[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2701 Introduced in House (IH)]

<DOC>






118th CONGRESS
  1st Session
                                H. R. 2701

   To provide for individual rights relating to privacy of personal 
information, to establish privacy and security requirements for covered 
 entities relating to personal information, and to establish an agency 
 to be known as the Digital Privacy Agency to enforce such rights and 
                 requirements, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 19, 2023

Ms. Eshoo (for herself and Ms. Lofgren) introduced the following bill; 
  which was referred to the Committee on Energy and Commerce, and in 
addition to the Committees on the Judiciary, House Administration, and 
    Science, Space, and Technology, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
   To provide for individual rights relating to privacy of personal 
information, to establish privacy and security requirements for covered 
 entities relating to personal information, and to establish an agency 
 to be known as the Digital Privacy Agency to enforce such rights and 
                 requirements, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Online Privacy Act 
of 2023''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. General provisions.
Sec. 4. Limitation on disclosing nonredacted government records.
Sec. 5. Privacy considerations for legislative branch agencies.
Sec. 6. Criminal prohibition on doxxing.
                       TITLE I--INDIVIDUAL RIGHTS

Sec. 101. Right of access.
Sec. 102. Right of correction.
Sec. 103. Right of deletion.
Sec. 104. Right of portability.
Sec. 105. Right to human review of automated decisions.
Sec. 106. Right to individual autonomy.
Sec. 107. Right to be informed.
Sec. 108. Right to impermanence.
Sec. 109. Exemptions, exceptions, fees, timelines, and rules of 
                            construction for rights under this title.
  TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND 
                             THIRD PARTIES

Sec. 201. Minimization.
Sec. 202. Minimization and records of access by employees and 
                            contractors.
Sec. 203. Prohibitions on disclosing of personal information.
Sec. 204. Disclosing to entities not subject to United States 
                            jurisdiction or not compliant with this 
                            Act.
Sec. 205. Prohibition on re-identification.
Sec. 206. Restrictions on collecting, processing, maintaining, and 
                            disclosing contents of communications.
Sec. 207. Prohibition on discriminatory processing.
Sec. 208. Requirements for notice and consent processes and privacy 
                            policies.
Sec. 209. Prohibition on ``dark patterns'' in notice and consent 
                            processes and privacy policies.
Sec. 210. Notice and consent required.
Sec. 211. Privacy policy.
Sec. 212. Information security requirements.
Sec. 213. Notification of data breach or data-sharing abuse.
                   TITLE III--DIGITAL PRIVACY AGENCY

Sec. 301. Establishment; Director and Deputy Director.
Sec. 302. Agency powers and authorities.
Sec. 303. Reporting and audit requirements.
Sec. 304. Relation to other agencies.
Sec. 305. Personnel.
Sec. 306. Office of Civil Rights.
Sec. 307. Complaints of individuals.
Sec. 308. Advisory boards.
Sec. 309. Authorization of appropriations.
                         TITLE IV--ENFORCEMENT

Sec. 401. Investigations and administrative discovery.
Sec. 402. Hearings and adjudication proceedings.
Sec. 403. Litigation authority.
Sec. 404. Enforcement by States.
Sec. 405. Private rights of action.
Sec. 406. Relief available.
Sec. 407. Referral for criminal proceedings.
Sec. 408. Whistleblower enforcement.
                     TITLE V--RELATION TO OTHER LAW

Sec. 501. Effective date.
Sec. 502. Relation to other Federal law.
Sec. 503. Relation to State law.
Sec. 504. Severability.
                   TITLE VI--NIST AND NSF ACTIVITIES

Sec. 601. National Institute of Standards and Technology privacy 
                            research and development.
Sec. 602. National privacy awareness and education initiative.
Sec. 603. National Science Foundation privacy research.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``Agency'' means the Digital Privacy 
        Agency established in section 301.
            (2) Agency investigator.--The term ``Agency investigator'' 
        means any attorney or investigator employed by the Agency who 
        is charged with the duty of enforcing or carrying into effect 
        any provision of this Act or a rule or order prescribed under 
        this Act.
            (3) Behavioral personalization.--
                    (A) In general.--The term ``behavioral 
                personalization'' means the processing of an 
                individual's personal information, using an algorithm, 
                model, or other means--
                            (i) built using--
                                    (I) that individual's personal 
                                information collected over a period of 
                                time; or
                                    (II) an aggregate of the 
                                information of one or more similarly 
                                situated individuals; and
                            (ii) designed to--
                                    (I) alter, influence, guide, or 
                                predict that individual's behavior;
                                    (II) tailor or personalize a 
                                product or service to that individual; 
                                or
                                    (III) filter, sort, limit, promote, 
                                display or otherwise differentiate 
                                between specific content or categories 
                                of content that would otherwise be 
                                accessible to that individual.
                    (B) Exclusions.--The term ``behavioral 
                personalization'' does not include the use of 
                historical personal information to merely prevent the 
                display of or provide additional information about 
                previously accessed content.
            (4) Collect.--The term ``collect'' includes, with respect 
        to personal information or the contents of any communication, 
        obtaining such information or contents in any manner, except 
        when solely transmitting, routing, providing intermediate 
        storage for, or providing connections for such personal 
        information or communication through a system or network.
            (5) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (6) Contents.--The term ``contents'', when used with 
        respect to communication, has the meaning given such term in 
        section 2510 of title 18, United States Code.
            (7) Covered entity.--
                    (A) In general.--The term ``covered entity'' means 
                a person who--
                            (i) intentionally collects, processes, or 
                        maintains personal information; and
                            (ii) sends or receives such personal 
                        information over the internet or a similar 
                        communications network.
                    (B) Exclusion.--The term ``covered entity'' does 
                not include a natural person, except to the extent such 
                person is engaged in a commercial activity that is more 
                than de minimis.
            (8) Custodian.--The term ``custodian'' means the custodian 
        or any deputy custodian designated by the Agency.
            (9) Data breach.--The term ``data breach'' means 
        unauthorized access to or acquisition of personal information 
        or contents of communications maintained by such covered 
        entity.
            (10) Data-sharing abuse.--The term ``data-sharing abuse'' 
        means processing, by a third party, of personal information or 
        contents of communications disclosed by a covered entity to the 
        third party, for any purpose other than--
                    (A) a purpose specified by the covered entity to 
                the third party at the time such personal information 
                or contents of communications was disclosed; or
                    (B) a purpose to which the individual to whom the 
                information relates has consented.
            (11) De-identify.--
                    (A) In general.--The term ``de-identify'' means, 
                with respect to information, performing actions so that 
                such information cannot reasonably identify, relate to, 
                describe, reference, be capable of being associated 
                with, or be linked, directly or indirectly, to a 
                particular individual or device, but only to the extent 
                that the covered entity that uses such information--
                            (i) has performed such actions using best 
                        practices for the types of data such 
                        information contains;
                            (ii) has implemented technical safeguards 
                        that prohibit re-identification of the 
                        individual with whom such information was 
                        linked;
                            (iii) has implemented business processes 
                        that specifically prohibit re-identification of 
                        the information;
                            (iv) has implemented business processes to 
                        prevent inadvertent release of such 
                        information; and
                            (v) makes no attempt to re-identify such 
                        information.
                    (B) Determination by the director.--The Director 
                may determine that a methodology of de-identifying 
                personal information is insufficient for the purposes 
                of this paragraph.
            (12) Director.--The term ``Director'' means the Director of 
        the Agency.
            (13) Disclose.--The term ``disclose'' means, with respect 
        to personal information or contents of communication, to sell, 
        release, transfer, share, disseminate, make available, or 
        otherwise cause to be communicated, such information or 
        contents to a third party.
            (14) Documentary material.--The term ``documentary 
        material'' includes the original or any copy of any book, 
        document, record, report, memorandum, paper, communication, 
        tabulation, chart, logs, electronic files, or other data or 
        data compilations stored in any medium.
            (15) Federal agency.--The term ``Federal agency'' has the 
        meaning given to the term ``agency'' in section 3371 of title 
        5, United States Code.
            (16) Federal privacy laws.--The term ``Federal privacy 
        laws'' includes the laws and regulations described in section 
        502.
            (17) Government entity.--The term ``government entity'' 
        means--
                    (A) a Federal agency;
                    (B) a State or political subdivision thereof;
                    (C) or any agency, authority, or instrumentality of 
                a State or political subdivision thereof.
            (18) Individual.--The term ``individual'' means a natural 
        person residing in the United States.
            (19) Indian tribe.--The term ``Indian Tribe'' has the 
        meaning given such term in section 4(e) of the Indian Self-
        Determination and Education Assistance Act (25 U.S.C. 5304(e)).
            (20) Maintain.--The term ``maintain'' means, with respect 
        to personal information or the contents of any communication, 
        to store, secure, or otherwise cause the retention of such 
        information or contents, or to take actions necessary for 
        storing, securing, or otherwise causing the retention of such 
        information or contents.
            (21) Nonpublic information.--The term ``nonpublic 
        information'' means information that has not been disclosed in 
        a criminal, civil, or administrative proceeding, in a 
        government investigation, report, or audit, or by the news 
        media or other public source of information, and that was not 
        obtained in violation of the law.
            (22) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means any information maintained by a covered entity 
                that, on its own or combined with other information, is 
                linked or reasonably linkable to a specific individual 
                or a specific device, including de-identified personal 
                information and the means to behavioral personalization 
                created for or linked to a specific individual.
                    (B) Exclusions.--The term ``personal information'' 
                does not include--
                            (i) publicly available information linked 
                        to an individual; or
                            (ii) information derived or inferred from 
                        personal information, if the derived or 
                        inferred information is not linked or 
                        reasonably linkable to a specific individual.
            (23) Privacy harm.--The term ``privacy harm'' means an 
        adverse consequence or a potential adverse consequence to an 
        individual, a group of individuals, or society caused from 
        collecting, processing, maintaining, or disclosing of personal 
        information or contents of communications, including--
                    (A) direct or indirect financial loss or economic 
                harm;
                    (B) physical harm;
                    (C) psychological harm, including anxiety, 
                embarrassment, fear, and other trauma;
                    (D) adverse outcomes or decisions with respect to 
                the eligibility of an individual for rights, benefits, 
                or privileges in employment (including hiring, firing, 
                promotion, demotion, and compensation), credit and 
                insurance (including denial of an application or 
                obtaining less favorable terms), housing, education, 
                professional certification, or the provision of health 
                care and related services;
                    (E) stigmatization or reputational harm;
                    (F) price discrimination;
                    (G) adverse consequences that affect the private 
                life of an individual, including private family matters 
                and actions and communications within the home of such 
                individual or a similar physical, online, or digital 
                location where such individual has a reasonable 
                expectation that personal information will not be 
                collected, processed, or maintained;
                    (H) the chilling of free expression or action of an 
                individual, a group of individuals, or society, due to 
                perceived or actual pervasive and excessive collecting, 
                processing, disclosing, or maintaining of personal 
                information or contents of communications;
                    (I) impairing the autonomy of an individual, a 
                group of individuals, or society; and
                    (J) other adverse consequences or potential adverse 
                consequences, consistent with the provisions of this 
                Act, as determined by the Director.
            (24) Privacy-preserving computing.--
                    (A) In general.--The term ``privacy-preserving 
                computing'' means the collecting, processing, 
                disclosing, or maintaining of personal information that 
                has been encrypted or otherwise rendered unintelligible 
                using a means that cannot be reversed by a covered 
                entity, or a covered entity's service provider, such 
                that--
                            (i) if such personal information could be 
                        rendered intelligible through cooperation or 
                        sharing of cryptographic secrets by multiple 
                        persons, the covered entity has both technical 
                        safeguards and business processes to prevent 
                        such cooperation or sharing;
                            (ii) if such personal information is 
                        rendered intelligible within a hardware 
                        processing unit or other means of performing 
                        operations on the information, there are 
                        technical safeguards that, during the normal 
                        course of operation--
                                    (I) prevent rendering personal 
                                information intelligible anywhere but 
                                within the hardware processing unit or 
                                other means of performing operations; 
                                and
                                    (II) make the exporting or 
                                otherwise observing of such 
                                intelligible information, or the 
                                cryptographic secret used to protect 
                                such information, impossible; and
                            (iii) if the result of such processing of 
                        the personal information is also personal 
                        information, such result must be unintelligible 
                        to the covered entity or service provider and 
                        protected by privacy-preserving computing.
                    (B) Insufficient methodologies.--The Director may 
                determine that a methodology of privacy-preserving 
                computing is insufficient for the purposes of this 
                definition.
            (25) Process.--The term ``process'' means to perform or 
        cause to be performed any operation or set of operations on 
        personal information or contents of communication, whether or 
        not by automated means.
            (26) Protected class.--The term ``protected class'' means 
        the actual or perceived race, color, ethnicity, national 
        origin, religion, sex (including sexual orientation and gender 
        identity or expression), familial status, or disability of an 
        individual or group of individuals.
            (27) Publicly available information.--The term ``publicly 
        available information''--
                    (A) means--
                            (i) information that is lawfully made 
                        available from a government entity;
                            (ii) information linked to a public 
                        individual or official that is made publicly 
                        accessible, without restrictions on 
                        accessibility other than the general 
                        authorization to access the services used to 
                        make the information accessible;
                            (iii) information of an individual that--
                                    (I) is made publicly accessible by 
                                such individual, without restrictions 
                                on accessibility other than the general 
                                authorization to access the services 
                                used to make the information 
                                accessible; and
                                    (II) such individual has the 
                                ability to delete or change without 
                                relying on a request under section 102 
                                or 103; and
                    (B) does not include--
                            (i) biometric information of an individual 
                        collected by a covered entity without the 
                        individual's knowledge;
                            (ii) information used for a purpose that is 
                        not compatible with the purpose for which the 
                        information is maintained and made available in 
                        government records;
                            (iii) information obtained from government 
                        records for the purpose of selling such 
                        information; or
                            (iv) information used to contact or locate 
                        a private individual either physically or 
                        electronically.
            (28) Reasonable mechanism.--The term ``reasonable 
        mechanism'' means, in the case of a mechanism for individuals 
        to exercise a right under title I or interact with a covered 
        entity under title II, a mechanism that--
                    (A) is equivalent in availability and ease of use 
                to that of other mechanisms for communicating or 
                interacting with the covered entity; and
                    (B) includes an online means of exercising such 
                right or engaging in such interaction, if such 
                individuals communicate or interact with such covered 
                entity through an online medium or if such covered 
                entity provides information processing services through 
                a public or widely available application programming 
                interface (or similar mechanism).
            (29) Sell and sale.--
                    (A) In general.--The terms ``sell'' and ``sale'' 
                mean the disclosing of personal information for 
                monetary consideration or for a thing of value by a 
                covered entity to a third party for the purposes of 
                processing, maintaining or disclosing such personal 
                information at the third party's discretion.
                    (B) Exclusions.--The terms ``sell'' and ``sale'' do 
                not include--
                            (i) the disclosing of personal information 
                        of an individual to a third party with which 
                        the individual has a direct relationship for 
                        purposes of providing a product or service 
                        requested by the individual or otherwise in a 
                        manner that is consistent with an individual's 
                        reasonable expectations considering the context 
                        in which the individual provided the personal 
                        information to the covered entity;
                            (ii) the disclosing or transfer of personal 
                        information to a subsidiary or an affiliate of 
                        the covered entity; or
                            (iii) the disclosing or transfer of 
                        personal information to a third party as an 
                        asset that is part of a merger, acquisition, 
                        bankruptcy, or other transaction in which the 
                        third party assumes control of all or part of 
                        the covered entity's assets, unless personal 
                        information makes up the majority of the value 
                        of the assets of which the third party assumes 
                        control.
            (30) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a covered entity that--
                            (i) processes, discloses, or maintains 
                        personal information, where such covered entity 
                        does not process, disclose, or maintain the 
                        personal information other than in accordance 
                        with the directions and on behalf of another 
                        covered entity;
                            (ii) does not directly collect personal 
                        information from or control the mechanism for 
                        collecting personal information from an 
                        individual;
                            (iii) does not earn revenue from 
                        processing, maintaining, or disclosing personal 
                        information disclosed to such covered entity by 
                        another covered entity except by providing 
                        contracted services to such other covered 
                        entity;
                            (iv) does not disclose personal information 
                        to another covered entity unless such personal 
                        information was provided by such other covered 
                        entity or resulted from maintaining or 
                        processing performed on personal information 
                        exclusively provided by such other covered 
                        entity;
                            (v) does not offer services that allow 
                        another covered entity to target specific 
                        individuals using personal information not 
                        provided by such other covered entity;
                            (vi) with respect to personal information 
                        processed or maintained by such covered entity 
                        on behalf of another covered entity, assists 
                        such other covered entity in complying with 
                        title I, including providing tools for such 
                        other covered entity to comply with such 
                        requirements if requested; and
                            (vii) does not link the personal 
                        information provided by another covered entity 
                        to personal information from any other source.
                    (B) Treatment.--A covered entity shall be treated 
                as a service provider under this Act only to the extent 
                that such covered entity is acting as a service 
                provider, as defined in subparagraph (A).
            (31) Significant privacy harm.--The term ``significant 
        privacy harm'' means adverse consequences to an individual 
        arising from the collecting, processing, maintaining, or 
        disclosing of personal information or contents of 
        communications, limited to subparagraph (A), (B), or (D) of 
        paragraph (23).
            (32) Small business.--The term ``small business'' means a 
        covered entity that--
                    (A) does not earn revenue from the sale of personal 
                information;
                    (B) earns less than half of annual revenues from 
                the processing of personal information for targeted or 
                personalized advertising;
                    (C) has not, in combination with each subsidiary 
                and affiliate of the service, maintained personal 
                information of 250,000 or more individuals for 3 or 
                more of the preceding 12 months;
                    (D) has fewer than 200 employees; and
                    (E) received less than $25,000,000 in gross revenue 
                in the preceding 12-month period.
            (33) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (34) State attorney general.--The term ``State attorney 
        general'' means, with respect to a State, the attorney general 
        or chief law enforcement officer of the State, or another 
        official or agency designated by the State to bring civil 
        actions on behalf of the State or the residents of the State.
            (35) State privacy regulator.--The term ``State privacy 
        regulator'' means an agency or instrumentality of a State that 
        has the primary purpose of administering, implementing, or 
        enforcing a privacy law or associated rules or regulations.
            (36) Third party.--The term ``third party'' means, with 
        respect to a covered entity, a person--
                    (A) to which such covered entity disclosed personal 
                information; and
                    (B) that is not--
                            (i) such covered entity;
                            (ii) a subsidiary or corporate affiliate of 
                        such covered entity; or
                            (iii) a service provider of such covered 
                        entity.
            (37) Users.--The term ``users'' means, with respect to a 
        product or service, the monthly active users, subscribers, or 
        customers (or a reasonable proxy or substitute therefor 
        determined by the Director) of such product or service.
            (38) Violation.--The term ``violation'' means, except where 
        otherwise specified, any act or omission that, if proved, would 
        constitute a violation of any provision of this Act or a rule 
        or order issued pursuant to this Act.

