[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3045 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 3045

    To affirm user ownership of their data, prohibit entities from 
requiring the transfer or monetization of private data in exchange for 
 services, prohibit the collection of third-party contact information 
            without written consent, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 2, 2023

  Mr. Cloud introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
    To affirm user ownership of their data, prohibit entities from 
requiring the transfer or monetization of private data in exchange for 
 services, prohibit the collection of third-party contact information 
            without written consent, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``You Own the Data Act'' or ``YODA''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) Governments exist to protect individual rights to life, 
        liberty, and property.
            (2) The protection of civil liberties, including the rights 
        to private property and privacy from unwarranted searches and 
        seizures, is one of the hallmarks of a free society.
            (3) It is appropriate for Congress to enact laws to protect 
        individuals from data collection by third parties.
            (4) Data is the property of the user, as the user creates 
        the data.
            (5) A user maintains ownership of the data of such user, 
        even when such data is sold or leased with the consent of such 
        user.
            (6) Technology should empower the individual and the 
        productivity of the individual.
            (7) Individuals should have reasonable access to and use of 
        popularly available consumer technologies without abdicating 
        the rights of such individuals to privacy and anonymity.

SEC. 3. PROHIBITION ON SHARING USER CONTACTS WITHOUT WRITTEN CONSENT 
              AND CLARIFYING USER ACCESS TO DATA.

    (a) Prohibition on Access to User Contacts.--It shall be unlawful 
for a covered entity to ask a user to share the contacts or information 
about the contacts of the user unless the user and the contacts of the 
user consent to such use in writing.
    (b) Access to, and Correction, Deletion, and Portability of, 
Covered Data.--
            (1) In general.--Subject to paragraphs (2) and (3), a 
        covered entity shall provide a user, immediately or as quickly 
        as possible and in no case later than 90 days after receiving a 
        verified request from the user, with the ability to 
        reasonably--
                    (A) access--
                            (i) if applicable, a list of each third 
                        party and service provider to whom the covered 
                        entity has transferred or shared the covered 
                        data of the user;
                            (ii) the covered data of the user, or an 
                        accurate representation of the covered data of 
                        the user, including data aggregation that is a 
                        readable summary, that is held or has been 
                        processed by the covered entity or any service 
                        provider of the covered entity; and
                            (iii) if a covered entity transfers covered 
                        data, a description of the covered data that 
                        was transferred and the purpose for which the 
                        third party requested the data;
                    (B) request that the covered entity--
                            (i) correct material inaccuracies or 
                        materially incomplete information with respect 
                        to the covered data of the user that is 
                        maintained by the covered entity;
                            (ii) delete or de-identify covered data of 
                        the user that is or has been maintained by the 
                        covered entity;
                            (iii) notify any service provider or third 
                        party to which the covered entity transferred 
                        such covered data of the corrected information; 
                        and
                            (iv) provide contact information to the 
                        user of any service provider or third party 
                        that the covered data of the user was 
                        transferred to so that the user may make 
                        requests described in this subparagraph; and
                    (C) to the extent that is technically feasible, 
                provide covered data of the user that is or has been 
                generated and submitted to the covered entity by the 
                user and maintained by the covered entity in a 
                portable, structured, and machine-readable format that 
                is not subject to licensing restrictions.
            (2) Frequency and cost of access.--A covered entity shall--
                    (A) provide a user with the opportunity to exercise 
                the rights described in paragraph (1) not less than 
                twice in any 12-month period; and
                    (B) fulfill the responsibilities described in 
                paragraph (1) free of charge.
            (3) Prohibition on retaliation.--A covered entity shall 
        provide the same quality of goods or services, at the same 
        price or rate, regardless of whether a user took an action 
        described under paragraph (1).
            (4) Retention of data.--A covered entity that collects data 
        on a user's browsing history or biometric data and information 
        shall delete the data within 60 days after the date on which 
        the data was collected.
    (c) Data Minimization and Contextuality.--
            (1) Collection and use of information.--A commercial data 
        operator shall limit the collection and sharing of information 
        by the operator with third parties to what is reasonably 
        necessary to provide a service or conduct an activity that a 
        consumer has requested or is reasonably necessary for fraud 
        prevention.
