<?xml version="1.0"?>
<!-- NOTE(review): the two prolog lines below name an external stylesheet (billres.xsl) and an external DTD (bill.dtd) by relative path. When this file arrives from a source you do not control, parse it with external-entity resolution and remote DTD fetching disabled, validate against a locally held copy of the DTD, and let a trusted transformer use its own pinned stylesheet instead of the one named here. -->
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" dms-id="HD3D86C9EC43741B1B153B2C89A101C13" public-private="public" key="H" bill-type="olc"> 
<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 HR 6027 IH: Online Privacy Act of 2021</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2021-11-18</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code> 
<congress display="yes">117th CONGRESS</congress><session display="yes">1st Session</session> 
<legis-num display="yes">H. R. 6027</legis-num> 
<current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber> 
<action display="yes"> 
<action-date date="20211118">November 18, 2021</action-date> 
<action-desc><sponsor name-id="E000215">Ms. Eshoo</sponsor> (for herself and <cosponsor name-id="L000397">Ms. Lofgren</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HIF00">Committee on Energy and Commerce</committee-name>, and in addition to the Committees on <committee-name committee-id="HJU00">the Judiciary</committee-name>, and <committee-name committee-id="HHA00">House Administration</committee-name>, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned</action-desc> 
</action> 
<legis-type>A BILL</legis-type> 
<official-title display="yes">To provide for individual rights relating to privacy of personal information, to establish privacy and security requirements for covered entities relating to personal information, and to establish an agency to be known as the Digital Privacy Agency to enforce such rights and requirements, and for other purposes.</official-title> 
</form> 
<legis-body id="HEAB97F9B7B224BCFA29B951C559123A4" style="OLC"> 
<section id="H8A2E9A20D4EC442A9B1FC7CA39113F35" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header> 
<subsection id="HA7F9C449EE274F1DA47CD99A995B276C"><enum>(a)</enum><header>Short title</header><text display-inline="yes-display-inline">This Act may be cited as the <quote><short-title>Online Privacy Act of 2021</short-title></quote>.</text></subsection> <subsection id="HC49CD6CA7F014A8AB45EA64E459E20E5"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text> 
<toc container-level="legis-body-container" quoted-block="no-quoted-block" lowest-level="section" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"> 
<toc-entry idref="H8A2E9A20D4EC442A9B1FC7CA39113F35" level="section">Sec. 1. Short title; table of contents.</toc-entry> 
<toc-entry idref="H6B1D4837585D4AA2B73E01D22B875205" level="section">Sec. 2. Definitions.</toc-entry> 
<toc-entry idref="H0D113A637F2B47A1A5DBDC3ACD235FD5" level="section">Sec. 3. General provisions.</toc-entry> 
<toc-entry idref="HFA5AA18D91B744E7A4D98D84B0C2A135" level="section">Sec. 4. Limitation on disclosing nonredacted government records.</toc-entry> 
<toc-entry idref="H3CE193C1A9F0443ABBF8A7DD3E0359BB" level="section">Sec. 5. Privacy considerations for legislative branch agencies.</toc-entry> 
<toc-entry idref="H0CA5814A54884B1FB31308D73D6C02A1" level="section">Sec. 6. Criminal prohibition on doxxing.</toc-entry> 
<toc-entry idref="HC0C415D385DD4411B929BDEDB9296107" level="title">Title I—Individual Rights</toc-entry> 
<toc-entry idref="H78DA2BDC4B6A4C16B00011DA84E78964" level="section">Sec. 101. Right of access.</toc-entry> 
<toc-entry idref="H057A5048476842ED9B2586FD8C38E438" level="section">Sec. 102. Right of correction.</toc-entry> 
<toc-entry idref="HF37AE33087984690A067F5087CAC8BF1" level="section">Sec. 103. Right of deletion.</toc-entry> 
<toc-entry idref="H615A6CCC358042C29BD57A7FDD9894FD" level="section">Sec. 104. Right of portability.</toc-entry> 
<toc-entry idref="H07E072499DFF4C44AAC03EBC35D03137" level="section">Sec. 105. Right to human review of automated decisions.</toc-entry> 
<toc-entry idref="H8BCDF941AAAF480AB3C66A2FC88611B2" level="section">Sec. 106. Right to individual autonomy.</toc-entry> 
<toc-entry idref="H310C30BB38344C1F8166AE63B6B956FD" level="section">Sec. 107. Right to be informed.</toc-entry> 
<toc-entry idref="H51E28822B7E34D0E9B2C4F615B12E07C" level="section">Sec. 108. Right to impermanence.</toc-entry> 
<toc-entry idref="H8FC76C7C3FD44DDC86508139A18E7BEA" level="section">Sec. 109. Exemptions, exceptions, fees, timelines, and rules of construction for rights under this title.</toc-entry> 
<toc-entry idref="H891657543F9B4CBF8AC32192D18CCC23" level="title">Title II—Requirements for Covered Entities, Service Providers, and Third Parties</toc-entry> 
<toc-entry idref="H902895A2AD6F4D4A80BFE2A0BCC2286A" level="section">Sec. 201. Minimization.</toc-entry> 
<toc-entry idref="H610FFBE5F61D4FCB86760027C0C07759" level="section">Sec. 202. Minimization and records of access by employees and contractors.</toc-entry> 
<toc-entry idref="HB662D8ADD710467FB8E234B09B6A90B0" level="section">Sec. 203. Prohibitions on disclosing of personal information.</toc-entry> 
<toc-entry idref="H70E9F4AE46284C97B2BD5EE43240ABDD" level="section">Sec. 204. Disclosing to entities not subject to United States jurisdiction or not compliant with this Act.</toc-entry> 
<toc-entry idref="H696EA844A9FA414DB460838BF7C232B4" level="section">Sec. 205. Prohibition on reidentification.</toc-entry> 
<toc-entry idref="H5C92273F2B2546909A975C7E733977CC" level="section">Sec. 206. Restrictions on collecting, processing, maintaining, and disclosing contents of communications.</toc-entry> 
<toc-entry idref="H3EA96C9E6DBB49D98D61EC35B0DA6929" level="section">Sec. 207. Prohibition on discriminatory processing.</toc-entry> 
<toc-entry idref="HCE8381F77DB94E4C8328DC7CE4830E39" level="section">Sec. 208. Requirements for notice and consent processes and privacy policies.</toc-entry> 
<toc-entry idref="H832A880D14D64F6698B5B0F48E8109D9" level="section">Sec. 209. Prohibition on <quote>dark patterns</quote> in notice and consent processes and privacy policies.</toc-entry> 
<toc-entry idref="HD9365C8677FF466A8E64DCB4C8B84CCB" level="section">Sec. 210. Notice and consent required.</toc-entry> 
<toc-entry idref="H05DEF5176EB54EDAA58014CEB35982D6" level="section">Sec. 211. Privacy policy.</toc-entry> 
<toc-entry idref="H21C12BA487F14E60B38E7F6012DCA2DB" level="section">Sec. 212. Information security requirements.</toc-entry> 
<toc-entry idref="H840EE5C2E3E3447FA6EA87D8B8521ED1" level="section">Sec. 213. Notification of data breach or data-sharing abuse.</toc-entry> 
<toc-entry idref="HB0A7D8B1D7D34A26819C8D347AFCC006" level="title">Title III—Digital Privacy Agency</toc-entry> 
<toc-entry idref="HBBA72FA03CA446EB94EE56793F470645" level="section">Sec. 301. Establishment; director and deputy director.</toc-entry> 
<toc-entry idref="H831A8B781F12403E8CA61C56CE734F57" level="section">Sec. 302. Agency powers and authorities.</toc-entry> 
<toc-entry idref="H4DC851B47A8B4BA4B24683BAB939F30E" level="section">Sec. 303. Reporting and audit requirements.</toc-entry> 
<toc-entry idref="HB26B6D5E8C5849B3A207341874404D53" level="section">Sec. 304. Relation to other agencies.</toc-entry> 
<toc-entry idref="H0F0DBD7A01D448DB93FBA422C9CB5A9C" level="section">Sec. 305. Personnel.</toc-entry> 
<toc-entry idref="HFEFF7239755141AC90687D6D15372CCE" level="section">Sec. 306. Office of Civil Rights.</toc-entry> 
<toc-entry idref="HF6D5896926C742698C6D048DF53CF597" level="section">Sec. 307. Complaints of individuals.</toc-entry> 
<toc-entry idref="H2849B01C79C54BB0B23A6C245CFF2622" level="section">Sec. 308. Advisory boards.</toc-entry> 
<toc-entry idref="HE200E88D622F43398E25096BB7C8F182" level="section">Sec. 309. Authorization of appropriations.</toc-entry> 
<toc-entry idref="H8551E88AF14D4EC8A76E3D12C790D243" level="title">Title IV—Enforcement</toc-entry> 
<toc-entry idref="HAE83886F95734AF7854829C304E2174D" level="section">Sec. 401. Investigations and administrative discovery.</toc-entry> 
<toc-entry idref="H911F60DF193040C48C5A805D0989A668" level="section">Sec. 402. Hearings and adjudication proceedings.</toc-entry> 
<toc-entry idref="H30F5372B87E94393BFC4448B693C1EA0" level="section">Sec. 403. Litigation authority.</toc-entry> 
<toc-entry idref="H01017791A02744768EAF72279FF25FF4" level="section">Sec. 404. Enforcement by States.</toc-entry> 
<toc-entry idref="HD32675524C5743539F130C5E241842B0" level="section">Sec. 405. Private rights of action.</toc-entry> 
<toc-entry idref="H8BD172D6E5FA4E549BBDB7534B480CC7" level="section">Sec. 406. Relief available.</toc-entry> 
<toc-entry idref="HA5DFCE86D36440B8BD1362D56C9337C3" level="section">Sec. 407. Referral for criminal proceedings.</toc-entry> 
<toc-entry idref="H469E5F855D1E4EE7B4BB02217CE69176" level="section">Sec. 408. Whistleblower enforcement.</toc-entry> 
<toc-entry idref="H46511573842648159AFE9CD1BDB209E2" level="title">Title V—Relation to Other Law</toc-entry> 
<toc-entry idref="HD5228BAD68CB4305887CD8A777BCD779" level="section">Sec. 501. Effective date.</toc-entry> 
<toc-entry idref="H941F3FBF0F0341238897F21D4EF991A8" level="section">Sec. 502. Relation to other Federal law.</toc-entry> 
<toc-entry idref="HD29CEA3AA4AD4F0C8BBC33334893AB2E" level="section">Sec. 503. Severability.</toc-entry> </toc> </subsection></section> 
<section id="H6B1D4837585D4AA2B73E01D22B875205"><enum>2.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text> <paragraph id="H2A3F5A04F4C149309425A7EF8B85F4EE"><enum>(1)</enum><header>Agency</header><text>The term <quote>Agency</quote> means the Digital Privacy Agency established in section 301.</text></paragraph> 
<paragraph id="H8564F293F9DA41DE925095D9547BE436"><enum>(2)</enum><header>Agency investigator</header><text display-inline="yes-display-inline">The term <quote>Agency investigator</quote> means any attorney or investigator employed by the Agency who is charged with the duty of enforcing or carrying into effect any provision of this Act or a rule or order prescribed under this Act.</text></paragraph> <paragraph id="H91C79410475145E7B7C88FF2F224B473"><enum>(3)</enum><header>Behavioral personalization</header> <subparagraph id="HA7A43DF8F91A4F8CA84DAFF9EBBE073D"><enum>(A)</enum><header>In general</header><text>The term <quote>behavioral personalization</quote> means the processing of an individual’s personal information, using an algorithm, model, or other means—</text> 
<clause id="H33F9068BABF046EC8799842507563A1A"><enum>(i)</enum><text>built using—</text> <subclause id="H804CF4222FFE4C2A9A69A644F7871B19"><enum>(I)</enum><text>that individual’s personal information collected over a period of time; or</text></subclause> 
<subclause id="H85225B66867946D79902435731B3AD6C"><enum>(II)</enum><text>an aggregate of the information of one or more similarly situated individuals; and</text></subclause></clause> <clause id="H9BD41BA09CA240ABB71AEEF9F31D9D4F"><enum>(ii)</enum><text>designed to—</text> 
<subclause id="H83B4953105E241D6A81DDBD076ACAD0D"><enum>(I)</enum><text>alter, influence, guide, or predict that individual’s behavior;</text></subclause> <subclause id="HB1F90DB3D0FA455392BE836BAB16A7EB"><enum>(II)</enum><text>tailor or personalize a product or service to that individual; or</text></subclause> 
<subclause id="HB475B9C187CE4C29A992AB348C3A3697"><enum>(III)</enum><text>filter, sort, limit, promote, display or otherwise differentiate between specific content or categories of content that would otherwise be accessible to that individual.</text></subclause></clause></subparagraph> <subparagraph id="H0669DEECCA13443FA270D97D6BE6F2C6"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>behavioral personalization</quote> does not include the use of historical personal information to merely prevent the display of or provide additional information about previously accessed content.</text></subparagraph></paragraph> 
<paragraph id="H50161B9C3CF34FEDB5AB0BA55DAEF06B"><enum>(4)</enum><header>Collect</header><text display-inline="yes-display-inline">The term <quote>collect</quote> includes, with respect to personal information or the contents of any communication, obtaining such information or contents in any manner, except when solely transmitting, routing, providing intermediate storage for, or providing connections for such personal information or communication through a system or network.</text></paragraph> <paragraph id="H87193E3B47CB4A919661DDCE0B03A209"><enum>(5)</enum><header>Commission</header><text>The term <quote>Commission</quote> means the Federal Trade Commission.</text></paragraph> 
<paragraph id="H92F91FE6FB824CA9B6850132FBD0EBE1"><enum>(6)</enum><header>Contents</header><text>The term <quote>contents</quote>, when used with respect to communication, has the meaning given such term in section 2510 of title 18, United States Code.</text></paragraph> <paragraph id="HFE236F60B50E481B84C54AD58111DDA6"><enum>(7)</enum><header>Covered entity</header> <subparagraph id="H9B72A637C9FC428091429BB5490569EA"><enum>(A)</enum><header>In general</header><text>The term <quote>covered entity</quote> means a person who—</text> 
<clause id="HFAB95477B4D840518321CC7190AA4DA3"><enum>(i)</enum><text>intentionally collects, processes, or maintains personal information; and</text></clause> <clause id="H37CB508329D444789952274542559441"><enum>(ii)</enum><text>sends or receives such personal information over the internet or a similar communications network.</text></clause></subparagraph> 
<subparagraph id="HDCCFB12B6BEF483188C37D62F3B86694"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>covered entity</quote> does not include a natural person, except to the extent such person is engaged in a commercial activity that is more than de minimis.</text></subparagraph></paragraph> <paragraph id="H232231A5780F434EB934D361B5C8FDA3"><enum>(8)</enum><header>Custodian</header><text>The term <quote>custodian</quote> means the custodian or any deputy custodian designated by the Agency.</text></paragraph> 
<paragraph id="H8CD8522B987F4782ABB4B46000DCB7C1"><enum>(9)</enum><header>Data breach</header><text>The term <quote>data breach</quote> means unauthorized access to or acquisition of personal information or contents of communications maintained by a covered entity.</text></paragraph> <paragraph id="H21CCAEEC4911484EA6C891A3175F6407"><enum>(10)</enum><header>Data-sharing abuse</header><text>The term <quote>data-sharing abuse</quote> means processing, by a third party, of personal information or contents of communications disclosed by a covered entity to the third party, for any purpose other than—</text> 
<subparagraph id="H54B48023763B44D2B087DF603390D05B"><enum>(A)</enum><text display-inline="yes-display-inline">a purpose specified by the covered entity to the third party at the time such personal information or contents of communications was disclosed; or</text></subparagraph> <subparagraph id="H8119115E79754A638D5C8826DEBE3496"><enum>(B)</enum><text>a purpose to which the individual to whom the information relates has consented.</text></subparagraph></paragraph> 
<paragraph id="HB402742E31FB41E9BB357DF3E50C9FBC"><enum>(11)</enum><header>De-identify</header> 
<subparagraph id="H62A533218353432AB97198A3A9DD93C6"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <quote>de-identify</quote> means, with respect to information, performing actions so that such information cannot reasonably identify, relate to, describe, reference, be capable of being associated with, or be linked, directly or indirectly, to a particular individual or device, but only to the extent that the covered entity that uses such information—</text> <clause id="H300E2A25039C40A6A26F44270C0617DB"><enum>(i)</enum><text display-inline="yes-display-inline">has performed such actions using best practices for the types of data such information contains;</text></clause> 
<clause id="HC92FD4FE55834333BD89952D2172CEE2"><enum>(ii)</enum><text>has implemented technical safeguards that prohibit re-identification of the individual with whom such information was linked;</text></clause> <clause id="H1F6A5EEA1CFA4690872DC73370945A18"><enum>(iii)</enum><text>has implemented business processes that specifically prohibit re-identification of the information;</text></clause> 
<clause id="H88C6086690BF4E9AA3B242349255EDB0"><enum>(iv)</enum><text>has implemented business processes to prevent inadvertent release of such information; and</text></clause> <clause id="H4B282AB2E6564047936DD17A88B7C295"><enum>(v)</enum><text>makes no attempt to re-identify such information.</text></clause></subparagraph> 
<subparagraph id="H2C471FEAFD1643C1829F55790049FC1E"><enum>(B)</enum><header>Determination by the director</header><text>The Director may determine that a methodology of de-identifying personal information is insufficient for the purposes of this paragraph.</text></subparagraph></paragraph> <paragraph id="H234531AAFD9F41DDBD7A60FCBC4948E0"><enum>(12)</enum><header>Director</header><text>The term <quote>Director</quote> means the Director of the Agency.</text></paragraph> 
<paragraph id="HD678EA4B2AB94366AB44612A68A95A3B"><enum>(13)</enum><header>Disclose</header><text>The term <quote>disclose</quote> means, with respect to personal information or contents of communication, to sell, release, transfer, share, disseminate, make available, or otherwise cause to be communicated, such information or contents to a third party.</text></paragraph> <paragraph id="HDC0DD4580F0E44CDBCA586539B0913B2"><enum>(14)</enum><header>Documentary material</header><text>The term <quote>documentary material</quote> includes the original or any copy of any book, document, record, report, memorandum, paper, communication, tabulation, chart, logs, electronic files, or other data or data compilations stored in any medium.</text></paragraph> 
<paragraph id="H652769F641224AD69CED6059A9079EE7"><enum>(15)</enum><header>Federal agency</header><text>The term <quote>Federal agency</quote> has the meaning given to the term <quote>agency</quote> in section 3371 of title 5, United States Code.</text></paragraph> <paragraph id="H931F48C3EA854F91B1E5C8169EF42646"><enum>(16)</enum><header>Federal privacy laws</header><text>The term <quote>Federal privacy laws</quote> includes the laws and regulations described in section 502.</text></paragraph> 
<paragraph id="HA341693C70F14DC88FBAA312830D6779"><enum>(17)</enum><header>Government entity</header><text>The term <quote>government entity</quote> means—</text> <subparagraph id="HBDB066F90BED489496115507A9A6AD8C"><enum>(A)</enum><text>a Federal agency;</text></subparagraph> 
<subparagraph id="H1904B720A36646948B5C789E701C91B0"><enum>(B)</enum><text>a State or political subdivision thereof; or</text></subparagraph> <subparagraph id="H25387FADBEDA426E9D254EDB617CC648"><enum>(C)</enum><text>any agency, authority, or instrumentality of a State or political subdivision thereof.</text></subparagraph></paragraph> 
<paragraph id="HFEC84BC8E7ED425D989266B273802A5B"><enum>(18)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States.</text></paragraph> <paragraph id="HD1505C22A1F840E38D306E7D470EDE08"><enum>(19)</enum><header>Indian tribe</header><text>The term <quote>Indian Tribe</quote> has the meaning given such term in section 4(e) of the Indian Self-Determination and Education Assistance Act (<external-xref legal-doc="usc" parsable-cite="usc/25/5304">25 U.S.C. 5304(e)</external-xref>).</text></paragraph> 
<paragraph id="H999DF2CC09844E199F0AF1C19EF35E9B"><enum>(20)</enum><header>Maintain</header><text>The term <quote>maintain</quote> means, with respect to personal information or the contents of any communication, to store, secure, or otherwise cause the retention of such information or contents, or to take actions necessary for storing, securing, or otherwise causing the retention of such information or contents.</text></paragraph> <paragraph id="H42D7F009D72941D4B318411AD12B2474"><enum>(21)</enum><header>Nonpublic information</header><text>The term <quote>nonpublic information</quote> means information that has not been disclosed in a criminal, civil, or administrative proceeding, in a government investigation, report, or audit, or by the news media or other public source of information, and that was not obtained in violation of the law.</text></paragraph> 
<paragraph id="H033D15564F084250802846114265AC08"><enum>(22)</enum><header>Personal information</header> 
<subparagraph id="H716AB8FA22DD45EB9685A0A309745F4E"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <quote>personal information</quote> means any information maintained by a covered entity that, on its own or combined with other information, is linked or reasonably linkable to a specific individual or a specific device, including de-identified personal information and the means to behavioral personalization created for or linked to a specific individual.</text></subparagraph> <subparagraph id="HE9067AA8418A440490EBFD94486BFC3F"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>personal information</quote> does not include—</text> 
<clause id="H46652006C3ED4B65B784A75C3479D403"><enum>(i)</enum><text>publicly available information linked to an individual; or</text></clause> <clause id="H4D21CEE0D2044A14A0A62FCE955F220D"><enum>(ii)</enum><text>information derived or inferred from personal information, if the derived or inferred information is not linked or reasonably linkable to a specific individual.</text></clause></subparagraph></paragraph> 
<paragraph id="H7DC27110BDE14D1690DAD6ED259D001F"><enum>(23)</enum><header>Privacy harm</header><text display-inline="yes-display-inline">The term <quote>privacy harm</quote> means an adverse consequence or a potential adverse consequence to an individual, a group of individuals, or society caused by the collecting, processing, maintaining, or disclosing of personal information or contents of communications, including—</text> <subparagraph id="HB7600C22FAF54EC0869CD2FE3DCB5E8E"><enum>(A)</enum><text>direct or indirect financial loss or economic harm;</text></subparagraph> 
<subparagraph id="H873C8821EA154403926900C407CBCB23"><enum>(B)</enum><text>physical harm;</text></subparagraph> <subparagraph id="H2730478A54484415A8D88C36756634C8"><enum>(C)</enum><text>psychological harm, including anxiety, embarrassment, fear, and other trauma;</text></subparagraph> 
<subparagraph id="HB3255249BCD846168E2DDD046A09B471"><enum>(D)</enum><text>adverse outcomes or decisions with respect to the eligibility of an individual for rights, benefits, or privileges in employment (including hiring, firing, promotion, demotion, and compensation), credit and insurance (including denial of an application or obtaining less favorable terms), housing, education, professional certification, or the provision of health care and related services;</text></subparagraph> <subparagraph id="H6B4DF3316E294B898D99DA59CD7109D4"><enum>(E)</enum><text>stigmatization or reputational harm;</text></subparagraph> 
<subparagraph id="HD7578903390145CAB2415FCF2B059869"><enum>(F)</enum><text>price discrimination;</text></subparagraph> <subparagraph id="H0979B4180EEB48499FAC3DAD8005DB6F"><enum>(G)</enum><text>adverse consequences that affect the private life of an individual, including private family matters and actions and communications within the home of such individual or a similar physical, online, or digital location where such individual has a reasonable expectation that personal information will not be collected, processed, or maintained;</text></subparagraph> 
<subparagraph id="H311A0DAC363E4588ACBF6AB5D171DB71"><enum>(H)</enum><text display-inline="yes-display-inline">the chilling of free expression or action of an individual, a group of individuals, or society, due to perceived or actual pervasive and excessive collecting, processing, disclosing, or maintaining of personal information or contents of communications;</text></subparagraph> <subparagraph id="H39D6A664E1694737956DC4C0ED3CB75F"><enum>(I)</enum><text>impairing the autonomy of an individual, a group of individuals, or society; and</text></subparagraph> 
<subparagraph id="H9EF76EC195DB49F8AF38D5B3951A0E30"><enum>(J)</enum><text>other adverse consequences or potential adverse consequences, consistent with the provisions of this Act, as determined by the Director.</text></subparagraph></paragraph> <paragraph id="HE4437793AB2F4C72A385A46070A00EF6"><enum>(24)</enum><header>Privacy-preserving computing</header> <subparagraph id="H312CBBD132A04396A95D15285BC6AAC0"><enum>(A)</enum><header>In general</header><text>The term <quote>privacy-preserving computing</quote> means—</text> 
<clause id="H7C779CA29F974CC79DE3557EC10B1DF1"><enum>(i)</enum><text>the collecting, processing, disclosing, or maintaining of personal information that has been encrypted or otherwise rendered unintelligible using a means that cannot be reversed by a covered entity, or a covered entity’s service provider, such that—</text> <subclause id="HABFD99B680084035B5567F3B809531FD"><enum>(I)</enum><text>if such personal information could be rendered intelligible through cooperation or sharing of cryptographic secrets by multiple persons, the covered entity has both technical safeguards and business processes to prevent such cooperation or sharing;</text></subclause> 
<subclause id="H998ECA2632934540A20D5951B19129E7"><enum>(II)</enum><text>if such personal information is rendered intelligible within a hardware processing unit or other means of performing operations on the information, there are technical safeguards that, during the normal course of operation—</text> <item id="HE93B2AEB76944F1D863A382039F6792D"><enum>(aa)</enum><text>prevent rendering personal information intelligible anywhere but within the hardware processing unit or other means of performing operations; and</text></item> 
<item id="H2033DC365796473B8CBB2A9438FB18CB"><enum>(bb)</enum><text>make the exporting or otherwise observing of such intelligible information, or the cryptographic secret used to protect such information, impossible; and</text></item></subclause> <subclause id="H9F9374D2983C4EA99D38B7B3241431D5"><enum>(III)</enum><text>if the result of such processing of the personal information is also personal information, such result must be unintelligible to the covered entity or service provider and protected by privacy-preserving computing.</text></subclause></clause></subparagraph> 
<subparagraph id="H28BE03E821AA48499FDD59A38DDE8E45"><enum>(B)</enum><header>Insufficient methodologies</header><text>The Director may determine that a methodology of privacy-preserving computing is insufficient for the purposes of this definition.</text></subparagraph></paragraph> <paragraph id="HC8AD87802CD4459ABDE7BD7D574E7333"><enum>(25)</enum><header>Process</header><text>The term <quote>process</quote> means to perform or cause to be performed any operation or set of operations on personal information or contents of communication, whether or not by automated means.</text></paragraph> 
<paragraph id="HE204914CACCF4ED3A4C446534A71F500"><enum>(26)</enum><header>Protected class</header><text display-inline="yes-display-inline">The term <quote>protected class</quote> means the actual or perceived race, color, ethnicity, national origin, religion, sex (including sexual orientation and gender identity or expression), familial status, or disability of an individual or group of individuals.</text></paragraph> <paragraph id="H2C31208C95E44F77A467D3594DA20F65"><enum>(27)</enum><header>Publicly available information</header><text>The term <quote>publicly available information</quote>—</text> 
<subparagraph id="HE2FE259DCBA246C88E4AF91BF45BA85B"><enum>(A)</enum><text>means—</text> <clause id="H00B0822DB72F42FE87A8E6B9FDBA5433"><enum>(i)</enum><text>information that is lawfully made available from a government entity;</text></clause> 
<clause id="HE89C0D36666B402CA1F2FE95E9F3DCA6"><enum>(ii)</enum><text>information linked to a public individual or official that is made publicly accessible, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible;</text></clause> <clause id="HDDCDC9FBAE704904890371F52C352619"><enum>(iii)</enum><text>information of an individual that—</text> 
<subclause id="H8FD8FB82E6834051A90A6A2A2A9F01C2"><enum>(I)</enum><text>is made publicly accessible by such individual, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible; and</text></subclause> <subclause id="H51A114B90FBF4ECEB4F224B1ADFBB92E"><enum>(II)</enum><text>such individual has the ability to delete or change without relying on a request under section 102 or 103; and</text></subclause></clause></subparagraph> 
<subparagraph id="H746BD49CFFCF4B278AE965683A91AA19"><enum>(B)</enum><text>does not include—</text> <clause id="HD56C5988E5BA44378F60AA03F9961751"><enum>(i)</enum><text>biometric information of an individual collected by a covered entity without the individual’s knowledge;</text></clause> 
<clause id="H57D5E17B37194343ACF6067DE8EF0387"><enum>(ii)</enum><text>information used for a purpose that is not compatible with the purpose for which the information is maintained and made available in government records;</text></clause> <clause id="H23985761A5B9430F972BD51131D3908A"><enum>(iii)</enum><text>information obtained from government records for the purpose of selling such information; or</text></clause> 
