<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Reported-in-House" public-private="public" dms-id="H33E08FC46227480FA4663802EF78382D"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 HR 8152 RH: American Data Privacy and Protection Act</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2022-12-30</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">IB</distribution-code><calendar display="yes">Union Calendar No. 488</calendar><congress display="yes">117th CONGRESS</congress><session display="yes">2d Session</session><legis-num display="yes">H. R. 8152</legis-num><associated-doc role="report" display="yes">[Report No. 117–669]</associated-doc><current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber><action display="yes"><action-date date="20220621">June 21, 2022</action-date><action-desc><sponsor name-id="P000034">Mr. Pallone</sponsor> (for himself, <cosponsor name-id="M001159">Mrs. Rodgers of Washington</cosponsor>, <cosponsor name-id="S001145">Ms. Schakowsky</cosponsor>, and <cosponsor name-id="B001257">Mr. Bilirakis</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HIF00">Committee on Energy and Commerce</committee-name></action-desc></action><action display="yes"><action-date date="20221230">December 30, 2022</action-date><action-desc>Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed</action-desc><action-instruction>Strike out all after the enacting clause and insert the part printed in italic</action-instruction><action-instruction>For text of introduced bill, see copy of bill as introduced on June 21, 2022</action-instruction></action><action><action-desc><pagebreak></pagebreak></action-desc></action><legis-type>A BILL</legis-type><official-title display="yes">To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.<pagebreak></pagebreak></official-title></form><legis-body display-enacting-clause="yes-display-enacting-clause" changed="added" style="OLC" committee-id="HIF00" reported-display-style="italic" id="HB4FEECDAE8674F9D997C30501FF65E2B"><section id="H6D9362D2126049BFA099F9343F2F0B52" section-type="section-one"><enum>1.</enum><header>Short title; table of 
contents</header><subsection id="H89E67E563C734D39A84FA779BA020D35"><enum>(a)</enum><header>Short title</header><text>This Act may be cited as the <quote><short-title>American Data Privacy and Protection Act</short-title></quote>.</text></subsection><subsection id="H7AAAD726C81A4B029CA915EA1556F033"><enum>(b)</enum><header>Table of contents</header><text>The table of contents of this Act is as follows: </text><toc container-level="amendment-block-container" quoted-block="no-quoted-block" lowest-level="section" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded" changed="added" reported-display-style="italic" committee-id="HIF00"><toc-entry idref="H6D9362D2126049BFA099F9343F2F0B52" level="section">Sec. 1. Short title; table of contents.</toc-entry><toc-entry idref="H0299B60817D742978DC3C447CD110A88" level="section">Sec. 2. Definitions.</toc-entry><toc-entry idref="HD8DCEE1AA8F446AFBD8641F6FC728B0C" level="title">Title I—Duty of Loyalty</toc-entry><toc-entry idref="H542E13EE8BC04BD499D770C211E9D942" level="section">Sec. 101. Data minimization.</toc-entry><toc-entry idref="H6DC183488376404FAC7D3EBBAC52C467" level="section">Sec. 102. Loyalty duties.</toc-entry><toc-entry idref="H4C390C2B36CF4BDE8EBF715E809568D2" level="section">Sec. 103. Privacy by design.</toc-entry><toc-entry idref="H6EBCAE4642AA40B284E4A706E002ADBE" level="section">Sec. 104. Loyalty to individuals with respect to pricing.</toc-entry><toc-entry idref="HAE5D4E4985B64A1691A932DD8B3A5C3B" level="title">Title II—Consumer Data Rights</toc-entry><toc-entry idref="H30CC5A8D8E004F3EA94F35899BEBC9D7" level="section">Sec. 201. Consumer awareness.</toc-entry><toc-entry idref="HC352DC1AB7D5460AA815F8B562064CD9" level="section">Sec. 202. Transparency.</toc-entry><toc-entry idref="HBA3C89312046433D92297CB0CB30DE69" level="section">Sec. 203. Individual data ownership and control.</toc-entry><toc-entry idref="HBF7ED0857876400DABF57C93218116EB" level="section">Sec. 204. 
Right to consent and object.</toc-entry><toc-entry idref="H64B30A2785DC49CEAB27C1D6CF9340F3" level="section">Sec. 205. Data protections for children and minors.</toc-entry><toc-entry idref="H3CEF7AC223744644A5943EB24F0DC4BF" level="section">Sec. 206. Third-party collecting entities.</toc-entry><toc-entry idref="HD58970CD67B741C891BC0E71CD547070" level="section">Sec. 207. Civil rights and algorithms.</toc-entry><toc-entry idref="H13C0EF0ECD5A46F8A9BCC8714B8A2FC9" level="section">Sec. 208. Data security and protection of covered data.</toc-entry><toc-entry idref="H7CB14BADCFD8442D858F84BD9A6C85D6" level="section">Sec. 209. Small business protections.</toc-entry><toc-entry idref="HD71BB3915EDB43F98F9252B42860D2A5" level="section">Sec. 210. Unified opt-out mechanisms.</toc-entry><toc-entry idref="HFA4F33D3AEA54AADAB9FB1B8A4EC0FA6" level="title">Title III—Corporate Accountability</toc-entry><toc-entry idref="HE4967568C7724CB5A4DDC7502EA0BE62" level="section">Sec. 301. Executive responsibility.</toc-entry><toc-entry idref="H4E70FA93313C4C14B72DC44FF76CC1D1" level="section">Sec. 302. Service providers and third parties.</toc-entry><toc-entry idref="H14F56D5166754F41AB65EC2924175F74" level="section">Sec. 303. Technical compliance programs.</toc-entry><toc-entry idref="HE9E6AA642C6244799CC43090C636079C" level="section">Sec. 304. Commission approved compliance guidelines.</toc-entry><toc-entry idref="H6BEF1017EC454F41AB98870BD2E40401" level="section">Sec. 305. Digital content forgeries.</toc-entry><toc-entry idref="H67D3B1AB6E2B48059724281F018B8A1C" level="title">Title IV—Enforcement, Applicability, and Miscellaneous</toc-entry><toc-entry idref="HDBCB15A93DBA439F9F8B63258619198F" level="section">Sec. 401. Enforcement by the Federal Trade Commission.</toc-entry><toc-entry idref="H401445A1EE9745D7B69A8CB34C7D1708" level="section">Sec. 402. Enforcement by States.</toc-entry><toc-entry idref="H862667E090604F50A3698B3D94E6BC82" level="section">Sec. 403. 
Enforcement by persons.</toc-entry><toc-entry idref="HB512E26C49274B20A17C81D17DE0892E" level="section">Sec. 404. Relationship to Federal and State laws.</toc-entry><toc-entry idref="HE56D95261FAD45559D10CAB5295B14FC" level="section">Sec. 405. Severability.</toc-entry><toc-entry idref="H580ECFA3277D49DEAFE083AA1B7F6C91" level="section">Sec. 406. COPPA.</toc-entry><toc-entry idref="HFB1978E38769431E98567FE8851BF3E3" level="section">Sec. 407. Authorization of appropriations.</toc-entry><toc-entry idref="H668072D8DBBD4EBCBE20CE5DB213D8B3" level="section">Sec. 408. Effective date.</toc-entry></toc></subsection></section><section id="H0299B60817D742978DC3C447CD110A88"><enum>2.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text><paragraph id="H8BEF7CD0243C43A2B857FD61DBBB85B8"><enum>(1)</enum><header>Affirmative express consent</header><subparagraph id="H84FE028658AE43CA980F4E78DE254EBB"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <quote>affirmative express consent</quote> means an affirmative act by an individual that clearly communicates the individual’s freely given, specific, and unambiguous authorization for an act or practice after having been informed, in response to a specific request from a covered entity that meets the requirements of subparagraph (B).</text></subparagraph><subparagraph id="H00BC5563B23B4021B01DAA67F70DA6A0"><enum>(B)</enum><header>Request requirements</header><text>The requirements of this subparagraph with respect to a request from a covered entity to an individual are the following:</text><clause id="H6D28B6EFAABC4E47949323E8AF23A343"><enum>(i)</enum><text display-inline="yes-display-inline">The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used to offer the covered entity’s product or service, or only if the product or service is not offered in a medium that permits the making 
of the request under this paragraph, another medium regularly used in conjunction with the covered entity’s product or service.</text></clause><clause id="H5F4F8D77E72746A8A3BE7D53A0BD95D8"><enum>(ii)</enum><text display-inline="yes-display-inline">The request includes a description of the processing purpose for which the individual’s consent is sought and—</text><subclause id="H6F5702A84D3B4069B516CFB9D01434E5"><enum>(I)</enum><text display-inline="yes-display-inline">clearly states the specific categories of covered data that the covered entity shall collect, process, and transfer necessary to effectuate the processing purpose; and</text></subclause><subclause id="HE200F0D941A245F7843F4AA4FB1971CF"><enum>(II)</enum><text>includes a prominent heading and is written in easy-to-understand language that would enable a reasonable individual to identify and understand the processing purpose for which consent is sought and the covered data to be collected, processed, or transferred by the covered entity for such processing purpose.</text></subclause></clause><clause id="HA6F4B8EF271046B3BC4527CEC4437F8F"><enum>(iii)</enum><text>The request clearly explains the individual’s applicable rights related to consent.</text></clause><clause id="HF2B4B929F0D147EDBB7B4507A3AD681F"><enum>(iv)</enum><text display-inline="yes-display-inline">The request is made in a manner reasonably accessible to and usable by individuals with disabilities.</text></clause><clause id="H48E1E30F4D6448A5821E649B7E498EDF"><enum>(v)</enum><text display-inline="yes-display-inline">The request is made available to the individual in each covered language in which the covered entity provides a product or service for which authorization is sought.</text></clause><clause id="H04C2A2AB588B44A0A3B9ADCCA485A42E"><enum>(vi)</enum><text>The option to refuse consent shall be at least as prominent as the option to accept, and the option to refuse consent shall take the same number of steps or fewer as the option to 
accept.</text></clause><clause id="H6CB11E2E125B475BBD3DFFDE8F058B96" commented="no"><enum>(vii)</enum><text>Processing or transferring any covered data collected pursuant to affirmative express consent for a different processing purpose than that for which affirmative express consent was obtained shall require affirmative express consent for the subsequent processing purpose.</text></clause></subparagraph><subparagraph id="HFFDBBB08E5C94CEB9408A76FF6AA9919"><enum>(C)</enum><header>Express consent required</header><text>A covered entity may not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the covered entity.</text></subparagraph><subparagraph id="HB30E2F47FFB64639AD9369C9423ED000"><enum>(D)</enum><header>Pretextual consent prohibited</header><text>A covered entity may not obtain or attempt to obtain the affirmative express consent of an individual through—</text><clause id="HFF9B0FD5F7A34046BF7C0F239FD44BB0"><enum>(i)</enum><text>the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or</text></clause><clause id="HA10339D56766420EA165ED1333804FAB"><enum>(ii)</enum><text>the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to provide such consent or any covered data.</text></clause></subparagraph></paragraph><paragraph id="HB922EDB089154173A10D26E93CC5CB89"><enum>(2)</enum><header>Authentication</header><text>The term <quote>authentication</quote> means the process of verifying an individual or entity for security purposes.</text></paragraph><paragraph id="HFD932227B5A14B4497B6D9023F62D0F0"><enum>(3)</enum><header>Biometric information</header><subparagraph id="H8A1D3FC2D5E54681AC455513AB9E6023"><enum>(A)</enum><header>In 
general</header><text>The term <quote>biometric information</quote> means any covered data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including—</text><clause id="H29A9E07AA9714F919EB371089B2A62BF"><enum>(i)</enum><text>fingerprints;</text></clause><clause id="H4B3E8D8B639846C38100882894ABA8FA"><enum>(ii)</enum><text>voice prints;</text></clause><clause id="H564B4209DBE34915A0D3E2088C6D5855"><enum>(iii)</enum><text>iris or retina scans;</text></clause><clause id="HB1B16FE4407B45858F7B056C1381422B"><enum>(iv)</enum><text>facial or hand mapping, geometry, or templates; or</text></clause><clause id="H212F7B50402B4733B13D298A5F1A984D"><enum>(v)</enum><text>gait or personally identifying physical movements.</text></clause></subparagraph><subparagraph id="H56FB8C5293464D04BEB38E5C969C0376"><enum>(B)</enum><header>Exclusion</header><text>The term <quote>biometric information</quote> does not include—</text><clause id="H5557423DC85A4D7E99F4D0F5519D0580"><enum>(i)</enum><text>a digital or physical photograph;</text></clause><clause id="HD3735223365F4D6E8232B79E2E701205"><enum>(ii)</enum><text>an audio or video recording; or</text></clause><clause id="HD3E33B0611D747DDAA7A0E71EA065600"><enum>(iii)</enum><text>data generated from a digital or physical photograph, or an audio or video recording, that cannot be used to identify an individual.</text></clause></subparagraph></paragraph><paragraph id="H784B9B7EB02A4A2F9C247BAFB8095186"><enum>(4)</enum><header>Collect; collection</header><text>The terms <quote>collect</quote> and <quote>collection</quote> mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means.</text></paragraph><paragraph id="H2DE7F7D1721D4A82BC89DCEF98CED3FA"><enum>(5)</enum><header>Commission</header><text>The term <quote>Commission</quote> means the Federal Trade 
Commission.</text></paragraph><paragraph id="H90266C31ABD2426F8AEE79965F48FEF7"><enum>(6)</enum><header>Control</header><text>The term <quote>control</quote> means, with respect to an entity—</text><subparagraph id="H3C00EA814B9948C7984A40D925D58436"><enum>(A)</enum><text>ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;</text></subparagraph><subparagraph id="H34D98DC33A67476B8FA548BCBDCA88CD"><enum>(B)</enum><text>control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or</text></subparagraph><subparagraph id="HC9C592F549F841A28C8F173C13208E29"><enum>(C)</enum><text>the power to exercise a controlling influence over the management of the entity.</text></subparagraph></paragraph><paragraph id="H84AFDD8F06A74E1E9A6E0996EE541853"><enum>(7)</enum><header>Covered algorithm</header><text>The term <quote>covered algorithm</quote> means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational processing techniques of similar or greater complexity and that makes a decision or facilitates human decision-making with respect to covered data, including to determine the provision of products or services or to rank, order, promote, recommend, amplify, or similarly determine the delivery or display of information to an individual.</text></paragraph><paragraph id="HBDA4E9E0DAD84ACE916CF49949BB1DD6"><enum>(8)</enum><header>Covered data</header><subparagraph id="H44256B14FF2E45E2A91F57ED064B2B56"><enum>(A)</enum><header>In general</header><text>The term <quote>covered data</quote> means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique persistent 
identifiers.</text></subparagraph><subparagraph id="H079249AF48CD4B6FB64B61E75A8006DD"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>covered data</quote> does not include—</text><clause id="H63B6B717125E4B3983AC05E7F4A16284"><enum>(i)</enum><text>de-identified data;</text></clause><clause id="H5E4F1BBE35D943FB8994BAB327D4EF5F"><enum>(ii)</enum><text>employee data;</text></clause><clause id="H139FA2469965424BAD794525143CB976"><enum>(iii)</enum><text display-inline="yes-display-inline">publicly available information; or</text></clause><clause id="H97255223D4884AA9BBB26BAAB739AED3"><enum>(iv)</enum><text>inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.</text></clause></subparagraph><subparagraph id="H69D26F384AC9411A95FD74E1C42EBFD8"><enum>(C)</enum><header>Employee data defined</header><text>For purposes of subparagraph (B), the term <quote>employee data</quote> means—</text><clause id="H1229F72603114C79BCA1C45FCB776A89"><enum>(i)</enum><text>information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant in the course of the application, or hiring process, if such information is collected, processed, or transferred by the prospective employer solely for purposes related to the employee’s status as a current or former job applicant of such employer;</text></clause><clause id="HD3FEDCF379E44240A705DA0EF9675F47"><enum>(ii)</enum><text display-inline="yes-display-inline">information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer;</text></clause><clause id="H6BB27029DDA640A2ADE343F91CBF08AB" commented="no"><enum>(iii)</enum><text 
display-inline="yes-display-inline">the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or business email address that is provided to an employer by an employee who is acting in a professional capacity, if such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer;</text></clause><clause id="HFA6241B0FC0A4B94A9AD7BF128640122"><enum>(iv)</enum><text display-inline="yes-display-inline">emergency contact information collected by an employer that relates to an employee of that employer, if such information is collected, processed, or transferred solely for the purpose of having an emergency contact on file for the employee and for processing or transferring such information in case of an emergency; or</text></clause><clause id="H3398E752CC494DD3B290E165AAFA301C"><enum>(v)</enum><text>information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is necessary for the employer to collect, process, or transfer solely for the purpose of administering benefits to which such employee (or spouse, dependent, other covered family member, or beneficiary of such employee) is entitled on the basis of the employee’s position with that employer.</text></clause></subparagraph></paragraph><paragraph id="H4CE0679CABDD4AFCB2E8DDE0078F7EBD" commented="no"><enum>(9)</enum><header>Covered entity</header><subparagraph id="H4EBB7DDEB7B147DDA8279265CDF5CA14" commented="no"><enum>(A)</enum><header>In general</header><text>The term <quote>covered entity</quote>—</text><clause id="H250E8FBFC1674A3EA10298A99937A3D6" commented="no"><enum>(i)</enum><text>means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or 
transferring covered data and—</text><subclause id="H97CD3950F3BD4E75A2DD3E6DB23AFB7D" commented="no"><enum>(I)</enum><text>is subject to the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>);</text></subclause><subclause id="H12BA74FCC1AB4862BADEA4D3F0D62BED" commented="no"><enum>(II)</enum><text>is a common carrier subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151 et seq.</external-xref>) and all Acts amendatory thereof and supplementary thereto; or</text></subclause><subclause id="H197FACFA55C24FC98DA5EB62BF3A0E2D" commented="no"><enum>(III)</enum><text>is an organization not organized to carry on business for its own profit or that of its members; and</text></subclause></clause><clause id="HFB163554F981421381696CD15237DC72" commented="no"><enum>(ii)</enum><text>includes any entity or person that controls, is controlled by, or is under common control with the covered entity.</text></clause></subparagraph><subparagraph id="HFE6895263D4749929BC4E3A817F4DBE7" commented="no"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>covered entity</quote> does not include—</text><clause id="HBCDF304B0F4846A2BDF6F399100653DE" commented="no"><enum>(i)</enum><text display-inline="yes-display-inline">a Federal, State, Tribal, territorial, or local government entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal Government or a State, Tribal, territorial, or local government;</text></clause><clause id="H40F0677F2333447EA64301E0B94A4D2D" commented="no"><enum>(ii)</enum><text display-inline="yes-display-inline">a person or an entity that is collecting, processing, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity, in so far as such person or entity is acting as a service provider to the government entity; 
or</text></clause><clause id="H1C6B74FC53734522BADA296FFC4710EE" commented="no"><enum>(iii)</enum><text display-inline="yes-display-inline">an entity that serves as a congressionally designated nonprofit, national resource center, and clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.</text></clause></subparagraph><subparagraph id="H740A0BDC3CEF4DB5B078A61FF311860B"><enum>(C)</enum><header>Non-application to service providers</header><text>An entity shall not be considered to be a covered entity for purposes of this Act in so far as the entity is acting as a service provider (as defined in paragraph (29)).</text></subparagraph></paragraph><paragraph id="H7F4EA01B4EEA46E5870EB86E0E7E1449"><enum>(10)</enum><header>Covered language</header><text>The term <quote>covered language</quote> means the ten languages with the most users in the United States, according to the most recent United States Census.</text></paragraph><paragraph id="H5D1011809A9E4BF9AEFB73E1F10BF1D8"><enum>(11)</enum><header>Covered minor</header><text>The term <quote>covered minor</quote> means an individual under the age of 17.</text></paragraph><paragraph id="H5694923C7C8E4B438B57D2F894ECEC95"><enum>(12)</enum><header>De-identified data</header><text display-inline="yes-display-inline">The term <quote>de-identified data</quote> means information that does not identify and is not linked or reasonably linkable to a distinct individual or a device, regardless of whether the information is aggregated, and if the covered entity or service provider—</text><subparagraph id="HDE799BD4C7D64802A7C80AC656036E95"><enum>(A)</enum><text display-inline="yes-display-inline">takes reasonable technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;</text></subparagraph><subparagraph 
id="HB7A3AA24C1B245E18354A4221BE08281"><enum>(B)</enum><text>publicly commits in a clear and conspicuous manner—</text><clause id="H6DD79CD50AAD4F0C93D712DEA2F95BD9"><enum>(i)</enum><text>to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and</text></clause><clause id="H363AE187A1814DB3B547656E17A2E85B"><enum>(ii)</enum><text display-inline="yes-display-inline">to not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and</text></clause></subparagraph><subparagraph id="H642199270251402286A5F856C4EAB6BB"><enum>(C)</enum><text display-inline="yes-display-inline">contractually obligates any person or entity that receives the information from the covered entity or service provider—</text><clause id="HD4B6A51EFDBE49998637C29A629B298D"><enum>(i)</enum><text display-inline="yes-display-inline">to comply with all of the provisions of this paragraph with respect to the information; and</text></clause><clause id="H9A702F4F43C24E589F2B46FE2CC206EF"><enum>(ii)</enum><text display-inline="yes-display-inline">to require that such contractual obligations be included contractually in all subsequent instances for which the data may be received.</text></clause></subparagraph></paragraph><paragraph id="H2C3C1AC15ABF4630A00B3260A6EB4466"><enum>(13)</enum><header>Derived data</header><text>The term <quote>derived data</quote> means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about an individual or an individual’s device.</text></paragraph><paragraph id="H7BD076D0A2D94BE5A5F9197BDC425C6C"><enum>(14)</enum><header>Device</header><text display-inline="yes-display-inline">The term <quote>device</quote> means any electronic equipment capable of collecting, processing, or 
transferring covered data that is used by one or more individuals.</text></paragraph><paragraph id="HA27CA9680AEF4979AE23A307A9790A5F"><enum>(15)</enum><header>Employee</header><text display-inline="yes-display-inline">The term <quote>employee</quote> means an individual who is an employee, director, officer, staff member, individual working as an independent contractor that is not a service provider, trainee, volunteer, or intern of an employer, regardless of whether such individual is paid, unpaid, or employed on a temporary basis.</text></paragraph><paragraph id="H66B0F4F92F584A05A279E0616FB51DBC"><enum>(16)</enum><header>Executive agency</header><text>The term <quote>Executive agency</quote> has the meaning given such term in section 105 of title 5, United States Code.</text></paragraph><paragraph id="H4EEF369DD2A64CF78EB8C29D7082A8FB" commented="no"><enum>(17)</enum><header>First party advertising or marketing</header><text>The term <quote>first party advertising or marketing</quote> means advertising or marketing conducted by a first party either through direct communications with a user such as direct mail, email, or text message communications, or advertising or marketing conducted entirely within the first-party context, such as in a physical location operated by the first party, or on a web site or app operated by the first party.</text></paragraph><paragraph id="HB81AE9C2EBE04A439CACEABFD34A5B3F"><enum>(18)</enum><header>Genetic information</header><text>The term <quote>genetic information</quote> means any covered data, regardless of its format, that concerns an individual’s genetic characteristics, including—</text><subparagraph id="H731DA4EE13114506A77D976612A4320E"><enum>(A)</enum><text display-inline="yes-display-inline">raw sequence data that results from the sequencing of the complete, or a portion of the, extracted deoxyribonucleic acid (DNA) of an individual; or</text></subparagraph><subparagraph 
id="H3A3C026EC963493C853A4690A1D861D7"><enum>(B)</enum><text>genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (A).</text></subparagraph></paragraph><paragraph id="H77AE446091CF4ED98D23AFDB97558A67"><enum>(19)</enum><header>Individual</header><text>The term <quote>individual</quote> means a natural person residing in the United States.</text></paragraph><paragraph id="H05F86BB5204745439172A4B4A9D08B29" commented="no"><enum>(20)</enum><header>Knowledge</header><subparagraph id="H05AD70DAF924426A8DBB146F3986B71F" commented="no"><enum>(A)</enum><header>In general</header><text>The term <quote>knowledge</quote> means—</text><clause id="H184BCCBEF71044F7ADF441FF5DE74ECF" commented="no"><enum>(i)</enum><text>with respect to a covered entity that is a covered high-impact social media company, the entity knew or should have known the individual was a covered minor;</text></clause><clause id="HB854371CD35748CFAE6C0D3C13061693" commented="no"><enum>(ii)</enum><text display-inline="yes-display-inline">with respect to a covered entity or service provider that is a large data holder, and otherwise is not a covered high-impact social media company, that the covered entity knew or acted in willful disregard of the fact that the individual was a covered minor; and</text></clause><clause id="H566EB1EA00D14CBDB0A476051D2585F4" commented="no"><enum>(iii)</enum><text>with respect to a covered entity or service provider that does not meet the requirements of clause (i) or (ii), actual knowledge.</text></clause></subparagraph><subparagraph id="H7855FA26F04A4B2595B3A44639EC6EC0" commented="no"><enum>(B)</enum><header>Covered high-impact social media company</header><text>For purposes of this paragraph, the term <quote>covered high-impact social media company</quote> means a covered entity that provides any internet-accessible platform where—</text><clause id="HC8EA8220B74548E6A9071C49253AB2B1" 