            (2) Retention of information.--A commercial data operator 
        that collects the personal information of a consumer shall 
        limit the use and retention of that information to what is 
        reasonably necessary to provide a service or conduct an 
        activity that a consumer has requested or a related operational 
        purpose. Any data collected or retained by a commercial data 
        operator solely for security or fraud prevention may not be 
        used for operational purposes.
            (3) Monetization.--Monetization of personal information 
        shall not be considered reasonably necessary to provide a 
        service or conduct an activity that a consumer has requested or 
        reasonably necessary for security or fraud prevention.
    (d) Consumer Choice and Control.--
            (1) Commercial data operator.--A commercial data operator 
        shall provide a prominently and conspicuously displayed icon a 
        user may click to opt out of data collection on every unique 
        website, mobile application, or computer application.
            (2) Covered entities.--Within 2 years after the date of the 
        enactment of this Act, a covered entity shall take reasonable 
        steps, taking account of available technology, to provide users 
        the ability to directly delete the covered data collected by 
        the covered entity.
    (e) Default Settings.--A covered entity may require, through terms 
of service or otherwise, that a user must consent to the transfer of 
covered data in order to use the service of the covered entity.
    (f) Policies Regarding Data From Minors.--A covered entity may not 
collect, retain, or transfer the covered data of a user to a third 
party without affirmative consent from the parent or guardian of the 
user if the user is below the age of 18 years old, where technically 
feasible.
    (g) Prohibition on Tracking Cookies Without User Consent.--A 
commercial data operator--
            (1) unless authorized by the user, may not track cookies, 
        including on mobile applications; and
            (2) shall provide the same services to users who do not 
        authorize tracking cookies.
    (h) Transparency.--
            (1) Privacy notice.--A covered entity shall provide users 
        with a clear, comprehensible, accurate, and continuously 
        available privacy notice that--
                    (A) describes in detail the information collected 
                by the operator, how that information would be used, 
                and whether the information would be sold or shared 
                with any third party; and
                    (B) is 1,000 words or less.
            (2) Report on use of information required.--If a user 
        allows a commercial data operator to sell the covered data of 
        the user, the commercial data operator shall provide the user 
        with an annual report regarding the types of third parties with 
        whom data has been shared. The report shall include a 
        description of what information has been shared, for what 
        purpose information is shared, and a list of each third party 
        that receives data.
    (i) Data Security and Breach Notification.--A covered entity shall 
notify each user in a timely manner of any data breach with respect to 
the information of the user and provide any remedy to compensate the 
user for the breach of their information, including a credit protection 
service, fraud alert, and credit monitoring through credit reporting 
agencies.
    (j) Enforcement.--
            (1) Enforcement by the federal trade commission.--
                    (A) Unfair or deceptive acts or practices.--A 
                violation of this section shall be treated as a 
                violation of a regulation under section 18(a)(1)(B) of 
                the Federal Trade Commission Act (15 U.S.C. 
                57a(a)(1)(B)) regarding unfair or deceptive acts or 
                practices.
                    (B) Powers of commission.--The Commission shall 
                enforce this section in the same manner, by the same 
                means, and with the same jurisdiction, powers, and 
                duties as though all applicable terms and provisions of 
                the Federal Trade Commission Act (15 U.S.C. 41 et seq.) 
                were incorporated into and made a part of this Act. Any 
                person who violates this section shall be subject to 
                the penalties and entitled to the privileges and 
                immunities provided in the Federal Trade Commission 
                Act.
            (2) Effect on other laws.--Nothing in this section shall be 
        construed in any way to limit the authority of the Commission 
        under any other provision of law or to limit the application of 
        any Federal or State law.
            (3) Enforcement by state attorneys general.--
                    (A) In general.--If the chief law enforcement 
                officer of a State, or an official or agency designated 
                by a State, has reason to believe that any person has 
                violated or is violating this section, the attorney 
                general, official, or agency of the State, in addition 
                to any authority it may have to bring an action in 
                State court under its consumer protection law, may 
                bring a civil action in any appropriate United States 
                district court or in any other court of competent 
                jurisdiction, including a State court, to--
                            (i) enjoin further such violation by such 
                        person;
                            (ii) enforce compliance with this section;
                            (iii) obtain civil penalties; and
                            (iv) obtain damages, restitution, or other 
                        compensation on behalf of residents of the 
                        State.
