<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" dms-id="A1" public-private="public" slc-id="S1-MUR21709-C3X-03-4PM"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 S3195 IS: Consumer Online Privacy Rights Act</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2021-11-04</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code><congress>117th CONGRESS</congress><session>1st Session</session><legis-num>S. 3195</legis-num><current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber><action><action-date date="20211104">November 4, 2021</action-date><action-desc><sponsor name-id="S275">Ms. Cantwell</sponsor> (for herself, <cosponsor name-id="S353">Mr. Schatz</cosponsor>, <cosponsor name-id="S311">Ms. Klobuchar</cosponsor>, and <cosponsor name-id="S369">Mr. Markey</cosponsor>) introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSCM00">Committee on Commerce, Science, and Transportation</committee-name></action-desc></action><legis-type>A BILL</legis-type><official-title>To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.</official-title></form><legis-body display-enacting-clause="yes-display-enacting-clause"><section section-type="section-one" id="S1"><enum>1.</enum><header>Short title; table of contents</header><subsection id="id9B33ABF8738C4DCD9C5B2D7060A2A00E"><enum>(a)</enum><header>Short title</header><text display-inline="yes-display-inline">This Act may be cited as the <quote><short-title>Consumer Online Privacy Rights Act</short-title></quote>.</text></subsection><subsection id="id744EC297E19442938F1B8867ABDCC469"><enum>(b)</enum><header>Table of contents</header><text>The table of contents of this Act is as follows:</text><toc><toc-entry idref="S1" level="section">Sec. 1. Short title; table of contents.</toc-entry><toc-entry idref="idce154f1adcb244dfb5e2ec2f17b524f9" level="section">Sec. 2. Definitions.</toc-entry><toc-entry idref="id697acbd4027b4521afef31de6675122d" level="section">Sec. 3. 
Effective date.</toc-entry><toc-entry idref="idab02c115f25e46fa8ee204820a06cadd" level="title">TITLE I—Data privacy rights</toc-entry><toc-entry idref="idd95044fbea1d498f888e130c44e92067" level="section">Sec. 101. Duty of loyalty.</toc-entry><toc-entry idref="id69dd63f744a848f88c46b956936f2242" level="section">Sec. 102. Right to access and transparency.</toc-entry><toc-entry idref="id57a32a0f8eca45ef89088b49ea14cda4" level="section">Sec. 103. Right to delete.</toc-entry><toc-entry idref="id20e6a054058347889e89625de8f1d299" level="section">Sec. 104. Right to correct inaccuracies.</toc-entry><toc-entry idref="id6e3c7978f2614ad9b029966324ba0b3e" level="section">Sec. 105. Right to controls.</toc-entry><toc-entry idref="id19735adb0c614c419fe97c656215a276" level="section">Sec. 106. Right to data minimization.</toc-entry><toc-entry idref="iddb11c5b0059847c281f92bcfe5739aec" level="section">Sec. 107. Right to data security.</toc-entry><toc-entry idref="id835c0751fe304f178c2d3e526620bc2a" level="section">Sec. 108. Civil rights.</toc-entry><toc-entry idref="id497963105803435ca40c47d362d49d01" level="section">Sec. 109. Prohibition on waiver of rights.</toc-entry><toc-entry idref="id505aaf1853664154b0cd36c390bae31e" level="section">Sec. 110. Limitations and applicability.</toc-entry><toc-entry idref="id3dfc07faa9244b7b9acb1ee96282f8db" level="title">TITLE II—Oversight and responsibility</toc-entry><toc-entry idref="id97961da75bb840349cc69fc2198f34ee" level="section">Sec. 201. Executive responsibility.</toc-entry><toc-entry idref="id49497dfcb39f4860a7e4655868d1263e" level="section">Sec. 202. Privacy and data security officers; comprehensive privacy and data security programs; risk assessments and compliance.</toc-entry><toc-entry idref="id4f176d723d0a419cad91a1abf25718db" level="section">Sec. 203. Service providers and third parties.</toc-entry><toc-entry idref="idd21e274fa73948db8679c3ab64cd71c7" level="section">Sec. 204. 
Whistleblower protections.</toc-entry><toc-entry idref="ide476817e1b314c779509698e347a186c" level="section">Sec. 205. Digital content forgeries.</toc-entry><toc-entry idref="id55745f937f3d4fe4838b524964f8c7f1" level="title">TITLE III—Miscellaneous</toc-entry><toc-entry idref="id2085c3f192b14d87b05b9d04fbb4e48c" level="section">Sec. 301. Enforcement, civil penalties, and applicability.</toc-entry><toc-entry idref="id58ed4d4ce3ba4b529dccd9d2dfcb2aaf" level="section">Sec. 302. Relationship to Federal and State laws.</toc-entry><toc-entry idref="id0c4e160847dd415a9e4bbca968762f2e" level="section">Sec. 303. Severability.</toc-entry><toc-entry idref="id014504f2f7cf44d3965cbad5966e1afc" level="section">Sec. 304. Authorization of appropriations.</toc-entry></toc></subsection></section><section id="idce154f1adcb244dfb5e2ec2f17b524f9"><enum>2.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text><paragraph id="id74f4af453f7247babcb44307e700535b"><enum>(1)</enum><header>Affirmative express consent</header><subparagraph id="id556eeac3200c48e7bdaafeac3eeeb4c9"><enum>(A)</enum><header>In general</header><text>The term <term>affirmative express consent</term> means an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request that meets the requirements of subparagraph (B).</text></subparagraph><subparagraph id="idf580f3df6a5740dbaecddcc2fed27f70"><enum>(B)</enum><header>Request requirements</header><text>The requirements of this subparagraph with respect to a request from a covered entity to an individual are the following:</text><clause id="idc4d938abadab49d78bbd8eb97d88a3f7"><enum>(i)</enum><text>The request is provided to the individual in a standalone disclosure.</text></clause><clause id="id83614695f0c44b7cac9c3deebe837502"><enum>(ii)</enum><text>The request includes a description of each act or practice for which the individual’s consent is 
sought and—</text><subclause id="id9fd49869449042f3998cdc08e8e5753a"><enum>(I)</enum><text>clearly distinguishes between an act or practice which is necessary to fulfill a request of the individual and an act or practice which is for another purpose; and</text></subclause><subclause id="idf23f3ac8be954345af2b9cf9b379e8fa"><enum>(II)</enum><text>is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice.</text></subclause></clause><clause id="idb303721d702f4ecbb779b1d65cab498f"><enum>(iii)</enum><text>The request clearly explains the individual’s applicable rights related to consent.</text></clause></subparagraph><subparagraph id="id0803931e4e594d2492d3d180e8dd0f9a"><enum>(C)</enum><header>Express consent required</header><text>An entity shall not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the entity.</text></subparagraph></paragraph><paragraph id="id2be3546c767d4ed0aaaa375d16849855"><enum>(2)</enum><header>Algorithmic decision-making</header><text>The term <term>algorithmic decision-making</term> means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques that makes a decision or facilitates human decision-making with respect to covered data.</text></paragraph><paragraph id="id369e45963cf4452b8c34173ff983a538"><enum>(3)</enum><header>Biometric information</header><subparagraph id="id6bcd3126aaae4bbe8d8ed209150e5e84"><enum>(A)</enum><header>In general</header><text>The term <term>biometric information</term> means any covered data generated from the measurement or specific technological processing of an individual’s biological, physical, or physiological characteristics, including—</text><clause 
id="id042acafc1f0d4e1cb4ffd804b90e0893"><enum>(i)</enum><text>fingerprints;</text></clause><clause id="id540e2213078642af84ef542dc4c1c87b"><enum>(ii)</enum><text>voice prints;</text></clause><clause id="id471b9ed461a240b6a2c4ce990f8861d6"><enum>(iii)</enum><text>iris or retina scans;</text></clause><clause id="idf157652f17814f8ebd97aa4a37d67a1d"><enum>(iv)</enum><text>facial scans or templates;</text></clause><clause id="id6eaf648885924b97b9f59e457436d053"><enum>(v)</enum><text>deoxyribonucleic acid (DNA) information; and</text></clause><clause id="idd00e9c7524d647ef8c300ba23ccc1592"><enum>(vi)</enum><text>gait.</text></clause></subparagraph><subparagraph id="id91dc171f04db4739a70f45be4cab39b5"><enum>(B)</enum><header>Exclusions</header><text>Such term does not include writing samples, written signatures, photographs, voice recordings, demographic data, or physical characteristics such as height, weight, hair color, or eye color, provided that such data is not used for the purpose of identifying an individual’s unique biological, physical, or physiological characteristics.</text></subparagraph></paragraph><paragraph id="id6e1c06797c7d4567bd9c59a08936863c"><enum>(4)</enum><header>Collect; collection</header><text>The terms <quote>collect</quote> and <quote>collection</quote> mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means, including by passively or actively observing the individual’s behavior.</text></paragraph><paragraph id="idedaa590d59f24d79ae1402635b5f9547"><enum>(5)</enum><header>Common branding</header><text>The term <term>common branding</term> means a shared name, servicemark, or trademark.</text></paragraph><paragraph id="id742c5d88c8224828b46a390551ced1e6"><enum>(6)</enum><header>Control</header><text>The term <term>control</term> means, with respect to an entity—</text><subparagraph id="idf0f31b7ecc2542e28f9e30b9e70824fa"><enum>(A)</enum><text>ownership of, or the power to vote, more than 
50 percent of the outstanding shares of any class of voting security of the entity;</text></subparagraph><subparagraph id="idc54fd32946574e0fbd62866eb73f7537"><enum>(B)</enum><text>control in any manner over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or</text></subparagraph><subparagraph id="id7e26e7f7f77048efb5b4cf48d1bd1639"><enum>(C)</enum><text>the power to exercise a controlling influence over the management of the entity.</text></subparagraph></paragraph><paragraph id="id2467befff8bb404a965d8c7227b9000a"><enum>(7)</enum><header>Commission</header><text>The term <term>Commission</term> means the Federal Trade Commission.</text></paragraph><paragraph id="id8b4c4eb698b34deaa0933a0f754d3606"><enum>(8)</enum><header>Covered data</header><subparagraph id="id415adee96cbc4c2b8bcbddc830a8c9cb"><enum>(A)</enum><header>In general</header><text>The term <term>covered data</term> means information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data.</text></subparagraph><subparagraph id="id2ae0129d885e42ebb2bfb214479c7944"><enum>(B)</enum><header>Exclusions</header><text>Such term does not include—</text><clause id="id29a58717c4e14f03b7ca3b472d87d82d"><enum>(i)</enum><text>de-identified data;</text></clause><clause id="id46e9ec5a346a4e0895eabff63ac35e84"><enum>(ii)</enum><text>employee data; and</text></clause><clause id="iddea00823747642428cca13f90391db9c"><enum>(iii)</enum><text>public records.</text></clause></subparagraph></paragraph><paragraph id="id670a7a492d334bab9d81a4e2c9fdff07"><enum>(9)</enum><header>Covered entity</header><subparagraph id="idb445a6c2796943109cbff419a5af6389"><enum>(A)</enum><header>In general</header><text>The term <term>covered entity</term> means any entity or person that—</text><clause id="idF6496F7799074F2CB462E633BB3B6429"><enum>(i)</enum><text>is subject to the Federal Trade Commission Act (<external-xref 
legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>); and</text></clause><clause id="idC480892DBEBD40F5A21726BCEF7E4B5A"><enum>(ii)</enum><text>processes or transfers covered data.</text></clause></subparagraph><subparagraph id="id99c7e2629d6a4b03916173e5dcdb50f3"><enum>(B)</enum><header>Inclusion of commonly controlled and commonly branded entities</header><text>Such term includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with a covered entity.</text></subparagraph><subparagraph id="id0EF8C2E6CDC04732A8E9794A3E3CB533"><enum>(C)</enum><header>Exclusion of small business</header><text>Such term does not include a small business.</text></subparagraph></paragraph><paragraph id="id7f490d2dc7674d73b0b5014123e07947"><enum>(10)</enum><header>De-identified data</header><text>The term <term>de-identified data</term> means information that cannot reasonably be used to infer information about, or otherwise be linked to, an individual, a household, or a device used by an individual or household, provided that the entity—</text><subparagraph id="idd20d44ecee894b1daad0a1254cab4e7c"><enum>(A)</enum><text>takes reasonable measures to ensure that the information cannot be reidentified, or associated with, an individual, a household, or a device used by an individual or household;</text></subparagraph><subparagraph id="id87b8bd418c1b4188b99bb937152bcf1a"><enum>(B)</enum><text>publicly commits in a conspicuous manner—</text><clause id="id0762cc7a1dc74afdb70d2362d6e92d0a"><enum>(i)</enum><text>to process and transfer the information in a de-identified form; and</text></clause><clause id="idd158e1a7c70a4bee8fb8b7989483f7e4"><enum>(ii)</enum><text>not to attempt to reidentify or associate the information with any individual, household, or device used by an individual or household; and</text></clause></subparagraph><subparagraph 
id="id767f1d38e7414977a676ae05ac650af8"><enum>(C)</enum><text>contractually obligates any person or entity that receives the information from the covered entity to comply with all of the provisions of this paragraph.</text></subparagraph></paragraph><paragraph id="id99665789d111440b88be78de881085f1"><enum>(11)</enum><header>Derived data</header><text>The term <term>derived data</term> means covered data that is created by the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data about an individual, household, or device used by an individual or household.</text></paragraph><paragraph id="id89ff9e2b541046d893d13ccf5b0cd879"><enum>(12)</enum><header>Employee data</header><text>The term <term>employee data</term> means—</text><subparagraph id="id802b4a5b2e8d4a20bb5aaec0a0938dcf"><enum>(A)</enum><text>covered data that is collected by a covered entity or the covered entity’s service provider about an individual in the course of the individual’s employment or application for employment (including on a contract or temporary basis) provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for purposes necessary for the individual’s employment or application for employment;</text></subparagraph><subparagraph id="id9fad1d2f6cd44b2da4ce01285e36c60a"><enum>(B)</enum><text>covered data that is collected by a covered entity or the covered entity’s service provider that is emergency contact information for an individual who is an employee, contractor, or job applicant of the covered entity provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for the purpose of having an emergency contact for such individual on file; and</text></subparagraph><subparagraph id="id2f9fb80e9be74f12b0e1c6cfeff404cd"><enum>(C)</enum><text>covered data that is collected by a covered entity or the covered 
entity’s service provider about an individual (or a relative of an individual) who is an employee or former employee of the covered entity for the purpose of administering benefits to which such individual or relative is entitled on the basis of the individual’s employment with the covered entity, provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for the purpose of administering such benefits.</text></subparagraph></paragraph><paragraph id="id2919d4b0172044c6aa2845488d9712bf"><enum>(13)</enum><header>Executive agency</header><text>The term <term>Executive agency</term> has the meaning given such term in section 105 of title 5, United States Code.</text></paragraph><paragraph id="id0155d814df604f2d884e376316b4d56b"><enum>(14)</enum><header>Individual</header><text>The term <term>individual</term> means a natural person residing in the United States, however identified, including by any unique identifier.</text></paragraph><paragraph id="idc471fb9023284d0597b149bb7c30fba2"><enum>(15)</enum><header>Large data holder</header><text>The term <term>large data holder</term> means a covered entity that, in the most recent calendar year—</text><subparagraph id="id80414116e2b44d1e8da5f26a41c41e2e"><enum>(A)</enum><text>processed or transferred the covered data of more than 5,000,000 individuals, devices used by individuals or households, or households; or</text></subparagraph><subparagraph id="id0f1f2152a0fc4ef5b44248768843c9e2"><enum>(B)</enum><text>processed or transferred the sensitive covered data of more than 100,000 individuals, devices used by individuals or households, or households.</text></subparagraph></paragraph><paragraph id="idbdc447e482bc42368d217cba81024d78"><enum>(16)</enum><header>Process</header><text>The term <term>process</term> means any operation or set of operations performed on covered data including collection, analysis, organization, structuring, retaining, using, or otherwise 
handling covered data.</text></paragraph><paragraph id="id98a8fba5196d419483a9e01ba96440c1"><enum>(17)</enum><header>Processing purpose</header><text>The term <term>processing purpose</term> means an adequately specific and granular reason for which a covered entity processes covered data that clearly describes the processing activity.</text></paragraph><paragraph id="id6a7d16f239fb4c339a442e1146768f46"><enum>(18)</enum><header>Publicly available information</header><subparagraph id="id59f107b0d31c41d0999050b4682de307"><enum>(A)</enum><header>In general</header><text>The term <term>publicly available information</term> means—</text><clause id="id61f8630d98d8473fb5cf284268dac739"><enum>(i)</enum><text>information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from widely distributed media; and</text></clause><clause id="id528ebec2799e43f2bcf772953eee8901"><enum>(ii)</enum><text>information that is directly and voluntarily disclosed to the general public by the individual to whom the information relates.</text></clause></subparagraph><subparagraph id="id0730c98935d749c28e1b10a993e046c2"><enum>(B)</enum><header>Limitation</header><text>Such term does not include—</text><clause id="id4fa7bd77093446d999d6734dd3679531"><enum>(i)</enum><text>information derived from publicly available information;</text></clause><clause id="idae93d5ff26a64bdbbee51573d081c861"><enum>(ii)</enum><text>biometric information; or</text></clause><clause id="id7c3958f73ff149c7b2214f86733557ff"><enum>(iii)</enum><text>nonpublicly available information that has been combined with publicly available information.</text></clause></subparagraph></paragraph><paragraph id="id808ebc7657f449b6bd6cfeb23b1a6784"><enum>(19)</enum><header>Public records</header><text>The term <term>public records</term> means information that is lawfully made available from Federal, State, or local government records provided that the covered entity processes and 
transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity.</text></paragraph><paragraph id="id9397c5f6a61d47f191e5689ebac57800"><enum>(20)</enum><header>Sensitive covered data</header><text>The term <term>sensitive covered data</term> means the following forms of covered data:</text><subparagraph id="ida0dd1e9c8ae04d85baa919ef976637e0"><enum>(A)</enum><text>A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.</text></subparagraph><subparagraph id="id21f05d0f67a84dce8eebef4d5858f025"><enum>(B)</enum><text>Any information that describes or reveals the past, present, or future physical health, mental health, disability, or diagnosis of an individual.</text></subparagraph><subparagraph id="ideec75d1f32a64c20b9effd920f50c494"><enum>(C)</enum><text>A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account.</text></subparagraph><subparagraph id="id633e9576e40c4028a9c8e5524feea207"><enum>(D)</enum><text>Biometric information.</text></subparagraph><subparagraph id="id353816bfc5104af58444cc89b325ac4e"><enum>(E)</enum><text>Precise geolocation information that reveals the past or present actual physical location of an individual or device.</text></subparagraph><subparagraph id="id76d062a74f4442228cbc1a4c5c978bc7"><enum>(F)</enum><text>The content or metadata of an individual’s private communications or the identity of the parties to such communications unless the covered entity is an intended recipient of the communication.</text></subparagraph><subparagraph id="id62042f733c634ac98aa9a76bdc58e4c2"><enum>(G)</enum><text>An email address, telephone number, or account log-in credentials.</text></subparagraph><subparagraph id="id94d30c72efa94b71ae90633fd681ec70"><enum>(H)</enum><text>Information revealing an individual’s race, 