commented="no"><enum>(i)</enum><text>such covered entity generates $3,000,000,000 or more in annual revenue;</text></clause><clause id="HE541DAB1B2CF4ADB956E3B69688ABA72" commented="no"><enum>(ii)</enum><text>such platform has 300,000,000 or more monthly active users for not fewer than 3 of the preceding 12 months on the online product or service of such covered entity; and</text></clause><clause id="HFC72A6BD97BD47D3A062693639EA775D" commented="no"><enum>(iii)</enum><text>such platform constitutes an online product or service that is primarily used by users to access or share user-generated content.</text></clause></subparagraph></paragraph><paragraph id="H10EC447095A842669172026EFA4749BF" commented="no"><enum>(21)</enum><header>Large data holder</header><subparagraph id="HCDFF1D7E07A149E1AF7707126821CD8B" commented="no"><enum>(A)</enum><header>In general</header><text>The term <quote>large data holder</quote> means a covered entity or service provider that, in the most recent calendar year—</text><clause id="H5C806E110366465FB3A7ADBF6062EE36" commented="no"><enum>(i)</enum><text>had annual gross revenues of $250,000,000 or more; and</text></clause><clause id="HB39BC50B575D477D955E934CBFDA8292" commented="no"><enum>(ii)</enum><text>collected, processed, or transferred—</text><subclause id="HA3EB9BF6231C46CF832ABF0DD832726B" commented="no"><enum>(I)</enum><text display-inline="yes-display-inline">the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals, excluding covered data collected and processed solely for the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested product or service; and</text></subclause><subclause id="HF56BBCCFF694457B8E0E4784B3288803" commented="no"><enum>(II)</enum><text>the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to 1 
or more individuals.</text></subclause></clause></subparagraph><subparagraph id="H0A6AADD342AC441E960E7442DCA07D0C" commented="no"><enum>(B)</enum><header>Exclusions</header><text>The term <quote>large data holder</quote> does not include any instance in which the covered entity or service provider would qualify as a large data holder solely on the basis of collecting or processing—</text><clause id="H27D1FCD5761241618354873923E49588" commented="no"><enum>(i)</enum><text>personal email addresses;</text></clause><clause id="H549212811733481F86E16F55FD91ED6C" commented="no"><enum>(ii)</enum><text>personal telephone numbers; or</text></clause><clause id="H9E2BF55770E04E7ABA83D745E9FECB5C" commented="no"><enum>(iii)</enum><text>log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity or service provider.</text></clause></subparagraph><subparagraph id="H683442E431764D4D804113C24EC8C44F" commented="no"><enum>(C)</enum><header>Revenue</header><text display-inline="yes-display-inline">For purposes of determining whether any covered entity or service provider is a large data holder, the term <quote>revenue</quote>, with respect to any covered entity or service provider that is not organized to carry on business for its own profit or that of its members—</text><clause id="H7E8A78E39A2C49878D3CA907A78529F5" commented="no"><enum>(i)</enum><text display-inline="yes-display-inline">means the gross receipts the covered entity or service provider received, in whatever form, from all sources, without subtracting any costs or expenses; and</text></clause><clause id="H90470C9153D44AD8BD84D7F55DAAA1CE" commented="no"><enum>(ii)</enum><text>includes contributions, gifts, grants, dues or other assessments, income from investments, and proceeds from the sale of real or personal property.</text></clause></subparagraph></paragraph><paragraph 
id="HCDD4734F8AF54570884A4E282740F79A"><enum>(22)</enum><header>Market research</header><text>The term <quote>market research</quote> means the collection, processing, or transfer of covered data as reasonably necessary and proportionate to investigate the market for or marketing of products, services, or ideas, where the covered data is not—</text><subparagraph id="H0212F9B234EB4ED69EEB435EE009EE19"><enum>(A)</enum><text>integrated into any product or service;</text></subparagraph><subparagraph id="H449A136430034B2CB7982D71AF400408"><enum>(B)</enum><text>otherwise used to contact any individual or individual’s device; or</text></subparagraph><subparagraph id="H39F5C770A7D94856BD1A459A2DC4DF11"><enum>(C)</enum><text>used to advertise or market to any individual or individual’s device.</text></subparagraph></paragraph><paragraph id="H4D87053BFAC54708B7A50B1DAA245DCE"><enum>(23)</enum><header>Material</header><text>The term <quote>material</quote> means, with respect to an act, practice, or representation of a covered entity (including a representation made by the covered entity in a privacy policy or similar disclosure to individuals) involving the collection, processing, or transfer of covered data, that such act, practice, or representation is likely to affect a reasonable individual’s decision or conduct regarding a product or service.</text></paragraph><paragraph id="H2A389ABB755342BE8B9339ACDB561F29"><enum>(24)</enum><header>Precise geolocation information</header><subparagraph id="H4B7EE4E12E3D4D7AA81A82BE2374E509"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <quote>precise geolocation information</quote> means information that is derived from a device or technology that reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, with sufficient precision to identify street level location information of an individual or 
device or the location of an individual or device within a range of 1,850 feet or less.</text></subparagraph><subparagraph id="HA43B3E6E6C5F4C9AAAF1C348D9873C54"><enum>(B)</enum><header>Exclusion</header><text display-inline="yes-display-inline">The term <quote>precise geolocation information</quote> does not include geolocation information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image. </text></subparagraph></paragraph><paragraph id="HCFC8F1A7CDA54208B36F3C237BCA4D43"><enum>(25)</enum><header>Process</header><text>The term <quote>process</quote> means to conduct or direct any operation or set of operations performed on covered data, including analyzing, organizing, structuring, retaining, storing, using, or otherwise handling covered data.</text></paragraph><paragraph id="H89B54B497E7D4A0FB8C2BDAB3D8B8FEC"><enum>(26)</enum><header>Processing purpose</header><text display-inline="yes-display-inline">The term <quote>processing purpose</quote> means a reason for which a covered entity or service provider collects, processes, or transfers covered data that is specific and granular enough for a reasonable individual to understand the material facts of how and why the covered entity or service provider collects, processes, or transfers the covered data.</text></paragraph><paragraph id="H7CDAC96F087A4C36BC6ABF5330956F91"><enum>(27)</enum><header>Publicly available information</header><subparagraph id="H484CAB4626E143449C2AA22F56907139"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">The term <quote>publicly available information</quote> means any information that a covered entity or service provider has a reasonable basis to believe has been lawfully made available to the general public from—</text><clause id="HF23408CA133E4E3CA2CE023139D23E5A"><enum>(i)</enum><text>Federal, State, or local government records, if the covered entity 
collects, processes, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;</text></clause><clause id="HA6AA5D71465B41C5B68E3E9D50479F4B"><enum>(ii)</enum><text>widely distributed media;</text></clause><clause id="H3D4CB01805F6417886D6B0C0F203AE85"><enum>(iii)</enum><text display-inline="yes-display-inline">a website or online service made available to all members of the public, for free or for a fee, including where all members of the public, for free or for a fee, can log in to the website or online service;</text></clause><clause id="H77BACF7F5E49499BA1D51DE7575D01F0"><enum>(iv)</enum><text>a disclosure that has been made to the general public as required by Federal, State, or local law; or</text></clause><clause id="HA057B9B84B9B4495B9E59D715F57ED3B"><enum>(v)</enum><text display-inline="yes-display-inline">the visual observation of the physical presence of an individual or a device in a public place, not including data collected by a device in the individual’s possession.</text></clause></subparagraph><subparagraph id="HB7E48FEFCF8545919E2D8968EEDCC777"><enum>(B)</enum><header>Clarifications; limitations</header><clause id="H0964544D40DA4E33AA0AE0C69E9ED6C1"><enum>(i)</enum><header>Available to all members of the public</header><text>For purposes of this paragraph, information from a website or online service is not available to all members of the public if the individual who made the information available via the website or online service has restricted the information to a specific audience.</text></clause><clause id="H56BE26971DD6438387E63C75CAA150C0"><enum>(ii)</enum><header>Other limitations</header><text>The term <quote>publicly available information</quote> does not include—</text><subclause id="HC72ED370BD704195AEEDF55CF6E83391"><enum>(I)</enum><text>any obscene visual depiction (as defined in section 1460 of title 18, United States 
Code);</text></subclause><subclause id="H07F3805336BA46FDBE0B429D2CDD9CBF" commented="no"><enum>(II)</enum><text>any inference made exclusively from multiple independent sources of publicly available information that reveals sensitive covered data with respect to an individual; </text></subclause><subclause id="H05145D0977D34CD48E1717D5D30381A9"><enum>(III)</enum><text>biometric information;</text></subclause><subclause id="HF9D3238DE79F47B4B8C56E752F8814E2"><enum>(IV)</enum><text>publicly available information that has been combined with covered data; </text></subclause><subclause id="H074C82848ABC414EA251B4BAC2E493C1" commented="no"><enum>(V)</enum><text display-inline="yes-display-inline">genetic information, unless otherwise made available by the individual to whom the information pertains as described in clause (ii) or (iii) of subparagraph (A); or</text></subclause><subclause id="H92F7A50D1C3640B1AA7084898F57E23A"><enum>(VI)</enum><text>intimate images known to be nonconsensual.</text></subclause></clause></subparagraph></paragraph><paragraph id="HEE8254574AF3413F98926DB8F8B6E668"><enum>(28)</enum><header>Sensitive covered data</header><subparagraph id="H9866198B36CE4EA48219BCFEC890909C"><enum>(A)</enum><header>In general</header><text>The term <quote>sensitive covered data</quote> means the following types of covered data:</text><clause id="H8228FF01B7FD41F294F8EE143496AB18"><enum>(i)</enum><text>A government-issued identifier, such as a Social Security number, passport number, or driver’s license number, that is not required by law to be displayed in public.</text></clause><clause id="H4F253A7E7B3C4BC9912C0E6601570FE2"><enum>(ii)</enum><text>Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.</text></clause><clause id="HF1B8B6CBAB784C25A6468FF50EBE9F26"><enum>(iii)</enum><text display-inline="yes-display-inline">A financial 
account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual, except that the last four digits of a debit or credit card number shall not be deemed sensitive covered data.</text></clause><clause id="HBD1FF37BF2B2473B9F0F1AA69381FFF7"><enum>(iv)</enum><text>Biometric information.</text></clause><clause id="HE5666244B68C48F49172967F134B8D97"><enum>(v)</enum><text>Genetic information.</text></clause><clause id="H85CF44E4037F4C80B0EA86B7A6E006F7"><enum>(vi)</enum><text>Precise geolocation information.</text></clause><clause id="HF61E0AD80FCD402087B1AB09AE59BB78"><enum>(vii)</enum><text display-inline="yes-display-inline">An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such communications, voice communications, video communications, and any information that pertains to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the covered entity or a service provider acting on behalf of the covered entity is the sender or an intended recipient of the communication. 
Communications are not private for purposes of this clause if such communications are made from or to a device provided by an employer to an employee insofar as such employer provides conspicuous notice that such employer may access such communications.</text></clause><clause id="H1FDB0B4AB274405C99F989CB2649AF3F"><enum>(viii)</enum><text>Account or device log-in credentials, or security or access codes for an account or device.</text></clause><clause id="H4B0F996A52C44A8593B2F70E67ECD0CA"><enum>(ix)</enum><text display-inline="yes-display-inline">Information identifying the sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the collection, processing, or transfer of such information.</text></clause><clause id="HB7904C25D4BF4A298369A49FFCBB99CE"><enum>(x)</enum><text display-inline="yes-display-inline">Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location. Such information is not sensitive for purposes of this paragraph if such information is sent from or to a device provided by an employer to an employee insofar as such employer provides conspicuous notice that it may access such information.</text></clause><clause id="H0850E0CC5B53418D85BFDDFBB153FD49"><enum>(xi)</enum><text>A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.</text></clause><clause id="H5A2F2887CAC046BD8B0E2D62BA440720"><enum>(xii)</enum><text display-inline="yes-display-inline">Information revealing the video content requested or selected by an individual collected by a covered entity that is not a provider of a service described in section 102(4). 
This clause does not include covered data used solely for transfers for independent video measurement. </text></clause><clause id="HC9E541D3308A4370B12E157741D81B13"><enum>(xiii)</enum><text display-inline="yes-display-inline">Information about an individual when the covered entity or service provider has knowledge that the individual is a covered minor.</text></clause><clause id="H1B22720494E34450A1AC443504F84C89"><enum>(xiv)</enum><text display-inline="yes-display-inline">An individual’s race, color, ethnicity, religion, or union membership.</text></clause><clause id="HF6C0DFAF5D90448FB9F37FC175ECA9D3"><enum>(xv)</enum><text display-inline="yes-display-inline">Information identifying an individual’s online activities over time and across third party websites or online services.</text></clause><clause id="H6865E92A88A24FB3A44AFF23598296B0"><enum>(xvi)</enum><text>Any other covered data collected, processed, or transferred for the purpose of identifying the types of covered data listed in clauses (i) through (xv).</text></clause></subparagraph><subparagraph id="H6CC5420A92794862A10885EC24EE43B5"><enum>(B)</enum><header>Rulemaking</header><text>The Commission may commence a rulemaking pursuant to section 553 of title 5, United States Code, to include in the definition of <quote>sensitive covered data</quote> any other type of covered data that may require a similar level of protection as the types of covered data listed in clauses (i) through (xvi) of subparagraph (A) as a result of any new method of collecting, processing, or transferring covered data.</text></subparagraph></paragraph><paragraph id="H8A1EE01B0BBB4B2890A9593BBAD478D1" commented="no"><enum>(29)</enum><header>Service provider</header><subparagraph id="H564BC1F9AF5A405CB4E101D4A755A077"><enum>(A)</enum><header>In general</header><text>The term <quote>service provider</quote> means a person or entity that—</text><clause id="H6D650C4E737443CEA1C57E8F5641F015" commented="no"><enum>(i)</enum><text 
display-inline="yes-display-inline">collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity or a Federal, State, Tribal, territorial, or local government entity; and</text></clause><clause id="H62F620ABBD6743B7AC3091D1C2F9DE6E" commented="no"><enum>(ii)</enum><text display-inline="yes-display-inline">receives covered data from or on behalf of a covered entity or a Federal, State, Tribal, territorial, or local government entity.</text></clause></subparagraph><subparagraph id="H912A7AB79AB1464C97A4FE9127C1E753" commented="no"><enum>(B)</enum><header>Treatment with respect to service provider data</header><text display-inline="yes-display-inline">A service provider that receives service provider data from another service provider as permitted under this Act shall be treated as a service provider under this Act with respect to such data.</text></subparagraph></paragraph><paragraph id="HB424B8D0F92B4D7090F93DF3EFA5EC54"><enum>(30)</enum><header>Service provider data</header><text display-inline="yes-display-inline">The term <quote>service provider data</quote> means covered data that is collected or processed by or has been transferred to a service provider by or on behalf of a covered entity, a Federal, State, Tribal, territorial, or local government entity, or another service provider for the purpose of allowing the service provider to whom such covered data is transferred to perform a service or function on behalf of, and at the direction of, such covered entity or Federal, State, Tribal, territorial, or local government entity.</text></paragraph><paragraph id="H2054936E0A034137B1191C4DFBA75584"><enum>(31)</enum><header>State</header><text display-inline="yes-display-inline">The term <quote>State</quote> means any of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands of the United States, Guam, American Samoa, or the Commonwealth of the Northern Mariana 
Islands.</text></paragraph><paragraph id="H3AB064F428C7487E91C4AD50C47F4ADE"><enum>(32)</enum><header>State privacy authority</header><text>The term <quote>State privacy authority</quote> means—</text><subparagraph id="HED764BB5D32841049EABC4DD78B6E48B"><enum>(A)</enum><text>the chief consumer protection officer of a State; or</text></subparagraph><subparagraph id="HF5B07CFE7E394073B5CD044963246AB3"><enum>(B)</enum><text display-inline="yes-display-inline">a State consumer protection agency with expertise in data protection, including the California Privacy Protection Agency.</text></subparagraph></paragraph><paragraph id="HEB6ACE5D43A2438AB71AE8E6DA1242EC"><enum>(33)</enum><header>Substantial privacy risk</header><text>The term <quote>substantial privacy risk</quote> means the collection, processing, or transfer of covered data in a manner that may result in any reasonably foreseeable substantial physical injury, economic injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.</text></paragraph><paragraph id="H15EF7DFC0D264F14B5150B85B162882F"><enum>(34)</enum><header>Targeted advertising</header><text>The term <quote>targeted advertising</quote>—</text><subparagraph id="H96BB0191183347F58B4EC58253C819B2"><enum>(A)</enum><text display-inline="yes-display-inline">means presenting to an individual or device identified by a unique identifier, or groups of individuals or devices identified by unique identifiers, an online advertisement that is selected based on known or predicted preferences, characteristics, or interests associated with the individual or a device identified by a unique identifier; and</text></subparagraph><subparagraph id="H0CCAA5C38E3F4E4C83739647C449EF99"><enum>(B)</enum><text>does not include—</text><clause id="HE2267EBBE69449E9A4A71B7C81C4BACA"><enum>(i)</enum><text>advertising or marketing to 
an individual or an individual’s device in response to the individual’s specific request for information or feedback;</text></clause><clause id="H9211F982D87849AB83493E5C554B3FB5"><enum>(ii)</enum><text>contextual advertising, which is when an advertisement is displayed based on the content in which the advertisement appears and does not vary based on who is viewing the advertisement; or</text></clause><clause id="HF352C3255FA64AEAA6F4965A75471A3C"><enum>(iii)</enum><text>processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.</text></clause></subparagraph></paragraph><paragraph id="HD7C77B21C3554165BE3FD1EFED6B9310"><enum>(35)</enum><header>Third party</header><text>The term <quote>third party</quote>—</text><subparagraph id="HF1243822D19E4BA08FBB1A7FA5303DAC"><enum>(A)</enum><text>means any person or entity, including a covered entity, that—</text><clause id="H44FDA4B9CF954BECA172190437440C24"><enum>(i)</enum><text display-inline="yes-display-inline">collects, processes, or transfers covered data that the person or entity did not collect directly from the individual linked or linkable to such covered data; and</text></clause><clause id="H561A1A5DBA9442D19B700B6AB1C8B62C"><enum>(ii)</enum><text>is not a service provider with respect to such data; and</text></clause></subparagraph><subparagraph id="H321650FEF2EE4F939BD26E32D27F50F7"><enum>(B)</enum><text display-inline="yes-display-inline">does not include a person or entity that collects covered data from another entity if the 2 entities are related by common ownership or corporate control, but only if a reasonable consumer’s reasonable expectation would be that such entities share information.</text></subparagraph></paragraph><paragraph id="H1E801B30F73B4BBB8E70EC9920D16151"><enum>(36)</enum><header>Third-party collecting entity</header><subparagraph id="H09CBAFC03ED44C33AF549BC00920CEB4"><enum>(A)</enum><header>In 
general</header><text>The term <quote>third-party collecting entity</quote>—</text><clause id="HD9F1ADAFC3DE4660B0546434B9C40358"><enum>(i)</enum><text>means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data; and</text></clause><clause id="H098F63C11F17437D9D79B64779D54E7D"><enum>(ii)</enum><text>does not include a covered entity insofar as such entity processes employee data collected by and received from a third party concerning any individual who is an employee of the third party for the sole purpose of such third party providing benefits to the employee.</text></clause></subparagraph><subparagraph id="H701B6E09DEEB45819C1B93A1D308423F"><enum>(B)</enum><header>Principal source of revenue defined</header><text>For purposes of this paragraph, the term <quote>principal source of revenue</quote> means, for the prior 12-month period, either—</text><clause id="H7EB39683850A4D5B865AB5E89088DDF7"><enum>(i)</enum><text>more than 50 percent of all revenue of the covered entity; or</text></clause><clause id="H3FFDEFBDEF044AC99BE11117D2B0E760"><enum>(ii)</enum><text display-inline="yes-display-inline">obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not collect directly from the individuals linked or linkable to the covered data.</text></clause></subparagraph><subparagraph id="H6F83341B39104EB3B0CBD43D2A8783A5"><enum>(C)</enum><header>Non-application to service providers</header><text>An entity may not be considered to be a third-party collecting entity for purposes of this Act if the entity is acting as a service provider.</text></subparagraph></paragraph><paragraph id="H412D1697D10A429A901C59AE9BBAC95E"><enum>(37)</enum><header>Third party data</header><text>The term <quote>third party data</quote> means covered data that has 
been transferred to a third party.</text></paragraph><paragraph id="H3D8A5C34BBCE424A9C3CB44C45EF3484"><enum>(38)</enum><header>Transfer</header><text display-inline="yes-display-inline">The term <quote>transfer</quote> means to disclose, release, disseminate, make available, license, rent, or share covered data orally, in writing, electronically, or by any other means.</text></paragraph><paragraph id="HA13C6BA0B8DC4E8F99526CD169EF43E2"><enum>(39)</enum><header>Unique persistent identifier</header><text>The term <quote>unique identifier</quote>—</text><subparagraph id="H4723263F381A46F8A6D3EAB21384DD7B"><enum>(A)</enum><text>means an identifier to the extent that such identifier is reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, including a device identifier, Internet Protocol address, cookie, beacon, pixel tag, mobile ad identifier, or similar technology, customer number, unique pseudonym, user alias, telephone number, or other form of persistent or probabilistic identifier that is linked or reasonably linkable to an individual or device; and</text></subparagraph><subparagraph id="HBB7F5ACCE8AE4C8A9BC2462E76667468"><enum>(B)</enum><text display-inline="yes-display-inline">does not include an identifier assigned by a covered entity for the specific purpose of giving effect to an individual’s exercise of affirmative express consent or opt-outs of the collection, processing, and transfer of covered data pursuant to section 204 or otherwise limiting the collection, processing, or transfer of such information.</text></subparagraph></paragraph><paragraph id="H268C9609B78846D091A1FDE076958CA2"><enum>(40)</enum><header>Widely distributed media</header><text>The term <quote>widely distributed media</quote> means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an 
internet site that is available to the general public on an unrestricted basis, but does not include an obscene visual depiction (as defined in section 1460 of title 18, United States Code).</text></paragraph></section><title id="HD8DCEE1AA8F446AFBD8641F6FC728B0C"><enum>I</enum><header>Duty of Loyalty</header><section id="H542E13EE8BC04BD499D770C211E9D942"><enum>101.</enum><header>Data minimization</header><subsection id="H4D115A6768584C14982A88DFD176BD87"><enum>(a)</enum><header>In general</header><text>A covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to—</text><paragraph id="H807E2BBB40554A28AE159113C9A50379"><enum>(1)</enum><text>provide or maintain a specific product or service requested by the individual to whom the data pertains; or</text></paragraph><paragraph id="HD50D1E4F00A84ADA891F5B0DBA70D890"><enum>(2)</enum><text>effect a purpose permitted under subsection (b).</text></paragraph></subsection><subsection id="HA84C4099D06E496CB093539CD0A4C515"><enum>(b)</enum><header>Permissible purposes</header><text display-inline="yes-display-inline">A covered entity may collect, process, or transfer covered data for any of the following purposes if the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to such purpose:</text><paragraph id="HCCE2D0505639426ABD4F62D93FE71D1D"><enum>(1)</enum><text display-inline="yes-display-inline">To initiate, manage, or complete a transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting.</text></paragraph><paragraph id="HC19FAB4ED53E46C4951B57E847B7A08E"><enum>(2)</enum><text display-inline="yes-display-inline">With respect to covered data previously collected in accordance 
with this Act, notwithstanding this exception—</text><subparagraph id="H3D604CB72A43462D9B4D8D7E617FF0AC"><enum>(A)</enum><text>to process such data as necessary to perform system maintenance or diagnostics;</text></subparagraph><subparagraph id="H7C3BE017A84C44CAB42C43EE09002A3A"><enum>(B)</enum><text>to develop, maintain, repair, or enhance a product or service for which such data was collected;</text></subparagraph><subparagraph id="H5D67E08292974B20A16490B05EA6810C"><enum>(C)</enum><text>to conduct internal research or analytics to improve a product or service for which such data was collected;</text></subparagraph><subparagraph id="H2A37E22C93E54059B998019A5ECC8CB5"><enum>(D)</enum><text>to perform inventory management or reasonable network management;</text></subparagraph><subparagraph id="H0763DD52D55C467F902900208B7262E5"><enum>(E)</enum><text>to protect against spam; or</text></subparagraph><subparagraph id="H5E47EF9BB8A4486A968E871EC1E6FAEF"><enum>(F)</enum><text>to debug or repair errors that impair the functionality of a service or product for which such data was collected.</text></subparagraph></paragraph><paragraph id="HB9923C94EB0742929AB987A45AFB3A16"><enum>(3)</enum><text>To authenticate users of a product or service.</text></paragraph><paragraph id="H61057F7FA0FF4EF5A0FF0A28AB42C560"><enum>(4)</enum><text display-inline="yes-display-inline">To fulfill a product or service warranty.</text></paragraph><paragraph id="HCE0C689600FA4269AC38BA33B06753B8"><enum>(5)</enum><text display-inline="yes-display-inline">To prevent, detect, protect against, or respond to a security incident. 