SEC. 3. GENERAL PROVISIONS.

    (a) Rules of Construction With Respect to Personal Information and 
Individuals.--In this Act--
            (1) any reference to information as being of or belonging 
        to an individual shall be construed to mean that such 
        information is linked or reasonably linkable to such individual 
        as described in section 2(21)(A); and
            (2) any reference to any communication as being of or 
        belonging to an individual shall be construed to mean that such 
        individual is party to such communication.
    (b) Prohibition on Waivers.--
            (1) In general.--The provisions under this Act may not be 
        waived. Any agreement purporting to waive compliance with or 
        modifying any provision of this Act shall be void as contrary 
        to public policy.
            (2) Prohibition on predispute arbitration agreements.--No 
        predispute arbitration agreement shall be valid or enforceable 
        with respect to any claims under this Act.
    (c) Journalism Protection.--
            (1) In general.--Covered entities engaged in journalism 
        shall not be subject to the obligations imposed under this Act 
        to the extent that those obligations directly infringe on the 
        journalism rather than the business practices of the covered 
        entity, so long as the covered entity has technical safeguards 
        and business processes that prevent the collecting, processing, 
        maintaining, or disclosing of such personal information for 
        business practices other than journalism.
            (2) Journalism.--The term ``journalism'' includes the 
        collecting, maintaining, processing, and disclosing of personal 
        information about a public individual or official, or that 
        otherwise concerns matters of public interest, for 
        dissemination to the public.
    (d) Small Business Compliance Ramp.--Upon losing its status as a 
small business, a covered entity shall have nine months to comply with 
provisions of this Act that a small business is exempt from complying 
with.
    (e) Prohibition on Collecting, Maintaining, Processing, or 
Disclosing Personal Information.--A covered entity may not collect, 
maintain, process, or disclose personal information using a channel of 
interstate commerce unless such covered entity is in compliance with 
all requirements of this Act.

SEC. 4. LIMITATION ON DISCLOSING NONREDACTED GOVERNMENT RECORDS.

    (a) In General.--A government entity may not use a channel of 
interstate commerce to disclose the personal information of an 
individual in a government record without an agreement prohibiting the 
recipient of such information from selling the information without the 
express consent of the individual.
    (b) Exception.--Notwithstanding subsection (a), nothing in this 
section shall prohibit the disclosure of personal information using a 
channel of interstate commerce to another government entity without 
consent of the individual.

SEC. 5. PRIVACY CONSIDERATIONS FOR LEGISLATIVE BRANCH AGENCIES.

    (a) Government Publishing Office.--
            (1) Privacy responsibilities of the director.--
                    (A) In general.--Chapter 3 of title 44, United 
                States Code, is amended by inserting at the end the 
                following:
``Sec. 319. Privacy responsibilities of the Director of the Government 
              Publishing Office
    ``The Director of the Government Publishing Office shall identify 
and implement appropriate measures to prevent the disclosure of 
personal information by the Government Publishing Office and to 
minimize the risk of privacy harms in its operations.''.
                    (B) Clerical amendment.--The table of sections for 
                chapter 3 of title 44, United States Code, is amended 
                by inserting after the item relating to section 318 the 
                following:

``319. Privacy responsibilities of the Director of the Government 
                            Publishing Office.''.
            (2) Privacy safeguards for published documents.--Section 
        1701 of title 44, United States Code, is amended by striking 
        ``the publication.'' in the last sentence of the first 
        paragraph and inserting ``the publication, and only after 
        conducting an appropriate review or implementing other 
        appropriate measures to prevent the disclosure of personal 
        information and minimize the risks of privacy harms in such 
        publication.''.
            (3) Privacy safeguards in the depository library program.--
        Section 1902 of title 44, United States Code, is amended by 
        inserting at the end the following: ``The Superintendent of 
        Documents shall assess the risks of disclosure of personal 
        information and related privacy harms in publications made 
        available to and by depository libraries and shall implement 
        appropriate measures to minimize such risks, including to the 
        extent necessary by imposing obligations upon depository 
        libraries.''.
    (b) Library of Congress.--The first paragraph under the center 
heading ``Library of Congress'' under the center heading 
``LEGISLATIVE'' of the Act entitled ``An Act Making appropriations for 
the legislative, executive, and judicial expenses of the Government for 
the fiscal year ending June thirtieth, eighteen hundred and ninety-
eight, and for other purposes'', approved February 19, 1897 (2 U.S.C. 
136), is amended by striking at the end ``Library.'' and inserting 
``Library, including by identifying and implementing appropriate 
measures to prevent the disclosure of personal information by the 
Library and to minimize the risk of privacy harms in its operations.''.
    (c) Smithsonian Institution.--Section 7 of the Act entitled ``An 
Act to establish the `Smithsonian Institution' for the increase and 
diffusion of knowledge among men'', approved August 10, 1846 (20 U.S.C. 
46), is amended by adding at the end the following: ``The Secretary 
shall assess the risks of disclosure of personal information by the 
institution and related privacy harms and shall implement appropriate 
measures to minimize such risks.''.
    (d) Chief Administrative Officer of the House of Representatives.--
            (1) In general.--Subchapter III of chapter 55 of title 2, 
        United States Code, is amended by inserting at the end the 
        following:
``Sec. 5549. Privacy responsibilities
    ``The Chief Administrative Officer of the House of Representatives 
shall identify and implement appropriate measures to prevent the 
disclosure of personal information and to minimize the risk of privacy 
harms in its areas of operational and financial responsibility.''.
            (2) Clerical amendment.--The table of sections for 
        subchapter III of chapter 55 of title 2, United States Code, is 
        amended by inserting after the item relating to section 5548 
        the following:

``5549. Privacy responsibilities.''.

SEC. 6. CRIMINAL PROHIBITION ON DOXXING.

    (a) In General.--Chapter 41 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 881. Disclosing of personal information with the intent to cause 
              harm
    ``(a) In General.--Whoever uses a channel of interstate or foreign 
commerce to knowingly disclose an individual's personal information 
with the intent--
            ``(1) to threaten, intimidate, or harass any person, incite 
        or facilitate the commission of a crime of violence against any 
        person, or place any person in reasonable fear of death or 
        serious bodily injury; or
            ``(2) that the information will be used to threaten, 
        intimidate, or harass any person, incite or facilitate the 
        commission of a crime of violence against any person, or place 
        any person in reasonable fear of death or serious bodily 
        injury,
shall be fined under this title or imprisoned not more than 5 years, or 
both.
    ``(b) Definitions.--In this section:
            ``(1) Contents.--The term `contents' when used with respect 
        to communication, has the meaning given such term in section 
        2510 of title 18, United States Code.
            ``(2) Disclose.--The term `disclose' means, with respect to 
        personal information or contents of communication, to sell, 
        release, transfer, share, disseminate, make available, or 
        otherwise cause to be communicated such information or contents 
        to a third party.
            ``(3) Government entity.--The term `government entity' 
        means--
                    ``(A) a Federal agency (as such term is defined in 
                section 3371 of title 5, United States Code);
                    ``(B) a State or political subdivision thereof; or
                    ``(C) any agency, authority, or instrumentality of 
                a State or political subdivision thereof.
            ``(4) Individual.--The term `individual' means a natural 
        person residing in the United States.
            ``(5) Personal information.--
                    ``(A) In general.--The term `personal information' 
                means any information maintained by a person that, on 
                its own or combined with other information, is linked 
                or reasonably linkable to a specific individual.
                    ``(B) Exclusions.--The term `personal information' 
                does not include--
                            ``(i) publicly available information linked 
                        to an individual; or
                            ``(ii) information derived or inferred from 
                        personal information, if the derived or 
                        inferred information is not linked or 
                        reasonably linkable to a specific individual.
            ``(6) Publicly available information.--The term `publicly 
        available information'--
                    ``(A) means--
                            ``(i) information that is lawfully made 
                        available from a government entity;
                            ``(ii) information linked to a public 
                        individual or official that is made publicly 
                        accessible, without restrictions on 
                        accessibility other than the general 
                        authorization to access the services used to 
                        make the information accessible;
                            ``(iii) information of an individual that--
                                    ``(I) is made publicly accessible 
                                by such individual, without 
                                restrictions on accessibility other 
                                than the general authorization to 
                                access the services used to make the 
                                information accessible; and
                                    ``(II) such individual has the 
                                ability to delete or change; and
                    ``(B) does not include--
                            ``(i) biometric information of an 
                        individual collected by a covered entity 
                        without the individual's knowledge;
                            ``(ii) information used for a purpose that 
                        is not compatible with the purpose for which 
                        the information is maintained and made 
                        available in government records;
                            ``(iii) information obtained from 
                        government records for the purpose of selling 
                        such information; or
                            ``(iv) information used to contact or 
                        locate a private individual either physically 
                        or electronically.
            ``(7) State.--The term `State' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.''.
    (b) Clerical Amendment.--The table of sections for chapter 41 of 
title 18, United States Code, is amended by inserting after the item 
relating to section 880 the following:

``881. Disclosing of personal information with the intent to cause 
                            harm.''.

                       TITLE I--INDIVIDUAL RIGHTS

SEC. 101. RIGHT OF ACCESS.

    (a) In General.--A covered entity shall make available a reasonable 
mechanism by which an individual may access--
            (1) the categories of personal information and contents of 
        communications of such individual that is maintained by such 
        covered entity, including, in the case of personal information 
        that such covered entity did not collect from such individual, 
        how and from whom such covered entity obtained such personal 
        information;
            (2) a list of the third parties, subsidiaries, and 
        corporate affiliates, to which such covered entity has 
        disclosed and from which such covered entity has, at any time 
        on or after the effective date of this Act, obtained the 
        personal information of such individual;
            (3) a concise and clear description of the business or 
        commercial purposes of such covered entity--
                    (A) for collecting, processing, or maintaining the 
                personal information of such individual; and
                    (B) for disclosing to a third party the personal 
                information of such individual; and
            (4) a list of automated decision-making processes that an 
        individual has a right to request human review of under section 
        105 with a concise and clear description of the implications 
        and intended effects of each such process.
    (b) Exception for Publicly Accessible Information.--A covered 
entity that makes available information required in subsection (a) 
shall be considered in compliance with such requirements if the covered 
entity provides an individual with instructions on how to access a 
public posting of such information, including in a privacy policy, if 
the instructions are easy and do not require payment.
    (c) Small Businesses Excluded.--Subsection (a)(3) does not apply to 
a small business.

SEC. 102. RIGHT OF CORRECTION.

    (a) Dispute by Individual.--A covered entity shall make available a 
reasonable mechanism by which an individual may dispute the accuracy or 
completeness of personal information linked to such individual that is 
maintained by such covered entity if such information is processed in 
any way, by such covered entity, a third party of such covered entity, 
or a service provider of such covered entity that may increase 
reasonably foreseeable significant privacy harms.
    (b) Correction by Covered Entity.--A covered entity receiving a 
dispute under subsection (a) shall--
            (1) correct or complete (as the case may be) the disputed 
        information and notify such individual that the correction or 
        completion has been made; or
            (2) notify such individual that--
                    (A) the disputed information is correct or 
                complete;
                    (B) such covered entity lacks sufficient 
                information to correct or complete the disputed 
                information; or
                    (C) such covered entity is denying the request for 
                correction or completion in reliance on an exemption or 
                exception provided by section 109(g).
    (c) Small Businesses Excluded.--This section does not apply to a 
small business.

SEC. 103. RIGHT OF DELETION.

    (a) Request by Individual.--A covered entity shall make available a 
reasonable mechanism by which an individual may request the deletion of 
personal information and contents of communications of such individual 
maintained by such covered entity, including any such information that 
such covered entity acquired from a third party or inferred from other 
information maintained by such covered entity.
    (b) Deletion by Covered Entity.--A covered entity receiving a 
request for deletion under subsection (a) shall--
            (1) delete such information and notify such individual that 
        such information has been deleted; or
            (2) notify such individual that such covered entity is 
        denying the request for deletion in reliance on an exemption or 
        exception provided by section 109(g).

SEC. 104. RIGHT OF PORTABILITY.

    (a) Determination of Portable Categories.--
            (1) Annual determination.--Not less frequently than once 
        per calendar year, the Director shall--
                    (A) establish categories of products and services 
                offered by covered entities, based on similarities in 
                the products and services;
                    (B) determine which categories established under 
                subparagraph (A) are portable categories; and
                    (C) publish in the Federal Register a list of 
                portable categories determined under subparagraph (B).
            (2) Opportunity for public comment.--Before publishing the 
        final list under paragraph (1)(C), the Director shall--
                    (A) publish a draft of such list in the Federal 
                Register; and
                    (B) provide an opportunity for public comment on 
                such draft list.
    (b) Exercise of Right.--
            (1) In general.--A covered entity that offers a product or 
        service in a portable category and that maintains personal 
        information or the contents of any communications of an 
        individual shall make available to such individual a reasonable 
        mechanism by which such individual may--
                    (A) download, in a format that is structured, 
                commonly used, and machine readable--
                            (i) any such personal information that such 
                        individual has provided to such covered entity, 
                        with the option to download such information by 
                        category that is accessible under section 101; 
                        and
                            (ii) the contents of any such 
                        communications; and
                    (B) using a real-time application programming 
                interface, or similar mechanism, transmit all such 
                personal information (whether or not provided to such 
                covered entity by such individual) and the contents of 
                any such communication from such covered entity to 
                another covered entity in accordance with subsection 
                (c).
            (2) Requirements for application programming interface.--
        The application programming interface, or similar mechanism, 
        required by paragraph (1)(B) shall--
                    (A) be publicly documented;
                    (B) allow the option of obtaining any personal 
                information of an individual that the individual has 
                provided to the covered entity, if such information is 
                accessible under section 101;
                    (C) include a publicly available, fully functional 
                test version for development purposes; and
                    (D) be of similar quality to mechanisms used 
                internally by the covered entity.
    (c) Requirements for Access to an Application Programming 
Interface.--
            (1) Access.--Except as provided in paragraph (2)(A), a 
        covered entity shall provide access to the application 
        programming interface or similar mechanism required by 
        subsection (b)(1)(B) upon the request of another covered entity 
        if the requesting covered entity has self-certified, using the 
        procedures established by the Director under paragraph (3)(A), 
        that such requesting covered entity--
                    (A) is a covered entity;
                    (B) can have personal information disclosed to it 
                under section 204;
                    (C) is, at the time of the self-certification, in 
                compliance with all applicable requirements of this Act 
                (including provisions a small business is otherwise 
                exempt from complying with);
                    (D) will continue to comply with all requirements 
                of this Act; and
                    (E) will only use such application programming 
                interface or similar mechanism at the express request 
                of an individual.
            (2) Denial of access.--
                    (A) In general.--A covered entity may deny access 
                to the application programming interface or similar 
                mechanism required by subsection (b)(1)(B) if such 
                covered entity has an objective, reasonable belief that 
                the requesting covered entity has failed to meet the 
                requirements for self-certification under paragraph 
                (1).
                    (B) Review.--In accordance with the procedures 
                established under paragraph (3)(B), a covered entity 
                the request of which is denied under subparagraph (A) 
                may petition the Director for review of the denial. If 
                the Director finds that such denial is unreasonable, 
                the Director shall impose a penalty, to be established 
                in such procedures, on the covered entity that denied 
                the request.
            (3) Certification and review procedures.--The Director 
        shall establish--
                    (A) procedures for a covered entity to self-certify 
                under paragraph (1); and
                    (B) procedures for the review of petitions under 
                paragraph (2)(B), including penalties for unreasonable 
                denials.
    (d) Small Businesses Excluded.--This section does not apply to a 
small business.
    (e) Portable Category Defined.--In this section, the term 
``portable category'' means a category of products and services 
established by the Director under subsection (a)(1)(A)--
            (1) for which the sum obtained by adding the number of 
        users or estimated users of each product or service in such 
        category is greater than 10,000,000; and
            (2) that--
                    (A) has an estimated Herfindahl-Hirschman Index of 
                2,000 or greater;
                    (B) has 3 or fewer covered entities offering 
                products and services in such category; or
                    (C) the Director otherwise determines that a 
                category would benefit from encouraging increased 
                competition.