ethnicity, national origin, religion, or union membership in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information.</text></subparagraph><subparagraph id="iddf9eb560b9d84c2d93c79b2281ba1d6c"><enum>(I)</enum><text>Information revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information.</text></subparagraph><subparagraph id="id5fe2d9d1165543198059f88f02280e30"><enum>(J)</enum><text>Information revealing online activities over time and across third-party websites or online services.</text></subparagraph><subparagraph id="ida1d3d1ff8421434cad19538160229df6"><enum>(K)</enum><text>Calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device.</text></subparagraph><subparagraph id="idcb0f022a464a4e76b63d44d642a5dbc7"><enum>(L)</enum><text>A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.</text></subparagraph><subparagraph id="idbd8ba1d9761a40b4845053bcad901add"><enum>(M)</enum><text>Any other covered data processed or transferred for the purpose of identifying the above data types.</text></subparagraph><subparagraph id="id5114f56893304ee5b9e9fc3cf94e8d53"><enum>(N)</enum><text>Any other covered data that the Commission determines to be sensitive covered data through a rulemaking pursuant to section 553 of title 5, United States Code.</text></subparagraph></paragraph><paragraph id="idf262b6499121468cb274bf050cdef241"><enum>(21)</enum><header>Service provider</header><subparagraph id="id0716449643BF4EA5B8D8E10FE708CA48"><enum>(A)</enum><header>In general</header><text>The term <term>service provider</term> means a covered entity that processes or transfers covered data in the course of performing a service or function on behalf of, and at the direction of, 
another covered entity, but only to the extent that such processing or transferral—</text><clause id="id9de9136accde4bc7803bb6a8c861aeca"><enum>(i)</enum><text>relates to the performance of such service or function; or</text></clause><clause id="idddcc481febfd44f785c1adf17f4efb84"><enum>(ii)</enum><text>is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.</text></clause></subparagraph><subparagraph id="id070be9786a2c4793b756b5f6d1577527"><enum>(B)</enum><header>Exclusion</header><text>Such term does not include a covered entity that processes or transfers the covered data outside of the direct relationship between the service provider and the covered entity.</text></subparagraph></paragraph><paragraph id="id8c7ec4dae2d0455d8c16985e972a962e"><enum>(22)</enum><header>Service provider data</header><text>The term <term>service provider data</term> means covered data that is collected by or has been transferred to a service provider by a covered entity for the purpose of allowing the service provider to perform a service or function on behalf of, and at the direction of, such covered entity.</text></paragraph><paragraph id="id232313b2df4d429e969b2c3696055052"><enum>(23)</enum><header>Small business</header><subparagraph id="id5144fc5026754d78b95c4ec4112a0de0"><enum>(A)</enum><header>In general</header><text>The term <term>small business</term> means an entity that can establish that, with respect to the 3 preceding calendar years (or for the period during which the entity has been in existence if, as of such date, such period is less than 3 years) the entity does not—</text><clause id="id71b6596f22084415ae1c2bd205a8712a"><enum>(i)</enum><text>maintain annual average gross revenue in excess of $25,000,000;</text></clause><clause id="id4cee1d5e9d0440e2badabbc0d253cf15"><enum>(ii)</enum><text>annually process the covered data of an average of 100,000 or more individuals, households, or devices used by individuals or households; 
and</text></clause><clause id="idc93542694d5d4e28922f715a7a02d389"><enum>(iii)</enum><text>derive 50 percent or more of its annual revenue from transferring individuals’ covered data.</text></clause></subparagraph><subparagraph id="id6e3de7693bf74fefa30652695c8dd0bf"><enum>(B)</enum><header>Common control; common branding</header><text>For purposes of subparagraph (A), the annual average gross revenue, data processing volume, and percentage of annual revenue of an entity shall include the revenue and processing activities of any person that controls, is controlled by, is under common control with, or shares common branding with such entity.</text></subparagraph></paragraph><paragraph id="idb32224bd17934a4b91c35a2813082f5f"><enum>(24)</enum><header>Third party</header><text>The term <term>third party</term>—</text><subparagraph id="id9c6c765aea85484bb89132290f3bc698"><enum>(A)</enum><text>means any person or entity that—</text><clause id="idff197bb3fdf04d49ae17d9a498eb66d3"><enum>(i)</enum><text>processes or transfers third party data; and</text></clause><clause id="id1350acd9cfec4767acca2591ec5f6887"><enum>(ii)</enum><text>is not a service provider with respect to such data; and</text></clause></subparagraph><subparagraph id="ida8c3700ae3d140bf8e2a813f74b91da2"><enum>(B)</enum><text>does not include a person or entity that collects covered data from another entity if the two entities are related by common ownership or corporate control and share common branding.</text></subparagraph></paragraph><paragraph id="id17163c14334f49518383e15fb1cd9586"><enum>(25)</enum><header>Third party data</header><text>The term <term>third party data</term> means covered data that is transferred to a third party by a covered entity.</text></paragraph><paragraph id="idc782a9ad8fe5415083634cf5fb8de364"><enum>(26)</enum><header>Transfer</header><text>The term <term>transfer</term> means to disclose, release, share, disseminate, make available, sell, license, or otherwise communicate 
covered data by any means to a service provider or third party—</text><subparagraph id="id6d1c6f5f36a54613ad033fb5082f1483"><enum>(A)</enum><text>in exchange for consideration; or</text></subparagraph><subparagraph id="idb12f746761d74a1a947ac85a365619ff"><enum>(B)</enum><text>for a commercial purpose.</text></subparagraph></paragraph><paragraph id="id3b8ac5ef75914369ad22a48e3f69a3a3"><enum>(27)</enum><header>Unique identifier</header><text>The term <term>unique identifier</term> means an identifier that is reasonably linkable to an individual, household, or device used by an individual or household, including a device identifier, an Internet Protocol address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer number, unique pseudonym, or user alias, telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular individual, a household, or a device.</text></paragraph><paragraph id="id12490c84d79541cea65ef3cfd9c4894a"><enum>(28)</enum><header>Widely distributed media</header><text>The term <term>widely distributed media</term> means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis, but does not include an obscene visual depiction as defined in section 1460 of title 18, United States Code.</text></paragraph></section><section id="id697acbd4027b4521afef31de6675122d"><enum>3.</enum><header>Effective date</header><text display-inline="no-display-inline">This Act shall take effect on the date that is 180 days after the date of enactment of this Act.</text></section><title id="idab02c115f25e46fa8ee204820a06cadd"><enum>I</enum><header>Data privacy rights</header><section id="idd95044fbea1d498f888e130c44e92067"><enum>101.</enum><header>Duty of loyalty</header><subsection 
id="ida7a02d225aef48928698ddba2043a74a"><enum>(a)</enum><header>In general</header><text>A covered entity shall not—</text><paragraph id="idaf70972f0bf64676abb7dbc86e4f185d"><enum>(1)</enum><text>engage in a deceptive data practice or a harmful data practice; or</text></paragraph><paragraph id="id9368d1cea39d4c52a4f258c84893a61d"><enum>(2)</enum><text>process or transfer covered data in a manner that violates any provision of this Act.</text></paragraph></subsection><subsection id="ide5755dfacfd44e02aa81cd3f187c8dcf"><enum>(b)</enum><header>Definitions</header><paragraph id="idc67ac426c047427a970c2942a1719736"><enum>(1)</enum><header>Deceptive data practice</header><text>The term <term>deceptive data practice</term> means an act or practice involving the processing or transfer of covered data in a manner that constitutes a deceptive act or practice in violation of section 5(a)(1) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(1)</external-xref>).</text></paragraph><paragraph id="idcd72220a9347472abdaf74d4eb6baf18"><enum>(2)</enum><header>Harmful data practice</header><text>The term <term>harmful data practice</term> means the processing or transfer of covered data in a manner that causes or is likely to cause any of the following:</text><subparagraph id="id9270008c90614c4baf44a07eaf72e78e"><enum>(A)</enum><text>Financial, physical, or reputational injury to an individual.</text></subparagraph><subparagraph id="id3ac2c96de1d144d199c83ff51cc72b8a"><enum>(B)</enum><text>Physical or other offensive intrusion upon the solitude or seclusion of an individual or the individual’s private affairs or concerns, where such intrusion would be offensive to a reasonable person.</text></subparagraph><subparagraph id="idc9bf4618cec64cb68e407eb5f7e01321"><enum>(C)</enum><text>Other substantial injury to an individual.</text></subparagraph></paragraph></subsection></section><section 
id="id69dd63f744a848f88c46b956936f2242"><enum>102.</enum><header>Right to access and transparency</header><subsection id="id601be53f9579422c9226630ac7c17f1c"><enum>(a)</enum><header>Right to access</header><text>A covered entity, upon the verified request of an individual, shall provide the individual, in a human-readable format that a reasonable individual can understand, with—</text><paragraph id="id1568d2d46bec453ebb4b424159c1e1d8"><enum>(1)</enum><text>a copy or accurate representation of the covered data of the individual processed or transferred by the covered entity; and</text></paragraph><paragraph id="id0020cbcbb64f43afab83f52c8e2f7ef0"><enum>(2)</enum><text>the name of any third party to whom covered data of the individual has been transferred by the covered entity and a description of the purpose for which the entity transferred such data to such third party.</text></paragraph></subsection><subsection id="id5863160b4e91445581d628e27134ccc7"><enum>(b)</enum><header>Right to transparency</header><text>A covered entity shall make publicly and persistently available, in a conspicuous and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data processing and data transfer activities. 