For purposes of this paragraph, security is defined as network security and physical security and life safety, including an intrusion or trespass, medical alerts, fire alarms, and access control security.</text></paragraph><paragraph id="H39B07BD32680428B93EE806B7BEF9648"><enum>(6)</enum><text display-inline="yes-display-inline">To prevent, detect, protect against, or respond to fraud, harassment, or illegal activity. For purposes of this paragraph, the term <quote>illegal activity</quote> means a violation of a Federal, State, or local law punishable as a felony or misdemeanor that can directly harm.</text></paragraph><paragraph id="HF788D64F4632404FA3DFB79B2AE561F0"><enum>(7)</enum><text>To comply with a legal obligation imposed by Federal, Tribal, local, or State law, or to investigate, establish, prepare for, exercise, or defend legal claims involving the covered entity or service provider.</text></paragraph><paragraph id="H03F08B24608441AC85F02AF77648DECB"><enum>(8)</enum><text>To prevent an individual, or group of individuals, from suffering harm where the covered entity or service provider believes in good faith that the individual, or group of individuals, is at risk of death, serious physical injury, or other serious health risk.</text></paragraph><paragraph id="H26706318C6D041BF932ACE046930F59E"><enum>(9)</enum><text>To effectuate a product recall pursuant to Federal or State law.</text></paragraph><paragraph id="H9CCCDB1F538F4CCA8248DE834A19A5D2"><enum>(10)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="HE8935C8970A84B92B273F93FC6E7571E"><enum>(A)</enum><text>To conduct a public or peer-reviewed scientific, historical, or statistical research project that—</text><clause id="HE478815690A047D7BCA23A98D697E5ED" indent="up1"><enum>(i)</enum><text display-inline="yes-display-inline">is in the public interest; and</text></clause><clause id="H7B3125C35BAB443EAB1AA8E7E817B4C9" indent="up1"><enum>(ii)</enum><text 
display-inline="yes-display-inline">adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects, or is excluded from criteria of the institutional review board.</text></clause></subparagraph><subparagraph id="H0E2BF5965C9A48E6BFCFC39677ADDAD8" indent="up1"><enum>(B)</enum><text display-inline="yes-display-inline">Not later than 18 months after the date of enactment of this Act, the Commission should issue guidelines to help covered entities ensure the privacy of affected users and the security of covered data, particularly as data is being transferred to and stored by researchers. Such guidelines should consider risks as they pertain to projects using covered data with special considerations for projects that are exempt under part 46 of title 45, Code of Federal Regulations (or any successor regulation) or are excluded from the criteria for institutional review board review.</text></subparagraph></paragraph><paragraph id="HDA527766580F408FA9D8AC5F05A0BEA7"><enum>(11)</enum><text display-inline="yes-display-inline">To deliver a communication that is not an advertisement to an individual, if the communication is reasonably anticipated by the individual within the context of the individual’s interactions with the covered entity.</text></paragraph><paragraph id="H0601C6DF05EB4792866E8C01CD689FA6"><enum>(12)</enum><text display-inline="yes-display-inline">To deliver a communication at the direction of an individual between such individual and one or more individuals or entities.</text></paragraph><paragraph id="HEE853F6B7EB04AC6B7BEDF3455D3B026"><enum>(13)</enum><text display-inline="yes-display-inline">To transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction when the third party assumes control, in whole or in part, of the covered entity’s assets, only if the covered entity, in a reasonable time prior to such transfer, provides each affected 
individual with—</text><subparagraph id="HCEBC72A217FA4ACC9D89FFF5A6D53333"><enum>(A)</enum><text display-inline="yes-display-inline">a notice describing such transfer, including the name of the entity or entities receiving the individual’s covered data and their privacy policies as described in section 202; and </text></subparagraph><subparagraph id="H3FF3D27C88FB470288BD09C60DD63927"><enum>(B)</enum><text>a reasonable opportunity to withdraw any previously given consents in accordance with the requirements of affirmative express consent under this Act related to the individual’s covered data and a reasonable opportunity to request the deletion of the individual’s covered data, as described in section 203.</text></subparagraph></paragraph><paragraph id="H57BDFA77F5F142D49B548598EBE2EF7C"><enum>(14)</enum><text display-inline="yes-display-inline">To ensure the data security and integrity of covered data, as described in section 208.</text></paragraph><paragraph id="H34A733B0731C4BF49CB842E61F9E74AF" commented="no"><enum>(15)</enum><text display-inline="yes-display-inline">With respect to covered data previously collected in accordance with this Act, a service provider acting at the direction of a government entity, or a service provided to a government entity by a covered entity, and only insofar as authorized by statute, to prevent, detect, protect against or respond to a public safety incident, including trespass, natural disaster, or national security incident. 
This paragraph does not permit, however, the transfer of covered data for payment or other valuable consideration to a government entity.</text></paragraph><paragraph id="H536AC6D5BBBD4323BC509F0BAD2DA79D"><enum>(16)</enum><text display-inline="yes-display-inline">With respect to covered data collected in accordance with this Act, notwithstanding this exception, to process such data as necessary to provide first party advertising or marketing of products or services provided by the covered entity for individuals who are not covered minors.</text></paragraph><paragraph id="H2A7DC6ACDEF44100B69D752FE9E2AE05"><enum>(17)</enum><text>With respect to covered data previously collected in accordance with this Act, notwithstanding this exception and provided such collection, processing, and transferring otherwise complies with the requirements of this Act, including section 204(c), to provide targeted advertising.</text></paragraph></subsection><subsection id="H28BD93F3D1C44282A38B715BB5117D0E"><enum>(c)</enum><header>Guidance</header><text>The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. 
Such guidance shall take into consideration—</text><paragraph id="HB139BBBB4F4042D9A80D9DAAE0805839"><enum>(1)</enum><text>the size of, and the nature, scope, and complexity of the activities engaged in by, the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entity meeting the requirements of section 209, third party, or third-party collecting entity;</text></paragraph><paragraph id="H35276E7F827F40F4BEEB5E85E9F00E45"><enum>(2)</enum><text>the sensitivity of covered data collected, processed, or transferred by the covered entity;</text></paragraph><paragraph id="HC744AF39E6B7463AB0B6B5D45AF624D0"><enum>(3)</enum><text>the volume of covered data collected, processed, or transferred by the covered entity; and</text></paragraph><paragraph id="HF8C7E8FF24A845DA993ACC0E92286513"><enum>(4)</enum><text>the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.</text></paragraph></subsection><subsection id="H16D8BF6EC7A54B1E82093313E00AF381"><enum>(d)</enum><header>Deceptive marketing of a product or service</header><text>A covered entity or service provider may not engage in deceptive advertising or marketing with respect to a product or service offered to an individual.</text></subsection><subsection id="HD10AA1E5793949C6BEF082F3B98BB6CF"><enum>(e)</enum><header>Journalism</header><text>Nothing in this Act shall be construed to limit or diminish First Amendment freedoms guaranteed under the Constitution.</text></subsection></section><section id="H6DC183488376404FAC7D3EBBAC52C467"><enum>102.</enum><header>Loyalty duties</header><text display-inline="no-display-inline">Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity or service provider may not—</text><paragraph id="H0A71F237A21448368573B31A68A49F3F"><enum>(1)</enum><text>collect, process, or transfer a Social Security number, except 
when necessary to facilitate an extension of credit, authentication, fraud and identity fraud detection and prevention, the payment or collection of taxes, the enforcement of a contract between parties, or the prevention, investigation, or prosecution of fraud or illegal activity, or as otherwise required by Federal, State, or local law;</text></paragraph><paragraph id="H523EC61F6F3C41A18AEAC41D070A4A11"><enum>(2)</enum><text>collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains, or is strictly necessary to effect a purpose enumerated in paragraphs (1) through (12) and (14) through (15) of section 101(b);</text></paragraph><paragraph id="HD14FC734AA574B5E819C59826D906D8B"><enum>(3)</enum><text>transfer an individual’s sensitive covered data to a third party, unless—</text><subparagraph id="H2F85767A318E42D289C142DB9A7A1BD6"><enum>(A)</enum><text>the transfer is made pursuant to the affirmative express consent of the individual;</text></subparagraph><subparagraph id="HFBEA5D7A66574D9DB348B8D98593E626"><enum>(B)</enum><text>the transfer is necessary to comply with a legal obligation imposed by Federal, State, Tribal, or local law, or to establish, exercise, or defend legal claims;</text></subparagraph><subparagraph id="H6181BA0F7B5D4C1698F55AA522FC55AA"><enum>(C)</enum><text>the transfer is necessary to prevent an individual from imminent injury where the covered entity believes in good faith that the individual is at risk of death, serious physical injury, or serious health risk;</text></subparagraph><subparagraph id="HEF4D47AF21E34B62862400AB36812002" commented="no"><enum>(D)</enum><text display-inline="yes-display-inline">with respect to covered data collected in accordance with this Act, notwithstanding this exception, a service provider acting at the direction of a government entity, or a service 
provided to a government entity by a covered entity, and only insofar as authorized by statute, the transfer is necessary to prevent, detect, protect against, or respond to a public safety incident, including trespass, natural disaster, or national security incident. This paragraph does not permit, however, the transfer of covered data for payment or other valuable consideration to a government entity;</text></subparagraph><subparagraph id="HCF72E1274CC54E598A10EE94FC4C6449"><enum>(E)</enum><text>in the case of the transfer of a password, the transfer is necessary to use a designated password manager or is to a covered entity for the exclusive purpose of identifying passwords that are being re-used across sites or accounts; </text></subparagraph><subparagraph id="H6170A37A4B024564AB8DCB78E0B0E37F"><enum>(F)</enum><text>in the case of the transfer of genetic information, the transfer is necessary to perform a medical diagnosis or medical treatment specifically requested by an individual, or to conduct medical research in accordance with conditions of section 101(b)(10);</text></subparagraph><subparagraph id="H5424403A91D34BA2B3723AC7CE402609"><enum>(G)</enum><text display-inline="yes-display-inline">to transfer assets in the manner described in paragraph (13) of section 101(b); or</text></subparagraph></paragraph><paragraph id="HF82E6A4552B0487E9B6F07B6CABC8843" commented="no"><enum>(4)</enum><text display-inline="yes-display-inline">in the case of a provider of broadcast television service, cable service, satellite service, streaming media service, or other video programming service described in section 713(h)(2) of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/613">47 U.S.C. 
613(h)(2)</external-xref>), transfer to an unaffiliated third party covered data that reveals the video content or services requested or selected by an individual from such service, except with the affirmative express consent of the individual or pursuant to one of the permissible purposes enumerated in paragraphs (1) through (15) of section 101(b).</text></paragraph></section><section id="H4C390C2B36CF4BDE8EBF715E809568D2"><enum>103.</enum><header>Privacy by design</header><subsection id="HD53EA7D981F64C89B1A9DA35FCE63B6A"><enum>(a)</enum><header>Policies, practices, and procedures</header><text>A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, and transferring of covered data and that—</text><paragraph id="HC9E76ADFDE6A4CBF92DD41511FA599A1"><enum>(1)</enum><text>consider applicable Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;</text></paragraph><paragraph id="H00DD719A3CA041E4B95B822888BB213A"><enum>(2)</enum><text>identify, assess, and mitigate privacy risks related to covered minors (including, if applicable, with respect to a covered entity that is not an entity meeting the requirements of section 209, in a manner that considers the developmental needs of different age ranges of covered minors) to result in reasonably necessary and proportionate residual risk to covered minors;</text></paragraph><paragraph id="HCCD3C8F4D82248C386EF1A9244220A3B"><enum>(3)</enum><text>mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including in the design, development, and implementation of such products and services, taking into account the role of the covered entity or service provider and the information available to it; 
and</text></paragraph><paragraph id="H03C11FA555ED45E78026F82921571C63"><enum>(4)</enum><text>implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers or covered data the service provider collects, processes, or transfers on behalf of the covered entity and mitigate privacy risks, including substantial privacy risks, taking into account the role of the covered entity or service provider and the information available to it.</text></paragraph></subsection><subsection id="HF4BD890D04964D18B00FCC138948BA89"><enum>(b)</enum><header>Factors to consider</header><text>The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with, as applicable—</text><paragraph id="HA130458BE2644059B5D2F5A2A74F9602"><enum>(1)</enum><text display-inline="yes-display-inline">the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged in by the covered entity or service provider, including whether the covered entity or service provider is a large data holder, nonprofit organization, entity meeting the requirements of section 209, third party, or third-party collecting entity, taking into account the role of the covered entity or service provider and the information available to it;</text></paragraph><paragraph id="H21BD0D1C2F2F4D8789C80DAC6AB71576"><enum>(2)</enum><text>the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;</text></paragraph><paragraph id="H428362358DFC42318A6C6E968C2C3026"><enum>(3)</enum><text>the volume of covered data collected, processed, or transferred by the covered entity or service provider;</text></paragraph><paragraph id="H64894241D25A4BB9ACC351F53607965B"><enum>(4)</enum><text>the number of individuals and devices 
to which the covered data collected, processed, or transferred by the covered entity or service provider relates; and</text></paragraph><paragraph id="H5E2A593AA0B94AA89C623BFF2B07482D"><enum>(5)</enum><text>the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.</text></paragraph></subsection><subsection id="HA89F769CC92743739FCB30DE0867526B"><enum>(c)</enum><header>Commission guidance</header><text display-inline="yes-display-inline">Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as to what constitutes reasonable policies, practices, and procedures as required by this section. The Commission shall consider unique circumstances applicable to nonprofit organizations, to entities meeting the requirements of section 209, and to service providers.</text></subsection></section><section id="H6EBCAE4642AA40B284E4A706E002ADBE"><enum>104.</enum><header>Loyalty to individuals with respect to pricing</header><subsection id="H9D8F7A555A4846ADB8DCE5379011BC86"><enum>(a)</enum><header>Retaliation through service or pricing prohibited</header><text display-inline="yes-display-inline">A covered entity may not retaliate against an individual for exercising any of the rights guaranteed by the Act, or any regulations promulgated under this Act, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.</text></subsection><subsection id="H49CFE80CFDAC49B5BA4A0F84865638EE"><enum>(b)</enum><header>Rules of construction</header><text>Nothing in subsection (a) may be construed to—</text><paragraph id="H581E2FCFD5CA4B18B8DEFB27DF6EE750"><enum>(1)</enum><text>prohibit the relation of the price of a service or the level of service provided to an individual to the provision, by the individual, of financial information that is necessarily collected and processed only for the 
purpose of initiating, rendering, billing for, or collecting payment for a service or product requested by the individual;</text></paragraph><paragraph id="HFDC5237220144F75BFBDEDDC1D7DD759" commented="no"><enum>(2)</enum><text display-inline="yes-display-inline">prohibit a covered entity from offering a different price, rate, level, quality or selection of goods or services to an individual, including offering goods or services for no fee, if the offering is in connection with an individual’s voluntary participation in a bona fide loyalty program;</text></paragraph><paragraph id="HA2CE8827369444EE89EBA4F0F3377646"><enum>(3)</enum><text display-inline="yes-display-inline">require a covered entity to provide a bona fide loyalty program that would require the covered entity to collect, process, or transfer covered data that the covered entity otherwise would not collect, process, or transfer;</text></paragraph><paragraph id="H4896E19A711543569AE493952E9A4ADA" commented="no"><enum>(4)</enum><text>prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research; </text></paragraph><paragraph id="HC714287C07974530A1E68BF17F7686A9" commented="no"><enum>(5)</enum><text>prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based on an individual’s exercise of a right under section 203(a)(3); or</text></paragraph><paragraph id="HC886454C1A594891B68E0117AB963B65" commented="no"><enum>(6)</enum><text display-inline="yes-display-inline">prohibit a covered entity from declining to provide a product or service insofar as the collection and processing of covered data is strictly necessary for such product or service.</text></paragraph></subsection><subsection id="H9D105A63ED694F9AACF0F7136FE861D6" commented="no"><enum>(c)</enum><header>Bona fide loyalty program defined</header><text>For purposes of this section, the term <quote>bona fide 
loyalty program</quote> includes rewards, premium features, discount or club card programs.</text></subsection></section></title><title id="HAE5D4E4985B64A1691A932DD8B3A5C3B"><enum>II</enum><header>Consumer Data Rights</header><section id="H30CC5A8D8E004F3EA94F35899BEBC9D7"><enum>201.</enum><header>Consumer awareness</header><subsection id="HDFC5E960DC4B4A3BBA9F912BE3418BA9"><enum>(a)</enum><header>In general</header><text>Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the public website of the Commission, a webpage that describes each provision, right, obligation, and requirement of this Act, listed separately for individuals and for covered entities and service providers, and the remedies, exemptions, and protections associated with this Act, in plain and concise language and in an easy-to-understand manner.</text></subsection><subsection id="H7A287F2833B842A28C30580C5C0FD686"><enum>(b)</enum><header>Updates</header><text>The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in law, regulation, guidance, or judicial decisions.</text></subsection><subsection id="H93ED4FEED68E404584E31EA3B6E450A2"><enum>(c)</enum><header>Accessibility</header><text display-inline="yes-display-inline">The Commission shall publish the information required to be published under subsection (a) in the ten languages with the most users in the United States, according to the most recent United States Census.</text></subsection></section><section id="HC352DC1AB7D5460AA815F8B562064CD9"><enum>202.</enum><header>Transparency</header><subsection id="H0BFA64E2CAFF42199709CA7B5967DD8B"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Each covered entity shall make publicly available, in a clear, conspicuous, not misleading, and easy-to-read and readily accessible manner, a privacy policy that provides a detailed and accurate representation 
of the data collection, processing, and transfer activities of the covered entity.</text></subsection><subsection id="HCD966D07CE8C4C919D58494B8F59CD77"><enum>(b)</enum><header>Content of privacy policy</header><text display-inline="yes-display-inline">A covered entity or service provider shall have a privacy policy that includes, at a minimum, the following:</text><paragraph id="HB6783BF7949A442B90A9553157F3C1FD"><enum>(1)</enum><text>The identity and the contact information of—</text><subparagraph id="H12A535A3AD324A43AD5C1A2B7AED3735"><enum>(A)</enum><text>the covered entity or service provider to which the privacy policy applies (including the covered entity’s or service provider’s points of contact and generic electronic mail addresses, as applicable for privacy and data security inquiries); and</text></subparagraph><subparagraph id="H16B47FCA387A49F7AADDFCD50320AE8B"><enum>(B)</enum><text>any other entity within the same corporate structure as the covered entity or service provider to which covered data is transferred by the covered entity.</text></subparagraph></paragraph><paragraph id="HA56F425BE4BC4C32ACB2156927DC2C76"><enum>(2)</enum><text>The categories of covered data the covered entity or service provider collects or processes.</text></paragraph><paragraph id="H317C3D6243A54F08A3116497223C3956"><enum>(3)</enum><text>The processing purposes for each category of covered data the covered entity or service provider collects or processes.</text></paragraph><paragraph id="HBAF4C96F74894CC7963B9207A3546A08"><enum>(4)</enum><text display-inline="yes-display-inline">Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third party to which the covered entity or service provider transfers covered data, the name of each third-party collecting entity to which the covered entity or service provider transfers covered data, and the purposes for which such data is transferred to such categories of 
service providers and third parties or third-party collecting entities, except for a transfer to a governmental entity pursuant to a court order or law that prohibits the covered entity or service provider from disclosing such transfer.</text></paragraph><paragraph id="H423F220EF2F944A9B0A69B0B3C2DF125"><enum>(5)</enum><text>The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that timeframe, the criteria used to determine the length of time the covered entity or service provider intends to retain categories of covered data.</text></paragraph><paragraph id="HB63DED02D7484987987017CE19789531"><enum>(6)</enum><text>A prominent description of how an individual can exercise the rights described in this Act.</text></paragraph><paragraph id="H66A109F1222D4050BA99DC61EFD80AD6"><enum>(7)</enum><text>A general description of the covered entity’s or service provider’s data security practices.</text></paragraph><paragraph id="H314391A20F2649F7AA446CC5884978B8"><enum>(8)</enum><text>The effective date of the privacy policy.</text></paragraph><paragraph id="H8F1AD5F5F2624A0D96175B6A419DCE45"><enum>(9)</enum><text>Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored in, or otherwise accessible to the People’s Republic of China, Russia, Iran, or North Korea.</text></paragraph></subsection><subsection id="HC53170768DC0429C9EAF122BBAF8274A"><enum>(c)</enum><header>Languages</header><text>The privacy policy required under subsection (a) shall be made available to the public in each covered language in which the covered entity or service provider—</text><paragraph id="H6061BB3B33EC4B60910B230699C24738"><enum>(1)</enum><text>provides a product or 
service that is subject to the privacy policy; or</text></paragraph><paragraph id="HA34CD24C4EDB4969934D22CEA08A6BB3"><enum>(2)</enum><text>carries out activities related to such product or service.</text></paragraph></subsection><subsection id="H8F2FB3DFFCD041E68B9A6DB631024951"><enum>(d)</enum><header>Accessibility</header><text display-inline="yes-display-inline">The covered entity or service provider shall also provide the disclosures under this section in a manner that is reasonably accessible to and usable by individuals with disabilities.</text></subsection><subsection id="HE2F7BDB5B1B4460AB800696592E0EA3D"><enum>(e)</enum><header>Material changes</header><paragraph id="H9581C11762D14963821352DCF2FE1A29"><enum>(1)</enum><header>Affirmative express consent</header><text>If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any prospectively collected covered data and, except as provided in paragraphs (1) through (15) of section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transfer of previously collected covered data under the changed policy.</text></paragraph><paragraph id="H6F0CDF087EC74701A03A468EEC2A00D0"><enum>(2)</enum><header>Notification</header><text>The covered entity shall take all reasonable electronic measures to provide direct notification regarding material changes to the privacy policy to each affected individual, in each covered language in which the privacy policy is made available, and taking into account available technology and the nature of the relationship.</text></paragraph><paragraph id="H72E9DFBE2CC34733AB7BE06D352789A5"><enum>(3)</enum><header>Clarification</header><text>Nothing in this section may be construed to affect the requirements for covered entities under section 102 