SEC. 105. RIGHT TO HUMAN REVIEW OF AUTOMATED DECISIONS.

    For any decision by a covered entity based solely on automated 
processing of personal information of an individual, if such processing 
materially increases reasonably foreseeable significant privacy harms 
for such individual, such covered entity shall--
            (1) inform such individual of what personal information is 
        being or may be used for such decision;
            (2) make available a reasonable mechanism by which such 
        individual may request human review of such decision, upon 
        request or in a publicly accessible location; and
            (3) if such individual requests such a review, conduct such 
        review within a reasonable amount of time after such request.

SEC. 106. RIGHT TO INDIVIDUAL AUTONOMY.

    (a) In General.--A covered entity shall not collect, process, 
maintain, or disclose an individual's personal information to--
            (1) create, improve upon, or maintain;
            (2) process with; or
            (3) otherwise link an individual with;
an algorithm, model, or other means designed for behavioral 
personalization, without the affirmative express consent of that 
individual.
    (b) Consent.--A covered entity must obtain express affirmative 
consent from an individual before it may provide a behaviorally 
personalized version of a product or service, and not less than every 
calendar year thereafter. Where consent is denied, a covered entity 
must provide the product or service without behavioral personalization.
    (c) Exceptions to Providing Product or Service.--
            (1) Where the offering of a substantially similar product 
        or service without behavioral personalization is infeasible, a 
        covered entity shall provide, to the greatest extent feasible, 
        a core aspect or part of the product or service that can be 
        offered without behavioral personalization.
            (2) Where no core aspect or part of the product or service 
        can function in a substantially similar function without 
        behavioral personalization, a covered entity may deny providing 
        an individual use of such product or service if such individual 
        does not consent to behavioral personalization as required in 
        subsection (a).
    (d) Exception to Behavioral Processing.--Notwithstanding 
subsections (a) and (b), a covered entity may process personal 
information to create or operate behavioral personalization algorithms, 
models, or other mechanisms for the purpose of increasing the usability 
of the product or service provided by a covered entity that--
            (1) are built using aggregated personal information that is 
        representative of all the personal information the covered 
        entity maintains; and
            (2) have an output that is both uniform across the 
        individuals that use the product or service and independent of 
        a specific individual's inherent or behavioral characteristics.
    (e) Usability.--The term ``usability'' as used in subsection (d) 
does not include optimizations or other alterations to the product or 
service that are made with the primary purpose of increasing the amount 
of time an individual engages with or uses the product or service, 
unless such increase benefits the individual.
    (f) Small Businesses Excluded.--This section does not apply to a 
small business.

SEC. 107. RIGHT TO BE INFORMED.

    A covered entity that collects personal information of an 
individual with whom such covered entity does not have an existing 
relationship (as of the time of the collecting), if such personal 
information includes contact information, shall notify such individual 
within 30 days, in writing if possible and at no charge to the 
individual, that such covered entity has collected the personal 
information of such individual.

SEC. 108. RIGHT TO IMPERMANENCE.

    (a) Limitation on Maintaining of Personal Information.--A covered 
entity shall not maintain personal information for more time than 
expressly consented to by an individual whose personal information is 
being maintained.
    (b) Consent.--A covered entity must obtain express affirmative 
consent from an individual before maintaining the personal information 
of such individual for any duration. Such consent may be obtained for 
categories of personal information and shall give an individual options 
to affirmatively choose granting a covered entity consent for various 
durations, at least including--
            (1) for no longer than needed to complete the specific 
        request or transaction (including a reasonable estimate of such 
        duration by the covered entity);
            (2) until consent is revoked; and
            (3) one or more additional durations based on reasonable 
        expectations and norms for maintaining the category of personal 
        information.
    (c) Exception for Implied Consent.--Where the long-term maintaining 
of personal information is, on its face, obvious and a core feature of 
the product or service at the request of the individual, and the 
personal information is maintained only to provide such product or 
service, subsections (a) and (b) shall not apply.

SEC. 109. EXEMPTIONS, EXCEPTIONS, FEES, TIMELINES, AND RULES OF 
              CONSTRUCTION FOR RIGHTS UNDER THIS TITLE.

    (a) Exemptions for Personal Information for Particular Purposes.--
            (1) In general.--This title does not apply with respect to 
        personal information that is collected, processed, maintained, 
        or disclosed for any of the following purposes (or a 
        combination of such purposes), where a covered entity has 
        technical safeguards and business processes that limit 
        collecting, processing, maintaining, or disclosing of such 
        personal information to the following purposes:
                    (A) Detecting, responding to, or preventing 
                security incidents or threats.
                    (B) Protecting against malicious, deceptive, 
                fraudulent, or illegal activity.
                    (C) A good faith response to, or compliance with, a 
                valid subpoena, court order, or warrant (including a 
                subpoena and court order obtained by an entity that is 
                not a government entity) or otherwise providing 
                information as required by law.
                    (D) Protecting a legally recognized privilege or 
                other legal right.
                    (E) Protecting public safety.
                    (F) Collecting, processing, or maintaining by an 
                employer pursuant to an employer-employee relationship 
                of records about employees or employment status, 
                except--
                            (i) where the information would not be 
                        reasonably expected to be collected in the 
                        context of an employee's regular duties; or
                            (ii) was disclosed to the employer by a 
                        third party.
                    (G) Preventing prospective abuses of a service by 
                an individual whose account has been previously 
                terminated.
                    (H) Routing a communication through a 
                communications network or resolving the location of a 
                host or client on a communications network.
                    (I) Providing transparency in advertising or 
                origination of user-generated content.
            (2) Re-identification.--Where compliance with this title 
        would require the re-identification of de-identified personal 
        information, and the covered entity does not already maintain 
        the information necessary for such re-identification, the 
        covered entity shall be exempt from such compliance, except for 
        requirements under section 106.
            (3) Disclosing.--A covered entity relying on an exemption 
        under paragraph (1) with respect to personal information shall 
        disclose in the privacy policy maintained by such entity under 
        section 211--
                    (A) the reason for which such information is 
                collected, processed, maintained, or disclosed; and
                    (B) a description of the rights provided by this 
                title that are not available with respect to such 
                personal information by reason of such exemption.
    (b) Exceptions for Particular Requests.--
            (1) In general.--A covered entity may deny the request of 
        an individual under this title if--
                    (A) such covered entity cannot confirm the identity 
                of such individual;
                    (B) such covered entity determines that granting 
                the request of such individual would create a 
                legitimate risk to the privacy, security, safety, or 
                other rights of another individual;
                    (C) such covered entity determines that granting 
                the request of such individual would create a 
                legitimate risk to free expression; or
                    (D) the personal information requested to be 
                corrected under section 102 or deleted under section 
                103--
                            (i) is necessary to the completion of a 
                        transaction initiated before such request was 
                        made or the performance of a contract entered 
                        into before such request was made;
                            (ii) was collected specifically for the 
                        completion of such transaction or the 
                        performance of such contract; and
                            (iii) would undermine the integrity of a 
                        legally significant transaction.
            (2) Limitations on requests for additional information to 
        confirm identity.--A covered entity may not deny a request of 
        an individual under paragraph (1)(A) on the basis of the 
        refusal of such individual to provide additional personal 
        information to such covered entity to confirm the identity of 
        such individual--
                    (A) if the identity of such individual can 
                reasonably be confirmed using personal information of 
                such individual that such covered entity (as of the 
                time of the request) already maintains; or
                    (B) if such individual has an existing relationship 
                (as of the time of the request) with such covered 
                entity, such individual has confirmed the identity of 
                such individual to such covered entity in the same 
                manner as for other transactions of a similar 
                sensitivity.
    (c) Exemption for Service Providers.--This title does not apply to 
a service provider.
    (d) Exemption for Privacy-Preserving Computing.--Except for 
sections 101, 105, and 106, this title does not apply to personal 
information secured using privacy-preserving computing.
    (e) Timeline for Complying With a Request.--Without undue delay but 
not longer than 30 days after the request, a covered entity that 
receives a request under this title must--
            (1) comply with such request; or
            (2) inform such individual of the reason for denying such 
        request, as allowed under subsection (a) or (b).
    (f) Fees Prohibited.--
            (1) In general.--Except as provided in paragraph (2), a 
        covered entity may not charge a fee to an individual for a 
        request made under this title.
            (2) Unfounded or excessive requests.--If a request under 
        this title is unfounded or excessive, a covered entity may 
        charge a reasonable fee that reflects the estimated 
        administrative costs of complying with such request.
            (3) Agency notice.--If a covered entity plans to charge a 
        fee under paragraph (2), it must notify the Agency at least 7 
        days before charging such fee.
            (4) Agency review.--The Director may reject any fee that a 
        covered entity plans to charge for a request made under this 
        title if the Agency finds--
                    (A) such fee to be unreasonable relative to 
                reasonable administrative costs of complying with a 
                request under this title; or
                    (B) such request is not unfounded or excessive.
    (g) Rules of Construction.--Nothing in this title shall be 
construed to require a covered entity to--
            (1) take an action that would convert information that is 
        not personal information into personal information;
            (2) collect or maintain personal information or contents of 
        communication that the covered entity would otherwise not 
        maintain (including record of an individual exercising rights 
        under this title); or
            (3) maintain personal information or contents of 
        communication longer than the covered entity would otherwise 
        maintain such personal information.
    (h) Regulations.--The Director shall promulgate regulations to 
implement this section.

  TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND 
                             THIRD PARTIES

SEC. 201. MINIMIZATION.

    (a) Articulated Basis.--A covered entity shall have a reasonable, 
articulated basis for collecting, processing, maintaining, and 
disclosing of personal information that takes into account the 
reasonable business needs of the covered entity and minimum amount of 
personal information necessary for providing the service, balanced with 
the intrusion on the privacy of, potential privacy harms to, and 
reasonable expectations of individuals to whom the personal information 
relates.
    (b) Minimization of Collecting, Processing, Maintaining, and 
Disclosing.--
            (1) Collecting.--A covered entity may not collect more 
        personal information than is reasonably needed to provide a 
        product or service that an individual has requested.
            (2) Processing.--A covered entity may not process personal 
        information for a purpose other than the purpose for which such 
        information was originally collected from the individual or in 
        the case of a service provider, a purpose other than that which 
        is in accordance with the directions of a covered entity.
            (3) Maintaining.--A covered entity may not maintain 
        personal information once such information is no longer needed 
        for the purpose for which such information was originally 
        collected from the individual or in the case of a service 
        provider, a purpose other than that which is in accordance with 
        the directions of a covered entity.
            (4) Disclosing.--A covered entity may not disclose personal 
        information for a purpose other than the purpose for which such 
        information was originally collected from the individual or in 
        the case of a service provider, a purpose other than that which 
        is in accordance with the directions of a covered entity.
    (c) Ancillary Collecting, Processing, Maintaining, and 
Disclosing.--Notwithstanding subsection (b), a covered entity may 
collect, process, disclose, or maintain personal information beyond 
limitations under subsection (b) only if such covered entity complies 
with this subsection.
            (1) No notice or consent required.--A covered entity may 
        collect, process, or maintain personal information without 
        additional notice or consent if the purpose for such 
        collecting, processing, or maintaining is substantially similar 
        to the type of personal information and purpose for which such 
        personal information was originally collected and such 
        ancillary collecting, processing, or maintaining will not 
        result in additional or increased privacy harms.
            (2) Notice required.--A covered entity shall provide notice 
        of ancillary collecting, processing, maintaining, or disclosing 
        of personal information in the case of one, but not more than 
        one, of the following instances:
                    (A) Such ancillary collecting, processing, 
                maintaining, or disclosing may result in additional or 
                increased privacy harms (but not increased significant 
                privacy harms), and is substantially similar to the 
                purpose for which such personal information was 
                originally collected.
                    (B) Such ancillary collecting, processing, 
                maintaining, or disclosing is not substantially similar 
                to the purpose for which such personal information was 
                originally collected, but will not result in additional 
                or increased privacy harms.
                    (C) Such ancillary collecting, processing, 
                maintaining, or disclosing may result in additional or 
                increased privacy harms (but not increased significant 
                privacy harms) and the purpose is not substantially 
                similar to the purpose for which such personal 
                information was originally collected, so long as the 
                personal information is secured using privacy-
                preserving computing.
            (3) Notice and consent required.--For scenarios not covered 
        under paragraph (1) or (2), and notwithstanding sections 
        208(b)(2) and (3), a covered entity shall provide notice of and 
        obtain consent for ancillary collecting, processing, 
        maintaining, or disclosing of personal information.
    (d) Substitution.--In cases in which personal information can be 
replaced with artificial personal information, personal information 
that has been de-identified, or the random personal information of one 
or more individuals without substantially reducing the utility of the 
data or requiring an unreasonable amount of effort, such a replacement 
shall take place.

SEC. 202. MINIMIZATION AND RECORDS OF ACCESS BY EMPLOYEES AND 
              CONTRACTORS.

    (a) Minimization.--A covered entity shall restrict access to 
personal information and contents of communications by the employees or 
contractors of such covered entity based on an articulated balance 
between the potential for privacy harm, reasonable expectations of 
individuals to whom the personal information relates, and reasonable 
business needs.
    (b) Records of Access.--
            (1) In general.--A covered entity shall maintain records 
        identifying each instance in which an employee or a contractor 
        of such covered entity accesses personal information or 
        contents of communications if disclosing such personal 
        information or contents of communication, or a data breach or 
        data-sharing abuse involving such personal information or 
        contents of communication, may foreseeably result in increased 
        privacy harms.
            (2) Information required.--The records required by 
        paragraph (1) shall include the following:
                    (A) A unique identifier for the employee or 
                contractor accessing personal information or contents 
                of communications.
                    (B) The date and time of access.
                    (C) The fields of information accessed.
                    (D) The individuals whose personal information was 
                accessed or the contents of whose communications were 
                accessed.
            (3) Small businesses excluded.--This subsection does not 
        apply to a small business.

SEC. 203. PROHIBITIONS ON DISCLOSING OF PERSONAL INFORMATION.

    (a) Consent for Disclosing Required.--
            (1) In general.--A covered entity may not intentionally 
        disclose personal information unless the covered entity obtains 
        consent of the individual whose personal information is being 
        disclosed for each category of third party to which such 
        personal information will be disclosed. Such covered entity 
        must also provide such individual with notice of--
                    (A) each category of third party;
                    (B) the personal information to be disclosed; and
                    (C) a concise and clear description of the business 
                or commercial purpose for disclosing such personal 
                information.
            (2) Additional requirements for sale of personal 
        information.--
                    (A) In general.--A covered entity may not 
                intentionally sell personal information unless the 
                covered entity--
                            (i) obtains the consent required by 
                        paragraph (1) for disclosing such personal 
                        information; and
                            (ii) provides the individual to whom such 
                        personal information relates with the identity 
                        of the specific third party to which such 
                        personal information will be disclosed.
                    (B) Disclosing services.--Subparagraph (A) shall 
                not apply to a covered entity in a case in which an 
                individual is directing the covered entity to disclose 
                the personal information of such individual for the 
                sole purpose of procuring goods or services, or offers 
                for goods or services, for such individual, if there is 
                a reasonable mechanism for the individual to withdraw 
                consent.
            (3) Requirement to include original purpose of 
        collecting.--A covered entity may not intentionally disclose 
        personal information without including the purpose for which 
        the personal information was originally collected.
            (4) Exception for privacy-preserving computing.--
        Notwithstanding paragraph (1), consent is not required for 
        disclosing (not including selling) personal information secured 
        using privacy-preserving computing.
            (5) Exception for de-identified personal information.--
        Notwithstanding paragraph (1), consent is not required for 
        disclosing (not including selling) de-identified personal 
        information where the disclosed personal information is limited 
        to the narrowest possible scope likely to yield the intended 
        benefit and contractual obligations are in place that 
        prohibit--
                    (A) re-identification of the disclosed personal 
                information; and
                    (B) the processing of additional personal 
                information in combination with the disclosed personal 
                information that would allow for the re-identification 
                of the disclosed personal information.
    (b) Disclosing for Advertising or Marketing Purposes.--
            (1) In general.--A covered entity may not intentionally 
        disclose for advertising or marketing purposes a unique 
        identifier or any other personal information that would allow 
        information disclosed to be linked to information relating to 
        the same individual or device disclosed in the past.
            (2) Treatment of certain types of information.--Disclosing 
        personal information or contents of communication for 
        advertising or marketing purposes may not be treated as 
        violating paragraph (1) by reason of including any or all of 
        the following:
                    (A) Internet Protocol addresses truncated to no 
                more than the first 24 bits for Internet Protocol 
                version 4 and the first 48 bits for Internet Protocol 
                version 6, or for a successor protocol truncated to 
                limit the precision of the identifier to a network 
                address of the internet access provider.
                    (B) Geolocation information truncated to allow no 
                more than the equivalent of two decimal degrees of 
                precision at the equator or prime meridian, or an 
                equivalent precision in another geolocation standard.
                    (C) A general description of a device, browser, or 
                operating system, or any combination thereof.
                    (D) An identifier that is unique to a disclosure.