Such privacy policy shall include, at a minimum—</text><paragraph id="idff7c0065f45446a38ac876c0ba8000ed"><enum>(1)</enum><text>the identity and the contact information of the covered entity, including the contact information for the covered entity’s representative for privacy and data security inquiries;</text></paragraph><paragraph id="idb90aec201db34c2798ddd3ccd254aacd"><enum>(2)</enum><text>each category of data the covered entity collects and the processing purposes for which such data is collected;</text></paragraph><paragraph id="id78ef5837a58a48d2bb06b505afb7d96f"><enum>(3)</enum><text>whether the covered entity transfers covered data and, if so—</text><subparagraph id="id3be67ce99e674e688cde7c41c091e50b"><enum>(A)</enum><text>each category of service provider and third party to which the covered entity transfers covered data and the purposes for which such data is transferred to such categories; and</text></subparagraph><subparagraph id="idd347db24083c444ea0b8df73bbab47b9"><enum>(B)</enum><text>the identity of each third party to which the covered entity transfers covered data and the purposes for which such data is transferred to such third party, except for transfers to governmental entities pursuant to a court order or law that prohibits the covered entity from disclosing such transfer;</text></subparagraph></paragraph><paragraph id="id4cd02a4dd6bf45e0a51962ebbd8f494a"><enum>(4)</enum><text>how long covered data processed by the covered entity will be retained by the covered entity and a description of the covered entity’s data minimization policies;</text></paragraph><paragraph id="id93ca85ee5868471c98925fd95b9913db"><enum>(5)</enum><text>how individuals can exercise the individual rights described in this title;</text></paragraph><paragraph id="id9b533530457940c1bc9536faf9370462"><enum>(6)</enum><text>a description of the covered entity’s data security policies; and</text></paragraph><paragraph 
id="id6233788365dc4610a1b2e0f238f247a6"><enum>(7)</enum><text>the effective date of the privacy policy.</text></paragraph></subsection><subsection id="id5b102131ee16447790fb6e355bf82ab1"><enum>(c)</enum><header>Languages</header><text>A covered entity shall make the privacy policy required under this section available to the public in all of the languages in which the covered entity provides a product or service or carries out any other activities to which the privacy policy relates.</text></subsection><subsection id="id2b120b43f38b457ba47b1f6259b1159c"><enum>(d)</enum><header>Right To consent to material changes</header><text>A covered entity shall not make a material change to its privacy policy or practices with respect to previously collected covered data that would weaken the privacy protections applicable to such data without first obtaining prior affirmative express consent from the individuals affected. The covered entity shall provide direct notification, where possible, regarding material changes to affected individuals, taking into account available technology and the nature of the relationship.</text></subsection></section><section id="id57a32a0f8eca45ef89088b49ea14cda4"><enum>103.</enum><header>Right to delete</header><text display-inline="no-display-inline">A covered entity, upon the verified request of an individual, shall—</text><paragraph id="idb00b09b6d7d3494ebce974c1eb282eca"><enum>(1)</enum><text>delete, or allow the individual to delete, any information in the covered data of the individual that is processed by the covered entity; and</text></paragraph><paragraph id="id93b88d0f9add47de84b02789c2fb6f69"><enum>(2)</enum><text>inform any service provider or third party to which the covered entity transferred such data of the individual’s deletion request.</text></paragraph></section><section id="id20e6a054058347889e89625de8f1d299"><enum>104.</enum><header>Right to correct inaccuracies</header><text display-inline="no-display-inline">A covered 
entity, upon the verified request of an individual, shall—</text><paragraph id="id40db11dd15e64f0d8664256afcb508ae"><enum>(1)</enum><text>correct, or allow the individual to correct, inaccurate or incomplete information in the covered data of the individual that is processed by the covered entity; and</text></paragraph><paragraph id="idde3147fbd0754126b58ecdb30ed8ee47"><enum>(2)</enum><text>inform any service provider or third party to which the covered entity transferred such data of the corrected information.</text></paragraph></section><section id="id6e3c7978f2614ad9b029966324ba0b3e"><enum>105.</enum><header>Right to controls</header><subsection id="id3ebc266bcb9b491481db1c899a12f7f2"><enum>(a)</enum><header>Right to data portability</header><text>A covered entity, upon the verified request of an individual, shall export the individual’s covered data, except for derived data, without licensing restrictions—</text><paragraph id="id9874c6dfdcd940ceba3673627320d6c0"><enum>(1)</enum><text>in a human-readable format that allows the individual to understand such covered data of the individual; and</text></paragraph><paragraph id="idffd30942db2048b5829c41ac5ad37ee0"><enum>(2)</enum><text>in a structured, interoperable, and machine-readable format that includes all covered data or other information that the covered entity collected to the extent feasible.</text></paragraph></subsection><subsection id="idbfcbc655c15b4793b72bf2c70184e9c8"><enum>(b)</enum><header>Right To opt out of transfers</header><paragraph id="idd5a8411a7e434e348673d737b7a46621"><enum>(1)</enum><header>In general</header><text>A covered entity—</text><subparagraph id="id5474552e34a14a8aa4a9a431c693177c"><enum>(A)</enum><text>shall not transfer an individual’s covered data to a third party if the individual objects to the transfer; and</text></subparagraph><subparagraph id="idb697b07eb4e843c1bb842a245479eb81"><enum>(B)</enum><text>shall allow an individual to object to the covered entity transferring 
covered data of the individual to a third party through a process established under the rule issued by the Commission pursuant to paragraph (2).</text></subparagraph></paragraph><paragraph id="idff1893fe24894f3daface55a60e753c4"><enum>(2)</enum><header>Rulemaking</header><subparagraph id="id1d03a9975d9d440b83e2dea04e6a1bbc"><enum>(A)</enum><header>In general</header><text>Not later than 18 months after the date of enactment of this Act, the Commission shall issue a rule under section 553 of title 5, United States Code, establishing one or more acceptable processes for covered entities to follow in allowing individuals to opt out of transfers of covered data.</text></subparagraph><subparagraph id="id88ae3029be36406b9cc1eb8bba3a76a8"><enum>(B)</enum><header>Requirements</header><text>The processes established by the Commission pursuant to this subparagraph shall—</text><clause id="id8487d3ae1a9c47e1b24595141bab0cd2"><enum>(i)</enum><text>be centralized, to the extent feasible, to minimize the number of opt-out designations of a similar type that a consumer must make;</text></clause><clause id="id5eada8a00e40447ea5c0e2367432a829"><enum>(ii)</enum><text>include clear and conspicuous opt-out notices and consumer friendly mechanisms to allow an individual to opt out of transfers of covered data;</text></clause><clause id="id5cc01a4bb23e4718aaae9b8e1ba17047"><enum>(iii)</enum><text>allow an individual that objects to a transfer of covered data to view the status of such objection;</text></clause><clause id="id6ef6150cfe6548058d484c01f644b525"><enum>(iv)</enum><text>allow an individual that objects to a transfer of covered data to change the status of such objection;</text></clause><clause id="id1D69174069AF4452A833E5464F66A8EE"><enum>(v)</enum><text>be privacy protective; and</text></clause><clause id="id352f7af9acfd4a5ebf646a21cc6ddb56"><enum>(vi)</enum><text>be informed by the Commission’s experience developing and implementing the National Do Not Call 
Registry.</text></clause></subparagraph></paragraph></subsection><subsection id="id4a111ff221684eb5bcb3b6795e5c32f7"><enum>(c)</enum><header>Sensitive data</header><text>A covered entity—</text><paragraph commented="no" id="idbef4ffee66d841c49287ffe88037b006"><enum>(1)</enum><text>shall not process the sensitive covered data of an individual without the individual’s prior, affirmative express consent;</text></paragraph><paragraph commented="no" id="id76d051e0a4af416a904829c079040cd8"><enum>(2)</enum><text>shall not transfer the sensitive covered data of an individual without the individual’s prior, affirmative express consent;</text></paragraph><paragraph id="idab86f84a71af4b31b3ade2e2340f53d5"><enum>(3)</enum><text>shall provide an individual with a consumer-friendly means to withdraw affirmative express consent to process the sensitive covered data of the individual; and</text></paragraph><paragraph id="id7346d35f722b47f0b1adf28ad1b6fda7"><enum>(4)</enum><text>is not required to obtain prior, affirmative express consent to process or transfer publicly available information.</text></paragraph></subsection></section><section id="id19735adb0c614c419fe97c656215a276"><enum>106.</enum><header>Right to data minimization</header><text display-inline="no-display-inline">A covered entity shall not process or transfer covered data beyond what is reasonably necessary, proportionate, and limited—</text><paragraph id="idc61ed1173de84f11ae9ff7535f5586db"><enum>(1)</enum><text>to carry out the specific processing purposes and transfers described in the privacy policy made available by the covered entity as required under section 102;</text></paragraph><paragraph id="id79f0d92bde234b92966ad00f1d0fb829"><enum>(2)</enum><text>to carry out a specific processing purpose or transfer for which the covered entity has obtained affirmative express consent; or</text></paragraph><paragraph id="idae2c2084d05b446f965441a638efa32f"><enum>(3)</enum><text>for a purpose specifically permitted 
under subsection (d) of section 110.</text></paragraph><continuation-text continuation-text-level="section">Covered data processing and transfers consistent with this section shall not supersede any other provision of this Act.</continuation-text></section><section id="iddb11c5b0059847c281f92bcfe5739aec"><enum>107.</enum><header>Right to data security</header><subsection id="idb39672f204484662af3845e9c443af52"><enum>(a)</enum><header>In general</header><text>A covered entity shall establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data. Such data security practices shall be appropriate to the volume and nature of the covered data at issue.</text></subsection><subsection id="id217e25a587b64eefa3a94454a0db05f3"><enum>(b)</enum><header>Specific requirements</header><text>Data security practices required under subsection (a) shall include, at a minimum, the following:</text><paragraph id="id938cc0de92814404ac4bcd4db2c9d561"><enum>(1)</enum><header>Assess vulnerabilities</header><text>Identifying and assessing any reasonably foreseeable risks to, and vulnerabilities in, each system maintained by the covered entity that processes or transfers covered data, including unauthorized access to or risks to covered data, human vulnerabilities, access rights, and use of service providers. 