<clause id="H8466FB10465642CAAB482615E36E6E39"><enum>(iv)</enum><text>information used to contact or locate a private individual either physically or electronically.</text></clause></subparagraph></paragraph> <paragraph id="HADF0311CF83B41B18B61A0031A893C0F"><enum>(28)</enum><header>Reasonable mechanism</header><text>The term <quote>reasonable mechanism</quote> means, in the case of a mechanism for individuals to exercise a right under title I or interact with a covered entity under title II, a mechanism that—</text> 
<subparagraph id="H1FC0DB99836042E485550265ABADBA59"><enum>(A)</enum><text>is equivalent in availability and ease of use to that of other mechanisms for communicating or interacting with the covered entity; and</text></subparagraph> <subparagraph id="H9EE1FFC876DE492CAC9649FC092DBA8C"><enum>(B)</enum><text>includes an online means of exercising such right or engaging in such interaction, if such individuals communicate or interact with such covered entity through an online medium or if such covered entity provides information processing services through a public or widely available application programming interface (or similar mechanism).</text></subparagraph></paragraph> 
<paragraph id="HBD52A353A3EB4110818C740D2D768908"><enum>(29)</enum><header>Sell and sale</header> 
<subparagraph id="H908F154D0A7C4991B1A7CE48ADD7F9F6"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The terms <quote>sell</quote> and <quote>sale</quote> mean the disclosing of personal information for monetary consideration or for a thing of value by a covered entity to a third party for the purposes of processing, maintaining or disclosing such personal information at the third party’s discretion.</text></subparagraph> <subparagraph id="HE2C678DE5F1044BA97AAA9E4F78C2072"><enum>(B)</enum><header>Exclusions</header><text>The terms <quote>sell</quote> and <quote>sale</quote> do not include—</text> 
<clause id="HAE3C085061EB4DDDBEEBBBDE3A625511"><enum>(i)</enum><text display-inline="yes-display-inline">the disclosing of personal information of an individual to a third party with which the individual has a direct relationship for purposes of providing a product or service requested by the individual or otherwise in a manner that is consistent with an individual’s reasonable expectations considering the context in which the individual provided the personal information to the covered entity;</text></clause> <clause id="H459DE6847B494ACFBAD7CC71652C7AFC"><enum>(ii)</enum><text>the disclosing or transfer of personal information to a subsidiary or an affiliate of the covered entity; or</text></clause> 
<clause id="H1B0ECDCC454F43D8AD3EFF5BBD9B764E"><enum>(iii)</enum><text display-inline="yes-display-inline">the disclosing or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the covered entity’s assets, unless personal information makes up the majority of the value of the assets of which the third party assumes control.</text></clause></subparagraph></paragraph> <paragraph id="H45A0EBADF98A4CD0A3DFCE8DC4551C5A"><enum>(30)</enum><header>Service provider</header> <subparagraph id="H4266B24F66734600877DDA7DD34F5B02"><enum>(A)</enum><header>In general</header><text>The term <quote>service provider</quote> means a covered entity that—</text> 
<clause id="H9B8EA55483A4417AA7E71E1A0B060B4D"><enum>(i)</enum><text>processes, discloses, or maintains personal information, where such covered entity does not process, disclose, or maintain the personal information other than in accordance with the directions and on behalf of another covered entity;</text></clause> <clause id="H4FB34E1BFE2543FB993821DAE910A50B"><enum>(ii)</enum><text>does not directly collect personal information from or control the mechanism for collecting personal information from an individual;</text></clause> 
<clause id="H3BA7EB2B62224048BCE2D4D1EB568B48"><enum>(iii)</enum><text>does not earn revenue from processing, maintaining, or disclosing personal information disclosed to such covered entity by another covered entity except by providing contracted services to such other covered entity;</text></clause> <clause id="H3FDC2C6C9A394B6D8DDBE569F0F78FEF"><enum>(iv)</enum><text>does not disclose personal information to another covered entity unless such personal information was provided by such other covered entity or resulted from maintaining or processing performed on personal information exclusively provided by such other covered entity;</text></clause> 
<clause id="H99325B8730FD440C91A1F53F81AE3B91"><enum>(v)</enum><text>does not offer services that allow another covered entity to target specific individuals using personal information not provided by such other covered entity;</text></clause> <clause id="H702E42D32B2443AE8448B05A051D5825"><enum>(vi)</enum><text>with respect to personal information processed or maintained by such covered entity on behalf of another covered entity, assists such other covered entity in complying with title I, including providing tools for such other covered entity to comply with such requirements if requested; and</text></clause> 
<clause id="HFF561B2A92E345F78DF59FAC5FA36FDD"><enum>(vii)</enum><text>does not link the personal information provided by another covered entity to personal information from any other source.</text></clause></subparagraph> <subparagraph id="HC93BCB01E5734A068E1026F85523DCB3"><enum>(B)</enum><header>Treatment</header><text>A covered entity shall be treated as a service provider under this Act only to the extent that such covered entity is acting as a service provider, as defined in subparagraph (A).</text></subparagraph></paragraph> 
<paragraph id="H2FAC09301D7F46AFAB8AD50A5D5D0BD5"><enum>(31)</enum><header>Significant privacy harm</header><text display-inline="yes-display-inline">The term <quote>significant privacy harm</quote> means adverse consequences to an individual arising from the collecting, processing, maintaining, or disclosing of personal information or contents of communications, limited to subparagraph (A), (B), or (D) of paragraph (23).</text></paragraph> <paragraph id="H092E0D99DC214D91BFE7F428DFF7BF6F"><enum>(32)</enum><header>Small business</header><text>The term <quote>small business</quote> means a covered entity that—</text> 
<subparagraph id="HE7EEC68C341349FFACB6EAE1C97F0574"><enum>(A)</enum><text>does not earn revenue from the sale of personal information;</text></subparagraph> <subparagraph id="H6DA61A6B49C142E9ABEED525CB61642B"><enum>(B)</enum><text>earns less than half of annual revenues from the processing of personal information for targeted or personalized advertising;</text></subparagraph> 
<subparagraph id="H095B363484DC400284F466E2B72F59FF"><enum>(C)</enum><text display-inline="yes-display-inline">has not, in combination with each subsidiary and affiliate of the service, maintained personal information of 250,000 or more individuals for 3 or more of the preceding 12 months;</text></subparagraph> <subparagraph id="H2C29B3CAA562478791558AAB6B5D4EC2"><enum>(D)</enum><text>has fewer than 200 employees; and</text></subparagraph> 
<subparagraph id="H70CD91A630954C82A33A74DA59E422DB"><enum>(E)</enum><text>received less than $25,000,000 in gross revenue in the preceding 12-month period.</text></subparagraph></paragraph> <paragraph id="H0A03E63AA9574F7EA7372340148CDAC0"><enum>(33)</enum><header>State</header><text>The term <quote>State</quote> means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.</text></paragraph> 
<paragraph id="H074E9C4605524C8ABD9B44AD73220633"><enum>(34)</enum><header>State attorney general</header><text>The term <quote>State attorney general</quote> means, with respect to a State, the attorney general or chief law enforcement officer of the State, or another official or agency designated by the State to bring civil actions on behalf of the State or the residents of the State.</text></paragraph> <paragraph id="H120A56DF43E949FA8F39C40CF259C36A"><enum>(35)</enum><header>State privacy regulator</header><text display-inline="yes-display-inline">The term <quote>State privacy regulator</quote> means an agency or instrumentality of a State that has the primary purpose of administering, implementing, or enforcing a privacy law or associated rules or regulations.</text></paragraph> 
<paragraph id="H6513F4FE00794C26A56B0018DA3ECBD9"><enum>(36)</enum><header>Third party</header><text>The term <quote>third party</quote> means, with respect to a covered entity, a person—</text> <subparagraph id="H87AC2160C74F4D7BA504C374F5FE3A0A"><enum>(A)</enum><text>to which such covered entity disclosed personal information; and</text></subparagraph> 
<subparagraph id="H1BAF46AAEC204A5FB6731A188113E697"><enum>(B)</enum><text>that is not—</text> <clause id="H7A7044C448574754AF257DE6D608D9D2"><enum>(i)</enum><text>such covered entity;</text></clause> 
<clause id="HDB2ED5F6AF944365A8385B46940867E3"><enum>(ii)</enum><text>a subsidiary or corporate affiliate of such covered entity; or</text></clause> <clause id="H9AC190C0E9144CD6A81B5A4947336BCE"><enum>(iii)</enum><text>a service provider of such covered entity.</text></clause></subparagraph></paragraph> 
<paragraph id="HD58CEF2945AD451ABC9218D0551C31C2"><enum>(37)</enum><header>Users</header><text display-inline="yes-display-inline">The term <quote>users</quote> means, with respect to a product or service, the monthly active users, subscribers, or customers (or a reasonable proxy or substitute therefor determined by the Director) of such product or service.</text></paragraph> <paragraph id="H838C19A96E044391AB8A5DB8F8692669"><enum>(38)</enum><header>Violation</header><text>The term <quote>violation</quote> means, except where otherwise specified, any act or omission that, if proved, would constitute a violation of any provision of this Act or a rule or order issued pursuant to this Act.</text></paragraph></section> 
<section id="H0D113A637F2B47A1A5DBDC3ACD235FD5"><enum>3.</enum><header>General provisions</header> 
<subsection id="H5612A8657B724D159EB9B2EE947AAA7E"><enum>(a)</enum><header>Rules of construction with respect to personal information and individuals</header><text>In this Act—</text> <paragraph id="H35618A01B42C451E83C66E1014CD3A54"><enum>(1)</enum><text>any reference to information as being of or belonging to an individual shall be construed to mean that such information is linked or reasonably linkable to such individual as described in section 2(21)(A); and</text></paragraph> 
<paragraph id="H740381FE3DFD49AC9C43C6C51610E7B6"><enum>(2)</enum><text>any reference to any communication as being of or belonging to an individual shall be construed to mean that such individual is party to such communication.</text></paragraph></subsection> <subsection id="HB1028790E002496590CF7187053DC0CA"><enum>(b)</enum><header>Prohibition on waivers</header> <paragraph id="HE9400FE6E3944AE2A353036E2BF5FCDC"><enum>(1)</enum><header>In general</header><text>The provisions under this Act may not be waived. Any agreement purporting to waive compliance with or modify any provision of this Act shall be void as contrary to public policy.</text></paragraph> 
<paragraph id="H4F5F3DA0D63C4D298D1351D7653BBBBC"><enum>(2)</enum><header>Prohibition on predispute arbitration agreements</header><text>No predispute arbitration agreement shall be valid or enforceable with respect to any claims under this Act.</text></paragraph></subsection> <subsection id="H79988B9A3A3B4C4D8629CB0EC2F91649"><enum>(c)</enum><header>Journalism protection</header> <paragraph id="H367FE37AC42A4BDA81B345393ADF501B"><enum>(1)</enum><header>In general</header><text>Covered entities engaged in journalism shall not be subject to the obligations imposed under this Act to the extent that those obligations directly infringe on the journalism rather than the business practices of the covered entity, so long as the covered entity has technical safeguards and business processes that prevent the collecting, processing, maintaining, or disclosing of such personal information for business practices other than journalism.</text></paragraph> 
<paragraph id="HB7E1132BE54B427688CBE76529F4A28D"><enum>(2)</enum><header>Journalism</header><text>The term <quote>journalism</quote> includes the collecting, maintaining, processing, and disclosing of personal information about a public individual or official, or that otherwise concerns matters of public interest, for dissemination to the public.</text></paragraph></subsection> <subsection id="HA94AF93B23994542A2A950A4DB2C180E"><enum>(d)</enum><header>Small business compliance ramp</header><text>Upon losing its status as a small business, a covered entity shall have nine months to comply with provisions of this Act that a small business is exempt from complying with.</text></subsection> 
<subsection id="H5C91255251CD491EAEB1700DA9F341E4"><enum>(e)</enum><header>Prohibition on collecting, maintaining, processing, or disclosing personal information</header><text>A covered entity may not collect, maintain, process, or disclose personal information using a channel of interstate commerce unless such covered entity is in compliance with all requirements of this Act.</text></subsection></section> <section id="HFA5AA18D91B744E7A4D98D84B0C2A135"><enum>4.</enum><header>Limitation on disclosing nonredacted government records</header> <subsection id="HC8F81509F60841469CAA5DF354D5F06E"><enum>(a)</enum><header>In general</header><text>A government entity may not use a channel of interstate commerce to disclose the personal information of an individual in a government record without an agreement prohibiting the recipient of such information from selling the information without the express consent of the individual.</text></subsection> 
<subsection id="H204D9D05D56D49239D0762A05F857536"><enum>(b)</enum><header>Exception</header><text>Notwithstanding subsection (a), nothing in this section shall prohibit the disclosure of personal information using a channel of interstate commerce to another government entity without consent of the individual.</text></subsection></section> <section id="H3CE193C1A9F0443ABBF8A7DD3E0359BB"><enum>5.</enum><header>Privacy considerations for legislative branch agencies</header> <subsection id="HFACA04A9AAEF4F6292FB61D930FBCC09"><enum>(a)</enum><header>Government publishing office</header> <paragraph id="HD16EE45E90CF4C388678FAADAA7F812C"><enum>(1)</enum><header>Privacy responsibilities of the director</header> <subparagraph id="H3929769165C949D58F3C3159B3BDE868"><enum>(A)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/3">Chapter 3</external-xref> of title 44, United States Code, is amended by inserting at the end the following:</text> 
<quoted-block id="H2BD72563BB9948C8AB65C0A95B2631AE" style="USC"> 
<section id="H731BC270BA7248129EC314054D3874F2"><enum>319.</enum><header>Privacy responsibilities of the Director of the Government Publishing Office</header><text display-inline="no-display-inline">The Director of the Government Publishing Office shall identify and implement appropriate measures to prevent the disclosure of personal information by the Government Publishing Office and to minimize the risk of privacy harms in its operations.</text></section><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph> <subparagraph id="H1FB0CCF18D4D4696BFE51078076C4E50"><enum>(B)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/3">chapter 3</external-xref> of title 44, United States Code, is amended by inserting after the item relating to <external-xref legal-doc="usc" parsable-cite="usc/44/318">section 318</external-xref> the following:</text> 
<quoted-block style="USC" id="HB1BFBA534EFC48F882DA094044F66986" display-inline="no-display-inline"> 
<toc container-level="quoted-block-container" quoted-block="no-quoted-block" lowest-level="section" idref="H2BD72563BB9948C8AB65C0A95B2631AE" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"> 
<toc-entry idref="H731BC270BA7248129EC314054D3874F2" level="section">319. Privacy responsibilities of the Director of the Government Publishing Office.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph> 
<paragraph id="H6E5FA8C1F33C4419B3FE8B61E9BFED4D"><enum>(2)</enum><header>Privacy safeguards for published documents</header><text>Section 1701 of title 44, United States Code, is amended by striking <quote>the publication.</quote> in the last sentence of the first paragraph and inserting <quote>the publication, and only after conducting an appropriate review or implementing other appropriate measures to prevent the disclosure of personal information and minimize the risks of privacy harms in such publication.</quote>.</text></paragraph> <paragraph id="HB5DAE10504744C75B2BE6D97B75AB9FB"><enum>(3)</enum><header>Privacy safeguards in the depository library program</header><text>Section 1902 of title 44, United States Code, is amended by inserting at the end the following: <quote>The Superintendent of Documents shall assess the risks of disclosure of personal information and related privacy harms in publications made available to and by depository libraries and shall implement appropriate measures to minimize such risks, including to the extent necessary by imposing obligations upon depository libraries.</quote>.</text></paragraph></subsection> 
<subsection id="HF5812F829CD8402EBAEFA316A099F584"><enum>(b)</enum><header>Library of congress</header><text>The first paragraph under the center heading <quote><header-in-text level="appropriations-intermediate" style="appropriations">Library of Congress</header-in-text></quote> under the center heading <quote><header-in-text level="appropriations-major" style="appropriations">Legislative</header-in-text></quote> of the Act entitled <quote>An Act Making appropriations for the legislative, executive, and judicial expenses of the Government for the fiscal year ending June thirtieth, eighteen hundred and ninety-eight, and for other purposes</quote>, approved February 19, 1897 (<external-xref legal-doc="usc" parsable-cite="usc/2/136">2 U.S.C. 136</external-xref>), is amended by striking at the end <quote>Library.</quote> and inserting <quote>Library, including by identifying and implementing appropriate measures to prevent the disclosure of personal information by the Library and to minimize the risk of privacy harms in its operations.</quote>.</text></subsection> <subsection id="H8B82137E28154689AE0474F2B94EA677"><enum>(c)</enum><header>Smithsonian institution</header><text>Section 7 of the Act entitled <quote>An Act to establish the <quote>Smithsonian Institution</quote> for the increase and diffusion of knowledge among men</quote>, approved August 10, 1846 (<external-xref legal-doc="usc" parsable-cite="usc/20/46">20 U.S.C. 46</external-xref>), is amended by adding at the end the following: <quote>The Secretary shall assess the risks of disclosure of personal information by the institution and related privacy harms and shall implement appropriate measures to minimize such risks.</quote>.</text></subsection> 
<subsection id="H4663D81AB55E43E9A0867C3787736FDE"><enum>(d)</enum><header>Chief Administrative Officer of the House of Representatives</header> 
<paragraph id="H58338E41622C4E3792E1041DE4B01802"><enum>(1)</enum><header>In general</header><text>Subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/2/55">chapter 55</external-xref> of title 2, United States Code, is amended by inserting at the end the following:</text> <quoted-block id="H3B465C234C524FBDAD3BF2F2DB2DC208" style="USC"> <section id="HB0426055553C461CA501626216194457"><enum>5549.</enum><header>Privacy responsibilities</header><text display-inline="no-display-inline">The Chief Administrative Officer of the House of Representatives shall identify and implement appropriate measures to prevent the disclosure of personal information and to minimize the risk of privacy harms in its areas of operational and financial responsibility.</text></section><after-quoted-block>.</after-quoted-block></quoted-block></paragraph> 
<paragraph id="H320C77F6F92B4B82B017CC903D96B8F1"><enum>(2)</enum><header>Clerical amendment</header><text>The table of sections for subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/2/55">chapter 55</external-xref> of title 2, United States Code, is amended by inserting after the item relating to <external-xref legal-doc="usc" parsable-cite="usc/2/5548">section 5548</external-xref> the following:</text> <quoted-block style="USC" id="H11C4288B32CE4D719D4E4A661A112F9B" display-inline="no-display-inline"> <toc container-level="quoted-block-container" quoted-block="no-quoted-block" lowest-level="section" idref="H3B465C234C524FBDAD3BF2F2DB2DC208" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"> <toc-entry idref="HB0426055553C461CA501626216194457" level="section">5549. Privacy responsibilities.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section> <section id="H0CA5814A54884B1FB31308D73D6C02A1"><enum>6.</enum><header>Criminal prohibition on doxxing</header> <subsection id="HF4AC5EE67B514A8EA55927D48BC36CB2"><enum>(a)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/41">Chapter 41</external-xref> of title 18, United States Code, is amended by adding at the end the following:</text> 
<quoted-block id="HB66549B8A6FA4ABB9278AF59B719DCF7" style="USC"> 
<section id="H35E18C70FFE54535BE67CA965A431EF5"><enum>881.</enum><header>Disclosing of personal information with the intent to cause harm</header> 
<subsection id="H7B3599D3DF2C421D81B5E3A6414B7C82"><enum>(a)</enum><header>In general</header><text>Whoever uses a channel of interstate or foreign commerce to knowingly disclose an individual’s personal information with the intent—</text> <paragraph id="H28879C3709C04FCCA9D0EBFE1C5EAB6D"><enum>(1)</enum><text>to threaten, intimidate, or harass any person, incite or facilitate the commission of a crime of violence against any person, or place any person in reasonable fear of death or serious bodily injury; or</text></paragraph> 
<paragraph id="H526BD70759D247E6BA880A57F888640D"><enum>(2)</enum><text>that the information will be used to threaten, intimidate, or harass any person, incite or facilitate the commission of a crime of violence against any person, or place any person in reasonable fear of death or serious bodily injury, </text></paragraph><continuation-text continuation-text-level="subsection">shall be fined under this title or imprisoned not more than 5 years, or both.</continuation-text></subsection> <subsection id="H2586EC4BE05B499F873D33D7737DDE4C"><enum>(b)</enum><header>Definitions</header><text>In this section:</text> 
<paragraph id="HCEAD588BA4854B02AF810B30C3CB326D"><enum>(1)</enum><header>Contents</header><text>The term <quote>contents</quote>, when used with respect to communication, has the meaning given such term in section 2510 of title 18, United States Code.</text></paragraph> <paragraph id="H399E46407E634FD792FCD8B81E5CE30F"><enum>(2)</enum><header>Disclose</header><text>The term <quote>disclose</quote> means, with respect to personal information or contents of communication, to sell, release, transfer, share, disseminate, make available, or otherwise cause to be communicated such information or contents to a third party.</text></paragraph> 
<paragraph id="HB96A7D2493AA4BD49F5C1350DAC1065B"><enum>(3)</enum><header>Government entity</header><text>The term <quote>government entity</quote> means—</text> <subparagraph id="HAF94F74D5CC0445D8A90EEBDC6840EA5"><enum>(A)</enum><text>a Federal agency (as such term is defined in section 3371 of title 5, United States Code);</text></subparagraph> 
<subparagraph id="HCDA99F3C67B8470EB0B7C80C150F6FA3"><enum>(B)</enum><text>a State or political subdivision thereof; or</text></subparagraph> <subparagraph id="HBBCE6E63A89A45CEBAB156EB8535E312"><enum>(C)</enum><text>any agency, authority, or instrumentality of a State or political subdivision thereof.</text></subparagraph></paragraph> 
<paragraph id="HC1B5CCF49DBC4ECEBCBD2DA57701FB1C"><enum>(4)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States.</text></paragraph> <paragraph id="H25E951AAE9B242B299CE5E32FEB96C37"><enum>(5)</enum><header>Personal information</header> <subparagraph id="H91A43A57EE3D45CEBFA7E3A21C12838F"><enum>(A)</enum><header>In general</header><text>The term <quote>personal information</quote> means any information maintained by a person that, on its own or combined with other information, is linked or reasonably linkable to a specific individual.</text></subparagraph> 
<subparagraph id="HC39847BFC7B146168C716A52499FF34B"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>personal information</quote> does not include—</text> <clause id="HFC9C8B538BC844478BBB51BE17FA1344"><enum>(i)</enum><text>publicly available information linked to an individual; or</text></clause> 
<clause id="H088FF246A0B748B384E44B511D3C8AD2"><enum>(ii)</enum><text>information derived or inferred from personal information, if the derived or inferred information is not linked or reasonably linkable to a specific individual.</text></clause></subparagraph></paragraph> <paragraph id="HF7229A7D39B8414A85BA7B68959F6BE6"><enum>(6)</enum><header>Publicly available information</header><text>The term <quote>publicly available information</quote>—</text> 
<subparagraph id="H311D7A69741D430EB2CA58598A874160"><enum>(A)</enum><text>means—</text> <clause id="HCC4A7D5A2F594F99A31A418C32B76264"><enum>(i)</enum><text>information that is lawfully made available from a government entity;</text></clause> 
<clause id="H26C05ED40D5F41BE926A459DAF8036EE"><enum>(ii)</enum><text>information linked to a public individual or official that is made publicly accessible, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible;</text></clause> <clause id="HFC681D9A9DF74AAB9D4584EFEDAF443F"><enum>(iii)</enum><text>information of an individual that—</text> 
<subclause id="H1EC0F1E365354A16B1A0D159CA03A81B"><enum>(I)</enum><text>is made publicly accessible by such individual, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible; and</text></subclause> <subclause id="HF3730EB16324486793149A6749E803FE"><enum>(II)</enum><text>such individual has the ability to delete or change; and</text></subclause></clause></subparagraph> 
<subparagraph id="H516C8388556645CC8E3062A26808CF95"><enum>(B)</enum><text>does not include—</text> <clause id="H9CAF8E547FAB436DBC5CA8A91A7B3FF0"><enum>(i)</enum><text>biometric information of an individual collected by a covered entity without the individual’s knowledge;</text></clause> 
<clause id="H881F6224770A4BF4A2D3F54E160E698D"><enum>(ii)</enum><text>information used for a purpose that is not compatible with the purpose for which the information is maintained and made available in government records;</text></clause> <clause id="H392FE3B192A046DAA91A42129E72F075"><enum>(iii)</enum><text>information obtained from government records for the purpose of selling such information; or</text></clause> 
<clause id="HCDBE1B6CB2B44ADB9A4694B88330746C"><enum>(iv)</enum><text>information used to contact or locate a private individual either physically or electronically.</text></clause></subparagraph></paragraph> <paragraph id="H608467A7EC244F8B8D82FC731609BC8C"><enum>(7)</enum><header>State</header><text>The term <quote>State</quote> means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection> 
<subsection id="H12860579EF724FEDB193633EA5F9797D"><enum>(b)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/41">chapter 41</external-xref> of title 18, United States Code, is amended by inserting after the item relating to <external-xref legal-doc="usc" parsable-cite="usc/18/880">section 880</external-xref> the following:</text> <quoted-block style="OLC" id="HB5BAA54C98924EAE9BD4836D9EC6585A" display-inline="no-display-inline"> <toc container-level="quoted-block-container" quoted-block="no-quoted-block" lowest-level="section" idref="HB66549B8A6FA4ABB9278AF59B719DCF7" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"> <toc-entry idref="H35E18C70FFE54535BE67CA965A431EF5" level="section">881. Disclosing of personal information with the intent to cause harm.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section> <title id="HC0C415D385DD4411B929BDEDB9296107"><enum>I</enum><header>Individual Rights</header> <section id="H78DA2BDC4B6A4C16B00011DA84E78964"><enum>101.</enum><header>Right of access</header> <subsection id="H1409714097A341A181164EE90BF2C170"><enum>(a)</enum><header>In general</header><text>A covered entity shall make available a reasonable mechanism by which an individual may access—</text> 
<paragraph id="HCC1CDA1D145A4EF0BB5F4D4D28CA186D"><enum>(1)</enum><text>the categories of personal information and contents of communications of such individual that is maintained by such covered entity, including, in the case of personal information that such covered entity did not collect from such individual, how and from whom such covered entity obtained such personal information;</text></paragraph> <paragraph id="HD2C6ADC5CEF44F718DCAA807F05F79BE"><enum>(2)</enum><text>a list of the third parties, subsidiaries, and corporate affiliates, to which such covered entity has disclosed and from which such covered entity has, at any time on or after the effective date of this Act, obtained the personal information of such individual;</text></paragraph> 