SEC. 204. DISCLOSING TO ENTITIES NOT SUBJECT TO UNITED STATES 
              JURISDICTION OR NOT COMPLIANT WITH THIS ACT.

    (a) Prohibition.--A covered entity may not intentionally disclose 
personal information to any entity that--
            (1) is not subject to the jurisdiction of the United 
        States; or
            (2) is not in compliance with all requirements of this Act.
    (b) Exception.--Notwithstanding subsection (a), a covered entity 
may disclose personal information where that personal information is 
limited to an identifier created primarily for the purpose of sending 
or receiving electronic communications and the sole purpose of 
disclosing is to send or receive an electronic communication at the 
request of the individual whose personal information is being 
disclosed.
    (c) Safe Harbors for Disclosing.--Notwithstanding subsection (a), a 
covered entity may disclose personal information to another covered 
entity (the receiving covered entity) that is not subject to the 
jurisdiction of the United States if either--
            (1) the receiving covered entity has entered into an 
        agreement, as described in subsection (e), with the Agency, 
        and--
                    (A) the covered entity has a reasonable belief that 
                the receiving covered entity is sufficiently solvent to 
                compensate victims or pay fines for violations of this 
                Act;
                    (B) a contract between the covered entity and 
                receiving covered entity requires that the receiving 
                covered entity complies with this Act, and the covered 
                entity has reason to believe the receiving covered 
                entity is compliant with this Act; and
                    (C) a contract between the covered entity and the 
                receiving covered entity prohibits the receiving 
                covered entity from using the disclosed personal 
                information for any purpose other than provided in the 
                contract; or
            (2) the covered entity has--
                    (A) entered into an agreement with the receiving 
                covered entity that--
                            (i) requires the receiving covered entity 
                        to comply with this Act;
                            (ii) prohibits the receiving covered entity 
                        from using the disclosed personal information 
                        for any purpose other than provided in the 
                        contract;
                            (iii) requires the receiving covered entity 
                        to indemnify the covered entity against 
                        violations of this Act committed by the 
                        receiving covered entity for any amount the 
                        covered entity is unable to pay of a judgment 
                        for such violation;
                            (iv) grants the covered entity the 
                        authority to audit, including physical access 
                        to electronic devices and data, the receiving 
                        covered entity's compliance with this Act and 
                        the contract; and
                            (v) requires the receiving covered entity 
                        to assist the covered entity in responding to 
                        and complying with any court orders, Agency 
                        orders, or the exercising of an individual's 
                        rights under this Act;
                    (B) actual knowledge that the receiving covered 
                entity is in compliance with this Act and not using 
                personal information contrary to their agreement;
                    (C) actual knowledge that the receiving covered 
                entity is sufficiently solvent to compensate victims or 
                pay fines for violations of this Act;
                    (D) an auditing and compliance program to ensure 
                the receiving covered entity's continued compliance 
                with this Act and contract terms;
                    (E) filed with the Agency the terms of said 
                contract, proof of its actual knowledge of the 
                receiving covered entity's compliance with this Act and 
                contract terms, and documents detailing its auditing 
                and compliance program for approval and publication by 
                the Agency; and
                    (F) entered into an agreement with the Agency where 
                the covered entity agrees to accept, respond to, or 
                comply with a court order, Agency order, or request by 
                an individual regarding actions taken by the receiving 
                covered entity with respect to covered information it 
                has disclosed.
    (d) Liability for Violation by Receiving Covered Entity; Failure To 
Report.--For the purposes of subsection (c)(2), the covered entity 
shall be jointly liable for a violation of this Act by the receiving 
covered entity regarding the personal information the covered entity 
disclosed, except where the covered entity was the first to notify the 
Agency of the violation, in which case, it shall be severally liable. 
Where the covered entity should reasonably have known of a violation of 
this Act by the receiving covered entity and fails to disclose the 
violation to the Agency, each day of continuance of the failure to 
report such violation shall be treated as a separate violation.
    (e) Agency Agreements.--Upon the request of a covered entity not 
subject to the jurisdiction of the United States, the Agency shall 
enter into an agreement with the covered entity that includes, but is 
not limited to, the following conditions:
            (1) The principal place of business for the covered entity 
        must be in a country that allows for the domestication of a 
        United States court decision for civil fines payable to a 
        government entity and injunctive relief. Where a foreign court 
        refuses to enforce a United States court decision under this 
        Act, the agreement, and all other agreements with covered 
        entities with a principal place of business in the same 
        jurisdiction, shall be void.
            (2) The covered entity agrees to comply with this Act.
            (3) The covered entity agrees to be subject to this Act 
        with choice of venue being a United States court.
            (4) The covered entity agrees to comply with Agency 
        investigative requests or orders, and United States court 
        orders or decisions under this Act.
            (5) The covered entity consents to United States Federal 
        court personal jurisdiction for the sole purpose of enforcing 
        this Act.
            (6) Where enforcement of the decision requires the use of a 
        foreign court, the covered entity agrees to pay reasonable 
        attorney fees necessary to enforce the judgment.
            (7) A default judgment, failure to comply with Agency 
        investigative requests or orders, or failure to comply with 
        United States court orders or decisions shall result in the 
        immediate termination of the agreement.
    (f) Rule of Construction Against Data Localization.--Nothing in 
this section shall be construed to require the localization of 
processing or maintaining personal information by a covered entity to 
within the United States, or limit internal disclosing of personal 
information within a covered entity or to subsidiary or corporate 
affiliate of such covered entity, regardless of the country in which 
the covered entity will process, disclose, or maintain that personal 
information.

SEC. 205. PROHIBITION ON RE-IDENTIFICATION.

    (a) In General.--Except as required under title I, a covered entity 
shall not use personal information collected from an individual, 
acquired from a third party, or acquired from publicly available 
information to re-identify an individual from de-identified 
information.
    (b) Third-Party Prohibition.--A covered entity that discloses de-
identified information to a third party shall prohibit such third party 
from re-identifying an individual using such de-identified information.
    (c) Exception.--Subsection (a) shall not apply to qualified 
research entities, as determined by the Director, conducting research 
not for commercial purposes.

SEC. 206. RESTRICTIONS ON COLLECTING, PROCESSING, MAINTAINING, AND 
              DISCLOSING CONTENTS OF COMMUNICATIONS.

    (a) In General.--A covered entity may not collect, process, 
maintain, or disclose the contents of any communication, regardless of 
whether the sender or intended recipient of the communication is an 
individual, other person, or an electronic device, for any purpose 
other than--
            (1) transmitting or displaying the communication to any 
        intended recipient or the original sender, or maintaining such 
        communications for such purposes;
            (2) detecting, responding to, or preventing security 
        incidents or threats;
            (3) providing services to assist in the drafting or 
        creation of the content of a communication;
            (4) processing expressly requested by the sender or 
        intended recipient, if the sender or intended recipient can 
        terminate such processing using a reasonable mechanism;
            (5) disclosing otherwise required by law;
            (6) filtering a communication where primary purpose of the 
        communication is the commercial advertisement or promotion of a 
        commercial product or service of a covered entity; or
            (7) detecting or enforcing an abuse or violation of the 
        terms of service of the covered entity that would result in 
        either a temporary or permanent ban from using the service.
    (b) Intended Recipient.--A covered entity is not considered an 
intended recipient of a communication, or any communication used in the 
creation of the content of said communication, where--
            (1) at least one intended recipient is a natural person 
        other than an employee or contractor of the covered entity;
            (2) at least one intended recipient is a person other than 
        the covered entity; or
            (3) a purpose of the covered entity's service is to 
        maintain, at the direction of the sender, the content of said 
        communication for more than a transitory period.
    (c) Sender.--The sender of a communication is the person for whom 
the communication, and its content, is disclosed at the direction of 
and on behalf of.
            (1) Where the sender is a natural person, they shall be the 
        sender of the entire content of the communication, regardless 
        of the original author of any portion of the content.
            (2) Otherwise, a sender shall be the sender of only the 
        content it was an original author of, or content it received as 
        an intended recipient.
    (d) Exception for Publicly Available Communications.--Subsection 
(a) shall not apply where the contents of communication are made 
publicly accessible by the sender without restrictions on accessibility 
other than the general authorization to access the services used to 
make the information accessible.
    (e) Encryption Protection.--A covered entity shall not--
            (1) prohibit or prevent a person from encrypting or 
        otherwise rendering unintelligible the content of a 
        communication using a means that prevents the covered entity 
        from being able to decrypt or otherwise render intelligible 
        said content; and
            (2) require or cause a person to disclose or circumvent the 
        means described in paragraph (1) to the covered entity that 
        would allow it to render the content intelligible.
    (f) Service Providers Safe Harbor.--A service provider shall not be 
held liable for a violation of this section if such service provider is 
acting at the direction of and on behalf of a covered entity and has a 
reasonable belief that the covered entity's directions are in 
compliance with this section.

SEC. 207. PROHIBITION ON DISCRIMINATORY PROCESSING.

    (a) Discrimination in Economic Opportunities.--A covered entity 
shall not process personal information or contents of communication for 
advertising, marketing, soliciting, offering, selling, leasing, 
licensing, renting, or otherwise commercially contracting for 
employment, finance, health care, credit, insurance, housing, or 
education opportunities in a manner that discriminates against or 
otherwise makes opportunities unavailable on the basis of an 
individual's protected class status.
    (b) Public Accommodations.--A covered entity shall not process 
personal information in a manner that segregates, discriminates in, or 
otherwise makes unavailable the goods, services, facilities, 
privileges, advantages, or accommodations of any place of public 
accommodation on the basis of the protected class status of an 
individual or a group of individuals.
    (c) Regulations.--The Director shall promulgate regulations to 
implement this section.

SEC. 208. REQUIREMENTS FOR NOTICE AND CONSENT PROCESSES AND PRIVACY 
              POLICIES.

    (a) Minimum Threshold.--The Director shall establish minimum 
thresholds that covered entities must meet for the percentage of 
individuals who understand a notice or consent process or privacy 
policy required by this Act. In establishing such minimum thresholds, 
the Director shall--
            (1) vary required thresholds on types and scale of 
        reasonably foreseeable privacy harms; and
            (2) take into account expectations of individuals, 
        potential privacy harms, and individuals' awareness of privacy 
        harms.
    (b) Consent Revocation.--A covered entity shall make available a 
reasonable mechanism by which an individual may revoke consent for any 
consent given under this Act.
    (c) Safe Harbor.--
            (1) Approval procedures.--The Director shall develop 
        procedures for analyzing and approving data submitted by a 
        covered entity to establish that a notice and consent process 
        or privacy policy of such covered entity meets the threshold 
        established under subsection (a).
            (2) Presumption.--If a covered entity submits testing data 
        to and receives an approval from the Director under paragraph 
        (1) establishing that a notice or consent process or privacy 
        policy of such covered entity meets the threshold established 
        under subsection (a), such notice or consent process or privacy 
        policy shall be presumed to have met such threshold. Such 
        presumption may be rebutted by clear and convincing evidence.
            (3) Public availability of approved processes and policies 
        and associated testing data.--The Director shall make publicly 
        available online the notice and consent processes and privacy 
        policies and associated testing data that the Director approves 
        under paragraph (1).
            (4) Small business adoption of notice or consent process of 
        another covered entity.--
                    (A) In general.--If a small business adopts a 
                notice or consent process of another covered entity 
                that collects, processes, maintains, or discloses 
                personal information in substantially the same way as 
                such small business, if the process of such other 
                covered entity has been approved under paragraph (1), 
                the process of such small business shall receive the 
                presumption under paragraph (2).
                    (B) Ability to freely use approved process.--A 
                covered entity whose notice or consent process is 
                approved under paragraph (1) shall permit a small 
                business to freely use such process, or a derivative 
                thereof, as described in subparagraph (A).
                    (C) No published process.--In the case of a small 
                business for which there is no approved notice or 
                consent process published under paragraph (3) of a 
                covered entity that collects, processes, maintains, or 
                discloses personal information in substantially the 
                same way as such small business, any requirement under 
                this title for a notice or consent process to be 
                objectively shown to meet the threshold established by 
                the Director under subsection (a) shall not apply to 
                such small business. Nothing in the preceding sentence 
                exempts a small business from the requirement to use 
                such notice or consent process or that such process be 
                concise and clear.
                    (D) Inapplicability to privacy policy.--Paragraph 
                (4) does not apply with respect to a privacy policy.
            (5) Minor changes.--A covered entity may make minor changes 
        in a notice or consent process or privacy policy approved under 
        paragraph (1) and retain the presumption under paragraph (2) 
        for such process or policy without retesting or resubmission of 
        testing data to the Director.

SEC. 209. PROHIBITION ON ``DARK PATTERNS'' IN NOTICE AND CONSENT 
              PROCESSES AND PRIVACY POLICIES.

    In providing notice, obtaining consent, or maintaining a privacy 
policy as required by this title, a covered entity may not 
intentionally take any action that substantially impairs, obscures, or 
subverts the ability of an individual to--
            (1) understand the contents of such notice or such privacy 
        policy;
            (2) understand the process for granting such consent;
            (3) make a decision regarding whether to grant or withdraw 
        such consent; or
            (4) act on any such decision.

SEC. 210. NOTICE AND CONSENT REQUIRED.

    (a) Notice.--A covered entity shall provide an individual with 
notice of the personal information such covered entity collects, 
processes, maintains, and discloses through a process that is concise 
and clear and can be objectively shown to meet the threshold 
established by the Director under section 208(a).
    (b) Consent.--
            (1) Express consent required.--Except as provided in 
        paragraphs (2) and (3), a covered entity may not collect from 
        an individual personal information that creates or increases 
        the risk of foreseeable privacy harms, or process or maintain 
        any such personal information collected from an individual, 
        unless such entity obtains the express consent of such 
        individual to the collecting, processing, or maintaining (or 
        any combination thereof) of such information through a process 
        that is concise and clear and can be objectively shown to meet 
        the threshold established by the Director under section 208(a).
            (2) Exception for implied consent.--Notwithstanding 
        paragraph (1), express consent is not required for collecting, 
        processing, or maintaining personal information if the 
        collecting, processing, or maintaining is, on its face, obvious 
        and necessary to provide a service at the request of the 
        individual and the personal information is collected, 
        processed, or maintained only for such request. Nothing in this 
        paragraph shall be construed to exempt the covered entity from 
        the requirement of subsection (a) to provide notice to such 
        individual with respect to such collecting, processing, or 
        maintaining.
            (3) Exemption for privacy-preserving computing.--
        Notwithstanding paragraph (1), except with regard to consent 
        for purposes of section 106, express consent is not required 
        for collecting, processing, or maintaining personal information 
        secured using privacy-preserving computing. Nothing in this 
        paragraph shall be construed to exempt the covered entity from 
        the requirement of subsection (a) to provide notice to such 
        individual with respect to such collecting, processing, or 
        maintaining.
    (c) Service Providers Excluded.--This section does not apply to a 
service provider if such service provider has a reasonable belief that 
a covered entity for which it processes, maintains, or discloses 
personal information is in compliance with this section.

SEC. 211. PRIVACY POLICY.

    (a) Policy Required.--A covered entity shall maintain a privacy 
policy relating to the practices of such entity regarding the 
collecting, processing, maintaining, and disclosing of personal 
information.
    (b) Contents.--The privacy policy required by subsection (a) shall 
contain the following:
            (1) A general description of the practices of the covered 
        entity regarding the collecting, processing, maintaining, and 
        disclosing of personal information.
            (2) A description of how individuals may exercise the 
        rights provided by title I.
            (3) A clear and concise summary of the following:
                    (A) The categories of personal information 
                collected or otherwise obtained by the covered entity.
                    (B) The business or commercial purposes of the 
                covered entity for collecting, processing, maintaining, 
                or disclosing personal information.
                    (C) The categories and a list of third parties to 
                which the covered entity discloses personal 
                information.
            (4) A description of the personal information that the 
        covered entity maintains that the covered entity does not 
        collect from individuals and how the covered entity obtains 
        such personal information.
            (5) A list of the third parties to which the covered entity 
        has disclosed personal information.
            (6) A list of the third parties from which the covered 
        entity has obtained personal information at any time on or 
        after the effective date of this Act.
            (7) The articulated basis for the collecting, processing, 
        disclosing, and maintaining of personal information, as 
        required under section 201(a).
    (c) Exemption for Personal Information for Particular Purposes.--
The privacy policy required by subsection (a) is not required to 
contain information relating to personal information that is collected, 
processed, maintained, or disclosed exclusively for any of the purposes 
described in paragraph (1) of section 109(a) (or a combination of such 
purposes), except as provided in paragraph (2) of such section.
    (d) Availability of Privacy Policy.--
            (1) Form and manner.--The privacy policy required by 
        subsection (a) shall be--
                    (A) clear and in plain language; and
                    (B) made publicly available in a prominent location 
                on an ongoing basis.
            (2) Timing.--The privacy policy required by subsection (a) 
        shall be made available as required by paragraph (1) before the 
        covered entity collects personal information after the 
        effective date of this Act.
    (e) Small Businesses Excluded.--Subsections (b)(7) and (d) do not 
apply to a small business.
    (f) Service Providers Excluded.--This section does not apply to a 
service provider if such service provider has a reasonable belief that 
a covered entity for which it processes, maintains, or discloses 
personal information is in compliance with this section.

