[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8152 Reported in House (RH)]
Union Calendar No. 488
117th CONGRESS
2d Session
H. R. 8152
[Report No. 117-669]
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 21, 2022
Mr. Pallone (for himself, Mrs. Rodgers of Washington, Ms. Schakowsky,
and Mr. Bilirakis) introduced the following bill; which was referred to
the Committee on Energy and Commerce
December 30, 2022
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on June
21, 2022]
_______________________________________________________________________
A BILL
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``American Data
Privacy and Protection Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
TITLE I--DUTY OF LOYALTY
Sec. 101. Data minimization.
Sec. 102. Loyalty duties.
Sec. 103. Privacy by design.
Sec. 104. Loyalty to individuals with respect to pricing.
TITLE II--CONSUMER DATA RIGHTS
Sec. 201. Consumer awareness.
Sec. 202. Transparency.
Sec. 203. Individual data ownership and control.
Sec. 204. Right to consent and object.
Sec. 205. Data protections for children and minors.
Sec. 206. Third-party collecting entities.
Sec. 207. Civil rights and algorithms.
Sec. 208. Data security and protection of covered data.
Sec. 209. Small business protections.
Sec. 210. Unified opt-out mechanisms.
TITLE III--CORPORATE ACCOUNTABILITY
Sec. 301. Executive responsibility.
Sec. 302. Service providers and third parties.
Sec. 303. Technical compliance programs.
Sec. 304. Commission approved compliance guidelines.
Sec. 305. Digital content forgeries.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
Sec. 401. Enforcement by the Federal Trade Commission.
Sec. 402. Enforcement by States.
Sec. 403. Enforcement by persons.
Sec. 404. Relationship to Federal and State laws.
Sec. 405. Severability.
Sec. 406. COPPA.
Sec. 407. Authorization of appropriations.
Sec. 408. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's freely
given, specific, and unambiguous authorization for an
act or practice after having been informed, in response
to a specific request from a covered entity that meets
the requirements of subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the
individual in a clear and conspicuous
standalone disclosure made through the primary
medium used to offer the covered entity's
product or service, or only if the product or
service is not offered in a medium that permits
the making of the request under this paragraph,
another medium regularly used in conjunction
with the covered entity's product or service.
(ii) The request includes a description of
the processing purpose for which the
individual's consent is sought and--
(I) clearly states the specific
categories of covered data that the
covered entity shall collect, process,
and transfer necessary to effectuate
the processing purpose; and
(II) includes a prominent heading
and is written in easy-to-understand
language that would enable a reasonable
individual to identify and understand
the processing purpose for which
consent is sought and the covered data
to be collected, processed, or
transferred by the covered entity for
such processing purpose.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(iv) The request is made in a manner
reasonably accessible to and usable by
individuals with disabilities.
(v) The request is made available to the
individual in each covered language in which
the covered entity provides a product or
service for which authorization is sought.
(vi) The option to refuse consent shall be
at least as prominent as the option to accept,
and the option to refuse consent shall take the
same number of steps or fewer as the option to
accept.
(vii) Processing or transferring any
covered data collected pursuant to affirmative
express consent for a different processing
purpose than that for which affirmative express
consent was obtained shall require affirmative
express consent for the subsequent processing
purpose.
(C) Express consent required.--A covered entity may
not infer that an individual has provided affirmative
express consent to an act or practice from the inaction
of the individual or the individual's continued use of
a service or product provided by the covered entity.
(D) Pretextual consent prohibited.--A covered
entity may not obtain or attempt to obtain the
affirmative express consent of an individual through--
(i) the use of any false, fictitious,
fraudulent, or materially misleading statement
or representation; or
(ii) the design, modification, or
manipulation of any user interface with the
purpose or substantial effect of obscuring,
subverting, or impairing a reasonable
individual's autonomy, decision making, or
choice to provide such consent or any covered
data.
(2) Authentication.--The term ``authentication'' means the
process of verifying an individual or entity for security
purposes.
(3) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data generated from the technological
processing of an individual's unique biological,
physical, or physiological characteristics that is
linked or reasonably linkable to an individual,
including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina scans;
(iv) facial or hand mapping, geometry, or
templates; or
(v) gait or personally identifying physical
movements.
(B) Exclusion.--The term ``biometric information''
does not include--
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data generated from a digital or
physical photograph, or an audio or video
recording, that cannot be used to identify an
individual.
(4) Collect; collection.--The terms ``collect'' and
``collection'' mean buying, renting, gathering, obtaining,
receiving, accessing, or otherwise acquiring covered data by
any means.
(5) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(6) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control over the election of a majority of the
directors of the entity (or of individuals exercising
similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(7) Covered algorithm.--The term ``covered algorithm''
means a computational process that uses machine learning,
natural language processing, artificial intelligence
techniques, or other computational processing techniques of
similar or greater complexity and that makes a decision or
facilitates human decision-making with respect to covered data,
including to determine the provision of products or services or
to rank, order, promote, recommend, amplify, or similarly
determine the delivery or display of information to an
individual.
(8) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable, alone or in combination with other
information, to an individual or a device that
identifies or is linked or reasonably linkable to an
individual, and may include derived data and unique
persistent identifiers.
(B) Exclusions.--The term ``covered data'' does not
include--
(i) de-identified data;
(ii) employee data;
(iii) publicly available information; or
(iv) inferences made exclusively from
multiple independent sources of publicly
available information that do not reveal
sensitive covered data with respect to an
individual.
(C) Employee data defined.--For purposes of
subparagraph (B), the term ``employee data'' means--
(i) information relating to a job applicant
collected by a covered entity acting as a
prospective employer of such job applicant in
the course of the application, or hiring
process, if such information is collected,
processed, or transferred by the prospective
employer solely for purposes related to the
employee's status as a current or former job
applicant of such employer;
(ii) information processed by an employer
relating to an employee who is acting in a
professional capacity for the employer,
provided that such information is collected,
processed, or transferred solely for purposes
related to such employee's professional
activities on behalf of the employer;
(iii) the business contact information of
an employee, including the employee's name,
position or title, business telephone number,
business address, or business email address
that is provided to an employer by an employee
who is acting in a professional capacity, if
such information is collected, processed, or
transferred solely for purposes related to such
employee's professional activities on behalf of
the employer;
(iv) emergency contact information
collected by an employer that relates to an
employee of that employer, if such information
is collected, processed, or transferred solely
for the purpose of having an emergency contact
on file for the employee and for processing or
transferring such information in case of an
emergency; or
(v) information relating to an employee (or
a spouse, dependent, other covered family
member, or beneficiary of such employee) that
is necessary for the employer to collect,
process, or transfer solely for the purpose of
administering benefits to which such employee
(or spouse, dependent, other covered family
member, or beneficiary of such employee) is
entitled on the basis of the employee's
position with that employer.
(9) Covered entity.--
(A) In general.--The term ``covered entity''--
(i) means any entity or any person, other
than an individual acting in a non-commercial
context, that alone or jointly with others
determines the purposes and means of
collecting, processing, or transferring covered
data and--
(I) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.);
(II) is a common carrier subject to
the Communications Act of 1934 (47
U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary
thereto; or
(III) is an organization not
organized to carry on business for its
own profit or that of its members; and
(ii) includes any entity or person that
controls, is controlled by, or is under common
control with the covered entity.
(B) Exclusions.--The term ``covered entity'' does
not include--
(i) a Federal, State, Tribal, territorial,
or local government entity such as a body,
authority, board, bureau, commission, district,
agency, or political subdivision of the Federal
Government or a State, Tribal, territorial, or
local government;
(ii) a person or an entity that is
collecting, processing, or transferring covered
data on behalf of a Federal, State, Tribal,
territorial, or local government entity, in so
far as such person or entity is acting as a
service provider to the government entity; or
(iii) an entity that serves as a
congressionally designated nonprofit, national
resource center, and clearinghouse to provide
assistance to victims, families, child-serving
professionals, and the general public on
missing and exploited children issues.
(C) Non-application to service providers.--An
entity shall not be considered to be a covered entity
for purposes of this Act in so far as the entity is
acting as a service provider (as defined in paragraph
(29)).
(10) Covered language.--The term ``covered language'' means
the ten languages with the most users in the United States,
according to the most recent United States Census.
(11) Covered minor.--The term ``covered minor'' means an
individual under the age of 17.
(12) De-identified data.--The term ``de-identified data''
means information that does not identify and is not linked or
reasonably linkable to a distinct individual or a device,
regardless of whether the information is aggregated, and if the
covered entity or service provider--
(A) takes reasonable technical measures to ensure
that the information cannot, at any point, be used to
re-identify any individual or device that identifies or
is linked or reasonably linkable to an individual;
(B) publicly commits in a clear and conspicuous
manner--
(i) to process and transfer the information
solely in a de-identified form without any
reasonable means for re-identification; and
(ii) to not attempt to re-identify the
information with any individual or device that
identifies or is linked or reasonably linkable
to an individual; and
(C) contractually obligates any person or entity
that receives the information from the covered entity
or service provider--
(i) to comply with all of the provisions of
this paragraph with respect to the information;
and
(ii) to require that such contractual
obligations be included contractually in all
subsequent instances for which the data may be
received.
(13) Derived data.--The term ``derived data'' means covered
data that is created by the derivation of information, data,
assumptions, correlations, inferences, predictions, or
conclusions from facts, evidence, or another source of
information or data about an individual or an individual's
device.
(14) Device.--The term ``device'' means any electronic
equipment capable of collecting, processing, or transferring
covered data that is used by one or more individuals.
(15) Employee.--The term ``employee'' means an individual
who is an employee, director, officer, staff member, individual
working as an independent contractor that is not a service
provider, trainee, volunteer, or intern of an employer,
regardless of whether such individual is paid, unpaid, or
employed on a temporary basis.
(16) Executive agency.--The term ``Executive agency'' has the
meaning given such term in section 105 of title 5, United
States Code.
(17) First party advertising or marketing.--The term
``first party advertising or marketing'' means advertising or
marketing conducted by a first party either through direct
communications with a user such as direct mail, email, or text
message communications, or advertising or marketing conducted
entirely within the first-party context, such as in a physical
location operated by the first party, or on a web site or app
operated by the first party.
(18) Genetic information.--The term ``genetic information''
means any covered data, regardless of its format, that concerns
an individual's genetic characteristics, including--
(A) raw sequence data that results from the
sequencing of the complete, or a portion of the,
extracted deoxyribonucleic acid (DNA) of an individual;
or
(B) genotypic and phenotypic information that
results from analyzing raw sequence data described in
subparagraph (A).
(19) Individual.--The term ``individual'' means a natural
person residing in the United States.
(20) Knowledge.--
(A) In general.--The term ``knowledge'' means--
(i) with respect to a covered entity that
is a covered high-impact social media company,
the entity knew or should have known the
individual was a covered minor;
(ii) with respect to a covered entity or
service provider that is a large data holder,
and otherwise is not a covered high-impact
social media company, that the covered entity
knew or acted in willful disregard of the fact
that the individual was a covered minor; and
(iii) with respect to a covered entity or
service provider that does not meet the
requirements of clause (i) or (ii), actual
knowledge.
(B) Covered high-impact social media company.--For
purposes of this paragraph, the term ``covered high-
impact social media company'' means a covered entity
that provides any internet-accessible platform where--
(i) such covered entity generates
$3,000,000,000 or more in annual revenue;
(ii) such platform has 300,000,000 or more
monthly active users for not fewer than 3 of
the preceding 12 months on the online product
or service of such covered entity; and
(iii) such platform constitutes an online
product or service that is primarily used by
users to access or share user-generated
content.
(21) Large data holder.--
(A) In general.--The term ``large data holder''
means a covered entity or service provider that, in the
most recent calendar year--
(i) had annual gross revenues of
$250,000,000 or more; and
(ii) collected, processed, or transferred--
(I) the covered data of more than
5,000,000 individuals or devices that
identify or are linked or reasonably
linkable to 1 or more individuals,
excluding covered data collected and
processed solely for the purpose of
initiating, rendering, billing for,
finalizing, completing, or otherwise
collecting payment for a requested
product or service; and
(II) the sensitive covered data of
more than 200,000 individuals or
devices that identify or are linked or
reasonably linkable to 1 or more
individuals.
(B) Exclusions.--The term ``large data holder''
does not include any instance in which the covered
entity or service provider would qualify as a large
data holder solely on the basis of collecting or
processing--
(i) personal email addresses;
(ii) personal telephone numbers; or
(iii) log-in information of an individual
or device to allow the individual or device to
log in to an account administered by the
covered entity or service provider.
(C) Revenue.--For purposes of determining whether
any covered entity or service provider is a large data
holder, the term ``revenue'', with respect to any
covered entity or service provider that is not
organized to carry on business for its own profit or
that of its members--
(i) means the gross receipts the covered
entity or service provider received, in
whatever form, from all sources, without
subtracting any costs or expenses; and
(ii) includes contributions, gifts, grants,
dues or other assessments, income from
investments, and proceeds from the sale of real
or personal property.
(22) Market research.--The term ``market research'' means
the collection, processing, or transfer of covered data as
reasonably necessary and proportionate to investigate the
market for or marketing of products, services, or ideas, where
the covered data is not--
(A) integrated into any product or service;
(B) otherwise used to contact any individual or
individual's device; or
(C) used to advertise or market to any individual
or individual's device.
(23) Material.--The term ``material'' means, with respect
to an act, practice, or representation of a covered entity
(including a representation made by the covered entity in a
privacy policy or similar disclosure to individuals) involving
the collection, processing, or transfer of covered data, that
such act, practice, or representation is likely to affect a
reasonable individual's decision or conduct regarding a product
or service.
(24) Precise geolocation information.--
(A) In general.--The term ``precise geolocation
information'' means information that is derived from a
device or technology that reveals the past or present
physical location of an individual or device that
identifies or is linked or reasonably linkable to 1 or
more individuals, with sufficient precision to identify
street level location information of an individual or
device or the location of an individual or device
within a range of 1,850 feet or less.
(B) Exclusion.--The term ``precise geolocation
information'' does not include geolocation information
identifiable or derived solely from the visual content
of a legally obtained image, including the location of
the device that captured such image.
(25) Process.--The term ``process'' means to conduct or
direct any operation or set of operations performed on covered
data, including analyzing, organizing, structuring, retaining,
storing, using, or otherwise handling covered data.
(26) Processing purpose.--The term ``processing purpose''
means a reason for which a covered entity or service provider
collects, processes, or transfers covered data that is specific
and granular enough for a reasonable individual to understand
the material facts of how and why the covered entity or service
provider collects, processes, or transfers the covered data.
(27) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means any information that a covered
entity or service provider has a reasonable basis to
believe has been lawfully made available to the general
public from--
(i) Federal, State, or local government
records, if the covered entity collects,
processes, and transfers such information in
accordance with any restrictions or terms of
use placed on the information by the relevant
government entity;
(ii) widely distributed media;
(iii) a website or online service made
available to all members of the public, for
free or for a fee, including where all members
of the public, for free or for a fee, can log
in to the website or online service;
(iv) a disclosure that has been made to the
general public as required by Federal, State,
or local law; or
(v) the visual observation of the physical
presence of an individual or a device in a
public place, not including data collected by a
device in the individual's possession.
(B) Clarifications; limitations.--
(i) Available to all members of the
public.--For purposes of this paragraph,
information from a website or online service is
not available to all members of the public if
the individual who made the information
available via the website or online service has
restricted the information to a specific
audience.
(ii) Other limitations.--The term
``publicly available information'' does not
include--
(I) any obscene visual depiction
(as defined in section 1460 of title
18, United States Code);
(II) any inference made exclusively
from multiple independent sources of
publicly available information that
reveals sensitive covered data with
respect to an individual;
(III) biometric information;
(IV) publicly available information
that has been combined with covered
data;
(V) genetic information, unless
otherwise made available by the
individual to whom the information
pertains as described in clause (ii) or
(iii) of subparagraph (A); or
(VI) intimate images known to be
nonconsensual.
(28) Sensitive covered data.--
(A) In general.--The term ``sensitive covered
data'' means the following types of covered data:
(i) A government-issued identifier, such as
a Social Security number, passport number, or
driver's license number, that is not required
by law to be displayed in public.
(ii) Any information that describes or
reveals the past, present, or future physical
health, mental health, disability, diagnosis,
or healthcare condition or treatment of an
individual.
(iii) A financial account number, debit
card number, credit card number, or information
that describes or reveals the income level or
bank account balances of an individual, except
that the last four digits of a debit or credit
card number shall not be deemed sensitive
covered data.
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual's private
communications such as voicemails, emails,
texts, direct messages, or mail, or information
identifying the parties to such communications,
voice communications, video communications, and
any information that pertains to the
transmission of such communications, including
telephone numbers called, telephone numbers
from which calls were placed, the time calls
were made, call duration, and location
information of the parties to the call, unless
the covered entity or a service provider acting
on behalf of the covered entity is the sender
or an intended recipient of the communication.
Communications are not private for purposes of
this clause if such communications are made
from or to a device provided by an employer to
an employee insofar as such employer provides
conspicuous notice that such employer may
access such communications.
(viii) Account or device log-in
credentials, or security or access codes for an
account or device.
(ix) Information identifying the sexual
behavior of an individual in a manner
inconsistent with the individual's reasonable
expectation regarding the collection,
processing, or transfer of such information.
(x) Calendar information, address book
information, phone or text logs, photos, audio
recordings, or videos, maintained for private
use by an individual, regardless of whether
such information is stored on the individual's
device or is accessible from that device and is
backed up in a separate location. Such
information is not sensitive for purposes of
this paragraph if such information is sent from
or to a device provided by an employer to an
employee insofar as such employer provides
conspicuous notice that it may access such
information.
(xi) A photograph, film, video recording,
or other similar medium that shows the naked or
undergarment-clad private area of an
individual.
(xii) Information revealing the video
content requested or selected by an individual
collected by a covered entity that is not a
provider of a service described in section
102(4). This clause does not include covered
data used solely for transfers for independent
video measurement.
(xiii) Information about an individual when
the covered entity or service provider has
knowledge that the individual is a covered
minor.
(xiv) An individual's race, color,
ethnicity, religion, or union membership.
(xv) Information identifying an
individual's online activities over time and
across third party websites or online services.
(xvi) Any other covered data collected,
processed, or transferred for the purpose of
identifying the types of covered data listed in
clauses (i) through (xv).
(B) Rulemaking.--The Commission may commence a
rulemaking pursuant to section 553 of title 5, United
States Code, to include in the definition of
``sensitive covered data'' any other type of covered
data that may require a similar level of protection as
the types of covered data listed in clauses (i) through
(xvi) of subparagraph (A) as a result of any new method
of collecting, processing, or transferring covered
data.
(29) Service provider.--
(A) In general.--The term ``service provider''
means a person or entity that--
(i) collects, processes, or transfers
covered data on behalf of, and at the direction
of, a covered entity or a Federal, State,
Tribal, territorial, or local government
entity; and
(ii) receives covered data from or on
behalf of a covered entity or a Federal, State,
Tribal, territorial, or local government
entity.
(B) Treatment with respect to service provider
data.--A service provider that receives service
provider data from another service provider as
permitted under this Act shall be treated as a service
provider under this Act with respect to such data.
(30) Service provider data.--The term ``service provider
data'' means covered data that is collected or processed by or
has been transferred to a service provider by or on behalf of a
covered entity, a Federal, State, Tribal, territorial, or local
government entity, or another service provider for the purpose
of allowing the service provider to whom such covered data is
transferred to perform a service or function on behalf of, and
at the direction of, such covered entity or Federal, State,
Tribal, territorial, or local government entity.
(31) State.--The term ``State'' means any of the 50 States,
the District of Columbia, the Commonwealth of Puerto Rico, the
Virgin Islands of the United States, Guam, American Samoa, or
the Commonwealth of the Northern Mariana Islands.
(32) State privacy authority.--The term ``State privacy
authority'' means--
(A) the chief consumer protection officer of a
State; or
(B) a State consumer protection agency with
expertise in data protection, including the California
Privacy Protection Agency.
(33) Substantial privacy risk.--The term ``substantial
privacy risk'' means the collection, processing, or transfer of
covered data in a manner that may result in any reasonably
foreseeable substantial physical injury, economic injury,
highly offensive intrusion into the privacy expectations of a
reasonable individual under the circumstances, or
discrimination on the basis of race, color, religion, national
origin, sex, or disability.
(34) Targeted advertising.--The term ``targeted
advertising''--
(A) means presenting to an individual or device
identified by a unique identifier, or groups of
individuals or devices identified by unique
identifiers, an online advertisement that is selected
based on known or predicted preferences,
characteristics, or interests associated with the
individual or a device identified by a unique
identifier; and
(B) does not include--
(i) advertising or marketing to an
individual or an individual's device in
response to the individual's specific request
for information or feedback;
(ii) contextual advertising, which is when
an advertisement is displayed based on the
content in which the advertisement appears and
does not vary based on who is viewing the
advertisement; or
(iii) processing covered data solely for
measuring or reporting advertising or content,
performance, reach, or frequency, including
independent measurement.
(35) Third party.--The term ``third party''--
(A) means any person or entity, including a covered
entity, that--
(i) collects, processes, or transfers
covered data that the person or entity did not
collect directly from the individual linked or
linkable to such covered data; and
(ii) is not a service provider with respect
to such data; and
(B) does not include a person or entity that
collects covered data from another entity if the 2
entities are related by common ownership or corporate
control, but only if a reasonable consumer's reasonable
expectation would be that such entities share
information.
(36) Third-party collecting entity.--
(A) In general.--The term ``third-party collecting
entity''--
(i) means a covered entity whose principal
source of revenue is derived from processing or
transferring covered data that the covered
entity did not collect directly from the
individuals linked or linkable to the covered
data; and
(ii) does not include a covered entity
insofar as such entity processes employee data
collected by and received from a third party
concerning any individual who is an employee of
the third party for the sole purpose of such
third party providing benefits to the employee.
(B) Principal source of revenue defined.--For
purposes of this paragraph, the term ``principal source
of revenue'' means, for the prior 12-month period,
either--
(i) more than 50 percent of all revenue of
the covered entity; or
(ii) obtaining revenue from processing or
transferring the covered data of more than
5,000,000 individuals that the covered entity
did not collect directly from the individuals
linked or linkable to the covered data.
(C) Non-application to service providers.--An
entity may not be considered to be a third-party
collecting entity for purposes of this Act if the
entity is acting as a service provider.
(37) Third party data.--The term ``third party data'' means
covered data that has been transferred to a third party.
(38) Transfer.--The term ``transfer'' means to disclose,
release, disseminate, make available, license, rent, or share
covered data orally, in writing, electronically, or by any
other means.
(39) Unique persistent identifier.--The term ``unique
identifier''--
(A) means an identifier to the extent that such
identifier is reasonably linkable to an individual or
device that identifies or is linked or reasonably
linkable to 1 or more individuals, including a device
identifier, Internet Protocol address, cookie, beacon,
pixel tag, mobile ad identifier, or similar technology,
customer number, unique pseudonym, user alias,
telephone number, or other form of persistent or
probabilistic identifier that is linked or reasonably
linkable to an individual or device; and
(B) does not include an identifier assigned by a
covered entity for the specific purpose of giving
effect to an individual's exercise of affirmative
express consent or opt-outs of the collection,
processing, and transfer of covered data pursuant to
section 204 or otherwise limiting the collection,
processing, or transfer of such information.
(40) Widely distributed media.--The term ``widely
distributed media'' means information that is available to the
general public, including information from a telephone book or
online directory, a television, internet, or radio program, the
news media, or an internet site that is available to the
general public on an unrestricted basis, but does not include
an obscene visual depiction (as defined in section 1460 of
title 18, United States Code).
TITLE I--DUTY OF LOYALTY
SEC. 101. DATA MINIMIZATION.
(a) In General.--A covered entity may not collect, process, or
transfer covered data unless the collection, processing, or transfer is
limited to what is reasonably necessary and proportionate to--
(1) provide or maintain a specific product or service
requested by the individual to whom the data pertains; or
(2) effect a purpose permitted under subsection (b).
(b) Permissible Purposes.--A covered entity may collect, process,
or transfer covered data for any of the following purposes if the
collection, processing, or transfer is limited to what is reasonably
necessary and proportionate to such purpose:
(1) To initiate, manage, or complete a transaction or
fulfill an order for specific products or services requested by
an individual, including any associated routine administrative,
operational, and account-servicing activity such as billing,
shipping, delivery, storage, and accounting.
(2) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception--
(A) to process such data as necessary to perform
system maintenance or diagnostics;
(B) to develop, maintain, repair, or enhance a
product or service for which such data was collected;
(C) to conduct internal research or analytics to
improve a product or service for which such data was
collected;
(D) to perform inventory management or reasonable
network management;
(E) to protect against spam; or
(F) to debug or repair errors that impair the
functionality of a service or product for which such
data was collected.
(3) To authenticate users of a product or service.
(4) To fulfill a product or service warranty.
(5) To prevent, detect, protect against, or respond to a
security incident. For purposes of this paragraph, security is
defined as network security and physical security and life
safety, including an intrusion or trespass, medical alerts,
fire alarms, and access control security.
(6) To prevent, detect, protect against, or respond to
fraud, harassment, or illegal activity. For purposes of this
paragraph, the term ``illegal activity'' means a violation of a
Federal, State, or local law punishable as a felony or
misdemeanor that can directly harm.
(7) To comply with a legal obligation imposed by Federal,
Tribal, local, or State law, or to investigate, establish,
prepare for, exercise, or defend legal claims involving the
covered entity or service provider.
(8) To prevent an individual, or group of individuals, from
suffering harm where the covered entity or service provider
believes in good faith that the individual, or group of
individuals, is at risk of death, serious physical injury, or
other serious health risk.
(9) To effectuate a product recall pursuant to Federal or
State law.
(10)(A) To conduct a public or peer-reviewed scientific,
historical, or statistical research project that--
(i) is in the public interest; and
(ii) adheres to all relevant laws and regulations
governing such research, including regulations for the
protection of human subjects, or is excluded from
criteria of the institutional review board.
(B) Not later than 18 months after the date of enactment of
this Act, the Commission should issue guidelines to help
covered entities ensure the privacy of affected users and the
security of covered data, particularly as data is being
transferred to and stored by researchers. Such guidelines
should consider risks as they pertain to projects using covered
data with special considerations for projects that are exempt
under part 46 of title 45, Code of Federal Regulations (or any
successor regulation) or are excluded from the criteria for
institutional review board review.
(11) To deliver a communication that is not an
advertisement to an individual, if the communication is
reasonably anticipated by the individual within the context of
the individual's interactions with the covered entity.
(12) To deliver a communication at the direction of an
individual between such individual and one or more individuals
or entities.
(13) To transfer assets to a third party in the context of
a merger, acquisition, bankruptcy, or similar transaction when
the third party assumes control, in whole or in part, of the
covered entity's assets, only if the covered entity, in a
reasonable time prior to such transfer, provides each affected
individual with--
(A) a notice describing such transfer, including
the name of the entity or entities receiving the
individual's covered data and their privacy policies as
described in section 202; and
(B) a reasonable opportunity to withdraw any
previously given consents in accordance with the
requirements of affirmative express consent under this
Act related to the individual's covered data and a
reasonable opportunity to request the deletion of the
individual's covered data, as described in section 203.
(14) To ensure the data security and integrity of covered
data, as described in section 208.
(15) With respect to covered data previously collected in
accordance with this Act, a service provider acting at the
direction of a government entity, or a service provided to a
government entity by a covered entity, and only insofar as
authorized by statute, to prevent, detect, protect against or
respond to a public safety incident, including trespass,
natural disaster, or national security incident. This paragraph
does not permit, however, the transfer of covered data for
payment or other valuable consideration to a government entity.
(16) With respect to covered data collected in accordance
with this Act, notwithstanding this exception, to process such
data as necessary to provide first party advertising or
marketing of products or services provided by the covered
entity for individuals who are not-covered minors.
(17) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception and
provided such collection, processing, and transferring
otherwise complies with the requirements of this Act, including
section 204(c), to provide targeted advertising.
(c) Guidance.--The Commission shall issue guidance regarding what
is reasonably necessary and proportionate to comply with this section.
Such guidance shall take into consideration--
(1) the size of, and the nature, scope, and complexity of
the activities engaged in by, the covered entity, including
whether the covered entity is a large data holder, nonprofit
organization, covered entity meeting the requirements of
section 209, third party, or third-party collecting entity;
(2) the sensitivity of covered data collected, processed,
or transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity; and
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates.
(d) Deceptive Marketing of a Product or Service.--A covered entity
or service provider may not engage in deceptive advertising or
marketing with respect to a product or service offered to an
individual.
(e) Journalism.--Nothing in this Act shall be construed to limit or
diminish First Amendment freedoms guaranteed under the Constitution.
SEC. 102. LOYALTY DUTIES.
Notwithstanding section 101 and unless an exception applies, with
respect to covered data, a covered entity or service provider may not--
(1) collect, process, or transfer a Social Security number,
except when necessary to facilitate an extension of credit,
authentication, fraud and identity fraud detection and
prevention, the payment or collection of taxes, the enforcement
of a contract between parties, or the prevention,
investigation, or prosecution of fraud or illegal activity, or
as otherwise required by Federal, State, or local law;
(2) collect or process sensitive covered data, except where
such collection or processing is strictly necessary to provide
or maintain a specific product or service requested by the
individual to whom the covered data pertains, or is strictly
necessary to effect a purpose enumerated in paragraphs (1)
through (12) and (14) through (15) of section 101(b);
(3) transfer an individual's sensitive covered data to a
third party, unless--
(A) the transfer is made pursuant to the
affirmative express consent of the individual;
(B) the transfer is necessary to comply with a
legal obligation imposed by Federal, State, Tribal, or
local law, or to establish, exercise, or defend legal
claims;
(C) the transfer is necessary to prevent an
individual from imminent injury where the covered
entity believes in good faith that the individual is at
risk of death, serious physical injury, or serious
health risk;
(D) with respect to covered data collected in
accordance with this Act, notwithstanding this
exception, a service provider acting at the direction
of a government entity, or a service provided to a
government entity by a covered entity, and only insofar
as authorized by statute, the transfer is necessary to
prevent, detect, protect against or respond to a public
safety incident including trespass, natural disaster,
or national security incident. This paragraph does not
permit, however, the transfer of covered data for
payment or other valuable consideration to a government
entity;
(E) in the case of the transfer of a password, the
transfer is necessary to use a designated password
manager or is to a covered entity for the exclusive
purpose of identifying passwords that are being re-used
across sites or accounts;
(F) in the case of the transfer of genetic
information, the transfer is necessary to perform a
medical diagnosis or medical treatment specifically
requested by an individual, or to conduct medical
research in accordance with conditions of section
101(b)(10); or
(G) to transfer assets in the manner described in
paragraph (13) of section 101(b); or
(4) in the case of a provider of broadcast television
service, cable service, satellite service, streaming media
service, or other video programming service described in
section 713(h)(2) of the Communications Act of 1934 (47 U.S.C.
613(h)(2)), transfer to an unaffiliated third party covered
data that reveals the video content or services requested or
selected by an individual from such service, except with the
affirmative express consent of the individual or pursuant to
one of the permissible purposes enumerated in paragraphs (1)
through (15) of section 101(b).
SEC. 103. PRIVACY BY DESIGN.
(a) Policies, Practices, and Procedures.--A covered entity and a
service provider shall establish, implement, and maintain reasonable
policies, practices, and procedures that reflect the role of the
covered entity or service provider in the collection, processing, and
transferring of covered data and that--
(1) consider applicable Federal laws, rules, or regulations
related to covered data the covered entity or service provider
collects, processes, or transfers;
(2) identify, assess, and mitigate privacy risks related to
covered minors (including, if applicable, with respect to a
covered entity that is not an entity meeting the requirements
of section 209, in a manner that considers the developmental
needs of different age ranges of covered minors) to result in
reasonably necessary and proportionate residual risk to covered
minors;
(3) mitigate privacy risks, including substantial privacy
risks, related to the products and services of the covered
entity or the service provider, including in the design,
development, and implementation of such products and services,
taking into account the role of the covered entity or service
provider and the information available to it; and
(4) implement reasonable training and safeguards within the
covered entity and service provider to promote compliance with
all privacy laws applicable to covered data the covered entity
collects, processes, or transfers or covered data the service
provider collects, processes, or transfers on behalf of the
covered entity and mitigate privacy risks, including
substantial privacy risks, taking into account the role of the
covered entity or service provider and the information
available to it.
(b) Factors to Consider.--The policies, practices, and procedures
established by a covered entity and a service provider under subsection
(a), shall correspond with, as applicable--
(1) the size of the covered entity or the service provider
and the nature, scope, and complexity of the activities engaged
in by the covered entity or service provider, including whether
the covered entity or service provider is a large data holder,
nonprofit organization, entity meeting the requirements of
section 209, third party, or third-party collecting entity,
taking into account the role of the covered entity or service
provider and the information available to it;
(2) the sensitivity of the covered data collected,
processed, or transferred by the covered entity or service
provider;
(3) the volume of covered data collected, processed, or
transferred by the covered entity or service provider;
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity or service provider relates; and
(5) the cost of implementing such policies, practices, and
procedures in relation to the risks and nature of the covered
data.
(c) Commission Guidance.--Not later than 1 year after the date of
enactment of this Act, the Commission shall issue guidance as to what
constitutes reasonable policies, practices, and procedures as required
by this section. The Commission shall consider unique circumstances
applicable to nonprofit organizations, to entities meeting the
requirements of section 209, and to service providers.
SEC. 104. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.
(a) Retaliation Through Service or Pricing Prohibited.--A covered
entity may not retaliate against an individual for exercising any of
the rights guaranteed by the Act, or any regulations promulgated under
this Act, including denying goods or services, charging different
prices or rates for goods or services, or providing a different level
of quality of goods or services.
(b) Rules of Construction.--Nothing in subsection (a) may be
construed to--
(1) prohibit the relation of the price of a service or the
level of service provided to an individual to the provision, by
the individual, of financial information that is necessarily
collected and processed only for the purpose of initiating,
rendering, billing for, or collecting payment for a service or
product requested by the individual;
(2) prohibit a covered entity from offering a different
price, rate, level, quality or selection of goods or services
to an individual, including offering goods or services for no
fee, if the offering is in connection with an individual's
voluntary participation in a bona fide loyalty program;
(3) require a covered entity to provide a bona fide loyalty
program that would require the covered entity to collect,
process, or transfer covered data that the covered entity
otherwise would not collect, process, or transfer;
(4) prohibit a covered entity from offering a financial
incentive or other consideration to an individual for
participation in market research;
(5) prohibit a covered entity from offering different types
of pricing or functionalities with respect to a product or
service based on an individual's exercise of a right under
section 203(a)(3); or
(6) prohibit a covered entity from declining to provide a
product or service insofar as the collection and processing of
covered data is strictly necessary for such product or service.
(c) Bona Fide Loyalty Program Defined.--For purposes of this
section, the term ``bona fide loyalty program'' includes rewards,
premium features, discount or club card programs.
TITLE II--CONSUMER DATA RIGHTS
SEC. 201. CONSUMER AWARENESS.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the Commission shall publish, on the public website of the
Commission, a webpage that describes each provision, right, obligation,
and requirement of this Act, listed separately for individuals and for
covered entities and service providers, and the remedies, exemptions,
and protections associated with this Act, in plain and concise language
and in an easy-to-understand manner.
(b) Updates.--The Commission shall update the information published
under subsection (a) on a quarterly basis as necessitated by any change
in law, regulation, guidance, or judicial decisions.
(c) Accessibility.--The Commission shall publish the information
required to be published under subsection (a) in the ten languages with
the most users in the United States, according to the most recent
United States Census.
SEC. 202. TRANSPARENCY.
(a) In General.--Each covered entity shall make publicly available,
in a clear, conspicuous, not misleading, and easy-to-read and readily
accessible manner, a privacy policy that provides a detailed and
accurate representation of the data collection, processing, and
transfer activities of the covered entity.
(b) Content of Privacy Policy.--A covered entity or service
provider shall have a privacy policy that includes, at a minimum, the
following:
(1) The identity and the contact information of--
(A) the covered entity or service provider to which
the privacy policy applies (including the covered
entity's or service provider's points of contact and
generic electronic mail addresses, as applicable for
privacy and data security inquiries); and
(B) any other entity within the same corporate
structure as the covered entity or service provider to
which covered data is transferred by the covered
entity.
(2) The categories of covered data the covered entity or
service provider collects or processes.
(3) The processing purposes for each category of covered
data the covered entity or service provider collects or
processes.
(4) Whether the covered entity or service provider
transfers covered data and, if so, each category of service
provider and third party to which the covered entity or service
provider transfers covered data, the name of each third-party
collecting entity to which the covered entity or service
provider transfers covered data, and the purposes for which
such data is transferred to such categories of service
providers and third parties or third-party collecting entities,
except for a transfer to a governmental entity pursuant to a
court order or law that prohibits the covered entity or service
provider from disclosing such transfer, except for transfers to
governmental entities pursuant to a court order or law that
prohibits the covered entity from disclosing the transfer.
(5) The length of time the covered entity or service
provider intends to retain each category of covered data,
including sensitive covered data, or, if it is not possible to
identify that timeframe, the criteria used to determine the
length of time the covered entity or service provider intends
to retain categories of covered data.
(6) A prominent description of how an individual can
exercise the rights described in this Act.
(7) A general description of the covered entity's or
service provider's data security practices.
(8) The effective date of the privacy policy.
(9) Whether or not any covered data collected by the
covered entity or service provider is transferred to, processed
in, stored in, or otherwise accessible to the People's Republic
of China, Russia, Iran, or North Korea.
(c) Languages.--The privacy policy required under subsection (a)
shall be made available to the public in each covered language in which
the covered entity or service provider--
(1) provides a product or service that is subject to the
privacy policy; or
(2) carries out activities related to such product or
service.
(d) Accessibility.--The covered entity or service provider shall
also provide the disclosures under this section in a manner that is
reasonably accessible to and usable by individuals with disabilities.
(e) Material Changes.--
(1) Affirmative express consent.--If a covered entity makes
a material change to its privacy policy or practices, the
covered entity shall notify each individual affected by such
material change before implementing the material change with
respect to any prospectively collected covered data and, except
as provided in paragraphs (1) through (15) of section 101(b),
provide a reasonable opportunity for each individual to
withdraw consent to any further materially different
collection, processing, or transfer of previously collected
covered data under the changed policy.
(2) Notification.--The covered entity shall take all
reasonable electronic measures to provide direct notification
regarding material changes to the privacy policy to each
affected individual, in each covered language in which the
privacy policy is made available, and taking into account
available technology and the nature of the relationship.
(3) Clarification.--Nothing in this section may be
construed to affect the requirements for covered entities under
section 102 or 204.
(4) Log of material changes.--Each large data holder shall
retain copies of previous versions of its privacy policy for at
least 10 years beginning after the date of enactment of this
Act and publish them on its website. Such large data holder
shall make publicly available, in a clear, conspicuous, and
readily accessible manner, a log describing the date and nature
of each material change to its privacy policy over the past 10
years. The descriptions shall be sufficient for a reasonable
individual to understand the material effect of each material
change. The obligations in this paragraph shall not apply to
any previous versions of a large data holder's privacy policy,
or any material changes to such policy, that precede the date
of enactment of this Act.
(f) Short-form Notice to Consumers by Large Data Holders.--
(1) In general.--In addition to the privacy policy required
under subsection (a), a large data holder that is a covered
entity shall provide a short-form notice of its covered data
practices in a manner that is--
(A) concise, clear, conspicuous, and not
misleading;
(B) readily accessible to the individual, based on
what is reasonably anticipated within the context of
the relationship between the individual and the large
data holder;
(C) inclusive of an overview of individual rights
and disclosures to reasonably draw attention to data
practices that may reasonably be unexpected to a
reasonable person or that involve sensitive covered
data; and
(D) no more than 500 words in length.
(2) Rulemaking.--The Commission shall issue a rule pursuant
to section 553 of title 5, United States Code, establishing the
minimum data disclosures necessary for the short-form notice
required under paragraph (1), which shall not exceed the
content requirements in subsection (b) and shall include
templates or models of short-form notices.
SEC. 203. INDIVIDUAL DATA OWNERSHIP AND CONTROL.
(a) Access to, and Correction, Deletion, and Portability of,
Covered Data.--In accordance with subsections (b) and (c), a covered
entity shall provide an individual, after receiving a verified request
from the individual, with the right to--
(1) access--
(A) in a human-readable format that a reasonable
individual can understand and download from the
internet, the covered data (except covered data in a
back-up or archival system) of the individual making
the request that is collected, processed, or
transferred by the covered entity or any service
provider of the covered entity within the 24 months
preceding the request;
(B) the categories of any third party, if
applicable, and an option for consumers to obtain the
names of any such third party as well as and the
categories of any service providers to whom the covered
entity has transferred for consideration the covered
data of the individual, as well as the categories of
sources from which the covered data was collected; and
(C) a description of the purpose for which the
covered entity transferred the covered data of the
individual to a third party or service provider;
(2) correct any verifiable substantial inaccuracy or
substantially incomplete information with respect to the
covered data of the individual that is processed by the covered
entity and instruct the covered entity to make reasonable
efforts to notify all third parties or service providers to
which the covered entity transferred such covered data of the
corrected information;
(3) delete covered data of the individual that is processed
by the covered entity and instruct the covered entity to make
reasonable efforts to notify all third parties or service
provider to which the covered entity transferred such covered
data of the individual's deletion request; and
(4) to the extent technically feasible, export to the
individual or directly to another entity the covered data of
the individual that is processed by the covered entity,
including inferences linked or reasonably linkable to the
individual but not including other derived data, without
licensing restrictions that limit such transfers in--
(A) a human-readable format that a reasonable
individual can understand and download from the
internet; and
(B) a portable, structured, interoperable, and
machine-readable format.
(b) Individual Autonomy.--A covered entity may not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of a right described in subsection (a) through--
(1) the use of any false, fictitious, fraudulent, or
materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise such right.
(c) Timing.--
(1) In general.--Subject to subsections (d) and (e), each
request under subsection (a) shall be completed by any--
(A) large data holder within 45 days of such
request from an individual, unless it is demonstrably
impracticable or impracticably costly to verify such
individual;
(B) covered entity that is not a large data holder
or a covered entity meeting the requirements of section
209 within 60 days of such request from an individual,
unless it is demonstrably impracticable or
impracticably costly to verify such individual; or
(C) covered entity meeting the requirements of
section 209 within 90 days of such request from an
individual, unless it is demonstrably impracticable or
impracticably costly to verify such individual.
(2) Extension.--A response period set forth in this
subsection may be extended once by 45 additional days when
reasonably necessary, considering the complexity and number of
the individual's requests, so long as the covered entity
informs the individual of any such extension within the initial
45-day response period, together with the reason for the
extension.
(d) Frequency and Cost of Access.--A covered entity--
(1) shall provide an individual with the opportunity to
exercise each of the rights described in subsection (a); and
(2) with respect to--
(A) the first 2 times that an individual exercises
any right described in subsection (a) in any 12-month
period, shall allow the individual to exercise such
right free of charge; and
(B) any time beyond the initial 2 times described
in subparagraph (A), may allow the individual to
exercise such right for a reasonable fee for each
request.
(e) Verification and Exceptions.--
(1) Required exceptions.--A covered entity may not permit
an individual to exercise a right described in subsection (a),
in whole or in part, if the covered entity--
(A) cannot reasonably verify that the individual
making the request to exercise the right is the
individual whose covered data is the subject of the
request or an individual authorized to make such a
request on the individual's behalf;
(B) reasonably believes that the request is made to
interfere with a contract between the covered entity
and another individual;
(C) determines that the exercise of the right would
require access to or correction of another individual's
sensitive covered data;
(D) reasonably believes that the exercise of the
right would require the covered entity to engage in an
unfair or deceptive practice under section 5 of the
Federal Trade Commission Act (15 U.S.C. 45); or
(E) reasonably believes that the request is made to
further fraud, support criminal activity, or the
exercise of the right presents a data security threat.
(2) Additional information.--If a covered entity cannot
reasonably verify that a request to exercise a right described
in subsection (a) is made by the individual whose covered data
is the subject of the request (or an individual authorized to
make such a request on the individual's behalf), the covered
entity--
(A) may request that the individual making the
request to exercise the right provide any additional
information necessary for the sole purpose of verifying
the identity of the individual; and
(B) may not process or transfer such additional
information for any other purpose.
(3) Permissive exceptions.--
(A) In general.--A covered entity may decline, with
adequate explanation to the individual, to comply with
a request to exercise a right described in subsection
(a), in whole or in part, that would--
(i) require the covered entity to retain
any covered data collected for a single, one-
time transaction, if such covered data is not
processed or transferred by the covered entity
for any purpose other than completing such
transaction;
(ii) be demonstrably impracticable or
prohibitively costly to comply with, and the
covered entity shall provide a description to
the requestor detailing the inability to comply
with the request;
(iii) require the covered entity to attempt
to re-identify de-identified data;
(iv) require the covered entity to maintain
covered data in an identifiable form or
collect, retain, or access any data in order to
be capable of associating a verified individual
request with covered data of such individual;
(v) result in the release of trade secrets
or other privileged or confidential business
information;
(vi) require the covered entity to correct
any covered data that cannot be reasonably
verified as being inaccurate or incomplete;
(vii) interfere with law enforcement,
judicial proceedings, investigations, or
reasonable efforts to guard against, detect,
prevent, or investigate fraudulent, malicious,
or unlawful activity, or enforce valid
contracts;
(viii) violate Federal or State law or the
rights and freedoms of another individual,
including under the Constitution of the United
States;
(ix) prevent a covered entity from being
able to maintain a confidential record of
deletion requests, maintained solely for the
purpose of preventing covered data of an
individual from being recollected after the
individual submitted a deletion request and
requested that the covered entity no longer
collect, process, or transfer such data;
(x) fall within an exception enumerated in
the regulations promulgated by the Commission
pursuant to subparagraph (D); or
(xi) with respect to requests for
deletion--
(I) unreasonably interfere with the
provision of products or services by
the covered entity to another person it
currently serves;
(II) delete covered data that
relates to a public figure and for
which the requesting individual has no
reasonable expectation of privacy;
(III) delete covered data
reasonably necessary to perform a
contract between the covered entity and
the individual;
(IV) delete covered data that the
covered entity needs to retain in order
to comply with professional ethical
obligations;
(V) delete covered data that the
covered entity reasonably believes may
be evidence of unlawful activity or an
abuse of the covered entity's products
or services; or
(VI) for private elementary and
secondary schools as defined by State
law and private institutions of higher
education as defined by title I of the
Higher Education Act of 1965, delete
covered data that would unreasonably
interfere with the provision of
education services by or the ordinary
operation of the school or institution.
(B) Partial compliance.--In a circumstance that
would allow a denial pursuant to subparagraph (A), a
covered entity shall partially comply with the
remainder of the request if it is possible and not
unduly burdensome to do so.
(C) Number of requests.--For purposes of
subparagraph (A)(ii), the receipt of a large number of
verified requests, on its own, may not be considered to
render compliance with a request demonstrably
impracticable.
(D) Further exceptions.--The Commission may, by
regulation as described in subsection (g), establish
additional permissive exceptions necessary to protect
the rights of individuals, alleviate undue burdens on
covered entities, prevent unjust or unreasonable
outcomes from the exercise of access, correction,
deletion, or portability rights, or as otherwise
necessary to fulfill the purposes of this section. In
establishing such exceptions, the Commission should
consider any relevant changes in technology, means for
protecting privacy and other rights, and beneficial
uses of covered data by covered entities.
(f) Large Data Holder Metrics Reporting.--A large data holder that
is a covered entity shall, for each calendar year in which it was a
large data holder, do the following:
(1) Compile the following metrics for the prior calendar
year:
(A) The number of verified access requests under
subsection (a)(1).
(B) The number of verified deletion requests under
subsection (a)(3).
(C) The number of requests to opt-out of covered
data transfers under section 204(b).
(D) The number of requests to opt-out of targeted
advertising under section 204(c).
(E) The number of requests in each of subparagraphs
(A) through (D) that such large data holder (i)
complied with in whole or in part and (ii) denied.
(F) The median or mean number of days within which
such large data holder substantively responded to the
requests in each of subparagraphs (A) through (D).
(2) Disclose by July 1 of each applicable calendar year the
information compiled in paragraph (1) within such large data
holder's privacy policy required under section 202 or on the
publicly accessible website of such large data holder that is
accessible from a hyperlink included in the privacy policy.
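The metrics in subsection (f)(1) are a small computation over a request log. The following is an added example, not text or code from the bill, that compiles them for the prior calendar year and carries the July 1 disclosure date of (f)(2). The record layout, the request-type labels and the rule that opt-out requests are counted whether or not identity was verified (subparagraphs (C) and (D) do not say "verified") are this example's own assumptions; the sample records are constructed.

```python
"""Compile the section 203(f)(1) metrics for a large data holder's
annual disclosure. Added example; layout and labels are assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Request categories and the subparagraph of 203(f)(1) each reports under.
# The short labels are this example's naming, not the bill's.
REQUEST_TYPES = {
    "access": "(A) verified access requests under 203(a)(1)",
    "deletion": "(B) verified deletion requests under 203(a)(3)",
    "transfer_opt_out": "(C) opt-out of covered data transfers under 204(b)",
    "targeted_ads_opt_out": "(D) opt-out of targeted advertising under 204(c)",
}


@dataclass(frozen=True)
class RequestRecord:
    request_type: str
    received: date
    verified: bool           # identity verified under 203(e)
    outcome: Optional[str]   # "complied", "partial", "denied", or None if open
    responded: Optional[date]  # date of substantive response, None if none yet


def compile_metrics(records, year):
    """Return {request_type: metrics} for requests received in `year`."""
    out = {}
    for rtype in REQUEST_TYPES:
        rows = [r for r in records
                if r.request_type == rtype and r.received.year == year]
        # (A) and (B) count only verified requests. ASSUMPTION: opt-out
        # requests under (C) and (D) are counted regardless of verification.
        if rtype in ("access", "deletion"):
            rows = [r for r in rows if r.verified]
        # (E): complied with in whole or in part versus denied; a request
        # still open at year end falls in neither bucket.
        complied = sum(1 for r in rows if r.outcome in ("complied", "partial"))
        denied = sum(1 for r in rows if r.outcome == "denied")
        # (F): days to a substantive response, only where one was given.
        days = [(r.responded - r.received).days
                for r in rows if r.responded is not None]
        out[rtype] = {
            "count": len(rows),
            "complied": complied,
            "denied": denied,
            "median_days": median(days) if days else None,
            "mean_days": mean(days) if days else None,
        }
    return out


def annual_disclosure(records, disclosure_year):
    """(f)(2): by July 1 of `disclosure_year`, disclose the metrics
    compiled for the prior calendar year."""
    metrics_year = disclosure_year - 1
    return {
        "metrics_year": metrics_year,
        "deadline": date(disclosure_year, 7, 1),
        "metrics": compile_metrics(records, metrics_year),
    }


# Constructed sample log (not real data).
SAMPLE_RECORDS = [
    RequestRecord("access", date(2024, 1, 10), True, "complied", date(2024, 1, 20)),
    RequestRecord("access", date(2024, 2, 1), True, "denied", date(2024, 2, 5)),
    RequestRecord("access", date(2024, 3, 3), False, "denied", date(2024, 3, 4)),   # unverified
    RequestRecord("access", date(2024, 11, 30), True, None, None),                   # still open
    RequestRecord("deletion", date(2024, 5, 1), True, "partial", date(2024, 5, 31)),
    RequestRecord("deletion", date(2023, 12, 20), True, "complied", date(2024, 1, 2)),  # prior year
    RequestRecord("transfer_opt_out", date(2024, 6, 6), False, "complied", date(2024, 6, 7)),
    RequestRecord("targeted_ads_opt_out", date(2024, 7, 7), False, "complied", date(2024, 7, 7)),
]

if __name__ == "__main__":
    report = annual_disclosure(SAMPLE_RECORDS, 2025)
    print("disclose by", report["deadline"], "for", report["metrics_year"])
    for rtype, m in report["metrics"].items():
        print(REQUEST_TYPES[rtype], m)
```

Open requests are included in the count for (A) through (D) but in neither half of (E) and not in (F), which is why the example tracks outcome and response date separately rather than inferring one from the other.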
(g) Regulations.--Not later than 2 years after the date of
enactment of this Act, the Commission shall promulgate regulations,
pursuant to section 553 of title 5, United States Code, as necessary to
establish processes by which covered entities are to comply with the
provisions of this section. Such regulations shall take into
consideration--
(1) the size of, and the nature, scope, and complexity of
the activities engaged in by the covered entity, including
whether the covered entity is a large data holder, nonprofit
organization, covered entity meeting the requirements of
section 209, third party, or third-party collecting entity;
(2) the sensitivity of covered data collected, processed,
or transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity;
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates; and
(5) after consulting the National Institute of Standards
and Technology, standards for ensuring the deletion of covered
data under this Act where appropriate.
(h) Accessibility.--A covered entity shall facilitate the ability
of individuals to make requests under subsection (a) in any covered
language in which the covered entity provides a product or service. The
mechanisms by which a covered entity enables individuals to make
requests under subsection (a) shall be readily accessible and usable by
individuals with disabilities.
SEC. 204. RIGHT TO CONSENT AND OBJECT.
(a) Withdrawal of Consent.--A covered entity shall provide an
individual with a clear and conspicuous, easy-to-execute means to
withdraw any affirmative express consent previously provided by the
individual that is as easy to execute by a reasonable individual as the
means to provide consent, with respect to the processing or transfer of
the covered data of the individual.
(b) Right to Opt Out of Covered Data Transfers.--
(1) In general.--A covered entity--
(A) may not transfer or direct the transfer of the
covered data of an individual to a third party if the
individual objects to the transfer; and
(B) shall allow an individual to object to such a
transfer through an opt-out mechanism, as described in
section 210.
(2) Exception.--Except as provided in section 206(b)(3)(C),
a covered entity need not allow an individual to opt out of the
collection, processing, or transfer of covered data made
pursuant to the exceptions in paragraphs (1) through (15) of
section 101(b).
(c) Right to Opt Out of Targeted Advertising.--
(1) A covered entity or service provider that directly
delivers a targeted advertisement shall--
(A) prior to engaging in targeted advertising to an
individual or device and at all times thereafter,
provide such individual with a clear and conspicuous
means to opt out of targeted advertising;
(B) abide by any opt-out designation by an
individual with respect to targeted advertising and
notify the covered entity that directed the service
provider to deliver the targeted advertisement of the
opt-out decision; and
(C) allow an individual to make an opt-out
designation with respect to targeted advertising
through an opt-out mechanism, as described in section
210.
(2) A covered entity or service provider that receives an
opt-out notification pursuant to paragraph (1)(B) or this
paragraph shall abide by such opt-out designations by an
individual and notify any other person that directed the
covered entity or service provider to serve, deliver, or
otherwise handle the advertisement of the opt-out decision.
(d) Individual Autonomy.--A covered entity may not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of any individual right under this section
through--
(1) the use of any false, fictitious, fraudulent, or
materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise any such right.
SEC. 205. DATA PROTECTIONS FOR CHILDREN AND MINORS.
(a) Prohibition on Targeted Advertising to Children and Minors.--A
covered entity may not engage in targeted advertising to any individual
if the covered entity has knowledge that the individual is a covered
minor.
(b) Data Transfer Requirements Related to Covered Minors.--
(1) In general.--A covered entity may not transfer or
direct the transfer of the covered data of a covered minor to a
third party if the covered entity--
(A) has knowledge that the individual is a covered
minor; and
(B) has not obtained affirmative express consent
from the covered minor or the covered minor's parent or
guardian.
(2) Exception.--A covered entity or service provider may
collect, process, or transfer covered data of an individual the
covered entity or service provider knows is under the age of 18
solely in order to submit information relating to child
victimization to law enforcement or to the nonprofit, national
resource center and clearinghouse congressionally designated to
provide assistance to victims, families, child-serving
professionals, and the general public on missing and exploited
children issues.
(c) Youth Privacy and Marketing Division.--
(1) Establishment.--There is established within the
Commission in the privacy bureau established in this Act, a
division to be known as the ``Youth Privacy and Marketing
Division'' (in this section referred to as the ``Division'').
(2) Director.--The Division shall be headed by a Director,
who shall be appointed by the Chair of the Commission.
(3) Duties.--The Division shall be responsible for
assisting the Commission in addressing, as it relates to this
Act--
(A) the privacy of children and minors; and
(B) marketing directed at children and minors.
(4) Staff.--The Director of the Division shall hire
adequate staff to carry out the duties described in paragraph
(3), including by hiring individuals who are experts in data
protection, digital advertising, data analytics, and youth
development.
(5) Reports.--Not later than 2 years after the date of
enactment of this Act, and annually thereafter, the Commission
shall submit to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on Energy and
Commerce of the House of Representatives a report that
includes--
(A) a description of the work of the Division
regarding emerging concerns relating to youth privacy
and marketing practices; and
(B) an assessment of how effectively the Division
has, during the period for which the report is
submitted, assisted the Commission to address youth
privacy and marketing practices.
(6) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (5), the Commission
shall publish the report on its website.
(d) Report by the Inspector General.--
(1) In general.--Not later than 2 years after the date of
enactment of this Act, and biennially thereafter, the Inspector
General of the Commission shall submit to the Commission and to
the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Energy and Commerce of the House of
Representatives a report regarding the safe harbor provisions
in section 1304 of the Children's Online Privacy Protection Act
of 1998 (15 U.S.C. 6503), which shall include--
(A) an analysis of whether the safe harbor
provisions are--
(i) operating fairly and effectively; and
(ii) effectively protecting the interests
of children and minors; and
(B) any proposal or recommendation for policy
changes that would improve the effectiveness of the
safe harbor provisions.
(2) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (1), the Commission
shall publish the report on the website of the Commission.
SEC. 206. THIRD-PARTY COLLECTING ENTITIES.
(a) Notice.--Each third-party collecting entity shall place a
clear, conspicuous, not misleading, and readily accessible notice on
the website or mobile application of the third-party collecting entity
(if the third-party collecting entity maintains such a website or
mobile application) that--
(1) notifies individuals that the entity is a third-party
collecting entity using specific language that the Commission
shall develop through rulemaking under section 553 of title 5,
United States Code;
(2) includes a link to the website established under
subsection (b)(3); and
(3) is reasonably accessible to and usable by individuals
with disabilities.
(b) Third-party Collecting Entity Registration.--
(1) In general.--Not later than January 31 of each calendar
year that follows a calendar year during which a covered entity
acted as a third-party collecting entity and processed covered
data pertaining to more than 5,000 individuals or devices that
identify or are linked or reasonably linkable to an individual,
such covered entity shall register with the Commission in
accordance with this subsection.
(2) Registration requirements.--In registering with the
Commission as required under paragraph (1), a third-party
collecting entity shall do the following:
(A) Pay to the Commission a registration fee of
$100.
(B) Provide the Commission with the following
information:
(i) The legal name and primary physical,
email, and internet addresses of the third-
party collecting entity.
(ii) A description of the categories of
covered data the third-party collecting entity
processes and transfers.
(iii) The contact information of the third-
party collecting entity, including a contact
person, a telephone number, an e-mail address,
a website, and a physical mailing address.
(iv) A link to a website through which an
individual may easily exercise the rights
provided under this subsection.
(3) Third-party collecting entity registry.--The Commission
shall establish and maintain on a website a searchable,
publicly available, central registry of third-party collecting
entities that are registered with the Commission under this
subsection that includes the following:
(A) A listing of all registered third-party
collecting entities and a search feature that allows
members of the public to identify individual third-
party collecting entities.
(B) For each registered third-party collecting
entity, the information provided under paragraph
(2)(B).
(C)(i) A ``Do Not Collect'' registry link and
mechanism by which an individual may easily submit a
request to all registered third-party collecting
entities that are not consumer reporting agencies (as
defined in section 603(f) of the Fair Credit Reporting
Act (15 U.S.C. 1681a(f))), and to the extent such
third-party collecting entities are not acting as
consumer reporting agencies (as so defined), to--
(I) delete all covered data related to such
individual that the third-party collecting
entity did not collect from such individual
directly or when acting as a service provider;
and
(II) ensure that the third-party collecting
entity no longer collects covered data related
to such individual without the affirmative
express consent of such individual, except
insofar as the third-party collecting entity is
acting as a service provider.
(ii) Each third-party collecting entity that
receives such a request from an individual shall delete
all the covered data of the individual not later than
30 days after the request is received by the third-
party collecting entity.
(iii) Notwithstanding the provisions of clauses (i)
and (ii), a third-party collecting entity may decline
to fulfill a ``Do Not Collect'' request from an
individual who it has actual knowledge has been
convicted of a crime related to the abduction or sexual
exploitation of a child, and the data the entity is
collecting is necessary to effectuate the purposes of a
national or State-run sex offender registry or the
congressionally designated entity that serves as the
nonprofit national resource center and clearinghouse to
provide assistance to victims, families, child-serving
professionals, and the general public on missing and
exploited children issues.
(c) Penalties.--
(1) In general.--A third-party collecting entity that fails
to register or provide the notice as required under this
section shall be liable for--
(A) a civil penalty of $100 for each day the third-
party collecting entity fails to register or provide
notice as required under this section, not to exceed a
total of $10,000 for any year; and
(B) an amount equal to the registration fees due
under paragraph (2)(A) of subsection (b) for each year
that the third-party collecting entity failed to
register as required under paragraph (1) of such
subsection.
(2) Rule of construction.--Nothing in this subsection shall
be construed as altering, limiting, or affecting any
enforcement authorities or remedies under this Act.
SEC. 207. CIVIL RIGHTS AND ALGORITHMS.
(a) Civil Rights Protections.--
(1) In general.--A covered entity or a service provider may
not collect, process, or transfer covered data in a manner that
discriminates in or otherwise makes unavailable the equal
enjoyment of goods or services on the basis of race, color,
religion, national origin, sex, or disability.
(2) Exceptions.--This subsection shall not apply to--
(A) the collection, processing, or transfer of
covered data for the purpose of--
(i) a covered entity's or a service
provider's self-testing to prevent or mitigate
unlawful discrimination; or
(ii) diversifying an applicant,
participant, or customer pool; or
(B) any private club or group not open to the
public, as described in section 201(e) of the Civil
Rights Act of 1964 (42 U.S.C. 2000a(e)).
(b) FTC Enforcement Assistance.--
(1) In general.--Whenever the Commission obtains
information that a covered entity or service provider may have
collected, processed, or transferred covered data in violation
of subsection (a), the Commission shall transmit such
information as allowable under Federal law to any Executive
agency with authority to initiate enforcement actions or
proceedings relating to such violation.
(2) Annual report.--Not later than 3 years after the date
of enactment of this Act, and annually thereafter, the
Commission shall submit to Congress a report that includes a
summary of--
(A) the types of information the Commission
transmitted to Executive agencies under paragraph (1)
during the previous 1-year period; and
(B) how such information relates to Federal civil
rights laws.
(3) Technical assistance.--In transmitting information
under paragraph (1), the Commission may consult and coordinate
with, and provide technical and investigative assistance, as
appropriate, to such Executive agency.
(4) Cooperation with other agencies.--The Commission may
implement this subsection by executing agreements or memoranda
of understanding with the appropriate Executive agencies.
(c) Covered Algorithm Impact and Evaluation.--
(1) Covered algorithm impact assessment.--
(A) Impact assessment.--Notwithstanding any other
provision of law, not later than 2 years after the date
of enactment of this Act, and annually thereafter, a
large data holder that uses a covered algorithm in a
manner that poses a consequential risk of harm to an
individual or group of individuals, and uses such
covered algorithm, solely or in part, to collect,
process, or transfer covered data shall conduct an
impact assessment of such algorithm in accordance with
subparagraph (B).
(B) Impact assessment scope.--The impact assessment
required under subparagraph (A) shall provide the
following:
(i) A detailed description of the design
process and methodologies of the covered
algorithm.
(ii) A statement of the purpose and
proposed uses of the covered algorithm.
(iii) A detailed description of the data
used by the covered algorithm, including the
specific categories of data that will be
processed as input and any data used to train
the model that the covered algorithm relies on,
if applicable.
(iv) A description of the outputs produced
by the covered algorithm.
(v) An assessment of the necessity and
proportionality of the covered algorithm in
relation to its stated purpose.
(vi) A detailed description of steps the
large data holder has taken or will take to
mitigate potential harms from the covered
algorithm to an individual or group of
individuals, including related to--
(I) covered minors;
(II) making or facilitating
advertising for, or determining access
to, or restrictions on the use of
housing, education, employment,
healthcare, insurance, or credit
opportunities;
(III) determining access to, or
restrictions on the use of, any place
of public accommodation, particularly
as such harms relate to the protected
characteristics of individuals,
including race, color, religion,
national origin, sex, or disability;
(IV) disparate impact on the basis
of individuals' race, color, religion,
national origin, sex, or disability
status; or
(V) disparate impact on the basis
of individuals' political party
registration status.
(2) Algorithm design evaluation.--Notwithstanding any other
provision of law, not later than 2 years after the date of
enactment of this Act, a covered entity or service provider
that knowingly develops a covered algorithm that is designed
to, solely or in part, collect, process, or transfer covered
data in furtherance of a consequential decision shall prior to
deploying the covered algorithm in interstate commerce evaluate
the design, structure, and inputs of the covered algorithm,
including any training data used to develop the covered
algorithm, to reduce the risk of the potential harms identified
under paragraph (1)(B).
(3) Other considerations.--
(A) Focus.--In complying with paragraphs (1) and
(2), a covered entity and a service provider may focus
the impact assessment or evaluation on any covered
algorithm, or portions of a covered algorithm, that
will be put to use and may reasonably contribute to the
risk of the potential harms identified under paragraph
(1)(B).
(B) Availability.--
(i) In general.--A covered entity and a
service provider--
(I) shall, not later than 30 days
after completing an impact assessment
or evaluation, submit the impact
assessment or evaluation conducted
under paragraph (1) or (2) to the
Commission;
(II) shall, upon request, make such
impact assessment and evaluation
available to Congress; and
(III) may make a summary of such
impact assessment and evaluation
publicly available in a place that is
easily accessible to individuals.
(ii) Trade secrets.--Covered entities and
service providers may redact and segregate any
trade secret (as defined in section 1839 of
title 18, United States Code) or other
confidential or proprietary information from
public disclosure under this subparagraph and
the Commission shall abide by its obligations
under section 6(f) of the Federal Trade
Commission Act (15 U.S.C. 46(f)) in regard to
such information.
(C) Enforcement.--The Commission may not use any
information obtained solely and exclusively through a
covered entity or a service provider's disclosure of
information to the Commission in compliance with this
section for any purpose other than enforcing this Act
with the exception of enforcing consent orders,
including the study and report provisions in paragraph
(6). This subparagraph does not preclude the Commission
from providing this information to Congress in response
to a subpoena.
(4) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall, in consultation
with the Secretary of Commerce, or their respective designees,
publish guidance regarding compliance with this section.
(5) Rulemaking and exemption.--The Commission shall have
authority under section 553 of title 5, United States Code, to
promulgate regulations as necessary to establish processes by
which a large data holder--
(A) shall submit an impact assessment to the
Commission under paragraph (3)(B)(i)(I); and
(B) may exclude from this subsection any covered
algorithm that presents low or minimal consequential
risk of harm to an individual or group of individuals.
(6) Study and report.--
(A) Study.--The Commission, in consultation with
the Secretary of Commerce or the Secretary's designee,
shall conduct a study to review any impact assessment
or evaluation submitted under this subsection. Such
study shall include an examination of--
(i) best practices for the assessment and
evaluation of covered algorithms; and
(ii) methods to reduce the risk of harm to
individuals that may be related to the use of
covered algorithms.
(B) Report.--
(i) Initial report.--Not later than 3 years
after the date of enactment of this Act, the
Commission, in consultation with the Secretary
of Commerce or the Secretary's designee, shall
submit to Congress a report containing the
results of the study conducted under
subparagraph (A), together with recommendations
for such legislation and administrative action
as the Commission determines appropriate.
(ii) Additional reports.--Not later than 3
years after submission of the initial report
under clause (i), and as the Commission
determines necessary thereafter, the Commission
shall submit to Congress an updated version of
such report.
SEC. 208. DATA SECURITY AND PROTECTION OF COVERED DATA.
(a) Establishment of Data Security Practices.--
(1) In general.--A covered entity or service provider shall
establish, implement, and maintain reasonable administrative,
technical, and physical data security practices and procedures
to protect and secure covered data against unauthorized access
and acquisition.
(2) Considerations.--The reasonable administrative,
technical, and physical data security practices required under
paragraph (1) shall be appropriate to--
(A) the size and complexity of the covered entity
or service provider;
(B) the nature and scope of the covered entity or
the service provider's collecting, processing, or
transferring of covered data;
(C) the volume and nature of the covered data
collected, processed, or transferred by the covered
entity or service provider;
(D) the sensitivity of the covered data collected,
processed, or transferred;
(E) the current state of the art (and limitations
thereof) in administrative, technical, and physical
safeguards for protecting such covered data; and
(F) the cost of available tools to improve security
and reduce vulnerabilities to unauthorized access and
acquisition of such covered data in relation to the
risks and nature of the covered data.
(b) Specific Requirements.--The data security practices of the
covered entity and of the service provider required under subsection
(a) shall include, for each respective entity's own system or systems,
at a minimum, the following practices:
(1) Assess vulnerabilities.--Identifying and assessing any
material internal and external risk to, and vulnerability in,
the security of each system maintained by the covered entity
that collects, processes, or transfers covered data, or service
provider that collects, processes, or transfers covered data on
behalf of the covered entity, including unauthorized access to
or risks to such covered data, human vulnerabilities, access
rights, and the use of service providers. With respect to large
data holders, such activities shall include a plan to receive
and reasonably respond to unsolicited reports of
vulnerabilities by any entity or individual and by performing a
reasonable investigation of such reports.
(2) Preventive and corrective action.--Taking preventive
and corrective action designed to mitigate reasonably
foreseeable risks or vulnerabilities to covered data identified
by the covered entity or service provider, consistent with the
nature of such risk or vulnerability and the entity's role in
collecting, processing, or transferring the data. Such action
may include implementing administrative, technical, or physical
safeguards or changes to data security practices or the
architecture, installation, or implementation of network or
operating software, among other actions.
(3) Evaluation of preventive and corrective action.--
Evaluating and making reasonable adjustments to the action
described in paragraph (2) in light of any material changes in
technology, internal or external threats to covered data, and
the covered entity or service provider's own changing business
arrangements or operations.
(4) Information retention and disposal.--Disposing of
covered data in accordance with a retention schedule that shall
require the deletion of covered data when such data is required
to be deleted by law or is no longer necessary for the purpose
for which the data was collected, processed, or transferred,
unless an individual has provided affirmative express consent
to such retention. Such disposal shall include destroying,
permanently erasing, or otherwise modifying the covered data to
make such data permanently unreadable or indecipherable and
unrecoverable to ensure ongoing compliance with this section.
Service providers shall establish practices to delete or return
covered data to a covered entity as requested at the end of the
provision of services unless retention of the covered data is
required by law, consistent with section 302(a)(6).
(5) Training.--Training each employee with access to
covered data on how to safeguard covered data and updating such
training as necessary.
(6) Designation.--Designating an officer, employee, or
employees to maintain and implement such practices.
(7) Incident response.--Implementing procedures to detect,
respond to, or recover from security incidents, including
breaches.
(c) Regulations.--The Commission may promulgate, in accordance with
section 553 of title 5, United States Code, technology-neutral
regulations to establish processes for complying with this section. The
Commission shall consult with the National Institute of Standards and
Technology in establishing such processes.
SEC. 209. SMALL BUSINESS PROTECTIONS.
(a) Establishment of Exemption.--Any covered entity or service
provider that can establish that it met the requirements described in
subsection (b) for the period of the 3 preceding calendar years (or for
the period during which the covered entity or service provider has been
in existence if such period is less than 3 years) shall--
(1) be exempt from compliance with section 203(a)(4),
paragraphs (1) through (3) and (5) through (7) of section
208(b), and section 301(c); and
(2) at the covered entity's sole discretion, have the
option of complying with section 203(a)(2) by, after receiving
a verified request from an individual to correct covered data
of the individual under such section, deleting such covered
data in its entirety instead of making the requested
correction.
(b) Exemption Requirements.--The requirements of this subsection
are, with respect to a covered entity or a service provider, the
following:
(1) The covered entity or service provider's average annual
gross revenues during the period did not exceed $41,000,000.
(2) The covered entity or service provider, on average, did
not annually collect or process the covered data of more than
200,000 individuals during the period beyond the purpose of
initiating, rendering, billing for, finalizing, completing, or
otherwise collecting payment for a requested service or
product, so long as all covered data for such purpose was
deleted or de-identified within 90 days, except when necessary
to investigate fraud or as consistent with a covered entity's
return policy.
(3) The covered entity or service provider did not derive
more than 50 percent of its revenue from transferring covered
data during any year (or part of a year if the covered entity
has been in existence for less than 1 year) that occurs during
the period.
(c) Revenue Defined.--For purposes of this section, the term
``revenue'' as it relates to any covered entity or service provider
that is not organized to carry on business for its own profit or that
of its members, means the gross receipts the covered entity or service
provider received in whatever form from all sources without subtracting
any costs or expenses, and includes contributions, gifts, grants, dues
or other assessments, income from investments, or proceeds from the
sale of real or personal property.
SEC. 210. UNIFIED OPT-OUT MECHANISMS.
(a) In General.--For the rights established under subsection (b) of
section 204, subsection (c) of section 204 (except as provided for
under section 101(b)(16)), and section 206(b)(3)(C), following public
notice and opportunity to comment and not later than 18 months after
the date of enactment of this Act, the Commission shall establish or
recognize one or more acceptable privacy protective, centralized
mechanisms, including global privacy signals such as browser or device
privacy settings, other tools offered by covered entities or service
providers, and registries of identifiers, for individuals to exercise
all such rights through a single interface for a covered entity or
service provider to utilize to allow an individual to make such opt out
designations with respect to covered data related to such individual.
(b) Requirements.--Any such centralized opt-out mechanism shall--
(1) require covered entities or service providers acting on
behalf of covered entities to inform individuals about the
centralized opt-out choice;
(2) not be required to be the default setting, but may be
the default setting provided that in all cases the mechanism
clearly represents the individual's affirmative, freely given,
and unambiguous choice to opt out;
(3) be consumer-friendly, clearly described, and easy-to-
use by a reasonable individual;
(4) permit the covered entity or service provider acting on
behalf of a covered entity to have an authentication process
the covered entity or service provider acting on behalf of a
covered entity may use to determine if the mechanism represents
a legitimate request to opt out;
(5) be provided in any covered language in which the
covered entity provides products or services subject to the
opt-out; and
(6) be provided in a manner that is reasonably accessible
to and usable by individuals with disabilities.
TITLE III--CORPORATE ACCOUNTABILITY
SEC. 301. EXECUTIVE RESPONSIBILITY.
(a) In General.--Beginning 1 year after the date of enactment of
this Act, an executive officer of a large data holder shall annually
certify, in good faith, to the Commission, in a manner specified by the
Commission by regulation under section 553 of title 5, United States
Code, that the entity maintains--
(1) internal controls reasonably designed to comply with
this Act; and
(2) internal reporting structures to ensure that such
certifying executive officer is involved in and responsible for
the decisions that impact the compliance by the large data
holder with this Act.
(b) Requirements.--A certification submitted under subsection (a)
shall be based on a review of the effectiveness of the internal
controls and reporting structures of the large data holder that is
conducted by the certifying executive officer not more than 90 days
before the submission of the certification. A certification submitted
under subsection (a) is made in good faith if the certifying officer
had, after a reasonable investigation, reasonable ground to believe and
did believe, at the time that certification was submitted, that the
statements therein were true and that there was no omission to state a
material fact required to be stated therein or necessary to make the
statements therein not misleading.
(c) Designation of Privacy and Data Security Officer.--
(1) In general.--A covered entity or service provider that
has more than 15 employees shall designate--
(A) 1 or more qualified employees as privacy
officers; and
(B) 1 or more qualified employees (in addition to
any employee designated under subparagraph (A)) as data
security officers.
(2) Requirements for officers.--An employee who is
designated by a covered entity or a service provider as a
privacy officer or a data security officer pursuant to
paragraph (1) shall, at a minimum--
(A) implement a data privacy program and data
security program to safeguard the privacy and security
of covered data in compliance with the requirements of
this Act; and
(B) facilitate the covered entity or service
provider's ongoing compliance with this Act.
(3) Additional requirements for large data holders.--A
large data holder shall designate at least 1 of the officers
described in paragraph (1) to report directly to the highest
official at the large data holder as a privacy protection
officer who shall, in addition to the requirements in paragraph
(2), either directly or through a supervised designee or
designees--
(A) establish processes to periodically review and
update the privacy and security policies, practices,
and procedures of the large data holder, as necessary;
(B) conduct biennial and comprehensive audits to
ensure the policies, practices, and procedures of the
large data holder ensure the large data holder is in
compliance with this Act and ensure such audits are
accessible to the Commission upon request;
(C) develop a program to educate and train
employees about compliance requirements of this Act;
(D) maintain updated, accurate, clear, and
understandable records of all material privacy and data
security practices undertaken by the large data holder;
and
(E) serve as the point of contact between the large
data holder and enforcement authorities.
(d) Large Data Holder Privacy Impact Assessments.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act or 1 year after the date on which a
covered entity first meets the definition of large data holder,
whichever is earlier, and biennially thereafter, each covered
entity that is a large data holder shall conduct a privacy
impact assessment that weighs the benefits of the large data
holder's covered data collecting, processing, and transfer
practices against the potential adverse consequences of such
practices, including substantial privacy risks, to individual
privacy.
(2) Assessment requirements.--A privacy impact assessment
required under paragraph (1) shall be--
(A) reasonable and appropriate in scope given--
(i) the nature of the covered data
collected, processed, and transferred by the
large data holder;
(ii) the volume of the covered data
collected, processed, and transferred by the
large data holder; and
(iii) the potential material risks posed to
the privacy of individuals by the collecting,
processing, and transfer of covered data by the
large data holder;
(B) documented in written form and maintained by
the large data holder unless rendered out of date by a
subsequent assessment conducted under paragraph (1);
and
(C) approved by the privacy protection officer
designated in subsection (c)(3) of the large data
holder, as applicable.
(3) Additional factors to include in assessment.--In
assessing the privacy risks, including substantial privacy
risks, the large data holder must include reviews of the means
by which technologies, including blockchain and distributed
ledger technologies and other emerging technologies, are used
to secure covered data.
(e) Other Privacy Impact Assessments.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act and biennially thereafter, each covered
entity that is not a large data holder and does not meet the
requirements for covered entities under section 209 shall
conduct a privacy impact assessment. Such assessment shall
weigh the benefits of the covered entity's covered data
collecting, processing, and transfer practices that may cause a
substantial privacy risk against the potential material adverse
consequences of such practices to individual privacy.
(2) Assessment requirements.--A privacy impact assessment
required under paragraph (1) shall be--
(A) reasonable and appropriate in scope given--
(i) the nature of the covered data
collected, processed, and transferred by the
covered entity;
(ii) the volume of the covered data
collected, processed, and transferred by the
covered entity; and
(iii) the potential risks posed to the
privacy of individuals by the collecting,
processing, and transfer of covered data by the
covered entity; and
(B) documented in written form and maintained by
the covered entity unless rendered out of date by a
subsequent assessment conducted under paragraph (1).
(3) Additional factors to include in assessment.--In
assessing the privacy risks, including substantial privacy
risks, the covered entity may include reviews of the means by
which technologies, including blockchain and distributed ledger
technologies and other emerging technologies, are used to
secure covered data.
SEC. 302. SERVICE PROVIDERS AND THIRD PARTIES.
(a) Service Providers.--A service provider--
(1) shall adhere to the instructions of a covered entity
and only collect, process, and transfer service provider data
to the extent necessary and proportionate to provide a service
requested by the covered entity, as set out in the contract
required by subsection (b), and this paragraph does not require
a service provider to collect, process, or transfer covered
data if the service provider would not otherwise do so;
(2) may not collect, process, or transfer service provider
data if the service provider has actual knowledge that a
covered entity violated this Act with respect to such data;
(3) shall assist a covered entity in responding to a
request made by an individual under section 203 or 204, by
either--
(A) providing appropriate technical and
organizational measures, taking into account the nature
of the processing and the information reasonably
available to the service provider, for the covered
entity to comply with such request for service provider
data; or
(B) fulfilling a request by a covered entity to
execute an individual rights request that the covered
entity has determined should be complied with, by
either--
(i) complying with the request pursuant to
the covered entity's instructions; or
(ii) providing written verification to the
covered entity that it does not hold covered
data related to the request, that complying
with the request would be inconsistent with its
legal obligations, or that the request falls
within an exception to section 203 or 204;
(4) may engage another service provider for purposes of
processing service provider data on behalf of a covered entity
only after providing that covered entity with notice and
pursuant to a written contract that requires such other service
provider to satisfy the obligations of the service provider
with respect to such service provider data, including that the
other service provider be treated as a service provider under
this Act;
(5) shall, upon the reasonable request of the covered
entity, make available to the covered entity information
necessary to demonstrate the compliance of the service provider
with the requirements of this Act, which may include making
available a report of an independent assessment arranged by the
service provider on terms agreed to by the service provider and
the covered entity, providing information necessary to enable
the covered entity to conduct and document a privacy impact
assessment required by subsection (d) or (e) of section 301,
and making available the report required under section
207(c)(2);
(6) shall, at the covered entity's direction, delete or
return all covered data to the covered entity as requested at
the end of the provision of services, unless retention of the
covered data is required by law;
(7) shall develop, implement, and maintain reasonable
administrative, technical, and physical safeguards that are
designed to protect the security and confidentiality of covered
data the service provider processes consistent with section
208; and
(8) shall allow and cooperate with reasonable assessments
by the covered entity or the covered entity's designated
assessor; alternatively, the service provider may arrange for a
qualified and independent assessor to conduct an assessment of
the service provider's policies and technical and
organizational measures in support of the obligations under
this Act using an appropriate and accepted control standard or
framework and assessment procedure for such assessments. The
service provider shall provide a report of such assessment to
the covered entity upon request.
(b) Contracts Between Covered Entities and Service Providers.--
(1) Requirements.--A person or entity may only act as a
service provider pursuant to a written contract between the
covered entity and the service provider, or a written contract
between one service provider and a second service provider as
described under subsection (a)(4), if the contract--
(A) sets forth the data processing procedures of
the service provider with respect to collection,
processing, or transfer performed on behalf of the
covered entity or service provider;
(B) clearly sets forth--
(i) instructions for collecting,
processing, or transferring data;
(ii) the nature and purpose of collecting,
processing, or transferring;
(iii) the type of data subject to
collecting, processing, or transferring;
(iv) the duration of processing; and
(v) the rights and obligations of both
parties, including a method by which the
service provider shall notify the covered
entity of material changes to its privacy
practices;
(C) does not relieve a covered entity or a service
provider of any requirement or liability imposed on
such covered entity or service provider under this Act;
and
(D) prohibits--
(i) collecting, processing, or transferring
covered data in contravention to subsection
(a); and
(ii) combining service provider data with
covered data which the service provider
receives from or on behalf of another person or
persons or collects from the interaction of the
service provider with an individual, provided
that such combining is not necessary to
effectuate a purpose described in paragraphs
(1) through (15) of section 101(b) and is
otherwise permitted under the contract required
by this subsection.
(2) Contract terms.--Each service provider shall retain
copies of previous contracts entered into in compliance with
this subsection with each covered entity to which it provides
requested products or services.
(c) Relationship Between Covered Entities and Service Providers.--
(1) Determining whether a person is acting as a covered
entity or service provider with respect to a specific
processing of covered data is a fact-based determination that
depends upon the context in which such data is processed.
(2) A person that is not limited in its processing of
covered data pursuant to the instructions of a covered entity,
or that fails to adhere to such instructions, is a covered
entity and not a service provider with respect to a specific
processing of covered data. A service provider that continues
to adhere to the instructions of a covered entity with respect
to a specific processing of covered data remains a service
provider. If a service provider begins, alone or jointly with
others, determining the purposes and means of the processing of
covered data, it is a covered entity and not a service provider
with respect to the processing of such data.
(3) A covered entity that transfers covered data to a
service provider or a service provider that transfers covered
data to a covered entity or another service provider, in
compliance with the requirements of this Act, is not liable for
a violation of this Act by the service provider or covered
entity to whom such covered data was transferred, if at the
time of transferring such covered data, the covered entity or
service provider did not have actual knowledge that the service
provider or covered entity would violate this Act.
(4) A covered entity or service provider that receives
covered data in compliance with the requirements of this Act is
not in violation of this Act as a result of a violation by a
covered entity or service provider from which such data was
received.
(d) Third Parties.--A third party--
(1) shall not process third party data for a processing
purpose other than, in the case of sensitive covered data, the
processing purpose for which the individual gave affirmative
express consent or to effect a purpose enumerated in paragraph
(1), (3), or (5) of section 101(b) and, in the case of non-
sensitive data, the processing purpose for which the covered
entity made a disclosure pursuant to section 202(b)(4); and
(2) for purposes of paragraph (1), may reasonably rely on
representations made by the covered entity that transferred the
third party data if the third party conducts reasonable due
diligence on the representations of the covered entity and
finds those representations to be credible.
(e) Additional Obligations on Covered Entities.--
(1) In general.--A covered entity or service provider shall
exercise reasonable due diligence in--
(A) selecting a service provider; and
(B) deciding to transfer covered data to a third
party.
(2) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall publish guidance
regarding compliance with this subsection, taking into
consideration the burdens on large data holders, covered
entities who are not large data holders, and covered entities
meeting the requirements of section 209.
(f) Rule of Construction.--Solely for the purposes of this section,
the requirements for service providers to contract with, assist, and
follow the instructions of covered entities shall be read to include
requirements to contract with, assist, and follow the instructions of a
government entity if the service provider is providing a service to a
government entity.
SEC. 303. TECHNICAL COMPLIANCE PROGRAMS.
(a) In General.--Not later than 3 years after the date of enactment
of this Act, the Commission shall promulgate regulations under section
553 of title 5, United States Code, to establish a process for the
proposal and approval of technical compliance programs under this
section used by a covered entity to collect, process, or transfer
covered data.
(b) Scope of Programs.--The technical compliance programs
established under this section shall, with respect to a technology,
product, service, or method used by a covered entity to collect,
process, or transfer covered data--
(1) establish publicly available guidelines for compliance
with this Act; and
(2) meet or exceed the requirements of this Act.
(c) Approval Process.--
(1) In general.--Any request for approval, amendment, or
repeal of a technical compliance program may be submitted to
the Commission by any person, including a covered entity, a
representative of a covered entity, an association of covered
entities, or a public interest group or organization. Within 90
days after the request is made, the Commission shall publish
the request and provide an opportunity for public comment on
the proposal.
(2) Expedited response to requests.--Beginning 1 year after
the date of enactment of this Act, the Commission shall act
upon a request for the proposal and approval of a technical
compliance program not later than 1 year after the filing of
the request, and shall set forth publicly in writing the
conclusions of the Commission with regard to such request.
(d) Right to Appeal.--Final action by the Commission on a request
for approval, amendment, or repeal of a technical compliance program,
or the failure to act within the 1-year period after a request for
approval, amendment, or repeal of a technical compliance program is
made under subsection (c), may be appealed to a Federal district court
of the United States of appropriate jurisdiction as provided for in
section 702 of title 5, United States Code.
(e) Effect on Enforcement.--
(1) In general.--Prior to commencing an investigation or
enforcement action against any covered entity under this Act,
the Commission and State attorney general shall consider the
covered entity's history of compliance with any technical
compliance program approved under this section and any action
taken by the covered entity to remedy noncompliance with such
program. If such enforcement action described in section 403 is
brought, the covered entity's history of compliance with any
technical compliance program approved under this section and
any action taken by the covered entity to remedy noncompliance
with such program shall be taken into consideration when
determining liability or a penalty. The covered entity's
history of compliance with any technical compliance program
shall not affect any burden of proof or the weight given to
evidence in an enforcement or judicial proceeding.
(2) Commission authority.--Approval of a technical
compliance program shall not limit the authority of the
Commission, including the Commission's authority to commence an
investigation or enforcement action against any covered entity
under this Act or any other Act.
(3) Rule of construction.--Nothing in this subsection shall
provide any individual, class of individuals, or person with
any right to seek discovery of any non-public Commission
deliberation or activity or impose any pleading requirement on
the Commission if the Commission brings an enforcement action
of any kind.
SEC. 304. COMMISSION APPROVED COMPLIANCE GUIDELINES.
(a) Application for Compliance Guideline Approval.--
(1) In general.--A covered entity that is not a third-party
collecting entity and meets the requirements of section 209, or
a group of such covered entities, may apply to the Commission
for approval of 1 or more sets of compliance guidelines
governing the collection, processing, and transfer of covered
data by the covered entity or group of covered entities.
(2) Application requirements.--Such application shall
include--
(A) a description of how the proposed guidelines
will meet or exceed the requirements of this Act;
(B) a description of the entities or activities the
proposed set of compliance guidelines is designed to
cover;
(C) a list of the covered entities that meet the
requirements of section 209 and are not third-party
collecting entities, if any are known at the time of
application, that intend to adhere to the compliance
guidelines; and
(D) a description of how such covered entities will
be independently assessed for adherence to such
compliance guidelines, including the independent
organization not associated with any of the covered
entities that may participate in guidelines that will
administer such guidelines.
(3) Commission review.--
(A) Initial approval.--
(i) Public comment period.--Within 90 days
after the receipt of proposed guidelines
submitted pursuant to paragraph (2), the
Commission shall publish the application and
provide an opportunity for public comment on
such compliance guidelines.
(ii) Approval.--The Commission shall
approve an application regarding proposed
guidelines under paragraph (2) if the applicant
demonstrates that the compliance guidelines--
(I) meet or exceed requirements of
this Act;
(II) provide for the regular review
and validation by an independent
organization not associated with any of
the covered entities that may
participate in the guidelines and that
is approved by the Commission to
conduct such reviews of the compliance
guidelines of the covered entity or
entities to ensure that the covered
entity or entities continue to meet or
exceed the requirements of this Act;
and
(III) include a means of
enforcement if a covered entity does
not meet or exceed the requirements in
the guidelines, which may include
referral to the Commission for
enforcement consistent with section 401
or referral to the appropriate State
attorney general for enforcement
consistent with section 402.
(iii) Timeline.--Within 1 year after
receiving an application regarding proposed
guidelines under paragraph (2), the Commission
shall issue a determination approving or
denying the application and providing its
reasons for approving or denying such
application.
(B) Approval of modifications.--
(i) In general.--If the independent
organization administering a set of guidelines
makes material changes to guidelines previously
approved by the Commission, the independent
organization shall submit the updated
guidelines to the Commission for approval. As
soon as feasible, the Commission shall publish
the updated guidelines and provide an
opportunity for public comment.
(ii) Timeline.--The Commission shall
approve or deny any material change to the
guidelines within 1 year after receipt of the
submission for approval.
(b) Withdrawal of Approval.--If at any time the Commission
determines that the guidelines previously approved no longer meet the
requirements of this Act or a regulation promulgated under this Act or
that compliance with the approved guidelines is insufficiently enforced
by the independent organization administering the guidelines, the
Commission shall notify the covered entities or group of such entities
and the independent organization of the determination of the Commission
to withdraw approval of such guidelines and the basis for doing so.
Within 180 days after receipt of such notice, the covered entity or
group of such entities and the independent organization may cure any
alleged deficiency with the guidelines or the enforcement of such
guidelines and submit each proposed cure to the Commission. If the
Commission determines that such cures eliminate the alleged deficiency
in the guidelines, then the Commission may not withdraw approval of
such guidelines on the basis of such determination.
(c) Deemed Compliance.--A covered entity that is eligible to
participate under subsection (a)(1) and participates in guidelines
approved under this section shall be deemed in compliance with the
relevant provisions of this Act if such covered entity is in compliance
with such guidelines.
SEC. 305. DIGITAL CONTENT FORGERIES.
(a) Reports.--Not later than 1 year after the date of enactment of
this Act, and annually thereafter, the Secretary of Commerce or the
Secretary's designee shall publish a report regarding digital content
forgeries.
(b) Requirements.--Each report under subsection (a) shall include
the following:
(1) A definition of digital content forgeries along with
accompanying explanatory materials.
(2) A description of the common sources of digital content
forgeries in the United States and commercial sources of
digital content forgery technologies.
(3) An assessment of the uses, applications, and harms of
digital content forgeries.
(4) An analysis of the methods and standards available to
identify digital content forgeries as well as a description of
the commercial technological counter-measures that are, or
could be, used to address concerns with digital content
forgeries, which may include the provision of warnings to
viewers of suspect content.
(5) A description of the types of digital content
forgeries, including those used to commit fraud, cause harm, or
violate any provision of law.
(6) Any other information determined appropriate by the
Secretary of Commerce or the Secretary's designee.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
SEC. 401. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Bureau of Privacy.--
(1) In general.--The Commission shall establish within the
Commission a new bureau to be known as the ``Bureau of
Privacy'', which shall be of similar structure, size,
organization, and authority as the existing bureaus within the
Commission related to consumer protection and competition.
(2) Mission.--The mission of the Bureau established under
paragraph (1) shall be to assist the Commission in carrying out
the duties of the Commission under this Act and related duties
under other provisions of law.
(3) Timeline.--The Bureau required to be established under
paragraph (1) shall be established, staffed, and fully
operational not later than 1 year after the date of enactment
of this Act.
(b) Office of Business Mentorship.--The Director of the Bureau
established under subsection (a)(1) shall establish within the Bureau
an office to be known as the ``Office of Business Mentorship'' to
provide guidance and education to covered entities and service
providers regarding compliance with this Act. Covered entities or
service providers may request advice from the Commission or the Office
with respect to a course of action that the covered entity or service
provider proposes to pursue and that may relate to the requirements of
this Act.
(c) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in paragraphs
(3), (4), and (5), the Commission shall enforce this
Act and the regulations promulgated under this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act or a regulation promulgated under
this Act shall be subject to the penalties and entitled
to the privileges and immunities provided in the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(3) Limiting certain actions unrelated to this act.--If the
Commission brings a civil action alleging that an act or
practice violates this Act or a regulation promulgated under
this Act, the Commission may not seek a cease and desist order
against the same defendant under section 5(b) of the Federal
Trade Commission Act (15 U.S.C. 45(b)) to stop that same act or
practice on the grounds that such act or practice constitutes
an unfair or deceptive act or practice.
(4) Common carriers and nonprofit organizations.--
Notwithstanding any jurisdictional limitation of the Commission
with respect to consumer protection or privacy, the Commission
shall enforce this Act and the regulations promulgated under
this Act, in the same manner provided in paragraphs (1), (2),
(3), and (5), with respect to common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary thereto and organizations
not organized to carry on business for their own profit or that
of their members.
(5) Privacy and security victims relief fund.--
(A) Establishment.--There is established in the
Treasury of the United States a separate fund to be
known as the ``Privacy and Security Victims Relief
Fund'' (in this paragraph referred to as the ``Victims
Relief Fund'').
(B) Deposits.--Notwithstanding section 3302 of
title 31, United States Code, in any judicial or
administrative action to enforce this Act or a
regulation promulgated under this Act, the amount of
any civil penalty obtained against a covered entity or
service provider, or any other monetary relief ordered
to be paid by a covered entity or service provider to
provide redress, payment, compensation, or other relief
to individuals that cannot be located or the payment of
which would otherwise not be practicable, shall be
deposited into the Victims Relief Fund.
(C) Use of funds.--
(i) Use by commission.--Amounts in the
Victims Relief Fund shall be available to the
Commission, without fiscal year limitation, to
provide redress, payment, compensation, or
other monetary relief to individuals affected
by an act or practice for which relief has been
obtained under this Act.
(ii) Other permissible uses.--To the extent
that the individuals described in clause (i)
cannot be located or such redress, payments,
compensation, or other monetary relief are
otherwise not practicable, the Commission may
use such funds for the purpose of--
(I) funding the activities of the
Office of Business Mentorship
established under subsection (b); or
(II) engaging in technological
research that the Commission considers
necessary to enforce or administer this
Act.
SEC. 402. ENFORCEMENT BY STATES.
(a) Civil Action.--In any case in which the attorney general or
State Privacy Authority of a State has reason to believe that an
interest of the residents of that State has been, may be, or is
adversely affected by a violation of this Act or a regulation
promulgated under this Act by a covered entity or service provider, the
attorney general or State Privacy Authority may bring a civil action in
the name of the State, or as parens patriae on behalf of the residents
of the State. Any such action shall be brought exclusively in an
appropriate Federal district court of the United States to--
(1) enjoin such act or practice;
(2) enforce compliance with this Act or such regulation;
(3) obtain damages, civil penalties, restitution, or other
compensation on behalf of the residents of such State; or
(4) obtain reasonable attorneys' fees and other litigation
costs reasonably incurred.
(b) Rights of the Commission.--
(1) In general.--Except as provided in paragraph (2), the
attorney general or State Privacy Authority of a State shall
notify the Commission in writing prior to initiating a civil
action under subsection (a). Such notification shall include a
copy of the complaint to be filed to initiate such action. Upon
receiving such notification, the Commission may intervene in
such action as a matter of right pursuant to the Federal Rules
of Civil Procedure.
(2) Feasibility.--If the notification required by paragraph
(1) is not feasible, the attorney general or State Privacy
Authority shall notify the Commission immediately after
initiating the civil action.
(c) Actions by the Commission.--In any case in which a civil action
is instituted by or on behalf of the Commission for violation of this
Act or a regulation promulgated under this Act, no attorney general or
State Privacy Authority of a State may, during the pendency of such
action, institute a civil action against any defendant named in the
complaint in the action instituted by or on behalf of the Commission
for a violation of this Act or a regulation promulgated under this Act
that is alleged in such complaint, if such complaint alleges such
violation affected the residents of such State or individuals
nationwide. If the Commission brings a civil action against a covered
entity or service provider for a violation of this Act or a regulation
promulgated under this Act that affects the interests of the residents
of a State, the attorney general or State Privacy Authority of such
State may intervene in such action as a matter of right pursuant to the
Federal Rules of Civil Procedure.
(d) Rule of Construction.--Nothing in this section may be construed
to prevent the attorney general or State Privacy Authority of a State
from exercising the powers conferred on the attorney general or State
Privacy Authority to conduct investigations, to administer oaths or
affirmations, or to compel the attendance of witnesses or the
production of documentary or other evidence.
(e) Preservation of State Powers.--Except as provided in subsection
(c), nothing in this section may be construed as altering, limiting, or
affecting the authority of the attorney general or State Privacy
Authority of a State to--
(1) bring an action or other regulatory proceeding arising
solely under the law in effect in the State that is preempted
by this Act or under another applicable Federal law; or
(2) exercise the powers conferred on the attorney general
or State Privacy Authority by the laws of the State, including
the ability to conduct investigations, administer oaths or
affirmations, or compel the attendance of witnesses or the
production of documentary or other evidence.
SEC. 403. ENFORCEMENT BY PERSONS.
(a) Enforcement by Persons.--
(1) In general.--Beginning on the date that is 2 years
after the date on which this Act takes effect, any person or
class of persons for a violation of this Act or a regulation
promulgated under this Act by a covered entity or service
provider may bring a civil action against such entity in any
Federal court of competent jurisdiction.
(2) Relief.--In a civil action brought under paragraph (1)
in which a plaintiff prevails, the court may award the
plaintiff--
(A) an amount equal to the sum of any compensatory
damages;
(B) injunctive relief;
(C) declaratory relief; and
(D) reasonable attorney's fees and litigation
costs.
(3) Rights of the commission and state attorneys general.--
(A) In general.--Prior to a person bringing a civil
action under paragraph (1), such person shall notify
the Commission and the attorney general of the State
where such person resides in writing that such person
intends to bring a civil action under such paragraph.
Upon receiving such notice, the Commission and State
attorney general shall each or jointly make a
determination and respond to such person not later than
60 days after receiving such notice, as to whether they
will intervene in such action pursuant to the Federal
Rules of Civil Procedure. If a State attorney general
does intervene, they shall only be heard with respect
to the interests of the residents of their State.
(B) Retained authority.--Subparagraph (A) may not
be construed to limit the authority of the Commission
or any applicable State attorney general or State
Privacy Authority to later commence a proceeding or
civil action or intervene by motion if the Commission
or State attorney general or State Privacy Authority
does not commence a proceeding or civil action within
the 60-day period.
(C) Bad faith.--Any written communication from
counsel for an aggrieved party to a covered entity or
service provider requesting a monetary payment from
that covered entity or service provider regarding a
specific claim described in a letter sent pursuant to
subsection (d), not including filings in court
proceedings, arbitrations, mediations, judgment
collection processes, or other communications related
to previously initiated litigation or arbitrations,
shall be considered to have been sent in bad faith and
shall be unlawful as defined in this Act, if the
written communication was sent prior to the date that
is 60 days after either a State attorney general or the
Commission has received the notice required under
subparagraph (A).
(4) FTC study.--Beginning on the date that is 5 years after
the date of enactment of this Act and every 5 years thereafter,
the Commission's Bureau of Economics and Bureau of Privacy
shall assist the Commission in conducting a study to determine
the economic impacts in the United States of demand letters
sent pursuant to this section and the scope of the rights of a
person under this section to bring forth civil actions against
covered entities and service providers. Such study shall
include the following:
(A) The impact on insurance rates in the United
States.
(B) The impact on the ability of covered entities
to offer new products or services.
(C) The impact on the creation and growth of new
startup companies, including new technology companies.
(D) Any emerging risks, benefits, and long-term
trends in relevant marketplaces, supply chains, and
labor availability.
(E) The impact on reducing, preventing, or
remediating harms to individuals, including from fraud,
identity theft, spam, discrimination, defective
products, and violations of rights.
(F) The impact on the volume and severity of data
security incidents, and the ability to respond to data
security incidents.
(G) Other intangible direct and indirect costs and
benefits to individuals.
(5) Report to congress.--Not later than 5 years after the
first day on which persons and classes of persons are able to
bring civil actions under this subsection, and annually
thereafter, the Commission shall submit to the Committee on
Energy and Commerce of the House of Representatives and the
Committee on Commerce, Science, and Transportation of the
Senate a report that contains the results of the study
conducted under paragraph (4).
(b) Arbitration Agreements and Pre-dispute Joint Action Waivers.--
(1) Pre-dispute arbitration agreements.--
(A) Notwithstanding any other provision of law, no
pre-dispute arbitration agreement with respect to an
individual under the age of 18 is enforceable with
regard to a dispute arising under this Act.
(B) Notwithstanding any other provision of law, no
pre-dispute arbitration agreement is enforceable with
regard to a dispute arising under this Act concerning a
claim related to gender or partner-based violence or
physical harm.
(2) Pre-dispute joint-action waivers.--Notwithstanding any
other provision of law, no pre-dispute joint-action waiver with
respect to an individual under the age of 18 is enforceable
with regard to a dispute arising under this Act.
(3) Definitions.--For purposes of this subsection:
(A) Pre-dispute arbitration agreement.--The term
``pre-dispute arbitration agreement'' means any
agreement to arbitrate a dispute that has not arisen at
the time of the making of the agreement.
(B) Pre-dispute joint-action waiver.--The term
``pre-dispute joint-action waiver'' means an agreement,
whether or not part of a pre-dispute arbitration
agreement, that would prohibit or waive the right of 1
of the parties to the agreement to participate in a
joint, class, or collective action in a judicial,
arbitral, administrative, or other related forum,
concerning a dispute that has not yet arisen at the
time of the making of the agreement.
(c) Right to Cure.--
(1) Notice.--Subject to paragraph (3), with respect to a
claim under this section for--
(A) injunctive relief; or
(B) an action against a covered entity or service
provider that meets the requirements of section 209 of
this Act, such claim may be brought by a person or
class of persons if--prior to asserting such claim--the
person or class of persons provides to the covered
entity or service provider 45 days' written notice
identifying the specific provisions of this Act the
person or class of persons alleges have been or are
being violated.
(2) Effect of cure.--Subject to paragraph (3), in the event
a cure is possible, if within the 45 days the covered entity or
service provider demonstrates to the court that it has cured
the noticed violation or violations and provides the person or
class of persons an express written statement that the
violation or violations has been cured and that no further
violations shall occur, a claim for injunctive relief shall not
be permitted and may be reasonably dismissed.
(3) Rule of construction.--The notice described in
paragraph (1) and the reasonable dismissal in paragraph (2)
shall not apply more than once to any alleged underlying
violation by the same covered entity.
(d) Demand Letter.--If a person or identified members of a class
of persons represented by counsel in regard to an alleged violation or
violations of the Act has correspondence sent to a covered entity
or service provider by counsel alleging a violation or violations of
the provisions of this Act and requesting a monetary payment, such
correspondence shall include the following language: ``Please visit the
website of the Federal Trade Commission for a general description of
your rights under the American Data Privacy and Protection Act''
followed by a hyperlink to the webpage of the Commission required under
section 201. If such correspondence does not include such language and
hyperlink, a civil action brought under this section by such person or
identified members of the class of persons represented by counsel may
be dismissed without prejudice and shall not be reinstated until such
person or persons has complied with this subsection.
(e) Applicability.--
(1) In general.--This section shall only apply to a claim
alleging a violation of section 102, 104, 202, 203, 204,
205(a), 205(b), 206(b)(3)(C), 207(a), 208(a), or 302, or a
regulation promulgated under any such section.
(2) Exception.--This section shall not apply to any claim
against a covered entity that has less than $25,000,000 per
year in revenue, collects, processes, or transfers the covered
data of fewer than 50,000 individuals, and derives less than 50
percent of its revenue from transferring covered data.
SEC. 404. RELATIONSHIP TO FEDERAL AND STATE LAWS.
(a) Federal Law Preservation.--
(1) In general.--Nothing in this Act or a regulation
promulgated under this Act may be construed to limit--
(A) the authority of the Commission, or any other
Executive agency, under any other provision of law;
(B) any requirement for a common carrier subject to
section 64.2011 of title 47, Code of Federal
Regulations (or any successor regulation) regarding
information security breaches; or
(C) any other provision of Federal law, except as
otherwise provided in this Act.
(2) Antitrust savings clause.--
(A) Full application of the antitrust law.--Nothing
in this Act may be construed to modify, impair or
supersede the operation of the antitrust law or any
other provision of law.
(B) No immunity from the antitrust law.--Nothing in
the regulatory regime adopted by this Act shall be
construed as operating to limit any law deterring
anticompetitive conduct or diminishing the need for
full application of the antitrust law. Nothing in this
Act explicitly or implicitly precludes the application
of the antitrust law.
(C) Definition of antitrust law.--For purposes of
this section, the term antitrust law has the same
meaning as in subsection (a) of the first section of
the Clayton Act (15 U.S.C. 12), except that such term
includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that such section 5
applies to unfair methods of competition.
(3) Applicability of other privacy requirements.--A covered
entity that is required to comply with title V of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational
Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34,
Code of Federal Regulations) to the extent such covered entity
is a school as defined in 20 U.S.C. 1232g(a)(3) or 34 C.F.R.
99.1(a), section 444 of the General Education Provisions Act
(commonly known as the ``Family Educational Rights and Privacy
Act of 1974'') (20 U.S.C. 1232g) and part 99 of title 34, Code
of Federal Regulations (or any successor regulation), the
Confidentiality of Alcohol and Drug Abuse Patient Records at 42
U.S.C. 290dd-2 and its implementing regulations at 42 CFR part
2, the Genetic Information Non-discrimination Act (GINA), or
the regulations promulgated pursuant to section 264(c) of the
Health Insurance Portability and Accountability Act of 1996 (42
U.S.C. 1320d-2 note), and is in compliance with the data
privacy requirements of such regulations, part, title, or Act
(as applicable), shall be deemed to be in compliance with the
related requirements of this Act, except for section 208,
solely and exclusively with respect to data subject to the
requirements of such regulations, part, title, or Act. Not
later than 1 year after the date of enactment of this Act, the
Commission shall issue guidance describing the implementation
of this paragraph.
(4) Applicability of other data security requirements.--A
covered entity that is required to comply with title V of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), or the regulations
promulgated pursuant to section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
note), and is in compliance with the information security
requirements of such regulations, part, title, or Act (as
applicable), shall be deemed to be in compliance with the
requirements of section 208, solely and exclusively with
respect to data subject to the requirements of such
regulations, part, title, or Act. Not later than 1 year after
the date of enactment of this Act, the Commission shall issue
guidance describing the implementation of this paragraph.
(b) Preemption of State Laws.--
(1) In general.--No State or political subdivision of a
State may adopt, maintain, enforce, prescribe, or continue in
effect any law, regulation, rule, standard, requirement, or
other provision having the force and effect of law of any
State, or political subdivision of a State, covered by the
provisions of this Act, or a rule, regulation, or requirement
promulgated under this Act.
(2) State law preservation.--Paragraph (1) may not be
construed to preempt, displace, or supplant the following State
laws, rules, regulations, or requirements:
(A) Consumer protection laws of general
applicability, such as laws regulating deceptive,
unfair, or unconscionable practices, except that the
fact of a violation of this Act or a regulation
promulgated under this Act may not be pleaded as an
element of any violation of such a law.
(B) Civil rights laws.
(C) Provisions of laws, insofar as such provisions govern
the privacy rights or other protections of employees,
employee information, students, or student information.
(D) Laws that address notification requirements in
the event of a data breach.
(E) Contract or tort law.
(F) Criminal laws.
(G) Civil laws governing fraud, theft (including
identity theft), unauthorized access to information or
electronic devices, unauthorized use of information,
malicious behavior, or similar provisions of law.
(H) Civil laws regarding cyberstalking,
cyberbullying, nonconsensual pornography, sexual
harassment, child abuse material, child pornography,
child abduction or attempted child abduction, coercion
or enticement of a child for sexual activity, or child
sex trafficking.
(I) Public safety or sector specific laws unrelated
to privacy or security.
(J) Provisions of law, insofar as such provisions
address public records, criminal justice information
systems, arrest records, mug shots, conviction records,
or non-conviction records.
(K) Provisions of law, insofar as such provisions
address banking records, financial records, tax
records, Social Security numbers, credit cards,
consumer and credit reporting and investigations,
credit repair, credit clinics, or check-cashing
services.
(L) Provisions of law, insofar as such provisions
address facial recognition or facial recognition
technologies, electronic surveillance, wiretapping, or
telephone monitoring.
(M) The Biometric Information Privacy Act (740 ILCS
14 et seq.) and the Genetic Information Privacy Act
(410 ILCS 513 et seq.).
(N) Provisions of laws, insofar as such
provisions address unsolicited email or text
messages, telephone solicitation, or caller
identification.
(O) Provisions of laws, insofar as such
provisions address health information, medical
information, medical records, HIV status, or HIV
testing.
(P) Provisions of laws, insofar as such
provisions pertain to public health activities,
reporting, data, or services.
(Q) Provisions of law, insofar as such provisions
address the confidentiality of library records.
(R) Section 1798.150 of the California Civil Code
(as amended on November 3, 2020 by initiative
Proposition 24, Section 16).
(S) Laws pertaining to the use of encryption as a
means of providing data security.
(3) CPPA enforcement.--Notwithstanding any other provision
of law, the California Privacy Protection Agency established
under 1798.199.10(a) of the California Privacy Rights Act may
enforce this Act in the same manner it would otherwise
enforce the California Consumer Privacy Act, Section 1798.1050
et seq.
(4) Nonapplication of fcc privacy laws and regulations to
certain covered entities.--Notwithstanding any other provision
of law, sections 222, 338(i), and 631 of the Communications Act
of 1934 (47 U.S.C. 222; 338(i); 551), and any regulations and
orders promulgated by the Federal Communications Commission
under any such section, do not apply to any covered entity with
respect to the collection, processing, transfer, or security of
covered data or its equivalent, and the related privacy and
data security activities of a covered entity that would
otherwise be regulated under such sections shall be governed
exclusively by the provisions of this Act, except for--
(A) any emergency services, as defined in section 7
of the Wireless Communications and Public Safety Act of
1999 (47 U.S.C. 615b);
(B) subsections (b) and (g) of section 222 of the
Communications Act of 1934 (47 U.S.C. 222); and
(C) any obligation of an international treaty
related to the exchange of traffic implemented and
enforced by the Federal Communications Commission.
(c) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this Act, nor any amendment, standard, rule,
requirement, assessment, or regulation promulgated under this Act, may
be construed to preempt, displace, or supplant any Federal or State
common law rights or remedies, or any statute creating a remedy for
civil relief, including any cause of action for personal injury,
wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of the
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law.
SEC. 405. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act, and
the application of such provision to other persons not similarly
situated or to other circumstances, shall not be affected by the
invalidation.
SEC. 406. COPPA.
(a) In General.--Nothing in this Act may be construed to relieve or
change any obligation that a covered entity or other person may have
under the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.).
(b) Updated Regulations.--Not later than 180 days after the date of
enactment of this Act, the Commission shall amend its rules issued
pursuant to the regulations promulgated by the Commission under the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et
seq.) to make reference to the additional requirements placed on
covered entities under this Act, in addition to the requirements under
the Children's Online Privacy Protection Act of 1998 that may already
apply to certain covered entities.
SEC. 407. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Commission such sums
as may be necessary to carry out this Act.
SEC. 408. EFFECTIVE DATE.
This Act shall take effect on the date that is 180 days after the
date of enactment of this Act.