or 204.</text></paragraph><paragraph id="HEC0A5C4F87E64BC79C62E882D3958616"><enum>(4)</enum><header>Log of material changes</header><text>Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years beginning after the date of enactment of this Act and publish them on its website. Such large data holder shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the date and nature of each material change to its privacy policy over the past 10 years. The descriptions shall be sufficient for a reasonable individual to understand the material effect of each material change. The obligations in this paragraph shall not apply to any previous versions of a large data holder’s privacy policy, or any material changes to such policy, that precede the date of enactment of this Act.</text></paragraph></subsection><subsection id="HAA013BE5F8CB4EE5B7646EA33E976AB6"><enum>(f)</enum><header>Short-form notice to consumers by large data holders</header><paragraph id="H4182C63ED17A4DCA82224964C09D8ADF"><enum>(1)</enum><header>In general</header><text>In addition to the privacy policy required under subsection (a), a large data holder that is a covered entity shall provide a short-form notice of its covered data practices in a manner that is—</text><subparagraph id="HA766F4708DAF459DBD997E5B7E3F95B3"><enum>(A)</enum><text>concise, clear, conspicuous, and not misleading;</text></subparagraph><subparagraph id="H9BEC4AD15B3D43FBB84158A724B81D20"><enum>(B)</enum><text>readily accessible to the individual, based on what is reasonably anticipated within the context of the relationship between the individual and the large data holder;</text></subparagraph><subparagraph id="H6AFAB8342AF045D9B3527F63F23822B8"><enum>(C)</enum><text>inclusive of an overview of individual rights and disclosures to reasonably draw attention to data practices that may reasonably be unexpected to a reasonable person or that 
involve sensitive covered data; and</text></subparagraph><subparagraph id="H8A67CAE5C4BC4FC3AF233315C7288ADE"><enum>(D)</enum><text>no more than 500 words in length.</text></subparagraph></paragraph><paragraph id="H0DE48BC7DF66445F8CF0DFB7EA9A6691"><enum>(2)</enum><header>Rulemaking</header><text>The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice required under paragraph (1), which shall not exceed the content requirements in subsection (b) and shall include templates or models of short-form notices.</text></paragraph></subsection></section><section id="HBA3C89312046433D92297CB0CB30DE69"><enum>203.</enum><header>Individual data ownership and control</header><subsection id="HF6E928468CA5453391E938F212D197B7"><enum>(a)</enum><header>Access to, and correction, deletion, and portability of, covered data</header><text display-inline="yes-display-inline">In accordance with subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—</text><paragraph id="H12A129F363FF43908DB2DDBCB829C0BA"><enum>(1)</enum><text>access—</text><subparagraph id="HF22F087FB27944B1882C808619D533BE"><enum>(A)</enum><text display-inline="yes-display-inline">in a human-readable format that a reasonable individual can understand and download from the internet, the covered data (except covered data in a back-up or archival system) of the individual making the request that is collected, processed, or transferred by the covered entity or any service provider of the covered entity within the 24 months preceding the request;</text></subparagraph><subparagraph id="H25AF3D42FB9E490A8F9D531AC0B6A621"><enum>(B)</enum><text>the categories of any third party, if applicable, and an option for consumers to obtain the names of any such third party as well as the categories of any service providers to whom the 
covered entity has transferred for consideration the covered data of the individual, as well as the categories of sources from which the covered data was collected; and</text></subparagraph><subparagraph id="H3D1F2B825CAF42298883418D152B82D4"><enum>(C)</enum><text>a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider;</text></subparagraph></paragraph><paragraph id="H9EDEE043BA334FCA9764A53EF3DCC297"><enum>(2)</enum><text display-inline="yes-display-inline">correct any verifiable substantial inaccuracy or substantially incomplete information with respect to the covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service providers to which the covered entity transferred such covered data of the corrected information;</text></paragraph><paragraph id="H741B6D435436431EA7618B9F2E935425"><enum>(3)</enum><text>delete covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service providers to which the covered entity transferred such covered data of the individual’s deletion request; and</text></paragraph><paragraph id="H811C233AF15243CEA1A2699E9B2E3C62" commented="no"><enum>(4)</enum><text display-inline="yes-display-inline">to the extent technically feasible, export to the individual or directly to another entity the covered data of the individual that is processed by the covered entity, including inferences linked or reasonably linkable to the individual but not including other derived data, without licensing restrictions that limit such transfers in—</text><subparagraph id="HB5B926AF82CF4D12AB8207F63A360A69" commented="no"><enum>(A)</enum><text>a human-readable format that a reasonable individual can understand and download from the internet; 
and</text></subparagraph><subparagraph id="H57BEE31A1B664762BF86F6D2578E3CEF" commented="no"><enum>(B)</enum><text>a portable, structured, interoperable, and machine-readable format.</text></subparagraph></paragraph></subsection><subsection id="HD5E9889A5BC940AEA6829F67D68E652F"><enum>(b)</enum><header>Individual autonomy</header><text>A covered entity may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in subsection (a) through—</text><paragraph id="HD70F11C41A784B0398E9B18C96D22FDB"><enum>(1)</enum><text>the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or</text></paragraph><paragraph id="H47CEDC6367E24940BC2BEEA0A332D528"><enum>(2)</enum><text>the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to exercise such right.</text></paragraph></subsection><subsection id="HB05B612BA78848B9AF12CE197655044B"><enum>(c)</enum><header>Timing</header><paragraph id="H45F75418206F43F9AEDEE3138803CBBC"><enum>(1)</enum><header>In general</header><text>Subject to subsections (d) and (e), each request under subsection (a) shall be completed by any—</text><subparagraph id="HE17CF9D40D134B00862F1250C649F324"><enum>(A)</enum><text>large data holder within 45 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual;</text></subparagraph><subparagraph id="HC0AA03A89A5345AABE8F19F6BD85E927"><enum>(B)</enum><text>covered entity that is not a large data holder or a covered entity meeting the requirements of section 209 within 60 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual; or</text></subparagraph><subparagraph 
id="H02FB928874F74FF1ADDCE3BEE8E148CE"><enum>(C)</enum><text>covered entity meeting the requirements of section 209 within 90 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual.</text></subparagraph></paragraph><paragraph id="H827F3947DBEB46F7986E36C75E3D0D4B"><enum>(2)</enum><header>Extension</header><text>A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering the complexity and number of the individual’s requests, so long as the covered entity informs the individual of any such extension within the initial 45-day response period, together with the reason for the extension.</text></paragraph></subsection><subsection id="H483BA0E6C2E2482B8E0C204A7409E324"><enum>(d)</enum><header>Frequency and cost of access</header><text>A covered entity—</text><paragraph id="H306E7227826545FEA13EF927915BABD2"><enum>(1)</enum><text>shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and</text></paragraph><paragraph id="H820F2435BB824FFFA9DB31D356F580C5"><enum>(2)</enum><text>with respect to—</text><subparagraph id="H4FB92B485B6840A587A50D19EB963D9C"><enum>(A)</enum><text>the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and</text></subparagraph><subparagraph id="HFA5568DF48724C4EA2F5785888D40974"><enum>(B)</enum><text>any time beyond the initial 2 times described in subparagraph (A), may allow the individual to exercise such right for a reasonable fee for each request.</text></subparagraph></paragraph></subsection><subsection id="H6AFE76D82D79481DA1F116E8BEFF08AB"><enum>(e)</enum><header>Verification and exceptions</header><paragraph id="H34C7241C490140ACB477BE64D5D571EE"><enum>(1)</enum><header>Required exceptions</header><text>A covered entity may 
not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—</text><subparagraph id="HA80D1AB80BE245A1AB33C7205BEFCBAD"><enum>(A)</enum><text>cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf; </text></subparagraph><subparagraph id="H017090695F2241A9B431051E8AF21830"><enum>(B)</enum><text>reasonably believes that the request is made to interfere with a contract between the covered entity and another individual;</text></subparagraph><subparagraph id="HBF96EBFF1E9B477999E32A2E693EFDF6"><enum>(C)</enum><text>determines that the exercise of the right would require access to or correction of another individual’s sensitive covered data; </text></subparagraph><subparagraph id="H0D5CF5C5A1FF4114895CF7363F67A5A7"><enum>(D)</enum><text>reasonably believes that the exercise of the right would require the covered entity to engage in an unfair or deceptive practice under section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45</external-xref>); or</text></subparagraph><subparagraph id="H4385040FB58141AE87D936E0927E7B30" commented="no"><enum>(E)</enum><text display-inline="yes-display-inline">reasonably believes that the request is made to further fraud, support criminal activity, or the exercise of the right presents a data security threat.</text></subparagraph></paragraph><paragraph id="H72FFB617F2B0441E9A7484A80CDE08AA"><enum>(2)</enum><header>Additional information</header><text>If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity—</text><subparagraph id="HDE29486E329B45EDBDB00835BD8C3FB7"><enum>(A)</enum><text>may request that the individual making the request to exercise the right provide any additional information necessary for the sole purpose of verifying the identity of the individual; and</text></subparagraph><subparagraph id="H4B5C35536CA34E138C476188BB7A6BB6"><enum>(B)</enum><text>may not process or transfer such additional information for any other purpose.</text></subparagraph></paragraph><paragraph id="HA9EAFC432A774A49BAEF1641A50DD501"><enum>(3)</enum><header>Permissive exceptions</header><subparagraph id="H0593F56CD9934D82B32AC5679F131D35"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity may decline, with adequate explanation to the individual, to comply with a request to exercise a right described in subsection (a), in whole or in part, that would—</text><clause id="H1345EF0E73674E31BD647BA7454F534B"><enum>(i)</enum><text>require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is not processed or transferred by the covered entity for any purpose other than completing such transaction;</text></clause><clause 
id="H68D350505840411DACCB199CFF9FA773"><enum>(ii)</enum><text display-inline="yes-display-inline">be demonstrably impracticable or prohibitively costly to comply with, and the covered entity shall provide a description to the requestor detailing the inability to comply with the request;</text></clause><clause id="HF8286B89EE134FE6BF679F4163F1CAA1"><enum>(iii)</enum><text>require the covered entity to attempt to re-identify de-identified data;</text></clause><clause id="H515ACC018D394E84B3AE8BB648FAA452"><enum>(iv)</enum><text display-inline="yes-display-inline">require the covered entity to maintain covered data in an identifiable form or collect, retain, or access any data in order to be capable of associating a verified individual request with covered data of such individual;</text></clause><clause id="H1A72586973474DADA4079DEA43EEF3B0"><enum>(v)</enum><text>result in the release of trade secrets or other privileged or confidential business information;</text></clause><clause id="HBDC253B1F00A4737AEED67D97DD07185"><enum>(vi)</enum><text>require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;</text></clause><clause id="H766398F1A26B4F1B976AE61980D7F5FC"><enum>(vii)</enum><text>interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity, or enforce valid contracts;</text></clause><clause id="H2FF27B41833B4068849BAF8CAEB6C07B"><enum>(viii)</enum><text>violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United States;</text></clause><clause id="H63ABFA31E36A4DB19DD63132E2644FC8"><enum>(ix)</enum><text>prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose of preventing covered data of an individual from being recollected after the 
individual submitted a deletion request and requested that the covered entity no longer collect, process, or transfer such data;</text></clause><clause id="H4432C7FFA54D41A49605F66DD399F5FA"><enum>(x)</enum><text>fall within an exception enumerated in the regulations promulgated by the Commission pursuant to subparagraph (D); or</text></clause><clause id="HF669E972402E469DA58D2801B791628C"><enum>(xi)</enum><text>with respect to requests for deletion—</text><subclause id="HA9A2B96E374A4DDE8DA591CE89513B81"><enum>(I)</enum><text>unreasonably interfere with the provision of products or services by the covered entity to another person it currently serves;</text></subclause><subclause id="H3FC68E7B16954B57ADCAE4A0BE15AD0A"><enum>(II)</enum><text>delete covered data that relates to a public figure and for which the requesting individual has no reasonable expectation of privacy;</text></subclause><subclause id="H05B81E29CBB14ACE8391D191D13F4339"><enum>(III)</enum><text>delete covered data reasonably necessary to perform a contract between the covered entity and the individual;</text></subclause><subclause id="H9E9CA3614CB54B0B8DDEA3CD3FA20431"><enum>(IV)</enum><text>delete covered data that the covered entity needs to retain in order to comply with professional ethical obligations; </text></subclause><subclause id="HF6BADC06F1BD4F799F250F8667C94C8C"><enum>(V)</enum><text>delete covered data that the covered entity reasonably believes may be evidence of unlawful activity or an abuse of the covered entity’s products or services; or</text></subclause><subclause id="HC3CFDB8266EF4E77A9C6BA93E9D1BC1A"><enum>(VI)</enum><text display-inline="yes-display-inline">for private elementary and secondary schools as defined by State law and private institutions of higher education as defined by title I of the Higher Education Act of 1965, delete covered data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or 
institution.</text></subclause></clause></subparagraph><subparagraph id="H9F408B6A88BE4A2FBDFC9F2A5702F0AA"><enum>(B)</enum><header>Partial compliance</header><text>In a circumstance that would allow a denial pursuant to subparagraph (A), a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so.</text></subparagraph><subparagraph id="HAC05DAA1B7DC4683B5FDF65AACC253C5"><enum>(C)</enum><header>Number of requests</header><text>For purposes of subparagraph (A)(ii), the receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable.</text></subparagraph><subparagraph id="H33B7D6A01BB74A4B965EA0AC67E41B8E"><enum>(D)</enum><header>Further exceptions</header><text>The Commission may, by regulation as described in subsection (g), establish additional permissive exceptions necessary to protect the rights of individuals, alleviate undue burdens on covered entities, prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or as otherwise necessary to fulfill the purposes of this section. 
In establishing such exceptions, the Commission should consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.</text></subparagraph></paragraph></subsection><subsection id="H96ABB9B2236543748374384EA340FE4E"><enum>(f)</enum><header>Large data holder metrics reporting</header><text>A large data holder that is a covered entity shall, for each calendar year in which it was a large data holder, do the following:</text><paragraph id="H85F70EDFC17E40A1A680386F14FC2868"><enum>(1)</enum><text>Compile the following metrics for the prior calendar year:</text><subparagraph id="HA761F888E31F482986105DA745B13A45"><enum>(A)</enum><text>The number of verified access requests under subsection (a)(1).</text></subparagraph><subparagraph id="H4169EE2C04A644D1BE16E7D06285FA21"><enum>(B)</enum><text>The number of verified deletion requests under subsection (a)(3).</text></subparagraph><subparagraph id="H2CA5E07E957F4A929C959012E8EB8283"><enum>(C)</enum><text>The number of requests to opt-out of covered data transfers under section 204(b).</text></subparagraph><subparagraph id="HD7EB07E905D6430F9469A29685685596"><enum>(D)</enum><text>The number of requests to opt-out of targeted advertising under section 204(c).</text></subparagraph><subparagraph id="H58C4CBD48DB041509268C0CE741176DA"><enum>(E)</enum><text>The number of requests in each of subparagraphs (A) through (D) that such large data holder (i) complied with in whole or in part and (ii) denied.</text></subparagraph><subparagraph id="HA019A01E4D0840B69407623B4880F048"><enum>(F)</enum><text>The median or mean number of days within which such large data holder substantively responded to the requests in each of subparagraphs (A) through (D).</text></subparagraph></paragraph><paragraph id="H9737274EB7C542ABAE7AAB4AD960FB4D"><enum>(2)</enum><text>Disclose by July 1 of each applicable calendar year the information compiled in paragraph (1) within 
such large data holder’s privacy policy required under section 202 or on the publicly accessible website of such large data holder that is accessible from a hyperlink included in the privacy policy.</text></paragraph></subsection><subsection id="H13F7EE08B65049C88AF51DEE136D7CB7"><enum>(g)</enum><header>Regulations</header><text>Not later than 2 years after the date of enactment of this Act, the Commission shall promulgate regulations, pursuant to section 553 of title 5, United States Code, as necessary to establish processes by which covered entities are to comply with the provisions of this section. Such regulations shall take into consideration—</text><paragraph id="H0C034A5DA7084430B69EB8E2B7536793"><enum>(1)</enum><text>the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entity meeting the requirements of section 209, third party, or third-party collecting entity;</text></paragraph><paragraph id="H788AF3E77FA1490189B7D861910DD8F3"><enum>(2)</enum><text>the sensitivity of covered data collected, processed, or transferred by the covered entity;</text></paragraph><paragraph id="H823301FD4237486797366FDA5E440EA3"><enum>(3)</enum><text>the volume of covered data collected, processed, or transferred by the covered entity; </text></paragraph><paragraph id="HE94DE67D01674775B96A0611ACC6E8CF"><enum>(4)</enum><text>the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates; and</text></paragraph><paragraph id="HD9BB93C0F22144F4816E29DD607DD15F"><enum>(5)</enum><text display-inline="yes-display-inline">after consulting the National Institute of Standards and Technology, standards for ensuring the deletion of covered data under this Act where appropriate.</text></paragraph></subsection><subsection 
id="HB93E0CE597FB4F99B34670187A001119"><enum>(h)</enum><header>Accessibility</header><text>A covered entity shall facilitate the ability of individuals to make requests under subsection (a) in any covered language in which the covered entity provides a product or service. The mechanisms by which a covered entity enables individuals to make requests under subsection (a) shall be readily accessible to and usable by individuals with disabilities.</text></subsection></section><section id="HBF7ED0857876400DABF57C93218116EB"><enum>204.</enum><header>Right to consent and object</header><subsection id="H71E2C915AD584154BD125EE77C78821F"><enum>(a)</enum><header>Withdrawal of consent</header><text>A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative express consent previously provided by the individual that is as easy to execute by a reasonable individual as the means to provide consent, with respect to the processing or transfer of the covered data of the individual.</text></subsection><subsection id="H3BD964A7961C4C7FAE47452C2C1B0687"><enum>(b)</enum><header>Right to opt out of covered data transfers</header><paragraph id="H687A9E8516EA4C999D4A29F7D90B8976"><enum>(1)</enum><header>In general</header><text>A covered entity—</text><subparagraph id="H282B9177AEFD483EAF99D34A3F4F7F12"><enum>(A)</enum><text display-inline="yes-display-inline">may not transfer or direct the transfer of the covered data of an individual to a third party if the individual objects to the transfer; and</text></subparagraph><subparagraph id="H11FD68AA7088482EB1659B98CA4E6A4C"><enum>(B)</enum><text>shall allow an individual to object to such a transfer through an opt-out mechanism, as described in section 210.</text></subparagraph></paragraph><paragraph id="H607142B9A83D4EB2B90800E6D232B4AD"><enum>(2)</enum><header>Exception</header><text display-inline="yes-display-inline">Except as provided in section 206(b)(3)(C), a covered 
entity need not allow an individual to opt out of the collection, processing, or transfer of covered data made pursuant to the exceptions in paragraphs (1) through (15) of section 101(b).</text></paragraph></subsection><subsection id="HD6B6456898204477A0B3C3F61D9D4019"><enum>(c)</enum><header>Right to opt out of targeted advertising</header><paragraph id="HB8BE9AE6E9A043EE8E05E416199150CB"><enum>(1)</enum><text>A covered entity or service provider that directly delivers a targeted advertisement shall—</text><subparagraph id="H412ECD84AE044455AC22E11DFD53AD35"><enum>(A)</enum><text>prior to engaging in targeted advertising to an individual or device and at all times thereafter, provide such individual with a clear and conspicuous means to opt out of targeted advertising;</text></subparagraph><subparagraph id="HF926F94A4C1B4C4C9D57232C16B1DB5E"><enum>(B)</enum><text>abide by any opt-out designation by an individual with respect to targeted advertising and notify the covered entity that directed the service provider to deliver the targeted advertisement of the opt-out decision; and</text></subparagraph><subparagraph id="HD47EDA403DE641A69E1D8F51537F4BF4"><enum>(C)</enum><text>allow an individual to make an opt-out designation with respect to targeted advertising through an opt-out mechanism, as described in section 210.</text></subparagraph></paragraph><paragraph id="H486F8F609741459C8E09C6B3E3E64A7D"><enum>(2)</enum><text>A covered entity or service provider that receives an opt-out notification pursuant to paragraph (1)(B) or this paragraph shall abide by such opt-out designations by an individual and notify any other person that directed the covered entity or service provider to serve, deliver, or otherwise handle the advertisement of the opt-out decision.</text></paragraph></subsection><subsection id="H1F427B3D250244F7AB1ACA279D1C8F97"><enum>(d)</enum><header>Individual autonomy</header><text>A covered entity may not condition, effectively condition, attempt to 
condition, or attempt to effectively condition the exercise of any individual right under this section through—</text><paragraph id="HE3FE1A52E6C84E4AB1B9F575CB5D7B62"><enum>(1)</enum><text>the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or</text></paragraph><paragraph id="HA23A1816170F4B3EA24E68A1F3B1C018"><enum>(2)</enum><text>the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to exercise any such right.</text></paragraph></subsection></section><section id="H64B30A2785DC49CEAB27C1D6CF9340F3"><enum>205.</enum><header>Data protections for children and minors</header><subsection id="HC5D8126BBF3D4EABBDB0A51701C70BB2"><enum>(a)</enum><header>Prohibition on targeted advertising to children and minors</header><text display-inline="yes-display-inline">A covered entity may not engage in targeted advertising to any individual if the covered entity has knowledge that the individual is a covered minor.</text></subsection><subsection id="H8074840CF84F4316A4421BBB06419076"><enum>(b)</enum><header>Data transfer requirements related to covered minors</header><paragraph id="H2E4AABB5D5AD4408821D044FEFC7FC08"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity may not transfer or direct the transfer of the covered data of a covered minor to a third party if the covered entity— </text><subparagraph id="HFD1FF6F1559C41FD944BFD6378C4BC88" commented="no"><enum>(A)</enum><text>has knowledge that the individual is a covered minor; and</text></subparagraph><subparagraph id="HB4A36B62B242472D89685C21CA91D33C" commented="no"><enum>(B)</enum><text>has not obtained affirmative express consent from the covered minor or the covered minor’s parent or guardian.</text></subparagraph></paragraph><paragraph 
id="H5748EFCB333C4D2A973198DC45241C1E"><enum>(2)</enum><header>Exception</header><text>A covered entity or service provider may collect, process, or transfer covered data of an individual the covered entity or service provider knows is under the age of 18 solely in order to submit information relating to child victimization to law enforcement or to the nonprofit, national resource center and clearinghouse congressionally designated to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.</text></paragraph></subsection><subsection id="H06B6C9BED229425786969E4A4BB9C11B"><enum>(c)</enum><header>Youth privacy and marketing division</header><paragraph id="H0DA318612AC944D39BA93D0C5B67AC20"><enum>(1)</enum><header>Establishment</header><text display-inline="yes-display-inline">There is established within the Commission in the privacy bureau established in this Act, a division to be known as the <quote>Youth Privacy and Marketing Division</quote> (in this section referred to as the <quote>Division</quote>).</text></paragraph><paragraph id="HD4FCF14C5B334AB1BE439496D56FF8A0"><enum>(2)</enum><header>Director</header><text>The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.</text></paragraph><paragraph id="HC0F0FDAA52D7462B956FE69D38D3A92E"><enum>(3)</enum><header>Duties</header><text>The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—</text><subparagraph id="H2AE106C6260B49E097555D74D51D876F"><enum>(A)</enum><text>the privacy of children and minors; and</text></subparagraph><subparagraph id="H8104CECA77DB450FBC1D0728F52E0567"><enum>(B)</enum><text>marketing directed at children and minors.</text></subparagraph></paragraph><paragraph id="HAE095204EAEA4873BCE783A46E158A88"><enum>(4)</enum><header>Staff</header><text>The Director of the Division shall hire adequate staff to carry out the duties 