Such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by entities and individuals.</text></paragraph><paragraph id="id2cf960bbe8384fe98d8e3a97f831f218"><enum>(2)</enum><header>Preventive and corrective action</header><text>Taking preventive and corrective action to mitigate any risks or vulnerabilities to covered data identified by the covered entity, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.</text></paragraph><paragraph id="id141a6cb9eaff4ba983f25ecb167639b3"><enum>(3)</enum><header>Information retention and disposal</header><text>Disposing covered data that is required to be deleted or is no longer necessary for the purpose for which the data was collected unless an individual has provided affirmative express consent to such retention. Such process shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable and data hygiene practices to ensure ongoing compliance with this subsection.</text></paragraph><paragraph id="id4fc9d71d246a4f2d98bcdd0c398e51af"><enum>(4)</enum><header>Training</header><text>Training all employees with access to covered data on how to safeguard covered data and protect individual privacy and updating that training as necessary.</text></paragraph></subsection><subsection id="id16dd4e0217824f0bb131c82422b41e18"><enum>(c)</enum><header>Training guidelines</header><text>Not later than 1 year after the date of enactment of this Act, the Commission, in conjunction with the National Institute of Standards and Technology, shall publish guidance for covered entities on how to provide effective data security and privacy training as described in subsection (b)(4).</text></subsection></section><section 
id="id835c0751fe304f178c2d3e526620bc2a"><enum>108.</enum><header>Civil rights</header><subsection id="id8aa8bd83321245dbbdb505797d578611"><enum>(a)</enum><header>Protections</header><paragraph id="id7600638b84094009b67408c3e833459d"><enum>(1)</enum><header>In general</header><text>A covered entity shall not process or transfer covered data on the basis of an individual’s or class of individuals’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability—</text><subparagraph id="idda8415fd91824d3197bd1b8ae1354538"><enum>(A)</enum><text>for the purpose of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for a housing, employment, credit, or education opportunity, in a manner that unlawfully discriminates against or otherwise makes the opportunity unavailable to the individual or class of individuals; or</text></subparagraph><subparagraph id="id4f335d14c19945ec923c14e6e7a71160"><enum>(B)</enum><text>in a manner that unlawfully segregates, discriminates against, or otherwise makes unavailable to the individual or class of individuals the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.</text></subparagraph></paragraph><paragraph id="ide6d5dfde154c4917a0eb23ac9c43e1ae"><enum>(2)</enum><header>Exception</header><text>Nothing in this section shall limit a covered entity from processing covered data for legitimate internal testing for the purpose of preventing unlawful discrimination or otherwise determining the extent or effectiveness of the covered entity’s compliance with this Act.</text></paragraph><paragraph id="idff145f202390499b8220475060431b14"><enum>(3)</enum><header>FTC advisory opinions</header><text>A covered entity may request advice from the Commission concerning the covered entity’s 
potential compliance with this subsection, in accordance with the Commission’s rules of practice on advisory opinions.</text></paragraph></subsection><subsection id="id9a46ad85998b4e3c9d0513e4352e2128"><enum>(b)</enum><header>Algorithmic decision-Making impact assessment</header><paragraph id="id9ec0613b23304ed492f121112f078466"><enum>(1)</enum><header>Impact assessment</header><text>Notwithstanding any other provision of law, a covered entity engaged in algorithmic decision-making, or in assisting others in algorithmic decision-making for the purpose of processing or transferring covered data, solely or in part to make or facilitate advertising for housing, education, employment or credit opportunities, or an eligibility determination for housing, education, employment or credit opportunities or determining access to, or restrictions on the use of, any place of public accommodation, must annually conduct an impact assessment of such algorithmic decision-making that—</text><subparagraph id="id99c8680374bb4cafa7e3124b963914cc"><enum>(A)</enum><text>describes and evaluates the development of the covered entity’s algorithmic decision-making processes including the design and training data used to develop the algorithmic decision-making process, how the algorithmic decision-making process was tested for accuracy, fairness, bias and discrimination; and</text></subparagraph><subparagraph id="id130b47ce01e3429abcbbd4c4000ba383"><enum>(B)</enum><text>assesses whether the algorithmic decision-making system produces discriminatory results on the basis of an individual’s or class of individuals’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability.</text></subparagraph></paragraph><paragraph id="id4d35c0f7ff9a45118b5c55eb1d5727a9"><enum>(2)</enum><header>External, independent auditor or researcher</header><text>A covered entity may 
utilize an external, independent auditor or researcher to conduct such assessments.</text></paragraph><paragraph id="id86bbc7e2ca3247e4a3498306bfe25a2c"><enum>(3)</enum><header>Availability</header><text>The covered entity—</text><subparagraph id="idb70202195576455887650448793ec863"><enum>(A)</enum><text>shall make the impact assessment available to the Commission upon request; and</text></subparagraph><subparagraph id="id3dd7ddf2bf684251960675f0a44facfb"><enum>(B)</enum><text>may make the impact assessment public.</text></subparagraph><continuation-text continuation-text-level="paragraph">A covered entity may redact and segregate trade secrets as defined by section 1839 of title 18, United States Code, from public disclosure under this subsection.</continuation-text></paragraph><paragraph id="id1b47500cf0db4577a1b2cbb97f17826c"><enum>(4)</enum><header>Study</header><text>Not later than 3 years after the date of enactment of this Act, the Commission shall publish a report containing the results of a study, using the Commission’s authority under section 6(b) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/46">15 U.S.C. 46(b)</external-xref>), examining the use of algorithms for the purposes described in this subsection. 
Not later than 3 years after the publication of the initial report, and as necessary thereafter, the Commission shall publish a new and updated version of such report.</text></paragraph></subsection></section><section id="id497963105803435ca40c47d362d49d01"><enum>109.</enum><header>Prohibition on waiver of rights</header><text display-inline="no-display-inline">A covered entity shall not condition the provision of a service or product to an individual on the individual’s agreement to waive privacy rights guaranteed by—</text><paragraph id="idc5cce95f8cea45c7847a86404406fa3c"><enum>(1)</enum><text>sections 101, 105(a), and 106 through 109 of this Act; and</text></paragraph><paragraph id="id03db0c42dd7644bb8e2e37f579f27f2a"><enum>(2)</enum><text>sections 102 through 104, and 105(b) and (c) of this Act, except in the case where—</text><subparagraph id="id6d6246b148f4452ba9019c28ba8a14ee"><enum>(A)</enum><text>there exists a direct relationship between the individual and the covered entity initiated by the individual;</text></subparagraph><subparagraph id="id07dd8962fa0a447482bad35c482d90f6"><enum>(B)</enum><text>the provision of the service or product requested by the individual requires the processing or transferring of the specific covered data of the individual and the covered data is strictly necessary to provide the service or product; and</text></subparagraph><subparagraph id="id082a70ec95194a8f81fc03d708d13a72"><enum>(C)</enum><text>an individual provides affirmative express consent to such specific limitations.</text></subparagraph></paragraph></section><section id="id505aaf1853664154b0cd36c390bae31e"><enum>110.</enum><header>Limitations and applicability</header><subsection id="id7a6c2ac121834ca4aa846a8f7a5a94d7"><enum>(a)</enum><header>Verification of requests</header><paragraph id="id375214f3a3534801a1cc4bf23dca0c07"><enum>(1)</enum><header>In general</header><text>A covered entity shall not permit an individual to exercise a right described in sections 102 
through 105(a) if—</text><subparagraph id="id4524819d057848be9f3130f0855a5f0d"><enum>(A)</enum><text>the covered entity cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf; or</text></subparagraph><subparagraph id="id13d8962489664a58b109aff50e76d7bc"><enum>(B)</enum><text>the covered entity reasonably believes that the request is made to interfere with a contract between the covered entity and another individual.</text></subparagraph></paragraph><paragraph id="id9a380e12f21443ebb7c67f64ed92836e"><enum>(2)</enum><header>Additional information</header><text>If a covered entity cannot reasonably verify that a request to exercise a right described in sections 102 through 105(a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity shall request the provision of additional information necessary for the sole purpose of verifying the identity of the individual and shall not process or transfer such additional information for any other purpose.</text></paragraph><paragraph id="id0aaf06629ec04c879d027f75f169772f"><enum>(3)</enum><header>Burden minimization</header><text>A covered entity shall minimize the inconvenience to consumers relating to the verification or authentication of requests.</text></paragraph></subsection><subsection id="id95786ae1578545deb55a95c2a1ecb3c5"><enum>(b)</enum><header>Cost of access</header><text>A covered entity shall carry out the rights described in sections 102 through 105(a) free of charge.</text></subsection><subsection id="id8638b6a767a94f22ac5b423dabcbd50f"><enum>(c)</enum><header>Exceptions to sections 102 through 105<enum-in-header>(b)</enum-in-header></header><text>A covered entity may decline to comply with an individual’s request to 
exercise a right described in sections 102 through 105(b) if—</text><paragraph id="id0bbe47ab6f98407db973659f5b911331"><enum>(1)</enum><text>complying with the request would be demonstrably impossible (for purposes of this paragraph, the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible);</text></paragraph><paragraph id="id2b4ec732f1e44c14a10a38fe8216e727"><enum>(2)</enum><text>complying with the request would prevent the covered entity from carrying out internal audits, performing accounting functions, processing refunds, or fulfilling warranty claims, provided that the covered data that is the subject of the request is not processed or transferred for any purpose other than such specific activities;</text></paragraph><paragraph id="id96192f2262df461492c6a892f10fa58b"><enum>(3)</enum><text>the request is made to correct or delete publicly available information, and then only to the extent the data is publicly available information;</text></paragraph><paragraph id="idd7f26b8eee834cb69b216a18f2f91f5a"><enum>(4)</enum><text>complying with the request would impair the publication of newsworthy information of legitimate public concern to the public by a covered entity, or the processing or transfer of information by a covered entity for such purpose;</text></paragraph><paragraph id="id5a629b5e05ab45b7b993075fcd8bc412"><enum>(5)</enum><text>complying with the request would impair the privacy of another individual or the rights of another to exercise free speech; or</text></paragraph><paragraph id="id2ed95fcdaf224871b9b06cb66edb5ebe"><enum>(6)</enum><text>the covered entity processes or will process the data subject to the request for a specific purpose described in subsection (d) of this section, and complying with the request would prevent the covered entity from using such data for such specific purpose.</text></paragraph></subsection><subsection 
id="id7ecb5f1d7ac946279b19ca0e4570e60f"><enum>(d)</enum><header>Exceptions to affirmative express consent</header><paragraph id="idfc73e311720d4ea6a0cb015187c2f78f"><enum>(1)</enum><header>In general</header><text>A covered entity may process or transfer covered data without the individual’s affirmative express consent for any of the following purposes, provided that the processing or transfer is reasonably necessary, proportionate, and limited to such purpose:</text><subparagraph id="idd948c618e3e045f29fdb805c5c9d519f"><enum>(A)</enum><text>To complete a transaction or fulfill an order or service specifically requested by an individual, such as billing, shipping, or accounting.</text></subparagraph><subparagraph id="id8aa7eeb1349240fba0fd28893d118343"><enum>(B)</enum><text>To perform system maintenance, debug systems, or repair errors to ensure the functionality of a product or service provided by the covered entity.</text></subparagraph><subparagraph id="idef35ba0ec15b437f93854bae1168574d"><enum>(C)</enum><text>To detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.</text></subparagraph><subparagraph id="idcf48e6cb0e234dae93fdc7ca9ca0c3bc"><enum>(D)</enum><text>To protect against malicious, deceptive, fraudulent, or illegal activity.</text></subparagraph><subparagraph id="ida4120dd2d12e40de9aa7f78b3b632183"><enum>(E)</enum><text>To comply with a legal obligation or the establishment, exercise, or defense of legal claims.</text></subparagraph><subparagraph id="idcf412dfcb93e485da415d6291965a740"><enum>(F)</enum><text>To prevent an individual from suffering harm where the covered entity believes in good faith that the individual is in danger of suffering death or serious physical injury.</text></subparagraph><subparagraph id="id1407d2a6faae4672909e3b7642cdf758"><enum>(G)</enum><text>To effectuate a product recall pursuant to Federal or State law.</text></subparagraph><subparagraph 
id="idf4c94ab245504f7ba0fedb524ffa489f"><enum>(H)</enum><text>To conduct scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar oversight entity that meets standards promulgated by the Commission pursuant to section 553 of title 5, United States Code.</text></subparagraph></paragraph><paragraph id="idf7bade3b29cf47d7bdbe4fc84f61ddcf"><enum>(2)</enum><header>Biometric information</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations pursuant to section 553 of title 5, United States Code, identifying privacy protective requirements for the processing of biometric information for a purpose described in subparagraph (C) or (D) of paragraph (1). Such regulations shall include—</text><subparagraph id="idd34050ed02ff46e0949bce4ccb2e121b"><enum>(A)</enum><text>strict data processing limitations, including a prohibition on the processing of biometric information unless the covered entity has a reasonable suspicion, after a specific criminal incident involving the covered entity, that the individual may engage in criminal activity;</text></subparagraph><subparagraph id="id051b5c20265d46d2bb3e606fb040d443"><enum>(B)</enum><text>strict data transfer limitations, including a prohibition on the transfer of biometric information to a third party other than to comply with a legal obligation or to establish, exercise, or defend a legal claim; and</text></subparagraph><subparagraph id="id9fa3fb78a7ea4eefac3a35d3989705d1"><enum>(C)</enum><text>strict transparency obligations, including requiring disclosures in a conspicuous and readily accessible manner regarding specific data processing and transfer activities.</text></subparagraph></paragraph></subsection><subsection id="id884a796d41724791bd4c1792c190ca5f"><enum>(e)</enum><header>Journalism 
exception</header><text>Nothing in this title shall apply to the publication of newsworthy information of legitimate public concern to the public by a covered entity, or to the processing or transfer of information by a covered entity for that purpose.</text></subsection><subsection id="id29efb501c50a4a5ab3d5b15c325c554c"><enum>(f)</enum><header>Applicability of other data privacy requirements</header><text>A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>), the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931 et seq.</external-xref>), part C of title XI of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d et seq.</external-xref>), the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681">15 U.S.C. 1681 et seq.</external-xref>), the Family Educational Rights and Privacy Act (<external-xref legal-doc="usc" parsable-cite="usc/20/1232g">20 U.S.C. 1232g</external-xref>; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 107, with respect to data subject to the requirements of such regulations, part, title, or Act. 
Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this subsection.</text></subsection><subsection id="id22ab8700a35543ff9aee4d5c93b78c7c"><enum>(g)</enum><header>Applicability of other data security requirements</header><text>A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>), the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931 et seq.</external-xref>), part C of title XI of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d">42 U.S.C. 1320d et seq.</external-xref>), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 107 with respect to data subject to the requirements of such regulations, part, title, or Act. 
Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this subsection.</text></subsection><subsection id="id81e9c45ea0284317b07a0c98611c0030"><enum>(h)</enum><header>In general</header><text>The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations necessary to carry out the provisions of this title.</text></subsection></section></title><title id="id3dfc07faa9244b7b9acb1ee96282f8db"><enum>II</enum><header>Oversight and responsibility</header><section id="id97961da75bb840349cc69fc2198f34ee"><enum>201.</enum><header>Executive responsibility</header><subsection id="idecaaa9d087bc4b8a8f88a332187d8c4d"><enum>(a)</enum><header>In general</header><text>Beginning 1 year after the date of enactment of this Act, the chief executive officer of a covered entity that is a large data holder (or, if the entity does not have a chief executive officer, the highest ranking officer of the entity) and each privacy officer and data security officer of such entity shall annually certify to the Commission, in a manner specified by the Commission, that the entity maintains—</text><paragraph id="idfcf5710838844719af303cc204aa1c9e"><enum>(1)</enum><text>adequate internal controls to comply with this Act; and</text></paragraph><paragraph id="id22aea6c8b37b4378987cb741a77aa8d7"><enum>(2)</enum><text>reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s compliance with this Act.</text></paragraph></subsection><subsection id="id09655b10674544ed9d6dca271171aa33"><enum>(b)</enum><header>Requirements</header><text>A certification submitted under subsection (a) shall be based on a review of the effectiveness of a covered entity’s internal controls and reporting structures that is conducted by the certifying officers no more than 90 days before the submission of the 
certification.</text></subsection></section><section id="id49497dfcb39f4860a7e4655868d1263e"><enum>202.</enum><header>Privacy and data security officers; comprehensive privacy and data security programs; risk assessments and compliance</header><subsection id="idb05f29fc0a8a4cb9b098cd5b27acf99d"><enum>(a)</enum><header>Privacy and data security officer</header><text>A covered entity shall designate—</text><paragraph id="id76d9674f8262498498eb5534c1af7dfa"><enum>(1)</enum><text>1 or more qualified employees as privacy officers; and</text></paragraph><paragraph id="idceab27285c13444da592ccf5b27eb500"><enum>(2)</enum><text>1 or more qualified employees (in addition to any employee designated under paragraph (1)) as data security officers.</text></paragraph></subsection><subsection id="id63c614bcaa9443c792427a4a09abdd29"><enum>(b)</enum><header>Comprehensive privacy and data security programs, risk assessments, and compliance</header><text>An employee who is designated by a covered entity as a privacy officer or a data security officer shall be responsible for, at a minimum—</text><paragraph id="idad76b34fbdbe44eab580164e4d547781"><enum>(1)</enum><text>implementing a comprehensive written data privacy program and data security program to safeguard the privacy and security of covered data throughout the life cycle of development and operational practices of the covered entity’s products or services;</text></paragraph><paragraph id="idfe215058090c4e6888ea246fb0accddd"><enum>(2)</enum><text>annually conducting privacy and data security risk assessments, data hygiene, and other quality control practices; and</text></paragraph><paragraph id="ide08123f303e74ff599837c33cc1573b2"><enum>(3)</enum><text>facilitating the covered entity’s ongoing compliance with this Act.</text></paragraph></subsection></section><section id="id4f176d723d0a419cad91a1abf25718db"><enum>203.</enum><header>Service providers and third parties</header><subsection 
id="id70be7f8c74b248b38ad69a8fdc2228bd"><enum>(a)</enum><header>Service providers</header><text>A service provider—</text><paragraph id="id37719d1d59054b86b15faa41b2ae0659"><enum>(1)</enum><text>shall not process service provider data for any processing purpose other than one performed on behalf of, and at the direction of, the covered entity that transferred such data to the service provider, except that a service provider may process data to comply with a legal obligation or the establishment, exercise, or defense of legal claims;</text></paragraph><paragraph id="id7c11d7bb2ba24e7e9cbf742b044ce4a1"><enum>(2)</enum><text>shall not transfer service provider data to a third party without the affirmative express consent, obtained by, or on behalf of, the covered entity, of the individual to whom the service provider data is linked or reasonably linkable;</text></paragraph><paragraph id="idab0c0fcac7644c889bdbb2f7c035218e"><enum>(3)</enum><text>shall delete or de-identify service provider data after the agreed upon end of the provision of services;</text></paragraph><paragraph id="idbdc697466d51482da9d2be3ec1b4c7c2"><enum>(4)</enum><text>is exempt from the requirements of sections 102(a), 103, 104, and 105(a) with respect to service provider data, but shall, to the extent practicable—</text><subparagraph id="idfa50b2cfd5c443a0909d041f4b7eddb4"><enum>(A)</enum><text>assist the covered entity from which it received the service provider data in fulfilling requests made by individuals under such sections; and</text></subparagraph><subparagraph id="id1f3b28a0ff354697aa36caed687d682c"><enum>(B)</enum><text>shall delete, de-identify, or correct (as applicable), any service provider data that is subject to a verified request from an individual described in section 103 or 104; and</text></subparagraph></paragraph><paragraph id="idac9849c550d14478a4a0fed5a7670970"><enum>(5)</enum><text>is exempt from the requirements of section 106 with respect to service provider data, but 
shall have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.</text></paragraph></subsection><subsection id="id3b3a9ed7761b4f648f3b102349da186d"><enum>(b)</enum><header>Third parties</header><text>A third party—</text><paragraph id="idde3973663ddb494697de396755ad57ee"><enum>(1)</enum><text>shall not process third party data for a purpose that is inconsistent with the expectations of a reasonable individual;</text></paragraph><paragraph id="idd9cc9e1d43ae446992c2bd4491daf423"><enum>(2)</enum><text>may reasonably rely on representations made by the covered entity that transferred third party data regarding the expectation of a reasonable individual, provided the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible; and</text></paragraph><paragraph id="idaad7279ffafc492b8ffce6ba14fe0a5f"><enum>(3)</enum><text>upon receipt of any third party data, is exempt from the requirements of section 105(c) with respect to such data, but shall have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.</text></paragraph></subsection><subsection id="id4e7f472e770a4327ba73b90dd823983b"><enum>(c)</enum><header>Additional obligations on covered entities</header><paragraph id="idf8938c5d347343a2a7ce342385e7cf24"><enum>(1)</enum><header>In general</header><text>A covered entity shall—</text><subparagraph id="idd9b3cc6d7c184c8da26ac7e1685cb1a1"><enum>(A)</enum><text>exercise reasonable due diligence in selecting a service provider and conduct reasonable oversight of its service providers to ensure compliance with the applicable requirements of this section; and</text></subparagraph><subparagraph id="ida2dc3ef408db40459910b2d234a078e9"><enum>(B)</enum><text>exercise reasonable due diligence in deciding to transfer covered data to a third party, and conduct 
oversight of third parties to which it transfers data to ensure compliance with the applicable requirements of this subsection.</text></subparagraph></paragraph><paragraph id="id3a136eefb9d24483857ce1f3e65560f6"><enum>(2)</enum><header>Guidance</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance for covered entities regarding compliance with this subsection.</text></paragraph></subsection><subsection id="id08c1402919bd4205a9dfb1531dc1469e"><enum>(d)</enum><header>In general</header><text>The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations necessary to carry out the provisions of this section.</text></subsection></section><section id="idd21e274fa73948db8679c3ab64cd71c7"><enum>204.</enum><header>Whistleblower protections</header><subsection id="id06985b800b2141ff96428b50080afa6f"><enum>(a)</enum><header>In general</header><text>A covered entity shall not, directly or indirectly, discharge, demote, suspend, threaten, harass, or in any other manner discriminate against a covered individual of the covered entity because—</text><paragraph id="id834351d9fffb43eca03ab9d28f6615d1"><enum>(1)</enum><text>the covered individual, or anyone perceived as assisting the covered individual, takes (or the covered entity suspects that the covered individual has taken or will take) a lawful action in providing to the Federal Government or the attorney general of a State information relating to any act or omission that the covered individual reasonably believes to be a violation of this Act or any regulation promulgated under this Act;</text></paragraph><paragraph id="id3d617fa027f54fad9b6db9fd0b1115e6"><enum>(2)</enum><text>the covered individual provides information that the covered individual reasonably believes evidences such a violation to—</text><subparagraph id="id0bed48aa8a2e4a359e673e10141a09d6"><enum>(A)</enum><text>a person with supervisory authority over 
the covered individual at the covered entity; or</text></subparagraph><subparagraph id="id391857eec1774e5899d86e881ff762f3"><enum>(B)</enum><text>another individual working for the covered entity who the covered individual reasonably believes has the authority to investigate, discover, or terminate the violation or to take any other action to address the violation;</text></subparagraph></paragraph><paragraph id="id084d3dd5975e45e6bc5ff9222e3cb267"><enum>(3)</enum><text>the covered individual testifies (or the covered entity expects that the covered individual will testify) in an investigation or judicial or administrative proceeding concerning such a violation; or</text></paragraph><paragraph id="id312a4d25c1f54dde8dd55640108fa470"><enum>(4)</enum><text>the covered individual assists or participates (or the covered entity expects that the covered individual will assist or participate) in such an investigation or judicial or administrative proceeding, or the covered individual takes any other action to assist in carrying out the purposes of this Act.</text></paragraph></subsection><subsection id="id55f7749a6cdf498cb3f79440819104b5"><enum>(b)</enum><header>Enforcement</header><text>An individual who alleges discharge or other discrimination in violation of subsection (a) may bring an action governed by the rules, procedures, statute of limitations, and legal burdens of proof in section 42121(b) of title 49, United States Code. 