                    (B) Notice and intervention by the federal trade 
                commission.--The attorney general of a State shall 
                provide prior written notice of any action under 
                subparagraph (A) to the Commission and provide the 
                Commission with a copy of the complaint in the action, 
                except in any case in which such prior notice is not 
                feasible, in which case the attorney general shall 
                serve such notice immediately upon instituting such 
                action. The Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (C) Limitation on state action while federal action 
                is pending.--If the Commission has instituted a civil 
                action for violation of this section, no State attorney 
                general, or official or agency of a State, may bring an 
                action under this paragraph during the pendency of that 
                action against any defendant named in the complaint of 
                the Commission for any violation of this section 
                alleged in the complaint.
            (4) Private right of action.--
                    (A) In general.--Any individual alleging a 
                violation of this section or a regulation promulgated 
                under this section may bring a civil action in any 
                Federal or State court of competent jurisdiction 
                against a covered entity that has global annual gross 
                revenues of at least $50,000,000.
                    (B) Relief.--In a civil action brought under 
                subparagraph (A) in which the plaintiff prevails, the 
                court may award--
                            (i) $100 to $750 per violation;
                            (ii) reasonable attorney's fees and 
                        litigation costs; and
                            (iii) any other relief, including equitable 
                        or declaratory relief, that the court 
                        determines appropriate.
    (k) Definitions.--In this section:
            (1) Commercial data operator.--The term ``commercial data 
        operator'' means an entity acting in its capacity as a consumer 
        online services provider or data broker that--
                    (A) generates a material amount of revenue from the 
                use, collection, processing, sale, or sharing of data 
                generated by a user; and
                    (B) has more than 100,000,000 unique monthly 
                visitors or users in the United States for a majority 
                of months during the previous 1-year period.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Consent.--The term ``consent'' means an affirmative act 
        by an individual that clearly communicates the informed 
        authorization of the individual for an act or practice.
            (4) Core function.--The term ``core function'' does not 
        mean targeted advertising or marketing.
            (5) Covered data.--The term ``covered data'' means 
        individually identifiable information about a user collected 
        online, including any of the following:
                    (A) Location information that would identify the 
                physical address of an individual.
                    (B) Telephone number.
                    (C) Email address.
                    (D) Social security number or other unique, 
                government-issued identifiers.
                    (E) Nonpublic personal information (as defined in 
                section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 
                6809)).
                    (F) Content of a personal wire communication, oral 
                communication, or electronic communication such as 
                email or direct messaging with respect to any entity 
                that is not the intended recipient of the 
                communication.
                    (G) Call detail records.
                    (H) Web browsing history, application usage 
                history, and the functional equivalent of either that 
                is not aggregated data.
                    (I) Biometric data and information, such as facial 
                and voice recognition data.
            (6) Covered entity.--The term ``covered entity'' means a 
        commercial data broker or large online operator that collects 
        covered data from a user through an online platform.
            (7) Data broker.--The term ``data broker'' means a covered 
        entity whose principal source of revenue is derived from 
        processing or transferring the covered data of individuals with 
        whom the entity does not have a direct relationship on behalf 
        of a third party for use by the third party.
            (8) De-identify.--The term ``de-identify'' means to 
        separate information from the user or IP address the 
        information is associated with.
            (9) Delete.--The term ``delete'' means to remove or destroy 
        information so that the information is not maintained in human 
        or machine-readable form and cannot be retrieved or used in 
        such form in the normal course of business.
            (10) Large online operator.--The term ``large online 
        operator'' means any person that--
                    (A) provides an online service; and
                    (B) has more than 100,000,000 authenticated users 
                of an online service in any 30-day period.
            (11) Monetization.--The term ``monetization'' means the 
        process of collecting, using, and storing data solely for 
        economic benefit.
            (12) User.--The term ``user'' means an individual residing 
        in the United States who uses a website that collects data and 
        information from the user.