described in paragraph (3), including by hiring individuals who are experts in data protection, digital advertising, data analytics, and youth development.</text></paragraph><paragraph id="H071782299B08448F88690592998B8670"><enum>(5)</enum><header>Reports</header><text>Not later than 2 years after the date of enactment of this Act, and annually thereafter, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that includes—</text><subparagraph id="HF743D9C761CC425D9660945AB8D4D4FE"><enum>(A)</enum><text>a description of the work of the Division regarding emerging concerns relating to youth privacy and marketing practices; and</text></subparagraph><subparagraph id="HD78C65D045F740A6A70D2F1CED47D9A1"><enum>(B)</enum><text>an assessment of how effectively the Division has, during the period for which the report is submitted, assisted the Commission to address youth privacy and marketing practices.</text></subparagraph></paragraph><paragraph id="H76601C4C268A44C48FD6C5AE873C3EC5"><enum>(6)</enum><header>Publication</header><text>Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall publish the report on its website.</text></paragraph></subsection><subsection id="H315A6CC281AB49A1A1D9CF11FAD9DFF9"><enum>(d)</enum><header>Report by the inspector general</header><paragraph id="H9A334EA75ADB4072958499520B654FD4"><enum>(1)</enum><header>In general</header><text>Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General of the Commission shall submit to the Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1304 of the Children’s Online Privacy Protection Act of 1998 
(<external-xref legal-doc="usc" parsable-cite="usc/15/6503">15 U.S.C. 6503</external-xref>), which shall include—</text><subparagraph id="HB4BD1EDBC740459F8EED89485ACC5BEC"><enum>(A)</enum><text>an analysis of whether the safe harbor provisions are—</text><clause id="HB052AE96026A4E638724C3524FDF572D"><enum>(i)</enum><text>operating fairly and effectively; and</text></clause><clause id="H82A781B783474C9EB96350CCBB1A79F4"><enum>(ii)</enum><text>effectively protecting the interests of children and minors; and</text></clause></subparagraph><subparagraph id="H87CC443F0555491998318A65B9FD0929"><enum>(B)</enum><text>any proposal or recommendation for policy changes that would improve the effectiveness of the safe harbor provisions.</text></subparagraph></paragraph><paragraph id="H32CCADE2F27248DC98748EDCA75FE8A6"><enum>(2)</enum><header>Publication</header><text>Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall publish the report on the website of the Commission.</text></paragraph></subsection></section><section id="H3CEF7AC223744644A5943EB24F0DC4BF"><enum>206.</enum><header>Third-party collecting entities</header><subsection id="H7560B8D181FC4798A1C69119BD1E4F08"><enum>(a)</enum><header>Notice</header><text display-inline="yes-display-inline">Each third-party collecting entity shall place a clear, conspicuous, not misleading, and readily accessible notice on the website or mobile application of the third-party collecting entity (if the third-party collecting entity maintains such a website or mobile application) that—</text><paragraph id="H96CCFF19FEEB49BFBD3C96D311F395E2"><enum>(1)</enum><text>notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking under section 553 of title 5, United States Code; </text></paragraph><paragraph id="H92DB1FEA72F04FA9AD3D8DE6B0266EE1"><enum>(2)</enum><text>includes a link to the website 
established under subsection (b)(3); and</text></paragraph><paragraph id="HA4D13ED36C114B9C88206BCB8B784D15"><enum>(3)</enum><text display-inline="yes-display-inline">is reasonably accessible to and usable by individuals with disabilities.</text></paragraph></subsection><subsection id="H2D662A4AC72E4E91AC3164435FF4F6A9"><enum>(b)</enum><header>Third-party collecting entity registration</header><paragraph id="H0B07E0F3DB8A49748CCCA8DE7E12ED4F"><enum>(1)</enum><header>In general</header><text>Not later than January 31 of each calendar year that follows a calendar year during which a covered entity acted as a third-party collecting entity and processed covered data pertaining to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual, such covered entity shall register with the Commission in accordance with this subsection.</text></paragraph><paragraph id="H2DF57E68F7F9457990EA18EDA2EB9C03"><enum>(2)</enum><header>Registration requirements</header><text>In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:</text><subparagraph id="HAF9577A8528C4CC39575610B82F6A2F4"><enum>(A)</enum><text>Pay to the Commission a registration fee of $100.</text></subparagraph><subparagraph id="H86E1510332114DF09233F6D8FECDA559"><enum>(B)</enum><text>Provide the Commission with the following information:</text><clause id="HD515CD36853942C7A91E1E3C6D739A65"><enum>(i)</enum><text>The legal name and primary physical, email, and internet addresses of the third-party collecting entity.</text></clause><clause id="H57B7ED9E3CC74D188AF960F8BB83CBF6"><enum>(ii)</enum><text>A description of the categories of covered data the third-party collecting entity processes and transfers.</text></clause><clause id="H21FE4537D0CE485392E78AEAE0B1C3BD"><enum>(iii)</enum><text>The contact information of the third-party collecting entity, including a contact person, a telephone number, an e-mail 
address, a website, and a physical mailing address.</text></clause><clause id="H2AC6E2F92E364AD9AE5F0A46F4A957F1"><enum>(iv)</enum><text>A link to a website through which an individual may easily exercise the rights provided under this subsection.</text></clause></subparagraph></paragraph><paragraph id="H293C4831A20E4D2BBCA0EF0416AD9ED4" commented="no"><enum>(3)</enum><header>Third-party collecting entity registry</header><text>The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party collecting entities that are registered with the Commission under this subsection that includes the following:</text><subparagraph id="H1D3E98F8D29F41B19D65514462C38F3A" commented="no"><enum>(A)</enum><text>A listing of all registered third-party collecting entities and a search feature that allows members of the public to identify individual third-party collecting entities.</text></subparagraph><subparagraph id="H57C56B371668454984B2D9599EA560E0" commented="no"><enum>(B)</enum><text>For each registered third-party collecting entity, the information provided under paragraph (2)(B).</text></subparagraph><subparagraph id="H5CB2AD18E7664587A687B7875EE48B04" commented="no"><enum>(C)</enum><clause commented="no" display-inline="yes-display-inline" id="H626EFC924974494B8B9267A5436C7EED"><enum>(i)</enum><text>A <quote>Do Not Collect</quote> registry link and mechanism by which an individual may easily submit a request to all registered third-party collecting entities that are not consumer reporting agencies (as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 
1681a(f)</external-xref>)), and to the extent such third-party collecting entities are not acting as consumer reporting agencies (as so defined), to—</text><subclause id="H6A69774838D0450CAC58083E64C0A69D" indent="up1" commented="no"><enum>(I)</enum><text>delete all covered data related to such individual that the third-party collecting entity did not collect from such individual directly or when acting as a service provider; and</text></subclause><subclause id="HE109DE43EEEA453BB02AD786126BDAF4" indent="up1" commented="no"><enum>(II)</enum><text display-inline="yes-display-inline">ensure that the third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as the third-party collecting entity is acting as a service provider.</text></subclause></clause><clause id="H7AAD777051C64674A15772CC742A1310" indent="up1" commented="no"><enum>(ii)</enum><text>Each third-party collecting entity that receives such a request from an individual shall delete all the covered data of the individual not later than 30 days after the request is received by the third-party collecting entity.</text></clause><clause id="H6FEBA22B15C84C6EAD707B216E5492F9" indent="up1" commented="no"><enum>(iii)</enum><text display-inline="yes-display-inline">Notwithstanding the provisions of clauses (i) and (ii), a third-party collecting entity may decline to fulfill a <quote>Do Not Collect</quote> request from an individual who it has actual knowledge has been convicted of a crime related to the abduction or sexual exploitation of a child, and the data the entity is collecting is necessary to effectuate the purposes of a national or State-run sex offender registry or the congressionally designated entity that serves as the nonprofit national resource center and clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children 
issues.</text></clause></subparagraph></paragraph></subsection><subsection id="HB2AC60FAED46471A936E3B3C805CD7E4"><enum>(c)</enum><header>Penalties</header><paragraph id="HE4B64D9491A74F0CBCC39E3A492F71E8"><enum>(1)</enum><header>In general</header><text>A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable for—</text><subparagraph id="H3F2B3998E02D466D88A43875D41E3229"><enum>(A)</enum><text>a civil penalty of $100 for each day the third-party collecting entity fails to register or provide notice as required under this section, not to exceed a total of $10,000 for any year; and</text></subparagraph><subparagraph id="H9E87E903A5E049F7BCF3A54A906D9254"><enum>(B)</enum><text display-inline="yes-display-inline">an amount equal to the registration fees due under paragraph (2)(A) of subsection (b) for each year that the third-party collecting entity failed to register as required under paragraph (1) of such subsection.</text></subparagraph></paragraph><paragraph id="H0E33308D39924C6CAD6BA24A35828E6A" commented="no"><enum>(2)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Nothing in this subsection shall be construed as altering, limiting, or affecting any enforcement authorities or remedies under this Act.</text></paragraph></subsection></section><section id="HD58970CD67B741C891BC0E71CD547070"><enum>207.</enum><header>Civil rights and algorithms</header><subsection id="HA86CE810522B46EDAD84EBADD5BD1510"><enum>(a)</enum><header>Civil rights protections</header><paragraph id="HD91476E42AB54D66A2D4CA86D3DC05DC"><enum>(1)</enum><header>In general</header><text>A covered entity or a service provider may not collect, process, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.</text></paragraph><paragraph 
id="H9791FDA5DF4541CF9749DCEF67DED370"><enum>(2)</enum><header>Exceptions</header><text>This subsection shall not apply to—</text><subparagraph id="H3CB140E25C5A4CB895D03DF8F0FA3730"><enum>(A)</enum><text>the collection, processing, or transfer of covered data for the purpose of—</text><clause id="HF1DBECD2352F46419251215DD757F337"><enum>(i)</enum><text>a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or</text></clause><clause id="H56B6237F2B26419AB88A1E7288984104"><enum>(ii)</enum><text>diversifying an applicant, participant, or customer pool; or</text></clause></subparagraph><subparagraph id="H21852CCB9DE14135AB4D4413CDF73BD2"><enum>(B)</enum><text>any private club or group not open to the public, as described in section 201(e) of the Civil Rights Act of 1964 (<external-xref legal-doc="usc" parsable-cite="usc/42/2000a">42 U.S.C. 2000a(e)</external-xref>).</text></subparagraph></paragraph></subsection><subsection id="H665CF0F7E4BF4EE591563C7548363DB6"><enum>(b)</enum><header>FTC enforcement assistance</header><paragraph id="H72C0BFA8803C458BA09D942066C3AC0A"><enum>(1)</enum><header>In general</header><text>Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.</text></paragraph><paragraph id="H1F85CDCD243042A9B8C06BC4AA627EFE"><enum>(2)</enum><header>Annual report</header><text>Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report that includes a summary of—</text><subparagraph id="H1AC4439BE35B4270A4CE6EEEE0EBF29E"><enum>(A)</enum><text>the types of information the Commission transmitted to Executive agencies under 
paragraph (1) during the previous 1-year period; and</text></subparagraph><subparagraph id="H59A55AF76ACB4290B4FB0469523B8602"><enum>(B)</enum><text>how such information relates to Federal civil rights laws.</text></subparagraph></paragraph><paragraph id="H3894F138D9C14837880C3997F7B31712"><enum>(3)</enum><header>Technical assistance</header><text>In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance, as appropriate, to such Executive agency.</text></paragraph><paragraph id="H0264827662C644AD988A182E00F3F882"><enum>(4)</enum><header>Cooperation with other agencies</header><text>The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Executive agencies.</text></paragraph></subsection><subsection id="H30B849E932C84D468F3756CD6B90E2B0"><enum>(c)</enum><header>Covered algorithm impact and evaluation</header><paragraph id="H60D7D8222D1B47B2AA2C708E4EC2D98C"><enum>(1)</enum><header>Covered algorithm impact assessment</header><subparagraph id="H95D0DCE1DA2745DAB4E84DC4A0DA0E24"><enum>(A)</enum><header>Impact assessment</header><text display-inline="yes-display-inline">Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this Act, and annually thereafter, a large data holder that uses a covered algorithm in a manner that poses a consequential risk of harm to an individual or group of individuals, and uses such covered algorithm solely or in part, to collect, process, or transfer covered data shall conduct an impact assessment of such algorithm in accordance with subparagraph (B).</text></subparagraph><subparagraph id="H15E86E3A8CE6450A9CFE2BF844EC1E66"><enum>(B)</enum><header>Impact assessment scope</header><text>The impact assessment required under subparagraph (A) shall provide the following:</text><clause id="HD73E21A3C81549A18024FE991E9D5835"><enum>(i)</enum><text>A 
detailed description of the design process and methodologies of the covered algorithm.</text></clause><clause id="H91D7B0E9943D499A99386C0A1E7FD240"><enum>(ii)</enum><text display-inline="yes-display-inline">A statement of the purpose and proposed uses of the covered algorithm.</text></clause><clause id="H865A728C2097484D9C4C03A14A37D0BF"><enum>(iii)</enum><text display-inline="yes-display-inline">A detailed description of the data used by the covered algorithm, including the specific categories of data that will be processed as input and any data used to train the model that the covered algorithm relies on, if applicable.</text></clause><clause id="H465A558EFAAF408D9DAE0659691C9625"><enum>(iv)</enum><text display-inline="yes-display-inline">A description of the outputs produced by the covered algorithm.</text></clause><clause id="H2E8A930AC2D14F4E939E97C1FB0FAE7C"><enum>(v)</enum><text display-inline="yes-display-inline">An assessment of the necessity and proportionality of the covered algorithm in relation to its stated purpose.</text></clause><clause id="H935277A636284512A1D99D2106D30779"><enum>(vi)</enum><text display-inline="yes-display-inline">A detailed description of steps the large data holder has taken or will take to mitigate potential harms from the covered algorithm to an individual or group of individuals, including related to—</text><subclause id="HAC4BF89ADC2B4F5282F4798C783161AF"><enum>(I)</enum><text>covered minors;</text></subclause><subclause id="HEC37A566CA3F4522BD0873449058FF33"><enum>(II)</enum><text>making or facilitating advertising for, or determining access to, or restrictions on the use of housing, education, employment, healthcare, insurance, or credit opportunities;</text></subclause><subclause id="HBA871D1E78004C5D8A4CACE5886FF3C2"><enum>(III)</enum><text>determining access to, or restrictions on the use of, any place of public accommodation, particularly as such harms relate to the protected characteristics of individuals, including 
race, color, religion, national origin, sex, or disability; </text></subclause><subclause id="H21439A4079444F15AF37935E95C73387"><enum>(IV)</enum><text>disparate impact on the basis of individuals’ race, color, religion, national origin, sex, or disability status; or</text></subclause><subclause id="H74CCCD43715C44449CD5D178391880EB"><enum>(V)</enum><text display-inline="yes-display-inline">disparate impact on the basis of individuals’ political party registration status.</text></subclause></clause></subparagraph></paragraph><paragraph id="H2A9DFD87C3004846AE5E5B5CE040D786"><enum>(2)</enum><header>Algorithm design evaluation</header><text display-inline="yes-display-inline">Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this Act, a covered entity or service provider that knowingly develops a covered algorithm that is designed, solely or in part, to collect, process, or transfer covered data in furtherance of a consequential decision shall prior to deploying the covered algorithm in interstate commerce evaluate the design, structure, and inputs of the covered algorithm, including any training data used to develop the covered algorithm, to reduce the risk of the potential harms identified under paragraph (1)(B).</text></paragraph><paragraph id="H703FB6B09F354EEA99F7ACD73ACAB8BA"><enum>(3)</enum><header>Other considerations</header><subparagraph id="HBC82F3B995364F77BAEC6ECBA13C521B"><enum>(A)</enum><header>Focus</header><text display-inline="yes-display-inline">In complying with paragraphs (1) and (2), a covered entity and a service provider may focus the impact assessment or evaluation on any covered algorithm, or portions of a covered algorithm, that will be put to use and may reasonably contribute to the risk of the potential harms identified under paragraph (1)(B).</text></subparagraph><subparagraph id="H35D5DFDE6A754B05829A84B5684F6B20"><enum>(B)</enum><header>Availability</header><clause 
id="HB339F2EC064D4B029B8B132575CBF3F0"><enum>(i)</enum><header>In general</header><text>A covered entity and a service provider—</text><subclause id="HE34384C6617944A5ADCBEC380BBDECDD"><enum>(I)</enum><text>shall, not later than 30 days after completing an impact assessment or evaluation, submit the impact assessment or evaluation conducted under paragraph (1) or (2) to the Commission;</text></subclause><subclause id="HE29B55356FAD4898BD71EF16EF8E8E15"><enum>(II)</enum><text>shall, upon request, make such impact assessment and evaluation available to Congress; and</text></subclause><subclause id="H3412B5323D174D16BB5308F0AC9BCC42"><enum>(III)</enum><text>may make a summary of such impact assessment and evaluation publicly available in a place that is easily accessible to individuals.</text></subclause></clause><clause id="HB7CB17AFBA674619ACB3B60BFE94C01E"><enum>(ii)</enum><header>Trade secrets</header><text display-inline="yes-display-inline">Covered entities and service providers may redact and segregate any trade secret (as defined in section 1839 of title 18, United States Code) or other confidential or proprietary information from public disclosure under this subparagraph and the Commission shall abide by its obligations under section 6(f) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/46">15 U.S.C. 46(f)</external-xref>) in regard to such information.</text></clause></subparagraph><subparagraph id="H40BA6C3511464D0692AEA5FFE83C37D9"><enum>(C)</enum><header>Enforcement</header><text display-inline="yes-display-inline">The Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than enforcing this Act with the exception of enforcing consent orders, including the study and report provisions in paragraph (6). 
This subparagraph does not preclude the Commission from providing this information to Congress in response to a subpoena.</text></subparagraph></paragraph><paragraph id="HED245A0A93234CA38D13099147B375A8"><enum>(4)</enum><header>Guidance</header><text>Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, or their respective designees, publish guidance regarding compliance with this section.</text></paragraph><paragraph id="HE7DB0C0FFD9E40B192587DEB95297999"><enum>(5)</enum><header>Rulemaking and exemption</header><text>The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as necessary to establish processes by which a large data holder—</text><subparagraph id="H50AA5A04BF92467AA6DE6EC0BCAE570C"><enum>(A)</enum><text>shall submit an impact assessment to the Commission under paragraph (3)(B)(i)(I); and</text></subparagraph><subparagraph id="HBEF952AD40DF42B3988EB3482A12ADDB"><enum>(B)</enum><text display-inline="yes-display-inline">may exclude from this subsection any covered algorithm that presents low or minimal consequential risk of harm to an individual or group of individuals.</text></subparagraph></paragraph><paragraph id="H1F4E1B4C25BA42F999D4BAA5615203F0"><enum>(6)</enum><header>Study and report</header><subparagraph id="HDE80F7BC0E6C485DAA1934FE00F78442"><enum>(A)</enum><header>Study</header><text>The Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall conduct a study, to review any impact assessment or evaluation submitted under this subsection. 
Such study shall include an examination of—</text><clause id="H69D9532CCEF34DBDB5AC61DB6596AAB4"><enum>(i)</enum><text display-inline="yes-display-inline">best practices for the assessment and evaluation of covered algorithms; and</text></clause><clause id="H9E77F7E11AB54CE7920883CBF3395FB9"><enum>(ii)</enum><text display-inline="yes-display-inline">methods to reduce the risk of harm to individuals that may be related to the use of covered algorithms.</text></clause></subparagraph><subparagraph id="H8CA009A9B68A4A4FA5FDFBACED6C541E"><enum>(B)</enum><header>Report</header><clause id="HBDF51EDDDBF34CB380D14A0B7E1ABEAB"><enum>(i)</enum><header>Initial report</header><text>Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall submit to Congress a report containing the results of the study conducted under subparagraph (A), together with recommendations for such legislation and administrative action as the Commission determines appropriate.</text></clause><clause id="H0CEAF4E3C352407698386F67ED9CF929"><enum>(ii)</enum><header>Additional reports</header><text>Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines necessary thereafter, the Commission shall submit to Congress an updated version of such report.</text></clause></subparagraph></paragraph></subsection></section><section id="H13C0EF0ECD5A46F8A9BCC8714B8A2FC9"><enum>208.</enum><header>Data security and protection of covered data</header><subsection id="H93AD938AD692429C836B2010123696F5"><enum>(a)</enum><header>Establishment of data security practices</header><paragraph id="H03C0FFBE90254E8786E8ED93C6BFEAB6"><enum>(1)</enum><header>In general</header><text>A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered 
data against unauthorized access and acquisition.</text></paragraph><paragraph id="H8FCECC87DCCF45639C2A2D6BF1A246D9"><enum>(2)</enum><header>Considerations</header><text>The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—</text><subparagraph id="H862913DBFD4846E8A2B41B37781D5B3E"><enum>(A)</enum><text>the size and complexity of the covered entity or service provider;</text></subparagraph><subparagraph id="HC37293ED67424AF5B7FEC9587EC50C3F"><enum>(B)</enum><text>the nature and scope of the covered entity or the service provider’s collecting, processing, or transferring of covered data;</text></subparagraph><subparagraph id="H047ABD346F244355B37CCE081A0A177B"><enum>(C)</enum><text>the volume and nature of the covered data collected, processed, or transferred by the covered entity or service provider;</text></subparagraph><subparagraph id="HEDB3D17037C0458B8A47BE89AE421FCE"><enum>(D)</enum><text>the sensitivity of the covered data collected, processed, or transferred;</text></subparagraph><subparagraph id="H11CD0C8040A84DE68569983C49D9593E"><enum>(E)</enum><text display-inline="yes-display-inline">the current state of the art (and limitations thereof) in administrative, technical, and physical safeguards for protecting such covered data; and</text></subparagraph><subparagraph id="H2A81A243C01145A9BB6974124627F9F6"><enum>(F)</enum><text>the cost of available tools to improve security and reduce vulnerabilities to unauthorized access and acquisition of such covered data in relation to the risks and nature of the covered data.</text></subparagraph></paragraph></subsection><subsection id="HBD60FEA1C1064E74886918B95E9ED0ED"><enum>(b)</enum><header>Specific requirements</header><text display-inline="yes-display-inline">The data security practices of the covered entity and of the service provider required under subsection (a) shall include, for each respective entity’s own system or systems, at 
a minimum, the following practices:</text><paragraph id="H0AF3C5C625E947359E53F0B213D8420C"><enum>(1)</enum><header>Assess vulnerabilities</header><text display-inline="yes-display-inline">Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and reasonably respond to unsolicited reports of vulnerabilities by any entity or individual and by performing a reasonable investigation of such reports.</text></paragraph><paragraph id="H120E20CD5CC640CA96A5F6C9D25E84DA"><enum>(2)</enum><header>Preventive and corrective action</header><text display-inline="yes-display-inline">Taking preventive and corrective action designed to mitigate reasonably foreseeable risks or vulnerabilities to covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability and the entity’s role in collecting, processing, or transferring the data. 
