a connected device that is linked or reasonably linkable to an individual.</text></subparagraph><subparagraph id="HE78D3CAB79FF408A84D2BA15ECD4F695"><enum>(B)</enum><header>Linked or reasonably linkable</header><text>For purposes of subparagraph (A), information held by a covered entity is linked or reasonably linkable to an individual or a connected device if, as a practical matter, it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity to identify such individual or such device.</text></subparagraph><subparagraph id="H22E7CAB321F74549B7938EACFCAC5989"><enum>(C)</enum><header>Exclusions</header><text>Such term does not include—</text><clause id="H0F62BBAC37404C49A45C3AC012F8A731"><enum>(i)</enum><text>aggregated data;</text></clause><clause id="H44E28F6A256541B8B24BEF85A70FBCA0"><enum>(ii)</enum><text>de-identified data;</text></clause><clause id="HE7320503194F421496C425A1C5842671"><enum>(iii)</enum><text>data of an individual processed by the covered entity in the capacity of the covered entity as the employer of the individual; or</text></clause><clause id="HAE61E305540445008BF8A295F3E30A5D"><enum>(iv)</enum><text display-inline="yes-display-inline">publicly available information.</text></clause></subparagraph></paragraph><paragraph id="H05B460C4B1C04D3B86B522910B46BEDA"><enum>(7)</enum><header>Covered entity</header><text>The term <quote>covered entity</quote> means any person who—</text><subparagraph id="H5E4161DF18914009B43316BAB04E0C42"><enum>(A)</enum><text>collects, 
processes, or transfers covered data; and</text></subparagraph><subparagraph id="H6DF05B619A5D49C3AAF64F94B493CC05" commented="no"><enum>(B)</enum><text>determines the purposes and means of such collection, processing, or transfer.</text></subparagraph></paragraph><paragraph id="H61ECF8B4A1024FDAA9B899637C25C7D1" commented="no"><enum>(8)</enum><header>Covered internet platform</header><subparagraph id="HFE07882ED979459BAA3C37C67381307F" commented="no"><enum>(A)</enum><header>In general</header><text>The term <quote>covered internet platform</quote> means any public-facing website, internet application, or mobile application, including a social network site, video sharing service, search engine, or content aggregation service.</text></subparagraph><subparagraph id="HB476FBDB907F477DB37A44AF1F8BCC62" commented="no"><enum>(B)</enum><header>Exclusion</header><text>Such term does not include a platform that is operated for the sole purpose of conducting research that is not conducted for profit, either directly or indirectly.</text></subparagraph></paragraph><paragraph id="HCB89415DCC0E4D0FA2362A547F517804"><enum>(9)</enum><header>DNT signal</header><text>The term <quote>DNT signal</quote> means a signal sent by a connected device, such as the hypertext transfer protocol developed by the World Wide Web Consortium Working Group on Tracking Preference Expression, that is designated by the Commission for purposes of the Do Not Track program required under section 202(b).</text></paragraph><paragraph id="H6D29922E5A6C436B8C2C610DF1282921"><enum>(10)</enum><header>Executive agency</header><text>The term <quote>Executive agency</quote> has the meaning given such term in section 105 of title 5, United States Code.</text></paragraph><paragraph id="HF710CAC2553A4290B19DD0E854F169E4"><enum>(11)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States, however identified, including by any unique 
identifier.</text></paragraph><paragraph id="HCC8C386B67884BB3A1FE4E20B1AC6659"><enum>(12)</enum><header>Process</header><text>The term <quote>process</quote> means to perform any operation or set of operations on covered data, including collection, analysis, organization, structuring, retaining, using, transferring, or otherwise handling covered data. </text></paragraph><paragraph id="H4FFF0131F3F34754A005DFD678E9EC5B" commented="no"><enum>(13)</enum><header>Program</header><text>The term <quote>program</quote> means, with respect to a covered internet platform, any program that appears on the platform, including a program that delivers advertisements to users of the platform and a program used to log into the platform.</text></paragraph><paragraph id="HBDF25805F16D41CEA8BCFFF6440F5A95" commented="no"><enum>(14)</enum><header>Publicly available information</header><text>The term <quote>publicly available information</quote> means information that is available to the general public, including—</text><subparagraph id="H22F83B09057F4D5E9A8A297EAA243B47" commented="no"><enum>(A)</enum><text>any information to which the source allows access by anyone upon request; and</text></subparagraph><subparagraph id="HEB6BD22DC43E4339A949408353E6D3C8" commented="no"><enum>(B)</enum><text>any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records, widely distributed media, or disclosures to the general public that are required to be made by Federal, State, or local law.</text></subparagraph></paragraph><paragraph id="HB707808A3A9B48C9B29FE14A7C284268"><enum>(15)</enum><header>Research</header><text>The term <quote>research</quote> means the scientific analysis of information, including covered data, by a covered entity or those with whom the covered entity is cooperating or others acting at the direction or on behalf of the covered entity, that is conducted for the 