<paragraph id="HA4B789E2C3E4479E8885426E8A58E7EC"><enum>(3)</enum><text>a concise and clear description of the business or commercial purposes of such covered entity—</text> <subparagraph id="H89A566E6BE034789BC37EEA000FCD4BC"><enum>(A)</enum><text>for collecting, processing, or maintaining the personal information of such individual; and</text></subparagraph> 
<subparagraph id="H95CF344E341E4118AC1DC2A071D55541"><enum>(B)</enum><text>for disclosing to a third party the personal information of such individual; and</text></subparagraph></paragraph> <paragraph id="HBC147168F61C4379B6539DCC83551872"><enum>(4)</enum><text>a list of automated decisionmaking processes that an individual has a right to request human review of under section 105 with a concise and clear description of the implications and intended effects of such process.</text></paragraph></subsection> 
<subsection id="HD49A1AA591D7444AAA125FB2EE0FF21C"><enum>(b)</enum><header>Exception for publicly accessible information</header><text>A covered entity that makes available information required in subsection (a) shall be considered in compliance with such requirements if the covered entity provides an individual with instructions on how to access a public posting of such information, including in a privacy policy, if the instructions are easy and do not require payment.</text></subsection> <subsection id="HE61864A8E1D4453EA6859487AC2710A1"><enum>(c)</enum><header>Small businesses excluded</header><text>Subsection (a)(3) does not apply to a small business.</text></subsection></section> 
<section id="H057A5048476842ED9B2586FD8C38E438"><enum>102.</enum><header>Right of correction</header> 
<subsection id="HC3527203950C4D3EB7ABF8ABCA12C01B"><enum>(a)</enum><header>Dispute by individual</header><text>A covered entity shall make available a reasonable mechanism by which an individual may dispute the accuracy or completeness of personal information linked to such individual that is maintained by such covered entity if such information is processed in any way, by such covered entity, a third party of such covered entity, or a service provider of such covered entity that may increase reasonably foreseeable significant privacy harms.</text></subsection> <subsection id="H5D886E77DDD2429D9E0F10338A0EF8A5"><enum>(b)</enum><header>Correction by covered entity</header><text>A covered entity receiving a dispute under subsection (a) shall—</text> 
<paragraph id="H01FB2D0179414935855C202CA6703A09"><enum>(1)</enum><text>correct or complete (as the case may be) the disputed information and notify such individual that the correction or completion has been made; or</text></paragraph> <paragraph id="H912BE71ABA9C4DCCA929463089154C33"><enum>(2)</enum><text>notify such individual that—</text> 
<subparagraph id="H252C6732EA4B46888508E38E7B52632C"><enum>(A)</enum><text>the disputed information is correct or complete;</text></subparagraph> <subparagraph id="H5A5FC311BC3945B498B7522808FF8D88"><enum>(B)</enum><text>such covered entity lacks sufficient information to correct or complete the disputed information; or</text></subparagraph> 
<subparagraph id="H6B43312543BE41F4976688681225F819"><enum>(C)</enum><text>such covered entity is denying the request for correction or completion in reliance on an exemption or exception provided by section 109(g).</text></subparagraph></paragraph></subsection> <subsection id="HF2296CFDADB348DC856C5F451D025E96"><enum>(c)</enum><header>Small businesses excluded</header><text>This section does not apply to a small business.</text></subsection></section> 
<section id="HF37AE33087984690A067F5087CAC8BF1"><enum>103.</enum><header>Right of deletion</header> 
<subsection id="HB90DD358C4AE4BC293D5380214BFD4D4"><enum>(a)</enum><header>Request by individual</header><text>A covered entity shall make available a reasonable mechanism by which an individual may request the deletion of personal information and contents of communications of such individual maintained by such covered entity, including any such information that such covered entity acquired from a third party or inferred from other information maintained by such covered entity.</text></subsection> <subsection id="HBA680807D9854AE5BE9C4CAEE632260F"><enum>(b)</enum><header>Deletion by covered entity</header><text>A covered entity receiving a request for deletion under subsection (a) shall—</text> 
<paragraph id="HF2153B70E75B491FB76C61516EE3FC51"><enum>(1)</enum><text>delete such information and notify such individual that such information has been deleted; or</text></paragraph> <paragraph id="HCE56218DBBEB46B99855618E77DFEEDB"><enum>(2)</enum><text>notify such individual that such covered entity is denying the request for deletion in reliance on an exemption or exception provided by section 109(g).</text></paragraph></subsection></section> 
<section id="H615A6CCC358042C29BD57A7FDD9894FD"><enum>104.</enum><header>Right of portability</header> 
<subsection id="H3E6EC1FA1EF5478789D641784F0210A9"><enum>(a)</enum><header>Determination of portable categories</header> 
<paragraph id="H40A8B302D4C34036B7B28437453DF614"><enum>(1)</enum><header>Annual determination</header><text>Not less frequently than once per calendar year, the Director shall—</text> <subparagraph id="HD07956498F1A4F979A5D3A576065DC71"><enum>(A)</enum><text>establish categories of products and services offered by covered entities, based on similarities in the products and services;</text></subparagraph> 
<subparagraph id="HEEBCE6F177DF48CBAA355FB227F62702"><enum>(B)</enum><text>determine which categories established under subparagraph (A) are portable categories; and</text></subparagraph> <subparagraph id="H9C77A414B85F4B9ABCE038F4851125F7"><enum>(C)</enum><text>publish in the Federal Register a list of portable categories determined under subparagraph (B).</text></subparagraph></paragraph> 
<paragraph id="H517B18E851794423BE656B1EFC6D286E"><enum>(2)</enum><header>Opportunity for public comment</header><text>Before publishing the final list under paragraph (1)(C), the Director shall—</text> <subparagraph id="H674270178880461A8D30B1D9A8B88E9A"><enum>(A)</enum><text>publish a draft of such list in the Federal Register; and</text></subparagraph> 
<subparagraph id="H334F5DB769AA4E8F822C28B8AF204CE4"><enum>(B)</enum><text>provide an opportunity for public comment on such draft list.</text></subparagraph></paragraph></subsection> <subsection id="HE68AFA9983F74857A0A652E16CBE9712"><enum>(b)</enum><header>Exercise of right</header> <paragraph id="HB6B2776CF2C146588843CC2ED2BD2350"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity that offers a product or service in a portable category and that maintains personal information or the contents of any communications of an individual shall make available to such individual a reasonable mechanism by which such individual may—</text> 
<subparagraph id="HC532569CE16B4FBA9EE39CB678DA3744"><enum>(A)</enum><text>download, in a format that is structured, commonly used, and machine-readable—</text> <clause id="HCB1B19DE25CF4EB4B7EFF53E27F50456"><enum>(i)</enum><text>any such personal information that such individual has provided to such covered entity, with the option to download such information by category that is accessible under section 101; and</text></clause> 
<clause id="H47A257A852EC4A52BD883C29D75F4D4C"><enum>(ii)</enum><text>the contents of any such communications; and</text></clause></subparagraph> <subparagraph id="HF260D3E6F43F44FD9C2DB159D6761D9A"><enum>(B)</enum><text display-inline="yes-display-inline">using a real-time application programming interface, or similar mechanism, transmit all such personal information (whether or not provided to such covered entity by such individual) and the contents of any such communication from such covered entity to another covered entity in accordance with subsection (c).</text></subparagraph></paragraph> 
<paragraph id="HEFFDCB73016944108541C51B212FCE52"><enum>(2)</enum><header>Requirements for application programming interface</header><text>The application programming interface, or similar mechanism, required by paragraph (1)(B) shall—</text> <subparagraph id="HEE7095600D5A4B63A34A66D16E05366B"><enum>(A)</enum><text>be publicly documented;</text></subparagraph> 
<subparagraph id="H89C2BE1D31EE481BB71ECABAFB663E46"><enum>(B)</enum><text display-inline="yes-display-inline">allow the option of obtaining any personal information of an individual that the individual has provided to the covered entity, if such information is accessible under section 101;</text></subparagraph> <subparagraph id="H44088F85EC1F4BD9AE18F8D77D3668CE"><enum>(C)</enum><text>include a publicly available, fully functional test version for development purposes; and</text></subparagraph> 
<subparagraph id="HB5CBF570D66347FD80DCD31C997D52E4"><enum>(D)</enum><text>be of similar quality to mechanisms used internally by the covered entity.</text></subparagraph></paragraph></subsection> <subsection id="H29954713055048E0840F77E2356453C6"><enum>(c)</enum><header>Requirements for access to an application programming interface</header> <paragraph id="HB8CD6AAE09054440928A6DE31169DCCF"><enum>(1)</enum><header>Access</header><text display-inline="yes-display-inline">Except as provided in paragraph (2)(A), a covered entity shall provide access to the application programming interface or similar mechanism required by subsection (b)(1)(B) upon the request of another covered entity if the requesting covered entity has self-certified, using the procedures established by the Director under paragraph (3)(A), that such requesting covered entity—</text> 
<subparagraph id="H74BF3B57671040CAAF4FA1A24DB98A80"><enum>(A)</enum><text>is a covered entity;</text></subparagraph> <subparagraph id="H8D8958EFEE794D53B1F01209D907224B"><enum>(B)</enum><text>can have personal information disclosed to it under section 204;</text></subparagraph> 
<subparagraph id="HFCF90C87D0F048159CA80D40A1243EBA"><enum>(C)</enum><text>is, at the time of the self-certification, in compliance with all applicable requirements of this Act (including provisions a small business is otherwise exempt from complying with);</text></subparagraph> <subparagraph id="H2FA3D679889846AAA94F6213727875C6"><enum>(D)</enum><text>will continue to comply with all requirements of this Act; and</text></subparagraph> 
<subparagraph id="H6A06157B33F64F618BEA58107F538996"><enum>(E)</enum><text>will only use such application programming interface or similar mechanism at the express request of an individual.</text></subparagraph></paragraph> <paragraph id="HF1CC9CB38A3E4976A082F53A8002F7A7"><enum>(2)</enum><header>Denial of access</header> <subparagraph id="H0A64C63B528F4C87B0A1BC94D8FCD8DE"><enum>(A)</enum><header>In general</header><text>A covered entity may deny access to the application programming interface or similar mechanism required by subsection (b)(1)(B) if such covered entity has an objective, reasonable belief that the requesting covered entity has failed to meet the requirements for self-certification under paragraph (1).</text></subparagraph> 
<subparagraph id="HD61931223E9248B4AA967C9160526EBB"><enum>(B)</enum><header>Review</header><text>In accordance with the procedures established under paragraph (3)(B), a covered entity the request of which is denied under subparagraph (A) may petition the Director for review of the denial. If the Director finds that such denial is unreasonable, the Director shall impose a penalty, to be established in such procedures, on the covered entity that denied the request.</text></subparagraph></paragraph> <paragraph id="H92DAA53970504AE7BE1078A3B15D6055"><enum>(3)</enum><header>Certification and review procedures</header><text>The Director shall establish—</text> 
<subparagraph id="H6A97C324B59F45648900166B93DA5606"><enum>(A)</enum><text>procedures for a covered entity to self-certify under paragraph (1); and</text></subparagraph> <subparagraph id="H242EDEB3CDAF4DFB9A5154351D392BED"><enum>(B)</enum><text>procedures for the review of petitions under paragraph (2)(B), including penalties for unreasonable denials.</text></subparagraph></paragraph></subsection> 
<subsection id="HEEA278220814417C8D37B6A5614A938E"><enum>(d)</enum><header>Small businesses excluded</header><text>This section does not apply to a small business.</text></subsection> <subsection id="HE098AE544CB34023AF0A817E11A30ECA"><enum>(e)</enum><header>Portable category defined</header><text>In this section, the term <quote>portable category</quote> means a category of products and services established by the Director under subsection (a)(1)(A)—</text> 
<paragraph id="HAACAF570D48C418FB902E85DA2055AE5"><enum>(1)</enum><text>for which the sum obtained by adding the number of users or estimated users of each product or service in such category is greater than 10,000,000; and</text></paragraph> <paragraph id="H320A21D0C38F41928674A61564CB1A94"><enum>(2)</enum><text>that—</text> 
<subparagraph id="H9DCE60A6BF424CDBA82ABD5D566878C1"><enum>(A)</enum><text>has an estimated Herfindahl-Hirschman Index of 2,000 or greater;</text></subparagraph> <subparagraph id="H25586C3CC1C442CEAFB41D11993C0C59"><enum>(B)</enum><text>has 3 or fewer covered entities offering products and services in such category; or</text></subparagraph> 
<subparagraph id="H2B009E05E0754FB09BC2D8347954D13D"><enum>(C)</enum><text>the Director otherwise determines that a category would benefit from encouraging increased competition.</text></subparagraph></paragraph></subsection></section> <section id="H07E072499DFF4C44AAC03EBC35D03137"><enum>105.</enum><header>Right to human review of automated decisions</header><text display-inline="no-display-inline">For any decision by a covered entity based solely on automated processing of personal information of an individual, if such processing materially increases reasonably foreseeable significant privacy harms for such individual, such covered entity shall—</text> 
<paragraph id="H3EF313A319F04B668140AFA2FC0A4F5E"><enum>(1)</enum><text>inform such individual of what personal information is being or may be used for such decision;</text></paragraph> <paragraph id="H2AC96341B6FB45D79FA20868990C4839"><enum>(2)</enum><text display-inline="yes-display-inline">make available a reasonable mechanism by which such individual may request human review of such decision, upon request or in a publicly accessible location; and</text></paragraph> 
<paragraph id="HBC095E81B66A4647B88F6B1696F87377"><enum>(3)</enum><text>if such individual requests such a review, conduct such review within a reasonable amount of time after such request.</text></paragraph></section> <section id="H8BCDF941AAAF480AB3C66A2FC88611B2"><enum>106.</enum><header>Right to individual autonomy</header> <subsection id="HA4B69FB7DE2444C99052E648CFB4B89B"><enum>(a)</enum><header>In general</header><text>A covered entity shall not collect, process, maintain, or disclose an individual’s personal information to—</text> 
<paragraph id="HCF989F7BAF6C4AE2992462629A529560"><enum>(1)</enum><text>create, improve upon, or maintain;</text></paragraph> <paragraph id="HE622E5304C3D4A8D90392187A64C746A"><enum>(2)</enum><text>process with; or</text></paragraph> 
<paragraph id="HDB8EBEA42B3640158D55A92769716B25"><enum>(3)</enum><text>otherwise link an individual with;</text></paragraph><continuation-text continuation-text-level="subsection">an algorithm, model, or other means designed for behavioral personalization, without the affirmative express consent of that individual.</continuation-text></subsection> <subsection id="H6B05A170E782439DB655E76840F14AF2"><enum>(b)</enum><header>Consent</header><text display-inline="yes-display-inline">A covered entity must obtain express affirmative consent from an individual before it may provide a behaviorally personalized version of a product or service, and not less than every calendar year thereafter. Where consent is denied, a covered entity must provide the product or service without behavioral personalization.</text></subsection> 
<subsection id="H3318F80B89AF406A9CAE851FCC3072C5"><enum>(c)</enum><header>Exceptions to providing product or service</header> 
<paragraph id="HF25FAD4535754CEEA007306ED36E4163"><enum>(1)</enum><text>Where the offering of a substantially similar product or service without behavioral personalization is infeasible, a covered entity shall provide, to the greatest extent feasible, a core aspect or part of the product or service that can be offered without behavioral personalization.</text></paragraph> <paragraph id="H1C56C5FD299A4A1AA5A014A994594C64"><enum>(2)</enum><text>Where no core aspect or part of the product or service can function in a substantially similar function without behavioral personalization, a covered entity may deny providing an individual use of such product or service if such individual does not consent to behavioral personalization as required in subsection (a).</text></paragraph></subsection> 
<subsection id="H9C2858E5F2F043DC9F334B7F152BA5E8"><enum>(d)</enum><header>Exception to behavioral processing</header><text display-inline="yes-display-inline">Notwithstanding subsections (a) and (b), a covered entity may process personal information to create or operate behavioral personalization algorithms, models, or other mechanisms for the purpose of increasing the usability of the product or service provided by a covered entity that—</text> <paragraph id="HFFD5EC4DD7934062B7AE5F75A05D2D3C"><enum>(1)</enum><text>are built using aggregated personal information that is representative of all the personal information the covered entity maintains; and</text></paragraph> 
<paragraph id="H22C257E98C0345088052075F1E6C128B"><enum>(2)</enum><text>have an output that is both uniform across the individuals that use the product or service and independent of a specific individual’s inherent or behavioral characteristics.</text></paragraph></subsection> <subsection id="HCC8D95DA1F0E4C608B56C144E2E22553"><enum>(e)</enum><header>Usability</header><text>The term <quote>usability</quote> as used in subsection (d) does not include optimizations or other alterations to the product or service that are made with the primary purpose of increasing the amount of time an individual engages with or uses the product or service, unless such increase benefits the individual.</text></subsection> 
<subsection id="H1E77671A92C14EC5BC8F2AE8B04FBAE0"><enum>(f)</enum><header>Small businesses excluded</header><text>This section does not apply to a small business.</text></subsection></section> <section id="H310C30BB38344C1F8166AE63B6B956FD"><enum>107.</enum><header>Right to be informed</header><text display-inline="no-display-inline">A covered entity that collects personal information of an individual with whom such covered entity does not have an existing relationship (as of the time of the collecting), if such personal information includes contact information, shall notify such individual within 30 days, in writing if possible and at no charge to the individual, that such covered entity has collected the personal information of such individual.</text></section> 
<section id="H51E28822B7E34D0E9B2C4F615B12E07C"><enum>108.</enum><header>Right to impermanence</header> 
<subsection id="H0437660675D74DB492849B303AABE550"><enum>(a)</enum><header>Limitation on maintaining of personal information</header><text>A covered entity shall not maintain personal information for more time than expressly consented to by an individual whose personal information is being maintained.</text></subsection> <subsection id="HA8123163CD824618B50359A2958454BA"><enum>(b)</enum><header>Consent</header><text>A covered entity must obtain express affirmative consent from an individual before maintaining the personal information of such individual for any duration. Such consent may be obtained for categories of personal information and shall give an individual options to affirmatively choose granting a covered entity consent for various durations, at least including—</text> 
<paragraph id="HB60A8D31EE3841EA853FF4C029729889"><enum>(1)</enum><text>for no longer than needed to complete the specific request or transaction (including a reasonable estimate of such duration by the covered entity);</text></paragraph> <paragraph id="H975932C7923F4030AD007773FC90996D"><enum>(2)</enum><text>until consent is revoked; and</text></paragraph> 
<paragraph id="HECC684262FD2431EB554A53F062F99EC"><enum>(3)</enum><text>one or more additional durations based on reasonable expectations and norms for maintaining the category of personal information.</text></paragraph></subsection> <subsection id="H306B324343D14EA3BFB119C5E534A8AE"><enum>(c)</enum><header>Exception for implied consent</header><text>Where the long-term maintaining of personal information is, on its face, obvious and a core feature of the product or service at the request of the individual, and the personal information is maintained only to provide such product or service, subsections (a) and (b) shall not apply.</text></subsection></section> 
<section id="H8FC76C7C3FD44DDC86508139A18E7BEA"><enum>109.</enum><header>Exemptions, exceptions, fees, timelines, and rules of construction for rights under this title</header> 
<subsection id="H93919014598E47CDAF0DCB6BE5BD920A"><enum>(a)</enum><header>Exemptions for personal information for particular purposes</header> 
<paragraph id="HF66639DDDA044E148FD157495F4AF131"><enum>(1)</enum><header>In general</header><text>This title does not apply with respect to personal information that is collected, processed, maintained, or disclosed for any of the following purposes (or a combination of such purposes), where a covered entity has technical safeguards and business processes that limit collecting, processing, maintaining, or disclosing of such personal information to the following purposes:</text> <subparagraph id="H98FB44EBB508463F962CCA19DE682A77"><enum>(A)</enum><text>Detecting, responding to, or preventing security incidents or threats.</text></subparagraph> 
<subparagraph id="H0C3FB9D412AC46F4B3151CDCEA8403ED"><enum>(B)</enum><text>Protecting against malicious, deceptive, fraudulent, or illegal activity.</text></subparagraph> <subparagraph id="H7FA511A28D4344A1924F6E885ABC45B5"><enum>(C)</enum><text display-inline="yes-display-inline">A good faith response to, or compliance with, a valid subpoena, court order, or warrant (including a subpoena and court order obtained by an entity that is not a government entity) or otherwise providing information as required by law.</text></subparagraph> 
<subparagraph id="H03C2E44E7CE244B68934F927AE999DE0"><enum>(D)</enum><text>Protecting a legally recognized privilege or other legal right.</text></subparagraph> <subparagraph id="H2E2AAC62C7424AF0BF9156D56D68EB8B"><enum>(E)</enum><text>Protecting public safety.</text></subparagraph> 
<subparagraph id="H7258034AB0D1471AB4A585ECCB08AC12"><enum>(F)</enum><text>Collecting, processing, or maintaining by an employer pursuant to an employer-employee relationship of records about employees or employment status, except—</text> <clause id="HE28EA3B039624A9BBDAD93654E536DE8"><enum>(i)</enum><text>where the information would not be reasonably expected to be collected in the context of an employee’s regular duties; or</text></clause> 
<clause id="HA670B9081C39463C9C9062AF43EFEB37"><enum>(ii)</enum><text>was disclosed to the employer by a third party.</text></clause></subparagraph> <subparagraph id="H1900E86A782642FF9903668F7E694BF1"><enum>(G)</enum><text>Preventing prospective abuses of a service by an individual whose account has been previously terminated.</text></subparagraph> 
<subparagraph id="H89767477EC144E0A8EAD008C8DC3A21A"><enum>(H)</enum><text>Routing a communication through a communications network or resolving the location of a host or client on a communications network.</text></subparagraph> <subparagraph id="H47FA3992A1CD482EB5EDECC6D03E4A35"><enum>(I)</enum><text>Providing transparency in advertising or origination of user-generated content.</text></subparagraph></paragraph> 
<paragraph id="H122E708F7DD4436F8C5E91FB0DE292B0"><enum>(2)</enum><header>Reidentification</header><text display-inline="yes-display-inline">Where compliance with this title would require the reidentification of de-identified personal information, and the covered entity does not already maintain the information necessary for such reidentification, the covered entity shall be exempt from such compliance, except for requirements under section 106.</text></paragraph> <paragraph id="H77A554A050F94AC98B35B8B593E87C48"><enum>(3)</enum><header>Disclosing</header><text>A covered entity relying on an exemption under paragraph (1) with respect to personal information shall disclose in the privacy policy maintained by such entity under section 211—</text> 
<subparagraph id="HE407965E62ED4E1F909F8623116FCED5"><enum>(A)</enum><text>the reason for which such information is collected, processed, maintained, or disclosed; and</text></subparagraph> <subparagraph id="H922FD637ED3A48AF9C18C00AEACEF31E"><enum>(B)</enum><text>a description of the rights provided by this title that are not available with respect to such personal information by reason of such exemption.</text></subparagraph></paragraph></subsection> 
<subsection id="H325BCAFF3CA24B30A9BCADF708B2E5DE"><enum>(b)</enum><header>Exceptions for particular requests</header> 
<paragraph id="H601F757531F146F8B7525B6AA5706F9C"><enum>(1)</enum><header>In general</header><text>A covered entity may deny the request of an individual under this title if—</text> <subparagraph id="HB64B1F82F2A348AB81B925CAC64907C1"><enum>(A)</enum><text>such covered entity cannot confirm the identity of such individual;</text></subparagraph> 
<subparagraph id="H8FF0BAECB5C94CF2893C78E2513B1410"><enum>(B)</enum><text>such covered entity determines that granting the request of such individual would create a legitimate risk to the privacy, security, safety, or other rights of another individual;</text></subparagraph> <subparagraph id="H5A1BF422E5274ADFB767E0F5E1359FA1"><enum>(C)</enum><text>such covered entity determines that granting the request of such individual would create a legitimate risk to free expression; or</text></subparagraph> 
<subparagraph id="H528B6059ECE9467CBA9637D32E36A2AC"><enum>(D)</enum><text>the personal information requested to be corrected under section 102 or deleted under section 103—</text> <clause id="HEC5187A5175345B193416342F1EB3294"><enum>(i)</enum><text>is necessary to the completion of a transaction initiated before such request was made or the performance of a contract entered into before such request was made;</text></clause> 
<clause id="H8DFF11EE58144E1EBBA969AB13A8234E"><enum>(ii)</enum><text>was collected specifically for the completion of such transaction or the performance of such contract; and</text></clause> <clause id="H5D5754998712412B8E0D80C05DFC8949"><enum>(iii)</enum><text>would undermine the integrity of a legally significant transaction.</text></clause></subparagraph></paragraph> 
<paragraph id="H48E8ECE16A194BBBBAAEAAA08E0849D8"><enum>(2)</enum><header>Limitations on requests for additional information to confirm identity</header><text>A covered entity may not deny a request of an individual under paragraph (1)(A) on the basis of the refusal of such individual to provide additional personal information to such covered entity to confirm the identity of such individual—</text> <subparagraph id="H48F5E86A469B413BB1F19955F3DFDC95"><enum>(A)</enum><text>if the identity of such individual can reasonably be confirmed using personal information of such individual that such covered entity (as of the time of the request) already maintains; or</text></subparagraph> 
<subparagraph id="HA18AC87ADC09476B80E161CB3D750EF3"><enum>(B)</enum><text>if such individual has an existing relationship (as of the time of the request) with such covered entity, such individual has confirmed the identity of such individual to such covered entity in the same manner as for other transactions of a similar sensitivity.</text></subparagraph></paragraph></subsection> <subsection id="H5583AF85D7BF4BF9895148697FDF26D6"><enum>(c)</enum><header>Exemption for service providers</header><text>This title does not apply to a service provider.</text></subsection> 
<subsection id="H7461823831A4443BAEE789ADD7C940BC"><enum>(d)</enum><header>Exemption for privacy-preserving computing</header><text>Except for sections 101, 105, and 106, this title does not apply to personal information secured using privacy-preserving computing.</text></subsection> <subsection id="H6C90F3E079C54F2BAAC8FC22185E6FA6"><enum>(e)</enum><header>Timeline for complying with a request</header><text>Without undue delay but not longer than 30 days after the request, a covered entity that receives a request under this title must—</text> 
<paragraph id="H8B8E61EC1E4D41B98856813B27EFA7CE"><enum>(1)</enum><text>comply with such request; or</text></paragraph> <paragraph id="HA34B4AFB5C3A468D8B7FD63065216FA3"><enum>(2)</enum><text>inform such individual of the reason for denying such request, as allowed under subsection (a) or (b).</text></paragraph></subsection> 
<subsection id="HD8050E4E83E54445BA9898059C54E41C"><enum>(f)</enum><header>Fees prohibited</header> 