Such action may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software, among other actions.</text></paragraph><paragraph id="H97D1B425C71E4D968DD1B9D89D40E79F"><enum>(3)</enum><header>Evaluation of preventive and corrective action</header><text>Evaluating and making reasonable adjustments to the action described in paragraph (2) in light of any material changes in technology, internal or external threats to covered data, and the covered entity or service provider’s own changing business arrangements or operations.</text></paragraph><paragraph id="H1295BF49DAEF4216AC874F58A6D9DF9D"><enum>(4)</enum><header>Information retention and disposal</header><text display-inline="yes-display-inline">Disposing of covered data in accordance with a retention schedule that shall require the deletion of covered data when such data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section. 
Service providers shall establish practices to delete or return covered data to a covered entity as requested at the end of the provision of services unless retention of the covered data is required by law, consistent with section 302(a)(6).</text></paragraph><paragraph id="H2B1DB2A4D27F4D3D9681B4562F6FDC8F"><enum>(5)</enum><header>Training</header><text>Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.</text></paragraph><paragraph id="HABB2D465FB50459FA366B8D3B70BB490"><enum>(6)</enum><header>Designation</header><text>Designating an officer, employee, or employees to maintain and implement such practices.</text></paragraph><paragraph id="H2BE995D64B60413A8DD9CDFF6B3E2B5C"><enum>(7)</enum><header>Incident response</header><text>Implementing procedures to detect, respond to, or recover from security incidents, including breaches.</text></paragraph></subsection><subsection id="HAC0F36939437496B9187733C98B75A18" commented="no"><enum>(c)</enum><header>Regulations</header><text display-inline="yes-display-inline">The Commission may promulgate, in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes for complying with this section. 
The Commission shall consult with the National Institute of Standards and Technology in establishing such processes.</text></subsection></section><section id="H7CB14BADCFD8442D858F84BD9A6C85D6"><enum>209.</enum><header>Small business protections</header><subsection id="H2D8E0918770544A8A698B86A2D0FCDF3"><enum>(a)</enum><header>Establishment of exemption</header><text display-inline="yes-display-inline">Any covered entity or service provider that can establish that it met the requirements described in subsection (b) for the period of the 3 preceding calendar years (or for the period during which the covered entity or service provider has been in existence if such period is less than 3 years) shall—</text><paragraph id="H1F6E9DA6D4E940C4BDA4714989723F90"><enum>(1)</enum><text display-inline="yes-display-inline">be exempt from compliance with section 203(a)(4), paragraphs (1) through (3) and (5) through (7) of section 208(b), and section 301(c); and</text></paragraph><paragraph id="HE7EEE4E5A07141AFBE864176E305833E"><enum>(2)</enum><text>at the covered entity’s sole discretion, have the option of complying with section 203(a)(2) by, after receiving a verified request from an individual to correct covered data of the individual under such section, deleting such covered data in its entirety instead of making the requested correction.</text></paragraph></subsection><subsection id="H0D73FEBB0777427ABDC749B535F1D921"><enum>(b)</enum><header>Exemption requirements</header><text>The requirements of this subsection are, with respect to a covered entity or a service provider, the following:</text><paragraph id="H2CCC8B7F9AF848E394D6B9F680FE3CE8"><enum>(1)</enum><text>The covered entity or service provider’s average annual gross revenues during the period did not exceed $41,000,000.</text></paragraph><paragraph id="HA7BE1E043DAB4284860625CE5C6E973C"><enum>(2)</enum><text display-inline="yes-display-inline">The covered entity or service provider, on average, did not annually 
collect or process the covered data of more than 200,000 individuals during the period beyond the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.</text></paragraph><paragraph id="H243EC64E89A546E6BA5088FAD6A4B51D"><enum>(3)</enum><text>The covered entity or service provider did not derive more than 50 percent of its revenue from transferring covered data during any year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs during the period.</text></paragraph></subsection><subsection id="HFFAD4E96DF9B4172BE69949D65E4995A"><enum>(c)</enum><header>Revenue defined</header><text>For purposes of this section, the term <term>revenue</term> as it relates to any covered entity or service provider that is not organized to carry on business for its own profit or that of its members, means the gross receipts the covered entity or service provider received in whatever form from all sources without subtracting any costs or expenses, and includes contributions, gifts, grants, dues or other assessments, income from investments, or proceeds from the sale of real or personal property.</text></subsection></section><section id="HD71BB3915EDB43F98F9252B42860D2A5"><enum>210.</enum><header>Unified opt-out mechanisms</header><subsection id="HE60A3C4215EC4469A53D6FEF0CF24E05"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">For the rights established under subsection (b) of section 204, subsection (c) of section 204 (except as provided for under section 101(b)(16)), and section 206(b)(3)(C), following public notice and opportunity to comment and not later than 18 months after the date of enactment of this Act, the Commission shall 
establish or recognize one or more acceptable privacy protective, centralized mechanisms, including global privacy signals such as browser or device privacy settings, other tools offered by covered entities or service providers, and registries of identifiers, for individuals to exercise all such rights through a single interface for a covered entity or service provider to utilize to allow an individual to make such opt out designations with respect to covered data related to such individual.</text></subsection><subsection id="HDA9B9DF86D9440C3BB2FE180477A567F"><enum>(b)</enum><header>Requirements</header><text>Any such centralized opt-out mechanism shall—</text><paragraph id="HBE4B69854C28421BB920224F05623434"><enum>(1)</enum><text>require covered entities or service providers acting on behalf of covered entities to inform individuals about the centralized opt-out choice;</text></paragraph><paragraph id="H943D4AD587624A018A3779778845EDE1"><enum>(2)</enum><text>not be required to be the default setting, but may be the default setting provided that in all cases the mechanism clearly represents the individual’s affirmative, freely given, and unambiguous choice to opt out;</text></paragraph><paragraph id="H9922586C18FB4501B096760A4595417E"><enum>(3)</enum><text>be consumer-friendly, clearly described, and easy-to-use by a reasonable individual;</text></paragraph><paragraph id="HF52D72210DC94A04AFB811F78E20C47B"><enum>(4)</enum><text>permit the covered entity or service provider acting on behalf of a covered entity to have an authentication process the covered entity or service provider acting on behalf of a covered entity may use to determine if the mechanism represents a legitimate request to opt out;</text></paragraph><paragraph id="HA70935D7F35144A28890AE41C3ACAEB2"><enum>(5)</enum><text>be provided in any covered language in which the covered entity provides products or services subject to the opt-out; and</text></paragraph><paragraph 
id="HA004617931404DC3B14E1DD69837EA09"><enum>(6)</enum><text>be provided in a manner that is reasonably accessible to and usable by individuals with disabilities.</text></paragraph></subsection></section></title><title id="HFA4F33D3AEA54AADAB9FB1B8A4EC0FA6"><enum>III</enum><header>Corporate Accountability</header><section id="HE4967568C7724CB5A4DDC7502EA0BE62"><enum>301.</enum><header>Executive responsibility</header><subsection id="HAA850E7A224C4D9BA4AB08C2AF26FD8C"><enum>(a)</enum><header>In general</header><text>Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—</text><paragraph id="H48C735FC983E4FF783890FC774C99DFA"><enum>(1)</enum><text>internal controls reasonably designed to comply with this Act; and</text></paragraph><paragraph id="H90F673AB84014761BD175EAD4C2E19A9"><enum>(2)</enum><text>internal reporting structures to ensure that such certifying executive officer is involved in and responsible for the decisions that impact the compliance by the large data holder with this Act.</text></paragraph></subsection><subsection id="HF439E64F4DE143098BD27A1F086EBC96"><enum>(b)</enum><header>Requirements</header><text display-inline="yes-display-inline">A certification submitted under subsection (a) shall be based on a review of the effectiveness of the internal controls and reporting structures of the large data holder that is conducted by the certifying executive officer not more than 90 days before the submission of the certification. 
A certification submitted under subsection (a) is made in good faith if the certifying officer had, after a reasonable investigation, reasonable ground to believe and did believe, at the time that certification was submitted, that the statements therein were true and that there was no omission to state a material fact required to be stated therein or necessary to make the statements therein not misleading.</text></subsection><subsection id="H74836AD6D4084007969E0DE1FB42789E" commented="no"><enum>(c)</enum><header>Designation of privacy and data security officer</header><paragraph id="H850181B7E58140689DAD5CB96C34B7FC" commented="no"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A covered entity or service provider that has more than 15 employees shall designate—</text><subparagraph id="H5EF3113A121D4A48AFD9A9A146C84F01" commented="no"><enum>(A)</enum><text>1 or more qualified employees as privacy officers; and</text></subparagraph><subparagraph id="HBAEAAF2545DE4EFE9496B7CCCCD1E049" commented="no"><enum>(B)</enum><text>1 or more qualified employees (in addition to any employee designated under subparagraph (A)) as data security officers.</text></subparagraph></paragraph><paragraph id="HA814808C8D4A41B382811382C2FE1E1F" commented="no"><enum>(2)</enum><header>Requirements for officers</header><text>An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer pursuant to paragraph (1) shall, at a minimum—</text><subparagraph id="HE9EDBC37467D498EB870EF14327DA9BB" commented="no"><enum>(A)</enum><text>implement a data privacy program and data security program to safeguard the privacy and security of covered data in compliance with the requirements of this Act; and</text></subparagraph><subparagraph id="H694D0456DB574F61AC3BD7B0830B13FE" commented="no"><enum>(B)</enum><text>facilitate the covered entity or service provider’s ongoing compliance with this 
Act.</text></subparagraph></paragraph><paragraph id="HFEE0C9158B3D403EACDB1FB55FCCBB8B" commented="no"><enum>(3)</enum><header>Additional requirements for large data holders</header><text>A large data holder shall designate at least 1 of the officers described in paragraph (1) to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—</text><subparagraph id="H3212022086684B6DAFCCE3E4C1281E4D" commented="no"><enum>(A)</enum><text>establish processes to periodically review and update the privacy and security policies, practices, and procedures of the large data holder, as necessary;</text></subparagraph><subparagraph id="H2A8B25C5E1AE4B2B9FBEC26C4535652B" commented="no"><enum>(B)</enum><text>conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder ensure the large data holder is in compliance with this Act and ensure such audits are accessible to the Commission upon request;</text></subparagraph><subparagraph id="H771805E3542341559565181FC9AC734B" commented="no"><enum>(C)</enum><text>develop a program to educate and train employees about compliance requirements of this Act;</text></subparagraph><subparagraph id="H9439CD123CBB408B8FEEA2182085C08E" commented="no"><enum>(D)</enum><text>maintain updated, accurate, clear, and understandable records of all material privacy and data security practices undertaken by the large data holder; and</text></subparagraph><subparagraph id="H04D5B1EC6A194FB3AFFDFD5D0066901B" commented="no"><enum>(E)</enum><text>serve as the point of contact between the large data holder and enforcement authorities.</text></subparagraph></paragraph></subsection><subsection id="HB83DA2A56AFD48A2B1370C417E66D2D7"><enum>(d)</enum><header>Large data holder privacy impact assessments</header><paragraph 
id="H05AF92153B7542B1B275C76F6B2E96AF"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Not later than 1 year after the date of enactment of this Act or 1 year after the date on which a covered entity first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each covered entity that is a large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy.</text></paragraph><paragraph id="HAA090FCC40FF4F779517DB87C9DCC56E"><enum>(2)</enum><header>Assessment requirements</header><text>A privacy impact assessment required under paragraph (1) shall be—</text><subparagraph id="H655485982BFB4B67A859D48187AAEE45"><enum>(A)</enum><text>reasonable and appropriate in scope given—</text><clause id="H228D31BF6F2B412098A961F33B4FA4DE"><enum>(i)</enum><text>the nature of the covered data collected, processed, and transferred by the large data holder;</text></clause><clause id="H58998D7D38C84F6F8F1B0DC064604A18"><enum>(ii)</enum><text>the volume of the covered data collected, processed, and transferred by the large data holder; and</text></clause><clause id="H73E19E786C924983A77E0E0AC989A505"><enum>(iii)</enum><text display-inline="yes-display-inline">the potential material risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the large data holder; </text></clause></subparagraph><subparagraph id="H5AE54EE98E134E118B8C6B8A54BDAE57"><enum>(B)</enum><text>documented in written form and maintained by the large data holder unless rendered out of date by a subsequent assessment conducted under paragraph (1); and</text></subparagraph><subparagraph id="HE3A175D22C29404A9DFF8C88C3AE0DB5"><enum>(C)</enum><text 
display-inline="yes-display-inline">approved by the privacy protection officer designated in subsection (c)(3) of the large data holder, as applicable.</text></subparagraph></paragraph><paragraph id="H393CBBB7956243618517137601616DB1"><enum>(3)</enum><header>Additional factors to include in assessment</header><text>In assessing the privacy risks, including substantial privacy risks, the large data holder must include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, are used to secure covered data.</text></paragraph></subsection><subsection id="H1D74721FEC6E4F32959A93A9D6CA541D"><enum>(e)</enum><header>Other privacy impact assessments</header><paragraph id="HCA12F11EB305499FB5D7469F2A7FB42D"><enum>(1)</enum><header>In general</header><text>Not later than 1 year after the date of enactment of this Act and biennially thereafter, each covered entity that is not a large data holder and does not meet the requirements for covered entities under section 209 shall conduct a privacy impact assessment. 
Such assessment shall weigh the benefits of the covered entity’s covered data collecting, processing, and transfer practices that may cause a substantial privacy risk against the potential material adverse consequences of such practices to individual privacy.</text></paragraph><paragraph id="H4659450CBC3F45FB96AC625BB9759879"><enum>(2)</enum><header>Assessment requirements</header><text>A privacy impact assessment required under paragraph (1) shall be—</text><subparagraph id="HF29334430E4C4D49BD2DB89C292BF31D"><enum>(A)</enum><text>reasonable and appropriate in scope given—</text><clause id="H1CF53DC2E2184AD697B5D6156DB18B2C"><enum>(i)</enum><text>the nature of the covered data collected, processed, and transferred by the covered entity;</text></clause><clause id="H5297BE4AE4E244C297C93ECF64BE1164"><enum>(ii)</enum><text>the volume of the covered data collected, processed, and transferred by the covered entity; and</text></clause><clause id="H871A41663DFF4E609E98529F243D46ED"><enum>(iii)</enum><text>the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the covered entity; and</text></clause></subparagraph><subparagraph id="H6B571E6E4EB147F48157DBA1E28CDCB0"><enum>(B)</enum><text>documented in written form and maintained by the covered entity unless rendered out of date by a subsequent assessment conducted under paragraph (1).</text></subparagraph></paragraph><paragraph id="HE34CE5BE61644159857870F1C39DE2F0"><enum>(3)</enum><header>Additional factors to include in assessment</header><text>In assessing the privacy risks, including substantial privacy risks, the covered entity may include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, are used to secure covered data.</text></paragraph></subsection></section><section id="H4E70FA93313C4C14B72DC44FF76CC1D1" commented="no"><enum>302.</enum><header>Service providers and 
third parties</header><subsection id="HC8F28A6DD10D45D59266B0208C46EAF3" commented="no"><enum>(a)</enum><header>Service providers</header><text>A service provider—</text><paragraph id="H7CC72979A04F484BB96CE7425DEEF62C" commented="no"><enum>(1)</enum><text>shall adhere to the instructions of a covered entity and only collect, process, and transfer service provider data to the extent necessary and proportionate to provide a service requested by the covered entity, as set out in the contract required by subsection (b), and this paragraph does not require a service provider to collect, process, or transfer covered data if the service provider would not otherwise do so;</text></paragraph><paragraph id="H97893E633A014DD3B89601565DF7027B" commented="no"><enum>(2)</enum><text>may not collect, process, or transfer service provider data if the service provider has actual knowledge that a covered entity violated this Act with respect to such data;</text></paragraph><paragraph id="HEFA06072A41D4287A020F2F8E8B149E9" commented="no"><enum>(3)</enum><text>shall assist a covered entity in responding to a request made by an individual under section 203 or 204, by either—</text><subparagraph id="HDCA9D9CEEA61471389E8EC81A53671FC" commented="no"><enum>(A)</enum><text>providing appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider, for the covered entity to comply with such request for service provider data; or</text></subparagraph><subparagraph id="HFFDBECEC242149879DA45D8143C8D225" commented="no"><enum>(B)</enum><text>fulfilling a request by a covered entity to execute an individual rights request that the covered entity has determined should be complied with, by either—</text><clause id="H34217572539C4B129387589CC6D79B30" commented="no"><enum>(i)</enum><text>complying with the request pursuant to the covered entity’s instructions; or</text></clause><clause 
id="H38153DD5BBCE4DD8BC484F68532CA209" commented="no"><enum>(ii)</enum><text>providing written verification to the covered entity that it does not hold covered data related to the request, that complying with the request would be inconsistent with its legal obligations, or that the request falls within an exception to section 203 or 204;</text></clause></subparagraph></paragraph><paragraph id="H28A76F4F0B7041F2876AAB08D3BD61A3" commented="no"><enum>(4)</enum><text display-inline="yes-display-inline">may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after providing that covered entity with notice and pursuant to a written contract that requires such other service provider to satisfy the obligations of the service provider with respect to such service provider data, including that the other service provider be treated as a service provider under this Act;</text></paragraph><paragraph id="H13783B75C41C46FE88A49715804AD3C4" commented="no"><enum>(5)</enum><text>shall, upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the compliance of the service provider with the requirements of this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the service provider and the covered entity, providing information necessary to enable the covered entity to conduct and document a privacy impact assessment required by subsection (d) or (e) of section 301, and making available the report required under section 207(c)(2);</text></paragraph><paragraph id="HB5EED8C560BC45779844A16F744070A0" commented="no"><enum>(6)</enum><text>shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the end of the provision of services, unless retention of the covered data is required by law;</text></paragraph><paragraph 
id="H019462C3FA2748D6AEC1488CEF967294" commented="no"><enum>(7)</enum><text>shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data the service provider processes consistent with section 208; and</text></paragraph><paragraph id="H4F5A843E23194F61AC7D433463E674D3" commented="no"><enum>(8)</enum><text>shall allow, and cooperate with, reasonable assessments by the covered entity or the covered entity’s designated assessor; alternatively, the service provider may arrange for a qualified and independent assessor to conduct an assessment of the service provider’s policies and technical and organizational measures in support of the obligations under this Act using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The service provider shall provide a report of such assessment to the covered entity upon request. </text></paragraph></subsection><subsection id="H096E4BB1E28644888D3913EA27D45607" commented="no"><enum>(b)</enum><header>Contracts Between Covered Entities and Service Providers</header><paragraph id="H6039B9E8F3074C82A211579D5F12976B" commented="no"><enum>(1)</enum><header>Requirements</header><text display-inline="yes-display-inline">A person or entity may only act as a service provider pursuant to a written contract between the covered entity and the service provider, or a written contract between one service provider and a second service provider as described under subsection (a)(4), if the contract—</text><subparagraph id="H685541EC91BE46D9934489B74EE3EE88" commented="no"><enum>(A)</enum><text>sets forth the data processing procedures of the service provider with respect to collection, processing, or transfer performed on behalf of the covered entity or service provider;</text></subparagraph><subparagraph id="H1D8BBBF120F6485CBD7EA14553385921" 
commented="no"><enum>(B)</enum><text>clearly sets forth—</text><clause id="H250E1AED256C4ED289D660917E36929F" commented="no"><enum>(i)</enum><text display-inline="yes-display-inline">instructions for collecting, processing, or transferring data;</text></clause><clause id="HC7CA74B3FD7D4A48B9A49E6890040EEB" commented="no"><enum>(ii)</enum><text>the nature and purpose of collecting, processing, or transferring;</text></clause><clause id="HEB70386A0F884881A4FE0CC74728B8E9" commented="no"><enum>(iii)</enum><text display-inline="yes-display-inline">the type of data subject to collecting, processing, or transferring;</text></clause><clause id="H98671404D4E943B88826C93261F3A7BE" commented="no"><enum>(iv)</enum><text>the duration of processing; and </text></clause><clause id="H33F45EABF3934A14B7034253FA4E853B" commented="no"><enum>(v)</enum><text display-inline="yes-display-inline">the rights and obligations of both parties, including a method by which the service provider shall notify the covered entity of material changes to its privacy practices; </text></clause></subparagraph><subparagraph id="H4CD15B0620314289B220F1A18C3FA780" commented="no"><enum>(C)</enum><text display-inline="yes-display-inline">does not relieve a covered entity or a service provider of any requirement or liability imposed on such covered entity or service provider under this Act; and</text></subparagraph><subparagraph id="HB2DC3C3C6D1E41C3B1E59AD75A582962" commented="no"><enum>(D)</enum><text display-inline="yes-display-inline">prohibits—</text><clause id="HCE534C36F092435DB0B79BAA1946AAEB" commented="no"><enum>(i)</enum><text>collecting, processing, or transferring covered data in contravention to subsection (a); and</text></clause><clause id="HD8EA251CB8BE434A97DD82F121E5ADC6" commented="no"><enum>(ii)</enum><text display-inline="yes-display-inline">combining service provider data with covered data which the service provider receives from or on behalf of another person or persons or collects 
from the interaction of the service provider with an individual, provided that such combining is not necessary to effectuate a purpose described in paragraphs (1) through (15) of section 101(b) and is otherwise permitted under the contract required by this subsection.</text></clause></subparagraph></paragraph><paragraph id="HEC6916ECC0D94300A5CC8FA1FA5EF94D" commented="no"><enum>(2)</enum><header>Contract terms</header><text>Each service provider shall retain copies of previous contracts entered into in compliance with this subsection with each covered entity to which it provides requested products or services.</text></paragraph></subsection><subsection id="H205352E2014C42049B1A2B9CA62956A0" commented="no"><enum>(c)</enum><header>Relationship Between Covered Entities and Service Providers</header><paragraph id="H31ED5A28FB0E47888FD5D61FED8EEFB1" commented="no"><enum>(1)</enum><text>Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of covered data is a fact-based determination that depends upon the context in which such data is processed.</text></paragraph><paragraph id="H05A7F64F459842068BC7756F91D3BF37" commented="no"><enum>(2)</enum><text display-inline="yes-display-inline">A person that is not limited in its processing of covered data pursuant to the instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific processing of covered data. A service provider that continues to adhere to the instructions of a covered entity with respect to a specific processing of covered data remains a service provider. 