SEC. 212. INFORMATION SECURITY REQUIREMENTS.

    (a) In General.--A covered entity shall establish and implement 
reasonable information security policies, practices, and procedures for 
the protection of personal information collected, processed, 
maintained, or disclosed by such covered entity, taking into 
consideration--
            (1) the nature, scope, and complexity of the activities 
        engaged in by such covered entity;
            (2) the sensitivity of any personal information at issue;
            (3) the current state of the art in administrative, 
        technical, and physical safeguards for protecting such 
        information; and
            (4) the cost of implementing such administrative, 
        technical, and physical safeguards.
    (b) Specific Policies, Practices, and Procedures.--The policies, 
practices, and procedures required by subsection (a) shall include the 
following:
            (1) A written security policy with respect to collecting, 
        processing, maintaining, and disclosing of personal 
        information. Such policy shall be made publicly available in a 
        prominent location on an ongoing basis, except that the 
        publicly available version is not required to contain 
        information that would compromise a purpose described in 
        section 109(a)(1).
            (2) A process for identifying and assessing reasonably 
        foreseeable security vulnerabilities in the system or systems 
        used by such covered entity that contain personal information, 
        which shall include regular monitoring for vulnerabilities or 
        data breaches involving such system or systems.
            (3) A process for taking action designed to mitigate 
        against vulnerabilities identified in the process required by 
        paragraph (2), which may include implementing any changes to 
        security practices and the architecture, installation, or 
        implementation of network or operating software, or for 
        regularly testing or otherwise monitoring the effectiveness of 
        the existing safeguards.
            (4) A process for determining if personal information is no 
        longer needed and disposing of personal information by 
        shredding, permanently erasing, or otherwise modifying the 
        medium on which such personal information is maintained to make 
        such personal information permanently unreadable or 
        indecipherable.
            (5) A process for overseeing persons who have access to 
        personal information, including through network-connected 
        devices.
            (6) A process for employee training and supervision for 
        implementation of the policies, practices, and procedures 
        required by this section.
            (7) A written plan or protocol for internal and public 
        response in the event of a data breach or data-sharing abuse.
    (c) Regulations.--The Director, in consultation with the 
Cybersecurity and Infrastructure Security Agency and the National 
Institute of Standards and Technology, shall promulgate regulations to 
implement this section.
    (d) Small Businesses Assistance.--The Director, in consultation 
with the Cybersecurity and Infrastructure Security Agency, the National 
Institute of Standards and Technology, the Small Business 
Administration, the Minority Business Development Agency, and small 
businesses, shall develop policy templates, toolkits, tip sheets, 
configuration guidelines for commonly used hardware and software, 
interactive tools, and other materials to assist small businesses with 
complying with this section.

SEC. 213. NOTIFICATION OF DATA BREACH OR DATA-SHARING ABUSE.

    (a) Notification of Agency.--
            (1) In general.--In the case of a data breach or data-
        sharing abuse with respect to personal information maintained 
        by a covered entity, such covered entity shall, without undue 
        delay and, if feasible, not later than 72 hours after becoming 
        aware of such data breach or data-sharing abuse, notify the 
        Director of such data breach or data-sharing abuse, unless such 
        data breach or data-sharing abuse is unlikely to create or 
        increase foreseeable privacy harms.
            (2) Reasons for delay.--If the notification required by 
        paragraph (1) is made more than 72 hours after the covered 
        entity becomes aware of the data breach or data-sharing abuse, 
        such notification shall be accompanied by a statement of the 
        reasons for the delay.
    (b) Notification of Other Covered Entity.--In the case of a data 
breach or data-sharing abuse with respect to personal information 
maintained by a covered entity that such covered entity obtained from 
another covered entity, the covered entity experiencing such data 
breach or data-sharing abuse shall, without undue delay and, if 
feasible, not later than 72 hours after becoming aware of such data 
breach or data-sharing abuse, notify such other covered entity of such 
data breach or data-sharing abuse, unless such data breach or data-
sharing abuse is unlikely to create or increase foreseeable privacy 
harms. A covered entity receiving notice under this subsection of a 
data breach or data-sharing abuse shall notify any other covered entity 
from which the covered entity receiving notice obtained personal 
information involved in such data breach or data-sharing abuse, in the 
same manner as required under the preceding sentence for the covered 
entity experiencing such data breach or data-sharing abuse.
    (c) Notification of Individuals.--
            (1) In general.--In the case of a data breach or data-
        sharing abuse with respect to personal information maintained 
        by a covered entity (or a data breach or data-sharing abuse 
        about which a covered entity is notified under subsection (b)), 
        if such covered entity has a relationship with an individual 
        whose personal information was involved or potentially involved 
        in such data breach or data-sharing abuse, such covered entity 
        shall notify such individual of such data breach or data-
        sharing abuse not later than 14 days after becoming aware of 
        such data breach or data-sharing abuse (or, in the case of a 
        data breach or data-sharing abuse about which a covered entity 
        is notified under subsection (b), not later than 14 days after 
        being so notified), if such data breach or data-sharing abuse 
        creates or increases foreseeable privacy harms.
            (2) Medium of notification.--A covered entity shall notify 
        an individual as required by paragraph (1) through--
                    (A) the same medium through which such individual 
                routinely interacts with such covered entity; and
                    (B) one additional medium of notification, if such 
                covered entity has the personal information necessary 
                to make a notification through such an additional 
                medium without causing excessive financial burden for 
                such covered entity.
    (d) Rule of Construction.--This section shall not apply to a 
covered entity if a person uses personal information obtained from a 
data breach or data-sharing abuse not involving such covered entity.

                   TITLE III--DIGITAL PRIVACY AGENCY

SEC. 301. ESTABLISHMENT; DIRECTOR AND DEPUTY DIRECTOR.

    (a) Agency Established.--There is established an independent agency 
in the executive branch to be known as the ``Digital Privacy Agency'', 
which shall implement and enforce this Act.
    (b) Director.--
            (1) In general.--There is established the position of the 
        Director, who shall serve as the head of the Agency.
            (2) Appointment.--Subject to paragraph (3), the Director 
        shall be appointed by the President, by and with the advice and 
        consent of the Senate.
            (3) Qualification.--The President shall nominate the 
        Director who, by reason of professional background and 
        experience, is especially qualified to lead the Agency based on 
        their knowledge and expertise in--
                    (A) privacy;
                    (B) information security;
                    (C) technology; and
                    (D) civil rights and civil liberties.
            (4) Term.--
                    (A) In general.--The Director shall serve for a 
                term of 6 years.
                    (B) Expiration of term.--An individual may serve as 
                Director after the expiration of the term for which 
                appointed, until a successor has been appointed and 
                qualified.
            (5) Compensation.--
                    (A) In general.--The Director shall be compensated 
                at the rate prescribed for level II of the Executive 
                Schedule under section 5313 of title 5, United States 
                Code.
                    (B) Conforming amendment.--Section 5313 of title 5, 
                United States Code, is amended by inserting after the 
                item relating to the ``Chief Executive Officer, United 
                States International Development Finance Corporation.'' 
                the following new item: ``Director of the Digital 
                Privacy Agency.''.
    (c) Deputy Director.--There is established the position of Deputy 
Director, who shall--
            (1) be appointed by the Director; and
            (2) serve as acting Director in the absence or 
        unavailability of the Director, notwithstanding section 3345 of 
        title 5, United States Code.
    (d) Service Restriction.--No Director or Deputy Director may hold 
any office, position, or employment in any covered entity during the 
period of service of such person as Director or Deputy Director.
    (e) Offices.--The Director shall establish a principal office and 
field offices of the Agency in locations that have high levels of 
activity by covered entities, as determined by the Director.

SEC. 302. AGENCY POWERS AND AUTHORITIES.

    (a) Powers of the Agency.--The Director is authorized to establish 
the general policies of the Agency with respect to all executive and 
administrative functions, including--
            (1) establishing of rules for conducting the general 
        business of the Agency, in a manner not inconsistent with this 
        Act;
            (2) binding the Agency and enter into contracts;
            (3) directing the establishment and continued operation of 
        divisions or other offices within the Agency, in order to carry 
        out the responsibilities of the Agency under this Act, and to 
        satisfy the requirements of other applicable law;
            (4) coordinating and overseeing the operation of all 
        administrative, enforcement, and research activities of the 
        Agency;
            (5) adopting and using a seal;
            (6) determining the character of and the necessity for the 
        obligations and expenditures of the Agency;
            (7) appointing and supervising of personnel employed by the 
        Agency;
            (8) distributing business among personnel appointed and 
        supervised by the Director and among administrative units of 
        the Agency;
            (9) using and expending of funds;
            (10) implementing this Act through rules, orders, guidance, 
        interpretations, statements of policy, investigations, and 
        enforcement actions; and
            (11) performing such other functions as may be authorized 
        or required by law.
    (b) Delegation of Authority.--The Director may delegate to any duly 
authorized employee, representative, or agent any power vested in the 
Director or the Agency by law, except that the Director may not 
delegate the power to appoint the Deputy Director under section 301(c).
    (c) Autonomy of Agency Regarding Recommendations and Testimony.--No 
officer or agency of the United States shall have any authority to 
require the Director or any other officer of the Agency to submit 
legislative recommendations, or testimony or comments on legislation, 
to any officer or agency of the United States for approval, comments, 
or review prior to the submission of such recommendations, testimony, 
or comments to the Congress, if such recommendations, testimony, or 
comments to the Congress include a statement indicating that the views 
expressed therein are those of the Director or such officer, and do not 
necessarily reflect the views of the President.
    (d) Rulemaking Authority.--
            (1) In general.--The Director may prescribe rules and issue 
        orders and guidance, as may be necessary or appropriate to 
        enable the Agency to implement, administer, and carry out the 
        purposes and objectives of this Act, and to prevent evasions 
        thereof.
            (2) Regulations.--The Agency may issue regulations after 
        notice and comment in accordance with section 553 of title 5, 
        United States Code, as may be necessary to implement, 
        administer, and carry out this Act.
    (e) Consultations.--In implementing or enforcing this Act, the 
Director may consult with--
            (1) Federal agencies that have--
                    (A) jurisdiction over Federal privacy laws; and
                    (B) expertise in privacy or information security;
            (2) State attorneys general, State privacy regulators, and 
        other State agencies that have expertise in privacy or 
        information security;
            (3) international and intergovernmental bodies that conduct 
        activities relating to the privacy or information security;
            (4) agencies of other countries that are similar to the 
        Agency or have expertise in privacy or information security;
            (5) privacy and information security experts in academia, 
        government, civil society, or industry; and
            (6) advisory boards of the Agency established under section 
        308, as appropriate.

SEC. 303. REPORTING AND AUDIT REQUIREMENTS.

    (a) Reports Required.--
            (1) In general.--Not later than 6 months after the date of 
        the enactment of this Act, and every 6 months thereafter, the 
        Director shall submit a report to the President and to the 
        Committee on Energy and Commerce, the Committee on the 
        Judiciary, and the Committee on Appropriations of the House of 
        Representatives and the Committee on Commerce, Science, and 
        Transportation, the Committee on the Judiciary, and the 
        Committee on Appropriations of the Senate, and shall publish 
        such report on the website of the Agency.
            (2) Contents.--Each report required by subsection (a) shall 
        include--
                    (A) a discussion of the significant problems faced 
                by individuals with respect to the privacy or security 
                of personal information;
                    (B) a justification of the budget request of the 
                Agency for the preceding year, unless a justification 
                for such year was included in the preceding report 
                submitted under such subsection;
                    (C) a list of the significant rules and orders 
                adopted by the Agency, as well as other significant 
                initiatives conducted by the Agency, during the 
                preceding 6-month period and the plan of the Agency for 
                rules, orders, or other initiatives to be undertaken 
                during the upcoming 6-month period;
                    (D) an analysis of complaints about the privacy or 
                security of personal information that the Agency has 
                received and collected in the database described in 
                section 307(a) during the preceding 6-month period;
                    (E) a list, with a brief statement of the issues, 
                of the public enforcement actions to which the Agency 
                was a party during the preceding 6-month period; and
                    (F) an assessment of significant actions by State 
                attorneys general or State privacy regulators relating 
                to this Act or the rules prescribed under this Act 
                during the preceding 6-month period.
    (b) Annual Audits.--The Director shall order an annual independent 
audit of the operations and budget of the Agency.

SEC. 304. RELATION TO OTHER AGENCIES.

    (a) Coordination.--
            (1) In general.--With respect to covered entities and 
        service providers, to the extent that Federal law authorizes 
        the Agency and another Federal agency to enforce a Federal 
        privacy law, the other Federal agency shall coordinate with the 
        Agency to promote consistent enforcement of this Act and the 
        other Federal privacy law.
            (2) Referral.--Any Federal agency authorized to enforce 
        Federal privacy laws may recommend in writing to the Agency 
        that the Agency initiate an enforcement proceeding, as the 
        Agency is authorized by that Federal privacy law or by this 
        Act.
    (b) Transfers From the Commission.--
            (1) Transfers of authority.--
                    (A) Transfer of rulemaking and certain other 
                authorities under federal privacy laws.--The Agency 
                shall have all powers and duties under the Federal 
                privacy laws to prescribe rules, issue guidelines, or 
                to conduct studies or issue reports mandated by such 
                laws, that were vested in the Commission on the 
                effective date of this Act. The authority of the 
                Commission under Federal privacy laws to prescribe 
                rules, issue guidelines, or conduct a study or issue a 
                report mandated under such law shall be transferred to 
                the Agency on the effective date of this Act.
                    (B) Transfer of enforcement authority.--The Agency 
                may enforce a rule prescribed by the Commission under--
                            (i) Federal privacy laws; or
                            (ii) the Federal Trade Commission Act (15 
                        U.S.C. 41 et seq.) related to unfair or 
                        deceptive acts or practices relating to 
                        privacy, information security, identity theft, 
                        data abuses, and related matters.
            (2) Transfer of privacy employees.--Any employee of the 
        Commission employed in a division, bureau, office, or other 
        subdivision of the Commission with the primary responsibility 
        of administering, investigating, or enforcing Federal privacy 
        laws or applications of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) related to unfair or deceptive acts or 
        practices relating to privacy, information security, identity 
        theft, data abuses, and related matters shall be transferred to 
        the Agency. Such employee shall be provided with compensation 
        and benefits not less than the equivalent of compensation and 
        benefits provided to such employee on the date of enactment of 
        this Act or compensation and benefits provided to an employee 
        of the Agency in comparable position with comparable 
        experience.
    (c) Preservation of Authorities of Other Agencies.--Except as 
described in this section, no provision of this Act shall be construed 
as modifying, limiting, or otherwise affecting the operation of any 
provision of Federal law, or otherwise affecting the authority of any 
Federal agency under a Federal privacy law or any other law, including 
the ability of such Federal agency to promulgate regulations and 
enforce Federal privacy laws.

SEC. 305. PERSONNEL.