<paragraph id="H1CB90F64CFC9429ABC25E07716992601"><enum>(1)</enum><header>In general</header><text>Except as provided in paragraph (2), a covered entity may not charge a fee to an individual for a request made under this title.</text></paragraph> <paragraph id="HB2D350F0308F4C8190DAEBDB1C273814"><enum>(2)</enum><header>Unfounded or excessive requests</header><text>If a request under this title is unfounded or excessive, a covered entity may charge a reasonable fee that reflects the estimated administrative costs of complying with such request.</text></paragraph> 
<paragraph id="HA9A85AA026454049A3A258D183070DCA"><enum>(3)</enum><header>Agency notice</header><text>If a covered entity plans to charge a fee under paragraph (2), it must notify the Agency at least 7 days before charging such fee.</text></paragraph> <paragraph id="HD55310831FBF498AAA83E35738293AA3"><enum>(4)</enum><header>Agency review</header><text>The Director may reject any fee that a covered entity plans to charge for a request made under this title if the Agency finds—</text> 
<subparagraph id="H944DB4CFDC054AEAB3E128ADAB034F4C"><enum>(A)</enum><text>such fee to be unreasonable relative to reasonable administrative costs of complying with a request under this title; or</text></subparagraph> <subparagraph id="H06EC5845980B42DB9FF3A97F9A205B07"><enum>(B)</enum><text>such request is not unfounded or excessive.</text></subparagraph></paragraph></subsection> 
<subsection id="H5B39B6A091454E919003A0808C6C568F"><enum>(g)</enum><header>Rules of construction</header><text>Nothing in this title shall be construed to require a covered entity to—</text> <paragraph id="H1DDF807670534C5381456FB53DFABDE8"><enum>(1)</enum><text>take an action that would convert information that is not personal information into personal information;</text></paragraph> 
<paragraph id="H15F089229B2549B3B53D0C5B2ED4787D"><enum>(2)</enum><text display-inline="yes-display-inline">collect or maintain personal information or contents of communication that the covered entity would otherwise not maintain (including record of an individual exercising rights under this title); or</text></paragraph> <paragraph id="HDF75842512B74E0D9426DB47D83848CC"><enum>(3)</enum><text>maintain personal information or contents of communication longer than the covered entity would otherwise maintain such personal information.</text></paragraph></subsection> 
<subsection id="H3693E7DF716D4BAE8D918878801B2EFC"><enum>(h)</enum><header>Regulations</header><text>The Director shall promulgate regulations to implement this section.</text></subsection></section></title> <title id="H891657543F9B4CBF8AC32192D18CCC23"><enum>II</enum><header>Requirements for Covered Entities, Service Providers, and Third Parties</header> <section id="H902895A2AD6F4D4A80BFE2A0BCC2286A"><enum>201.</enum><header>Minimization</header> <subsection id="HDD1B3E84D5694C2F8652F6757CE39BC5"><enum>(a)</enum><header>Articulated basis</header><text>A covered entity shall have a reasonable, articulated basis for collecting, processing, maintaining, and disclosing of personal information that takes into account the reasonable business needs of the covered entity and minimum amount of personal information necessary for providing the service, balanced with the intrusion on the privacy of, potential privacy harms to, and reasonable expectations of individuals to whom the personal information relates.</text></subsection> 
<subsection id="HE8449FE9DD1D4DCFB0B56FF61CC8F034"><enum>(b)</enum><header>Minimization of collecting, processing, maintaining, and disclosing</header> 
<paragraph id="H4B14DC0AEBC84B84B1E43EF6CE06C4C6"><enum>(1)</enum><header>Collecting</header><text>A covered entity may not collect more personal information than is reasonably needed to provide a product or service that an individual has requested.</text></paragraph> <paragraph id="H46EAB466EA5B419A9AB0023A95911875"><enum>(2)</enum><header>Processing</header><text>A covered entity may not process personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.</text></paragraph> 
<paragraph id="H0073B1E86BBC4AD8AA5ADFBFAFBC7773"><enum>(3)</enum><header>Maintaining</header><text display-inline="yes-display-inline">A covered entity may not maintain personal information once such information is no longer needed for the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.</text></paragraph> <paragraph id="HC847FACB692D4871BC62B445B7C97548"><enum>(4)</enum><header>Disclosing</header><text>A covered entity may not disclose personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.</text></paragraph></subsection> 
<subsection id="H275370A7A9C74D76BC09AAA0853CC70A"><enum>(c)</enum><header>Ancillary collecting, processing, maintaining, and disclosing</header><text>Notwithstanding subsection (b), a covered entity may collect, process, disclose, or maintain personal information beyond limitations under subsection (b) only if such covered entity complies with this subsection.</text> <paragraph id="HEC56458374AB42A6B786196F41B5AF5E"><enum>(1)</enum><header>No notice or consent required</header><text>A covered entity may collect, process, or maintain personal information without additional notice or consent if the purpose for such collecting, processing, or maintaining is substantially similar to the type of personal information and purpose for which such personal information was originally collected and such ancillary collecting, processing, or maintaining will not result in additional or increased privacy harms.</text></paragraph> 
<paragraph id="HA53B2E65996D49CA93987C2022ACF047"><enum>(2)</enum><header>Notice required</header><text display-inline="yes-display-inline">A covered entity shall provide notice of ancillary collecting, processing, maintaining, or disclosing of personal information in the case of one, but not more than one, of the following instances:</text> <subparagraph id="HC3812BB5EF2740BDA3A3E98F2E391995"><enum>(A)</enum><text>Such ancillary collecting, processing, maintaining, or disclosing may result in additional or increased privacy harms (but not increased significant privacy harms), and is substantially similar to the purpose for which such personal information was originally collected.</text></subparagraph> 
<subparagraph id="H344CEC175C874EDCAB39876F7BAF5429"><enum>(B)</enum><text>Such ancillary collecting, processing, maintaining, or disclosing is not substantially similar to the purpose for which such personal information was originally collected, but will not result in additional or increased privacy harms.</text></subparagraph> <subparagraph id="H1F901892D7374EC9BCEF206ABDD95018"><enum>(C)</enum><text>Such ancillary collecting, processing, maintaining, or disclosing may result in additional or increased privacy harms (but not increased significant privacy harms) and the purpose is not substantially similar to the purpose for which such personal information was originally collected, so long as the personal information is secured using privacy preserving computing.</text></subparagraph></paragraph> 
<paragraph id="HE38ADCD60F3449E683B158534D207BD6"><enum>(3)</enum><header>Notice and consent required</header><text>For scenarios not covered under paragraph (1) or (2), and notwithstanding sections 208(b)(2) and (3), a covered entity shall provide notice of and obtain consent for ancillary collecting, processing, maintaining, or disclosing of personal information.</text></paragraph></subsection> <subsection id="HDD37A6040DBE42DEB0EFCC53E88829D4"><enum>(d)</enum><header>Substitution</header><text>In cases in which personal information can be replaced with artificial personal information, personal information that has been de-identified, or the random personal information of one or more individuals without substantially reducing the utility of the data or requiring an unreasonable amount of effort, such a replacement shall take place.</text></subsection></section> 
<section id="H610FFBE5F61D4FCB86760027C0C07759"><enum>202.</enum><header>Minimization and records of access by employees and contractors</header> 
<subsection id="H9ED80DA5E1534C1FAA6282A7E8A6864F"><enum>(a)</enum><header>Minimization</header><text>A covered entity shall restrict access to personal information and contents of communications by the employees or contractors of such covered entity based on an articulated balance between the potential for privacy harm, reasonable expectations of individuals to whom the personal information relates, and reasonable business needs.</text></subsection> <subsection id="H015FD60D318D414BB1F3E55FBFE4DC7C"><enum>(b)</enum><header>Records of access</header> <paragraph id="H6C6CFBD9E6BD4AD08EB44006D14F34F7"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity shall maintain records identifying each instance in which an employee or a contractor of such covered entity accesses personal information or contents of communications if disclosing such personal information or contents of communication, or a data breach or data-sharing abuse involving such personal information or contents of communication, may foreseeably result in increased privacy harms.</text></paragraph> 
<paragraph id="H6FC46EFFA28D4958B1F563B86ECE3B76"><enum>(2)</enum><header>Information required</header><text>The records required by paragraph (1) shall include the following:</text> <subparagraph id="H3DF7587B94B34AA1A26782C2EBAB4CE3"><enum>(A)</enum><text>A unique identifier for the employee or contractor accessing personal information or contents of communications.</text></subparagraph> 
<subparagraph id="HA35733472DFB459B8FF0D93707B462C3"><enum>(B)</enum><text>The date and time of access.</text></subparagraph> <subparagraph id="HA3EE1383B2BA49ADB627DEF445D4E3B9"><enum>(C)</enum><text>The fields of information accessed.</text></subparagraph> 
<subparagraph id="HEC71DEDCB16847518C0FC504D8007F90"><enum>(D)</enum><text>The individuals whose personal information was accessed or the contents of whose communications were accessed.</text></subparagraph></paragraph> <paragraph id="H7CDCD7C44E7F41048E0F565E6B33A490"><enum>(3)</enum><header>Small businesses excluded</header><text>This subsection does not apply to a small business.</text></paragraph></subsection></section> 
<section id="HB662D8ADD710467FB8E234B09B6A90B0"><enum>203.</enum><header>Prohibitions on disclosing of personal information</header> 
<subsection id="HD678FBE960A74547A3D8F6A41EB8FE57"><enum>(a)</enum><header>Consent for disclosing required</header> 
<paragraph id="HC7A5974CCB02459083D6CD4335D6F4A0"><enum>(1)</enum><header>In general</header><text>A covered entity may not intentionally disclose personal information unless the covered entity obtains consent of the individual whose personal information is being disclosed for each category of third party to which such personal information will be disclosed. Such covered entity must also provide such individual with notice of—</text> <subparagraph id="H9606CC65B29A42D0BA00F8CFBD2F241E"><enum>(A)</enum><text>each category of third party;</text></subparagraph> 
<subparagraph id="H42ECC26507E043CA88D8B415A9D6E958"><enum>(B)</enum><text>the personal information to be disclosed; and</text></subparagraph> <subparagraph id="H67821F2FF1034C4C84184F84D2E31DD1"><enum>(C)</enum><text display-inline="yes-display-inline">a concise and clear description of the business or commercial purpose for disclosing such personal information.</text></subparagraph></paragraph> 
<paragraph id="H1D8DE9A02DB844DB9632624B6BB63A8A"><enum>(2)</enum><header>Additional requirements for sale of personal information</header> 
<subparagraph id="H1942384B3EC74CBF889EA30F49EC7066"><enum>(A)</enum><header>In general</header><text>A covered entity may not intentionally sell personal information unless the covered entity—</text> <clause id="H85C370ED30A34781B830601057401CD4"><enum>(i)</enum><text>obtains the consent required by paragraph (1) for disclosing such personal information; and</text></clause> 
<clause id="H9FF682B27AC9414E9B9F4A8DCEB9E57B"><enum>(ii)</enum><text>provides the individual to whom such personal information relates with the identity of the specific third party to which such personal information will be disclosed.</text></clause></subparagraph> <subparagraph id="H32C242CCCE4441D08151497B3B4880B7"><enum>(B)</enum><header>Disclosing services</header><text>Subparagraph (A) shall not apply to a covered entity in a case in which an individual is directing the covered entity to disclose the personal information of such individual for the sole purpose of procuring goods or services, or offers for goods or services, for such individual, if there is a reasonable mechanism for the individual to withdraw consent.</text></subparagraph></paragraph> 
<paragraph id="H81754629B68F4957B2CF01BB90A3029C"><enum>(3)</enum><header>Requirement to include original purpose of collecting</header><text>A covered entity may not intentionally disclose personal information without including the purpose for which the personal information was originally collected.</text></paragraph> <paragraph id="H4B6A4D488FD4435EA8EC91689DDD58DE"><enum>(4)</enum><header>Exception for privacy-preserving computing</header><text>Notwithstanding paragraph (1), consent is not required for disclosing (not including selling) personal information secured using privacy preserving computing.</text></paragraph> 
<paragraph id="H85EFB152938B4478A741A144FDDA8C97"><enum>(5)</enum><header>Exception for de-identified personal information</header><text>Notwithstanding paragraph (1), consent is not required for disclosing (not including selling) de-identified personal information where the disclosed personal information is limited to the narrowest possible scope likely to yield the intended benefit and contractual obligations are in place that prohibit—</text> <subparagraph id="HB09A74FE2AAE4F83ABBE890E7781902E"><enum>(A)</enum><text>re-identification of the disclosed personal information; and</text></subparagraph> 
<subparagraph id="HEBDD58D8721C4047AEA0F7242C6058C8"><enum>(B)</enum><text>the processing of additional personal information in combination with the disclosed personal information that would allow for the reidentification of the disclosed personal information.</text></subparagraph></paragraph></subsection> <subsection id="H8D289A13622245BEBBD81F09EC7B5E96"><enum>(b)</enum><header>Disclosing for advertising or marketing purposes</header> <paragraph id="H4DAFEC8F84384460A53BC3B9161C5A55"><enum>(1)</enum><header>In general</header><text>A covered entity may not intentionally disclose for advertising or marketing purposes a unique identifier or any other personal information that would allow information disclosed to be linked to information relating to the same individual or device disclosed in the past.</text></paragraph> 
<paragraph id="H8807076B6E3648B89092FE2513E824B4"><enum>(2)</enum><header>Treatment of certain types of information</header><text display-inline="yes-display-inline">Disclosing personal information or contents of communication for advertising or marketing purposes may not be treated as violating paragraph (1) by reason of including any or all of the following:</text> <subparagraph id="H242B1352FA124086872048CA0A11BB22"><enum>(A)</enum><text>Internet Protocol addresses truncated to no more than the first 24 bits for Internet Protocol version 4 and the first 48 bits for Internet Protocol version 6, or for a successor protocol truncated to limit the precision of the identifier to a network address of the internet access provider.</text></subparagraph> 
<subparagraph id="HADF20A69425B4F829595609AD868E295"><enum>(B)</enum><text>Geolocation information truncated to allow no more than the equivalent of two decimal degrees of precision at the equator or prime meridian, or an equivalent precision in another geolocation standard.</text></subparagraph> <subparagraph id="H460473A50A3D47C3AF303FA5CBCE6C89"><enum>(C)</enum><text>A general description of a device, browser, or operating system, or any combination thereof.</text></subparagraph> 
<subparagraph id="H346073BBB37E4ABD887B01CC9C7CF7AF"><enum>(D)</enum><text>An identifier that is unique to a disclosure.</text></subparagraph></paragraph></subsection></section> <section id="H70E9F4AE46284C97B2BD5EE43240ABDD"><enum>204.</enum><header>Disclosing to entities not subject to United States jurisdiction or not compliant with this Act</header> <subsection id="H4D7977EDB4D7491E94AAF216505EFBEA"><enum>(a)</enum><header>Prohibition</header><text>A covered entity may not intentionally disclose personal information to any entity that—</text> 
<paragraph id="H7B232D8175B44C6C95938B7027A94DED"><enum>(1)</enum><text>is not subject to the jurisdiction of the United States; or</text></paragraph> <paragraph id="H3D1E809A4614487EAFFCB908AA9687BB"><enum>(2)</enum><text>is not in compliance with all requirements of this Act.</text></paragraph></subsection> 
<subsection id="H8216E93D4403456AA78598F7DADB9C4A"><enum>(b)</enum><header>Exception</header><text>Notwithstanding subsection (a), a covered entity may disclose personal information where that personal information is limited to an identifier created primarily for the purpose of sending or receiving electronic communications and the sole purpose of disclosing is to send or receive an electronic communication at the request of the individual whose personal information is being disclosed.</text></subsection> <subsection id="HC816A79EA6AC4A058862A55390C816B9"><enum>(c)</enum><header>Safe harbors for disclosing</header><text>Notwithstanding subsection (a), a covered entity may disclose personal information to another covered entity (the receiving covered entity) that is not subject to the jurisdiction of the United States if either—</text> 
<paragraph id="HCFB6E8D8FBE34286B10F67E05A97D56C"><enum>(1)</enum><text>the receiving covered entity has entered into an agreement, as described in subsection (e), with the Agency, and—</text> <subparagraph id="HF93E35B9727940F0ACBBD96376438558"><enum>(A)</enum><text>the covered entity has a reasonable belief that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act;</text></subparagraph> 
<subparagraph id="H11BE3D9C9D5F4C85892C6023AF7BC781"><enum>(B)</enum><text>a contract between the covered entity and receiving covered entity requires that the receiving covered entity complies with this Act, and the covered entity has reason to believe the receiving covered entity is compliant with this Act; and</text></subparagraph> <subparagraph id="HF79F356E3C05407D81B0A057CC1E963E"><enum>(C)</enum><text>a contract between the covered entity and the receiving covered entity prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract; or</text></subparagraph></paragraph> 
<paragraph id="HE42AEEF0F0E342CF90CA0E398C5C4E32"><enum>(2)</enum><text>the covered entity has—</text> <subparagraph id="H0AF9BE8CCE274D97914D9EDBBA016AB0"><enum>(A)</enum><text>entered into an agreement with the receiving covered entity that—</text> 
<clause id="H95219C84AC7242A98B4230AA5647C2B4"><enum>(i)</enum><text>requires the receiving covered entity to comply with this Act;</text></clause> <clause id="H7E777062CA63445BA0240164AF782644"><enum>(ii)</enum><text>prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract;</text></clause> 
<clause id="H2F8E517F0C06409EB2F2FF096E1D0400"><enum>(iii)</enum><text>requires the receiving covered entity to indemnify the covered entity against violations of this Act committed by the receiving covered entity for any amount the covered entity is unable to pay of a judgment for such violation;</text></clause> <clause id="H74837E40773B463B902E160C81F915EA"><enum>(iv)</enum><text>grants the covered entity the authority to audit, including physical access to electronic devices and data, the receiving covered entity’s compliance with this Act and the contract; and</text></clause> 
<clause id="HA9D41B6F25F841438B60979621FE6740"><enum>(v)</enum><text>requires the receiving covered entity to assist the covered entity in responding to and complying with any court orders, Agency orders, or the exercising of an individual’s rights under this Act;</text></clause></subparagraph> <subparagraph id="HD024F62AB6A7497A9493C7FE58989D50"><enum>(B)</enum><text>actual knowledge that the receiving covered entity is in compliance with this Act and not using personal information contrary to their agreement;</text></subparagraph> 
<subparagraph id="H2BBE284833854333BE4B67A702150489"><enum>(C)</enum><text>actual knowledge that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act;</text></subparagraph> <subparagraph id="H0543B0FB43A34D19BAB7D7151F2D8E52"><enum>(D)</enum><text>an auditing and compliance program to ensure the receiving covered entity’s continued compliance with this Act and contract terms;</text></subparagraph> 
<subparagraph id="H8564CF6281DA4364980F05134C4E85E5"><enum>(E)</enum><text>filed with the Agency the terms of said contract, proof of its actual knowledge of the receiving covered entity’s compliance with this Act and contract terms, and documents detailing its auditing and compliance program for approval and publication by the Agency; and</text></subparagraph> <subparagraph id="H9D27F25DEAA64B0EAEC26E53060FC226"><enum>(F)</enum><text>entered into an agreement with the Agency where the covered entity agrees to accept, respond to, or comply with a court order, Agency order, or request by an individual regarding actions taken by the receiving covered entity with respect to covered information it has disclosed.</text></subparagraph></paragraph></subsection> 
<subsection id="HA3514FD70BA54C1BAB29E079761673EC"><enum>(d)</enum><header>Liability for violation by receiving covered entity; failure To report</header><text>For the purposes of subsection (c)(2), the covered entity shall be jointly liable for a violation of this Act by the receiving covered entity regarding the personal information the covered entity disclosed, except where the covered entity was the first to notify the Agency of the violation, in which case, it shall be severally liable. Where the covered entity should reasonably have known of a violation of this Act by the receiving covered entity and fails to disclose the violation to the Agency, each day of continuance of the failure to report such violation shall be treated as a separate violation.</text></subsection> <subsection id="HEC89030BB37C46C380147890A7EF4112"><enum>(e)</enum><header>Agency agreements</header><text>Upon the request of a covered entity not subject to the jurisdiction of the United States, the Agency shall enter into an agreement with the covered entity that includes, but is not limited to, the following conditions:</text> 
<paragraph id="H9757558F87BC46B0920A72E631B3C71E"><enum>(1)</enum><text>The principal place of business for the covered entity must be in a country that allows for the domestication of a United States court decision for civil fines payable to a government entity and injunctive relief. Where a foreign court refuses to enforce a United States court decision under this Act, the agreement, and all other agreements with covered entities with a principal place of business in the same jurisdiction, shall be void.</text></paragraph> <paragraph id="HCDFC2396D66A4CF0BDF451F70CD298D1"><enum>(2)</enum><text>The covered entity agrees to comply with this Act.</text></paragraph> 
<paragraph id="HBBF68FB8162744F3BC9615E75839A602"><enum>(3)</enum><text>The covered entity agrees to be subject to this Act with choice of venue being a United States court.</text></paragraph> <paragraph id="HC21C340A7E604788A4E3EEB4F6180562"><enum>(4)</enum><text>The covered entity agrees to comply with Agency investigative requests or orders, and United States court orders or decisions under this Act.</text></paragraph> 
<paragraph id="HDA4074F445A84D1388987BC7DBE15F0F"><enum>(5)</enum><text>The covered entity consents to United States Federal court personal jurisdiction for the sole purpose of enforcing this Act.</text></paragraph> <paragraph id="H57A2814C74AC472E9B4DA332AD7285EB"><enum>(6)</enum><text>Where enforcement of the decision requires the use of a foreign court, the covered entity agrees to pay reasonable attorney fees necessary to enforce the judgment.</text></paragraph> 
<paragraph id="H3A56E65BF95B47708D90D8446EC17FEC"><enum>(7)</enum><text>A default judgment, failure to comply with Agency investigative requests or orders, or failure to comply with United States court orders or decisions shall result in the immediate termination of the agreement.</text></paragraph></subsection> <subsection id="HCBDC1D518DA044C5B01D09BBD396A4BE"><enum>(f)</enum><header>Rule of construction against data localization</header><text>Nothing in this section shall be construed to require the localization of processing or maintaining personal information by a covered entity to within the United States, or limit internal disclosing of personal information within a covered entity or to subsidiary or corporate affiliate of such covered entity, regardless of the country in which the covered entity will process, disclose, or maintain that personal information.</text></subsection></section> 
<section id="H696EA844A9FA414DB460838BF7C232B4"><enum>205.</enum><header>Prohibition on reidentification</header> 
<subsection id="H5913BF6E41D2435B86CD177CF393E526"><enum>(a)</enum><header>In general</header><text>Except as required under title I, a covered entity shall not use personal information collected from an individual, acquired from a third party, or acquired from publicly available information to reidentify an individual from de-identified information.</text></subsection> <subsection id="H479A9D805931489AB591E4995392C15D"><enum>(b)</enum><header>Third-Party prohibition</header><text>A covered entity that discloses de-identified information to a third party shall prohibit such third party from reidentifying an individual using such de-identified information.</text></subsection> 
<subsection id="H046CBFD29E684E9B93C18673B0AD27BF"><enum>(c)</enum><header>Exception</header><text>Subsection (a) shall not apply to qualified research entities, as determined by the Director, conducting research not for commercial purposes.</text></subsection></section> <section id="H5C92273F2B2546909A975C7E733977CC"><enum>206.</enum><header>Restrictions on collecting, processing, maintaining, and disclosing contents of communications</header> <subsection id="HBB0F42CA962E4DA3BCBAE0BCFA462537"><enum>(a)</enum><header>In general</header><text>A covered entity may not collect, process, maintain, or disclose the contents of any communication, regardless of whether the sender or intended recipient of the communication is an individual, other person, or an electronic device, for any purpose other than—</text> 
<paragraph id="H04B7AC27BCCD4504887706C65DD85C79"><enum>(1)</enum><text>transmitting or displaying the communication to any intended recipient or the original sender, or maintaining such communications for such purposes;</text></paragraph> <paragraph id="HB253CEB58ABB4214B0F72DED3AAC5CE5"><enum>(2)</enum><text>detecting, responding to, or preventing security incidents or threats;</text></paragraph> 
<paragraph id="H48A49204FFFB460AA557DA8A4E072EC2"><enum>(3)</enum><text>providing services to assist in the drafting or creation of the content of a communication;</text></paragraph> <paragraph id="H1CB3EA723DD643A9A1387C269CBE2321"><enum>(4)</enum><text>processing expressly requested by the sender or intended recipient, if the sender or intended recipient can terminate such processing using a reasonable mechanism;</text></paragraph> 
<paragraph id="HFE67BF03E88D434FA2EB2DE107C9F127"><enum>(5)</enum><text>disclosing otherwise required by law;</text></paragraph> <paragraph id="H7328EFC441AA4A9D8EDE2D1F25FD0FA8"><enum>(6)</enum><text display-inline="yes-display-inline">filtering a communication where the primary purpose of the communication is the commercial advertisement or promotion of a commercial product or service of a covered entity; or</text></paragraph> 
<paragraph id="HDB964C6913584422B21E65224CA6A977"><enum>(7)</enum><text display-inline="yes-display-inline">detecting or enforcing an abuse or violation of the terms of service of the covered entity that would result in either a temporary or permanent ban from using the service.</text></paragraph></subsection> <subsection id="H646A72B1409C408885C533C057622D65"><enum>(b)</enum><header>Intended recipient</header><text>A covered entity is not considered an intended recipient of a communication, or any communication used in the creation of the content of said communication, where—</text> 
<paragraph id="HC457C8BBD6164EF695F4CD095157F020"><enum>(1)</enum><text>at least one intended recipient is a natural person other than an employee or contractor of the covered entity;</text></paragraph> <paragraph id="H349FFF082D01498E9F801F8B43D857DD"><enum>(2)</enum><text>at least one intended recipient is a person other than the covered entity; or</text></paragraph> 
<paragraph id="H492C640D330E4F0D8EEF8A00640E661D"><enum>(3)</enum><text>a purpose of the covered entity’s service is to maintain, at the direction of the sender, the content of said communication for more than a transitory period.</text></paragraph></subsection> <subsection id="HA103C82B28E841CBA6D98E86ABDED6CD"><enum>(c)</enum><header>Sender</header><text>The sender of a communication is the person for whom the communication, and its content, is disclosed at the direction of and on behalf of.</text> 
