[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2225 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                S. 2225

  To require covered entities to issue a short-form terms of service 
               summary statement, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 11, 2023

Mr. Cassidy (for himself and Mr. Lujan) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
  To require covered entities to issue a short-form terms of service 
               summary statement, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Terms-of-service Labeling, Design, 
and Readability Act'' or the ``TLDR Act''.

SEC. 2. STANDARD TERMS OF SERVICE SUMMARY STATEMENT.

    (a) Deadline for Terms of Service Summary Statement.--Not later 
than 360 days after the date of the enactment of this Act, the 
Commission shall issue a rule under section 553 of title 5, United 
States Code, with regard to a covered entity that publishes or has 
published a terms of service--
            (1) that requires the covered entity to include a truthful 
        and non-misleading short-form terms of service summary 
        statement on the website of the entity;
            (2) that requires the covered entity to include a truthful 
        and non-misleading graphic data flow diagram on the website of 
        the entity; and
            (3) that requires the covered entity to display the full 
        terms of service of the entity in an interactive data format.
    (b) No New Contractual Obligation.--The requirement to include a 
summary statement described in subsection (a)(1) does not create any 
new contractual obligation.
    (c) Requirements for Short-Form Terms of Service Summary 
Statement.--
            (1) In general.--The short-form terms of service summary 
        statement described in subsection (a)(1)--
                    (A) shall be accessible to individuals with low 
                levels of literacy and individuals with disabilities, 
                be machine readable, and include tables, graphic icons, 
                hyperlinks, or other means as the Commission may 
                require; and
                    (B) may be presented differently depending on the 
                interface or type of device on which the statement is 
                being accessed by the user.
            (2) Location of summary statement and graphic data flow 
        diagram.--The summary statement described in subsection (a)(1) 
        shall be placed at the top of the permanent terms of service 
        page of the covered entity, and the graphic data flow diagram 
        described in subsection (a)(2) shall be located immediately 
        below such summary statement.
            (3) Contents of summary statement.--The summary statement 
        described in subsection (a)(1) shall include the following:
                    (A) The categories of sensitive information that 
                the covered entity processes.
                    (B) The sensitive information that is required for 
                the basic functioning of the service and what sensitive 
                information is needed for additional features and 
                future feature development.
                    (C) A summary of the legal liabilities of a user 
                and any rights transferred from the user to the covered 
                entity, such as mandatory arbitration, class action 
                waiver, any licensing or sale by the covered entity of 
                the content of the user, and any waiver of moral 
                rights.
                    (D) Historical versions of the terms of service and 
                change logs.
                    (E) If the covered entity provides user deletion 
                services, directions for how the user can delete 
                sensitive information or discontinue the use of 
                sensitive information.
                    (F) A list of data breaches from the previous 3 
                years reported to consumers under existing Federal and 
                State laws.
                    (G) The effort required by a user to read the 
                entire terms of service text, such as through the total 
                word count and approximate time to read the statement.
                    (H) Any other information the Commission determines 
                to be necessary if that information is included in the 
                terms of service by the covered entity.
            (4) Additional information required by the commission.--In 
        the rule issued under subsection (a), the Commission shall 
        include a list of other information the Commission determines 
        to be necessary under paragraph (3)(H).
    (d) Guidance on Graphic Data Flow Diagrams.--Not later than 360 
days after the date of the enactment of this Act, the Commission shall 
publish guidelines on how a covered entity can graphically display how 
the sensitive information of a user is shared with a subsidiary or 
corporate affiliate of such entity and how such sensitive information 
is shared with third parties.
    (e) Interactive Data Format Terms of Service.--Not later than 360 
days after the date of the enactment of this Act, the Commission shall 
issue a rule under section 553 of title 5, United States Code, that 
requires a covered entity to tag portions of the terms of services of 
the entity according to an interactive data format.
    (f) Enforcement.--
            (1) Enforcement by the commission.--
                    (A) Unfair or deceptive acts or practices.--A 
                violation of this Act or a regulation promulgated under 
                this Act shall be treated as a violation of a rule 
                defining an unfair or deceptive act or practice under 
                section 18(a)(1)(B) of the Federal Trade Commission Act 
                (15 U.S.C. 57a(a)(1)(B)).
                    (B) Powers of the commission.--
                            (i) In general.--The Commission shall 
                        enforce this section and the regulations 
                        promulgated under this section in the same 
                        manner, by the same means, and with the same 
                        jurisdiction, powers, and duties as though all 
                        applicable terms and provisions of the Federal 
                        Trade Commission Act (15 U.S.C. 41 et seq.) 
                        were incorporated into and made a part of this 
                        section.
                            (ii) Privileges and immunities.--Any person 
                        who violates this section or a regulation 
                        promulgated under this section shall be subject 
                        to the penalties and entitled to the privileges 
                        and immunities provided in the Federal Trade 
                        Commission Act.
                            (iii) Authority persevered.--Nothing in 
                        this section shall be construed to limit the 
                        authority of the Commission under any other 
                        provision of law.
            (2) Enforcement by states.--
                    (A) In general.--In any case in which the attorney 
                general of a State has reason to believe that an 
                interest of at least 1,000 residents of that State has 
                been or is threatened or adversely affected by the 
                engagement of any person in a practice that violates 
                this section or a regulation promulgated under this 
                section, the attorney general of the State, as parens 
                patriae, may bring a civil action on behalf of the 
                residents of the State in a district court of the 
                United States of appropriate jurisdiction--
                            (i) to enjoin that practice;
