Standard terms of service summary statement

(a)

Deadline for terms of service summary statement

Not later than 360 days after the date of the enactment of this Act, the Commission shall issue a rule under section 553 of title 5, United States Code, with regard to a covered entity that publishes or has published a terms of service—(1)that requires the covered entity to include a truthful and non-misleading short-form terms of service summary statement on the website of the entity;(2)that requires the covered entity to include a truthful and non-misleading graphic data flow diagram on the website of the entity; and(3)that requires the covered entity to display the full terms of service of the entity in an interactive data format.(b)

No New Contractual Obligation

The requirement to include a summary statement described in subsection (a)(1) does not create any new contractual obligation.(c)

Requirements for short-Form terms of service summary statement

(1)

In general

The short-form terms of service summary statement described in subsection (a)(1)—(A)shall be accessible to individuals with low levels of literacy and individuals with disabilities, be machine readable, and include tables, graphic icons, hyperlinks, or other means as the Commission may require; and(B)may be presented differently depending on the interface or type of device on which the statement is being accessed by the user.(2)

Location of summary statement and graphic data flow diagram

The summary statement described in subsection (a)(1) shall be placed at the top of the permanent terms of service page of the covered entity, and the graphic data flow diagram described in subsection (a)(2) shall be located immediately below such summary statement. (3)

Contents of summary statement

The summary statement described in subsection (a)(1) shall include the following:(A)The categories of sensitive information that the covered entity processes.(B)The sensitive information that is required for the basic functioning of the service and what sensitive information is needed for additional features and future feature development.(C)A summary of the legal liabilities of a user and any rights transferred from the user to the covered entity, such as mandatory arbitration, class action waiver, any licensing or sale by the covered entity of the content of the user, and any waiver of moral rights.(D)Historical versions of the terms of service and change logs.(E)If the covered entity provides user deletion services, directions for how the user can delete sensitive information or discontinue the use of sensitive information.(F)A list of data breaches from the previous 3 years reported to consumers under existing Federal and State laws.(G)The effort required by a user to read the entire terms of service text, such as through the total word count and approximate time to read the statement.(H)Any other information the Commission determines to be necessary if that information is included in the terms of service by the covered entity.(4)

Additional information required by the Commission

In the rule issued under subsection (a), the Commission shall include a list of other information the Commission determines to be necessary under paragraph (3)(H).(d)

Guidance on graphic data flow diagrams

Not later than 360 days after the date of the enactment of this Act, the Commission shall publish guidelines on how a covered entity can graphically display how the sensitive information of a user is shared with a subsidiary or corporate affiliate of such entity and how such sensitive information is shared with third parties.(e)

Interactive data format terms of service

Not later than 360 days after the date of the enactment of this Act, the Commission shall issue a rule under section 553 of title 5, United States Code, that requires a covered entity to tag portions of the terms of services of the entity according to an interactive data format.(f)

Enforcement

(1)

Enforcement by the Commission

(A)

Unfair or deceptive acts or practices

A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).(B)

Powers of the Commission

(i)

In general

The Commission shall enforce this section and the regulations promulgated under this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section. (ii)

Privileges and immunities

Any person who violates this section or a regulation promulgated under this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act. (iii)

Authority persevered

Nothing in this section shall be construed to limit the authority of the Commission under any other provision of law.(2)

Enforcement by States

(A)

In general

In any case in which the attorney general of a State has reason to believe that an interest of at least 1,000 residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates this section or a regulation promulgated under this section, the attorney general of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction—(i)to enjoin that practice;(ii)to enforce compliance with this section;(iii)to obtain damages, restitution, or other compensation on behalf of such residents; and(iv)to obtain such other relief as the court may consider to be appropriate.(B)

Rights of the Commission

(i)

Notice to the Commission

(I)

In general

Except as provided in subclause (III), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under subparagraph (A) before initiating the civil action. (II)

Contents

The notification required by subclause (I) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.(III)

Exemption

If it is not feasible for the attorney general of a State to provide the notification required by subclause (I) before initiating a civil action under subparagraph (A), the attorney general shall notify the Commission immediately upon instituting the civil action. (ii)

Intervention by the Commission

The Commission may—(I)intervene in any civil action brought by the attorney general of a State under subparagraph (A); and(II)upon intervening—(aa)be heard on all matters arising in the civil action; and(bb)file petitions for appeal.(C)

Construction

Nothing in this paragraph may be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—(i)conduct investigations;(ii)administer oaths or affirmations; or(iii)compel the attendance of witnesses or the production of documentary and other evidence.(D)

Actions by the Commission

In any case in which an action is instituted by or on behalf of the Commission for a violation of this section or a regulation promulgated under this section, a State may not, during the pendency of that action, institute a separate action under subparagraph (A) against any defendant named in the complaint in the action instituted by or on behalf of the Commission for that violation.(E)

Venue; Service of process

(i)

Venue

Any action brought under subparagraph (A) may be brought in—(I)the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or(II)another court of competent jurisdiction.(ii)

Service of process

In an action brought under paragraph (1), process may be served in any district in which the defendant—(I)is an inhabitant; or(II)may be found.(g)

Definitions

In this section:(1)

Commission

The term Commission means the Federal Trade Commission.(2)

Covered entity

The term covered entity—(A)means any person that operates a website located on the internet or an online service that is operated for commercial purposes; and(B)does not include a small business concern (as defined in section 3 of the Small Business Act (15 U.S.C. 632)).(3)

Disability

The term disability has the meaning given the term in section 3 of the Americans with Disabilities Act of 1990 (42 U.S.C. 12102).(4)

Interactive data format

The term interactive data format means an electronic data format in which pieces of information are identified using an interactive data standard, such as eXtensible Markup Language (commonly known as XML), that is a standardized list of electronic tags that mark the information described in subsection (c)(3) within the terms of service of a covered entity.(5)

Moral rights

The term moral rights means the rights conferred by section 106A(a) of title 17, United States Code.(6)

Process

The term process means any operation or set of operations performed on sensitive information, including collection, analysis, organization, structuring, retaining, using, or otherwise handling sensitive information. (7)

Sensitive information

The term sensitive information means any of the following:(A)Health information.(B)Biometric information.(C)Precise geolocation information.(D)Social security number.(E)Information concerning the race, color, religion, national origin, sex, age, or disability of an individual.(F)The content and parties to a communication.(G)Audio and video recordings captured through a consumer device.(H)Financial information, including a bank account number, credit card number, debit card number, or insurance policy number.(I)Online browsing history, which means information revealing online activities over time or across websites or online services not owned or operated by the covered entity.(8)

State

The term State means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each Federally recognized Indian Tribe. (9)

Third party

The term third party means, with respect to a covered entity, a person—(A)to which the covered entity disclosed sensitive information; and(B)that is not—(i)the covered entity;(ii)a subsidiary or corporate affiliate of the covered entity; or(iii)a service provider of the covered entity.