<paragraph id="HD19EC1AE1B1C4F22A788242C54B334B7"><enum>(1)</enum><text>Where the sender is a natural person, they shall be the sender of the entire content of the communication, regardless of the original author of any portion of the content.</text></paragraph> <paragraph id="HAAF1FFC13A87484297FACED3520EFFB4"><enum>(2)</enum><text>Otherwise, a sender shall be the sender of only the content it was an original author of, or content it received as an intended recipient.</text></paragraph></subsection> 
<subsection id="H58A561CDC09944AC9654D1ACC9EDBA0D"><enum>(d)</enum><header>Exception for publicly available communications</header><text>Subsection (a) shall not apply where the contents of communication are made publicly accessible by the sender without restrictions on accessibility other than the general authorization to access the services used to make the information accessible.</text></subsection> <subsection id="HA820DF6A86194F72AD1984D4358FC6D7"><enum>(e)</enum><header>Encryption protection</header><text>A covered entity shall not—</text> 
<paragraph id="H6CA8277683A7421180E7EAE34517EC28"><enum>(1)</enum><text>prohibit or prevent a person from encrypting or otherwise rendering unintelligible the content of a communication using a means that prevents the covered entity from being able to decrypt or otherwise render intelligible said content; and</text></paragraph> <paragraph id="H273A5A2E3B264529BB7FB0A233D2E91D"><enum>(2)</enum><text>require or cause a person to disclose or circumvent the means described in paragraph (1) to the covered entity that would allow it to render the content intelligible.</text></paragraph></subsection> 
<subsection id="HD04403A5C1124C9C82D6DAF5D4823742"><enum>(f)</enum><header>Service providers safe harbor</header><text>A service provider shall not be held liable for a violation of this section if such service provider is acting at the direction of and on behalf of a covered entity and has a reasonable belief that the covered entity’s directions are in compliance with this section.</text></subsection></section> <section id="H3EA96C9E6DBB49D98D61EC35B0DA6929"><enum>207.</enum><header>Prohibition on discriminatory processing</header> <subsection id="H91C735781656472496719BE5714DFB0B"><enum>(a)</enum><header>Discrimination in economic opportunities</header><text>A covered entity shall not process personal information or contents of communication for advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for employment, finance, health care, credit, insurance, housing, or education opportunities in a manner that discriminates against or otherwise makes opportunities unavailable on the basis of an individual’s protected class status.</text></subsection> 
<subsection id="HFE744A2DCFF440A7990074072C80226F"><enum>(b)</enum><header>Public accommodations</header><text display-inline="yes-display-inline">A covered entity shall not process personal information in a manner that segregates, discriminates in, or otherwise makes unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation on the basis of the protected class status of an individual or a group of individuals.</text></subsection> <subsection id="H49D60589497E44CCA9AC85173F2610C0"><enum>(c)</enum><header>Regulations</header><text>The Director shall promulgate regulations to implement this section.</text></subsection></section> 
<section id="HCE8381F77DB94E4C8328DC7CE4830E39"><enum>208.</enum><header>Requirements for notice and consent processes and privacy policies</header> 
<subsection id="HF5B242E6618F4E7E9EC8DCDC734465D9"><enum>(a)</enum><header>Minimum threshold</header><text>The Director shall establish minimum thresholds that covered entities must meet for the percentage of individuals who understand a notice or consent process or privacy policy required by this Act. In establishing such minimum thresholds, the Director shall—</text> <paragraph id="H839917A0D70B4B8CB125191B17243A93"><enum>(1)</enum><text display-inline="yes-display-inline">vary required thresholds on types and scale of reasonably foreseeable privacy harms; and</text></paragraph> 
<paragraph id="H126D048CA14D4609BE3A4A07EEBE6042"><enum>(2)</enum><text>take into account expectations of individuals, potential privacy harms, and individuals’ awareness of privacy harms.</text></paragraph></subsection> <subsection id="HD185660828C04B2C91E8111141FEB477"><enum>(b)</enum><header>Consent revocation</header><text>A covered entity shall make available a reasonable mechanism by which an individual may revoke consent for any consent given under this Act.</text></subsection> 
<subsection id="H87DE49E6BEFA4FAD94D0129E93CC8286"><enum>(c)</enum><header>Safe harbor</header> 
<paragraph id="HAE89257415B04766BBCC19E1EEA2A4F0"><enum>(1)</enum><header>Approval procedures</header><text>The Director shall develop procedures for analyzing and approving data submitted by a covered entity to establish that a notice and consent process or privacy policy of such covered entity meets the threshold established under subsection (a).</text></paragraph> <paragraph id="H5D035B55241D4F79B381A62E6A46DF7D"><enum>(2)</enum><header>Presumption</header><text>If a covered entity submits testing data to and receives an approval from the Director under paragraph (1) establishing that a notice or consent process or privacy policy of such covered entity meets the threshold established under subsection (a), such notice or consent process or privacy policy shall be presumed to have met such threshold. Such presumption may be rebutted by clear and convincing evidence.</text></paragraph> 
<paragraph id="H89618E0FAFE24CDC9FC026E646138B6C"><enum>(3)</enum><header>Public availability of Approved processes and policies and associated testing data</header><text>The Director shall make publicly available online the notice and consent processes and privacy policies and associated testing data that the Director approves under paragraph (1).</text></paragraph> <paragraph id="HE751F656331A469D8040C654F0C718FB"><enum>(4)</enum><header>Small business adoption of notice or consent process of another covered entity</header> <subparagraph id="H262C0B56E07C4253955676E555BAFB25"><enum>(A)</enum><header>In general</header><text>If a small business adopts a notice or consent process of another covered entity that collects, processes, maintains, or discloses personal information in substantially the same way as such small business, if the process of such other covered entity has been approved under paragraph (1), the process of such small business shall receive the presumption under paragraph (2).</text></subparagraph> 
<subparagraph id="H1F50DE81B4CD415BAECEB5CA9A92A278"><enum>(B)</enum><header>Ability to freely use Approved process</header><text>A covered entity whose notice or consent process is approved under paragraph (1) shall permit a small business to freely use such process, or a derivative thereof, as described in subparagraph (A).</text></subparagraph> <subparagraph id="HFB51EB475DDD4A669992C1E46DBEE34C"><enum>(C)</enum><header>No published process</header><text>In the case of a small business for which there is no approved notice or consent process published under paragraph (3) of a covered entity that collects, processes, maintains, or discloses personal information in substantially the same way as such small business, any requirement under this title for a notice or consent process to be objectively shown to meet the threshold established by the Director under subsection (a) shall not apply to such small business. Nothing in the preceding sentence exempts a small business from the requirement to use such notice or consent process or that such process be concise and clear.</text></subparagraph> 
<subparagraph id="HAE0EAABF4C3E4D4285CBFDF530F4930A"><enum>(D)</enum><header>Inapplicability to privacy policy</header><text>Paragraph (4) does not apply with respect to a privacy policy.</text></subparagraph></paragraph> <paragraph id="H23AEC886A2A84FFA8F779BB4AC3E6C3F"><enum>(5)</enum><header>Minor changes</header><text>A covered entity may make minor changes in a notice or consent process or privacy policy approved under paragraph (1) and retain the presumption under paragraph (2) for such process or policy without retesting or resubmission of testing data to the Director.</text></paragraph></subsection></section> 
<section id="H832A880D14D64F6698B5B0F48E8109D9"><enum>209.</enum><header>Prohibition on <quote>dark patterns</quote> in notice and consent processes and privacy policies</header><text display-inline="no-display-inline">In providing notice, obtaining consent, or maintaining a privacy policy as required by this title, a covered entity may not intentionally take any action that substantially impairs, obscures, or subverts the ability of an individual to—</text> <paragraph id="HE141DF9A715B46E7A6A80F2127FB5AC6"><enum>(1)</enum><text>understand the contents of such notice or such privacy policy;</text></paragraph> 
<paragraph id="H737A8CC226A24C16B7314E3E330C65E2"><enum>(2)</enum><text>understand the process for granting such consent;</text></paragraph> <paragraph id="H076CE8F1E96A4535937BBCB0C8B322A4"><enum>(3)</enum><text>make a decision regarding whether to grant or withdraw such consent; or</text></paragraph> 
<paragraph id="H657DD19B1B424A348D6648897C51B0BE"><enum>(4)</enum><text>act on any such decision.</text></paragraph></section> <section id="HD9365C8677FF466A8E64DCB4C8B84CCB"><enum>210.</enum><header>Notice and consent required</header> <subsection id="HB44FDF07E70B4B70B9B39A9E20BF5875"><enum>(a)</enum><header>Notice</header><text>A covered entity shall provide an individual with notice of the personal information such covered entity collects, processes, maintains, and discloses through a process that is concise and clear and can be objectively shown to meet the threshold established by the Director under section 208(a).</text></subsection> 
<subsection id="H5619FC30EAC04C2F9FC497B87DC53A55"><enum>(b)</enum><header>Consent</header> 
<paragraph id="H274E0D91345942519D9093BD248E583D"><enum>(1)</enum><header>Express consent required</header><text>Except as provided in paragraphs (2) and (3), a covered entity may not collect from an individual personal information that creates or increases the risk of foreseeable privacy harms, or process or maintain any such personal information collected from an individual, unless such entity obtains the express consent of such individual to the collecting, processing, or maintaining (or any combination thereof) of such information through a process that is concise and clear and can be objectively shown to meet the threshold established by the Director under section 208(a).</text></paragraph> <paragraph id="H93C09893CF604C47A292CCEFEB5F7247"><enum>(2)</enum><header>Exception for implied consent</header><text>Notwithstanding paragraph (1), express consent is not required for collecting, processing, or maintaining personal information if the collecting, processing, or maintaining is, on its face, obvious and necessary to provide a service at the request of the individual and the personal information is collected, processed, or maintained only for such request. Nothing in this paragraph shall be construed to exempt the covered entity from the requirement of subsection (a) to provide notice to such individual with respect to such collecting, processing, or maintaining.</text></paragraph> 
<paragraph id="H88A04325316A4AEF8B849CDC9DD61D64"><enum>(3)</enum><header>Exemption for privacy-preserving computing</header><text>Notwithstanding paragraph (1), except with regard to consent for purposes of section 106, express consent is not required for collecting, processing, or maintaining personal information secured using privacy-preserving computing. Nothing in this paragraph shall be construed to exempt the covered entity from the requirement of subsection (a) to provide notice to such individual with respect to such collecting, processing, or maintaining.</text></paragraph></subsection> <subsection id="HD99805AE777D44CF8641237291DEA9A2"><enum>(c)</enum><header>Service providers excluded</header><text>This section does not apply to a service provider if such service provider has a reasonable belief that a covered entity for which it processes, maintains, or discloses personal information is in compliance with this section.</text></subsection></section> 
<section id="H05DEF5176EB54EDAA58014CEB35982D6"><enum>211.</enum><header>Privacy policy</header> 
<subsection id="H5ED6052943534D3BBFFE9F0B4F7E19F5"><enum>(a)</enum><header>Policy required</header><text>A covered entity shall maintain a privacy policy relating to the practices of such entity regarding the collecting, processing, maintaining, and disclosing of personal information.</text></subsection> <subsection id="H94BF9A7E2C9B496A88545029F7D557C7"><enum>(b)</enum><header>Contents</header><text>The privacy policy required by subsection (a) shall contain the following:</text> 
<paragraph id="HF815C06F689A466CBC3F55AB99956CC8"><enum>(1)</enum><text>A general description of the practices of the covered entity regarding the collecting, processing, maintaining, and disclosing of personal information.</text></paragraph> <paragraph id="H4E60F129E1BA41438BA67D18D7756075"><enum>(2)</enum><text>A description of how individuals may exercise the rights provided by title I.</text></paragraph> 
<paragraph id="HFFE943221A2B43FAA97AE42E27A4EE65"><enum>(3)</enum><text>A clear and concise summary of the following:</text> <subparagraph id="H21EBC84415F14564B604A748A5B9CDAD"><enum>(A)</enum><text>The categories of personal information collected or otherwise obtained by the covered entity.</text></subparagraph> 
<subparagraph id="H000D16FC821A4AD4B6CE4D2FFF782C30"><enum>(B)</enum><text>The business or commercial purposes of the covered entity for collecting, processing, maintaining, or disclosing personal information.</text></subparagraph> <subparagraph id="H8AB1394196334BBF9AE0422128F33883"><enum>(C)</enum><text>The categories and a list of third parties to which the covered entity discloses personal information.</text></subparagraph></paragraph> 
<paragraph id="H2127EEA093F44790A2C80ED855C85FE1"><enum>(4)</enum><text>A description of the personal information that the covered entity maintains that the covered entity does not collect from individuals and how the covered entity obtains such personal information.</text></paragraph> <paragraph id="H59736746AB294A91A1266CD0B056A84F"><enum>(5)</enum><text>A list of the third parties to which the covered entity has disclosed personal information.</text></paragraph> 
<paragraph id="HD144EC115951473F9640CA78FF66CF62"><enum>(6)</enum><text>A list of the third parties from which the covered entity has obtained personal information at any time on or after the effective date of this Act.</text></paragraph> <paragraph id="HE3A5E95D598C46798FAC0B040605E897"><enum>(7)</enum><text>The articulated basis for the collecting, processing, disclosing, and maintaining of personal information, as required under section 201(a).</text></paragraph></subsection> 
<subsection id="HB5AAD4FEF76A447BA5EEE67E294B1DE5"><enum>(c)</enum><header>Exemption for personal information for particular purposes</header><text>The privacy policy required by subsection (a) is not required to contain information relating to personal information that is collected, processed, maintained, or disclosed exclusively for any of the purposes described in paragraph (1) of section 109(a) (or a combination of such purposes), except as provided in paragraph (2) of such section.</text></subsection> <subsection id="H1839129D3612488BB34F33CF243A1CA6"><enum>(d)</enum><header>Availability of privacy policy</header> <paragraph id="HFD49DF1BF2884A74B974524E2890E166"><enum>(1)</enum><header>Form and manner</header><text>The privacy policy required by subsection (a) shall be—</text> 
<subparagraph id="H9ECAF5CFA9014E1CB263FB473F1D4CA1"><enum>(A)</enum><text>clear and in plain language; and</text></subparagraph> <subparagraph id="H4974AD53E0C24C2FB6FD7C6BF7F701A4"><enum>(B)</enum><text>made publicly available in a prominent location on an ongoing basis.</text></subparagraph></paragraph> 
<paragraph id="HEF29A27309B9402AB95712644D63B383"><enum>(2)</enum><header>Timing</header><text display-inline="yes-display-inline">The privacy policy required by subsection (a) shall be made available as required by paragraph (1) before the covered entity collects personal information after the effective date of this Act.</text></paragraph></subsection> <subsection id="HB4C1E36A6C3B42FD94D180FC517C1962"><enum>(e)</enum><header>Small businesses excluded</header><text>Subsections (b)(7) and (d) do not apply to a small business.</text></subsection> 
<subsection id="H10505384AF414ABF9BC0E7DA8FC78FDB"><enum>(f)</enum><header>Service providers excluded</header><text>This section does not apply to a service provider if such service provider has a reasonable belief that a covered entity for which it processes, maintains, or discloses personal information is in compliance with this section.</text></subsection></section> <section id="H21C12BA487F14E60B38E7F6012DCA2DB"><enum>212.</enum><header>Information security requirements</header> <subsection id="H788B37980CC947C1BF9B551320E979FE"><enum>(a)</enum><header>In general</header><text>A covered entity shall establish and implement reasonable information security policies, practices, and procedures for the protection of personal information collected, processed, maintained, or disclosed by such covered entity, taking into consideration—</text> 
<paragraph id="H0C5DFF73BFEB43058EF0EF922610ADE4"><enum>(1)</enum><text>the nature, scope, and complexity of the activities engaged in by such covered entity;</text></paragraph> <paragraph id="HADC3C3F08605446A958FA3422C3F1AD3"><enum>(2)</enum><text>the sensitivity of any personal information at issue;</text></paragraph> 
<paragraph id="H913A6494007C4A8FB4876C1D475E7161"><enum>(3)</enum><text>the current state of the art in administrative, technical, and physical safeguards for protecting such information; and</text></paragraph> <paragraph id="H119C02F653B94CFF88A803E76DF3281A"><enum>(4)</enum><text>the cost of implementing such administrative, technical, and physical safeguards.</text></paragraph></subsection> 
<subsection id="H7E17B4724027451D95ECE755B492B6EF"><enum>(b)</enum><header>Specific policies, practices, and procedures</header><text>The policies, practices, and procedures required by subsection (a) shall include the following:</text> <paragraph id="H455603E6A4C34A25A7140D0625F3F9D2"><enum>(1)</enum><text>A written security policy with respect to collecting, processing, maintaining, and disclosing of personal information. Such policy shall be made publicly available in a prominent location on an ongoing basis, except that the publicly available version is not required to contain information that would compromise a purpose described in section 109(a)(1).</text></paragraph> 
<paragraph id="H6B20962783E4476CAE434BFCD67019A3"><enum>(2)</enum><text>A process for identifying and assessing reasonably foreseeable security vulnerabilities in the system or systems used by such covered entity that contain personal information, which shall include regular monitoring for vulnerabilities or data breaches involving such system or systems.</text></paragraph> <paragraph id="H9F54CDDA1648405F8F5463D6F8F880E2"><enum>(3)</enum><text>A process for taking action designed to mitigate against vulnerabilities identified in the process required by paragraph (2), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software, or for regularly testing or otherwise monitoring the effectiveness of the existing safeguards.</text></paragraph> 
<paragraph id="H13DB1FE67FD44EC38DE58352DAAD3B74"><enum>(4)</enum><text>A process for determining if personal information is no longer needed and disposing of personal information by shredding, permanently erasing, or otherwise modifying the medium on which such personal information is maintained to make such personal information permanently unreadable or indecipherable.</text></paragraph> <paragraph id="HCE87342E917F42FF86EA3FF31458F291"><enum>(5)</enum><text>A process for overseeing persons who have access to personal information, including through network-connected devices.</text></paragraph> 
<paragraph id="H26B4E816F0B24FDF9E59D83E0D429164"><enum>(6)</enum><text>A process for employee training and supervision for implementation of the policies, practices, and procedures required by this section.</text></paragraph> <paragraph id="HFFCE3F03C8E142FFAEE67F621D476D57"><enum>(7)</enum><text>A written plan or protocol for internal and public response in the event of a data breach or data-sharing abuse.</text></paragraph></subsection> 
<subsection id="H49EC7882B74846F4AA4F73F506D975AE"><enum>(c)</enum><header>Regulations</header><text display-inline="yes-display-inline">The Director, in consultation with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, shall promulgate regulations to implement this section.</text></subsection> <subsection id="H4CE7036E08E649AEAA764D6F9CFFD9EF"><enum>(d)</enum><header>Small businesses assistance</header><text display-inline="yes-display-inline">The Director, in consultation with the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the Small Business Administration, the Minority Business Development Agency, and small businesses, shall develop policy templates, toolkits, tip sheets, configuration guidelines for commonly used hardware and software, interactive tools, and other materials to assist small businesses with complying with this section.</text></subsection></section> 
<section id="H840EE5C2E3E3447FA6EA87D8B8521ED1"><enum>213.</enum><header>Notification of data breach or data-sharing abuse</header> 
<subsection id="H1DC27C223A534EAC9E6E33B04D87A19A"><enum>(a)</enum><header>Notification of agency</header> 
<paragraph id="HC792B0D9F68446A9B9ABFABBD916E402"><enum>(1)</enum><header>In general</header><text>In the case of a data breach or data-sharing abuse with respect to personal information maintained by a covered entity, such covered entity shall, without undue delay and, if feasible, not later than 72 hours after becoming aware of such data breach or data-sharing abuse, notify the Director of such data breach or data-sharing abuse, unless such data breach or data-sharing abuse is unlikely to create or increase foreseeable privacy harms.</text></paragraph> <paragraph id="H27E71EF3D26243239DE68A0E9D88F3E2"><enum>(2)</enum><header>Reasons for delay</header><text>If the notification required by paragraph (1) is made more than 72 hours after the covered entity becomes aware of the data breach or data-sharing abuse, such notification shall be accompanied by a statement of the reasons for the delay.</text></paragraph></subsection> 
<subsection id="HA98D3D5FF57D4B3EB093BB7A50C34036"><enum>(b)</enum><header>Notification of other covered entity</header><text>In the case of a data breach or data-sharing abuse with respect to personal information maintained by a covered entity that such covered entity obtained from another covered entity, the covered entity experiencing such data breach or data-sharing abuse shall, without undue delay and, if feasible, not later than 72 hours after becoming aware of such data breach or data-sharing abuse, notify such other covered entity of such data breach or data-sharing abuse, unless such data breach or data-sharing abuse is unlikely to create or increase foreseeable privacy harms. A covered entity receiving notice under this subsection of a data breach or data-sharing abuse shall notify any other covered entity from which the covered entity receiving notice obtained personal information involved in such data breach or data-sharing abuse, in the same manner as required under the preceding sentence for the covered entity experiencing such data breach or data-sharing abuse.</text></subsection> <subsection id="H105A5B27C4E74394BBBB3C0741F3E016"><enum>(c)</enum><header>Notification of individuals</header> <paragraph id="H24C402EAAF184F298AC046DC62BB0B53"><enum>(1)</enum><header>In general</header><text>In the case of a data breach or data-sharing abuse with respect to personal information maintained by a covered entity (or a data breach or data-sharing abuse about which a covered entity is notified under subsection (b)), if such covered entity has a relationship with an individual whose personal information was involved or potentially involved in such data breach or data-sharing abuse, such covered entity shall notify such individual of such data breach or data-sharing abuse not later than 14 days after becoming aware of such data breach or data-sharing abuse (or, in the case of a data breach or data-sharing abuse about which a covered entity is notified under 
subsection (b), not later than 14 days after being so notified), if such data breach or data-sharing abuse creates or increases foreseeable privacy harms.</text></paragraph> 
<paragraph id="H9073D85D64584EE2969E415DAC3257E5"><enum>(2)</enum><header>Medium of notification</header><text>A covered entity shall notify an individual as required by paragraph (1) through—</text> <subparagraph id="HD18B7C1B4C1D411E98BA63E3BE40585D"><enum>(A)</enum><text>the same medium through which such individual routinely interacts with such covered entity; and</text></subparagraph> 
<subparagraph id="HA8B5832CD1DB43558572801E841CDAF8"><enum>(B)</enum><text>one additional medium of notification, if such covered entity has the personal information necessary to make a notification through such an additional medium without causing excessive financial burden for such covered entity.</text></subparagraph></paragraph></subsection> <subsection id="H37D78F15D61C4E65BF43D301BB84A474"><enum>(d)</enum><header>Rule of construction</header><text>This section shall not apply to a covered entity if a person uses personal information obtained from a data breach or data-sharing abuse not involving such covered entity.</text></subsection></section></title> 
<title id="HB0A7D8B1D7D34A26819C8D347AFCC006"><enum>III</enum><header>Digital Privacy Agency</header> 
<section id="HBBA72FA03CA446EB94EE56793F470645"><enum>301.</enum><header>Establishment; director and deputy director</header> 
<subsection id="HB38B9F1CF68A47CB9A60B47B212EEFE2"><enum>(a)</enum><header>Agency established</header><text>There is established an independent agency in the executive branch to be known as the <quote>Digital Privacy Agency</quote>, which shall implement and enforce this Act.</text></subsection> <subsection id="HE37B178D12944D309A7943BF6FC82F9D"><enum>(b)</enum><header>Director</header> <paragraph id="H5EAC066BB08C4791B2128D596682827A"><enum>(1)</enum><header>In general</header><text>There is established the position of the Director, who shall serve as the head of the Agency.</text></paragraph> 
<paragraph id="H0ACB93658EC94797A3BBE6B61D254ED4"><enum>(2)</enum><header>Appointment</header><text>Subject to paragraph (3), the Director shall be appointed by the President, by and with the advice and consent of the Senate.</text></paragraph> <paragraph id="H54B2E99F345342BFAC4BBE3235F84C32"><enum>(3)</enum><header>Qualification</header><text>The President shall nominate the Director who, by reason of professional background and experience, is especially qualified to lead the Agency based on their knowledge and expertise in—</text> 
<subparagraph id="H39EF1D961EEF49E69F9159EF9CF3C118"><enum>(A)</enum><text>privacy;</text></subparagraph> <subparagraph id="H758A485C46C8495D848B721E1255E119"><enum>(B)</enum><text>information security;</text></subparagraph> 
<subparagraph id="H92CACD394AC64F2FB5169EA2B0E3EEFA"><enum>(C)</enum><text>technology; and</text></subparagraph> <subparagraph id="H92EC0D530FC7485B93063F6C5AA0E4C3"><enum>(D)</enum><text>civil rights and civil liberties.</text></subparagraph></paragraph> 
<paragraph id="HC220953A514248E38D6D03D8AB268DAA"><enum>(4)</enum><header>Term</header> 
<subparagraph id="HB9C9213AD03343E894AA89DCF9F01705"><enum>(A)</enum><header>In general</header><text>The Director shall serve for a term of 6 years.</text></subparagraph> <subparagraph id="H2C162261D0494246A06914B11F9ED4B8"><enum>(B)</enum><header>Expiration of term</header><text>An individual may serve as Director after the expiration of the term for which appointed, until a successor has been appointed and qualified.</text></subparagraph></paragraph> 
<paragraph id="HF63D35C22C8C4A818FB0E5DB1A79A8E8"><enum>(5)</enum><header>Compensation</header> 
<subparagraph id="HAE9BB2FD7ED44A3F9B6C5C73861E04E2"><enum>(A)</enum><header>In general</header><text>The Director shall be compensated at the rate prescribed for level II of the Executive Schedule under section 5313 of title 5, United States Code.</text></subparagraph> <subparagraph id="H8EB0970A3047471EA8F3B48C5EEA727D"><enum>(B)</enum><header>Conforming amendment</header><text>Section 5313 of title 5, United States Code, is amended by inserting after the item relating to the <quote>Chief Executive Officer, United States International Development Finance Corporation.</quote> the following new item: <quote>Director of the Digital Privacy Agency.</quote>.</text></subparagraph></paragraph></subsection> 
<subsection id="H0E0579C2E3CC40F99470886EB8A9E33D"><enum>(c)</enum><header>Deputy director</header><text>There is established the position of Deputy Director, who shall—</text> <paragraph id="HEB792F4F5E3C4482860C4D1F1D7CFE38"><enum>(1)</enum><text>be appointed by the Director; and</text></paragraph> 