                            (ii) to enforce compliance with this 
                        section;
                            (iii) to obtain damages, restitution, or 
                        other compensation on behalf of such residents; 
                        and
                            (iv) to obtain such other relief as the 
                        court may consider to be appropriate.
                    (B) Rights of the commission.--
                            (i) Notice to the commission.--
                                    (I) In general.--Except as provided 
                                in subclause (III), the attorney 
                                general of a State shall notify the 
                                Commission in writing that the attorney 
                                general intends to bring a civil action 
                                under subparagraph (A) before 
                                initiating the civil action.
                                    (II) Contents.--The notification 
                                required by subclause (I) with respect 
                                to a civil action shall include a copy 
                                of the complaint to be filed to 
                                initiate the civil action.
                                    (III) Exemption.--If it is not 
                                feasible for the attorney general of a 
                                State to provide the notification 
                                required by subclause (I) before 
                                initiating a civil action under 
                                subparagraph (A), the attorney general 
                                shall notify the Commission immediately 
                                upon instituting the civil action.
                            (ii) Intervention by the commission.--The 
                        Commission may--
                                    (I) intervene in any civil action 
                                brought by the attorney general of a 
                                State under subparagraph (A); and
                                    (II) upon intervening--
                                            (aa) be heard on all 
                                        matters arising in the civil 
                                        action; and
                                            (bb) file petitions for 
                                        appeal.
                    (C) Construction.--Nothing in this paragraph may be 
                construed to prevent an attorney general of a State 
                from exercising the powers conferred on the attorney 
                general by the laws of that State to--
                            (i) conduct investigations;
                            (ii) administer oaths or affirmations; or
                            (iii) compel the attendance of witnesses or 
                        the production of documentary and other 
                        evidence.
                    (D) Actions by the commission.--In any case in 
                which an action is instituted by or on behalf of the 
                Commission for a violation of this section or a 
                regulation promulgated under this section, a State may 
                not, during the pendency of that action, institute a 
                separate action under subparagraph (A) against any 
                defendant named in the complaint in the action 
                instituted by or on behalf of the Commission for that 
                violation.
                    (E) Venue; service of process.--
                            (i) Venue.--Any action brought under 
                        subparagraph (A) may be brought in--
                                    (I) the district court of the 
                                United States that meets applicable 
                                requirements relating to venue under 
                                section 1391 of title 28, United States 
                                Code; or
                                    (II) another court of competent 
                                jurisdiction.
                            (ii) Service of process.--In an action 
                        brought under paragraph (1), process may be 
                        served in any district in which the defendant--
                                    (I) is an inhabitant; or
                                    (II) may be found.
    (g) Definitions.--In this section:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Covered entity.--The term ``covered entity''--
                    (A) means any person that operates a website 
                located on the internet or an online service that is 
                operated for commercial purposes; and
                    (B) does not include a small business concern (as 
                defined in section 3 of the Small Business Act (15 
                U.S.C. 632)).
            (3) Disability.--The term ``disability'' has the meaning 
        given the term in section 3 of the Americans with Disabilities 
        Act of 1990 (42 U.S.C. 12102).
            (4) Interactive data format.--The term ``interactive data 
        format'' means an electronic data format in which pieces of 
        information are identified using an interactive data standard, 
        such as eXtensible Markup Language (commonly known as ``XML''), 
        that is a standardized list of electronic tags that mark the 
        information described in subsection (c)(3) within the terms of 
        service of a covered entity.
            (5) Moral rights.--The term ``moral rights'' means the 
        rights conferred by section 106A(a) of title 17, United States 
        Code.
            (6) Process.--The term ``process'' means any operation or 
        set of operations performed on sensitive information, including 
        collection, analysis, organization, structuring, retaining, 
        using, or otherwise handling sensitive information.
            (7) Sensitive information.--The term ``sensitive 
        information'' means any of the following:
                    (A) Health information.
                    (B) Biometric information.
                    (C) Precise geolocation information.
                    (D) Social security number.
                    (E) Information concerning the race, color, 
                religion, national origin, sex, age, or disability of 
                an individual.
                    (F) The content and parties to a communication.
                    (G) Audio and video recordings captured through a 
                consumer device.
                    (H) Financial information, including a bank account 
                number, credit card number, debit card number, or 
                insurance policy number.
                    (I) Online browsing history, which means 
                information revealing online activities over time or 
                across websites or online services not owned or 
                operated by the covered entity.
            (8) State.--The term ``State'' means each of the several 
        States, the District of Columbia, each commonwealth, territory, 
        or possession of the United States, and each Federally 
        recognized Indian Tribe.
            (9) Third party.--The term ``third party'' means, with 
        respect to a covered entity, a person--
                    (A) to which the covered entity disclosed sensitive 
                information; and
                    (B) that is not--
                            (i) the covered entity;
                            (ii) a subsidiary or corporate affiliate of 
                        the covered entity; or
                            (iii) a service provider of the covered 
                        entity.
                                 <all>