If a service provider begins, alone or jointly with others, determining the purposes and means of the processing of covered data, it is a covered entity and not a service provider with respect to the processing of such data.</text></paragraph><paragraph id="H6A0B096DC36A4210BB3DBCA2B7EE9FA3" commented="no"><enum>(3)</enum><text display-inline="yes-display-inline">A covered entity that transfers covered data to a service provider or a service provider that transfers covered data to a covered entity or another service provider, in compliance with the requirements of this Act, is not liable for a violation of this Act by the service provider or covered entity to whom such covered data was transferred, if at the time of transferring such covered data, the covered entity or service provider did not have actual knowledge that the service provider or covered entity would violate this Act.</text></paragraph><paragraph id="HE4B6F26F2C9643D68F6EC2787F65ADB0" commented="no"><enum>(4)</enum><text>A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not in violation of this Act as a result of a violation by a covered entity or service provider from which such data was received. 
</text></paragraph></subsection><subsection id="HBD158187AF9948939E28B4750336D2F9" commented="no"><enum>(d)</enum><header>Third parties</header><text>A third party—</text><paragraph id="H92FC1E77410843788E5DEB7B3233D723" commented="no"><enum>(1)</enum><text display-inline="yes-display-inline">shall not process third party data for a processing purpose other than, in the case of sensitive covered data, the processing purpose for which the individual gave affirmative express consent or to effect a purpose enumerated in paragraph (1), (3), or (5) of section 101(b) and, in the case of non-sensitive data, the processing purpose for which the covered entity made a disclosure pursuant to section 202(b)(4); and </text></paragraph><paragraph id="HBEF76E8B1EA74B0DBC7C23F10F850381" commented="no"><enum>(2)</enum><text>for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third party data if the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible.</text></paragraph></subsection><subsection id="H46D519FD70984AC9A4629B807D141FAF" commented="no"><enum>(e)</enum><header>Additional obligations on covered entities</header><paragraph id="HBCD709C513704D55BA1D4B267F962B47" commented="no"><enum>(1)</enum><header>In general</header><text>A covered entity or service provider shall exercise reasonable due diligence in—</text><subparagraph id="H20065CCAE8C848DA8DA6B7381EC1F2DC" commented="no"><enum>(A)</enum><text>selecting a service provider; and</text></subparagraph><subparagraph id="H353E43F86EB74FC2974328FA69754BAF" commented="no"><enum>(B)</enum><text>deciding to transfer covered data to a third party.</text></subparagraph></paragraph><paragraph id="H41286BF041F543429F089AA0993B0465" commented="no"><enum>(2)</enum><header>Guidance</header><text display-inline="yes-display-inline">Not later than 2 years after the date of enactment of this 
Act, the Commission shall publish guidance regarding compliance with this subsection, taking into consideration the burdens on large data holders, covered entities who are not large data holders, and covered entities meeting the requirements of section 209.</text></paragraph></subsection><subsection id="HD20FCA2D31BD4B7A9E73765FEA431A34"><enum>(f)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Solely for the purposes of this section, the requirements for service providers to contract with, assist, and follow the instructions of covered entities shall be read to include requirements to contract with, assist, and follow the instructions of a government entity if the service provider is providing a service to a government entity.</text></subsection></section><section id="H14F56D5166754F41AB65EC2924175F74"><enum>303.</enum><header>Technical compliance programs</header><subsection id="HB301B0C373414E8B9D7BB96B9D040AB0"><enum>(a)</enum><header>In general</header><text>Not later than 3 years after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section used by a covered entity to collect, process, or transfer covered data.</text></subsection><subsection id="HAF77618023844EFF972F22E454ED3A92"><enum>(b)</enum><header>Scope of programs</header><text>The technical compliance programs established under this section shall, with respect to a technology, product, service, or method used by a covered entity to collect, process, or transfer covered data—</text><paragraph id="H352AF4C8094F40E8BABE6B276620FAC0"><enum>(1)</enum><text>establish publicly available guidelines for compliance with this Act; and</text></paragraph><paragraph id="H1DB1BFAC0EC24D41AB159CD09C5AA532"><enum>(2)</enum><text>meet or exceed the requirements of this 
Act.</text></paragraph></subsection><subsection id="H878F49CB02B143D5A7F6E74FD3DEA83B"><enum>(c)</enum><header>Approval process</header><paragraph id="H204C5D06E7AD4FCE957EE9E9523C2911"><enum>(1)</enum><header>In general</header><text>Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by any person, including a covered entity, a representative of a covered entity, an association of covered entities, or a public interest group or organization. Within 90 days after the request is made, the Commission shall publish the request and provide an opportunity for public comment on the proposal.</text></paragraph><paragraph id="HE43FD0616D984FA2A3357CD5A15935B2" commented="no"><enum>(2)</enum><header>Expedited response to requests</header><text>Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a request for the proposal and approval of a technical compliance program not later than 1 year after the filing of the request, and shall set forth publicly in writing the conclusions of the Commission with regard to such request.</text></paragraph></subsection><subsection id="HE01692DA11674BF09B498D403EC45549"><enum>(d)</enum><header>Right to Appeal</header><text>Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program, or the failure to act within the 1-year period after a request for approval, amendment, or repeal of a technical compliance program is made under subsection (c), may be appealed to a Federal district court of the United States of appropriate jurisdiction as provided for in section 702 of title 5, United States Code.</text></subsection><subsection id="HF0C84F73D0234023850033CAC82D56AE"><enum>(e)</enum><header>Effect on enforcement</header><paragraph id="H0212F578BC314752BF71CA9ED2FEAF9F"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Prior to commencing an investigation or 
enforcement action against any covered entity under this Act, the Commission and State attorney general shall consider the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program. If such enforcement action described in section 403 is brought, the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program shall be taken into consideration when determining liability or a penalty. The covered entity’s history of compliance with any technical compliance program shall not affect any burden of proof or the weight given to evidence in an enforcement or judicial proceeding.</text></paragraph><paragraph id="HA5053502FDC14BE88C1C91EEB1099751"><enum>(2)</enum><header>Commission authority</header><text>Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to commence an investigation or enforcement action against any covered entity under this Act or any other Act.</text></paragraph><paragraph id="H067A03995E06446CB7B64C1734867964"><enum>(3)</enum><header>Rule of construction</header><text>Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek discovery of any non-public Commission deliberation or activity or impose any pleading requirement on the Commission if the Commission brings an enforcement action of any kind.</text></paragraph></subsection></section><section id="HE9E6AA642C6244799CC43090C636079C"><enum>304.</enum><header>Commission approved compliance guidelines</header><subsection id="H53083208025A4F47AB78D35DBC7DD93E"><enum>(a)</enum><header>Application for compliance guideline Approval</header><paragraph id="H50F3BFA7B77E47B3B339E479F6AA3788"><enum>(1)</enum><header>In 
general</header><text>A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a group of such covered entities, may apply to the Commission for approval of 1 or more sets of compliance guidelines governing the collection, processing, and transfer of covered data by the covered entity or group of covered entities.</text></paragraph><paragraph id="HE51A23FA50984DF6B893AC3ECA50A871"><enum>(2)</enum><header>Application requirements</header><text>Such application shall include—</text><subparagraph id="H6F2F2EF437EB4B85882CB6112FE64115"><enum>(A)</enum><text>a description of how the proposed guidelines will meet or exceed the requirements of this Act;</text></subparagraph><subparagraph id="H139D4D20AB374C2D84A1C6B18F8B1BB0"><enum>(B)</enum><text>a description of the entities or activities the proposed set of compliance guidelines is designed to cover;</text></subparagraph><subparagraph id="HB70FFFB9026B4BCEAB22B17394A8505C"><enum>(C)</enum><text>a list of the covered entities that meet the requirements of section 209 and are not third-party collecting entities, if any are known at the time of application, that intend to adhere to the compliance guidelines; and</text></subparagraph><subparagraph id="H25E58FFFD22F4A639782383EB574EF4D"><enum>(D)</enum><text>a description of how such covered entities will be independently assessed for adherence to such compliance guidelines, including the independent organization not associated with any of the covered entities that may participate in guidelines that will administer such guidelines.</text></subparagraph></paragraph><paragraph id="H337C8E34FBC54DA9BD412612AC6E7909"><enum>(3)</enum><header>Commission review</header><subparagraph id="H1D71D91C9BD345619FB12FCE934FA7DD"><enum>(A)</enum><header>Initial approval</header><clause id="H5D953987D5C249A7BC06B08E715D39A9"><enum>(i)</enum><header>Public comment period</header><text display-inline="yes-display-inline">Within 90 days after 
the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish the application and provide an opportunity for public comment on such compliance guidelines.</text></clause><clause id="HDE3CA418AB47424BB13D82177F184125"><enum>(ii)</enum><header>Approval</header><text>The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—</text><subclause id="H747C90E6512349A48B04BC9142F10271"><enum>(I)</enum><text>meet or exceed requirements of this Act;</text></subclause><subclause id="H9EC14BE9167D4042B276AE8AD061247B"><enum>(II)</enum><text>provide for the regular review and validation by an independent organization not associated with any of the covered entities that may participate in the guidelines and that is approved by the Commission to conduct such reviews of the compliance guidelines of the covered entity or entities to ensure that the covered entity or entities continue to meet or exceed the requirements of this Act; and</text></subclause><subclause id="HE34AB17CA44D4ADDBE3652F0B8A0D895"><enum>(III)</enum><text>include a means of enforcement if a covered entity does not meet or exceed the requirements in the guidelines, which may include referral to the Commission for enforcement consistent with section 401 or referral to the appropriate State attorney general for enforcement consistent with section 402.</text></subclause></clause><clause id="H2DA2C4C7AE5F474186FE09306BEC811F"><enum>(iii)</enum><header>Timeline</header><text>Within 1 year after receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving or denying the application and providing its reasons for approving or denying such application.</text></clause></subparagraph><subparagraph id="H3407F408A9754110B2D0BD6A29616FC6"><enum>(B)</enum><header>Approval of modifications</header><clause 
id="H533B777E80E14E9AAEFA1A6135AABD17"><enum>(i)</enum><header>In general</header><text>If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission, the independent organization shall submit the updated guidelines to the Commission for approval. As soon as feasible, the Commission shall publish the updated guidelines and provide an opportunity for public comment.</text></clause><clause id="HAAA785126C044EEDBE270EBCC7C7AF4B"><enum>(ii)</enum><header>Timeline</header><text>The Commission shall approve or deny any material change to the guidelines within 1 year after receipt of the submission for approval.</text></clause></subparagraph></paragraph></subsection><subsection id="H29C0395AC5C1469480E1EB0EB57F9FC4"><enum>(b)</enum><header>Withdrawal of Approval</header><text display-inline="yes-display-inline">If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of this Act or a regulation promulgated under this Act or that compliance with the approved guidelines is insufficiently enforced by the independent organization administering the guidelines, the Commission shall notify the covered entities or group of such entities and the independent organization of the determination of the Commission to withdraw approval of such guidelines and the basis for doing so. Within 180 days after receipt of such notice, the covered entity or group of such entities and the independent organization may cure any alleged deficiency with the guidelines or the enforcement of such guidelines and submit each proposed cure to the Commission. 
If the Commission determines that such cures eliminate the alleged deficiency in the guidelines, then the Commission may not withdraw approval of such guidelines on the basis of such determination.</text></subsection><subsection id="H1FA69041D2D14A55ADDED72F71CC6364"><enum>(c)</enum><header>Deemed compliance</header><text display-inline="yes-display-inline">A covered entity that is eligible to participate under subsection (a)(1) and participates in guidelines approved under this section shall be deemed in compliance with the relevant provisions of this Act if such covered entity is in compliance with such guidelines.</text></subsection></section><section id="H6BEF1017EC454F41AB98870BD2E40401"><enum>305.</enum><header>Digital content forgeries</header><subsection id="H2C36910BCD4849BEB6689BDA0793689B"><enum>(a)</enum><header>Reports</header><text>Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce or the Secretary’s designee shall publish a report regarding digital content forgeries.</text></subsection><subsection id="HF3E6DAD2650F4A70AADD2983E573AE65"><enum>(b)</enum><header>Requirements</header><text>Each report under subsection (a) shall include the following:</text><paragraph id="H887F27CFFB9D4E87A4DD6FFA4867DF1E"><enum>(1)</enum><text>A definition of digital content forgeries along with accompanying explanatory materials.</text></paragraph><paragraph id="H20AF7906643F4F069B17FD2FD80834B7"><enum>(2)</enum><text>A description of the common sources of digital content forgeries in the United States and commercial sources of digital content forgery technologies.</text></paragraph><paragraph id="HB94E9FDD4AE740FF8351D74217D940E2"><enum>(3)</enum><text>An assessment of the uses, applications, and harms of digital content forgeries.</text></paragraph><paragraph id="H1DDD21A4D7BE4C6FB21A15045578B83B"><enum>(4)</enum><text>An analysis of the methods and standards available to identify digital content forgeries 
as well as a description of the commercial technological counter-measures that are, or could be, used to address concerns with digital content forgeries, which may include the provision of warnings to viewers of suspect content.</text></paragraph><paragraph id="H965381B00F864D8780925C4A7B6FCCB9"><enum>(5)</enum><text>A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any provision of law.</text></paragraph><paragraph id="HA86EC539DFA74889A9C65AB0CC4A3E5D"><enum>(6)</enum><text>Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.</text></paragraph></subsection></section></title><title id="H67D3B1AB6E2B48059724281F018B8A1C"><enum>IV</enum><header>Enforcement, Applicability, and Miscellaneous</header><section id="HDBCB15A93DBA439F9F8B63258619198F"><enum>401.</enum><header>Enforcement by the Federal Trade Commission</header><subsection id="HBDEA382E08394760AD1AF1A8A11CC83F"><enum>(a)</enum><header>Bureau of Privacy</header><paragraph id="H986359F54B8247EA993FEDF12761F170"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">The Commission shall establish within the Commission a new bureau to be known as the <quote>Bureau of Privacy</quote>, which shall be of similar structure, size, organization, and authority as the existing bureaus within the Commission related to consumer protection and competition.</text></paragraph><paragraph id="HB34F8151797240BFA368498D3F53EC12"><enum>(2)</enum><header>Mission</header><text>The mission of the Bureau established under paragraph (1) shall be to assist the Commission in carrying out the duties of the Commission under this Act and related duties under other provisions of law.</text></paragraph><paragraph id="HFB6CFFC1AD5B4570987BFDFDF6293E53"><enum>(3)</enum><header>Timeline</header><text>The Bureau required to be established under paragraph (1) shall be established, staffed, and fully 
operational not later than 1 year after the date of enactment of this Act.</text></paragraph></subsection><subsection id="H6477FAA843DA4B7184A9BFD2E6213D49"><enum>(b)</enum><header>Office of Business Mentorship</header><text>The Director of the Bureau established under subsection (a)(1) shall establish within the Bureau an office to be known as the <quote>Office of Business Mentorship</quote> to provide guidance and education to covered entities and service providers regarding compliance with this Act. Covered entities or service providers may request advice from the Commission or the Office with respect to a course of action that the covered entity or service provider proposes to pursue and that may relate to the requirements of this Act.</text></subsection><subsection id="H5EB5C5BE66AD4881B305E854D95AA2CC"><enum>(c)</enum><header>Enforcement by the Federal Trade Commission</header><paragraph id="H5B23230AF4A94E84A65C771278FC9048"><enum>(1)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph><paragraph id="H57B1C1B2F8694D3E89427B77A6FCCA02"><enum>(2)</enum><header>Powers of the commission</header><subparagraph id="H149E99FDF4E6409BB43F9A9C86D37744"><enum>(A)</enum><header>In general</header><text>Except as provided in paragraphs (3), (4), and (5), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 
41 et seq.</external-xref>) were incorporated into and made a part of this Act.</text></subparagraph><subparagraph id="H6FDF6796AF7F43E2A44022EA5E503C83" commented="no"><enum>(B)</enum><header>Privileges and immunities</header><text>Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text></subparagraph></paragraph><paragraph id="H0D961534F579449A83DE006AA0FDC6F1"><enum>(3)</enum><header>Limiting certain actions unrelated to this act</header><text>If the Commission brings a civil action alleging that an act or practice violates this Act or a regulation promulgated under this Act, the Commission may not seek a cease and desist order against the same defendant under section 5(b) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(b)</external-xref>) to stop that same act or practice on the grounds that such act or practice constitutes an unfair or deceptive act or practice.</text></paragraph><paragraph id="HD541379B076747C5B18024D74F16F6FA"><enum>(4)</enum><header>Common carriers and nonprofit organizations</header><text>Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall enforce this Act and the regulations promulgated under this Act, in the same manner provided in paragraphs (1), (2), (3), and (5), with respect to common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 
151 et seq.</external-xref>) and all Acts amendatory thereof and supplementary thereto and organizations not organized to carry on business for their own profit or that of their members.</text></paragraph><paragraph id="HC51A33A0F2164F22839398450210479A"><enum>(5)</enum><header>Privacy and security victims relief fund</header><subparagraph id="HCEFE5FFA92084FDFA78383C42B6D5B74"><enum>(A)</enum><header>Establishment</header><text>There is established in the Treasury of the United States a separate fund to be known as the <quote>Privacy and Security Victims Relief Fund</quote> (in this paragraph referred to as the <quote>Victims Relief Fund</quote>).</text></subparagraph><subparagraph id="H55E8B54B4BF64C56B606B192CB08E41C"><enum>(B)</enum><header>Deposits</header><text display-inline="yes-display-inline">Notwithstanding section 3302 of title 31, United States Code, in any judicial or administrative action to enforce this Act or a regulation promulgated under this Act, the amount of any civil penalty obtained against a covered entity or service provider, or any other monetary relief ordered to be paid by a covered entity or service provider to provide redress, payment, compensation, or other relief to individuals that cannot be located or the payment of which would otherwise not be practicable, shall be deposited into the Victims Relief Fund.</text></subparagraph><subparagraph id="H65463034A71A4091A7ADB1E22A1F0566"><enum>(C)</enum><header>Use of funds</header><clause id="H25D1169CF8E041BFA89868615EAB0E5A"><enum>(i)</enum><header>Use by commission</header><text>Amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payment, compensation, or other monetary relief to individuals affected by an act or practice for which relief has been obtained under this Act.</text></clause><clause id="HD1EF161A5D51499F9FD65DF134E91192"><enum>(ii)</enum><header>Other permissible uses</header><text>To the extent that the 
individuals described in clause (i) cannot be located or such redress, payments, compensation, or other monetary relief are otherwise not practicable, the Commission may use such funds for the purpose of—</text><subclause id="H310DC86B6B6A48D78D67C06EE9A1A6DE"><enum>(I)</enum><text>funding the activities of the Office of Business Mentorship established under subsection (b); or</text></subclause><subclause id="H0617C018C5754B588A1FB7D680B1C401"><enum>(II)</enum><text>engaging in technological research that the Commission considers necessary to enforce or administer this Act.</text></subclause></clause></subparagraph></paragraph></subsection></section><section id="H401445A1EE9745D7B69A8CB34C7D1708"><enum>402.</enum><header>Enforcement by States</header><subsection id="H3E36A13A4293411D888E76380F331A6F"><enum>(a)</enum><header>Civil action</header><text>In any case in which the attorney general or State Privacy Authority of a State has reason to believe that an interest of the residents of that State has been, may be, or is adversely affected by a violation of this Act or a regulation promulgated under this Act by a covered entity or service provider, the attorney general or State Privacy Authority may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State. 
Any such action shall be brought exclusively in an appropriate Federal district court of the United States to—</text><paragraph id="HC7E8B7ACBE1C4039B6C98288964E7A39"><enum>(1)</enum><text>enjoin such act or practice;</text></paragraph><paragraph id="H3D8C2279F0A24AE89FE2FB0A09E66222"><enum>(2)</enum><text>enforce compliance with this Act or such regulation;</text></paragraph><paragraph id="H634F5847BEA6422E8EEE326D720C34B5"><enum>(3)</enum><text>obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of such State; or</text></paragraph><paragraph id="H98F203EECD52404B9E232D6BD2201575"><enum>(4)</enum><text>obtain reasonable attorneys’ fees and other litigation costs reasonably incurred.</text></paragraph></subsection><subsection id="H7F488E77FF0B4F51A32DAA40EC5325DB"><enum>(b)</enum><header>Rights of the Commission</header><paragraph id="H6161B0AC95A64454BC66ADA96F6E944B"><enum>(1)</enum><header>In general</header><text>Except as provided in paragraph (2), the attorney general or State Privacy Authority of a State shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notification shall include a copy of the complaint to be filed to initiate such action. 
Upon receiving such notification, the Commission may intervene in such action as a matter of right pursuant to the Federal Rules of Civil Procedure.</text></paragraph><paragraph id="HB25BFD56895B41A795E8A8F545991E6B"><enum>(2)</enum><header>Feasibility</header><text>If the notification required by paragraph (1) is not feasible, the attorney general or State Privacy Authority shall notify the Commission immediately after initiating the civil action.</text></paragraph></subsection><subsection id="HDE2EF8A1CA204FCBBF61ED3F0E37BD63" commented="no"><enum>(c)</enum><header>Actions by the Commission</header><text>In any case in which a civil action is instituted by or on behalf of the Commission for violation of this Act or a regulation promulgated under this Act, no attorney general or State Privacy Authority of a State may, during the pendency of such action, institute a civil action against any defendant named in the complaint in the action instituted by or on behalf of the Commission for a violation of this Act or a regulation promulgated under this Act that is alleged in such complaint, if such complaint alleges such violation affected the residents of such State or individuals nationwide. 