<paragraph id="H0F7873418D9541E394684EC2BDE68F11"><enum>(2)</enum><text>serve as acting Director in the absence or unavailability of the Director, notwithstanding section 3345 of title 5, United States Code.</text></paragraph></subsection> <subsection id="H422EB50C9EC34C28A8DD951CB441C1E1"><enum>(d)</enum><header>Service restriction</header><text>No Director or Deputy Director may hold any office, position, or employment in any covered entity during the period of service of such person as Director or Deputy Director.</text></subsection> 
<subsection id="H200D9C4B121445B1A2B34873FBDAF24C"><enum>(e)</enum><header>Offices</header><text>The Director shall establish a principal office and field offices of the Agency in locations that have high levels of activity by covered entities, as determined by the Director.</text></subsection></section> <section id="H831A8B781F12403E8CA61C56CE734F57"><enum>302.</enum><header>Agency powers and authorities</header> <subsection id="H52758E0505264DC29B2EF4678C74EDB0"><enum>(a)</enum><header>Powers of the agency</header><text>The Director is authorized to establish the general policies of the Agency with respect to all executive and administrative functions, including—</text> 
<paragraph id="H8A82F6A68CBB47D6980FFAAE47180802"><enum>(1)</enum><text>establishing of rules for conducting the general business of the Agency, in a manner not inconsistent with this Act;</text></paragraph> <paragraph id="H2B79204245C9428D91719FBE86966FE1"><enum>(2)</enum><text>binding the Agency and entering into contracts;</text></paragraph> 
<paragraph id="HD2FA5173A3B04797BA5B20683859D018"><enum>(3)</enum><text display-inline="yes-display-inline">directing the establishment and continued operation of divisions or other offices within the Agency, in order to carry out the responsibilities of the Agency under this Act, and to satisfy the requirements of other applicable law;</text></paragraph> <paragraph id="HD42F6013771842B7968C46C00AA05419"><enum>(4)</enum><text>coordinating and overseeing the operation of all administrative, enforcement, and research activities of the Agency;</text></paragraph> 
<paragraph id="HF2B7D7E78DD141908C862B12F454BF48"><enum>(5)</enum><text>adopting and using a seal;</text></paragraph> <paragraph id="HCF50382BC5BE4E1D8C8172C474434836"><enum>(6)</enum><text>determining the character of and the necessity for the obligations and expenditures of the Agency;</text></paragraph> 
<paragraph id="H6A5DD2F12AEB44619B324283F3336BE3"><enum>(7)</enum><text>appointing and supervising of personnel employed by the Agency;</text></paragraph> <paragraph id="HB1172E41A16448C783B7F0C09ACCBBA0"><enum>(8)</enum><text>distributing business among personnel appointed and supervised by the Director and among administrative units of the Agency;</text></paragraph> 
<paragraph id="H29123130728D44488CA80FCD5F199778"><enum>(9)</enum><text>using and expending of funds;</text></paragraph> <paragraph id="H97297CF57D3B4CBAB78012D4DEB87A3D"><enum>(10)</enum><text>implementing this Act through rules, orders, guidance, interpretations, statements of policy, investigations, and enforcement actions; and</text></paragraph> 
<paragraph id="H00E8D9D9CE9848DF938914DCB170EF7C"><enum>(11)</enum><text>performing such other functions as may be authorized or required by law.</text></paragraph></subsection> <subsection id="H01D97E6EC96941A9A3867ED1BA3E9AC2"><enum>(b)</enum><header>Delegation of authority</header><text>The Director may delegate to any duly authorized employee, representative, or agent any power vested in the Director or the Agency by law, except that the Director may not delegate the power to appoint the Deputy Director under section 301(c).</text></subsection> 
<subsection id="HCE63B1FDA5ED4D58A122A0CBF4FEF99E"><enum>(c)</enum><header>Autonomy of agency regarding recommendations and testimony</header><text>No officer or agency of the United States shall have any authority to require the Director or any other officer of the Agency to submit legislative recommendations, or testimony or comments on legislation, to any officer or agency of the United States for approval, comments, or review prior to the submission of such recommendations, testimony, or comments to the Congress, if such recommendations, testimony, or comments to the Congress include a statement indicating that the views expressed therein are those of the Director or such officer, and do not necessarily reflect the views of the President.</text></subsection> <subsection id="H51CA7F56847E433997D778CDDA5B5710"><enum>(d)</enum><header>Rulemaking authority</header> <paragraph id="H2CDEC099E69A47EB8D58928B80AF3F43"><enum>(1)</enum><header>In general</header><text>The Director may prescribe rules and issue orders and guidance, as may be necessary or appropriate to enable the Agency to implement, administer, and carry out the purposes and objectives of this Act, and to prevent evasions thereof.</text></paragraph> 
<paragraph id="HE1ED7F516D704200A525B6F6A0110AB0"><enum>(2)</enum><header>Regulations</header><text>The Agency may issue regulations after notice and comment in accordance with section 553 of title 5, United States Code, as may be necessary to implement, administer, and carry out this Act.</text></paragraph></subsection> <subsection id="H6298584B58A34C2C873DDF9C69ECE334"><enum>(e)</enum><header>Consultations</header><text>In implementing or enforcing this Act, the Director may consult with—</text> 
<paragraph id="H24D5BE9247F24FD1AB70C3CF4DDDABDF"><enum>(1)</enum><text>Federal agencies that have—</text> <subparagraph id="HAB746E7B58DF494BB0C48CBFA3D7878A"><enum>(A)</enum><text>jurisdiction over Federal privacy laws; and</text></subparagraph> 
<subparagraph id="H550E09FF716B422C83E65C4A5D666BAE"><enum>(B)</enum><text>expertise in privacy or information security;</text></subparagraph></paragraph> <paragraph id="HCFBF08A7E73D4C33B464CFA55EEADA1A"><enum>(2)</enum><text>State attorneys general, State privacy regulators, and other State agencies that have expertise in privacy or information security;</text></paragraph> 
<paragraph id="H390D3710FF86458594580A870E1A2802"><enum>(3)</enum><text>international and intergovernmental bodies that conduct activities relating to privacy or information security;</text></paragraph> <paragraph id="HC79438093E314566A97E18B83F6DCBA8"><enum>(4)</enum><text>agencies of other countries that are similar to the Agency or have expertise in privacy or information security;</text></paragraph> 
<paragraph id="H259C3A51392D4159B32C8740CA43CB7F"><enum>(5)</enum><text>privacy and information security experts in academia, government, civil society, or industry; and</text></paragraph> <paragraph id="H236C38B08C184C4FB41159A720F4D01A"><enum>(6)</enum><text>advisory boards of the Agency established under section 308, as appropriate.</text></paragraph></subsection></section> 
<section id="H4DC851B47A8B4BA4B24683BAB939F30E"><enum>303.</enum><header>Reporting and audit requirements</header> 
<subsection id="H82AF063C2C9A4757B41D478E099078C3"><enum>(a)</enum><header>Reports required</header> 
<paragraph id="HAB7F60A67D2145C3AD526100637339F6"><enum>(1)</enum><header>In general</header><text>Not later than 6 months after the date of the enactment of this Act, and every 6 months thereafter, the Director shall submit a report to the President and to the Committee on Energy and Commerce, the Committee on the Judiciary, and the Committee on Appropriations of the House of Representatives and the Committee on Commerce, Science, and Transportation, the Committee on the Judiciary, and the Committee on Appropriations of the Senate, and shall publish such report on the website of the Agency.</text></paragraph> <paragraph id="HD284C26A705A4096857F3FB962845153"><enum>(2)</enum><header>Contents</header><text>Each report required by subsection (a) shall include—</text> 
<subparagraph id="H0C7FFA03662140F5833A53BE60C36698"><enum>(A)</enum><text>a discussion of the significant problems faced by individuals with respect to the privacy or security of personal information;</text></subparagraph> <subparagraph id="H851F2D0CFFF04DEB89F30A4DB81BDF5B"><enum>(B)</enum><text>a justification of the budget request of the Agency for the preceding year, unless a justification for such year was included in the preceding report submitted under such subsection;</text></subparagraph> 
<subparagraph id="H67837E201DF44526B94DF9BA271C2AB8"><enum>(C)</enum><text>a list of the significant rules and orders adopted by the Agency, as well as other significant initiatives conducted by the Agency, during the preceding 6-month period and the plan of the Agency for rules, orders, or other initiatives to be undertaken during the upcoming 6-month period;</text></subparagraph> <subparagraph id="HCB2C0721B0D648C8B7CDD8819103078D"><enum>(D)</enum><text>an analysis of complaints about the privacy or security of personal information that the Agency has received and collected in the database described in section 307(a) during the preceding 6-month period;</text></subparagraph> 
<subparagraph id="H2831AF8FF0294C5484C1C3D1ACA108F5"><enum>(E)</enum><text>a list, with a brief statement of the issues, of the public enforcement actions to which the Agency was a party during the preceding 6-month period; and</text></subparagraph> <subparagraph id="H29C2EF80C5C44D64A1314547B427E591"><enum>(F)</enum><text display-inline="yes-display-inline">an assessment of significant actions by State attorneys general or State privacy regulators relating to this Act or the rules prescribed under this Act during the preceding 6-month period.</text></subparagraph></paragraph></subsection> 
<subsection id="H933C6AAD903D4F048FE44A6CAB75C1D1"><enum>(b)</enum><header>Annual audits</header><text>The Director shall order an annual independent audit of the operations and budget of the Agency.</text></subsection></section> <section id="HB26B6D5E8C5849B3A207341874404D53"><enum>304.</enum><header>Relation to other agencies</header> <subsection id="HBF42BC9A1EAC4F22B681EC2BECD51411"><enum>(a)</enum><header>Coordination</header> <paragraph id="HFE4ABBC1667D4C25B171682A7643E722"><enum>(1)</enum><header>In general</header><text>With respect to covered entities and service providers, to the extent that Federal law authorizes the Agency and another Federal agency to enforce a Federal privacy law, the other Federal agency shall coordinate with the Agency to promote consistent enforcement of this Act and the other Federal privacy law.</text></paragraph> 
<paragraph id="H79037CCF01914AAA818E0D3ECACF5833"><enum>(2)</enum><header>Referral</header><text>Any Federal agency authorized to enforce Federal privacy laws may recommend in writing to the Agency that the Agency initiate an enforcement proceeding, as the Agency is authorized by that Federal privacy law or by this Act.</text></paragraph></subsection> <subsection id="H8D589E5E64434163B80D3C9BB2379C9C"><enum>(b)</enum><header>Transfers from the commission</header> <paragraph id="HDB3C65671A4F41F8B6BE314E772E2B8A"><enum>(1)</enum><header>Transfers of authority</header> <subparagraph id="H55D6B93D94D5434A9EE8258E0ABBD9E4"><enum>(A)</enum><header>Transfer of rulemaking and certain other authorities under federal privacy laws</header><text>The Agency shall have all powers and duties under the Federal privacy laws to prescribe rules, issue guidelines, or to conduct studies or issue reports mandated by such laws, that were vested in the Commission on the effective date of this Act. The authority of the Commission under Federal privacy laws to prescribe rules, issue guidelines, or conduct a study or issue a report mandated under such law shall be transferred to the Agency on the effective date of this Act.</text></subparagraph> 
<subparagraph id="H088568AA45B34462B25A36A59C3CDC9E"><enum>(B)</enum><header>Transfer of enforcement authority</header><text>The Agency may enforce a rule prescribed by the Commission under—</text> <clause id="HD3723B8B17A544799982110431F60BAD"><enum>(i)</enum><text>Federal privacy laws; or</text></clause> 
<clause id="HC43903740DC8409AB82BFCC21A0C770C"><enum>(ii)</enum><text>the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) related to unfair or deceptive acts or practices relating to privacy, information security, identity theft, data abuses, and related matters shall be transferred to the Agency.</text></clause></subparagraph></paragraph> <paragraph id="H4FEBE4E7DC7D4879804FE53668EFB45D"><enum>(2)</enum><header>Transfer of privacy employees</header><text>Any employee of the Commission employed in a division, bureau, office, or other subdivision of the Commission with the primary responsibility of administering, investigating, or enforcing Federal privacy laws or applications of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) related to unfair or deceptive acts or practices relating to privacy, information security, identity theft, data abuses, and related matters shall be transferred to the Agency. Such employee shall be provided with compensation and benefits not less than the equivalent of compensation and benefits provided to such employee on the date of enactment of this Act or compensation and benefits provided to an employee of the Agency in comparable position with comparable experience.</text></paragraph></subsection> 
<subsection id="H8FA914CA67224EAEBF456AA45DC18623"><enum>(c)</enum><header>Preservation of authorities of other agencies</header><text>Except as described in this section, no provision of this Act shall be construed as modifying, limiting, or otherwise affecting the operation of any provision of Federal law, or otherwise affecting the authority of any Federal agency under a Federal privacy law or any other law, including the ability of such Federal agency to promulgate regulations and enforce Federal privacy laws.</text></subsection></section> <section id="H0F0DBD7A01D448DB93FBA422C9CB5A9C"><enum>305.</enum><header>Personnel</header> <subsection id="HD46CB4EE3CA8464E871C67A8EF6DFF18"><enum>(a)</enum><header>Personnel</header> <paragraph id="H900E7C74A33448E5A95CF9815135AFFC"><enum>(1)</enum><header>Appointment generally</header><text>The Director may fix the number of, and appoint and direct, all employees of the Agency, in accordance with the applicable provisions of title 5, United States Code. The Director may appoint personnel without regard to the provisions of title 5, United States Code, governing appointments in the competitive service, so long as the Director sets requirements, conducts recruitment, and determines appointments in a fair, transparent, and equitable manner.</text></paragraph> 
<paragraph id="HD44391549B7C4AA096F1A24A76BC7890"><enum>(2)</enum><header>Employees of the agency</header><text display-inline="yes-display-inline">The Director is authorized to employ privacy experts, technologists, computer scientists, user experience designers and researchers, data scientists, ethicists, attorneys, investigators, economists, civil rights experts, and other employees as the Director considers necessary to conduct the business of the Agency. Unless otherwise provided expressly by law, any individual appointed under this section shall be an employee, as defined in section 2105 of title 5, United States Code, and subject to the provisions of such title and other laws generally applicable to the employees of an executive agency.</text></paragraph> <paragraph id="HC1AF3ED2E36B4D1691B2EDB91777DE7D"><enum>(3)</enum><header>Employee compensation</header><text>The Director may fix and adjust the pay and benefits of personnel as the Director considers desirable, competitive, transparent, and equitable, without regard to the provisions of chapter 51 and subchapter III of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/53">chapter 53</external-xref> of title 5, United States Code, relating to classification and General Schedule pay rates, respectively.</text></paragraph> 
<paragraph id="HFE1B2FB84ED94F99A33D56344061BD2F"><enum>(4)</enum><header>Labor-management relations</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/71">Chapter 71</external-xref> of title 5, United States Code, shall apply to the Agency and the employees of the Agency.</text></paragraph></subsection> <subsection id="HE9F15F4AD9AF4B83A081A1ED3D47BFB6"><enum>(b)</enum><header>Additional roles</header> <paragraph id="HB4A2560AB33147FDA951E10DF5B7C891"><enum>(1)</enum><header>Chief information officer</header> <subparagraph id="H22B8BE9B8ECD4A38B944DD8111972C3A"><enum>(A)</enum><header>Designation of an agency cio</header><text>Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended—</text> 
<clause id="H00E9A9AE8FDD4101962A338D025E3F7E"><enum>(i)</enum><text>in section 11315(c) by adding <quote>and of the Digital Privacy Agency</quote> before the em-dash immediately preceding paragraph (1); and</text></clause> <clause id="H3CEC78B35E30454BBC0781C6B26A5E02"><enum>(ii)</enum><text>in section 11319(a)(1) by adding <quote>and the Digital Privacy Agency</quote> before the period.</text></clause></subparagraph> 
<subparagraph id="H0AC3282BB7F84F5786A6D2253BC46935"><enum>(B)</enum><header>Responsibility</header><text>The Chief Information Officer of the Digital Privacy Agency, as designated by subparagraph (A), shall ensure the Digital Privacy Agency uses technology efficiently to implement, administer, and enforce this Act and the rules and orders issued pursuant to this Act.</text></subparagraph></paragraph> <paragraph id="H534C5F13D70E4F42A4DF59B75FF99197"><enum>(2)</enum><header>Inspector general</header><text>Section 12 of the Inspector General Act of 1978 (5 U.S.C. App.) is amended—</text> 
<subparagraph id="H51D5A16CD805453E8E7C0067F38477E7"><enum>(A)</enum><text>in paragraph (1), by inserting <quote>the Director of the Digital Privacy Agency;</quote> after <quote>the President of the Export-Import Bank;</quote>; and</text></subparagraph> <subparagraph id="H0391B32BF77D4B308C3761EBABF5D9A5"><enum>(B)</enum><text>in paragraph (2), by inserting <quote>the Digital Privacy Agency,</quote> after <quote>the Export-Import Bank,</quote>.</text></subparagraph></paragraph> 
<paragraph id="HF07D03B9585242ED9A56B87BC24859FC"><enum>(3)</enum><header>Ombud</header><text>The Director shall appoint an ombud who shall—</text> <subparagraph id="H5C7654DBC0C94CD1A186F4D8228B6F89"><enum>(A)</enum><text>act as a liaison between the Agency and any affected person with respect to any problem that such person may have in dealing with the Agency that results from the regulatory activities of the Agency; and</text></subparagraph> 
<subparagraph id="HCB57D16D3CCD49598F6FFC62AB32674C"><enum>(B)</enum><text>assure that safeguards exist to encourage complainants to come forward and preserve confidentiality.</text></subparagraph></paragraph></subsection> <subsection id="H4D3D2109EB3A4B448D7D99CFAA968A7F"><enum>(c)</enum><header>Authority To accept Federal detailees</header><text display-inline="yes-display-inline">The Director may accept officers or employees of the United States or members of the Armed Forces on a detail from an element of the Federal Government on a nonreimbursable basis, as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed 3 years.</text></subsection></section> 
<section id="HFEFF7239755141AC90687D6D15372CCE"><enum>306.</enum><header>Office of Civil Rights</header><text display-inline="no-display-inline">The Director shall establish an Office of Civil Rights within the Agency that shall have the following responsibilities:</text> <paragraph id="H448507CA8F7B4D16A8DC386EDD8706AA"><enum>(1)</enum><text>Providing oversight and enforcement of this Act, rules and orders issued pursuant to this Act, and Federal privacy laws to ensure that collecting, processing, maintaining, and disclosing of personal information is fair, equitable, and non-discriminatory in treatment and effect, including through the implementation and enforcement of section 207.</text></paragraph> 
<paragraph id="H3455DCF21694477C88F64BF4401065B5"><enum>(2)</enum><text>Developing, establishing, and promoting practices that affirmatively further equal opportunity to and expand access to employment (including hiring, firing, promotion, demotion, and compensation), credit and insurance (including denial of an application or obtaining less favorable terms), housing, education, professional certification, or the provision of health care and related services.</text></paragraph> <paragraph id="H5F73FDFFF411452EAC9F447FCF3BA392"><enum>(3)</enum><text>Coordinating the Agency’s civil rights efforts with other Federal agencies and State regulators, as appropriate, to promote consistent, efficient, and effective enforcement of Federal civil rights laws.</text></paragraph> 
<paragraph id="H537B8CD42B584DCD975BC1620100BB68"><enum>(4)</enum><text>Working with civil rights advocates, privacy experts, and other experts (including members of the advisory boards established under section 308) on the promotion of compliance with the civil rights provisions under this Act, rules and orders issued pursuant to this Act, and Federal privacy laws.</text></paragraph> <paragraph id="HA19B531295404CD7A3162ECEFD0ADAB4"><enum>(5)</enum><text>Liaising with communities and consumers impacted by practices regulated by this Act and the Agency, to ensure that their needs and views are appropriately taken into account.</text></paragraph> 
<paragraph id="HAA67760AF8BF4EB38C823EB47AC4F1B5"><enum>(6)</enum><text>Providing annual reports to Congress on the efforts of the Agency to fulfill its civil rights mandate.</text></paragraph> <paragraph id="H7E28A43021BA4D3BA4F1C03A96DB1999"><enum>(7)</enum><text>Such additional powers and duties as the Director may determine are appropriate.</text></paragraph></section> 
<section id="HF6D5896926C742698C6D048DF53CF597"><enum>307.</enum><header>Complaints of individuals</header> 
<subsection id="H39F85DDCF65047BEB461BEA6AAB43CA1"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">The Director shall establish a unit within the Agency the functions of which shall include establishing a single, toll-free telephone number, a website, and a database or utilizing an existing database to facilitate the centralized collection of, monitoring of, and response to complaints of individuals regarding the privacy or security of personal information. The Director shall coordinate with other Federal agencies with jurisdiction over Federal privacy laws to route complaints to such agencies, where appropriate.</text></subsection> <subsection id="H22B8616202084235A6967D1B244280E2"><enum>(b)</enum><header>Routing complaints to states</header><text display-inline="yes-display-inline">To the extent practicable, State agencies (including State privacy regulators) may receive appropriate complaints from the systems established under subsection (a), if—</text> 
<paragraph id="HE6F610EC652E407DBAB86A836A3E9CDA"><enum>(1)</enum><text>the State agency system has the functional capacity to receive calls or electronic reports routed by the Agency systems;</text></paragraph> <paragraph id="H2E614B99156D4CF2A097840EA1E523C1"><enum>(2)</enum><text>the State agency has satisfied any conditions of participation in the system that the Agency may establish, including treatment of personal information and sharing of information on complaint resolution or related compliance procedures and resources; and</text></paragraph> 
<paragraph id="H8B58C208C864410BA05FA65882CBFF51"><enum>(3)</enum><text>participation by the State agency includes measures necessary to provide for protection of personal information that conform to the standards for protection of the confidentiality of personal information and for data integrity and security that apply to Federal agencies.</text></paragraph></subsection> <subsection id="H77CA0F6CEFD748428FF72BA1FF12CD29"><enum>(c)</enum><header>Data sharing required</header><text display-inline="yes-display-inline">To facilitate inclusion in the reports required by section 303 of the matters regarding complaints of individuals required by subsection (a)(2)(D) of such section to be included in such reports, investigation and enforcement activities, and monitoring of the privacy and security of personal information, the Agency shall share information about complaints of individuals with Federal and State agencies (including State privacy regulators) that have jurisdiction over the privacy or security of personal information and State attorneys general, subject to the standards applicable to Federal agencies for the protection of the confidentiality of personal information and for information security and integrity. Other Federal agencies that have jurisdiction over the privacy or security of personal information shall share data relating to complaints of individuals regarding the privacy or security of personal information with the Agency, subject to the standards applicable to Federal agencies for the protection of confidentiality of personal information and for information security and integrity.</text></subsection> 
<subsection id="H54E5E0D2B4EF4E2CB7B1A8A2960AE760"><enum>(d)</enum><header>Publishing of complaints</header> 
<paragraph id="H40F6860376AB44D88F1F0D68D390F6C7"><enum>(1)</enum><header>Consent required</header><text>In collecting a complaint from an individual, the Agency shall request consent for publishing the complaint without any information identifying the individual.</text></paragraph> <paragraph id="HDB7D9E6F93264A469402013C7DE10162"><enum>(2)</enum><header>Public database</header><text>The Agency shall make publicly available on its website a database of each complaint for which it has received consent to publish the complaint from an individual who provided the complaint to the Agency.</text></paragraph> 
<paragraph id="H089B08A486FC49F0AFF1CD5F00BE4E8E"><enum>(3)</enum><header>Redacting information</header><text>When necessary, the Agency may redact information from a published complaint to protect the privacy of the individual.</text></paragraph></subsection></section> <section id="H2849B01C79C54BB0B23A6C245CFF2622"><enum>308.</enum><header>Advisory boards</header> <subsection id="H85CBCFC0EB264FDCB56C38DB7F7B774B"><enum>(a)</enum><header>Establishment</header><text>The Director shall establish the following advisory boards to advise and consult with the Agency in the exercise of its functions under this Act, and to provide information on emerging practices relating to the treatment of personal information by covered entities:</text> 
<paragraph id="H2F516CB30153447083F850E6192168E7"><enum>(1)</enum><text>The User Advisory Board, which shall be comprised of experts in consumer protection, privacy, civil rights, and ethics.</text></paragraph> <paragraph id="H930ED54895B04E2C8BADD27EB343D10C"><enum>(2)</enum><text>The Research Advisory Board, which shall be comprised of individuals with academic and research expertise in privacy, cybersecurity, computer science, innovation, design, ethics, economics, law, and public policy.</text></paragraph> 
<paragraph id="H461BB9BB54544CB9B12D9C1E88234075"><enum>(3)</enum><text>The Startup Advisory Board, which shall be comprised of representatives of small businesses and investors in small businesses.</text></paragraph> <paragraph id="H42EE5C0143F64A109799C93E93DC9AE2"><enum>(4)</enum><text>The Product Advisory Board, which shall be comprised of technologists, computer scientists, designers, product managers, attorneys, and other representatives of covered entities.</text></paragraph></subsection> 
<subsection id="H12B2BADB1F4B45C2A7C308A7CE52F4F3"><enum>(b)</enum><header>Appointments</header><text>The Director shall appoint members to the advisory boards established under subsection (a) without regard to party affiliation.</text></subsection> <subsection id="H18B40CCD423D4561BA07261EF630C86F"><enum>(c)</enum><header>Meetings</header><text>Each advisory board established under subsection (a) shall meet from time to time at the call of the Director, but, at a minimum, shall meet at least twice in each calendar year.</text></subsection> 
<subsection id="H4CBFD2C5DFE84916BD4ACDB8DB1B816D"><enum>(d)</enum><header>Compensation and travel expenses</header><text>Members of the advisory boards established under subsection (a) who are not full-time employees of the United States shall—</text> <paragraph id="H6CB614288D7E4788ABB41646245BDB6D"><enum>(1)</enum><text>be entitled to receive compensation at a rate fixed by the Director while attending meetings of the advisory board, including travel time; and</text></paragraph> 
<paragraph id="HCAEA836E26314C668678832831349899"><enum>(2)</enum><text>receive travel expenses, including per diem in lieu of subsistence, in accordance with applicable provisions under subchapter I of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/57">chapter 57</external-xref> of title 5, United States Code.</text></paragraph></subsection></section> <section id="HE200E88D622F43398E25096BB7C8F182"><enum>309.</enum><header>Authorization of appropriations</header><text display-inline="no-display-inline">There are authorized to be appropriated to the Director to carry out this Act $550,000,000 for each of the fiscal years 2022, 2023, 2024, 2025, and 2026.</text></section></title> 
<title id="H8551E88AF14D4EC8A76E3D12C790D243"><enum>IV</enum><header>Enforcement</header> 