    (a) Personnel.--
            (1) Appointment generally.--The Director may fix the number 
        of, and appoint and direct, all employees of the Agency, in 
        accordance with the applicable provisions of title 5, United 
        States Code. The Director may appoint personnel without regard 
        to the provisions of title 5, United States Code, governing 
        appointments in the competitive service, so long as the 
        Director sets requirements, conducts recruitment, and 
        determines appointments in a fair, transparent, and equitable 
        manner.
            (2) Employees of the agency.--The Director is authorized to 
        employ privacy experts, technologists, computer scientists, 
        user experience designers and researchers, data scientists, 
        ethicists, attorneys, investigators, economists, civil rights 
        experts, and other employees as the Director considers 
        necessary to conduct the business of the Agency. Unless 
        otherwise provided expressly by law, any individual appointed 
        under this section shall be an employee, as defined in section 
        2105 of title 5, United States Code, and subject to the 
        provisions of such title and other laws generally applicable to 
        the employees of an executive agency.
            (3) Employee compensation.--The Director may fix and adjust 
        the pay and benefits of personnel as the Director considers 
        desirable, competitive, transparent, and equitable, without 
        regard to the provisions of chapter 51 and subchapter III of 
        chapter 53 of title 5, United States Code, relating to 
        classification and General Schedule pay rates, respectively.
            (4) Labor-management relations.--Chapter 71 of title 5, 
        United States Code, shall apply to the Agency and the employees 
        of the Agency.
    (b) Additional Roles.--
            (1) Chief information officer.--
                    (A) Designation of an agency cio.--Subchapter II of 
                chapter 113 of subtitle III of title 40, United States 
                Code, is amended--
                            (i) in section 11315(c) by adding ``and of 
                        the Digital Privacy Agency'' before the em dash 
                        immediately preceding paragraph (1); and
                            (ii) in section 11319(a)(1) by adding ``and 
                        the Digital Privacy Agency'' before the period.
                    (B) Responsibility.--The Chief Information Officer 
                of the Digital Privacy Agency, as designated by 
                subparagraph (A), shall ensure the Digital Privacy 
                Agency uses technology efficiency to implement, 
                administer, and enforce this Act and the rules and 
                orders issued pursuant to this Act.
            (2) Inspector general.--Section 12 of the Inspector General 
        Act of 1978 (5 U.S.C. App.) is amended--
                    (A) in paragraph (1), by inserting ``the Director 
                of the Digital Privacy Agency;'' after ``the President 
                of the Export-Import Bank;''; and
                    (B) in paragraph (2), by inserting ``the Digital 
                Privacy Agency,'' after ``the Export-Import Bank,''.
            (3) Ombud.--The Director shall appoint an ombud who shall--
                    (A) act as a liaison between the Agency and any 
                affected person with respect to any problem that such 
                person may have in dealing with the Agency that results 
                from the regulatory activities of the Agency; and
                    (B) assure that safeguards exist to encourage 
                complainants to come forward and preserve 
                confidentiality.
    (c) Authority To Accept Federal Detailees.--The Director may accept 
officers or employees of the United States or members of the Armed 
Forces on a detail from an element of the Federal Government on a 
nonreimbursable basis, as jointly agreed to by the heads of the 
receiving and detailing elements, for a period not to exceed 3 years.

SEC. 306. OFFICE OF CIVIL RIGHTS.

    The Director shall establish an Office of Civil Rights within the 
Agency that shall have following responsibilities:
            (1) Providing oversight and enforcement of this Act, rules 
        and orders issued pursuant to this Act, and Federal privacy 
        laws to ensure that collecting, processing, maintaining, and 
        disclosing of personal information is fair, equitable, and non-
        discriminatory in treatment and effect, including through the 
        implementation and enforcement of section 207.
            (2) Developing, establishing, and promoting practices that 
        affirmatively further equal opportunity to and expand access to 
        employment (including hiring, firing, promotion, demotion, and 
        compensation), credit and insurance (including denial of an 
        application or obtaining less favorable terms), housing, 
        education, professional certification, or the provision of 
        health care and related services.
            (3) Coordinating the Agency's civil rights efforts with 
        other Federal agencies and State regulators, as appropriate, to 
        promote consistent, efficient, and effective enforcement of 
        Federal civil rights laws.
            (4) Working with civil rights advocates, privacy experts, 
        and other experts (including members of the advisory boards 
        established under section 308) on the promotion of compliance 
        with the civil rights provisions under this Act, rules and 
        orders issued pursuant this Act, and Federal privacy laws.
            (5) Liaising with communities and consumers impacted by 
        practices regulated by this Act and the Agency, to ensure that 
        their needs and views are appropriately taken into account.
            (6) Providing annual reports to Congress on the efforts of 
        the Agency to fulfill its civil rights mandate.
            (7) Such additional powers and duties as the Director may 
        determine are appropriate.

SEC. 307. COMPLAINTS OF INDIVIDUALS.

    (a) In General.--The Director shall establish a unit within the 
Agency the functions of which shall include establishing a single, 
toll-free telephone number, a website, and a database or utilizing an 
existing database to facilitate the centralized collection of, 
monitoring of, and response to complaints of individuals regarding the 
privacy or security of personal information. The Director shall 
coordinate with other Federal agencies with jurisdiction over Federal 
privacy laws to route complaints to such agencies, where appropriate.
    (b) Routing Complaints to States.--To the extent practicable, State 
agencies (including State privacy regulators) may receive appropriate 
complaints from the systems established under subsection (a), if--
            (1) the State agency system has the functional capacity to 
        receive calls or electronic reports routed by the Agency 
        systems;
            (2) the State agency has satisfied any conditions of 
        participation in the system that the Agency may establish, 
        including treatment of personal information and sharing of 
        information on complaint resolution or related compliance 
        procedures and resources; and
            (3) participation by the State agency includes measures 
        necessary to provide for protection of personal information 
        that conform to the standards for protection of the 
        confidentiality of personal information and for data integrity 
        and security that apply to Federal agencies.
    (c) Data Sharing Required.--To facilitate inclusion in the reports 
required by section 303 of the matters regarding complaints of 
individuals required by subsection (a)(2)(D) of such section to be 
included in such reports, investigation and enforcement activities, and 
monitoring of the privacy and security of personal information, the 
Agency shall share information about complaints of individuals with 
Federal and State agencies (including State privacy regulators) that 
have jurisdiction over the privacy or security of personal information 
and State attorneys general, subject to the standards applicable to 
Federal agencies for the protection of the confidentiality of personal 
information and for information security and integrity. Other Federal 
agencies that have jurisdiction over the privacy or security of 
personal information shall share data relating to complaints of 
individuals regarding the privacy or security of personal information 
with the Agency, subject to the standards applicable to Federal 
agencies for the protection of confidentiality of personal information 
and for information security and integrity.
    (d) Publishing of Complaints.--
            (1) Consent required.--In collecting a complaint from an 
        individual, the Agency shall request consent for publishing the 
        complaint without any information identifying the individual.
            (2) Public database.--The Agency shall make publicly 
        available on its website a database of each complaint for which 
        it has received consent to publish the complaint from an 
        individual who provided the complaint to the Agency.
            (3) Redacting information.--When necessary, the Agency may 
        redact information from a published complaint to protect the 
        privacy of the individual.

SEC. 308. ADVISORY BOARDS.

    (a) Establishment.--The Director shall establish the following 
advisory boards to advise and consult with the Agency in the exercise 
of its functions under this Act, and to provide information on emerging 
practices relating to the treatment of personal information by covered 
entities:
            (1) The User Advisory Board, which shall be composed of 
        experts in consumer protection, privacy, civil rights, and 
        ethics.
            (2) The Research Advisory Board, which shall be composed of 
        individuals with academic and research expertise in privacy, 
        cybersecurity, computer science, innovation, design, ethics, 
        economics, law, and public policy.
            (3) The Startup Advisory Board, which shall be composed of 
        representatives of small businesses and investors in small 
        businesses.
            (4) The Product Advisory Board, which shall be composed of 
        technologists, computer scientists, designers, product 
        managers, attorneys, and other representatives of covered 
        entities.
    (b) Appointments.--The Director shall appoint members to the 
advisory boards established under subsection (a) without regard to 
party affiliation.
    (c) Meetings.--Each advisory board established under subsection (a) 
shall meet from time to time at the call of the Director, but, at a 
minimum, shall meet at least twice in each calendar year.
    (d) Compensation and Travel Expenses.--Members of the advisory 
boards established under subsection (a) who are not full-time employees 
of the United States shall--
            (1) be entitled to receive compensation at a rate fixed by 
        the Director while attending meetings of the advisory board, 
        including travel time; and
            (2) receive travel expenses, including per diem in lieu of 
        subsistence, in accordance with applicable provisions under 
        subchapter I of chapter 57 of title 5, United States Code.

SEC. 309. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Director to carry 
out this Act $550,000,000 for each of the fiscal years 2024, 2025, 
2026, 2027, and 2028.

                         TITLE IV--ENFORCEMENT

SEC. 401. INVESTIGATIONS AND ADMINISTRATIVE DISCOVERY.

    (a) Joint Investigations.--The Agency or, where appropriate, an 
Agency investigator, may conduct investigations and make requests for 
information, as authorized under this Act, on a joint basis with 
another Federal agency, a State attorney general, or a State privacy 
regulator.
    (b) Subpoenas.--
            (1) In general.--The Agency or an Agency investigator may 
        issue subpoenas for the attendance and testimony of witnesses 
        and the production of relevant papers, books, documents, or 
        other material in connection with hearings under this Act.
            (2) Failure to obey.--In the case of contumacy or refusal 
        to obey a subpoena issued pursuant to this subsection and 
        served upon any person, the district court of the United States 
        for any district in which such person is found, resides, or 
        transacts business, upon application by the Agency or an Agency 
        investigator and after notice to such person, may issue an 
        order requiring such person to appear and give testimony or to 
        appear and produce documents or other material.
            (3) Contempt.--Any failure to obey an order of the court 
        under paragraph (2) may be punished by the court as a contempt 
        thereof.
    (c) Demands.--
            (1) In general.--Whenever the Agency has reason to believe 
        that any person may be in possession, custody, or control of 
        any documentary material or tangible things, or may have any 
        information, relevant to a violation, the Agency may, before 
        the institution of any proceedings under this Act, issue in 
        writing, and cause to be served upon such person, a civil 
        investigative demand requiring such person to--
                    (A) produce such documentary material for 
                inspection and copying or reproduction in the form or 
                medium requested by the Agency;
                    (B) submit such tangible things;
                    (C) file written reports or answers to questions;
                    (D) give oral testimony concerning documentary 
                material, tangible things, or other information; or
                    (E) furnish any combination of such material, 
                answers, or testimony.
            (2) Requirements.--Each civil investigative demand shall 
        state the nature of the conduct constituting the alleged 
        violation which is under investigation and the provision of law 
        applicable to such violation.
            (3) Production of documents.--Each civil investigative 
        demand for the production of documentary material shall--
                    (A) describe each class of documentary material to 
                be produced under the demand with such definiteness and 
                certainty as to permit such material to be fairly 
                identified;
                    (B) prescribe a return date or dates which will 
                provide a reasonable period of time within which the 
                material so demanded may be assembled and made 
                available for inspection and copying or reproduction; 
                and
                    (C) identify the custodian to whom such material 
                shall be made available.
            (4) Production of things.--Each civil investigative demand 
        for the submission of tangible things shall--
                    (A) describe each class of tangible things to be 
                submitted under the demand with such definiteness and 
                certainty as to permit such things to be fairly 
                identified;
                    (B) prescribe a return date or dates which will 
                provide a reasonable period of time within which the 
                things so demanded may be assembled and submitted; and
                    (C) identify the custodian to whom such things 
                shall be submitted.
            (5) Demand for written reports or answers.--Each civil 
        investigative demand for written reports or answers to 
        questions shall--
                    (A) propound with definiteness and certainty the 
                reports to be produced or the questions to be answered;
                    (B) prescribe a date or dates at which time written 
                reports or answers to questions shall be submitted; and
                    (C) identify the custodian to whom such reports or 
                answers shall be submitted.
            (6) Oral testimony.--Each civil investigative demand for 
        the giving of oral testimony shall--
                    (A) prescribe a date, time, and place at which oral 
                testimony shall be commenced; and
                    (B) identify an Agency investigator who shall 
                conduct the investigation and the custodian to whom the 
                transcript of such investigation shall be submitted.
            (7) Service.--Any civil investigative demand issued, and 
        any enforcement petition filed, under this section may be 
        served--
                    (A) by any Agency investigator at any place within 
                the territorial jurisdiction of any court of the United 
                States; and
                    (B) upon any person who is not found within the 
                territorial jurisdiction of any court of the United 
                States--
                            (i) in such manner as the Federal Rules of 
                        Civil Procedure prescribe for service in a 
                        foreign nation; and
                            (ii) to the extent that the courts of the 
                        United States have authority to assert 
                        jurisdiction over such person, consistent with 
                        due process, the United States District Court 
                        for the District of Columbia shall have the 
                        same jurisdiction to take any action respecting 
                        compliance with this section by such person 
                        that such district court would have if such 
                        person were personally within the jurisdiction 
                        of such district court.
            (8) Method of service.--Service of any civil investigative 
        demand or any enforcement petition filed under this section may 
        be made upon a person by--
                    (A) delivering a duly executed copy of such demand 
                or petition to the individual or to any partner, 
                executive officer, managing agent, or general agent of 
                such person, or to any agent of such person authorized 
                by appointment or by law to receive service of process 
                on behalf of such person;
                    (B) delivering a duly executed copy of such demand 
                or petition to the principal office or place of 
                business of the person to be served; or
                    (C) depositing a duly executed copy in the United 
                States mails, by registered or certified mail, return 
                receipt requested, duly addressed to such person at the 
                principal office or place of business of such person.
            (9) Proof of service.--
                    (A) In general.--A verified return by the 
                individual serving any civil investigative demand or 
                any enforcement petition filed under this section 
                setting forth the manner of such service shall be proof 
                of such service.
                    (B) Return receipts.--In the case of service by 
                registered or certified mail, such return shall be 
                accompanied by the return post office receipt of 
                delivery of such demand or enforcement petition.
            (10) Production of documentary material.--The production of 
        documentary material in response to a civil investigative 
        demand shall be made under a sworn certificate, in such form as 
        the demand designates, by the person, if a natural person, to 
        whom the demand is directed or, if not a natural person, by any 
        person having knowledge of the facts and circumstances relating 
        to such production, to the effect that all of the documentary 
        material required by the demand and in the possession, custody, 
        or control of the person to whom the demand is directed has 
        been produced and made available to the custodian.
            (11) Submission of tangible things.--The submission of 
        tangible things in response to a civil investigative demand 
        shall be made under a sworn certificate, in such form as the 
        demand designates, by the person to whom the demand is directed 
        or, if not a natural person, by any person having knowledge of 
        the facts and circumstances relating to such production, to the 
        effect that all of the tangible things required by the demand 
        and in the possession, custody, or control of the person to 
        whom the demand is directed have been submitted to the 
        custodian.
            (12) Separate answers.--Each reporting requirement or 
        question in a civil investigative demand shall be answered 
        separately and fully in writing under oath, unless it is 
        objected to, in which event the reasons for the objection shall 
        be stated in lieu of an answer, and it shall be submitted under 
        a sworn certificate, in such form as the demand designates, by 
        the person, if a natural person, to whom the demand is directed 
        or, if not a natural person, by any person responsible for 
        answering each reporting requirement or question, to the effect 
        that all information required by the demand and in the 
        possession, custody, control, or knowledge of the person to 
        whom the demand is directed has been submitted.
            (13) Testimony.--
                    (A) In general.--
                            (i) Oath and recordation.--The examination 
                        of any person pursuant to a demand for oral 
                        testimony served under this subsection shall be 
                        taken before an officer authorized to 
                        administer oaths and affirmations by the laws 
                        of the United States or of the place at which 
                        the examination is held. The officer before 
                        whom oral testimony is to be taken shall put 
                        the witness on oath or affirmation and shall 
                        personally, or by any individual acting under 
                        the direction of and in the presence of the 
                        officer, record the testimony of the witness.
                            (ii) Transcription.--The testimony shall be 
                        taken stenographically and transcribed.
                    (B) Parties present.--Any Agency investigator 
                before whom oral testimony is to be taken shall exclude 
                from the place where the testimony is to be taken all 
                other persons, except the person giving the testimony, 
                the attorney for that person, the officer before whom 
                the testimony is to be taken, an investigator or 
                representative of an agency with which the Agency is 
                engaged in a joint investigation, and any stenographer 
                taking such testimony.
                    (C) Location.--The oral testimony of any person 
                taken pursuant to a civil investigative demand shall be 
                taken in the judicial district of the United States in 
                which such person resides, is found, or transacts 
                business, or in such other place as may be agreed upon 
                by the Agency investigator before whom the oral 
                testimony of such person is to be taken and such 
                person.
                    (D) Attorney representation.--
                            (i) In general.--Any person compelled to 
                        appear under a civil investigative demand for 
                        oral testimony pursuant to this subsection may 
                        be accompanied, represented, and advised by an 
                        attorney.
                            (ii) Authority.--The attorney may advise a 
                        person described in clause (i), in confidence, 
                        either upon the request of such person or upon 
                        the initiative of the attorney, with respect to 
                        any question asked of such person.
                            (iii) Objections.--A person described in 
                        clause (i), or the attorney for that person, 
                        may object on the record to any question, in 
                        whole or in part, and such person shall briefly 
                        state for the record the reason for the 
                        objection. An objection may properly be made, 
                        received, and entered upon the record when it 
                        is claimed that such person is entitled to 
                        refuse to answer the question on grounds of any 
                        constitutional or other legal right or 
                        privilege, including the privilege against 
                        self-incrimination, but such person shall not 
                        otherwise object to or refuse to answer any 
                        question, and such person or attorney shall not 
                        otherwise interrupt the oral examination.
                            (iv) Refusal to answer.--If a person 
                        described in clause (i) refuses to answer any 
                        question--
                                    (I) the Agency may petition the 
                                district court of the United States 
                                pursuant to this section for an order 
                                compelling such person to answer such 
                                question; and
                                    (II) if the refusal is on grounds 
                                of the privilege against self-
                                incrimination, the testimony of such 
                                person may be compelled in accordance 
                                with the provisions of section 6004 of 
                                title 18, United States Code.
                    (E) Transcripts.--For purposes of this subsection--
                            (i) after the testimony of any witness is 
                        fully transcribed, the Agency investigator 
                        shall afford the witness (who may be 
                        accompanied by an attorney) a reasonable 
                        opportunity to examine the transcript;
                            (ii) the transcript shall be read to or by 
                        the witness, unless such examination and 
                        reading are waived by the witness;
                            (iii) any changes in form or substance 
                        which the witness desires to make shall be 
                        entered and identified upon the transcript by 
                        the Agency investigator, with a statement of 
                        the reasons given by the witness for making 
                        such changes;
                            (iv) the transcript shall be signed by the 
                        witness, unless the witness in writing waives 
                        the signing, is ill, cannot be found, or 
                        refuses to sign; and
                            (v) if the transcript is not signed by the 
                        witness during the 30-day period following the 
                        date on which the witness is first afforded a 
                        reasonable opportunity to examine the 
                        transcript, the Agency investigator shall sign 
                        the transcript and state on the record the fact 
                        of the waiver, illness, absence of the witness, 
                        or the refusal to sign, together with any 
                        reasons given for the failure to sign.
                    (F) Certification by investigator.--The Agency 
                investigator shall certify on the transcript that the 
                witness was duly sworn by such Agency investigator and 
                that the transcript is a true record of the testimony 
                given by the witness, and the Agency investigator shall 
                promptly deliver the transcript or send it by 
                registered or certified mail to the custodian.
                    (G) Copy of transcript.--The Agency investigator 
                shall furnish a copy of the transcript (upon payment of 
                reasonable charges for the transcript) to the witness 
                only, except that the Agency may for good cause limit 
                such witness to inspection of the official transcript 
                of the testimony of such witness.
                    (H) Witness fees.--Any witness appearing for the 
                taking of oral testimony pursuant to a civil 
                investigative demand shall be entitled to the same fees 
                and mileage which are paid to witnesses in the district 
                courts of the United States.
    (d) Confidential Treatment of Demand Material.--
            (1) In general.--Documentary materials and tangible things 
        received as a result of a civil investigative demand shall be 
        subject to requirements and procedures regarding 
        confidentiality, in accordance with rules established by the 
        Agency.
            (2) Disclosure to congress.--No rule established by the 
        Agency regarding the confidentiality of materials submitted to, 
        or otherwise obtained by, the Agency shall be intended to 
        prevent disclosure to either House of Congress or to an 
        appropriate committee of the Congress, except that the Agency 
        is permitted to adopt rules allowing prior notice to any party 
        that owns or otherwise provided the material to the Agency and 
        had designated such material as confidential.
    (e) Petition for Enforcement.--
            (1) In general.--Whenever any person fails to comply with 
        any civil investigative demand duly served upon such person 
        under this section, or whenever satisfactory copying or 
        reproduction of material requested pursuant to the demand 
        cannot be accomplished and such person refuses to surrender 
        such material, the Agency, through such officers or attorneys 
        as it may designate, may file, in the district court of the 
        United States for any judicial district in which such person 
        resides, is found, or transacts business, and serve upon such 
        person, a petition for an order of such court for the 
        enforcement of this section.
            (2) Service of process.--All process of any court to which 
        application may be made as provided in this subsection may be 
        served in any judicial district.
    (f) Petition for Order Modifying or Setting Aside Demand.--
            (1) In general.--Not later than 20 days after the service 
        of any civil investigative demand upon any person under 
        subsection (c), or at any time before the return date specified 
        in the demand, whichever period is shorter, or within such 
        period exceeding 20 days after service or in excess of such 
        return date as may be prescribed in writing, subsequent to 
        service, by any Agency investigator named in the demand, such 
        person may file with the Agency a petition for an order by the 
        Agency modifying or setting aside the demand.
            (2) Compliance during pendency.--The time permitted for 
        compliance with the demand in whole or in part, as determined 
        proper and ordered by the Agency, shall not run during the 
        pendency of a petition under paragraph (1) at the Agency, 
        except that such person shall comply with any portions of the 
        demand not sought to be modified or set aside.
            (3) Specific grounds.--A petition under paragraph (1) shall 
        specify each ground upon which the petitioner relies in seeking 
        relief, and may be based upon any failure of the demand to 
        comply with the provisions of this section, or upon any 
        constitutional or other legal right or privilege of such 
        person.
    (g) Custodial Control.--At any time during which any custodian is 
in custody or control of any documentary material, tangible things, 
reports, answers to questions, or transcripts of oral testimony given 
by any person in compliance with any civil investigative demand, such 
person may file, in the district court of the United States for the 
judicial district within which the office of such custodian is 
situated, and serve upon such custodian, a petition for an order of 
such court requiring the performance by such custodian of any duty 
imposed upon such custodian by this section or rule promulgated by the 
Agency.
    (h) Jurisdiction of Court.--
            (1) In general.--Whenever any petition is filed in any 
        district court of the United States under this section, such 
        court shall have jurisdiction to hear and determine the matter 
        so presented, and to enter such order or orders as may be 
        required to carry out the provisions of this section.
            (2) Appeal.--Any final order entered as described in 
        paragraph (1) shall be subject to appeal pursuant to section 
        1291 of title 28, United States Code.