If the individual has not received a decision within 180 days and there is no showing that such delay is due to the bad faith of the claimant, the individual may bring an action for a jury trial, governed by the burden of proof in section 42121(b) of title 49, United States Code, in the appropriate district court of the United States for the following relief:</text><paragraph id="id3481c72f885e452fad32e8abba53c42a"><enum>(1)</enum><text>Temporary relief while the case is pending.</text></paragraph><paragraph id="id8e7c328bc7cf4daaa86a58ab68badda9"><enum>(2)</enum><text>Reinstatement with the same seniority status that the individual would have had, but for the discharge or discrimination.</text></paragraph><paragraph id="idfba8e565e96644d2b70ceaf5a28dcf2a"><enum>(3)</enum><text>Three times the amount of back pay otherwise owed to the individual, with interest.</text></paragraph><paragraph id="id584de14702e54711a1f7b24be777df6e"><enum>(4)</enum><text>Consequential and compensatory damages, and compensation for litigation costs, expert witness fees, and reasonable attorneys’ fees.</text></paragraph></subsection><subsection id="id909a46fa51134981baaf187fbefc20c7"><enum>(c)</enum><header>Waiver of rights and remedies</header><text>The rights and remedies provided for in this section shall not be waived by any policy form or condition of employment, including by a predispute arbitration agreement.</text></subsection><subsection id="id87ce4def78994b6ba7a4e508e3b034f8"><enum>(d)</enum><header>Predispute arbitration agreements</header><text>No predispute arbitration agreement shall be valid or enforceable if the agreement requires arbitration of a dispute arising under this section.</text></subsection><subsection id="idce247d86818a436385fca0daf5b0bc06"><enum>(e)</enum><header>Covered Individual defined</header><text>In this section, the term <term>covered individual</term> means an applicant, current or former employee, contractor, subcontractor, grantee, or agent of an 
employer.</text></subsection></section><section id="ide476817e1b314c779509698e347a186c"><enum>205.</enum><header>Digital content forgeries</header><subsection id="id6a8b269411e74ae694a64ff52c612801"><enum>(a)</enum><header>Reports</header><text>Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Director of the National Institute of Standards and Technology shall publish a report regarding digital content forgeries.</text></subsection><subsection id="id266D2912A2354D0BA0AEE81104DBD37B"><enum>(b)</enum><header>Requirements</header><text>Each report under subsection (a) shall include the following:</text><paragraph id="id46f54922e8784bff941a08d7bd0d7bf8"><enum>(1)</enum><text>A definition of digital content forgeries along with accompanying explanatory materials. The definition developed pursuant to this section shall not supersede any other provision of law or be construed to limit the authority of any executive agency related to digital content forgeries.</text></paragraph><paragraph id="ida3f34eeb5c774442895458b3ac81127b"><enum>(2)</enum><text>A description of the common sources in the United States of digital content forgeries and commercial sources of digital content forgery technologies.</text></paragraph><paragraph id="idba0d868594b54224828320274815ef66"><enum>(3)</enum><text>An assessment of the uses, applications, and harms of digital content forgeries.</text></paragraph><paragraph id="id9c14942a6f5f4527b33703e86f2444c3"><enum>(4)</enum><text>An analysis of the methods and standards available to identify digital content forgeries as well as a description of the commercial technological counter-measures that are, or could be, used to address concerns with digital content forgeries, which may include the provision of warnings to viewers of suspect content.</text></paragraph><paragraph id="id35ef5f1f5ba64ef287c80066edb2770f"><enum>(5)</enum><text>A description of the types of digital content forgeries, including those 
used to commit fraud, cause harm or violate any provision of law.</text></paragraph><paragraph id="id475D24D330A84F73AC6952E936A6C478"><enum>(6)</enum><text>Any other information determined appropriate by the Director.</text></paragraph></subsection></section></title><title id="id55745f937f3d4fe4838b524964f8c7f1"><enum>III</enum><header>Miscellaneous</header><section id="id2085c3f192b14d87b05b9d04fbb4e48c"><enum>301.</enum><header>Enforcement, civil penalties, and applicability</header><subsection id="id6df00f3465fe46759f27e561495b34cd"><enum>(a)</enum><header>Enforcement by the Federal Trade Commission</header><paragraph id="iddf04b0ef7c78491abda1d783d0455967"><enum>(1)</enum><header>New bureau</header><subparagraph id="ide9927c84a9c7478cac2372ecbc52ccdb"><enum>(A)</enum><header>In general</header><text>The Commission shall establish a new Bureau within the Commission comparable in structure, size, organization, and authority to the existing Bureaus with the Commission related to consumer protection and competition.</text></subparagraph><subparagraph id="id52c0f6bd53744f9ea6d79eb2ab0d6264"><enum>(B)</enum><header>Mission</header><text>The mission of the Bureau established under this paragraph shall be to assist the Commission in exercising the Commission’s authority under this Act and under other Federal laws addressing privacy, data security, and related issues.</text></subparagraph><subparagraph id="id2ca278b1c2e94e5187fb0c8a735ab75d"><enum>(C)</enum><header>Timeline</header><text>Such Bureau shall be established, staffed, and fully operational within 2 years of enactment of this Act.</text></subparagraph></paragraph><paragraph id="idb6c4b218341049829420dfe55d886fea"><enum>(2)</enum><header>Treatment as violation of rule</header><text>A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act 
(<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>).</text></paragraph><paragraph id="id8fd3481355c644999032ef4796ac1577"><enum>(3)</enum><header>Powers of Commission</header><subparagraph id="id6998c712a8a941b79e2af1a128bb3050"><enum>(A)</enum><header>In general</header><text>Except as provided in subparagraph (C), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this Act.</text></subparagraph><subparagraph id="idded545ef688e4c49b5cab07e33328099"><enum>(B)</enum><header>Privileges and immunities</header><text>Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>).</text></subparagraph><subparagraph id="id76331199396d44feb5d1cde03e86766c"><enum>(C)</enum><header>Independent litigation authority</header><text>The Commission may commence, defend, or intervene in, and supervise the litigation of any civil action under this subsection (including an action to collect a civil penalty) and any appeal of such action in its own name by any of its attorneys designated by it for such purpose. 
The Commission shall notify the Attorney General of any such action and may consult with the Attorney General with respect to any such action or request the Attorney General on behalf of the Commission to commence, defend, or intervene in any such action.</text></subparagraph></paragraph><paragraph id="id99da31250ac54201bde551c13198dd92"><enum>(4)</enum><header>Data privacy and security relief fund</header><subparagraph id="id039086dfc64740fbbe032483a567b1d4"><enum>(A)</enum><header>Establishment of relief fund</header><text>There is established in the Treasury of the United States a separate fund to be known as the <quote>Data Privacy and Security Relief Fund</quote> (referred to in this paragraph as the <quote>Relief Fund</quote>).</text></subparagraph><subparagraph id="id05b8ed8374e44c0cb16c5bf3aa29b81f"><enum>(B)</enum><header>Deposits</header><clause id="id11ddba446b7e49829aeeb46fc0227328"><enum>(i)</enum><header>Deposits from the commission</header><text>The Commission shall deposit into the Relief Fund the amount of any civil penalty obtained against any covered entity in any judicial or administrative action the Commission commences to enforce this Act or a regulation promulgated under this Act.</text></clause><clause id="id2ede794f7d524dd391855eb20900e32d"><enum>(ii)</enum><header>Deposits from the attorney general</header><text>The Attorney General of the United States shall deposit into the Relief Fund the amount of any civil penalty obtained against any covered entity in any judicial or administrative action the Attorney General commences on behalf of the Commission to enforce this Act or a regulation promulgated under this Act.</text></clause></subparagraph><subparagraph id="idf6d04055aa7a484b86aacdebd0c03a3d"><enum>(C)</enum><header>Use of fund amounts</header><text>Notwithstanding section 3302 of title 31, United States Code, amounts in the Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payments 
or compensation, or other monetary relief to individuals affected by an act or practice for which civil penalties have been obtained under this Act. To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief are otherwise not practicable, the Commission may use such funds for the purpose of consumer or business education relating to data privacy and security or for the purpose of engaging in technological research that the Commission considers necessary to enforce this Act.</text></subparagraph><subparagraph id="id191f2cacd51647589c6d19a4ad182b80"><enum>(D)</enum><header>Amounts not subject to apportionment</header><text>Notwithstanding any other provision of law, amounts in the Relief Fund shall not be subject to apportionment for purposes of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/31/15">chapter 15</external-xref> of title 31, United States Code, or under any other authority.</text></subparagraph></paragraph></subsection><subsection id="idf5dddfd79e404b26b774576ab73ae09d"><enum>(b)</enum><header>Enforcement by State attorneys general</header><paragraph id="id2985bfa0875b48d585a50cb6940166e3"><enum>(1)</enum><header>Civil action</header><text>In any case in which the attorney general of a State or a consumer protection officer of a State has reason to believe that an interest of the residents of that State has been or is adversely affected by the engagement of any covered entity in an act or practice that violates this Act or a regulation promulgated under this Act, the attorney general of the State, or a consumer protection officer of the State acting on behalf of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—</text><subparagraph id="id75093dec55e34c60847aa032c2dff291"><enum>(A)</enum><text>enjoin that act or practice;</text></subparagraph><subparagraph 
id="ide3fff27fd4ad4b77994e2ca1bb1fffa7"><enum>(B)</enum><text>enforce compliance with this Act or the regulation;</text></subparagraph><subparagraph id="id24fe4616458b45229fa4ea62127cce14"><enum>(C)</enum><text>obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or</text></subparagraph><subparagraph id="id2405d71f32594ddbb817f0c0c9c52631"><enum>(D)</enum><text>obtain such other relief as the court may consider to be appropriate.</text></subparagraph></paragraph><paragraph id="id09b4d798988742a2915490d19a6237b5"><enum>(2)</enum><header>Notice to the commission and rights of the commission</header><text>Except where not feasible, the State shall notify the Commission in writing prior to initiating a civil action under paragraph (1). Such notice shall include a copy of the complaint to be filed to initiate such action. If prior notice is not practicable, the State shall provide a copy of the complaint to the Commission immediately upon instituting the action. 