<section id="HAE83886F95734AF7854829C304E2174D"><enum>401.</enum><header>Investigations and administrative discovery</header> 
<subsection id="HCAE4010C8D6944EAB6B6BFA8A92BC22A"><enum>(a)</enum><header>Joint investigations</header><text display-inline="yes-display-inline">The Agency or, where appropriate, an Agency investigator, may conduct investigations and make requests for information, as authorized under this Act, on a joint basis with another Federal agency, a State attorney general, or a State privacy regulator.</text></subsection> <subsection id="H420E91CE915545F0A7296F5739B0387B"><enum>(b)</enum><header>Subpoenas</header> <paragraph id="H0376D3D3C93A4FA78A189C37DF52FDF7"><enum>(1)</enum><header>In general</header><text>The Agency or an Agency investigator may issue subpoenas for the attendance and testimony of witnesses and the production of relevant papers, books, documents, or other material in connection with hearings under this Act.</text></paragraph> 
<paragraph id="HFF02BAE77DDD4EAB822BE947A601476D"><enum>(2)</enum><header>Failure to obey</header><text>In the case of contumacy or refusal to obey a subpoena issued pursuant to this subsection and served upon any person, the district court of the United States for any district in which such person is found, resides, or transacts business, upon application by the Agency or an Agency investigator and after notice to such person, may issue an order requiring such person to appear and give testimony or to appear and produce documents or other material.</text></paragraph> <paragraph id="HADF562E7BF064CD4BC0106D7773DB24C"><enum>(3)</enum><header>Contempt</header><text>Any failure to obey an order of the court under paragraph (2) may be punished by the court as a contempt thereof.</text></paragraph></subsection> 
<subsection id="H92E32F77611946AB8512BDC5AB7F30D3"><enum>(c)</enum><header>Demands</header> 
<paragraph id="HBACA0050A4514306BD60294DDFA9EAC6"><enum>(1)</enum><header>In general</header><text>Whenever the Agency has reason to believe that any person may be in possession, custody, or control of any documentary material or tangible things, or may have any information, relevant to a violation, the Agency may, before the institution of any proceedings under this Act, issue in writing, and cause to be served upon such person, a civil investigative demand requiring such person to—</text> <subparagraph id="H694642DB7FF24AB4BDAA91ED81965D21"><enum>(A)</enum><text>produce such documentary material for inspection and copying or reproduction in the form or medium requested by the Agency;</text></subparagraph> 
<subparagraph id="H9BB2E8DAA6694C189B2004E26B4BC45F"><enum>(B)</enum><text>submit such tangible things;</text></subparagraph> <subparagraph id="H119185DDE84A4325962904B895E40D84"><enum>(C)</enum><text>file written reports or answers to questions;</text></subparagraph> 
<subparagraph id="H6B5423B828DE46A4A0471845160EA2CF"><enum>(D)</enum><text>give oral testimony concerning documentary material, tangible things, or other information; or</text></subparagraph> <subparagraph id="H9E4AB2D888744BC28343DD16BC8EEEED"><enum>(E)</enum><text>furnish any combination of such material, answers, or testimony.</text></subparagraph></paragraph> 
<paragraph id="H1AC3B12FDC8B45438FE9B75B74DFBDED"><enum>(2)</enum><header>Requirements</header><text>Each civil investigative demand shall state the nature of the conduct constituting the alleged violation which is under investigation and the provision of law applicable to such violation.</text></paragraph> <paragraph id="HC8A2187C8C5640DF8C90919EBB5E26A2"><enum>(3)</enum><header>Production of documents</header><text>Each civil investigative demand for the production of documentary material shall—</text> 
<subparagraph id="H7794526451054C4B9B644CC5A9C15558"><enum>(A)</enum><text>describe each class of documentary material to be produced under the demand with such definiteness and certainty as to permit such material to be fairly identified;</text></subparagraph> <subparagraph id="H8CDA8816081E4EC1AD3FF70AA7BDCEAE"><enum>(B)</enum><text>prescribe a return date or dates which will provide a reasonable period of time within which the material so demanded may be assembled and made available for inspection and copying or reproduction; and</text></subparagraph> 
<subparagraph id="H8FC75979F755415CB5CA0A1A13E38D73"><enum>(C)</enum><text>identify the custodian to whom such material shall be made available.</text></subparagraph></paragraph> <paragraph id="H8582CF303CE440C3B68794E1230D14E1"><enum>(4)</enum><header>Production of things</header><text>Each civil investigative demand for the submission of tangible things shall—</text> 
<subparagraph id="H5390516BB20E47E2AC42B762280371CD"><enum>(A)</enum><text>describe each class of tangible things to be submitted under the demand with such definiteness and certainty as to permit such things to be fairly identified;</text></subparagraph> <subparagraph id="HCFC8DCAFCC6F4FDAB3455F150438D974"><enum>(B)</enum><text>prescribe a return date or dates which will provide a reasonable period of time within which the things so demanded may be assembled and submitted; and</text></subparagraph> 
<subparagraph id="H5A8CB013697A4CDEAD5F90BF8460ABEA"><enum>(C)</enum><text>identify the custodian to whom such things shall be submitted.</text></subparagraph></paragraph> <paragraph id="HD4AF4120BCB54B098552F3525CFE9489"><enum>(5)</enum><header>Demand for written reports or answers</header><text>Each civil investigative demand for written reports or answers to questions shall—</text> 
<subparagraph id="H140E28BFFEB94143B1AF92963807B56C"><enum>(A)</enum><text>propound with definiteness and certainty the reports to be produced or the questions to be answered;</text></subparagraph> <subparagraph id="HC33E5CB747B448309714E0DE7FDBA8A7"><enum>(B)</enum><text>prescribe a date or dates at which time written reports or answers to questions shall be submitted; and</text></subparagraph> 
<subparagraph id="H0FB73C4FF4DB47809EE68F244C6115DF"><enum>(C)</enum><text>identify the custodian to whom such reports or answers shall be submitted.</text></subparagraph></paragraph> <paragraph id="HCA32988516ED4C9598076F8A9ECD100A"><enum>(6)</enum><header>Oral testimony</header><text>Each civil investigative demand for the giving of oral testimony shall—</text> 
<subparagraph id="HD47DEA902E5846889381EF8519A1204A"><enum>(A)</enum><text>prescribe a date, time, and place at which oral testimony shall be commenced; and</text></subparagraph> <subparagraph id="H3B412D609D144F498220E0F9A21DAB55"><enum>(B)</enum><text>identify an Agency investigator who shall conduct the investigation and the custodian to whom the transcript of such investigation shall be submitted.</text></subparagraph></paragraph> 
<paragraph id="H563EB86DDCC3494AA212D65A822705FF"><enum>(7)</enum><header>Service</header><text>Any civil investigative demand issued, and any enforcement petition filed, under this section may be served—</text> <subparagraph id="H91E318FEB6384803A3DB1C46D45D970C"><enum>(A)</enum><text>by any Agency investigator at any place within the territorial jurisdiction of any court of the United States; and</text></subparagraph> 
<subparagraph id="HBC9A378E049443979D161FCF8DC92D08"><enum>(B)</enum><text>upon any person who is not found within the territorial jurisdiction of any court of the United States—</text> <clause id="H032845E49C524A279CE72C92565DE822"><enum>(i)</enum><text>in such manner as the Federal Rules of Civil Procedure prescribe for service in a foreign nation; and</text></clause> 
<clause id="H51A4850AF9DB44EB9A8D88899C9AA66F"><enum>(ii)</enum><text>to the extent that the courts of the United States have authority to assert jurisdiction over such person, consistent with due process, the United States District Court for the District of Columbia shall have the same jurisdiction to take any action respecting compliance with this section by such person that such district court would have if such person were personally within the jurisdiction of such district court.</text></clause></subparagraph></paragraph> <paragraph id="HD81EB350AAE54AFE8BAD042398562A5A"><enum>(8)</enum><header>Method of service</header><text>Service of any civil investigative demand or any enforcement petition filed under this section may be made upon a person by—</text> 
<subparagraph id="H37DD7F47EF3D4B6485470AA0E8E7686C"><enum>(A)</enum><text>delivering a duly executed copy of such demand or petition to the individual or to any partner, executive officer, managing agent, or general agent of such person, or to any agent of such person authorized by appointment or by law to receive service of process on behalf of such person;</text></subparagraph> <subparagraph id="H3C076A090EAF45F699B489711B986FFA"><enum>(B)</enum><text>delivering a duly executed copy of such demand or petition to the principal office or place of business of the person to be served; or</text></subparagraph> 
<subparagraph id="H932A4369A8A04504BAD54DCA2BA91116"><enum>(C)</enum><text>depositing a duly executed copy in the United States mails, by registered or certified mail, return receipt requested, duly addressed to such person at the principal office or place of business of such person.</text></subparagraph></paragraph> <paragraph id="HBE0F301E5EBC4B7E8FFBEEB6288ECC03"><enum>(9)</enum><header>Proof of service</header> <subparagraph id="H2A00EA8D54B14EF1A837E48FC68A3CC3"><enum>(A)</enum><header>In general</header><text>A verified return by the individual serving any civil investigative demand or any enforcement petition filed under this section setting forth the manner of such service shall be proof of such service.</text></subparagraph> 
<subparagraph id="H66B3C6576B3244E59B36820148DB5775"><enum>(B)</enum><header>Return receipts</header><text>In the case of service by registered or certified mail, such return shall be accompanied by the return post office receipt of delivery of such demand or enforcement petition.</text></subparagraph></paragraph> <paragraph id="H5FFC933D91714BCDBFD6C761772C03B3"><enum>(10)</enum><header>Production of documentary material</header><text>The production of documentary material in response to a civil investigative demand shall be made under a sworn certificate, in such form as the demand designates, by the person, if a natural person, to whom the demand is directed or, if not a natural person, by any person having knowledge of the facts and circumstances relating to such production, to the effect that all of the documentary material required by the demand and in the possession, custody, or control of the person to whom the demand is directed has been produced and made available to the custodian.</text></paragraph> 
<paragraph id="H4692DB214EFE445FAF9EC24C6711CA07"><enum>(11)</enum><header>Submission of tangible things</header><text>The submission of tangible things in response to a civil investigative demand shall be made under a sworn certificate, in such form as the demand designates, by the person to whom the demand is directed or, if not a natural person, by any person having knowledge of the facts and circumstances relating to such production, to the effect that all of the tangible things required by the demand and in the possession, custody, or control of the person to whom the demand is directed have been submitted to the custodian.</text></paragraph> <paragraph id="HB87424C08AF2453ABF1AE1D5A75F26A0"><enum>(12)</enum><header>Separate answers</header><text>Each reporting requirement or question in a civil investigative demand shall be answered separately and fully in writing under oath, unless it is objected to, in which event the reasons for the objection shall be stated in lieu of an answer, and it shall be submitted under a sworn certificate, in such form as the demand designates, by the person, if a natural person, to whom the demand is directed or, if not a natural person, by any person responsible for answering each reporting requirement or question, to the effect that all information required by the demand and in the possession, custody, control, or knowledge of the person to whom the demand is directed has been submitted.</text></paragraph> 
<paragraph id="HC726736B5B2E4FFAACE2CAE513403D79"><enum>(13)</enum><header>Testimony</header> 
<subparagraph id="H1E825971AEE84AF2AA70C87ED10C844C"><enum>(A)</enum><header>In general</header> 
<clause id="H5C9F48C2E9A4484583C0270168D773B2"><enum>(i)</enum><header>Oath and recordation</header><text>The examination of any person pursuant to a demand for oral testimony served under this subsection shall be taken before an officer authorized to administer oaths and affirmations by the laws of the United States or of the place at which the examination is held. The officer before whom oral testimony is to be taken shall put the witness on oath or affirmation and shall personally, or by any individual acting under the direction of and in the presence of the officer, record the testimony of the witness.</text></clause> <clause id="H6978C0E913404C069E8D1F9FDF8C43FB"><enum>(ii)</enum><header>Transcription</header><text>The testimony shall be taken stenographically and transcribed.</text></clause></subparagraph> 
<subparagraph id="H5BD27900E4BF4119B00EFCE92DBD95A8"><enum>(B)</enum><header>Parties present</header><text>Any Agency investigator before whom oral testimony is to be taken shall exclude from the place where the testimony is to be taken all other persons, except the person giving the testimony, the attorney for that person, the officer before whom the testimony is to be taken, an investigator or representative of an agency with which the Agency is engaged in a joint investigation, and any stenographer taking such testimony.</text></subparagraph> <subparagraph id="HB2A888063CE94682B359EA1732B0F87A"><enum>(C)</enum><header>Location</header><text>The oral testimony of any person taken pursuant to a civil investigative demand shall be taken in the judicial district of the United States in which such person resides, is found, or transacts business, or in such other place as may be agreed upon by the Agency investigator before whom the oral testimony of such person is to be taken and such person.</text></subparagraph> 
<subparagraph id="H7BC9F6B99CD3479FB6E901B793534E96"><enum>(D)</enum><header>Attorney representation</header> 
<clause id="H7B55C85399414FE88EFB952590583EB8"><enum>(i)</enum><header>In general</header><text>Any person compelled to appear under a civil investigative demand for oral testimony pursuant to this subsection may be accompanied, represented, and advised by an attorney.</text></clause> <clause id="H032C3EA05EE6407F89BF6A285FE74D55"><enum>(ii)</enum><header>Authority</header><text>The attorney may advise a person described in clause (i), in confidence, either upon the request of such person or upon the initiative of the attorney, with respect to any question asked of such person.</text></clause> 
<clause id="H5A20E6208E2E4D39B8560F4E8892581D"><enum>(iii)</enum><header>Objections</header><text>A person described in clause (i), or the attorney for that person, may object on the record to any question, in whole or in part, and such person shall briefly state for the record the reason for the objection. An objection may properly be made, received, and entered upon the record when it is claimed that such person is entitled to refuse to answer the question on grounds of any constitutional or other legal right or privilege, including the privilege against self-incrimination, but such person shall not otherwise object to or refuse to answer any question, and such person or attorney shall not otherwise interrupt the oral examination.</text></clause> <clause id="HD00BDBE6D8B34A6BAA6E9C55F59D7CA8"><enum>(iv)</enum><header>Refusal to answer</header><text>If a person described in clause (i) refuses to answer any question—</text> 
<subclause id="HCBE81EB91CEA4277968DD74F2B591474"><enum>(I)</enum><text>the Agency may petition the district court of the United States pursuant to this section for an order compelling such person to answer such question; and</text></subclause> <subclause id="H4D97D31C34FA49E399B3587B0E5B59CC"><enum>(II)</enum><text>if the refusal is on grounds of the privilege against self-incrimination, the testimony of such person may be compelled in accordance with the provisions of section 6004 of title 18, United States Code.</text></subclause></clause></subparagraph> 
<subparagraph id="H1934BAB393844747B251A2FD26BE5A37"><enum>(E)</enum><header>Transcripts</header><text>For purposes of this subsection—</text> <clause id="H73FC3B3826284B089E0D357639E87509"><enum>(i)</enum><text>after the testimony of any witness is fully transcribed, the Agency investigator shall afford the witness (who may be accompanied by an attorney) a reasonable opportunity to examine the transcript;</text></clause> 
<clause id="HA5046782E9D84231B0580F9EC4143ED3"><enum>(ii)</enum><text>the transcript shall be read to or by the witness, unless such examination and reading are waived by the witness;</text></clause> <clause id="H223DF996B42546B2827957A570DD9D02"><enum>(iii)</enum><text>any changes in form or substance which the witness desires to make shall be entered and identified upon the transcript by the Agency investigator, with a statement of the reasons given by the witness for making such changes;</text></clause> 
<clause id="H52D37A8DB6E6481DA4B3724900A6341F"><enum>(iv)</enum><text>the transcript shall be signed by the witness, unless the witness in writing waives the signing, is ill, cannot be found, or refuses to sign; and</text></clause> <clause id="HB79C47E757B34A7E838D417C4FC28BAB"><enum>(v)</enum><text>if the transcript is not signed by the witness during the 30-day period following the date on which the witness is first afforded a reasonable opportunity to examine the transcript, the Agency investigator shall sign the transcript and state on the record the fact of the waiver, illness, absence of the witness, or the refusal to sign, together with any reasons given for the failure to sign.</text></clause></subparagraph> 
<subparagraph id="H3F7DACAA1C8545449D6C207EC9570C0C"><enum>(F)</enum><header>Certification by investigator</header><text display-inline="yes-display-inline">The Agency investigator shall certify on the transcript that the witness was duly sworn by such Agency investigator and that the transcript is a true record of the testimony given by the witness, and the Agency investigator shall promptly deliver the transcript or send it by registered or certified mail to the custodian.</text></subparagraph> <subparagraph id="H8A9B24F66CC44DF9809B692CF4C6E66C"><enum>(G)</enum><header>Copy of transcript</header><text display-inline="yes-display-inline">The Agency investigator shall furnish a copy of the transcript (upon payment of reasonable charges for the transcript) to the witness only, except that the Agency may for good cause limit such witness to inspection of the official transcript of the testimony of such witness.</text></subparagraph> 
<subparagraph id="H4BD02BE9FA734D91B76185D66EAABB19"><enum>(H)</enum><header>Witness fees</header><text>Any witness appearing for the taking of oral testimony pursuant to a civil investigative demand shall be entitled to the same fees and mileage which are paid to witnesses in the district courts of the United States.</text></subparagraph></paragraph></subsection> <subsection id="H04E44F5A7850456CBB3EA3D3A6EA016A"><enum>(d)</enum><header>Confidential treatment of demand material</header> <paragraph id="H0854EE03CFEA40048AE75B7BDEEFED15"><enum>(1)</enum><header>In general</header><text>Documentary materials and tangible things received as a result of a civil investigative demand shall be subject to requirements and procedures regarding confidentiality, in accordance with rules established by the Agency.</text></paragraph> 
<paragraph id="HC5C9EC0BAE2349D9906BC9C2F2231C7E"><enum>(2)</enum><header>Disclosure to congress</header><text>No rule established by the Agency regarding the confidentiality of materials submitted to, or otherwise obtained by, the Agency shall be intended to prevent disclosure to either House of Congress or to an appropriate committee of the Congress, except that the Agency is permitted to adopt rules allowing prior notice to any party that owns or otherwise provided the material to the Agency and had designated such material as confidential.</text></paragraph></subsection> <subsection id="H6302AE658F014D088DE4FF2433725E2B"><enum>(e)</enum><header>Petition for enforcement</header> <paragraph id="H1BADCF90CADA4948AD1424A9BEDE63F3"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Whenever any person fails to comply with any civil investigative demand duly served upon such person under this section, or whenever satisfactory copying or reproduction of material requested pursuant to the demand cannot be accomplished and such person refuses to surrender such material, the Agency, through such officers or attorneys as it may designate, may file, in the district court of the United States for any judicial district in which such person resides, is found, or transacts business, and serve upon such person, a petition for an order of such court for the enforcement of this section.</text></paragraph> 
<paragraph id="H6F213115E766416894D9661D828E776C"><enum>(2)</enum><header>Service of process</header><text>All process of any court to which application may be made as provided in this subsection may be served in any judicial district.</text></paragraph></subsection> <subsection id="H2AF8A3CA456B4FCD935736C4E14917F4"><enum>(f)</enum><header>Petition for order modifying or setting aside demand</header> <paragraph id="H4F289435F4C643018DCCD90AC33E9D39"><enum>(1)</enum><header>In general</header><text>Not later than 20 days after the service of any civil investigative demand upon any person under subsection (c), or at any time before the return date specified in the demand, whichever period is shorter, or within such period exceeding 20 days after service or in excess of such return date as may be prescribed in writing, subsequent to service, by any Agency investigator named in the demand, such person may file with the Agency a petition for an order by the Agency modifying or setting aside the demand.</text></paragraph> 
<paragraph id="HFEDC8AE39A394F3483E55707A46D90E7"><enum>(2)</enum><header>Compliance during pendency</header><text>The time permitted for compliance with the demand in whole or in part, as determined proper and ordered by the Agency, shall not run during the pendency of a petition under paragraph (1) at the Agency, except that such person shall comply with any portions of the demand not sought to be modified or set aside.</text></paragraph> <paragraph id="H8AE884E2D9664B81B02FE53346D9CD51"><enum>(3)</enum><header>Specific grounds</header><text>A petition under paragraph (1) shall specify each ground upon which the petitioner relies in seeking relief, and may be based upon any failure of the demand to comply with the provisions of this section, or upon any constitutional or other legal right or privilege of such person.</text></paragraph></subsection> 
<subsection id="H13CD96920F5F4D4182763C36F4749B57"><enum>(g)</enum><header>Custodial control</header><text display-inline="yes-display-inline">At any time during which any custodian is in custody or control of any documentary material, tangible things, reports, answers to questions, or transcripts of oral testimony given by any person in compliance with any civil investigative demand, such person may file, in the district court of the United States for the judicial district within which the office of such custodian is situated, and serve upon such custodian, a petition for an order of such court requiring the performance by such custodian of any duty imposed upon such custodian by this section or rule promulgated by the Agency.</text></subsection> <subsection id="H93E4BDBD8DF94C69BBA24053CD61A35B"><enum>(h)</enum><header>Jurisdiction of court</header> <paragraph id="H70B5CCD6649348F083115964B03D7020"><enum>(1)</enum><header>In general</header><text>Whenever any petition is filed in any district court of the United States under this section, such court shall have jurisdiction to hear and determine the matter so presented, and to enter such order or orders as may be required to carry out the provisions of this section.</text></paragraph> 
<paragraph id="HDA47EC35B9C24A22845D2D0352715D5D"><enum>(2)</enum><header>Appeal</header><text>Any final order entered as described in paragraph (1) shall be subject to appeal pursuant to section 1291 of title 28, United States Code.</text></paragraph></subsection></section> <section id="H911F60DF193040C48C5A805D0989A668"><enum>402.</enum><header>Hearings and adjudication proceedings</header> <subsection id="HF15581A6789E48B8A28568AB7BED0602"><enum>(a)</enum><header>In general</header><text>The Agency is authorized to conduct hearings and adjudication proceedings with respect to any person in the manner prescribed by <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/5">chapter 5</external-xref> of title 5, United States Code, in order to ensure or enforce compliance with this Act and the rules prescribed under this Act.</text></subsection> 
<subsection id="H14DAECE533FE466385D2F280FDEAA33E"><enum>(b)</enum><header>Special rules for cease-and-desist proceedings</header> 
<paragraph id="HF4D813EB7138495C83A4A964F96ABA33"><enum>(1)</enum><header>Orders authorized</header> 
<subparagraph id="HF48F75FCB8D148A5A5C25852687EFF69"><enum>(A)</enum><header>In general</header><text>If, in the opinion of the Agency, a person is engaging or has engaged in an act or omission that violates any provision of this Act or a rule or order prescribed under this Act, the Agency may issue and serve upon the person a notice of charges in respect thereof.</text></subparagraph> <subparagraph id="H2D30193AFC4647BB95D262CB2440F73C"><enum>(B)</enum><header>Content of notice</header><text>The notice under subparagraph (A) shall contain a statement of the facts constituting the alleged violation, and shall fix a time and place at which a hearing will be held to determine whether an order to cease and desist should issue against the person, such hearing to be held not earlier than 30 days nor later than 60 days after the date of service of such notice, unless an earlier or a later date is set by the Agency, at the request of any person so served.</text></subparagraph> 
<subparagraph id="HF11796E5E8F24430B5CA4B58241AC21F"><enum>(C)</enum><header>Consent</header><text>Unless a person served under subparagraph (B) appears at the hearing personally or by a duly authorized representative, the person shall be deemed to have consented to the issuance of the cease-and-desist order.</text></subparagraph> <subparagraph id="H38EB1252B08D42E189F4FD7A35D8C80B"><enum>(D)</enum><header>Procedure</header><text>In the event of consent under subparagraph (C), or if, upon the record made at any such hearing, the Agency finds that any violation specified in the notice of charges has been established, the Agency may issue and serve upon the person an order to cease and desist from the violation. Such order may, by provisions which may be mandatory or otherwise, require the person to cease and desist from the subject act or omission, and to take affirmative action to correct the conditions resulting from any such violation.</text></subparagraph></paragraph> 
<paragraph id="H3F0DED0614714EDBB1022A042B111980"><enum>(2)</enum><header>Effectiveness of order</header><text>A cease-and-desist order shall become effective at the expiration of 30 days after the date of service of the order under paragraph (1)(D) (except in the case of a cease-and-desist order issued upon consent, which shall become effective at the time specified therein), and shall remain effective and enforceable as provided therein, except to such extent as the order is stayed, modified, terminated, or set aside by action of the Agency or a reviewing court.</text></paragraph> <paragraph id="H3597FB44D94C4117B8FF7179E2E77ED1"><enum>(3)</enum><header>Decision and Appeal</header><text>Any hearing provided for in this subsection shall be held in the Federal judicial district or in the territory in which the residence or principal office or place of business of the person is located unless the person consents to another place, and shall be conducted in accordance with the provisions of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/5">chapter 5</external-xref> of title 5, United States Code. After such hearing, and not later than 90 days after the Agency has notified each party to the proceeding that the case has been submitted to the Agency for final decision, the Agency shall render its decision (which shall include findings of fact upon which its decision is predicated) and shall issue and serve upon each such party an order or orders consistent with the provisions of this section. Judicial review of any such order shall be exclusively as provided in this subsection. Unless a petition for review is timely filed in a court of appeals of the United States, as provided in paragraph (4), and thereafter until the record in the proceeding has been filed as provided in paragraph (4), the Agency may at any time, upon such notice and in such manner as the Agency shall determine proper, modify, terminate, or set aside any such order. 