SEC. 402. HEARINGS AND ADJUDICATION PROCEEDINGS.

    (a) In General.--The Agency is authorized to conduct hearings and 
adjudication proceedings with respect to any person in the manner 
prescribed by chapter 5 of title 5, United States Code, in order to 
ensure or enforce compliance with this Act and the rules prescribed 
under this Act.
    (b) Special Rules for Cease-and-Desist Proceedings.--
            (1) Orders authorized.--
                    (A) In general.--If, in the opinion of the Agency, 
                a person is engaging or has engaged in an act or 
                omission that violates any provision of this Act or a 
                rule or order prescribed under this Act, the Agency may 
                issue and serve upon the person a notice of charges in 
                respect thereof.
                    (B) Content of notice.--The notice under 
                subparagraph (A) shall contain a statement of the facts 
                constituting the alleged violation, and shall fix a 
                time and place at which a hearing will be held to 
                determine whether an order to cease and desist should 
                issue against the person, such hearing to be held not 
                earlier than 30 days nor later than 60 days after the 
                date of service of such notice, unless an earlier or a 
                later date is set by the Agency, at the request of any 
                person so served.
                    (C) Consent.--Unless a person served under 
                subparagraph (B) appears at the hearing personally or 
                by a duly authorized representative, the person shall 
                be deemed to have consented to the issuance of the 
                cease-and-desist order.
                    (D) Procedure.--In the event of consent under 
                subparagraph (C), or if, upon the record made at any 
                such hearing, the Agency finds that any violation 
                specified in the notice of charges has been 
                established, the Agency may issue and serve upon the 
                person an order to cease and desist from the violation. 
                Such order may, by provisions which may be mandatory or 
                otherwise, require the person to cease and desist from 
                the subject act or omission, and to take affirmative 
                action to correct the conditions resulting from any 
                such violation.
            (2) Effectiveness of order.--A cease-and-desist order shall 
        become effective at the expiration of 30 days after the date of 
        service of the order under paragraph (1)(D) (except in the case 
        of a cease-and-desist order issued upon consent, which shall 
        become effective at the time specified therein), and shall 
        remain effective and enforceable as provided therein, except to 
        such extent as the order is stayed, modified, terminated, or 
        set aside by action of the Agency or a reviewing court.
            (3) Decision and appeal.--Any hearing provided for in this 
        subsection shall be held in the Federal judicial district or in 
        the territory in which the residence or principal office or 
        place of business of the person is located unless the person 
        consents to another place, and shall be conducted in accordance 
        with the provisions of chapter 5 of title 5, United States 
        Code. After such hearing, and not later than 90 days after the 
        Agency has notified each party to the proceeding that the case 
        has been submitted to the Agency for final decision, the Agency 
        shall render its decision (which shall include findings of fact 
        upon which its decision is predicated) and shall issue and 
        serve upon each such party an order or orders consistent with 
        the provisions of this section. Judicial review of any such 
        order shall be exclusively as provided in this subsection. 
        Unless a petition for review is timely filed in a court of 
        appeals of the United States, as provided in paragraph (4), and 
        thereafter until the record in the proceeding has been filed as 
        provided in paragraph (4), the Agency may at any time, upon 
        such notice and in such manner as the Agency shall determine 
        proper, modify, terminate, or set aside any such order. Upon 
        filing of the record as provided, the Agency may modify, 
        terminate, or set aside any such order with permission of the 
        court.
            (4) Appeal to court of appeals.--Any party to any 
        proceeding under this subsection may obtain a review of any 
        order served pursuant to this subsection (other than an order 
        issued with the consent of the party) by filing in the court of 
        appeals of the United States for the circuit in which the 
        residence or principal office or place of business of the party 
        is located, or in the United States Court of Appeals for the 
        District of Columbia Circuit, within 30 days after the date of 
        service of such order, a written petition praying that the 
        order of the Agency be modified, terminated, or set aside. A 
        copy of such petition shall be forthwith transmitted by the 
        clerk of the court to the Agency, and thereupon the Agency 
        shall file in the court the record in the proceeding, as 
        provided in section 2112 of title 28, United States Code. Upon 
        the filing of such petition, such court shall have 
        jurisdiction, which upon the filing of the record shall, except 
        as provided in the last sentence of paragraph (3), be 
        exclusive, to affirm, modify, terminate, or set aside, in whole 
        or in part, the order of the Agency. Review of such proceedings 
        shall be had as provided in chapter 7 of title 5, United States 
        Code. The judgment and decree of the court shall be final, 
        except that the same shall be subject to review by the Supreme 
        Court of the United States, upon certiorari, as provided in 
        section 1254 of title 28, United States Code.
            (5) No stay.--The commencement of proceedings for judicial 
        review under paragraph (4) shall not, unless specifically 
        ordered by the court, operate as a stay of any order issued by 
        the Agency.
    (c) Special Rules for Temporary Cease-and-Desist Proceedings.--
            (1) In general.--Whenever the Agency determines that the 
        violation specified in the notice of charges served upon a 
        person pursuant to subsection (b), or the continuation thereof, 
        is likely to cause the person to be insolvent or otherwise 
        prejudice the interests of individuals before the completion of 
        the proceedings conducted pursuant to subsection (b), the 
        Agency may issue a temporary order requiring the person to 
        cease and desist from any such violation and to take 
        affirmative action to prevent or remedy such insolvency or 
        other condition pending completion of such proceedings. Such 
        order may include any requirement authorized under this title. 
        Such order shall become effective upon service upon the person 
        and, unless set aside, limited, or suspended by a court in 
        proceedings authorized by paragraph (2), shall remain effective 
        and enforceable pending the completion of the administrative 
        proceedings pursuant to such notice and until such time as the 
        Agency shall dismiss the charges specified in such notice, or 
        if a cease-and-desist order is issued against the person, until 
        the effective date of such order.
            (2) Appeal.--Not later than 10 days after a person has been 
        served with a temporary cease-and-desist order, the person may 
        apply to the United States district court for the judicial 
        district in which the residence or principal office or place of 
        business of the person is located, or the United States 
        District Court for the District of Columbia, for an injunction 
        setting aside, limiting, or suspending the enforcement, 
        operation, or effectiveness of such order pending the 
        completion of the administrative proceedings pursuant to the 
        notice of charges served upon the person under subsection (b), 
        and such court shall have jurisdiction to issue such 
        injunction.
    (d) Special Rules for Enforcement of Orders.--
            (1) In general.--The Agency may in its discretion apply to 
        the United States district court within the jurisdiction of 
        which the residence or principal office or place of business of 
        a person is located, for the enforcement of any effective and 
        outstanding order issued under this section against such 
        person, and such court shall have jurisdiction and power to 
        order and require compliance with such order.
            (2) Exception.--Except as otherwise provided in this 
        section, no court shall have jurisdiction to affect by 
        injunction or otherwise the issuance or enforcement of any 
        order or to review, modify, suspend, terminate, or set aside 
        any such order.
    (e) Rules.--The Agency shall prescribe rules establishing such 
procedures as may be necessary to carry out this section.

SEC. 403. LITIGATION AUTHORITY.

    (a) In General.--If a person violates any provision of this Act or 
a rule or order prescribed under this Act, the Agency may commence a 
civil action against such person to impose a civil penalty or to seek 
all appropriate legal and equitable relief, including a permanent or 
temporary injunction as permitted by law.
    (b) Representation.--Except as provided in subsection (e), the 
Agency may act in its own name and through its own attorneys enforcing 
any provision of this Act or rules or orders issued pursuant to this 
Act or in any action, suit, or other court proceeding to which the 
Agency is a party.
    (c) Compromise of Actions.--The Agency may compromise or settle any 
action, suit, or other court proceeding to which the Agency is a party 
if such compromise is approved by the court.
    (d) Notice to the Attorney General of the United States.--
            (1) In general.--When commencing a civil action under this 
        Act or regulations or rules or orders issued pursuant to this 
        Act, the Agency shall notify the Attorney General.
            (2) Notice and coordination.--
                    (A) Notice of other actions.--In addition to any 
                notice required under paragraph (1), the Agency shall 
                notify the Attorney General concerning any action, 
                suit, or other court proceeding to which the Agency is 
                a party.
                    (B) Coordination.--In order to avoid conflicts and 
                promote consistency regarding litigation of matters 
                under Federal law, the Attorney General and the Agency 
                shall consult regarding the coordination of 
                investigations and proceedings, including by 
                negotiating an agreement for coordination not later 
                than 180 days after the effective date of this Act. The 
                agreement under this subparagraph shall include 
                provisions to ensure that parallel investigations and 
                proceedings involving this Act and the rules prescribed 
                under this Act are conducted in a manner that avoids 
                conflicts and does not impede the ability of the 
                Attorney General to prosecute violations of Federal 
                criminal laws.
                    (C) Rule of construction.--Nothing in this 
                paragraph shall be construed to limit the authority of 
                the Agency under this Act, including the authority to 
                interpret this Act.
    (e) Appearance Before the Supreme Court.--The Agency may represent 
itself in its own name before the Supreme Court of the United States, 
if the Agency makes a written request to the Attorney General within 
the 10-day period which begins on the date of entry of the judgment 
which would permit any party to file a petition for writ of certiorari, 
and the Attorney General concurs with such request or fails to take 
action within 60 days of the request of the Agency.
    (f) Forum.--Any civil action brought under this Act or regulations 
or rules or orders issued pursuant to this Act may be brought in an 
appropriate district court of the United States or an appropriate State 
court.
    (g) Time for Bringing Action.--Except as otherwise permitted by law 
or equity, no action may be brought under this Act more than 3 years 
after the date of discovery of the violation to which the action 
relates.

SEC. 404. ENFORCEMENT BY STATES.

    (a) Civil Action.--In any case in which a State attorney general or 
a State privacy regulator has reason to believe that an interest of the 
residents of a State has been or is adversely affected by any person 
who violates any provision of this Act or a rule or order prescribed 
under this Act, the State attorney general or State privacy regulator, 
as parens patriae, may bring a civil action on behalf of the residents 
of the State in an appropriate State court or an appropriate district 
court of the United States to--
            (1) enjoin further violation of such provision by the 
        defendant;
            (2) compel compliance with such provision; or
            (3) obtain relief under section 406.
    (b) Rights of Agency.--Before initiating a civil action under 
subsection (a), the State attorney general or State privacy regulator, 
as the case may be, shall notify the Agency in writing of such civil 
action. Upon receiving notice with respect to a civil action, the 
Agency may--
            (1) intervene in such action; and
            (2) upon intervening--
                    (A) be heard on all matters arising in such civil 
                action; and
                    (B) file petitions for appeal of a decision in such 
                action.
    (c) Preemptive Action by Agency.--If the Agency institutes a civil 
action for violation of any provision of this Act or a rule or order 
prescribed under this Act, no State attorney general or State privacy 
regulator may bring a civil action against any defendant named in the 
complaint of the Agency for a violation of such provision that is 
alleged in such complaint.

SEC. 405. PRIVATE RIGHTS OF ACTION.

    (a) Injunctive Relief.--A person who is aggrieved by a violation of 
this Act may bring a civil action for declaratory or injunctive relief 
in any court of competent jurisdiction in any State or in an 
appropriate district court.
    (b) Civil Action for Damages.--Except for claims under rule 23 of 
the Federal Rules of Civil Procedure or a similar judicial procedure 
authorizing an action to be brought by 1 or more representatives, a 
person who is aggrieved by a violation of this Act may bring a civil 
action for damages in any court of competent jurisdiction in any State 
or in an appropriate district court.
    (c) Nonprofit Collective Representation.--An individual shall have 
the right to appoint a nonprofit organization (as described in section 
501(c)(3) of the Internal Revenue Code of 1986 and exempt from taxation 
under section 501(a) of such Code) which has been properly constituted 
in accordance with the law, has statutory objectives which are in the 
public interest, and is active in the field of the protection of 
individual rights and freedoms with regard to the protection of privacy 
and information security to lodge the complaint on behalf of such 
individual to exercise the rights referred to in this Act on behalf of 
such individual.
            (1) A nonprofit may represent a class of aggrieved 
        individuals.
            (2) A prevailing nonprofit shall receive reasonable 
        compensation for expenses, including attorneys' fees.
            (3) Individuals shall receive an equally divided share of 
        the total damages.
    (d) State Appointment.--A State may provide that any body, 
organization, or association referred to in subsection (c), independent 
of an individual's appointment, has the right to lodge, in that State, 
a complaint with the Agency and to exercise the rights referred to in 
this Act if it considers that the rights of an individual under this 
Act have been infringed.