primary purpose of advancing scientific knowledge and may be for the commercial benefit of the covered entity.</text></paragraph><paragraph id="H31027279A637478C9922FC42C6A1EE0E"><enum>(16)</enum><header>Second-party operator</header><text display-inline="yes-display-inline">The term <quote>second-party operator</quote> means the operator of a covered internet platform with which a user intends to connect, but does not include the operator of a program that appears on the platform (if the operator of the program is different from the operator of the platform).</text></paragraph><paragraph id="H26A94B67760A4F249CFBB1476A6E2433"><enum>(17)</enum><header>Service provider</header><text>The term <quote>service provider</quote> means, with respect to a set of covered data, a covered entity that collects, processes, or transfers such covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, another covered entity that—</text><subparagraph id="H733E6DEC3386454FA7B774B6A167B526"><enum>(A)</enum><text>is not related to the covered entity providing the service or function by common ownership or corporate control; and</text></subparagraph><subparagraph id="H9C96F6B845DF4AD6B7F7675E4BE18BBA"><enum>(B)</enum><text>does not share common branding with the covered entity providing the service or function.</text></subparagraph></paragraph><paragraph id="H4FED775FB39E440381658233F40CAD0B"><enum>(18)</enum><header>State</header><text>The term <quote>State</quote> means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.</text></paragraph><paragraph id="H92F161D994D14CBEA4BBA4F6DA97036B"><enum>(19)</enum><header>Targeted advertising</header><subparagraph id="HFACFF9928C4C4206B27AF3530255D9FE"><enum>(A)</enum><header>In general</header><text>The term <quote>targeted advertising</quote> means a form of advertising 
in which advertisements are displayed to a user based on the user’s traits, information from a profile about the user that is created for the purpose of selling advertisements, or the user’s previous online or offline behavior.</text></subparagraph><subparagraph id="HD016F1E186724711A2BADCC0E023098F"><enum>(B)</enum><header>Limitation</header><text>Such term does not include contextual advertising, including—</text><clause id="HAA799EB5868D49E58ACB665D7A5329B9"><enum>(i)</enum><text>advertising that is directed to a user based on the content of the covered internet platform that the user is connected to; or</text></clause><clause id="H65CBB93C724D4CBD844A5B6DC18C3A4E"><enum>(ii)</enum><text display-inline="yes-display-inline">advertising that is directed to a user by the second-party operator of a covered internet platform, or by the third-party operator of a program that appears on the platform, based on the search terms that the user used to arrive at the platform.</text></clause></subparagraph></paragraph><paragraph id="H179FE18AA43B49E5952349B4412DD686"><enum>(20)</enum><header>Third party</header><text display-inline="yes-display-inline">The term <quote>third party</quote> means, with respect to a set of covered data, a covered entity—</text><subparagraph id="H81D96B4EF34D4887B60E48C4F13EED62"><enum>(A)</enum><text>that is not a service provider with respect to such covered data; and</text></subparagraph><subparagraph id="H2468E54F7E794984AD8497E52498B458"><enum>(B)</enum><text>that received such covered data from another covered entity—</text><clause id="H98EC1D56300A4D0E8DE7ED8A1870F22D"><enum>(i)</enum><text>that is not related to the covered entity by common ownership or corporate control; and</text></clause><clause id="HC4BDD9DA1C5647CE86601E1767C0905A"><enum>(ii)</enum><text>that does not share common branding with the covered entity.</text></clause></subparagraph></paragraph><paragraph 
id="H36800702AE344CE6A50E9EAAECC2BACD"><enum>(21)</enum><header>Third-party operator</header><text display-inline="yes-display-inline">The term <quote>third-party operator</quote> means the operator of a program that appears on a covered internet platform (if the operator of the program is different from the operator of the platform).</text></paragraph><paragraph id="HE536993DC7BF4683B88881D56CB93088"><enum>(22)</enum><header>Transfer</header><text>The term <quote>transfer</quote> means, with respect to covered data, to disclose, release, share, disseminate, make available, or license such data, in writing, electronically, or by any other means, for consideration of any kind or for a commercial purpose.</text></paragraph></section><section id="HA583C4FF74F5473A9DA1343945D07F4A"><enum>209.</enum><header>Effective date</header><text display-inline="no-display-inline">This title shall take effect on the date that is 6 months after the date of the enactment of this Act.</text></section></title></legis-body></bill> 