Upon filing of the record as provided, the Agency may modify, terminate, or set aside any such order with permission of the court.</text></paragraph> 
<paragraph id="H322E087DA86B4FBD9830101313662CC4"><enum>(4)</enum><header>Appeal to court of Appeals</header><text>Any party to any proceeding under this subsection may obtain a review of any order served pursuant to this subsection (other than an order issued with the consent of the party) by filing in the court of appeals of the United States for the circuit in which the residence or principal office or place of business of the party is located, or in the United States Court of Appeals for the District of Columbia Circuit, within 30 days after the date of service of such order, a written petition praying that the order of the Agency be modified, terminated, or set aside. A copy of such petition shall be forthwith transmitted by the clerk of the court to the Agency, and thereupon the Agency shall file in the court the record in the proceeding, as provided in section 2112 of title 28, United States Code. Upon the filing of such petition, such court shall have jurisdiction, which upon the filing of the record shall, except as provided in the last sentence of paragraph (3), be exclusive, to affirm, modify, terminate, or set aside, in whole or in part, the order of the Agency. Review of such proceedings shall be had as provided in <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/7">chapter 7</external-xref> of title 5, United States Code. The judgment and decree of the court shall be final, except that the same shall be subject to review by the Supreme Court of the United States, upon certiorari, as provided in section 1254 of title 28, United States Code.</text></paragraph> <paragraph id="H6B6075F37DCF42989F246BC49FC80677"><enum>(5)</enum><header>No stay</header><text>The commencement of proceedings for judicial review under paragraph (4) shall not, unless specifically ordered by the court, operate as a stay of any order issued by the Agency.</text></paragraph></subsection> 
<subsection id="HB5D2C7FABA194F528B251C9DBE522AEE"><enum>(c)</enum><header>Special rules for temporary cease-and-desist proceedings</header> 
<paragraph id="H896637DD4DB74189AE9708CD8CF642B4"><enum>(1)</enum><header>In general</header><text>Whenever the Agency determines that the violation specified in the notice of charges served upon a person pursuant to subsection (b), or the continuation thereof, is likely to cause the person to be insolvent or otherwise prejudice the interests of individuals before the completion of the proceedings conducted pursuant to subsection (b), the Agency may issue a temporary order requiring the person to cease and desist from any such violation and to take affirmative action to prevent or remedy such insolvency or other condition pending completion of such proceedings. Such order may include any requirement authorized under this title. Such order shall become effective upon service upon the person and, unless set aside, limited, or suspended by a court in proceedings authorized by paragraph (2), shall remain effective and enforceable pending the completion of the administrative proceedings pursuant to such notice and until such time as the Agency shall dismiss the charges specified in such notice, or if a cease-and-desist order is issued against the person, until the effective date of such order.</text></paragraph> <paragraph id="H30C7A9BF364E4832AC2F6BC16AC6EEE0"><enum>(2)</enum><header>Appeal</header><text>Not later than 10 days after a person has been served with a temporary cease-and-desist order, the person may apply to the United States district court for the judicial district in which the residence or principal office or place of business of the person is located, or the United States District Court for the District of Columbia, for an injunction setting aside, limiting, or suspending the enforcement, operation, or effectiveness of such order pending the completion of the administrative proceedings pursuant to the notice of charges served upon the person under subsection (b), and such court shall have jurisdiction to issue such 
injunction.</text></paragraph></subsection> 
<subsection id="H5661F41366214E6CBFC49DB33B0CC036"><enum>(d)</enum><header>Special rules for enforcement of orders</header> 
<paragraph id="H3A988A05AD7F48508D132C07FF3C6105"><enum>(1)</enum><header>In general</header><text>The Agency may in its discretion apply to the United States district court within the jurisdiction of which the residence or principal office or place of business of a person is located, for the enforcement of any effective and outstanding order issued under this section against such person, and such court shall have jurisdiction and power to order and require compliance with such order.</text></paragraph> <paragraph id="HAAD209BBD7224C6295759E76F21D6FD7"><enum>(2)</enum><header>Exception</header><text>Except as otherwise provided in this section, no court shall have jurisdiction to affect by injunction or otherwise the issuance or enforcement of any order or to review, modify, suspend, terminate, or set aside any such order.</text></paragraph></subsection> 
<subsection id="HB5862A199E83442F8552C3BC3FED008F"><enum>(e)</enum><header>Rules</header><text>The Agency shall prescribe rules establishing such procedures as may be necessary to carry out this section.</text></subsection></section> <section id="H30F5372B87E94393BFC4448B693C1EA0"><enum>403.</enum><header>Litigation authority</header> <subsection id="H302D08E34A6844C198A1EAD9AB34FCE7"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">If a person violates any provision of this Act or a rule or order prescribed under this Act, the Agency may commence a civil action against such person to impose a civil penalty or to seek all appropriate legal and equitable relief, including a permanent or temporary injunction as permitted by law.</text></subsection> 
<subsection id="HF474719E48E44832BD63F9996EF6A0D9"><enum>(b)</enum><header>Representation</header><text display-inline="yes-display-inline">Except as provided in subsection (e), the Agency may act in its own name and through its own attorneys enforcing any provision of this Act or rules or orders issued pursuant to this Act or in any action, suit, or other court proceeding to which the Agency is a party.</text></subsection> <subsection id="H728B91A53E76466CB2072D39B6A5CD97"><enum>(c)</enum><header>Compromise of actions</header><text>The Agency may compromise or settle any action, suit, or other court proceeding to which the Agency is a party if such compromise is approved by the court.</text></subsection> 
<subsection id="HD5C0CAB100414E8196CD62AB80BE05C2"><enum>(d)</enum><header>Notice to the attorney general of the United States</header> 
<paragraph id="H22CC87BD94DF4BB3A1519BF046B75368"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">When commencing a civil action under this Act or regulations or rules or orders issued pursuant to this Act, the Agency shall notify the Attorney General.</text></paragraph> <paragraph id="HA30436AADEC2412CBFEB3D789774CF1E"><enum>(2)</enum><header>Notice and coordination</header> <subparagraph id="H166C7AF2AA384B1A9C63B1F5180E7FF8"><enum>(A)</enum><header>Notice of other actions</header><text>In addition to any notice required under paragraph (1), the Agency shall notify the Attorney General concerning any action, suit, or other court proceeding to which the Agency is a party.</text></subparagraph> 
<subparagraph id="H3554280C147747E598951A47C1075831"><enum>(B)</enum><header>Coordination</header><text>In order to avoid conflicts and promote consistency regarding litigation of matters under Federal law, the Attorney General and the Agency shall consult regarding the coordination of investigations and proceedings, including by negotiating an agreement for coordination not later than 180 days after the effective date of this Act. The agreement under this subparagraph shall include provisions to ensure that parallel investigations and proceedings involving this Act and the rules prescribed under this Act are conducted in a manner that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws.</text></subparagraph> <subparagraph id="H7140B9BDC268469B9956199FA6598D11"><enum>(C)</enum><header>Rule of construction</header><text>Nothing in this paragraph shall be construed to limit the authority of the Agency under this Act, including the authority to interpret this Act.</text></subparagraph></paragraph></subsection> 
<subsection id="H4F731306DA754B648624A643B1C512BB"><enum>(e)</enum><header>Appearance before the supreme court</header><text>The Agency may represent itself in its own name before the Supreme Court of the United States, if the Agency makes a written request to the Attorney General within the 10-day period which begins on the date of entry of the judgment which would permit any party to file a petition for writ of certiorari, and the Attorney General concurs with such request or fails to take action within 60 days of the request of the Agency.</text></subsection> <subsection id="HF60EC4EFDD664F799B9E644FEFE20C84"><enum>(f)</enum><header>Forum</header><text display-inline="yes-display-inline">Any civil action brought under this Act or regulations or rules or orders issued pursuant to this Act may be brought in an appropriate district court of the United States or an appropriate State court.</text></subsection> 
<subsection id="H991C1CC28CE848148A30B0E1D8FC8018"><enum>(g)</enum><header>Time for bringing action</header><text>Except as otherwise permitted by law or equity, no action may be brought under this Act more than 3 years after the date of discovery of the violation to which the action relates.</text></subsection></section> <section id="H01017791A02744768EAF72279FF25FF4"><enum>404.</enum><header>Enforcement by States</header> <subsection id="H798E098267CC4DA2A6D723434566E76B"><enum>(a)</enum><header>Civil action</header><text>In any case in which a State attorney general or a State privacy regulator has reason to believe that an interest of the residents of a State has been or is adversely affected by any person who violates any provision of this Act or a rule or order prescribed under this Act, the State attorney general or State privacy regulator, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate State court or an appropriate district court of the United States to—</text> 
<paragraph id="HFCD82445552E4029A6DB58832EF36135"><enum>(1)</enum><text>enjoin further violation of such provision by the defendant;</text></paragraph> <paragraph id="HF9BF581498C74E2183CE7EF1EAB1DD86"><enum>(2)</enum><text>compel compliance with such provision; or</text></paragraph> 
<paragraph id="H73190F8C39FE417286CC28FE72C61EC7"><enum>(3)</enum><text>obtain relief under section 406.</text></paragraph></subsection> <subsection id="HFBB1E96EE4F94CF0B568B47F5C3D88DD"><enum>(b)</enum><header>Rights of agency</header><text>Before initiating a civil action under subsection (a), the State attorney general or State privacy regulator, as the case may be, shall notify the Agency in writing of such civil action. Upon receiving notice with respect to a civil action, the Agency may—</text> 
<paragraph id="H3E1D2482F00E4128B5B74EDA5D2AE76B"><enum>(1)</enum><text>intervene in such action; and</text></paragraph> <paragraph id="HD7E0BD2D3D0F4E179456A2852A962847"><enum>(2)</enum><text>upon intervening—</text> 
<subparagraph id="HA60058E5BA4C455190384530CC7AC49B"><enum>(A)</enum><text>be heard on all matters arising in such civil action; and</text></subparagraph> <subparagraph id="H8724EAA8E5AC4D8286749CDD59D0A906"><enum>(B)</enum><text>file petitions for appeal of a decision in such action.</text></subparagraph></paragraph></subsection> 
<subsection id="H885C1443759C4DA1B2103C7195FFBAF6"><enum>(c)</enum><header>Preemptive action by agency</header><text>If the Agency institutes a civil action for violation of any provision of this Act or a rule or order prescribed under this Act, no State attorney general or State privacy regulator may bring a civil action against any defendant named in the complaint of the Agency for a violation of such provision that is alleged in such complaint.</text></subsection></section> <section id="HD32675524C5743539F130C5E241842B0"><enum>405.</enum><header>Private rights of action</header> <subsection id="H0587091144674C7D91E9E3E5B100F8CB"><enum>(a)</enum><header>Injunctive relief</header><text>A person who is aggrieved by a violation of this Act may bring a civil action for declaratory or injunctive relief in any court of competent jurisdiction in any State or in an appropriate district court.</text></subsection> 
<subsection id="H783D45EB59404A7BA89E53E9455C99D6"><enum>(b)</enum><header>Civil action for damages</header><text>Except for claims under rule 23 of the Federal Rules of Civil Procedure or a similar judicial procedure authorizing an action to be brought by 1 or more representatives, a person who is aggrieved by a violation of this Act may bring a civil action for damages in any court of competent jurisdiction in any State or in an appropriate district court.</text></subsection> <subsection id="HC1C68E37EA994BEBBA29E94DB6E3DDE7"><enum>(c)</enum><header>Nonprofit collective representation</header><text display-inline="yes-display-inline">An individual shall have the right to appoint a nonprofit organization (as described in <external-xref legal-doc="usc" parsable-cite="usc/26/501">section 501(c)(3)</external-xref> of the Internal Revenue Code of 1986 and exempt from taxation under section 501(a) of such Code) which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of privacy and information security to lodge the complaint on behalf of such individual to exercise the rights referred to in this Act on behalf of such individual.</text> 
<paragraph id="H7AB1BB0A7EB64CDF8F6337901B01EC4F"><enum>(1)</enum><text>A nonprofit may represent a class of aggrieved individuals.</text></paragraph> <paragraph id="H93CA4F19AF734CB5AD125FADE5238142"><enum>(2)</enum><text>A prevailing nonprofit shall receive reasonable compensation for expenses, including attorneys’ fees.</text></paragraph> 
<paragraph id="HC15EC49EFEFE400FA8006542F9E13E18"><enum>(3)</enum><text>Individuals shall receive an equally divided share of the total damages.</text></paragraph></subsection> <subsection id="H37EAA66FF0514DDE84F6352176887841"><enum>(d)</enum><header>State appointment</header><text>A State may provide that any body, organization, or association referred to in subsection (c), independent of an individual’s appointment, has the right to lodge, in that State, a complaint with the Agency and to exercise the rights referred to in this Act if it considers that the rights of an individual under this Act have been infringed.</text></subsection></section> 
<section id="H8BD172D6E5FA4E549BBDB7534B480CC7"><enum>406.</enum><header>Relief available</header> 
<subsection id="H445BBC49AA34416193AA37D911709EF1"><enum>(a)</enum><header>Civil actions and adjudication proceedings</header> 
<paragraph id="H8382D5AB250E45ED9CC288BB1795C74E"><enum>(1)</enum><header>Jurisdiction</header><text display-inline="yes-display-inline">In any civil action or any adjudication proceeding brought by the Agency, a State attorney general, or State privacy regulator under any provision of this Act or a rule or order prescribed under this Act, the court or the Agency (as the case may be) shall have jurisdiction to grant any appropriate legal or equitable relief with respect to a violation of such provision.</text></paragraph> <paragraph id="H3E919F6DFCA14BBD9C238CBFB7C13B8F"><enum>(2)</enum><header>Relief</header><text>Relief under this section may include—</text> 
<subparagraph id="H17B88F6EF99847FB9C3210AD8B64376E"><enum>(A)</enum><text>rescission or reformation of contracts;</text></subparagraph> <subparagraph id="H6F9977B40A514067AC82D66CA65E54E7"><enum>(B)</enum><text>refund of moneys;</text></subparagraph> 
<subparagraph id="HCB84235C8038400A8F9D54648DAAE645"><enum>(C)</enum><text>restitution;</text></subparagraph> <subparagraph id="H64E7DDFA26684463AE7D7BAF880C4F30"><enum>(D)</enum><text>disgorgement or compensation for unjust enrichment;</text></subparagraph> 
<subparagraph id="H694F271F16BD4FE280C6BCB652327B6F"><enum>(E)</enum><text>payment of damages or other monetary relief;</text></subparagraph> <subparagraph id="HA7A674FE37E14AD5862DA1A988085C73"><enum>(F)</enum><text>public notification regarding the violation, including the costs of notification;</text></subparagraph> 
<subparagraph id="H5FB13593DEDF4DA780A69DE76C7BA275"><enum>(G)</enum><text>limits on the activities or functions of the person; and</text></subparagraph> <subparagraph id="HD74E1E1CA2C74934884E591B97AADC3E"><enum>(H)</enum><text>civil money penalties, as provided in subsection (c).</text></subparagraph></paragraph> 
<paragraph id="H719849095A8442A8870EB0A7B0DE09E7"><enum>(3)</enum><header>No exemplary or punitive damages</header><text>Nothing in this subsection shall be construed as authorizing the imposition of exemplary or punitive damages.</text></paragraph></subsection> <subsection id="HF49B4C028AC94653BD103F6F85C83E81"><enum>(b)</enum><header>Recovery of costs</header><text>In any civil action brought by the Agency, State attorney general, or State privacy regulator under any provision of this Act or a rule or order prescribed under this Act, the Agency, State attorney general, or State privacy regulator may recover its costs in connection with prosecuting such action if the Agency or State attorney general is the prevailing party in the action.</text></subsection> 
<subsection id="H5EC9C86562064CEE9C81333E4CBED03D"><enum>(c)</enum><header>Civil money penalty in court and administrative actions</header> 
<paragraph id="HAA75784FC2B944658E67E37FA54516D6"><enum>(1)</enum><header>In general</header><text>Any person who violates, through any act or omission, any provision of this Act or a rule or order issued pursuant to this Act shall forfeit and pay a civil penalty under this subsection.</text></paragraph> <paragraph id="H053B478567B44FF4AF96DF6DD57081B7"><enum>(2)</enum><header>Penalty amount</header> <subparagraph id="H3BB31E3A3A2B4579886CD3E4096983F0"><enum>(A)</enum><header>In general</header><text>The amount of a civil penalty under this subsection may not exceed, for each violation, the product of—</text> 
<clause id="HC48AA4F073AC4F218BBDAE13E234B286"><enum>(i)</enum><text>the maximum civil penalty for which a person, partnership, or corporation may be liable under section 5(m)(1)(A) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(m)(1)(A)</external-xref>) for a violation of a rule under such Act respecting unfair or deceptive acts or practices, as adjusted under the Federal Civil Penalties Inflation Adjustment Act of 1990 (<external-xref legal-doc="usc" parsable-cite="usc/28/2461">28 U.S.C. 2461</external-xref> note); and</text></clause> <clause id="HC44587BD4ED4402283F15920FC07B3A8"><enum>(ii)</enum><text>the number of individuals whose personal information is affected by the violation.</text></clause></subparagraph> 
<subparagraph id="H0E7D549A28EE4AD0BD82FD1B24ACCD33"><enum>(B)</enum><header>Continuing violations</header><text>In the case of a violation through continuing failure to comply with a provision of this Act or a rule or order prescribed under this Act, each day of continuance of such failure shall be treated as a separate violation for purposes of subparagraph (A).</text></subparagraph></paragraph> <paragraph id="H843B075E45E04A71A2F163DE779BF988"><enum>(3)</enum><header>Mitigating factors</header><text>In determining the amount of any penalty assessed under paragraph (2), the court or the Agency shall take into account the appropriateness of the penalty with respect to—</text> 
<subparagraph id="H35BF27C5CEC84A76965D2088672FB495"><enum>(A)</enum><text>the size of financial resources and good faith of the person charged;</text></subparagraph> <subparagraph id="HB0C856D0C16F4BA6B82AD54484C9F05A"><enum>(B)</enum><text>the gravity of the violation;</text></subparagraph> 
<subparagraph id="H571AE4A0370F4987B9D330359537DBD4"><enum>(C)</enum><text>the severity of the privacy harms (including both actual and potential harms) to individuals;</text></subparagraph> <subparagraph id="HF4A983CBE239430CB079DB03239518A6"><enum>(D)</enum><text>any disparate impact of the privacy harms (including both actual and potential harms) on protected classes;</text></subparagraph> 
<subparagraph id="H6C0562CE35BB4BA59C2FAEB831E3F821"><enum>(E)</enum><text>the history of previous violations; and</text></subparagraph> <subparagraph id="H06B084A22DFA467FB84F5D2B227FDCD4"><enum>(F)</enum><text>such other matters as justice may require.</text></subparagraph></paragraph> 
<paragraph id="H5804287275194F0DA45A3BB07260FB85"><enum>(4)</enum><header>Authority to modify or remit penalty</header><text>The Agency, State attorney general, or State privacy regulator may compromise, modify, or remit any penalty which may be assessed or has already been assessed under paragraph (2). The amount of such penalty, when finally determined, shall be exclusive of any sums owed by the person to the United States in connection with the costs of the proceeding, and may be deducted from any sums owing by the United States to the person charged.</text></paragraph> <paragraph id="H0C0F58A0CC3C4FA38F915C25127C269A"><enum>(5)</enum><header>Notice and hearing</header><text>No civil penalty may be assessed under this subsection with respect to a violation of any provision of this Act or a rule or order issued pursuant to this Act, unless—</text> 
<subparagraph id="H85DEC2720C00431CB2216589205FD57C"><enum>(A)</enum><text>the Agency, State attorney general, or State privacy regulator gives notice and an opportunity for a hearing to the person accused of the violation; or</text></subparagraph> <subparagraph id="H3B305CD0140D4436A4F31A133031FB70"><enum>(B)</enum><text>the appropriate court has ordered such assessment and entered judgment in favor of the Agency, State attorney general, or State privacy regulator.</text></subparagraph></paragraph></subsection></section> 
<section id="HA5DFCE86D36440B8BD1362D56C9337C3"><enum>407.</enum><header>Referral for criminal proceedings</header><text display-inline="no-display-inline">If the Agency obtains evidence that any person, domestic or foreign, has engaged in conduct that may constitute a violation of Federal criminal law, the Agency shall transmit such evidence to the Attorney General of the United States, who may institute criminal proceedings under appropriate law. Nothing in this section affects any other authority of the Agency to disclose information.</text></section> <section id="H469E5F855D1E4EE7B4BB02217CE69176"><enum>408.</enum><header>Whistleblower enforcement</header> <subsection id="H92EC2F3452A141D6955E88E9AAF196C0"><enum>(a)</enum><header>In general</header><text>Any person who becomes aware, based on nonpublic information, that a covered entity has violated this Act may file a civil action for civil penalties, if prior to filing such action, the person files with the Director a written request for the Director to commence the action. The request shall include a clear and concise statement of the grounds for believing a cause of action exists. The person shall make the nonpublic information available to the Director upon request:</text> 
<paragraph id="H1D5CC728870A4F919B7E7398863AEA72"><enum>(1)</enum><text>If the Director files suit within 90 days from receipt of the written request to commence the action, no other action may be brought unless the action brought by the Director is dismissed without prejudice.</text></paragraph> <paragraph id="HED1860993B0A4BF69EAD6CBF76C407E3"><enum>(2)</enum><text>If the Director does not file suit within 90 days from receipt of the written request to commence the action, the person requesting the action may proceed to file a civil action.</text></paragraph> 
<paragraph id="H312910DED3044E55AD44173DB17090FD"><enum>(3)</enum><text>The time period within which a civil action shall be commenced shall be tolled from the date of receipt by the Director of the written request to either the date that the civil action is dismissed without prejudice, or for 150 days, whichever is later, but only for a civil action brought by the person who requested the Director to commence the action.</text></paragraph></subsection> <subsection id="H9395A73900A8426EA1BA9EB38EB8F247"><enum>(b)</enum><header>Allocation of civil penalties</header><text>If a judgment is entered against the defendant or defendants in an action brought pursuant to this section, or the matter is settled, amounts received as civil penalties or pursuant to a settlement of the action shall be allocated as follows:</text> 
<paragraph id="HBCCBE834087E46568E991FA088D13D76"><enum>(1)</enum><text>If the action was brought by the Director upon a request made by a person pursuant to subsection (a), the person who made the request shall be entitled to 15 percent of the civil penalties.</text></paragraph> <paragraph id="H6BC0FC711447401D828D353D720D4EA1"><enum>(2)</enum><text>If the action was brought by the person who made the request pursuant to subsection (a), that person shall receive an amount the court determines is reasonable for collecting the civil penalties on behalf of the government. The amount shall be not less than 25 percent and not more than 50 percent of the proceeds of the action and shall be paid out of the proceeds.</text></paragraph></subsection></section></title> 
<title id="H46511573842648159AFE9CD1BDB209E2"><enum>V</enum><header>Relation to Other Law</header> 
<section id="HD5228BAD68CB4305887CD8A777BCD779"><enum>501.</enum><header>Effective date</header> 
<subsection id="H9C92BA8172B14EDD9669D59997DF9A5B"><enum>(a)</enum><header>In general</header><text>This Act shall apply beginning on the date that is 1 year after the date of the enactment of this Act.</text></subsection> <subsection id="H4F8C5CBB10634B6B9A14AC3C9FF69CF1"><enum>(b)</enum><header>Authority To promulgate regulations and take certain other actions</header><text>Nothing in subsection (a) affects the authority of the Agency to take an action expressly required by a provision of this Act to be taken before the effective date described in such subsection.</text></subsection></section> 
<section id="H941F3FBF0F0341238897F21D4EF991A8"><enum>502.</enum><header>Relation to other Federal law</header><text display-inline="no-display-inline">Nothing in this Act shall be construed to modify, limit, or supersede the operation of any privacy or security provision in the following:</text> <paragraph id="HAACF41F43EBE4E16834BAD3CFCFB7761"><enum>(1)</enum><text>Section 552a of title 5, United States Code (commonly known as the <quote>Privacy Act of 1974</quote>).</text></paragraph> 
<paragraph id="H9797C9AC62944618BA4173D64807D926"><enum>(2)</enum><text>The Right to Financial Privacy Act of 1978 (<external-xref legal-doc="usc" parsable-cite="usc/12/3401">12 U.S.C. 3401 et seq.</external-xref>).</text></paragraph> <paragraph id="H4BFE66B60A174B7C8B030712ACC39576"><enum>(3)</enum><text>The Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681 et seq.</external-xref>).</text></paragraph> 
<paragraph id="HD43866507D0A4408B4AA849AF7A97D38"><enum>(4)</enum><text>The Fair Debt Collection Practices Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1692">15 U.S.C. 1692 et seq.</external-xref>).</text></paragraph> <paragraph id="HF8C79EE000964D3BA993BBDC460CEDA9"><enum>(5)</enum><text>The Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>).</text></paragraph> 
<paragraph id="H09ECF2BCEF4942928049835D3F36F6AD"><enum>(6)</enum><text>Title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>).</text></paragraph> <paragraph id="H4C89425542DD421E8306DB1B564358EF"><enum>(7)</enum><text>Chapter 119, 123, or 206 of title 18, United States Code.</text></paragraph> 
<paragraph id="H03371992D67949CF8132BC90B6F6B866"><enum>(8)</enum><text>Section 444 of the General Education Provisions Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>) (commonly known as the <quote>Family Educational Rights and Privacy Act of 1974</quote>).</text></paragraph> <paragraph id="H990C44B9EDD746828620131996A3D12C"><enum>(9)</enum><text>Section 445 of the General Education Provisions Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232h">20 U.S.C. 1232h</external-xref>).</text></paragraph> 
<paragraph id="H19FE4DB4C10A45189028B58EEF0D360B"><enum>(10)</enum><text>The Privacy Protection Act of 1980 (<external-xref legal-doc="usc" parsable-cite="usc/42/2000aa">42 U.S.C. 2000aa et seq.</external-xref>).</text></paragraph> <paragraph id="HD01B8B648C734225A34B4B277712AA64"><enum>(11)</enum><text>The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note), as those regulations relate to—</text> 
<subparagraph id="H087DC763ADEB47B281408E34EB91BB45"><enum>(A)</enum><text>a person described in section 1172(a) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-1">42 U.S.C. 1320d–1(a)</external-xref>); or</text></subparagraph> <subparagraph id="HA2E9A3DAA27340CAA028CDE9E63CCA60"><enum>(B)</enum><text>transactions referred to in section 1173(a)(1) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(a)(1)</external-xref>).</text></subparagraph></paragraph> 
<paragraph id="H18CC53D2DA4247D6A08B750D7041A1D9"><enum>(12)</enum><text>The Communications Assistance for Law Enforcement Act (<external-xref legal-doc="usc" parsable-cite="usc/47/1001">47 U.S.C. 1001 et seq.</external-xref>).</text></paragraph> <paragraph id="H2CFD87BB57FE41A6B4044C323DDAB1CC"><enum>(13)</enum><text>Section 222, 227, 338, or 631 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222</external-xref>, 227, 338, or 551).</text></paragraph> 
<paragraph id="H7ED052FC18DE4C51B2A48FFDEE97F8DF"><enum>(14)</enum><text>The E-Government Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/44/101">44 U.S.C. 101 et seq.</external-xref>).</text></paragraph> <paragraph id="H932DB16F6EE64329972111B5140A1E35"><enum>(15)</enum><text>The Paperwork Reduction Act of 1995 (<external-xref legal-doc="usc" parsable-cite="usc/44/3501">44 U.S.C. 3501 et seq.</external-xref>).</text></paragraph> 
<paragraph id="H82B027C0241B4E5AB312407A1CD20BA1"><enum>(16)</enum><text>The Federal Information Security Management Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/44/3541">44 U.S.C. 3541 et seq.</external-xref>).</text></paragraph> <paragraph id="H2BCE631EB0784166908256BCA9D14460"><enum>(17)</enum><text>The Currency and Foreign Transactions Reporting Act of 1970, as amended (commonly known as the <quote>Bank Secrecy Act</quote>) (12 U.S.C. 1829b and 1951–1959, 31 U.S.C. 5311–5314 and 5316–5332), including the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, title III of <external-xref legal-doc="public-law" parsable-cite="pl/107/56">Public Law 107–56</external-xref>, as amended.</text></paragraph> 
<paragraph id="HAA10ACC7C4FA476CBBE3C953F0F82B4C"><enum>(18)</enum><text>The National Security Act of 1947 (<external-xref legal-doc="usc" parsable-cite="usc/50/3001">50 U.S.C. 3001 et seq.</external-xref>).</text></paragraph> <paragraph id="H43E6FF5299904D828350DBB83341ADCF"><enum>(19)</enum><text>The Foreign Intelligence Surveillance Act of 1978, as amended (<external-xref legal-doc="usc" parsable-cite="usc/50/1801">50 U.S.C. 1801 et seq.</external-xref>).</text></paragraph> 
<paragraph id="H4491354F0FF74504B40C365866B3912C"><enum>(20)</enum><text>The Civil Rights Act of 1964 (<external-xref legal-doc="public-law" parsable-cite="pl/88/352">Public Law 88–352</external-xref>, 78 Stat. 241).</text></paragraph> <paragraph id="H699EF585BE874B4E983EF6278CBE4030"><enum>(21)</enum><text>The Americans with Disabilities Act (<external-xref legal-doc="usc" parsable-cite="usc/42/12101">42 U.S.C. 12101 et seq.</external-xref>).</text></paragraph> 
<paragraph id="HB4BA587EC14C4D4EA925CB274E393158"><enum>(22)</enum><text>The Fair Housing Act (<external-xref legal-doc="usc" parsable-cite="usc/42/3601">42 U.S.C. 3601 et seq.</external-xref>).</text></paragraph> <paragraph id="HB3A5B213F40F499E84213A4D308707D7"><enum>(23)</enum><text>The Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5481">12 U.S.C. 5481 et seq.</external-xref>).</text></paragraph> 
<paragraph id="HA8ADD436BCAA4D17A5EB724002C1F0FE"><enum>(24)</enum><text>The Equal Credit Opportunity Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1691">15 U.S.C. 1691 et seq.</external-xref>).</text></paragraph> <paragraph id="H48E3F1913AC44BF3AFCD73FD80054FEF"><enum>(25)</enum><text>The Age Discrimination in Employment Act (<external-xref legal-doc="usc" parsable-cite="usc/29/621">29 U.S.C. 621 et seq.</external-xref>).</text></paragraph> 
<paragraph id="H21450A6529664151A2E04FB49C879894"><enum>(26)</enum><text>The Genetic Information Nondiscrimination Act (<external-xref legal-doc="public-law" parsable-cite="pl/110/233">Public Law 110–233</external-xref>, 122 Stat. 881).</text></paragraph> <paragraph id="H9CB5D96B599944008BCFDA34DD470EB5"><enum>(27)</enum><text>Subpart A of part 46 of title 45, Code of Federal Regulations (commonly known as the <quote>Common Rule</quote>).</text></paragraph> 
<paragraph id="HA75F4A0BA7EA4924A813FF88D022E0A7"><enum>(28)</enum><text>The Driver’s Privacy Protection Act of 1994 (<external-xref legal-doc="usc" parsable-cite="usc/18/2721">18 U.S.C. 2721 et seq.</external-xref>).</text></paragraph> <paragraph id="HB5FA1C6C39CB45AEA6B7A569EEAD630B"><enum>(29)</enum><text>The Video Privacy Protection Act (<external-xref legal-doc="usc" parsable-cite="usc/18/2710">18 U.S.C. 2710 et seq.</external-xref>).</text></paragraph> 
<paragraph id="HE086440D38A24D75BD8699FF4486165A"><enum>(30)</enum><text>Chapters 61, 68, 75, and 76 of the Internal Revenue Code of 1986.</text></paragraph> <paragraph id="HDF2C27837A414F44B64AF4AAD2E63524"><enum>(31)</enum><text>Section 1106 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1306">42 U.S.C. 1306</external-xref>).</text></paragraph> 
<paragraph id="H7C1155C01FE74257B4BDE6BE925913AB"><enum>(32)</enum><text>The Stored Communications Act (<external-xref legal-doc="usc" parsable-cite="usc/18/2701">18 U.S.C. 2701 et seq.</external-xref>).</text></paragraph> <paragraph id="H2E938192D53F402EA00ED4C59F011AF8"><enum>(33)</enum><text>Any other privacy or information security provision of Federal law.</text></paragraph></section> 
<section id="HD29CEA3AA4AD4F0C8BBC33334893AB2E"><enum>503.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this Act or the amendments made by this Act, or the application thereof, is held unconstitutional or otherwise invalid, the validity of the remainder of the Act, the amendments, and the application of such provision shall not be affected thereby.</text></section></title> </legis-body> </bill> 