SEC. 406. RELIEF AVAILABLE.

    (a) Civil Actions and Adjudication Proceedings.--
            (1) Jurisdiction.--In any civil action or any adjudication 
        proceeding brought by the Agency, a State attorney general, or 
        State privacy regulator under any provision of this Act or a 
        rule or order prescribed under this Act, the court or the 
        Agency (as the case may be) shall have jurisdiction to grant 
        any appropriate legal or equitable relief with respect to a 
        violation of such provision.
            (2) Relief.--Relief under this section may include--
                    (A) rescission or reformation of contracts;
                    (B) refund of moneys;
                    (C) restitution;
                    (D) disgorgement or compensation for unjust 
                enrichment;
                    (E) payment of damages or other monetary relief;
                    (F) public notification regarding the violation, 
                including the costs of notification;
                    (G) limits on the activities or functions of the 
                person; and
                    (H) civil money penalties, as provided in 
                subsection (c).
            (3) No exemplary or punitive damages.--Nothing in this 
        subsection shall be construed as authorizing the imposition of 
        exemplary or punitive damages.
    (b) Recovery of Costs.--In any civil action brought by the Agency, 
State attorney general, or State privacy regulator under any provision 
of this Act or a rule or order prescribed under this Act, the Agency, 
State attorney general, or State privacy regulator may recover its 
costs in connection with prosecuting such action if the Agency or State 
attorney general is the prevailing party in the action.
    (c) Civil Money Penalty in Court and Administrative Actions.--
            (1) In general.--Any person who violates, through any act 
        or omission, any provision of this Act or a rule or order 
        issued pursuant to this Act shall forfeit and pay a civil 
        penalty under this subsection.
            (2) Penalty amount.--
                    (A) In general.--The amount of a civil penalty 
                under this subsection may not exceed, for each 
                violation, the product of--
                            (i) the maximum civil penalty for which a 
                        person, partnership, or corporation may be 
                        liable under section 5(m)(1)(A) of the Federal 
                        Trade Commission Act (15 U.S.C. 45(m)(1)(A)) 
                        for a violation of a rule under such Act 
                        respecting unfair or deceptive acts or 
                        practices, as adjusted under the Federal Civil 
                        Penalties Inflation Adjustment Act of 1990 (28 
                        U.S.C. 2461 note); and
                            (ii) the number of individuals whose 
                        personal information is affected by the 
                        violation.
                    (B) Continuing violations.--In the case of a 
                violation through continuing failure to comply with a 
                provision of this Act or a rule or order prescribed 
                under this Act, each day of continuance of such failure 
                shall be treated as a separate violation for purposes 
                of subparagraph (A).
            (3) Mitigating factors.--In determining the amount of any 
        penalty assessed under paragraph (2), the court or the Agency 
        shall take into account the appropriateness of the penalty with 
        respect to--
                    (A) the size of financial resources and good faith 
                of the person charged;
                    (B) the gravity of the violation;
                    (C) the severity of the privacy harms (including 
                both actual and potential harms) to individuals;
                    (D) any disparate impact of the privacy harms 
                (including both actual and potential harms) on 
                protected classes;
                    (E) the history of previous violations; and
                    (F) such other matters as justice may require.
            (4) Authority to modify or remit penalty.--The Agency, 
        State attorney general, or State privacy regulator may 
        compromise, modify, or remit any penalty which may be assessed 
        or has already been assessed under paragraph (2). The amount of 
        such penalty, when finally determined, shall be exclusive of 
        any sums owed by the person to the United States in connection 
        with the costs of the proceeding, and may be deducted from any 
        sums owing by the United States to the person charged.
            (5) Notice and hearing.--No civil penalty may be assessed 
        under this subsection with respect to a violation of any 
        provision of this Act or a rule or order issued pursuant to 
        this Act, unless--
                    (A) the Agency, State attorney general, or State 
                privacy regulator gives notice and an opportunity for a 
                hearing to the person accused of the violation; or
                    (B) the appropriate court has ordered such 
                assessment and entered judgment in favor of the Agency, 
                State attorney general, or State privacy regulator.

SEC. 407. REFERRAL FOR CRIMINAL PROCEEDINGS.

    If the Agency obtains evidence that any person, domestic or 
foreign, has engaged in conduct that may constitute a violation of 
Federal criminal law, the Agency shall transmit such evidence to the 
Attorney General of the United States, who may institute criminal 
proceedings under appropriate law. Nothing in this section affects any 
other authority of the Agency to disclose information.

SEC. 408. WHISTLEBLOWER ENFORCEMENT.

    (a) In General.--Any person who becomes aware, based on nonpublic 
information, that a covered entity has violated this Act may file a 
civil action for civil penalties, if prior to filing such action, the 
person files with the Director a written request for the Director to 
commence the action. The request shall include a clear and concise 
statement of the grounds for believing a cause of action exists. The 
person shall make the nonpublic information available to the Director 
upon request:
            (1) If the Director files suit within 90 days from receipt 
        of the written request to commence the action, no other action 
        may be brought unless the action brought by the Director is 
        dismissed without prejudice.
            (2) If the Director does not file suit within 90 days from 
        receipt of the written request to commence the action, the 
        person requesting the action may proceed to file a civil 
        action.
            (3) The time period within which a civil action shall be 
        commenced shall be tolled from the date of receipt by the 
        Director of the written request to either the date that the 
        civil action is dismissed without prejudice, or for 150 days, 
        whichever is later, but only for a civil action brought by the 
        person who requested the Director to commence the action.
    (b) Allocation of Civil Penalties.--If a judgment is entered 
against the defendant or defendants in an action brought pursuant to 
this section, or the matter is settled, amounts received as civil 
penalties or pursuant to a settlement of the action shall be allocated 
as follows:
            (1) If the action was brought by the Director upon a 
        request made by a person pursuant to subsection (a), the person 
        who made the request shall be entitled to 15 percent of the 
        civil penalties.
            (2) If the action was brought by the person who made the 
        request pursuant to subsection (a), that person shall receive 
        an amount the court determines is reasonable for collecting the 
        civil penalties on behalf of the government. The amount shall 
        be not less than 25 percent and not more than 50 percent of the 
        proceeds of the action and shall be paid out of the proceeds.

                     TITLE V--RELATION TO OTHER LAW

SEC. 501. EFFECTIVE DATE.

    (a) In General.--This Act shall apply beginning on the date that is 
1 year after the date of the enactment of this Act.
    (b) Authority To Promulgate Regulations and Take Certain Other 
Actions.--Nothing in subsection (a) affects the authority of the Agency 
to take an action expressly required by a provision of this Act to be 
taken before the effective date described in such subsection.

SEC. 502. RELATION TO OTHER FEDERAL LAW.

    Nothing in this Act shall be construed to modify, limit, or 
supersede the operation of any privacy or security provision in the 
following:
            (1) Section 552a of title 5, United States Code (commonly 
        known as the ``Privacy Act of 1974'').
            (2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 
        3401 et seq.).
            (3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
            (4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 
        et seq.).
            (5) The Children's Online Privacy Protection Act of 1998 
        (15 U.S.C. 6501 et seq.).
            (6) Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 
        et seq.).
            (7) Chapter 119, 123, or 206 of title 18, United States 
        Code.
            (8) Section 444 of the General Education Provisions Act (20 
        U.S.C. 1232g) (commonly known as the ``Family Educational 
        Rights and Privacy Act of 1974'').
            (9) Section 445 of the General Education Provisions Act (20 
        U.S.C. 1232h).
            (10) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa 
        et seq.).
            (11) The regulations promulgated under section 264(c) of 
        the Health Insurance Portability and Accountability Act of 1996 
        (42 U.S.C. 1320d-2 note), as those regulations relate to--
                    (A) a person described in section 1172(a) of the 
                Social Security Act (42 U.S.C. 1320d-1(a)); or
                    (B) transactions referred to in section 1173(a)(1) 
                of the Social Security Act (42 U.S.C. 1320d-2(a)(1)).
            (12) The Communications Assistance for Law Enforcement Act 
        (47 U.S.C. 1001 et seq.).
            (13) Section 222, 227, 338, or 631 of the Communications 
        Act of 1934 (47 U.S.C. 222, 227, 338, or 551).
            (14) The E-Government Act of 2002 (44 U.S.C. 101 et seq.).
            (15) The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et 
        seq.).
            (16) The Federal Information Security Management Act of 
        2002 (44 U.S.C. 3541 et seq.).
            (17) The Currency and Foreign Transactions Reporting Act of 
        1970, as amended (commonly known as the ``Bank Secrecy Act'') 
        (12 U.S.C. 1829b and 1951-1959, 31 U.S.C. 5311-5314 and 5316-
        5332), including the International Money Laundering Abatement 
        and Financial Anti-Terrorism Act of 2001, title III of Public 
        Law 107-56, as amended.
            (18) The National Security Act of 1947 (50 U.S.C. 3001 et 
        seq.).
            (19) The Foreign Intelligence Surveillance Act of 1978, as 
        amended (50 U.S.C. 1801 et seq.).
            (20) The Civil Rights Act of 1964 (Public Law 88-352, 78 
        Stat. 241).
            (21) The Americans with Disabilities Act (42 U.S.C. 12101 
        et seq.).
            (22) The Fair Housing Act (42 U.S.C. 3601 et seq.).
            (23) The Consumer Financial Protection Act of 2010 (12 
        U.S.C. 5481 et seq.).
            (24) The Equal Credit Opportunity Act (15 U.S.C. 1691 et 
        seq.).
            (25) The Age Discrimination in Employment Act (29 U.S.C. 
        621 et seq.).
            (26) The Genetic Information Nondiscrimination Act (Public 
        Law 110-233, 122 Stat. 881).
            (27) Subpart A of part 46 of title 45, Code of Federal 
        Regulations (commonly known as the ``Common Rule'').
            (28) The Driver's Privacy Protection Act of 1994 (18 U.S.C. 
        2721 et seq.).
            (29) The Video Privacy Protection Act (18 U.S.C. 2710 et 
        seq.).
            (30) Chapters 61, 68, 75, and 76 of the Internal Revenue 
        Code of 1986.
            (31) Section 1106 of the Social Security Act (42 U.S.C. 
        1306).
            (32) The Stored Communications Act (18 U.S.C. 2701 et 
        seq.).
            (33) Any other privacy or information security provision of 
        Federal law.

SEC. 503. RELATION TO STATE LAW.

    This Act, and any amendment, standard, rule, requirement, 
assessment, or regulation promulgated under this Act, does not annul, 
alter, affect, or exempt any person subject to the provisions of this 
Act from complying with the laws of any State or political subdivision 
of a State with respect to privacy or consumer protection, except to 
the extent that those laws are inconsistent with any provisions of this 
Act, and then only to the extent of the inconsistency. For purposes of 
this section, a law of a State or political subdivision of a State is 
not inconsistent with this Act if the protection such law affords any 
consumer is greater than the protection provided by this Act.

SEC. 504. SEVERABILITY.

    If any provision of this Act or the amendments made by this Act, or 
the application thereof, is held unconstitutional or otherwise invalid, 
the validity of the remainder of the Act, the amendments, and the 
application of such provision shall not be affected thereby.

                   TITLE VI--NIST AND NSF ACTIVITIES

SEC. 601. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PRIVACY 
              RESEARCH AND DEVELOPMENT.

    Section 2 of the National Institute of Standards and Technology Act 
(15 U.S.C. 272) is amended by adding at the end the following:
    ``(f) Privacy Risk Management Research.--In carrying out the 
activities under subsection (c)(19), the Director shall, to the extent 
practicable and appropriate--
            ``(1) develop, and periodically update, in collaboration 
        with appropriate Federal agencies, industry, State, local, and 
        Tribal governments, civil society, other nonprofit 
        organizations, and the Information Security and Privacy 
        Advisory Board, a privacy risk management framework that covers 
        risks associated with data processing and that shall--
                    ``(A) identify voluntary, consensus-based technical 
                standards, guidelines, best practices, methodologies, 
                procedures, and processes for--
                            ``(i) developing privacy-enhanced 
                        information systems and networks, including 
                        emerging technologies; and
                            ``(ii) assessing and mitigating privacy 
                        risks to help organizations protect 
                        individuals' privacy in information systems and 
                        networks;
                    ``(B) establish common definitions and 
                characterizations for aspects of privacy risk 
                management;
                    ``(C) provide case studies and risk profiles of 
                framework implementation;
                    ``(D) provide guidance to enable organizations to 
                use the framework to meet privacy requirements from 
                Federal, State, local, and Tribal governments and 
                international policymakers;
                    ``(E) incorporate voluntary, consensus-based 
                technical standards and best practices;
                    ``(F) facilitate use by regulators and markets with 
                the aim of reducing barriers to trade; and
                    ``(G) not prescribe or otherwise require the use of 
                specific information or communications technology 
                products or services;
            ``(2) carry out research associated with mitigating privacy 
        risks associated with information systems and networks, 
        including to inform periodic updates to the privacy risk 
        management framework developed pursuant to paragraph (1);
            ``(3) in consultation with the Director of the Digital 
        Privacy Agency, the Federal Trade Commission, and other related 
        sector-specific risk management agencies, support the 
        development of guidance and risk profiles to help organizations 
        utilize the privacy risk management framework developed 
        pursuant to paragraph (1), to the extent practicable, to adopt 
        privacy requirements and regulations established by the Federal 
        Government, States, and international policymakers;
            ``(4) support activities to improve the efficacy and 
        applicability of privacy-preserving computing, de-
        identification techniques and processes, and other 
        technological means of mitigating individuals' privacy risks by 
        enhancing predictability, manageability, disassociability, and 
        confidentiality;
            ``(5) support and strategically engage in the development 
        of voluntary, consensus-based technical standards for privacy-
        enhanced systems and networks, including international 
        technical standards, through open, transparent, and consensus-
        based processes; and
            ``(6) conduct such other activities as determined necessary 
        by the Director to help public and private sector organizations 
        mitigate the privacy risks associated with information systems 
        and networks.''.

SEC. 602. NATIONAL PRIVACY AWARENESS AND EDUCATION INITIATIVE.

    (a) National Privacy Awareness and Education Initiative.--The 
Director of the National Institute of Standards and Technology, in 
consultation and collaboration with relevant Federal agencies, State, 
local, and Tribal governments, industry, educational institutions, 
civil society, and other nonprofit organizations, as appropriate, shall 
carry out privacy-related education and public awareness activities, 
including--
            (1) the widespread dissemination of privacy-related 
        technical standards and best practices identified by the 
        Director;
            (2) efforts to make privacy-related technical standards and 
        best practices usable by individuals, small-to-medium-sized 
        businesses, educational institutions, and State, local, and 
        Tribal governments;
            (3) activities to increase the awareness of privacy risks, 
        individual privacy rights, and responsibilities; and
            (4) supporting the development of technical standards and 
        best practices to describe privacy-related tasks, knowledge, 
        skills, abilities, competencies, and work roles to guide career 
        development, education, and training activities in industry, 
        academia, nonprofit organizations, and the Federal Government, 
        including support for credentialing.
    (b) Considerations.--In carrying out the authority described in 
subsection (a), the Director of the National Institute of Standards and 
Technology, in consultation with appropriate Federal agencies, shall 
leverage, to the extent practicable, the national cybersecurity 
awareness and education program under section 303 of the Cybersecurity 
Enhancement Act of 2014 (15 U.S.C. 7443).
    (c) Biennial Briefings.--Not later than one year after the date of 
the enactment of this Act and biennially thereafter, the Director of 
the National Institute of Standards and Technology shall brief the 
Committee on Commerce, Science, and Transportation of the Senate and 
the Committee on Science, Space, and Technology of the House of 
Representatives on the activities carried out pursuant to subsection 
(a).
    (d) Authorization of Appropriations.--There is authorized to be 
appropriated to carry out this section $3,000,000 for each of fiscal 
years 2024 through 2028.

SEC. 603. NATIONAL SCIENCE FOUNDATION PRIVACY RESEARCH.

    The Director of the National Science Foundation shall make awards 
on a competitive basis to institutions of higher education or non-
profit organizations (or consortia of such institutions or 
organizations) to support multidisciplinary and transdisciplinary 
socio-technical research to design, prototype, and translate to 
practice privacy-preserving technologies and increase understanding of 
the human, social, behavioral, and economic dimensions of such 
potential technologies, including research on the following:
            (1) Public understanding, expectations, and perspectives on 
        privacy.
            (2) Consumer privacy rights, including right to access, 
        correction, deletion, data portability, individual autonomy, 
        impermanence, and to be informed.
            (3) Privacy governance and transparency, including notice 
        and consent processes and the efficacy of privacy policies.
            (4) Empowering consumers for data ownership and control.
            (5) Privacy by design.
            (6) Privacy-preserving automated decision-making systems 
        and human review of automated decision-making systems.
            (7) Ensuring privacy in consumer surveillance systems.
            (8) User interfaces, including design elements that 
        deliberately obscure, mislead, coerce, or deceive consumers.
            (9) Privacy implications of emerging technologies.
            (10) Incentives to implement privacy protections.
                                 <all>