If the Commission brings a civil action against a covered entity or service provider for a violation of this Act or a regulation promulgated under this Act that affects the interests of the residents of a State, the attorney general or State Privacy Authority of such State may intervene in such action as a matter of right pursuant to the Federal Rules of Civil Procedure.</text></subsection><subsection id="H2153357308C346F59083B0D32531E39D"><enum>(d)</enum><header>Rule of construction</header><text>Nothing in this section may be construed to prevent the attorney general or State Privacy Authority of a State from exercising the powers conferred on the attorney general or State Privacy Authority to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.</text></subsection><subsection id="HBCC979AEEE6942E0976C649B9E030153"><enum>(e)</enum><header>Preservation of state powers</header><text>Except as provided in subsection (c), nothing in this section may be construed as altering, limiting, or affecting the authority of the attorney general or State Privacy Authority of a State to—</text><paragraph id="HF3464996320248C3973018528AAED1DC"><enum>(1)</enum><text display-inline="yes-display-inline">bring an action or other regulatory proceeding arising solely under the law in effect in the State that is preempted by this Act or under another applicable Federal law; or</text></paragraph><paragraph id="H4E0CC963175F411FB29398ECC4899F74"><enum>(2)</enum><text>exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the ability to conduct investigations, administer oaths or affirmations, or compel the attendance of witnesses or the production of documentary or other evidence.</text></paragraph></subsection></section><section id="H862667E090604F50A3698B3D94E6BC82"><enum>403.</enum><header>Enforcement by 
persons</header><subsection id="H0129FC9836034118B387CA698D5EE7AE"><enum>(a)</enum><header>Enforcement by persons</header><paragraph id="H4B832BA807EB46C5B8096F32052C6F79"><enum>(1)</enum><header>In general</header><text>Beginning on the date that is 2 years after the date on which this Act takes effect, any person or class of persons for a violation of this Act or a regulation promulgated under this Act by a covered entity or service provider may bring a civil action against such entity in any Federal court of competent jurisdiction.</text></paragraph><paragraph id="HB09B84FE8FF44444AC93180A36217B30"><enum>(2)</enum><header>Relief</header><text>In a civil action brought under paragraph (1) in which a plaintiff prevails, the court may award the plaintiff—</text><subparagraph id="HDA4AFC46FA964161B874D6548511129C"><enum>(A)</enum><text display-inline="yes-display-inline">an amount equal to the sum of any compensatory damages;</text></subparagraph><subparagraph id="HF7C34FA106444E5C8410B9211709B56F"><enum>(B)</enum><text>injunctive relief;</text></subparagraph><subparagraph id="HC3A7B121ED5E46A99E54BEC49714500E"><enum>(C)</enum><text>declaratory relief; and</text></subparagraph><subparagraph id="H07FA2356BCA340C78913CA79A510B810"><enum>(D)</enum><text>reasonable attorney’s fees and litigation costs.</text></subparagraph></paragraph><paragraph id="H7B0ED85B879A4322862914D7EFA96463"><enum>(3)</enum><header>Rights of the Commission and State attorneys general</header><subparagraph id="H67B19B84443944EEAEAB443A44212739"><enum>(A)</enum><header>In general</header><text>Prior to a person bringing a civil action under paragraph (1), such person shall notify the Commission and the attorney general of the State where such person resides in writing that such person intends to bring a civil action under such paragraph. 
Upon receiving such notice, the Commission and State attorney general shall each or jointly make a determination and respond to such person not later than 60 days after receiving such notice, as to whether they will intervene in such action pursuant to the Federal Rules of Civil Procedure. If a state attorney general does intervene, they shall only be heard with respect to the interests of the residents of their State</text></subparagraph><subparagraph id="HC30B25D23BC942FDA5D5D6745414A2AD"><enum>(B)</enum><header>Retained authority</header><text display-inline="yes-display-inline">Subparagraph (A) may not be construed to limit the authority of the Commission or any applicable State attorney general or State Privacy Authority to later commence a proceeding or civil action or intervene by motion if the Commission or State attorney general or State Privacy Authority does not commence a proceeding or civil action within the 60-day period.</text></subparagraph><subparagraph id="H011AFE2DFF3E404EAF8379BEC6440216"><enum>(C)</enum><header>Bad faith</header><text display-inline="yes-display-inline">Any written communication from counsel for an aggrieved party to a covered entity or service provider requesting a monetary payment from that covered entity or service provider regarding a specific claim described in a letter sent pursuant to subsection (d), not including filings in court proceedings, arbitrations, mediations, judgment collection processes, or other communications related to previously initiated litigation or arbitrations, shall be considered to have been sent in bad faith and shall be unlawful as defined in this Act, if the written communication was sent prior to the date that is 60 days after either a State attorney general or the Commission has received the notice required under subparagraph (A).</text></subparagraph></paragraph><paragraph id="H290F8813200B4C9BB945D68BBB5C49FC"><enum>(4)</enum><header>FTC study</header><text 
display-inline="yes-display-inline">Beginning on the date that is 5 years after the date of enactment of this Act and every 5 years thereafter, the Commission’s Bureau of Economics and Bureau of Privacy shall assist the Commission in conducting a study to determine the economic impacts in the United States of demand letters sent pursuant to this section and the scope of the rights of a person under this section to bring forth civil actions against covered entities and service providers. Such study shall include the following:</text><subparagraph id="H196786EF2B9941FE83140D280C544369"><enum>(A)</enum><text>The impact on insurance rates in the United States.</text></subparagraph><subparagraph id="H396B3AD75FCA4311B8431612A3946C10"><enum>(B)</enum><text>The impact on the ability of covered entities to offer new products or services.</text></subparagraph><subparagraph id="HCE426546C699434B811CC484F698EFE0"><enum>(C)</enum><text>The impact on the creation and growth of new startup companies, including new technology companies.</text></subparagraph><subparagraph id="HA96275CE58BB47CFA5C050236B5B3573"><enum>(D)</enum><text>Any emerging risks, benefits, and long-term trends in relevant marketplaces, supply chains, and labor availability.</text></subparagraph><subparagraph id="HF19E4833FF504569B8AFE7B38078D365"><enum>(E)</enum><text display-inline="yes-display-inline">The impact on reducing, preventing, or remediating harms to individuals, including from fraud, identity theft, spam, discrimination, defective products, and violations of rights.</text></subparagraph><subparagraph id="H052083A7F0BC4DDA8B620BAF4760E653"><enum>(F)</enum><text>The impact on the volume and severity of data security incidents, and the ability to respond to data security incidents.</text></subparagraph><subparagraph id="H767E1997CD514BCE8781EDEF4D9DF6D4"><enum>(G)</enum><text>Other intangible direct and indirect costs and benefits to individuals.</text></subparagraph></paragraph><paragraph 
id="H7A4F806B35D04415B39676BC58FA909D"><enum>(5)</enum><header>Report to Congress</header><text>Not later than 5 years after the first day on which persons and classes of persons are able to bring civil actions under this subsection, and annually thereafter, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report that contains the results of the study conducted under paragraph (4).</text></paragraph></subsection><subsection id="HAE55533FF53341BAABD8C9B7A00BF7BB" commented="no"><enum>(b)</enum><header>Arbitration agreements and pre-dispute joint action waivers</header><paragraph id="H8A489CA584D9460295F72010872B5A23" commented="no"><enum>(1)</enum><header>Pre-dispute arbitration agreements</header><subparagraph id="H79B5FE4E99B948138F0F10A4D0A53DC5"><enum>(A)</enum><text display-inline="yes-display-inline">Notwithstanding any other provision of law, no pre-dispute arbitration agreement with respect to an individual under the age of 18 is enforceable with regard to a dispute arising under this Act.</text></subparagraph><subparagraph id="H58BEBAC784A643AC9585BAAC3208DAF6"><enum>(B)</enum><text display-inline="yes-display-inline">Notwithstanding any other provision of law, no pre-dispute arbitration agreement is enforceable with regard to a dispute arising under this Act concerning a claim related to gender or partner-based violence or physical harm.</text></subparagraph></paragraph><paragraph id="HC9D4F90EF02A46888E85C6D44C0D40A5" commented="no"><enum>(2)</enum><header>Pre-dispute joint-action waivers</header><text display-inline="yes-display-inline">Notwithstanding any other provision of law, no pre-dispute joint-action waiver with respect to an individual under the age of 18 is enforceable with regard to a dispute arising under this Act.</text></paragraph><paragraph id="HA3EDD810A3DF4F4D92346EE134883A8F" 
commented="no"><enum>(3)</enum><header>Definitions</header><text>For purposes of this subsection:</text><subparagraph commented="no" id="H80F9982A954A4D4A8ECEAA82E39E8389"><enum>(A)</enum><header>Pre-dispute arbitration agreement</header><text>The term <term>pre-dispute arbitration agreement</term> means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement.</text></subparagraph><subparagraph commented="no" id="H28103F33FD06484794ECAC44ACB7FBF1"><enum>(B)</enum><header>Pre-dispute joint-action waiver</header><text>The term <term>pre-dispute joint-action waiver</term> means an agreement, whether or not part of a pre-dispute arbitration agreement, that would prohibit or waive the right of 1 of the parties to the agreement to participate in a joint, class, or collective action in a judicial, arbitral, administrative, or other related forum, concerning a dispute that has not yet arisen at the time of the making of the agreement.</text></subparagraph></paragraph></subsection><subsection commented="no" id="H767738BFC3E74611B8580FADD250C3E4"><enum>(c)</enum><header>Right to cure</header><paragraph id="H23B3B8825EFD424F80F120FFB07D8FD4" commented="no"><enum>(1)</enum><header>Notice</header><text>Subject to paragraph (3), with respect to a claim under this section for—</text><subparagraph id="H1D8A3F337CBC438C9F0EBEEE692CB1A9" commented="no"><enum>(A)</enum><text>injunctive relief; or</text></subparagraph><subparagraph id="HC59FBF05C48448979770B309D0E4AA9B" commented="no"><enum>(B)</enum><text>an action against a covered entity or service provider that meets the requirements of section 209 of this Act, such claim may be brought by a person or class of persons if—prior to asserting such claim—the person or class of persons provides to the covered entity or service provider 45 days’ written notice identifying the specific provisions of this Act the person or class of persons alleges have been or are being 
violated.</text></subparagraph></paragraph><paragraph id="H2570C9E0AE9D4C2AA88ADE650487FB06" commented="no"><enum>(2)</enum><header>Effect of cure</header><text>Subject to paragraph (3), in the event a cure is possible, if within the 45 days the covered entity or service provider demonstrates to the court that it has cured the noticed violation or violations and provides the person or class of persons an express written statement that the violation or violations has been cured and that no further violations shall occur, a claim for injunctive relief shall not be permitted and may be reasonably dismissed.</text></paragraph><paragraph id="HCBA12055C6254366B78904D41FCC810C" commented="no"><enum>(3)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">The notice described in paragraph (1) and the reasonable dismissal in paragraph (2) shall not apply more than once to any alleged underlying violation by the same covered entity.</text></paragraph></subsection><subsection id="H97D7BFBABF304D4AB2E3B27D487AD3B6"><enum>(d)</enum><header>Demand letter</header><text display-inline="yes-display-inline">If a person or identified members of a class of persons represented by counsel in regard to an alleged violation or violations of the Act and has correspondence sent to a covered entity or service provider by counsel alleging a violation or violations of the provisions of this Act and requests a monetary payment, such correspondence shall include the following language: <quote>Please visit the website of the Federal Trade Commission for a general description of your rights under the American Data Privacy and Protection Act</quote> followed by a hyperlink to the webpage of the Commission required under section 201. 
If such correspondence does not include such language and hyperlink, a civil action brought under this section by such person or identified members of the class of persons represented by counsel may be dismissed without prejudice and shall not be reinstated until such person or persons has complied with this subsection.</text></subsection><subsection id="HD21552219ED34956A25FD614480FE6DA"><enum>(e)</enum><header>Applicability</header><paragraph id="HC74961A01F40470395E3759219F61454"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">This section shall only apply to a claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b), 206(b)(3)(C), 207(a), 208(a), or 302, or a regulation promulgated under any such section.</text></paragraph><paragraph id="H98B1AC30782447F3BF325B14179F2E2F"><enum>(2)</enum><header>Exception</header><text display-inline="yes-display-inline">This section shall not apply to any claim against a covered entity that has less than $25,000,000 per year in revenue, collects, processes, or transfers the covered data of fewer than 50,000 individuals, and derives less than 50 percent of its revenue from transferring covered data.</text></paragraph></subsection></section><section id="HB512E26C49274B20A17C81D17DE0892E"><enum>404.</enum><header>Relationship to Federal and State laws</header><subsection id="H1609ED48A95A406C9B01C0EC60A02F37"><enum>(a)</enum><header>Federal law preservation</header><paragraph id="H8717D478D6E143A98C044D22F0974407"><enum>(1)</enum><header>In general</header><text>Nothing in this Act or a regulation promulgated under this Act may be construed to limit—</text><subparagraph id="HC7F18DDDF22B4A8DACFE729F1F9192F7"><enum>(A)</enum><text>the authority of the Commission, or any other Executive agency, under any other provision of law;</text></subparagraph><subparagraph id="HD99DB7E4E675462F8E167C1F099C2352" commented="no"><enum>(B)</enum><text>any requirement for a common carrier 
subject to section 64.2011 of title 47, Code of Federal Regulations (or any successor regulation) regarding information security breaches; or</text></subparagraph><subparagraph id="H9F02DF3835F74AB4A676FD67B0EB52C3"><enum>(C)</enum><text>any other provision of Federal law, except as otherwise provided in this Act.</text></subparagraph></paragraph><paragraph id="HA2D2BE65F7B14BCAB4531D5AA0AA4977"><enum>(2)</enum><header>Antitrust savings clause</header><subparagraph id="H124B2B5FAD1A43D584920427A1649676"><enum>(A)</enum><header>Full application of the antitrust law</header><text>Nothing in this Act may be construed to modify, impair or supersede the operation of the antitrust law or any other provision of law.</text></subparagraph><subparagraph id="H7672683618E54F8389999A5FFC91672F"><enum>(B)</enum><header>No immunity from the antitrust law</header><text>Nothing in the regulatory regime adopted by this Act shall be construed as operating to limit any law deterring anticompetitive conduct or diminishing the need for full application of the antitrust law. Nothing in this Act explicitly or implicitly precludes the application of the antitrust law.</text></subparagraph><subparagraph id="H00A47B6FE61148CA9C9F8B29C5C554CC"><enum>(C)</enum><header>Definition of antitrust law</header><text>For purposes of this section, the term antitrust law has the same meaning as in subsection (a) of the first section of the Clayton Act (<external-xref legal-doc="usc" parsable-cite="usc/15/12">15 U.S.C. 12</external-xref>), except that such term includes section 5 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 
45</external-xref>) to the extent that such section 5 applies to unfair methods of competition.</text></subparagraph></paragraph><paragraph id="HDE157970BFE34AE9929D8F60036DF8C4"><enum>(3)</enum><header>Applicability of other privacy requirements</header><text display-inline="yes-display-inline">A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>), the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931 et seq.</external-xref>), part C of title XI of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d et seq.</external-xref>), the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681 et seq.</external-xref>), the Family Educational Rights and Privacy Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>; part 99 of title 34, Code of Federal Regulations) to the extent such covered entity is a school as defined in <external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g(a)(3)</external-xref> or 34 C.F.R. 99.1(a), section 444 of the General Education Provisions Act (commonly known as the <quote>Family Educational Rights and Privacy Act of 1974</quote>) (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>) and part 99 of title 34, Code of Federal Regulations (or any successor regulation), the Confidentiality of Alcohol and Drug Abuse Patient Records at 42 U.S.C. 
290dd-2 and its implementing regulations at 42 CFR part 2, the Genetic Information Non-discrimination Act (GINA), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this Act, except for section 208, solely and exclusively with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.</text></paragraph><paragraph id="H93CECF37D73343EBA4C5DC071AAB226C"><enum>(4)</enum><header>Applicability of other data security requirements</header><text display-inline="yes-display-inline">A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>), the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931 et seq.</external-xref>), part C of title XI of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d et seq.</external-xref>), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 
1320d–2</external-xref> note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208, solely and exclusively with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.</text></paragraph></subsection><subsection id="HA1A0DDCAB1164C978947807C1C4239EB"><enum>(b)</enum><header>Preemption of State laws</header><paragraph id="H3C8DDC79E82B43878E633AE4A7BE4650"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">No State or political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act. 
</text></paragraph><paragraph id="HD76428846C3B46EE83E99252FDC22BC2"><enum>(2)</enum><header>State law preservation</header><text>Paragraph (1) may not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:</text><subparagraph id="H9D5122E773954B058356AF4C755CA4FC"><enum>(A)</enum><text display-inline="yes-display-inline">Consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices, except that the fact of a violation of this Act or a regulation promulgated under this Act may not be pleaded as an element of any violation of such a law.</text></subparagraph><subparagraph id="HA6EAF094BEE4412CBED2E83AA3EA50EA"><enum>(B)</enum><text display-inline="yes-display-inline">Civil rights laws.</text></subparagraph><subparagraph id="HCE281B26AF3A4CF2829871D6640F37BC"><enum>(C)</enum><text>Provisions of laws, in so far as, that govern the privacy rights or other protections of employees, employee information, students, or student information.</text></subparagraph><subparagraph id="H6E22B5C8E1014A2A9680EFF8401A61D6"><enum>(D)</enum><text>Laws that address notification requirements in the event of a data breach.</text></subparagraph><subparagraph id="H7EFD3EC2DCE74D109B761BD68A08B1E7"><enum>(E)</enum><text>Contract or tort law.</text></subparagraph><subparagraph id="H532FE0BC47A04CF08706A1378EDA78AD"><enum>(F)</enum><text>Criminal laws.</text></subparagraph><subparagraph id="HC6A41DB0313941F69EAB850340188B0E"><enum>(G)</enum><text>Civil laws governing fraud, theft (including identity theft), unauthorized access to information or electronic devices, unauthorized use of information, malicious behavior, or similar provisions of law.</text></subparagraph><subparagraph id="H19B9CAD0111F4D989B35005E078F9F0B"><enum>(H)</enum><text>Civil laws regarding cyberstalking, cyberbullying, nonconsensual pornography, sexual harassment, child abuse material, child pornography, child 
abduction or attempted child abduction, coercion or enticement of a child for sexual activity, or child sex trafficking.</text></subparagraph><subparagraph id="H1E3137C04E4541AA8E0CA9C6548C123E"><enum>(I)</enum><text>Public safety or sector specific laws unrelated to privacy or security.</text></subparagraph><subparagraph id="H28C59D3919E34BEC9134DB7CD52600F8"><enum>(J)</enum><text>Provisions of law, insofar as such provisions address public records, criminal justice information systems, arrest records, mug shots, conviction records, or non-conviction records.</text></subparagraph><subparagraph id="H356744528A7E429383319F0503B082FD"><enum>(K)</enum><text>Provisions of law, insofar as such provisions address banking records, financial records, tax records, Social Security numbers, credit cards, consumer and credit reporting and investigations, credit repair, credit clinics, or check-cashing services.</text></subparagraph><subparagraph id="H1B008B6BBBD14161B907F1A8018A9E51"><enum>(L)</enum><text>Provisions of law, insofar as such provisions address facial recognition or facial recognition technologies, electronic surveillance, wiretapping, or telephone monitoring.</text></subparagraph><subparagraph id="H4860C931D2A44C2D9B8E8A1501D415B3"><enum>(M)</enum><text>The Biometric Information Privacy Act (740 ILCS 14 et seq.) 
 and the Genetic Information Privacy Act (410 ILCS 513 et seq.).</text></subparagraph><subparagraph id="H71BF1203541545EFA18FCF64E37D9E5E"><enum>(N)</enum><text display-inline="yes-display-inline">Provisions of laws, in so far as such provisions address unsolicited email or text messages, telephone solicitation, or caller identification.</text></subparagraph><subparagraph id="H743BCFC73E794933A54FE60D3FC86CB0"><enum>(O)</enum><text display-inline="yes-display-inline">Provisions of laws, in so far as such provisions address health information, medical information, medical records, HIV status, or HIV testing.</text></subparagraph><subparagraph id="H09AAB27954DB45AC9B6C0DDB58BCF4EB"><enum>(P)</enum><text display-inline="yes-display-inline">Provisions of laws, in so far as such provisions pertain to public health activities, reporting, data, or services.</text></subparagraph><subparagraph id="H234948C8F5ED4728AF462914A515CFD9"><enum>(Q)</enum><text>Provisions of law, insofar as such provisions address the confidentiality of library records.</text></subparagraph><subparagraph id="HF42E6E0329DF45DA89A74B6106928FE9"><enum>(R)</enum><text>Section 1798.150 of the California Civil Code (as amended on November 3, 2020 by initiative Proposition 24, Section 16).</text></subparagraph><subparagraph id="HD23DB9E57E71465AA093601B61597C09"><enum>(S)</enum><text display-inline="yes-display-inline">Laws pertaining to the use of encryption as a means of providing data security.</text></subparagraph></paragraph><paragraph id="HB798602E5A564396B5D071C8BC470B2F"><enum>(3)</enum><header>CPPA enforcement</header><text>Notwithstanding any other provisions of law, the California Privacy Protection Agency established under 1798.199.10(a) of the California Privacy Rights Act may enforce this Act in the same manner it would otherwise enforce the California Consumer Privacy Act, Section 1798.1050 et 
seq.</text></paragraph><paragraph id="H82D902D0EFFF4D928523585B2297F418" commented="no"><enum>(4)</enum><header>Nonapplication of fcc privacy laws and regulations to certain covered entities</header><text>Notwithstanding any other provision of law, sections 222, 338(i), and 631 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222</external-xref>; 338(i); 551), and any regulations and orders promulgated by the Federal Communications Commission under any such section, do not apply to any covered entity with respect to the collection, processing, transfer, or security of covered data or its equivalent, and the related privacy and data security activities of a covered entity that would otherwise be regulated under such sections shall be governed exclusively by the provisions of this Act, except for—</text><subparagraph id="HBBFE4B4D5A5C4C62A6DE704EEEE612A3" commented="no"><enum>(A)</enum><text>any emergency services, as defined in section 7 of the Wireless Communications and Public Safety Act of 1999 (<external-xref legal-doc="usc" parsable-cite="usc/47/615b">47 U.S.C. 615b</external-xref>);</text></subparagraph><subparagraph id="H7DCD284AF56C42B194A538E3D3BF115A" commented="no"><enum>(B)</enum><text>subsections (b) and (g) of section 222 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 
222</external-xref>); and</text></subparagraph><subparagraph id="HED1BAB7E3BC14343BAC853517AB684D4" commented="no"><enum>(C)</enum><text>any obligation of an international treaty related to the exchange of traffic implemented and enforced by the Federal Communications Commission.</text></subparagraph></paragraph></subsection><subsection id="H3681EF53E57A4AEA97D86E74FC5D314E"><enum>(c)</enum><header>Preservation of common law or statutory causes of action for civil relief</header><text>Nothing in this Act, nor any amendment, standard, rule, requirement, assessment, or regulation promulgated under this Act, may be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law.</text></subsection></section><section id="HE56D95261FAD45559D10CAB5295B14FC"><enum>405.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation.</text></section><section id="H580ECFA3277D49DEAFE083AA1B7F6C91"><enum>406.</enum><header>COPPA</header><subsection id="H2CA2184F33C24D8DB57E81C1F218DEEF"><enum>(a)</enum><header>In general</header><text>Nothing in this Act may be construed to relieve or change any obligation that a covered entity or other person may have under the Children’s Online Privacy 
Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>).</text></subsection><subsection id="HEAB14591E2644BCEB3BF8580378F807C"><enum>(b)</enum><header>Updated regulations</header><text>Not later than 180 days after the date of enactment of this Act, the Commission shall amend its rules issued pursuant to the regulations promulgated by the Commission under the Children’s Online Privacy Protection Act of 1998 (<external-xref legal-doc="usc" parsable-cite="usc/15/6501">15 U.S.C. 6501 et seq.</external-xref>) to make reference to the additional requirements placed on covered entities under this Act, in addition to the requirements under the Children’s Online Privacy Protection Act of 1998 that may already apply to certain covered entities.</text></subsection></section><section id="HFB1978E38769431E98567FE8851BF3E3"><enum>407.</enum><header>Authorization of appropriations</header><text display-inline="no-display-inline">There are authorized to be appropriated to the Commission such sums as may be necessary to carry out this Act. </text></section><section id="H668072D8DBBD4EBCBE20CE5DB213D8B3"><enum>408.</enum><header>Effective date</header><text display-inline="no-display-inline">This Act shall take effect on the date that is 180 days after the date of enactment of this Act.</text></section></title></legis-body><endorsement display="yes"><action-date date="20221230">December 30, 2022</action-date><action-desc>Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed</action-desc></endorsement></bill> 