Upon receiving such notice, the Commission may intervene in such action and, upon intervening—</text><subparagraph id="id33826a3bca0a42cbba472913a5457dba"><enum>(A)</enum><text>be heard on all matters arising in such action; and</text></subparagraph><subparagraph id="id037af3826b4f49b79a9b17b369a865b5"><enum>(B)</enum><text>file petitions for appeal of a decision in such action.</text></subparagraph></paragraph><paragraph id="id35d5cda38b5b4d8f8494168e64538901"><enum>(3)</enum><header>Preservation of State powers</header><text>No provision of this section shall be construed as altering, limiting, or affecting the authority of a State attorney general or a consumer protection officer of a State to—</text><subparagraph id="idc3ab53aba1ad4398ac8e122c3670c638"><enum>(A)</enum><text>bring an action or other regulatory proceeding arising solely under the law in effect in that State; or</text></subparagraph><subparagraph id="ide0a31ebde3ed4fb7b5f80456e1ed0024"><enum>(B)</enum><text>exercise the powers conferred on the attorney general or on a consumer protection officer of a State by the laws of the State, including the ability to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.</text></subparagraph></paragraph><paragraph id="idc0b8c61a0ca3433f9a5200a2c000984a"><enum>(4)</enum><header>Venue; service of process</header><subparagraph id="id6a7f7fdd034c43ab80f55af734007980"><enum>(A)</enum><header>Venue</header><text>Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.</text></subparagraph><subparagraph id="id77161bf455c34fedb8664502ecc479e8"><enum>(B)</enum><header>Service of process</header><text>In an action brought under paragraph (1), process may be served in any district in which the defendant—</text><clause 
id="id70f44d47431b4951b064701a33abe081"><enum>(i)</enum><text>is an inhabitant; or</text></clause><clause id="id08577f1a1c8a434c8e6f3f74e2232389"><enum>(ii)</enum><text>may be found.</text></clause></subparagraph></paragraph></subsection><subsection id="id43c584d3f3f14b0394845cf75b5bbff0"><enum>(c)</enum><header>Enforcement by individuals</header><paragraph id="id2b20f640fa1d4ac0a1653ddbfe665014"><enum>(1)</enum><header>In general</header><text>Any individual alleging a violation of this Act or a regulation promulgated under this Act may bring a civil action in any court of competent jurisdiction, State or Federal.</text></paragraph><paragraph id="idbbb07bb198f2439ba6c5763cd8a9b989"><enum>(2)</enum><header>Relief</header><text>In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award—</text><subparagraph id="id237dab2c354c4794a02757c2102a5973"><enum>(A)</enum><text>an amount not less than $100 and not greater than $1,000 per violation per day or actual damages, whichever is greater;</text></subparagraph><subparagraph id="iddfcc45d1478544fc8dfd9b683b1feffb"><enum>(B)</enum><text>punitive damages;</text></subparagraph><subparagraph id="id889e61cd5851423aa6292c3aa2f1e21e"><enum>(C)</enum><text>reasonable attorney’s fees and litigation costs; and</text></subparagraph><subparagraph id="id01b48c195ff7491a94306ca37ec180d1"><enum>(D)</enum><text>any other relief, including equitable or declaratory relief, that the court determines appropriate.</text></subparagraph></paragraph><paragraph id="id85ac0c0e0999419e8fe96867d814c7b2"><enum>(3)</enum><header>Injury in fact</header><text>A violation of this Act or a regulation promulgated under this Act with respect to the covered data of an individual constitutes a concrete and particularized injury in fact to that individual.</text></paragraph></subsection><subsection id="id53d35f98262c4d58a29e38ba2f52daca"><enum>(d)</enum><header>Invalidity of pre-Dispute arbitration agreements and 
pre-Dispute joint action waivers</header><paragraph id="idd8c23494730141f6ae893255a1425e2f"><enum>(1)</enum><header>In general</header><text>Notwithstanding any other provision of law, no pre-dispute arbitration agreement or pre-dispute joint action waiver shall be valid or enforceable with respect to a privacy or data security dispute arising under this Act.</text></paragraph><paragraph id="idb047394bbae04f119a274edc7e8feb72"><enum>(2)</enum><header>Applicability</header><text>Any determination as to whether or how this subsection applies to any privacy or data security dispute shall be made by a court, rather than an arbitrator, without regard to whether such agreement purports to delegate such determination to an arbitrator.</text></paragraph><paragraph id="id9c0c78f88b294abbaffdea2e501fbea4"><enum>(3)</enum><header>Definitions</header><text>For purposes of this subsection:</text><subparagraph id="ide96994c4d6bf43f6a7e7804d10a6ce59"><enum>(A)</enum><text>The term <term>pre-dispute arbitration agreement</term> means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement.</text></subparagraph><subparagraph id="id4d95adc3e2b3416f8566fb10b33f73e8"><enum>(B)</enum><text>The term <term>pre-dispute joint-action waiver</term> means an agreement, whether or not part of a pre-dispute arbitration agreement, that would prohibit, or waive the right of, one of the parties to the agreement to participate in a joint, class, or collective action in a judicial, arbitral, administrative, or other forum, concerning a dispute that has not yet arisen at the time of the making of the agreement.</text></subparagraph><subparagraph id="idfa75668edc404e00a6cf9d546ebfe162"><enum>(C)</enum><text>The term <term>privacy or data security dispute</term> means any claim relating to an alleged violation of this Act, or a regulation promulgated under this Act, and between an individual and a covered 
entity.</text></subparagraph></paragraph></subsection></section><section id="id58ed4d4ce3ba4b529dccd9d2dfcb2aaf"><enum>302.</enum><header>Relationship to Federal and State laws</header><subsection id="id0bd46081fbf04e60bab4a10350cde1fe"><enum>(a)</enum><header>Federal law preservation</header><text>Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—</text><paragraph id="id277c54c30fd24bc78565a13ed1f0077c"><enum>(1)</enum><text>the authority of the Commission, or any other Executive agency, under any other provision of law; or</text></paragraph><paragraph id="id34b321bf5723432bb59770d6382579a6"><enum>(2)</enum><text>any other provision of Federal law unless as specifically authorized by this Act.</text></paragraph></subsection><subsection id="idb873584a7ea74898880581cbd33a158c"><enum>(b)</enum><header>State law preservation</header><text display-inline="yes-display-inline">Nothing in this Act shall be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:</text><paragraph id="id2b9f979e63d94edc88fa0ddb59bf3258"><enum>(1)</enum><text>Consumer protection laws of general applicability such as laws regulating deceptive, unfair, or unconscionable practices.</text></paragraph><paragraph id="idf47e8ba8559d4b3988cad4a624a0f243"><enum>(2)</enum><text>Civil rights laws.</text></paragraph><paragraph id="id08d9a16ba33048e0be52ddc793c3d464"><enum>(3)</enum><text>Laws that govern the privacy rights or other protections of employees, employee information, or students or student information.</text></paragraph><paragraph id="id7eb49a52f2044e6d9d958ec3a0160c1d"><enum>(4)</enum><text>Laws that address notification requirements in the event of a data breach.</text></paragraph><paragraph id="id8e2b86c345a4499f8d790aa06b506ccc"><enum>(5)</enum><text>Contract or tort law.</text></paragraph><paragraph id="id62d04d40a1b14ab780514f246834aa95"><enum>(6)</enum><text>Criminal laws governing fraud, theft, 
unauthorized access to information or unauthorized use of information, malicious behavior, and similar provisions, and laws of criminal procedure.</text></paragraph><paragraph id="idc7ca038098a649ef9b413a625b2a1896"><enum>(7)</enum><text>Laws specifying remedies or a cause of action to individuals.</text></paragraph><paragraph id="id41cae6b0017b45e2bf5222b894ad52d1"><enum>(8)</enum><text>Public safety or sector specific laws unrelated to privacy or security.</text></paragraph></subsection><subsection id="idaf9f2a3bfd9e46ecb1ecbd745e6388e3"><enum>(c)</enum><header>Preemption of directly conflicting State laws</header><text>Except as provided in subsections (b) and (d), this Act shall supersede any State law to the extent such law directly conflicts with the provisions of this Act, or a standard, rule, or regulation promulgated under this Act, and then only to the extent of such direct conflict. Any State law, rule, or regulation shall not be considered in direct conflict if it affords a greater level of protection to individuals protected under this Act.</text></subsection><subsection id="id44bad37b3cac4cae9d6889fc66f15852"><enum>(d)</enum><header>Preservation of common law or statutory causes of action for civil relief</header><text>Nothing in this Act, nor any amendment, standard, rule, requirement, assessment, law or regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law.</text></subsection></section><section 
id="id0c4e160847dd415a9e4bbca968762f2e"><enum>303.</enum><header>Severability</header><text display-inline="no-display-inline">If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act and the application of such provision to other persons not similarly situated or to other circumstances shall not be affected by the invalidation.</text></section><section id="id014504f2f7cf44d3965cbad5966e1afc"><enum>304.</enum><header>Authorization of appropriations</header><text display-inline="no-display-inline">There are authorized to be appropriated to the Commission such sums as may be necessary to carry out this Act.</text></section></title></legis-body></bill> 

