[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8014 Introduced in House (IH)]
119th CONGRESS
2d Session
H. R. 8014
To provide for individual rights relating to privacy of personal
information, to establish privacy and security requirements for covered
entities relating to personal information, and to establish an agency
to be known as the Digital Privacy Agency to enforce such rights and
requirements, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 19, 2026
Ms. Lofgren introduced the following bill; which was referred to the
Committee on Energy and Commerce, and in addition to the Committees on
the Judiciary, and Science, Space, and Technology, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To provide for individual rights relating to privacy of personal
information, to establish privacy and security requirements for covered
entities relating to personal information, and to establish an agency
to be known as the Digital Privacy Agency to enforce such rights and
requirements, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Online Privacy Act
of 2026''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. General provisions.
Sec. 4. Limitation on disclosing nonredacted government records.
Sec. 5. Criminal prohibition on doxxing.
TITLE I--INDIVIDUAL RIGHTS
Sec. 101. Right of access.
Sec. 102. Right of correction.
Sec. 103. Right of deletion.
Sec. 104. Right of portability.
Sec. 105. Right to human review of automated decisions.
Sec. 106. Right to individual autonomy.
Sec. 107. Right to be informed.
Sec. 108. Right to impermanence.
Sec. 109. Exemptions, exceptions, fees, timelines, and rules of
construction for rights under this title.
TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND
THIRD PARTIES
Sec. 201. Minimization.
Sec. 202. Minimization and records of access by employees and
contractors.
Sec. 203. Prohibitions on disclosing of personal information.
Sec. 204. Disclosing to entities not subject to United States
jurisdiction or not compliant with this
Act.
Sec. 205. Prohibition on re-identification.
Sec. 206. Restrictions on collecting, processing, maintaining, and
disclosing contents of communications.
Sec. 207. Prohibition on discriminatory processing.
Sec. 208. Requirements for notice and consent processes and privacy
policies.
Sec. 209. Prohibition on ``dark patterns'' in notice and consent
processes and privacy policies.
Sec. 210. Notice and consent required.
Sec. 211. Privacy policy.
Sec. 212. Information security requirements.
Sec. 213. Notification of data breach or data-sharing abuse.
TITLE III--DIGITAL PRIVACY AGENCY
Sec. 301. Establishment; Director and Deputy Director.
Sec. 302. Agency powers and authorities.
Sec. 303. Reporting and audit requirements.
Sec. 304. Relation to other agencies.
Sec. 305. Personnel.
Sec. 306. Office of Civil Rights.
Sec. 307. Complaints of individuals.
Sec. 308. Advisory boards.
Sec. 309. Authorization of appropriations.
TITLE IV--ENFORCEMENT
Sec. 401. Investigations and administrative discovery.
Sec. 402. Hearings and adjudication proceedings.
Sec. 403. Litigation authority.
Sec. 404. Enforcement by States.
Sec. 405. Private rights of action.
Sec. 406. Relief available.
Sec. 407. Referral for criminal proceedings.
Sec. 408. Whistleblower enforcement.
TITLE V--RELATION TO OTHER LAW
Sec. 501. Effective date.
Sec. 502. Relation to other Federal law.
Sec. 503. Relation to State law.
Sec. 504. Severability.
TITLE VI--NIST AND NSF ACTIVITIES
Sec. 601. National Institute of Standards and Technology privacy
research and development.
Sec. 602. National privacy awareness and education initiative.
Sec. 603. National Science Foundation privacy research.
SEC. 2. DEFINITIONS.
In this Act:
(1) Behavioral personalization.--
(A) In general.--The term ``behavioral
personalization'' means the processing of the personal
information of an individual, using an algorithm,
model, or other means--
(i) built using--
(I) that individual's personal
information collected over a period of
time; or
(II) an aggregate of the
information of one or more similarly
situated individuals; and
(ii) designed to--
(I) alter, influence, guide, or
predict that individual's behavior;
(II) tailor or personalize a
product or service to that individual;
or
(III) filter, sort, limit, promote,
display or otherwise differentiate
between specific content or categories
of content that would otherwise be
accessible to that individual.
(B) Exclusions.--The term ``behavioral
personalization'' does not include the use of
historical personal information to merely prevent the
display of or provide additional information about
previously accessed content.
(2) Collect.--The term ``collect'' includes, with respect
to personal information or the contents of any communication,
obtaining such information or contents in any manner, except
when solely transmitting, routing, providing intermediate
storage for, or providing connections for such personal
information or communication through a system or network.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Contents.--The term ``contents'', when used with
respect to communication, has the meaning given such term in
section 2510 of title 18, United States Code.
(5) Covered entity.--
(A) In general.--The term ``covered entity'' means
a person who--
(i) intentionally collects, processes, or
maintains personal information; and
(ii) sends or receives such personal
information over the internet or a similar
communications network.
(B) Exclusion.--The term ``covered entity'' does
not include a natural person, except to the extent such
person is engaged in a commercial activity that is more
than de minimis.
(C) De minimis defined.--In this paragraph, the
term ``de minimis'' means incidental commercial
activity by a natural person that--
(i) generates not more than $5,000 in gross
revenue in a 12-month period; or
(ii) involves the personal information of
fewer than 5,000 individuals in such period.
(6) Custodian.--The term ``custodian'' means the custodian
or any deputy custodian designated by the Director of the
Digital Privacy Agency.
(7) Data breach.--The term ``data breach'' means
unauthorized access to or acquisition of personal information
or contents of communications maintained by such covered
entity.
(8) Data-sharing abuse.--The term ``data-sharing abuse''
means processing, by a third party, of personal information or
contents of communications disclosed by a covered entity to the
third party, for any purpose other than--
(A) a purpose specified by the covered entity to
the third party at the time such personal information
or contents of communications was disclosed; or
(B) a purpose to which the individual to whom the
information relates has consented.
(9) De-identify.--
(A) In general.--The term ``de-identify'' means,
with respect to information, performing actions so that
such information cannot reasonably identify, relate to,
describe, reference, be capable of being associated
with, or be linked, directly or indirectly, to a
particular individual or device, but only to the extent
that the covered entity that uses such information--
(i) has performed such actions using best
practices for the types of data such
information contains;
(ii) has implemented technical safeguards
that prohibit re-identification of the
individual with whom such information was
linked;
(iii) has implemented business processes
that specifically prohibit re-identification of
the information;
(iv) has implemented business processes to
prevent inadvertent release of such
information; and
(v) makes no attempt to re-identify such
information.
(B) Determination by the director.--The Director
may determine that a methodology of de-identifying
personal information is insufficient for the purposes
of this paragraph.
(10) Digital privacy agency.--The term ``Digital Privacy
Agency'' means the Digital Privacy Agency established under
section 301.
(11) Digital privacy agency investigator.--The term
``Digital Privacy Agency investigator'' means any attorney or
investigator employed by the Digital Privacy Agency who is
charged with the enforcement of or carrying out of any
provision of this Act or a rule or order prescribed under this
Act.
(12) Director.--The term ``Director'' means the Director of
the Digital Privacy Agency.
(13) Disclose.--The term ``disclose'' means, with respect
to personal information or contents of communication, to sell,
release, transfer, share, disseminate, make available, or
otherwise cause to be communicated, such information or
contents to a third party.
(14) Documentary material.--The term ``documentary
material'' includes the original or any copy of any book,
document, record, report, memorandum, paper, communication,
tabulation, chart, logs, electronic files, or other data or
data compilations stored in any medium.
(15) Federal agency.--The term ``Federal agency'' has the
meaning given that term in section 3371 of title 5, United
States Code.
(16) Federal privacy laws.--The term ``Federal privacy
laws'' includes the laws and regulations described in section
502.
(17) Government entity.--The term ``government entity''
means--
(A) a Federal agency;
(B) a State or political subdivision thereof; or
(C) any agency, authority, or instrumentality of a
State or political subdivision thereof.
(18) Individual.--The term ``individual'' means a natural
person residing in the United States.
(19) Indian tribe.--The term ``Indian Tribe'' has the
meaning given such term in section 4(e) of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 5304(e)).
(20) Maintain.--The term ``maintain'' means, with respect
to personal information or the contents of any communication,
to store, secure, or otherwise cause the retention of such
information or contents, or to take actions necessary for
storing, securing, or otherwise causing the retention of such
information or contents.
(21) Nonpublic information.--The term ``nonpublic
information'' means information that has not been disclosed in
a criminal, civil, or administrative proceeding, in a
government investigation, report, or audit, or by the news
media or other public source of information, and that was not
obtained in violation of the law.
(22) Personal information.--
(A) In general.--The term ``personal information''
means any information maintained by a covered entity
that, on its own or combined with other information, is
linked or reasonably linkable to a specific individual
or a specific device, including de-identified personal
information and the means to behavioral personalization
created for or linked to a specific individual.
(B) Exclusions.--The term ``personal information''
does not include--
(i) publicly available information linked
to an individual if that information was not
unlawfully made public; or
(ii) information derived or inferred from
personal information, if the derived or
inferred information is not linked or
reasonably linkable to a specific individual.
(23) Privacy harm.--The term ``privacy harm'' means an
adverse consequence or a potential adverse consequence to an
individual, a group of individuals, or society caused from
collecting, processing, maintaining, or disclosing of personal
information or contents of communications, including--
(A) direct or indirect financial loss or economic
harm;
(B) physical harm;
(C) psychological harm, including anxiety,
embarrassment, fear, and other trauma;
(D) adverse outcomes or decisions with respect to
the eligibility of an individual for rights, benefits,
or privileges in employment (including hiring, firing,
promotion, demotion, and compensation), credit and
insurance (including denial of an application or
obtaining less favorable terms), housing, education,
professional certification, or the provision of health
care and related services;
(E) stigmatization or reputational harm;
(F) price discrimination;
(G) adverse consequences that affect the private
life of an individual, including private family matters
and actions and communications within the home of such
individual or a similar physical, online, or digital
location where such individual has a reasonable
expectation that personal information will not be
collected, processed, or maintained;
(H) the chilling of free expression or action of an
individual, a group of individuals, or society, due to
perceived or actual pervasive and excessive collecting,
processing, disclosing, or maintaining of personal
information or contents of communications;
(I) impairing the autonomy of an individual, a
group of individuals, or society; and
(J) other adverse consequences or potential adverse
consequences, consistent with the provisions of this
Act, as determined by the Director.
(24) Privacy-preserving computing.--
(A) In general.--The term ``privacy-preserving
computing'' means the collecting, processing,
disclosing, or maintaining of personal information that
has been encrypted or otherwise rendered unintelligible
using a means that cannot be reversed by a covered
entity, or a covered entity's service provider, such
that--
(i) if such personal information could be
rendered intelligible through cooperation or
sharing of cryptographic secrets by multiple
persons, the covered entity has both technical
safeguards and business processes to prevent
such cooperation or sharing;
(ii) if such personal information is
rendered intelligible within a hardware
processing unit or other means of performing
operations on the information, there are
technical safeguards that, during the normal
course of operation--
(I) prevent rendering personal
information intelligible anywhere but
within the hardware processing unit or
other means of performing operations;
and
(II) make the exporting or
otherwise observing of such
intelligible information, or the
cryptographic secret used to protect
such information, impossible; and
(iii) if the result of such processing of
the personal information is also personal
information, such result must be unintelligible
to the covered entity or service provider and
protected by privacy-preserving computing.
(B) Insufficient methodologies.--The Director may
determine that a methodology of privacy-preserving
computing is insufficient for the purposes of this
definition.
(25) Process.--The term ``process'' means to perform or
cause to be performed any operation or set of operations on
personal information or contents of communication, whether or
not by automated means.
(26) Protected class.--The term ``protected class'' means
the actual or perceived race, color, ethnicity, national
origin, religion, sex (including sexual orientation and gender
identity or expression), familial status, or disability of an
individual or group of individuals.
(27) Publicly available information.--The term ``publicly
available information''--
(A) means--
(i) information that is lawfully made
available from a government entity;
(ii) information linked to a public
individual or official that is made publicly
accessible, without restrictions on
accessibility other than the general
authorization to access the services used to
make the information accessible; or
(iii) information of an individual that--
(I) is made publicly accessible by
such individual, without restrictions
on accessibility other than the general
authorization to access the services
used to make the information
accessible; and
(II) such individual has the
ability to delete or change without
relying on a request under section 102
or 103; and
(B) does not include--
(i) biometric information of an individual
collected by a covered entity without the
individual's knowledge;
(ii) information used for a purpose that is
not compatible with the purpose for which the
information is maintained and made available in
government records;
(iii) information obtained from government
records for the purpose of selling such
information; or
(iv) information used to contact or locate
a private individual either physically or
electronically.
(28) Reasonable mechanism.--The term ``reasonable
mechanism'' means, in the case of a mechanism for individuals
to exercise a right under title I or interact with a covered
entity under title II, a mechanism that--
(A) is equivalent in availability and ease of use
to that of other mechanisms for communicating or
interacting with the covered entity; and
(B) includes an online means of exercising such
right or engaging in such interaction, if such
individuals communicate or interact with such covered
entity through an online medium or if such covered
entity provides information processing services through
a public or widely available application programming
interface (or similar mechanism).
(29) Sell and sale.--
(A) In general.--The terms ``sell'' and ``sale''
mean the disclosing of personal information for
monetary consideration or for a thing of value by a
covered entity to a third party for the purposes of
processing, maintaining or disclosing such personal
information at the third party's discretion.
(B) Exclusions.--The terms ``sell'' and ``sale'' do
not include--
(i) the disclosing of personal information
of an individual to a third party with which
the individual has a direct relationship for
purposes of providing a product or service
requested by the individual or otherwise in a
manner that is consistent with an individual's
reasonable expectations considering the context
in which the individual provided the personal
information to the covered entity;
(ii) the disclosing or transfer of personal
information to a subsidiary or an affiliate of
the covered entity; or
(iii) the disclosing or transfer of
personal information to a third party as an
asset that is part of a merger, acquisition,
bankruptcy, or other transaction in which the
third party assumes control of all or part of
the covered entity's assets, unless personal
information makes up the majority of the value
of the assets of which the third party assumes
control.
(30) Service provider.--
(A) In general.--The term ``service provider''
means a covered entity that--
(i) processes, discloses, or maintains
personal information, where such covered entity
does not process, disclose, or maintain the
personal information other than in accordance
with the directions and on behalf of another
covered entity;
(ii) does not directly collect personal
information from or control the mechanism for
collecting personal information from an
individual;
(iii) does not earn revenue from
processing, maintaining, or disclosing personal
information disclosed to such covered entity by
another covered entity except by providing
contracted services to such other covered
entity;
(iv) does not disclose personal information
to another covered entity unless such personal
information was provided by such other covered
entity or resulted from maintaining or
processing performed on personal information
exclusively provided by such other covered
entity;
(v) does not offer services that allow
another covered entity to target specific
individuals using personal information not
provided by such other covered entity;
(vi) with respect to personal information
processed or maintained by such covered entity
on behalf of another covered entity, assists
such other covered entity in complying with
title I, including providing tools for such
other covered entity to comply with such
requirements if requested; and
(vii) does not link the personal
information provided by another covered entity
to personal information from any other source.
(B) Treatment.--A covered entity shall be treated
as a service provider under this Act only to the extent
that such covered entity is acting as a service
provider, as defined in subparagraph (A).
(31) Significant privacy harm.--The term ``significant
privacy harm'' means adverse consequences to an individual
arising from the collecting, processing, maintaining, or
disclosing of personal information or contents of
communications, limited to subparagraph (A), (B), or (D) of
paragraph (23).
(32) Small business.--The term ``small business'' means a
covered entity that--
(A) does not earn revenue from the sale of personal
information;
(B) earns less than half of annual revenues from
the processing of personal information for targeted or
personalized advertising;
(C) has not, in combination with each subsidiary
and affiliate of the service, maintained personal
information of 250,000 or more individuals for 3 or
more of the preceding 12 months;
(D) has fewer than 200 employees; and
(E) received less than $25,000,000 in gross revenue
in the preceding 12-month period.
(33) State.--The term ``State'' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.
(34) State attorney general.--The term ``State attorney
general'' means, with respect to a State, the attorney general
or chief law enforcement officer of the State, or another
official or agency designated by the State to bring civil
actions on behalf of the State or the residents of the State.
(35) State privacy regulator.--The term ``State privacy
regulator'' means an agency or instrumentality of a State that
has the primary purpose of administering, implementing, or
enforcing a privacy law or associated rules or regulations.
(36) Third party.--The term ``third party'' means, with
respect to a covered entity, a person--
(A) to which such covered entity disclosed personal
information; and
(B) that is not--
(i) such covered entity;
(ii) a subsidiary or corporate affiliate of
such covered entity; or
(iii) a service provider of such covered
entity.
(37) Users.--The term ``users'' means, with respect to a
product or service, the monthly active users, subscribers, or
customers (or a reasonable proxy or substitute therefor
determined by the Director) of such product or service.
(38) Violation.--The term ``violation'' means, except where
otherwise specified, any act or omission that, if proved, would
constitute a violation of any provision of this Act or a rule
or order issued pursuant to this Act.
SEC. 3. GENERAL PROVISIONS.
(a) Rules of Construction With Respect to Personal Information and
Individuals.--In this Act--
(1) any reference to information as being of or belonging
to an individual shall be construed to mean that such
information is linked or reasonably linkable to such individual
as described in section 2(22)(A); and
(2) any reference to any communication as being of or
belonging to an individual shall be construed to mean that such
individual is party to such communication.
(b) Prohibition on Waivers.--
(1) In general.--The provisions under this Act may not be
waived. Any agreement purporting to waive compliance with or
modifying any provision of this Act shall be void as contrary
to public policy.
(2) Prohibition on predispute arbitration agreements.--No
predispute arbitration agreement shall be valid or enforceable
with respect to any claims under this Act.
(c) Journalism Protection.--
(1) In general.--Covered entities engaged in journalism
shall not be subject to the obligations imposed under this Act
to the extent that those obligations directly infringe on the
journalism rather than the business practices of the covered
entity, so long as the covered entity has technical safeguards
and business processes that prevent the collecting, processing,
maintaining, or disclosing of such personal information for
business practices other than journalism.
(2) Journalism.--The term ``journalism'' includes the
collecting, maintaining, processing, and disclosing of personal
information about a public individual or official, or that
otherwise concerns matters of public interest, for
dissemination to the public.
(d) Small Business Compliance Ramp.--Upon losing its status as a
small business, a covered entity shall have nine months to comply with
provisions of this Act that a small business is exempt from complying
with.
(e) Prohibition on Collecting, Maintaining, Processing, or
Disclosing Personal Information.--A covered entity may not collect,
maintain, process, or disclose personal information using a channel of
interstate commerce unless such covered entity is in compliance with
all requirements of this Act.
SEC. 4. LIMITATION ON DISCLOSING NONREDACTED GOVERNMENT RECORDS.
(a) In General.--A government entity may not use a channel of
interstate commerce to disclose the personal information of an
individual in a government record without an agreement prohibiting the
recipient of such information from selling the information without the
express consent of the individual.
(b) Exception.--Notwithstanding subsection (a), this section does
not prohibit the disclosure of personal information using a channel of
interstate commerce to another government entity without consent of the
individual.
SEC. 5. CRIMINAL PROHIBITION ON DOXXING.
(a) In General.--Chapter 41 of title 18, United States Code, is
amended by adding at the end the following:
``Sec. 881. Disclosing of personal information with the intent to cause
harm
``(a) In General.--Whoever uses a channel of interstate or foreign
commerce to knowingly disclose an individual's personal information
with the intent--
``(1) to threaten, intimidate, or harass any person, incite
or facilitate the commission of a crime of violence against any
person, or place any person in reasonable fear of death or
serious bodily injury; or
``(2) that the information will be used to threaten,
intimidate, or harass any person, incite or facilitate the
commission of a crime of violence against any person, or place
any person in reasonable fear of death or serious bodily
injury,
shall be fined under this title or imprisoned not more than 5 years, or
both.
``(b) Digital Privacy Agency.--
``(1) Support functions.--The Director of the Digital
Privacy Agency may--
``(A) receive complaints and refer credible
complaints to the Attorney General;
``(B) coordinate with appropriate law enforcement
agencies to support investigations; and
``(C) provide technical assistance upon the request
of the Attorney General.
``(2) Rule of construction.--Nothing in this section shall
be construed to authorize the Digital Privacy Agency to
prosecute an offense under this section.
``(c) Definitions.--In this section:
``(1) Contents.--The term `contents' when used with respect
to communication, has the meaning given such term in section
2510 of this title.
``(2) Disclose.--The term `disclose' means, with respect to
personal information or contents of communication, to sell,
release, transfer, share, disseminate, make available, or
otherwise cause to be communicated such information or contents
to a third party.
``(3) Government entity.--The term `government entity'
means--
``(A) a Federal agency (as that term is defined in
section 3371 of title 5);
``(B) a State or political subdivision thereof; or
``(C) any agency, authority, or instrumentality of
a State or political subdivision thereof.
``(4) Individual.--The term `individual' means a natural
person residing in the United States.
``(5) Personal information.--
``(A) In general.--The term `personal information'
means any information maintained by a person that, on
its own or combined with other information, is linked
or reasonably linkable to a specific individual.
``(B) Exclusions.--The term `personal information'
does not include--
``(i) publicly available information linked
to an individual; or
``(ii) information derived or inferred from
personal information, if the derived or
inferred information is not linked or
reasonably linkable to a specific individual.
``(6) Publicly available information.--The term `publicly
available information'--
``(A) means--
``(i) information that is lawfully made
available from a government entity;
``(ii) information linked to a public
individual or official that is made publicly
accessible, without restrictions on
accessibility other than the general
authorization to access the services used to
make the information accessible; or
``(iii) information of an individual that--
``(I) is made publicly accessible
by such individual, without
restrictions on accessibility other
than the general authorization to
access the services used to make the
information accessible; and
``(II) such individual has the
ability to delete or change; and
``(B) does not include--
``(i) biometric information of an
individual collected by a covered entity
without the individual's knowledge;
``(ii) information used for a purpose that
is not compatible with the purpose for which
the information is maintained and made
available in government records;
``(iii) information obtained from
government records for the purpose of selling
such information; or
``(iv) information used to contact or
locate a private individual either physically
or electronically.
``(7) State.--The term `State' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.''.
(b) Clerical Amendment.--The table of sections for chapter 41 of
title 18, United States Code, is amended by inserting after the item
relating to section 880 the following:
``881. Disclosing of personal information with the intent to cause
harm.''.
TITLE I--INDIVIDUAL RIGHTS
SEC. 101. RIGHT OF ACCESS.
(a) In General.--A covered entity shall make available a reasonable
mechanism by which an individual may access--
(1) the categories of personal information and contents of
communications of such individual that is maintained by such
covered entity, including, in the case of personal information
that such covered entity did not collect from such individual,
how and from whom such covered entity obtained such personal
information;
(2) a list of the third parties, subsidiaries, and
corporate affiliates, to which such covered entity has
disclosed and from which such covered entity has, at any time
on or after the effective date of this Act, obtained the
personal information of such individual;
(3) a concise and clear description of the business or
commercial purposes of such covered entity--
(A) for collecting, processing, or maintaining the
personal information of such individual; and
(B) for disclosing to a third party the personal
information of such individual; and
(4) a list of automated decision-making processes that an
individual has a right to request human review of under section
105 with a concise and clear description of the implications
and intended effects of each such process.
(b) Exception for Publicly Accessible Information.--A covered
entity that makes available information required in subsection (a)
shall be considered in compliance with such requirements if the covered
entity provides an individual with instructions on how to access a
public posting of such information, including in a privacy policy, if
the instructions are easy and do not require payment.
(c) Small Businesses Excluded.--Subsection (a)(3) does not apply to
a small business.
SEC. 102. RIGHT OF CORRECTION.
(a) Dispute by Individual.--A covered entity shall make available a
reasonable mechanism by which an individual may dispute the accuracy or
completeness of personal information linked to such individual that is
maintained by such covered entity if such information is processed in
any way, by such covered entity, a third party of such covered entity,
or a service provider of such covered entity that may increase
reasonably foreseeable significant privacy harms.
(b) Correction by Covered Entity.--A covered entity receiving a
dispute under subsection (a) shall--
(1) correct or complete (as the case may be) the disputed
information and notify such individual that the correction or
completion has been made; or
(2) notify such individual that--
(A) the disputed information is correct or
complete;
(B) such covered entity lacks sufficient
information to correct or complete the disputed
information; or
(C) such covered entity is denying the request for
correction or completion in reliance on an exemption or
exception provided by section 109(g).
(c) Small Businesses Excluded.--This section does not apply to a
small business.
SEC. 103. RIGHT OF DELETION.
(a) Request by Individual.--A covered entity shall make available a
reasonable mechanism by which an individual may request the deletion of
personal information and contents of communications of such individual
maintained by such covered entity, including any such information that
such covered entity acquired from a third party or inferred from other
information maintained by such covered entity.
(b) Deletion by Covered Entity.--A covered entity receiving a
request for deletion under subsection (a) shall--
(1) delete such information and notify such individual that
such information has been deleted; or
(2) notify such individual that such covered entity is
denying the request for deletion in reliance on an exemption or
exception provided by section 109(g).
SEC. 104. RIGHT OF PORTABILITY.
(a) Determination of Portable Categories.--
(1) Annual determination.--Not less frequently than once
per calendar year, the Director shall--
(A) establish categories of products and services
offered by covered entities, based on similarities in
the products and services;
(B) determine which categories established under
subparagraph (A) are portable categories; and
(C) publish in the Federal Register a list of
portable categories determined under subparagraph (B).
(2) Opportunity for public comment.--Before publishing the
final list under paragraph (1)(C), the Director shall--
(A) publish a draft of such list in the Federal
Register; and
(B) provide an opportunity for public comment on
such draft list.
(b) Exercise of Right.--
(1) In general.--A covered entity that offers a product or
service in a portable category and that maintains personal
information or the contents of any communications of an
individual shall make available to such individual a reasonable
mechanism by which such individual may--
(A) download, in a format that is structured,
commonly used, and machine readable--
(i) any such personal information that such
individual has provided to such covered entity,
with the option to download such information by
category that is accessible under section 101;
and
(ii) the contents of any such
communications; and
(B) using a real-time application programming
interface, or similar mechanism, transmit all such
personal information (whether or not provided to such
covered entity by such individual) and the contents of
any such communication from such covered entity to
another covered entity in accordance with subsection
(c).
(2) Requirements for application programming interface.--
The application programming interface, or similar mechanism,
required by paragraph (1)(B) shall--
(A) be publicly documented;
(B) allow the option of obtaining any personal
information of an individual that the individual has
provided to the covered entity, if such information is
accessible under section 101;
(C) include a publicly available, fully functional
test version for development purposes; and
(D) be of similar quality to mechanisms used
internally by the covered entity.
(c) Requirements for Access to an Application Programming
Interface.--
(1) Access.--Except as provided in paragraph (2)(A), a
covered entity shall provide access to the application
programming interface or similar mechanism required by
subsection (b)(1)(B) upon the request of another covered entity
if the requesting covered entity has self-certified, using the
procedures established by the Director under paragraph (3)(A),
that such requesting covered entity--
(A) is a covered entity;
(B) can have personal information disclosed to it
under section 204;
(C) is, at the time of the self-certification, in
compliance with all applicable requirements of this Act
(including provisions a small business is otherwise
exempt from complying with);
(D) will continue to comply with all requirements
of this Act; and
(E) will only use such application programming
interface or similar mechanism at the express request
of an individual.
(2) Denial of access.--
(A) In general.--A covered entity may deny access
to the application programming interface or similar
mechanism required by subsection (b)(1)(B) if such
covered entity has an objective, reasonable belief that
the requesting covered entity has failed to meet the
requirements for self-certification under paragraph
(1).
(B) Review.--In accordance with the procedures
established under paragraph (3)(B), a covered entity
the request of which is denied under subparagraph (A)
may petition the Director for review of the denial. If
the Director finds that such denial is unreasonable,
the Director shall impose a penalty, to be established
in such procedures, on the covered entity that denied
the request.
(3) Certification and review procedures.--The Director
shall establish--
(A) procedures for a covered entity to self-certify
under paragraph (1); and
(B) procedures for the review of petitions under
paragraph (2)(B), including penalties for unreasonable
denials.
(d) Small Businesses Excluded.--This section does not apply to a
small business.
(e) Portable Category Defined.--In this section, the term
``portable category'' means a category of products and services
established by the Director under subsection (a)(1)(A)--
(1) for which the sum obtained by adding the number of
users or estimated users of each product or service in such
category is greater than 10,000,000; and
(2) that--
(A) has an estimated Herfindahl-Hirschman Index of
2,000 or greater;
(B) has 3 or fewer covered entities offering
products and services in such category; or
(C) the Director otherwise determines that a
category would benefit from encouraging increased
competition.
SEC. 105. RIGHT TO HUMAN REVIEW OF AUTOMATED DECISIONS.
For any decision by a covered entity based solely on automated
processing of personal information of an individual, if such processing
materially increases reasonably foreseeable significant privacy harms
for such individual, such covered entity shall--
(1) inform such individual of what personal information is
being or may be used for such decision;
(2) make available a reasonable mechanism by which such
individual may request human review of such decision, upon
request or in a publicly accessible location; and
(3) if such individual requests such a review, conduct such
review within a reasonable amount of time after such request.
SEC. 106. RIGHT TO INDIVIDUAL AUTONOMY.
(a) In General.--A covered entity may not, without the affirmative
express consent of an individual, collect, process, maintain, or
disclose the personal information of the individual to create, improve
upon, maintain, process, or otherwise link the individual with an
algorithm, model, or other means designed for behavioral
personalization.
(b) Consent.--
(1) Consent required.--A covered entity shall obtain
express affirmative consent from an individual before the
entity provides a behaviorally personalized version of a
product or service, and not less than every calendar year
thereafter.
(2) Denial of consent.--For a case in which consent is
denied, the covered entity shall provide the product or service
without behavioral personalization, except as provided in
subsection (c).
(c) Exceptions to Providing Product or Service.--
(1) Infeasibility.--For a case in which the offering of a
substantially similar product or service without behavioral
personalization is infeasible, a covered entity shall provide,
to the greatest extent feasible, a core aspect or part of the
product or service that can be offered without behavioral
personalization.
(2) Denial for inability to function.--For a case in which
a core aspect or part of the product or service is not able to
function in a substantially similar function without behavioral
personalization, a covered entity may deny providing an
individual use of such product or service if such individual
does not consent to behavioral personalization as required in
subsection (a).
(d) Exception to Behavioral Processing.--Notwithstanding
subsections (a) and (b), a covered entity may process personal
information to create or operate behavioral personalization algorithms,
models, or other mechanisms for the purpose of increasing the usability
of the product or service provided by a covered entity that--
(1) are built using aggregated personal information that is
representative of all the personal information the covered
entity maintains; and
(2) have an output that is both uniform across the
individuals that use the product or service and independent of
a specific individual's inherent or behavioral characteristics.
(e) Usability.--The term ``usability'' as used in subsection (d)
does not include optimizations or other alterations to the product or
service that are made with the primary purpose of increasing the amount
of time an individual engages with or uses the product or service,
unless such increase benefits the individual.
(f) Small Businesses Excluded.--This section does not apply to a
small business.
SEC. 107. RIGHT TO BE INFORMED.
A covered entity that collects personal information of an
individual with whom such covered entity does not have an existing
relationship (as of the time of the collecting), if such personal
information includes contact information, shall notify such individual
within 30 days after receipt of such information, in writing if
possible and at no charge to the individual, that such covered entity
has collected the personal information of such individual.
SEC. 108. RIGHT TO IMPERMANENCE.
(a) Limitation on Maintaining of Personal Information.--A covered
entity may not maintain personal information for more time than
expressly consented to by an individual whose personal information is
being maintained.
(b) Consent.--A covered entity shall obtain express affirmative
consent from an individual before maintaining the personal information
of such individual for any duration. Such consent may be obtained for
categories of personal information and shall give an individual options
to affirmatively choose granting a covered entity consent for various
durations, at least including--
(1) for no longer than needed to complete the specific
request or transaction (including a reasonable estimate of such
duration by the covered entity);
(2) until consent is revoked; and
(3) one or more additional durations based on reasonable
expectations and norms for maintaining the category of personal
information.
(c) Exception for Implied Consent.--Where the long-term maintaining
of personal information is, on its face, obvious and a core feature of
the product or service at the request of the individual, and the
personal information is maintained only to provide such product or
service, subsections (a) and (b) shall not apply.
SEC. 109. ADDITIONAL RIGHTS AND EXCEPTIONS.
(a) In General.--The Director may, by rule and subject to notice
and comment, establish procedural requirements and narrowly tailored
exceptions governing the exercise of rights under this title, limited
to the following:
(1) Identity verification and authentication procedures.
(2) Standardized formats and reasonable mechanisms for
submitting and fulfilling requests.
(3) Reasonable limits to prevent fraud, abuse, or excessive
and duplicative requests.
(4) Timelines and recordkeeping requirements consistent
with this title.
(5) Narrowly tailored exceptions necessary to prevent a
legitimate risk to the privacy, security, or safety of another
individual, or to protect free expression, consistent with
section 110(b).
(b) Limitations.--The Director may not create any new substantive
right or broadly waive compliance with this title.
SEC. 110. EXEMPTIONS, EXCEPTIONS, FEES, TIMELINES, AND RULES OF
CONSTRUCTION FOR RIGHTS UNDER THIS TITLE.
(a) Exemptions for Personal Information for Particular Purposes.--
(1) In general.--This title does not apply with respect to
personal information that is collected, processed, maintained,
or disclosed for any of the following purposes (or a
combination of such purposes), where a covered entity has
technical safeguards and business processes that limit
collecting, processing, maintaining, or disclosing of such
personal information to the following purposes:
(A) Detecting, responding to, or preventing
security incidents or threats.
(B) Protecting against malicious, deceptive,
fraudulent, or illegal activity.
(C) A good faith response to, or compliance with, a
valid subpoena, court order, or warrant (including a
subpoena and court order obtained by an entity that is
not a government entity) or otherwise providing
information as required by law.
(D) Protecting a legally recognized privilege or
other legal right.
(E) Protecting public safety.
(F) Collecting, processing, or maintaining by an
employer pursuant to an employer-employee relationship
of records about employees or employment status,
except--
(i) where the information would not be
reasonably expected to be collected in the
context of an employee's regular duties; or
(ii) was disclosed to the employer by a
third party.
(G) Preventing prospective abuses of a service by
an individual whose account has been previously
terminated.
(H) Routing a communication through a
communications network or resolving the location of a
host or client on a communications network.
(I) Providing transparency in advertising or
origination of user-generated content.
(2) Re-identification.--Where compliance with this title
would require the re-identification of de-identified personal
information, and the covered entity does not already maintain
the information necessary for such re-identification, the
covered entity shall be exempt from such compliance, except for
requirements under section 106.
(3) Disclosing.--A covered entity relying on an exemption
under paragraph (1) with respect to personal information shall
disclose in the privacy policy maintained by such entity under
section 211--
(A) the reason for which such information is
collected, processed, maintained, or disclosed; and
(B) a description of the rights provided by this
title that are not available with respect to such
personal information by reason of such exemption.
(b) Exceptions for Particular Requests.--
(1) In general.--A covered entity may deny the request of
an individual under this title if--
(A) such covered entity cannot confirm the identity
of such individual;
(B) such covered entity determines that granting
the request of such individual would create a
legitimate risk to the privacy, security, safety, or
other rights of another individual;
(C) such covered entity determines that granting
the request of such individual would create a
legitimate risk to free expression; or
(D) the personal information requested to be
corrected under section 102 or deleted under section
103--
(i) is necessary to the completion of a
transaction initiated before such request was
made or the performance of a contract entered
into before such request was made;
(ii) was collected specifically for the
completion of such transaction or the
performance of such contract; and
(iii) would undermine the integrity of a
legally significant transaction.
(2) Limitations on requests for additional information to
confirm identity.--A covered entity may not deny a request of
an individual under paragraph (1)(A) on the basis of the
refusal of such individual to provide additional personal
information to such covered entity to confirm the identity of
such individual--
(A) if the identity of such individual can
reasonably be confirmed using personal information of
such individual that such covered entity (as of the
time of the request) already maintains; or
(B) if such individual has an existing relationship
(as of the time of the request) with such covered
entity, such individual has confirmed the identity of
such individual to such covered entity in the same
manner as for other transactions of a similar
sensitivity.
(c) Exemption for Service Providers.--This title does not apply to
a service provider.
(d) Exemption for Privacy-Preserving Computing.--Except for
sections 101, 105, and 106, this title does not apply to personal
information secured using privacy-preserving computing.
(e) Timeline for Complying With a Request.--Without undue delay but
not longer than 30 days after the request, a covered entity that
receives a request under this title must--
(1) comply with such request; or
(2) inform such individual of the reason for denying such
request, as allowed under subsection (a) or (b).
(f) Fees Prohibited.--
(1) In general.--Except as provided in paragraph (2), a
covered entity may not charge a fee to an individual for a
request made under this title.
(2) Unfounded or excessive requests.--If a request under
this title is unfounded or excessive, a covered entity may
charge a reasonable fee that reflects the estimated
administrative costs of complying with such request.
(3) Agency notice.--If a covered entity plans to charge a
fee under paragraph (2), it must notify the Digital Privacy
Agency at least 7 days before charging such fee.
(4) Agency review.--The Director may reject any fee that a
covered entity plans to charge for a request made under this
title if the Director finds--
(A) such fee to be unreasonable relative to
reasonable administrative costs of complying with a
request under this title; or
(B) such request is not unfounded or excessive.
(g) Rules of Construction.--Nothing in this title shall be
construed to require a covered entity to--
(1) take an action that would convert information that is
not personal information into personal information;
(2) collect or maintain personal information or contents of
communication that the covered entity would otherwise not
maintain (including a record of an individual exercising rights
under this title); or
(3) maintain personal information or contents of
communication longer than the covered entity would otherwise
maintain such personal information.
TITLE II--REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND
THIRD PARTIES
SEC. 201. MINIMIZATION.
(a) Articulated Basis.--A covered entity shall have a reasonable,
articulated basis for collecting, processing, maintaining, and
disclosing of personal information that takes into account the
reasonable business needs of the covered entity and minimum amount of
personal information necessary for providing the service, balanced with
the intrusion on the privacy of, potential privacy harms to, and
reasonable expectations of individuals to whom the personal information
relates.
(b) Minimization of Collecting, Processing, Maintaining, and
Disclosing.--
(1) Collecting.--A covered entity may not collect more
personal information than is reasonably needed to provide a
product or service that an individual has requested.
(2) Processing.--A covered entity may not process personal
information for a purpose other than the purpose for which such
information was originally collected from the individual or in
the case of a service provider, a purpose other than that which
is in accordance with the directions of a covered entity.
(3) Maintaining.--A covered entity may not maintain
personal information once such information is no longer needed
for the purpose for which such information was originally
collected from the individual or in the case of a service
provider, a purpose other than that which is in accordance with
the directions of a covered entity.
(4) Disclosing.--A covered entity may not disclose personal
information for a purpose other than the purpose for which such
information was originally collected from the individual or in
the case of a service provider, a purpose other than that which
is in accordance with the directions of a covered entity.
(c) Ancillary Collecting, Processing, Maintaining, and
Disclosing.--Notwithstanding subsection (b), a covered entity may
collect, process, disclose, or maintain personal information beyond
limitations under subsection (b) only if such covered entity complies
with this subsection.
(1) No notice or consent required.--A covered entity may
collect, process, or maintain personal information without
additional notice or consent if the purpose for such
collecting, processing, or maintaining is substantially similar
to the type of personal information and purpose for which such
personal information was originally collected and such
ancillary collecting, processing, or maintaining will not
result in additional or increased privacy harms.
(2) Notice required.--A covered entity shall provide notice
of ancillary collecting, processing, maintaining, or disclosing
of personal information in the case of one, but not more than
one, of the following instances:
(A) Such ancillary collecting, processing,
maintaining, or disclosing may result in additional or
increased privacy harms (but not increased significant
privacy harms), and is substantially similar to the
purpose for which such personal information was
originally collected.
(B) Such ancillary collecting, processing,
maintaining, or disclosing is not substantially similar
to the purpose for which such personal information was
originally collected, but will not result in additional
or increased privacy harms.
(C) Such ancillary collecting, processing,
maintaining, or disclosing may result in additional or
increased privacy harms (but not increased significant
privacy harms), and the purpose is not substantially
similar to the purpose for which such personal
information was originally collected, so long as the
personal information is secured using privacy-
preserving computing.
(3) Notice and consent required.--For scenarios not covered
under paragraph (1) or (2), and notwithstanding sections
208(b)(2) and (3), a covered entity shall provide notice of and
obtain consent for ancillary collecting, processing,
maintaining, or disclosing of personal information.
(d) Substitution.--In cases in which personal information can be
replaced with artificial personal information, personal information
that has been de-identified, or the random personal information of one
or more individuals without substantially reducing the utility of the
data or requiring an unreasonable amount of effort, such a replacement
shall take place.
SEC. 202. MINIMIZATION AND RECORDS OF ACCESS BY EMPLOYEES AND
CONTRACTORS.
(a) Minimization.--A covered entity shall restrict access to
personal information and contents of communications by the employees or
contractors of such covered entity based on an articulated balance
between the potential for privacy harm, reasonable expectations of
individuals to whom the personal information relates, and reasonable
business needs.
(b) Records of Access.--
(1) In general.--A covered entity shall maintain records
identifying each instance in which an employee or a contractor
of such covered entity accesses personal information or
contents of communications if disclosing such personal
information or contents of communication, or a data breach or
data-sharing abuse involving such personal information or
contents of communication, may foreseeably result in increased
privacy harms.
(2) Information required.--The records required by
paragraph (1) shall include the following:
(A) A unique identifier for the employee or
contractor accessing personal information or contents
of communications.
(B) The date and time of access.
(C) The fields of information accessed.
(D) The individuals whose personal information was
accessed or the contents of whose communications were
accessed.
(3) Small businesses excluded.--This subsection does not
apply to a small business.
SEC. 203. PROHIBITIONS ON DISCLOSING OF PERSONAL INFORMATION.
(a) Consent for Disclosing Required.--
(1) In general.--A covered entity may not intentionally
disclose personal information unless the covered entity obtains
consent of the individual whose personal information is being
disclosed for each category of third party to which such
personal information will be disclosed. Such covered entity
must also provide such individual with notice of--
(A) each category of third party;
(B) the personal information to be disclosed; and
(C) a concise and clear description of the business
or commercial purpose for disclosing such personal
information.
(2) Additional requirements for sale of personal
information.--
(A) In general.--A covered entity may not
intentionally sell personal information unless the
covered entity--
(i) obtains the consent required by
paragraph (1) for disclosing such personal
information; and
(ii) provides the individual to whom such
personal information relates with the identity
of the specific third party to which such
personal information will be disclosed.
(B) Disclosing services.--Subparagraph (A) shall
not apply to a covered entity in a case in which an
individual is directing the covered entity to disclose
the personal information of such individual for the
sole purpose of procuring goods or services, or offers
for goods or services, for such individual, if there is
a reasonable mechanism for the individual to withdraw
consent.
(3) Requirement to include original purpose of
collecting.--A covered entity may not intentionally disclose
personal information without including the purpose for which
the personal information was originally collected.
(4) Exception for privacy-preserving computing.--
Notwithstanding paragraph (1), consent is not required for
disclosing (not including selling) personal information secured
using privacy-preserving computing.
(5) Exception for de-identified personal information.--
Notwithstanding paragraph (1), consent is not required for
disclosing (not including selling) de-identified personal
information where the disclosed personal information is limited
to the narrowest possible scope likely to yield the intended
benefit and contractual obligations are in place that
prohibit--
(A) re-identification of the disclosed personal
information; and
(B) the processing of additional personal
information in combination with the disclosed personal
information that would allow for the re-identification
of the disclosed personal information.
(b) Disclosing for Advertising or Marketing Purposes.--
(1) In general.--A covered entity may not intentionally
disclose for advertising or marketing purposes a unique
identifier or any other personal information that would allow
information disclosed to be linked to information relating to
the same individual or device disclosed in the past.
(2) Treatment of certain types of information.--Disclosing
personal information or contents of communication for
advertising or marketing purposes may not be treated as
violating paragraph (1) by reason of including any or all of
the following:
(A) Internet Protocol addresses truncated to no
more than the first 24 bits for Internet Protocol
version 4 and the first 48 bits for Internet Protocol
version 6, or for a successor protocol truncated to
limit the precision of the identifier to a network
address of the internet access provider.
(B) Geolocation information truncated to allow no
more than the equivalent of two decimal degrees of
precision at the equator or prime meridian, or an
equivalent precision in another geolocation standard.
(C) A general description of a device, browser, or
operating system, or any combination thereof.
(D) An identifier that is unique to a disclosure.
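The thresholds in subsection (b)(2)(A), (B) and (D) above are concrete enough to check mechanically. The following is an added example, not text or code from the bill: it masks IPv4 addresses to their first 24 bits and IPv6 addresses to their first 48 bits with the standard-library `ipaddress` module, snaps a coordinate to a coarse grid, mints a per-disclosure random identifier, and then runs a small compliance check over a constructed advertising payload. Two things are assumptions of the example rather than anything the bill states: the phrase "two decimal degrees of precision" is read literally as a 2.0-degree grid (the bill does not define a rounding rule), and the record field names (`ip`, `lat`, `lon`, `advertising_id`, `disclosure_id`, and so on) are invented for illustration.

```python
"""Precision checks modelled on sec. 203(b)(2)(A)-(D) of the bill text above.

Added example; not part of the bill. IPv4 is kept to its first 24 bits and
IPv6 to its first 48 bits (subparagraph (A)). Geolocation is snapped to a
2.0-degree grid (subparagraph (B), read literally; the grid size is an
assumption of this example). Field names in the records are also assumptions.
"""
import ipaddress
import math
import secrets

IPV4_PREFIX = 24          # (A): first 24 bits of an IPv4 address
IPV6_PREFIX = 48          # (A): first 48 bits of an IPv6 address
GRID_DEGREES = 2.0        # (B): assumed literal reading of "two decimal degrees"

# Field names that would let one disclosure be joined to an earlier one about
# the same person or device (prohibited by paragraph (1)). Assumed names.
PERSISTENT_ID_FIELDS = ("user_id", "device_id", "cookie_id", "advertising_id")


def truncate_ip(address: str) -> str:
    """Clear every host bit beyond the permitted prefix and return the result.

    Raises ValueError for input that is not a valid IPv4 or IPv6 address.
    """
    ip = ipaddress.ip_address(address)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    # strict=False lets ip_network accept an address with host bits set.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def is_truncated_ip(address: str) -> bool:
    """True if the address already carries no bits beyond the permitted prefix."""
    ip = ipaddress.ip_address(address)
    return ipaddress.ip_address(truncate_ip(address)) == ip


def truncate_geo(lat: float, lon: float, grid: float = GRID_DEGREES) -> tuple[float, float]:
    """Snap a coordinate to the south-west corner of its grid cell."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinate out of range: {lat}, {lon}")
    return (math.floor(lat / grid) * grid, math.floor(lon / grid) * grid)


def is_coarse_geo(lat: float, lon: float, grid: float = GRID_DEGREES) -> bool:
    """True if the coordinate is already on the coarse grid."""
    return truncate_geo(lat, lon, grid) == (lat, lon)


def make_disclosure(ip: str, lat: float, lon: float, device: str) -> dict:
    """Build a payload that uses only the (A)-(D) categories."""
    coarse_lat, coarse_lon = truncate_geo(lat, lon)
    return {
        "ip": truncate_ip(ip),                 # (A)
        "lat": coarse_lat,                     # (B)
        "lon": coarse_lon,                     # (B)
        "device": device,                      # (C) general description only
        "disclosure_id": secrets.token_hex(16),  # (D) fresh per disclosure
    }


def check_disclosure(record: dict) -> list[str]:
    """Return the problems found in a payload destined for an ad/marketing partner.

    An empty list means every field present falls within (A)-(D).
    """
    problems = []
    ip = record.get("ip")
    if ip is not None:
        try:
            if not is_truncated_ip(ip):
                problems.append(f"ip {ip} carries host bits beyond the permitted prefix")
        except ValueError:
            problems.append(f"ip {ip!r} is not a valid address")
    if "lat" in record and "lon" in record:
        try:
            if not is_coarse_geo(record["lat"], record["lon"]):
                problems.append("geolocation is finer than the permitted grid")
        except ValueError as exc:
            problems.append(str(exc))
    for key in PERSISTENT_ID_FIELDS:
        if record.get(key):
            problems.append(f"{key} is a persistent identifier linking this disclosure to past ones")
    return problems


# Constructed sample: what an unfiltered ad-tech payload might look like.
RAW_RECORD = {
    "ip": "203.0.113.77",
    "lat": 38.8977,
    "lon": -77.0365,
    "device": "Android phone",
    "advertising_id": "c5c0a8b2-0f9e-4d3b-9a61-2b7e1d4f8c10",
}

if __name__ == "__main__":
    for problem in check_disclosure(RAW_RECORD):
        print("raw:", problem)
    cleaned = make_disclosure(RAW_RECORD["ip"], RAW_RECORD["lat"], RAW_RECORD["lon"], RAW_RECORD["device"])
    print("cleaned:", cleaned, "->", check_disclosure(cleaned) or "no problems")
```

The check deliberately treats a missing field as fine and a present-but-too-precise field as a problem, since the bill's safe harbor is about what may be included, not what must be. Masking is done on the parsed address rather than by string slicing so that compressed IPv6 forms and IPv4-mapped addresses are handled by the library rather than by hand.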
SEC. 204. DISCLOSING TO ENTITIES NOT SUBJECT TO UNITED STATES
JURISDICTION OR NOT COMPLIANT WITH THIS ACT.
(a) Prohibition.--A covered entity may not intentionally disclose
personal information to any entity that--
(1) is not subject to the jurisdiction of the United
States; or
(2) is not in compliance with all requirements of this Act.
(b) Exception.--Notwithstanding subsection (a), a covered entity
may disclose personal information where that personal information is
limited to an identifier created primarily for the purpose of sending
or receiving electronic communications and the sole purpose of
disclosing is to send or receive an electronic communication at the
request of the individual whose personal information is being
disclosed.
(c) Safe Harbors for Disclosing.--Notwithstanding subsection (a), a
covered entity may disclose personal information to another covered
entity (the receiving covered entity) that is not subject to the
jurisdiction of the United States if either--
(1) the receiving covered entity has entered into an
agreement, as described in subsection (e), with the Digital
Privacy Agency, and--
(A) the covered entity has a reasonable belief that
the receiving covered entity is sufficiently solvent to
compensate victims or pay fines for violations of this
Act;
(B) a contract between the covered entity and
receiving covered entity requires that the receiving
covered entity complies with this Act, and the covered
entity has reason to believe the receiving covered
entity is compliant with this Act; and
(C) a contract between the covered entity and the
receiving covered entity prohibits the receiving
covered entity from using the disclosed personal
information for any purpose other than provided in the
contract; or
(2) the covered entity has--
(A) entered into an agreement with the receiving
covered entity that--
(i) requires the receiving covered entity
to comply with this Act;
(ii) prohibits the receiving covered entity
from using the disclosed personal information
for any purpose other than provided in the
contract;
(iii) requires the receiving covered entity
to indemnify the covered entity against
violations of this Act committed by the
receiving covered entity for any amount the
covered entity is unable to pay of a judgment
for such violation;
(iv) grants the covered entity the
authority to audit, including physical access
to electronic devices and data, the receiving
covered entity's compliance with this Act and
the contract; and
(v) requires the receiving covered entity
to assist the covered entity in responding to
and complying with any court orders, Digital
Privacy Agency orders, or the exercising of an
individual's rights under this Act;
(B) actual knowledge that the receiving covered
entity is in compliance with this Act and not using
personal information contrary to their agreement;
(C) actual knowledge that the receiving covered
entity is sufficiently solvent to compensate victims or
pay fines for violations of this Act;
(D) an auditing and compliance program to ensure
the receiving covered entity's continued compliance
with this Act and contract terms;
(E) filed with the Digital Privacy Agency the terms
of said contract, proof of its actual knowledge of the
receiving covered entity's compliance with this Act and
contract terms, and documents detailing its auditing
and compliance program for approval and publication by
the Digital Privacy Agency; and
(F) entered into an agreement with the Digital
Privacy Agency where the covered entity agrees to
accept, respond to, or comply with a court order,
Digital Privacy Agency order, or request by an
individual regarding actions taken by the receiving
covered entity with respect to covered information it
has disclosed.
(d) Liability for Violation by Receiving Covered Entity; Failure To
Report.--For the purposes of subsection (c)(2), the covered entity
shall be jointly liable for a violation of this Act by the receiving
covered entity regarding the personal information the covered entity
disclosed, except where the covered entity was the first to notify the
Digital Privacy Agency of the violation, in which case, it shall be
severally liable. Where the covered entity should reasonably have known
of a violation of this Act by the receiving covered entity and fails to
disclose the violation to the Digital Privacy Agency, each day of
continuance of the failure to report such violation shall be treated as
a separate violation.
(e) Agency Agreements.--Upon the request of a covered entity not
subject to the jurisdiction of the United States, the Digital Privacy
Agency shall enter into an agreement with the covered entity that
includes, but is not limited to, the following conditions:
(1) The principal place of business for the covered entity
must be in a country that allows for the domestication of a
United States court decision for civil fines payable to a
government entity and injunctive relief. Where a foreign court
refuses to enforce a United States court decision under this
Act, the agreement, and all other agreements with covered
entities with a principal place of business in the same
jurisdiction, shall be void.
(2) The covered entity agrees to comply with this Act.
(3) The covered entity agrees to be subject to this Act
with choice of venue being a United States court.
(4) The covered entity agrees to comply with Digital
Privacy Agency investigative requests or orders, and United
States court orders or decisions under this Act.
(5) The covered entity consents to United States Federal
court personal jurisdiction for the sole purpose of enforcing
this Act.
(6) Where enforcement of the decision requires the use of a
foreign court, the covered entity agrees to pay reasonable
attorney fees necessary to enforce the judgment.
(7) A default judgment, failure to comply with Digital
Privacy Agency investigative requests or orders, or failure to
comply with United States court orders or decisions shall
result in the immediate termination of the agreement.
(f) Rule of Construction Against Data Localization.--Nothing in
this section shall be construed to require the localization of
processing or maintaining personal information by a covered entity to
within the United States, or limit internal disclosing of personal
information within a covered entity or to a subsidiary or corporate
affiliate of such covered entity, regardless of the country in which
the covered entity will process, disclose, or maintain that personal
information.
SEC. 205. PROHIBITION ON RE-IDENTIFICATION.
(a) In General.--Except as required under title I, a covered entity
shall not use personal information collected from an individual,
acquired from a third party, or acquired from publicly available
information to re-identify an individual from de-identified
information.
(b) Third-Party Prohibition.--A covered entity that discloses de-
identified information to a third party shall prohibit such third party
from re-identifying an individual using such de-identified information.
(c) Exception.--Subsection (a) shall not apply to qualified
research entities, as determined by the Director, conducting research
not for commercial purposes.
SEC. 206. RESTRICTIONS ON COLLECTING, PROCESSING, MAINTAINING, AND
DISCLOSING CONTENTS OF COMMUNICATIONS.
(a) In General.--A covered entity may not collect, process,
maintain, or disclose the contents of any communication, regardless of
whether the sender or intended recipient of the communication is an
individual, other person, or an electronic device, for any purpose
other than--
(1) transmitting or displaying the communication to any
intended recipient or the original sender, or maintaining such
communications for such purposes;
(2) detecting, responding to, or preventing security
incidents or threats;
(3) providing services to assist in the drafting or
creation of the content of a communication;
(4) processing expressly requested by the sender or
intended recipient, if the sender or intended recipient can
terminate such processing using a reasonable mechanism;
(5) disclosing as otherwise required by law;
(6) filtering a communication where the primary purpose of
the communication is the commercial advertisement or promotion
of a commercial product or service of a covered entity; or
(7) detecting or enforcing an abuse or violation of the
terms of service of the covered entity that would result in
either a temporary or permanent ban from using the service.
(b) Intended Recipient.--A covered entity is not considered an
intended recipient of a communication, or any communication used in the
creation of the content of said communication, where--
(1) at least one intended recipient is a natural person
other than an employee or contractor of the covered entity;
(2) at least one intended recipient is a person other than
the covered entity; or
(3) a purpose of the covered entity's service is to
maintain, at the direction of the sender, the content of said
communication for more than a transitory period.
(c) Sender.--The sender of a communication is the person at whose
direction and on whose behalf the communication, and its content, is
disclosed.
(1) Where the sender is a natural person, they shall be the
sender of the entire content of the communication, regardless
of the original author of any portion of the content.
(2) Otherwise, a sender shall be the sender of only the
content it was an original author of, or content it received as
an intended recipient.
(d) Exception for Publicly Available Communications.--Subsection
(a) shall not apply where the contents of communication are made
publicly accessible by the sender without restrictions on accessibility
other than the general authorization to access the services used to
make the information accessible.
(e) Encryption Protection.--A covered entity shall not--
(1) prohibit or prevent a person from encrypting or
otherwise rendering unintelligible the content of a
communication using a means that prevents the covered entity
from being able to decrypt or otherwise render intelligible
said content; and
(2) require or cause a person to disclose or circumvent the
means described in paragraph (1) to the covered entity that
would allow it to render the content intelligible.
(f) Service Providers Safe Harbor.--A service provider shall not be
held liable for a violation of this section if such service provider is
acting at the direction of and on behalf of a covered entity and has a
reasonable belief that the covered entity's directions are in
compliance with this section.
SEC. 207. PROHIBITION ON DISCRIMINATORY PROCESSING.
(a) Discrimination in Economic Opportunities.--A covered entity may
not process personal information or contents of communication for
advertising, marketing, soliciting, offering, selling, leasing,
licensing, renting, or otherwise commercially contracting for
employment, finance, health care, credit, insurance, housing, or
education opportunities in a manner that discriminates against or
otherwise makes opportunities unavailable on the basis of the protected
class status of an individual.
(b) Public Accommodations.--A covered entity may not process
personal information in a manner that segregates, discriminates in, or
otherwise makes unavailable the goods, services, facilities,
privileges, advantages, or accommodations of any place of public
accommodation on the basis of the protected class status of an
individual or a group of individuals.
(c) Disparate Impact Authority.--Not later than 6 months after the
date of the enactment of this Act, the Director shall issue additional
requirements related to a disparate impact standard that--
(1) describes other circumstances in which an individual or
group of individuals may be harmed by an action of a covered
entity through the processing of personal information or
contents of communication of the protected class status of that
individual in a manner not described in subsection (a) or (b);
(2) prohibits such action; and
(3) provides for enforcement under this Act or through
regulation.
(d) Regulations.--Not later than one year after the date of the
enactment of this Act, the Director shall promulgate regulations to
implement this section and may define any term used under this section,
including ``discriminates against'' and ``otherwise makes opportunities
unavailable''.
SEC. 208. REQUIREMENTS FOR NOTICE AND CONSENT PROCESSES AND PRIVACY
POLICIES.
(a) Minimum Threshold.--The Director shall establish minimum
thresholds that covered entities must meet for the percentage of
individuals who understand a notice or consent process or privacy
policy required by this Act. In establishing such minimum thresholds,
the Director shall--
(1) vary required thresholds on types and scale of
reasonably foreseeable privacy harms; and
(2) take into account expectations of individuals,
potential privacy harms, and individuals' awareness of privacy
harms.
(b) Consent Revocation.--A covered entity shall make available a
reasonable mechanism by which an individual may revoke consent for any
consent given under this Act.
(c) Safe Harbor.--
(1) Approval procedures.--The Director shall develop
procedures for analyzing and approving data submitted by a
covered entity to establish that a notice and consent process
or privacy policy of such covered entity meets the threshold
established under subsection (a).
(2) Presumption.--If a covered entity submits testing data
to and receives an approval from the Director under paragraph
(1) establishing that a notice or consent process or privacy
policy of such covered entity meets the threshold established
under subsection (a), such notice or consent process or privacy
policy shall be presumed to have met such threshold. Such
presumption may be rebutted by clear and convincing evidence.
(3) Public availability of approved processes and policies
and associated testing data.--The Director shall make publicly
available online the notice and consent processes and privacy
policies and associated testing data that the Director approves
under paragraph (1).
(4) Small business adoption of notice or consent process of
another covered entity.--
(A) In general.--If a small business adopts a
notice or consent process of another covered entity
that collects, processes, maintains, or discloses
personal information in substantially the same way as
such small business, if the process of such other
covered entity has been approved under paragraph (1),
the process of such small business shall receive the
presumption under paragraph (2).
(B) Ability to freely use approved process.--A
covered entity whose notice or consent process is
approved under paragraph (1) shall permit a small
business to freely use such process, or a derivative
thereof, as described in subparagraph (A).
(C) No published process.--In the case of a small
business for which there is no approved notice or
consent process published under paragraph (3) of a
covered entity that collects, processes, maintains, or
discloses personal information in substantially the
same way as such small business, any requirement under
this title for a notice or consent process to be
objectively shown to meet the threshold established by
the Director under subsection (a) shall not apply to
such small business. Nothing in the preceding sentence
exempts a small business from the requirement to use
such notice or consent process or that such process be
concise and clear.
(D) Inapplicability to privacy policy.--Paragraph
(4) does not apply with respect to a privacy policy.
(5) Minor changes.--A covered entity may make minor changes
in a notice or consent process or privacy policy approved under
paragraph (1) and retain the presumption under paragraph (2)
for such process or policy without retesting or resubmission of
testing data to the Director.
SEC. 209. PROHIBITION ON ``DARK PATTERNS'' IN NOTICE AND CONSENT
PROCESSES AND PRIVACY POLICIES.
In providing notice, obtaining consent, or maintaining a privacy
policy as required by this title, a covered entity may not
intentionally take any action that substantially impairs, obscures, or
subverts the ability of an individual to--
(1) understand the contents of such notice or such privacy
policy;
(2) understand the process for granting such consent;
(3) make a decision regarding whether to grant or withdraw
such consent; or
(4) act on any such decision.
SEC. 210. NOTICE AND CONSENT REQUIRED.
(a) Notice.--A covered entity shall provide an individual with
notice of the personal information such covered entity collects,
processes, maintains, and discloses through a process that is concise
and clear and can be objectively shown to meet the threshold
established by the Director under section 208(a).
(b) Consent.--
(1) Express consent required.--Except as provided in
paragraphs (2) and (3), a covered entity may not collect from
an individual personal information that creates or increases
the risk of foreseeable privacy harms, or process or maintain
any such personal information collected from an individual,
unless such entity obtains the express consent of such
individual to the collecting, processing, or maintaining (or
any combination thereof) of such information through a process
that is concise and clear and can be objectively shown to meet
the threshold established by the Director under section 208(a).
(2) Exception for implied consent.--Notwithstanding
paragraph (1), express consent is not required for collecting,
processing, or maintaining personal information if the
collecting, processing, or maintaining is, on its face, obvious
and necessary to provide a service at the request of the
individual and the personal information is collected,
processed, or maintained only for such request. Nothing in this
paragraph shall be construed to exempt the covered entity from
the requirement of subsection (a) to provide notice to such
individual with respect to such collecting, processing, or
maintaining.
(3) Exemption for privacy-preserving computing.--
Notwithstanding paragraph (1), except with regard to consent
for purposes of section 106, express consent is not required
for collecting, processing, or maintaining personal information
secured using privacy-preserving computing. Nothing in this
paragraph shall be construed to exempt the covered entity from
the requirement of subsection (a) to provide notice to such
individual with respect to such collecting, processing, or
maintaining.
(c) Service Providers Excluded.--This section does not apply to a
service provider if such service provider has a reasonable belief that
a covered entity for which it processes, maintains, or discloses
personal information is in compliance with this section.
SEC. 211. PRIVACY POLICY.
(a) Policy Required.--A covered entity shall maintain a privacy
policy relating to the practices of such entity regarding the
collecting, processing, maintaining, and disclosing of personal
information.
(b) Contents.--The privacy policy required by subsection (a) shall
contain the following:
(1) A general description of the practices of the covered
entity regarding the collecting, processing, maintaining, and
disclosing of personal information.
(2) A description of how individuals may exercise the
rights provided by title I.
(3) A clear and concise summary of the following:
(A) The categories of personal information
collected or otherwise obtained by the covered entity.
(B) The business or commercial purposes of the
covered entity for collecting, processing, maintaining,
or disclosing personal information.
(C) The categories and a list of third parties to
which the covered entity discloses personal
information.
(4) A description of the personal information that the
covered entity maintains that the covered entity does not
collect from individuals and how the covered entity obtains
such personal information.
(5) A list of the third parties to which the covered entity
has disclosed personal information.
(6) A list of the third parties from which the covered
entity has obtained personal information at any time on or
after the effective date of this Act.
(7) The articulated basis for the collecting, processing,
disclosing, and maintaining of personal information, as
required under section 201(a).
(c) Exemption for Personal Information for Particular Purposes.--
The privacy policy required by subsection (a) is not required to
contain information relating to personal information that is collected,
processed, maintained, or disclosed exclusively for any of the purposes
described in paragraph (1) of section 109(a) (or a combination of such
purposes), except as provided in paragraph (2) of such section.
(d) Availability of Privacy Policy.--
(1) Form and manner.--The privacy policy required by
subsection (a) shall be--
(A) clear and in plain language; and
(B) made publicly available in a prominent location
on an ongoing basis.
(2) Timing.--The privacy policy required by subsection (a)
shall be made available as required by paragraph (1) before the
covered entity collects personal information after the
effective date of this Act.
(e) Small Businesses Excluded.--Subsections (b)(7) and (d) do not
apply to a small business.
(f) Service Providers Excluded.--This section does not apply to a
service provider if such service provider has a reasonable belief that
a covered entity for which it processes, maintains, or discloses
personal information is in compliance with this section.
SEC. 212. INFORMATION SECURITY REQUIREMENTS.
(a) In General.--A covered entity shall establish and implement
reasonable information security policies, practices, and procedures for
the protection of personal information collected, processed,
maintained, or disclosed by such covered entity, taking into
consideration--
(1) the nature, scope, and complexity of the activities
engaged in by such covered entity;
(2) the sensitivity of any personal information at issue;
(3) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(4) the cost of implementing such administrative,
technical, and physical safeguards.
(b) Specific Policies, Practices, and Procedures.--The policies,
practices, and procedures required by subsection (a) shall include the
following:
(1) A written security policy with respect to collecting,
processing, maintaining, and disclosing of personal
information. Such policy shall be made publicly available in a
prominent location on an ongoing basis, except that the
publicly available version is not required to contain
information that would compromise a purpose described in
section 109(a)(1).
(2) A process for identifying and assessing reasonably
foreseeable security vulnerabilities in the system or systems
used by such covered entity that contain personal information,
which shall include regular monitoring for vulnerabilities or
data breaches involving such system or systems.
(3) A process for taking action designed to mitigate
against vulnerabilities identified in the process required by
paragraph (2), which may include implementing any changes to
security practices and the architecture, installation, or
implementation of network or operating software, or for
regularly testing or otherwise monitoring the effectiveness of
the existing safeguards.
(4) A process for determining if personal information is no
longer needed and disposing of personal information by
shredding, permanently erasing, or otherwise modifying the
medium on which such personal information is maintained to make
such personal information permanently unreadable or
indecipherable.
(5) A process for overseeing persons who have access to
personal information, including through network-connected
devices.
(6) A process for employee training and supervision for
implementation of the policies, practices, and procedures
required by this section.
(7) A written plan or protocol for internal and public
response in the event of a data breach or data-sharing abuse.
(c) Regulations.--The Director, in consultation with the
Cybersecurity and Infrastructure Security Agency and the National
Institute of Standards and Technology, shall promulgate regulations to
implement this section.
(d) Small Businesses Assistance.--The Director, in consultation
with the Cybersecurity and Infrastructure Security Agency, the National
Institute of Standards and Technology, the Small Business
Administration, the Minority Business Development Agency, and small
businesses, shall develop policy templates, toolkits, tip sheets,
configuration guidelines for commonly used hardware and software,
interactive tools, and other materials to assist small businesses with
complying with this section.
SEC. 213. NOTIFICATION OF DATA BREACH OR DATA-SHARING ABUSE.
(a) Notification of Agency.--
(1) In general.--In the case of a data breach or data-
sharing abuse with respect to personal information maintained
by a covered entity, such covered entity shall, without undue
delay and, if feasible, not later than 72 hours after becoming
aware of such data breach or data-sharing abuse, notify the
Director of such data breach or data-sharing abuse, unless such
data breach or data-sharing abuse is unlikely to create or
increase foreseeable privacy harms.
(2) Reasons for delay.--If the notification required by
paragraph (1) is made more than 72 hours after the covered
entity becomes aware of the data breach or data-sharing abuse,
such notification shall be accompanied by a statement of the
reasons for the delay.
(b) Notification of Other Covered Entity.--In the case of a data
breach or data-sharing abuse with respect to personal information
maintained by a covered entity that such covered entity obtained from
another covered entity, the covered entity experiencing such data
breach or data-sharing abuse shall, without undue delay and, if
feasible, not later than 72 hours after becoming aware of such data
breach or data-sharing abuse, notify such other covered entity of such
data breach or data-sharing abuse, unless such data breach or data-
sharing abuse is unlikely to create or increase foreseeable privacy
harms. A covered entity receiving notice under this subsection of a
data breach or data-sharing abuse shall notify any other covered entity
from which the covered entity receiving notice obtained personal
information involved in such data breach or data-sharing abuse, in the
same manner as required under the preceding sentence for the covered
entity experiencing such data breach or data-sharing abuse.
(c) Notification of Individuals.--
(1) In general.--In the case of a data breach or data-
sharing abuse with respect to personal information maintained
by a covered entity (or a data breach or data-sharing abuse
about which a covered entity is notified under subsection (b)),
if such covered entity has a relationship with an individual
whose personal information was involved or potentially involved
in such data breach or data-sharing abuse, such covered entity
shall notify such individual of such data breach or data-
sharing abuse not later than 14 days after becoming aware of
such data breach or data-sharing abuse (or, in the case of a
data breach or data-sharing abuse about which a covered entity
is notified under subsection (b), not later than 14 days after
being so notified), if such data breach or data-sharing abuse
creates or increases foreseeable privacy harms.
(2) Medium of notification.--A covered entity shall notify
an individual as required by paragraph (1) through--
(A) the same medium through which such individual
routinely interacts with such covered entity; and
(B) one additional medium of notification, if such
covered entity has the personal information necessary
to make a notification through such an additional
medium without causing excessive financial burden for
such covered entity.
(d) Rule of Construction.--This section shall not apply to a
covered entity if a person uses personal information obtained from a
data breach or data-sharing abuse not involving such covered entity.
TITLE III--DIGITAL PRIVACY AGENCY
SEC. 301. ESTABLISHMENT; DIRECTOR AND DEPUTY DIRECTOR.
(a) Agency Established.--There is established an independent agency
in the executive branch to be known as the ``Digital Privacy Agency'',
which shall implement and enforce this Act.
(b) Director.--
(1) In general.--There is established the position of the
Director, who shall serve as the head of the Digital Privacy
Agency.
(2) Appointment.--Subject to paragraph (3), the Director
shall be appointed by the President, by and with the advice and
consent of the Senate.
(3) Qualification.--The Director shall have a professional
background, experience, knowledge, and expertise in the
following:
(A) Privacy.
(B) Information security.
(C) Technology.
(D) Civil rights and civil liberties.
(4) Term.--
(A) In general.--The Director shall serve for a
term of 6 years.
(B) Expiration of term.--An individual may serve as
Director after the expiration of the term for which
appointed, until a successor has been appointed and
qualified.
(5) Compensation.--
(A) In general.--The Director shall be compensated
at the rate prescribed for level II of the Executive
Schedule under section 5313 of title 5, United States
Code.
(B) Conforming amendment.--Section 5313 of title 5,
United States Code, is amended by inserting after the
item relating to the ``Chief Executive Officer, United
States International Development Finance Corporation.''
the following new item: ``Director of the Digital
Privacy Agency.''.
(c) Deputy Director.--There is established the position of Deputy
Director, who shall be appointed by the Director.
(d) Vacancy of Office of Director.--
(1) In general.--Sections 3345 through 3349d of title 5,
United States Code (commonly known as the ``Federal Vacancies
Reform Act of 1998''), shall not apply to the office of the
Director of the Digital Privacy Agency.
(2) Line of succession.--The Deputy Director shall serve as
acting Director if the Director dies, resigns, or is otherwise
unable to perform the functions and duties of the office. The
Director shall establish a line of succession among senior
officers of the Digital Privacy Agency in the event the
position of Deputy Director is vacant to perform the functions
and duties of the Director temporarily in an acting capacity.
(e) Service Restriction.--No Director or Deputy Director may hold
any office, position, or employment in any covered entity during the
period of service of such person as Director or Deputy Director.
(f) Offices.--The Director shall establish a principal office and
field offices of the Digital Privacy Agency in locations that have high
levels of activity by covered entities, as determined by the Director.
SEC. 302. AGENCY POWERS AND AUTHORITIES.
(a) Powers of the Digital Privacy Agency.--The Director is
authorized to establish the general policies of the Digital Privacy
Agency with respect to all executive and administrative functions,
including--
(1) establishing rules for conducting the general
business of the Digital Privacy Agency, in a manner not
inconsistent with this Act;
(2) binding the Digital Privacy Agency and entering into
contracts;
(3) directing the establishment and continued operation of
divisions or other offices within the Digital Privacy Agency,
in order to carry out the responsibilities of the Digital
Privacy Agency under this Act, and to satisfy the requirements
of other applicable law;
(4) coordinating and overseeing the operation of all
administrative, enforcement, and research activities of the
Digital Privacy Agency;
(5) adopting and using a seal;
(6) determining the character of and the necessity for the
obligations and expenditures of the Digital Privacy Agency;
(7) appointing and supervising personnel employed by the
Digital Privacy Agency;
(8) distributing business among personnel appointed and
supervised by the Director and among administrative units of
the Digital Privacy Agency;
(9) using and expending funds;
(10) implementing this Act through rules, orders, guidance,
interpretations, statements of policy, investigations, and
enforcement actions; and
(11) performing such other functions as may be authorized
or required by law.
(b) Delegation of Authority.--The Director may not delegate the
power to appoint the Deputy Director under section 301(c).
(c) Autonomy of Agency Regarding Recommendations and Testimony.--No
officer or agency of the United States may require the Director or any
other officer of the Digital Privacy Agency to submit legislative
recommendations, or testimony or comments on legislation, to any
officer or agency of the United States for approval, comments, or
review prior to the submission of such recommendations, testimony, or
comments to the Congress, if such recommendations, testimony, or
comments to the Congress include a statement indicating that the views
expressed therein are those of the Director or such officer, and do not
necessarily reflect the views of the President.
(d) Rulemaking Authority.--
(1) In general.--The Director may prescribe such rules and
regulations as may be necessary and appropriate, and in the
public interest, to implement, administer, and carry out this
Act, and to prevent evasions thereof.
(2) Regulations.--The Digital Privacy Agency may issue
regulations after notice and comment in accordance with section
553 of title 5, United States Code, as may be necessary to
implement, administer, and carry out this Act.
(e) Consultations.--In implementing or enforcing this Act, the
Director may consult with--
(1) Federal agencies that have--
(A) jurisdiction over Federal privacy laws; and
(B) expertise in privacy or information security;
(2) State attorneys general, State privacy regulators, and
other State agencies that have expertise in privacy or
information security;
(3) international and intergovernmental bodies that conduct
activities relating to privacy or information security;
(4) agencies of other countries that are similar to the
Digital Privacy Agency or have expertise in privacy or
information security;
(5) privacy and information security experts in academia,
government, civil society, or industry; and
(6) advisory boards of the Digital Privacy Agency
established under section 308, as appropriate.
(f) Agency Deference.--In any action for judicial review of
regulations or orders of the Digital Privacy Agency, the reviewing
court shall defer to the reasonable interpretation by the Digital
Privacy Agency of this Act.
SEC. 303. REPORTING AND AUDIT REQUIREMENTS.
(a) Reports Required.--
(1) In general.--Not later than 6 months after the date of
the enactment of this Act, and every 6 months thereafter, the
Director shall submit a report to the President and to the
Committee on Energy and Commerce, the Committee on the
Judiciary, and the Committee on Appropriations of the House of
Representatives and the Committee on Commerce, Science, and
Transportation, the Committee on the Judiciary, and the
Committee on Appropriations of the Senate, and shall publish
such report on the website of the Digital Privacy Agency.
(2) Contents.--Each report required by subsection (a) shall
include--
(A) a discussion of the significant problems faced
by individuals with respect to the privacy or security
of personal information;
(B) a justification of the budget request of the
Digital Privacy Agency for the preceding year, unless a
justification for such year was included in the
preceding report submitted under such subsection;
(C) a list of the significant rules and orders
adopted by the Digital Privacy Agency, as well as other
significant initiatives conducted by the Digital
Privacy Agency, during the preceding 6-month period and
the plan of the Digital Privacy Agency for rules,
orders, or other initiatives to be undertaken during
the upcoming 6-month period;
(D) an analysis of complaints about the privacy or
security of personal information that the Digital
Privacy Agency has received and collected in the
database described in section 307(a) during the
preceding 6-month period;
(E) a list, with a brief statement of the issues,
of the public enforcement actions to which the Digital
Privacy Agency was a party during the preceding 6-month
period; and
(F) an assessment of significant actions by State
attorneys general or State privacy regulators relating
to this Act or the rules prescribed under this Act
during the preceding 6-month period.
(b) Annual Audits.--The Director shall order an annual independent
audit of the operations and budget of the Digital Privacy Agency.
SEC. 304. RELATION TO OTHER AGENCIES.
(a) Coordination.--
(1) In general.--With respect to covered entities and
service providers, to the extent that Federal law authorizes
the Digital Privacy Agency and another Federal agency to
enforce a Federal privacy law, the head of the other Federal
agency shall coordinate with the Director of the Digital
Privacy Agency to promote consistent enforcement of this Act
and the other Federal privacy law.
(2) Referral.--Any Federal agency authorized to enforce
Federal privacy laws may recommend in writing to the Digital
Privacy Agency that the Digital Privacy Agency initiate an
enforcement proceeding, as the Digital Privacy Agency is
authorized by that Federal privacy law or by this Act.
(b) Transfers From the Commission.--
(1) Transfers of authority.--
(A) Transfer of rulemaking and certain other
authorities under federal privacy laws.--The Digital
Privacy Agency shall have all powers and duties under
the Federal privacy laws to prescribe rules, issue
guidelines, or to conduct studies or issue reports
mandated by such laws, that were vested in the
Commission on the effective date of this Act. The
authority of the Commission under Federal privacy laws
to prescribe rules, issue guidelines, or conduct a
study or issue a report mandated under such law shall
be transferred to the Digital Privacy Agency on the
effective date of this Act.
(B) Transfer of enforcement authority.--The Digital
Privacy Agency may enforce a rule prescribed by the
Commission under--
(i) Federal privacy laws; or
(ii) the Federal Trade Commission Act (15
U.S.C. 41 et seq.) related to unfair or
deceptive acts or practices relating to
privacy, information security, identity theft,
data abuses, and related matters.
(2) Transfer of privacy employees.--Any employee of the
Commission employed in a division, bureau, office, or other
subdivision of the Commission with the primary responsibility
of administering, investigating, or enforcing Federal privacy
laws or applications of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) related to unfair or deceptive acts or
practices relating to privacy, information security, identity
theft, data abuses, and related matters shall be transferred to
the Digital Privacy Agency. Such employee shall be provided
with compensation and benefits not less than the equivalent of
compensation and benefits provided to such employee on the date
of enactment of this Act or compensation and benefits provided
to an employee of the Digital Privacy Agency in a comparable
position with comparable experience.
(c) Preservation of Authorities of Other Agencies.--Except as
described in this section, no provision of this Act shall be construed
as modifying, limiting, or otherwise affecting the operation of any
provision of Federal law, or otherwise affecting the authority of any
Federal agency under a Federal privacy law or any other law, including
the ability of such Federal agency to promulgate regulations and
enforce Federal privacy laws.
SEC. 305. PERSONNEL.
(a) Personnel.--
(1) Appointment generally.--The Director may fix the number
of, and appoint and direct, all employees of the Digital
Privacy Agency, in accordance with the applicable provisions of
title 5, United States Code. The Director may appoint personnel
without regard to the provisions of title 5, United States
Code, governing appointments in the competitive service, so
long as the Director sets requirements, conducts recruitment,
and determines appointments in a fair, transparent, and
equitable manner.
(2) Employees of the agency.--The Director is authorized to
employ privacy experts, technologists, computer scientists,
user experience designers and researchers, data scientists,
ethicists, attorneys, investigators, economists, civil rights
experts, and other employees as the Director considers
necessary to conduct the business of the Digital Privacy
Agency. Unless otherwise provided expressly by law, any
individual appointed under this section shall be an employee,
as defined in section 2105 of title 5, United States Code, and
subject to the provisions of such title and other laws
generally applicable to the employees of an executive agency.
(3) Employee compensation.--The Director may fix and adjust
the pay and benefits of personnel as the Director considers
desirable, competitive, transparent, and equitable, without
regard to the provisions of chapter 51 and subchapter III of
chapter 53 of title 5, United States Code, relating to
classification and General Schedule pay rates, respectively.
(4) Labor-management relations.--Chapter 71 of title 5,
United States Code, shall apply to the Digital Privacy Agency
and the employees of the Digital Privacy Agency.
(b) Additional Roles.--
(1) Chief information officer.--
(A) Designation of an agency cio.--Subchapter II of
chapter 113 of subtitle III of title 40, United States
Code, is amended--
(i) in section 11315(c) by adding ``and of
the Digital Privacy Agency'' before the em dash
immediately preceding paragraph (1); and
(ii) in section 11319(a)(1) by adding ``and
the Digital Privacy Agency'' before the period.
(B) Responsibility.--The Chief Information Officer
of the Digital Privacy Agency, as designated by
subparagraph (A), shall ensure the Digital Privacy
Agency uses technology efficiently to implement,
administer, and enforce this Act and the rules and
orders issued pursuant to this Act.
(2) Inspector general.--Section 401 of title 5, United
States Code, is amended--
(A) in paragraph (1), by inserting ``the Digital
Privacy Agency,'' after ``the Export-Import Bank of the
United States,''; and
(B) in paragraph (3), by inserting ``the Director
of the Digital Privacy Agency;'' after ``the President
of the Export-Import Bank of the United States;''.
(3) Ombud.--The Director shall appoint an ombud who shall--
(A) act as a liaison between the Digital Privacy
Agency and any affected person with respect to any
problem that such person may have in dealing with the
Digital Privacy Agency that results from the regulatory
activities of the Digital Privacy Agency; and
(B) ensure that safeguards exist to encourage
complainants to come forward and preserve
confidentiality.
(c) Authority To Accept Federal Detailees.--The Director may accept
officers or employees of the United States or members of the Armed
Forces on a detail from an element of the Federal Government on a
nonreimbursable basis, as jointly agreed to by the heads of the
receiving and detailing elements, for a period not to exceed 3 years.
SEC. 306. OFFICE OF CIVIL RIGHTS.
The Director shall establish an Office of Civil Rights within the
Digital Privacy Agency that shall have the following responsibilities:
(1) Providing oversight and enforcement of this Act, rules
and orders issued pursuant to this Act, and Federal privacy
laws to ensure that collecting, processing, maintaining, and
disclosing of personal information is fair, equitable, and non-
discriminatory in treatment and effect, including through the
implementation and enforcement of section 207.
(2) Developing, establishing, and promoting practices that
affirmatively further equal opportunity to and expand access to
employment (including hiring, firing, promotion, demotion, and
compensation), credit and insurance (including denial of an
application or obtaining less favorable terms), housing,
education, professional certification, or the provision of
health care and related services.
(3) Coordinating the Digital Privacy Agency's civil rights
efforts with other Federal agencies and State regulators, as
appropriate, to promote consistent, efficient, and effective
enforcement of Federal civil rights laws.
(4) Working with civil rights advocates, privacy experts,
and other experts (including members of the advisory boards
established under section 308) on the promotion of compliance
with the civil rights provisions under this Act, rules and
orders issued pursuant to this Act, and Federal privacy laws.
(5) Liaising with communities and consumers impacted by
practices regulated by this Act and the Digital Privacy Agency,
to ensure that their needs and views are appropriately taken
into account.
(6) Providing annual reports to Congress on the efforts of
the Digital Privacy Agency to fulfill its civil rights mandate.
(7) Such additional powers and duties as the Director may
determine are appropriate.
SEC. 307. COMPLAINTS OF INDIVIDUALS.
(a) In General.--The Director shall establish a unit within the
Digital Privacy Agency the functions of which shall include
establishing a single, toll-free telephone number, a website, and a
database or utilizing an existing database to facilitate the
centralized collection of, monitoring of, and response to complaints of
individuals regarding the privacy or security of personal information.
The Director shall coordinate with other Federal agencies with
jurisdiction over Federal privacy laws to route complaints to such
agencies, where appropriate.
(b) Routing Complaints to States.--To the extent practicable, State
agencies (including State privacy regulators) may receive appropriate
complaints from the systems established under subsection (a), if--
(1) the State agency system has the functional capacity to
receive calls or electronic reports routed by the Digital
Privacy Agency systems;
(2) the State agency has satisfied any conditions of
participation in the system that the Digital Privacy Agency may
establish, including treatment of personal information and
sharing of information on complaint resolution or related
compliance procedures and resources; and
(3) participation by the State agency includes measures
necessary to provide for protection of personal information
that conform to the standards for protection of the
confidentiality of personal information and for data integrity
and security that apply to Federal agencies.
(c) Data Sharing Required.--To facilitate inclusion in the reports
required by section 303 of the matters regarding complaints of
individuals required by subsection (a)(2)(D) of such section to be
included in such reports, investigation and enforcement activities, and
monitoring of the privacy and security of personal information, the
Digital Privacy Agency shall share information about complaints of
individuals with Federal and State agencies (including State privacy
regulators) that have jurisdiction over the privacy or security of
personal information and State attorneys general, subject to the
standards applicable to Federal agencies for the protection of the
confidentiality of personal information and for information security
and integrity. Other Federal agencies that have jurisdiction over the
privacy or security of personal information shall share data relating
to complaints of individuals regarding the privacy or security of
personal information with the Digital Privacy Agency, subject to the
standards applicable to Federal agencies for the protection of
confidentiality of personal information and for information security
and integrity.
(d) Publishing of Complaints.--
(1) Consent required.--In collecting a complaint from an
individual, the Digital Privacy Agency shall request consent
for publishing the complaint without any information
identifying the individual.
(2) Public database.--The Digital Privacy Agency shall make
publicly available on its website a database of each complaint
for which it has received consent to publish the complaint from
an individual who provided the complaint to the Digital Privacy
Agency.
(3) Redacting information.--When necessary, the Digital
Privacy Agency may redact information from a published
complaint to protect the privacy of the individual.
SEC. 308. ADVISORY BOARDS.
(a) Establishment.--The Director shall establish the following
advisory boards to advise and consult with the Digital Privacy Agency
in the exercise of its functions under this Act, and to provide
information on emerging practices relating to the treatment of personal
information by covered entities:
(1) The User Advisory Board, which shall be composed of
experts in consumer protection, privacy, civil rights, and
ethics.
(2) The Research Advisory Board, which shall be composed of
individuals with academic and research expertise in privacy,
cybersecurity, computer science, innovation, design, ethics,
economics, law, and public policy.
(3) The Startup Advisory Board, which shall be composed of
representatives of small businesses and investors in small
businesses.
(4) The Product Advisory Board, which shall be composed of
technologists, computer scientists, designers, product
managers, attorneys, and other representatives of covered
entities.
(b) Appointments.--The Director shall appoint members to the
advisory boards established under subsection (a) without regard to
party affiliation.
(c) Meetings.--Each advisory board established under subsection (a)
shall meet from time to time at the call of the Director, but, at a
minimum, shall meet at least twice in each calendar year.
(d) Compensation and Travel Expenses.--Members of the advisory
boards established under subsection (a) who are not full-time employees
of the United States shall--
(1) be entitled to receive compensation at a rate fixed by
the Director while attending meetings of the advisory board,
including travel time; and
(2) receive travel expenses, including per diem in lieu of
subsistence, in accordance with applicable provisions under
subchapter I of chapter 57 of title 5, United States Code.
SEC. 309. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Director to carry
out this Act $550,000,000 for each of the fiscal years 2026, 2027,
2028, 2029, and 2030.
TITLE IV--ENFORCEMENT
SEC. 401. INVESTIGATIONS AND ADMINISTRATIVE DISCOVERY.
(a) Joint Investigations.--The Digital Privacy Agency or, where
appropriate, a Digital Privacy Agency investigator, may conduct
investigations and make requests for information, as authorized under
this Act, on a joint basis with another Federal agency, a State
attorney general, or a State privacy regulator.
(b) Subpoenas.--
(1) In general.--The Digital Privacy Agency or a Digital
Privacy Agency investigator may issue subpoenas for the
attendance and testimony of witnesses and the production of
relevant papers, books, documents, or other material in
connection with hearings under this Act.
(2) Failure to obey.--In the case of contumacy or refusal
to obey a subpoena issued pursuant to this subsection and
served upon any person, the district court of the United States
for any district in which such person is found, resides, or
transacts business, upon application by the Digital Privacy
Agency or a Digital Privacy Agency investigator and after
notice to such person, may issue an order requiring such person
to appear and give testimony or to appear and produce documents
or other material.
(3) Contempt.--Any failure to obey an order of the court
under paragraph (2) may be punished by the court as a contempt
thereof.
(c) Demands.--
(1) In general.--Whenever the Digital Privacy Agency has
reason to believe that any person may be in possession,
custody, or control of any documentary material or tangible
things, or may have any information, relevant to a violation,
the Digital Privacy Agency may, before the institution of any
proceedings under this Act, issue in writing, and cause to be
served upon such person, a civil investigative demand requiring
such person to--
(A) produce such documentary material for
inspection and copying or reproduction in the form or
medium requested by the Digital Privacy Agency;
(B) submit such tangible things;
(C) file written reports or answers to questions;
(D) give oral testimony concerning documentary
material, tangible things, or other information; or
(E) furnish any combination of such material,
answers, or testimony.
(2) Requirements.--Each civil investigative demand shall
state the nature of the conduct constituting the alleged
violation which is under investigation and the provision of law
applicable to such violation.
(3) Production of documents.--Each civil investigative
demand for the production of documentary material shall--
(A) describe each class of documentary material to
be produced under the demand with such definiteness and
certainty as to permit such material to be fairly
identified;
(B) prescribe a return date or dates which will
provide a reasonable period of time within which the
material so demanded may be assembled and made
available for inspection and copying or reproduction;
and
(C) identify the custodian to whom such material
shall be made available.
(4) Production of things.--Each civil investigative demand
for the submission of tangible things shall--
(A) describe each class of tangible things to be
submitted under the demand with such definiteness and
certainty as to permit such things to be fairly
identified;
(B) prescribe a return date or dates which will
provide a reasonable period of time within which the
things so demanded may be assembled and submitted; and
(C) identify the custodian to whom such things
shall be submitted.
(5) Demand for written reports or answers.--Each civil
investigative demand for written reports or answers to
questions shall--
(A) propound with definiteness and certainty the
reports to be produced or the questions to be answered;
(B) prescribe a date or dates at which time written
reports or answers to questions shall be submitted; and
(C) identify the custodian to whom such reports or
answers shall be submitted.
(6) Oral testimony.--Each civil investigative demand for
the giving of oral testimony shall--
(A) prescribe a date, time, and place at which oral
testimony shall be commenced; and
(B) identify a Digital Privacy Agency investigator
who shall conduct the investigation and the custodian
to whom the transcript of such investigation shall be
submitted.
(7) Service.--Any civil investigative demand issued, and
any enforcement petition filed, under this section may be
served--
(A) by any Digital Privacy Agency investigator at
any place within the territorial jurisdiction of any
court of the United States; and
(B) upon any person who is not found within the
territorial jurisdiction of any court of the United
States--
(i) in such manner as the Federal Rules of
Civil Procedure prescribe for service in a
foreign nation; and
(ii) to the extent that the courts of the
United States have authority to assert
jurisdiction over such person, consistent with
due process, the United States District Court
for the District of Columbia shall have the
same jurisdiction to take any action respecting
compliance with this section by such person
that such district court would have if such
person were personally within the jurisdiction
of such district court.
(8) Method of service.--Service of any civil investigative
demand or any enforcement petition filed under this section may
be made upon a person by--
(A) delivering a duly executed copy of such demand
or petition to the individual or to any partner,
executive officer, managing agent, or general agent of
such person, or to any agent of such person authorized
by appointment or by law to receive service of process
on behalf of such person;
(B) delivering a duly executed copy of such demand
or petition to the principal office or place of
business of the person to be served; or
(C) depositing a duly executed copy in the United
States mails, by registered or certified mail, return
receipt requested, duly addressed to such person at the
principal office or place of business of such person.
(9) Proof of service.--
(A) In general.--A verified return by the
individual serving any civil investigative demand or
any enforcement petition filed under this section
setting forth the manner of such service shall be proof
of such service.
(B) Return receipts.--In the case of service by
registered or certified mail, such return shall be
accompanied by the return post office receipt of
delivery of such demand or enforcement petition.
(10) Production of documentary material.--The production of
documentary material in response to a civil investigative
demand shall be made under a sworn certificate, in such form as
the demand designates, by the person, if a natural person, to
whom the demand is directed or, if not a natural person, by any
person having knowledge of the facts and circumstances relating
to such production, to the effect that all of the documentary
material required by the demand and in the possession, custody,
or control of the person to whom the demand is directed has
been produced and made available to the custodian.
(11) Submission of tangible things.--The submission of
tangible things in response to a civil investigative demand
shall be made under a sworn certificate, in such form as the
demand designates, by the person to whom the demand is directed
or, if not a natural person, by any person having knowledge of
the facts and circumstances relating to such production, to the
effect that all of the tangible things required by the demand
and in the possession, custody, or control of the person to
whom the demand is directed have been submitted to the
custodian.
(12) Separate answers.--Each reporting requirement or
question in a civil investigative demand shall be answered
separately and fully in writing under oath, unless it is
objected to, in which event the reasons for the objection shall
be stated in lieu of an answer, and it shall be submitted under
a sworn certificate, in such form as the demand designates, by
the person, if a natural person, to whom the demand is directed
or, if not a natural person, by any person responsible for
answering each reporting requirement or question, to the effect
that all information required by the demand and in the
possession, custody, control, or knowledge of the person to
whom the demand is directed has been submitted.
(13) Testimony.--
(A) In general.--
(i) Oath and recordation.--The examination
of any person pursuant to a demand for oral
testimony served under this subsection shall be
taken before an officer authorized to
administer oaths and affirmations by the laws
of the United States or of the place at which
the examination is held. The officer before
whom oral testimony is to be taken shall put
the witness on oath or affirmation and shall
personally, or by any individual acting under
the direction of and in the presence of the
officer, record the testimony of the witness.
(ii) Transcription.--The testimony shall be
taken stenographically and transcribed.
(B) Parties present.--Any Digital Privacy Agency
investigator before whom oral testimony is to be taken
shall exclude from the place where the testimony is to
be taken all other persons, except the person giving
the testimony, the attorney for that person, the
officer before whom the testimony is to be taken, an
investigator or representative of an agency with which
the Digital Privacy Agency is engaged in a joint
investigation, and any stenographer taking such
testimony.
(C) Location.--The oral testimony of any person
taken pursuant to a civil investigative demand shall be
taken in the judicial district of the United States in
which such person resides, is found, or transacts
business, or in such other place as may be agreed upon
by the Digital Privacy Agency investigator before whom
the oral testimony of such person is to be taken and
such person.
(D) Attorney representation.--
(i) In general.--Any person compelled to
appear under a civil investigative demand for
oral testimony pursuant to this subsection may
be accompanied, represented, and advised by an
attorney.
(ii) Authority.--The attorney may advise a
person described in clause (i), in confidence,
either upon the request of such person or upon
the initiative of the attorney, with respect to
any question asked of such person.
(iii) Objections.--A person described in
clause (i), or the attorney for that person,
may object on the record to any question, in
whole or in part, and such person shall briefly
state for the record the reason for the
objection. An objection may properly be made,
received, and entered upon the record when it
is claimed that such person is entitled to
refuse to answer the question on grounds of any
constitutional or other legal right or
privilege, including the privilege against
self-incrimination, but such person shall not
otherwise object to or refuse to answer any
question, and such person or attorney shall not
otherwise interrupt the oral examination.
(iv) Refusal to answer.--If a person
described in clause (i) refuses to answer any
question--
(I) the Digital Privacy Agency may
petition the district court of the
United States pursuant to this section
for an order compelling such person to
answer such question; and
(II) if the refusal is on grounds
of the privilege against self-
incrimination, the testimony of such
person may be compelled in accordance
with the provisions of section 6004 of
title 18, United States Code.
(E) Transcripts.--For purposes of this subsection--
(i) after the testimony of any witness is
fully transcribed, the Digital Privacy Agency
investigator shall afford the witness (who may
be accompanied by an attorney) a reasonable
opportunity to examine the transcript;
(ii) the transcript shall be read to or by
the witness, unless such examination and
reading are waived by the witness;
(iii) any changes in form or substance
which the witness desires to make shall be
entered and identified upon the transcript by
the Digital Privacy Agency investigator, with a
statement of the reasons given by the witness
for making such changes;
(iv) the transcript shall be signed by the
witness, unless the witness in writing waives
the signing, is ill, cannot be found, or
refuses to sign; and
(v) if the transcript is not signed by the
witness during the 30-day period following the
date on which the witness is first afforded a
reasonable opportunity to examine the
transcript, the Digital Privacy Agency
investigator shall sign the transcript and
state on the record the fact of the waiver,
illness, absence of the witness, or the refusal
to sign, together with any reasons given for
the failure to sign.
(F) Certification by investigator.--The Digital
Privacy Agency investigator shall certify on the
transcript that the witness was duly sworn by such
Digital Privacy Agency investigator and that the
transcript is a true record of the testimony given by
the witness, and the Digital Privacy Agency
investigator shall promptly deliver the transcript or
send it by registered or certified mail to the
custodian.
(G) Copy of transcript.--The Digital Privacy Agency
investigator shall furnish a copy of the transcript
(upon payment of reasonable charges for the transcript)
to the witness only, except that the Digital Privacy
Agency may for good cause limit such witness to
inspection of the official transcript of the testimony
of such witness.
(H) Witness fees.--Any witness appearing for the
taking of oral testimony pursuant to a civil
investigative demand shall be entitled to the same fees
and mileage which are paid to witnesses in the district
courts of the United States.
(d) Confidential Treatment of Demand Material.--
(1) In general.--Documentary materials and tangible things
received as a result of a civil investigative demand shall be
subject to requirements and procedures regarding
confidentiality, in accordance with rules established by the
Digital Privacy Agency.
(2) Disclosure to congress.--No rule established by the
Digital Privacy Agency regarding the confidentiality of
materials submitted to, or otherwise obtained by, the Digital
Privacy Agency shall be intended to prevent disclosure to
either House of Congress or to an appropriate committee of the
Congress, except that the Digital Privacy Agency is permitted
to adopt rules allowing prior notice to any party that owns or
otherwise provided the material to the Digital Privacy Agency
and had designated such material as confidential.
(e) Petition for Enforcement.--
(1) In general.--Whenever any person fails to comply with
any civil investigative demand duly served upon such person
under this section, or whenever satisfactory copying or
reproduction of material requested pursuant to the demand
cannot be accomplished and such person refuses to surrender
such material, the Digital Privacy Agency, through such
officers or attorneys as it may designate, may file, in the
district court of the United States for any judicial district
in which such person resides, is found, or transacts business,
and serve upon such person, a petition for an order of such
court for the enforcement of this section.
(2) Service of process.--All process of any court to which
application may be made as provided in this subsection may be
served in any judicial district.
(f) Petition for Order Modifying or Setting Aside Demand.--
(1) In general.--Not later than 20 days after the service
of any civil investigative demand upon any person under
subsection (c), or at any time before the return date specified
in the demand, whichever period is shorter, or within such
period exceeding 20 days after service or in excess of such
return date as may be prescribed in writing, subsequent to
service, by any Digital Privacy Agency investigator named in
the demand, such person may file with the Digital Privacy
Agency a petition for an order by the Digital Privacy Agency
modifying or setting aside the demand.
(2) Compliance during pendency.--The time permitted for
compliance with the demand in whole or in part, as determined
proper and ordered by the Digital Privacy Agency, shall not run
during the pendency of a petition under paragraph (1) at the
Digital Privacy Agency, except that such person shall comply
with any portions of the demand not sought to be modified or
set aside.
(3) Specific grounds.--A petition under paragraph (1) shall
specify each ground upon which the petitioner relies in seeking
relief, and may be based upon any failure of the demand to
comply with the provisions of this section, or upon any
constitutional or other legal right or privilege of such
person.
(g) Custodial Control.--At any time during which any custodian is
in custody or control of any documentary material, tangible things,
reports, answers to questions, or transcripts of oral testimony given
by any person in compliance with any civil investigative demand, such
person may file, in the district court of the United States for the
judicial district within which the office of such custodian is
situated, and serve upon such custodian, a petition for an order of
such court requiring the performance by such custodian of any duty
imposed upon such custodian by this section or rule promulgated by the
Digital Privacy Agency.
(h) Jurisdiction of Court.--
(1) In general.--Whenever any petition is filed in any
district court of the United States under this section, such
court shall have jurisdiction to hear and determine the matter
so presented, and to enter such order or orders as may be
required to carry out the provisions of this section.
(2) Appeal.--Any final order entered as described in
paragraph (1) shall be subject to appeal pursuant to section
1291 of title 28, United States Code.
SEC. 402. HEARINGS AND ADJUDICATION PROCEEDINGS.
(a) In General.--Except as provided in subsection (b), the Digital
Privacy Agency is authorized to conduct hearings and adjudication
proceedings with respect to any person in the manner prescribed by
subchapter II of chapter 5 of title 5, United States Code, in order to
ensure or enforce compliance with this Act and the rules prescribed
under this Act.
(b) Special Rules for Cease-and-Desist Proceedings.--
(1) Orders authorized.--
(A) In general.--If, in the opinion of the Digital
Privacy Agency, a person is engaging or has engaged in
an act or omission that violates any provision of this
Act or a rule or order prescribed under this Act, the
Digital Privacy Agency may issue and serve upon the
person a notice of charges in respect thereof.
(B) Content of notice.--The notice under
subparagraph (A) shall contain a statement of the facts
constituting the alleged violation, and shall fix a
time and place at which a hearing will be held to
determine whether an order to cease and desist should
issue against the person, such hearing to be held not
earlier than 30 days nor later than 60 days after the
date of service of such notice, unless an earlier or a
later date is set by the Digital Privacy Agency, at the
request of any person so served.
(C) Consent.--Unless a person served under
subparagraph (A) appears at the hearing personally or
by a duly authorized representative, the person shall
be deemed to have consented to the issuance of the
cease-and-desist order.
(D) Procedure.--In the event of consent under
subparagraph (C), or if, upon the record made at any
such hearing, the Digital Privacy Agency finds that any
violation specified in the notice of charges has been
established, the Digital Privacy Agency may issue an
order to cease and desist from the violation. Such
order may, by provisions which may be mandatory or
otherwise, require the person to cease and desist from
the subject act or omission, and to take affirmative
action to correct the conditions resulting from any
such violation.
(2) Effectiveness of order.--A cease-and-desist order shall
become effective at the expiration of 30 days after the date of
service of the order under paragraph (1)(D) (except in the case
of a cease-and-desist order issued upon consent, which shall
become effective 180 days after the date of service of the
notice of charges under paragraph (1)(A)), and shall remain
effective and enforceable as provided therein, except to such
extent as the order is stayed, modified, terminated, or set
aside by action of the Digital Privacy Agency or a reviewing
court.
(3) Decision and appeal.--Any hearing provided for in this
subsection shall be held in the Federal judicial district or in
the territory in which the residence or principal office or
place of business of the person is located unless the person
consents to another place, and shall be conducted in accordance
with the provisions of subchapter II of chapter 5 of title 5,
United States Code. After such hearing, and not later than 90
days after the Digital Privacy Agency has served the notice
under paragraph (1)(A), the Digital Privacy Agency shall render
its decision (which shall include findings of fact upon which
its decision is predicated) and shall issue and serve upon each
such party an order or orders consistent with the provisions of
this section. Judicial review of any such order shall be
exclusively as provided in this subsection. Unless a petition
for review is timely filed in a court of appeals of the United
States, as provided in paragraph (4), and thereafter until the
record in the proceeding has been filed as provided in
paragraph (4), the Digital Privacy Agency may at any time, upon
such notice and in such manner as the Digital Privacy Agency
shall determine proper, modify, terminate, or set aside any
such order. Upon filing of the record as provided, the Digital
Privacy Agency may modify, terminate, or set aside any such
order with permission of the court.
(4) Appeal to court of appeals.--Any party to any
proceeding under this subsection may obtain a review of any
order served pursuant to this subsection (other than an order
issued with the consent of the party) by filing in the court of
appeals of the United States for the circuit in which the
residence or principal office or place of business of the party
is located, or in the United States Court of Appeals for the
District of Columbia Circuit, within 30 days after the date of
service of such order, a written petition praying that the
order of the Digital Privacy Agency be modified, terminated, or
set aside. A copy of such petition shall be forthwith
transmitted by the clerk of the court to the Digital Privacy
Agency, and thereupon the Digital Privacy Agency shall file in
the court the record in the proceeding, as provided in section
2112 of title 28, United States Code. Upon the filing of such
petition, such court shall have jurisdiction, which upon the
filing of the record shall be exclusive, to affirm, modify,
terminate, or set aside, in whole or in part, the order of the
Digital Privacy Agency. Review of such proceedings shall be had
as provided in chapter 7 of title 5, United States Code.
(5) No stay.--The commencement of proceedings for judicial
review under paragraph (4) shall not, unless specifically
ordered by the court, operate as a stay of any order issued by
the Digital Privacy Agency.
(c) Special Rules for Temporary Cease-and-Desist Proceedings.--
(1) In general.--Whenever the Digital Privacy Agency
determines that the violation specified in the notice of
charges served upon a person pursuant to subsection (b), or the
continuation thereof, is likely to cause the person to be
insolvent or otherwise prejudice the interests of individuals
before the completion of the proceedings conducted pursuant to
subsection (b), the Digital Privacy Agency may issue a
temporary order requiring the person to cease and desist from
any such violation and to take affirmative action to prevent or
remedy such insolvency or other condition pending completion of
such proceedings. Such order may include any requirement
authorized under this title. Such order shall become effective
upon service upon the person and, unless set aside, limited, or
suspended by a court in proceedings authorized by paragraph
(2), shall remain effective and enforceable pending the
completion of the administrative proceedings pursuant to such
notice and until such time as the Digital Privacy Agency shall
dismiss the charges specified in such notice, or if a cease-
and-desist order is issued against the person, until the
effective date of such order.
(2) Appeal.--Not later than 10 days after a person has been
served with a temporary cease-and-desist order, the person may
apply to the United States district court for the judicial
district in which the residence or principal office or place of
business of the person is located, or the United States
District Court for the District of Columbia, for an injunction
setting aside, limiting, or suspending the enforcement,
operation, or effectiveness of such order pending the
completion of the administrative proceedings pursuant to the
notice of charges served upon the person under subsection (b),
and such court shall have jurisdiction to issue such
injunction.
(d) Special Rules for Enforcement of Orders.--The Digital Privacy
Agency may in its discretion apply to the United States district court
within the jurisdiction of which the residence or principal office or
place of business of a person is located, for the enforcement of any
effective and outstanding order issued under this section against such
person, and such court shall have jurisdiction and power to order and
require compliance with such order.
SEC. 403. LITIGATION AUTHORITY.
(a) In General.--If a person violates any provision of this Act or
a rule or order prescribed under this Act, the Digital Privacy Agency
may commence a civil action against such person in a court of competent
jurisdiction to impose a civil penalty or to seek all appropriate legal
and equitable relief, including a permanent or temporary injunction.
(b) Compromise of Actions.--The Digital Privacy Agency may
compromise or settle any action, suit, or other court proceeding to
which the Digital Privacy Agency is a party if such compromise is
approved by the court.
(c) Notice to the Attorney General of the United States.--
(1) In general.--When commencing a civil action under this
Act or regulations or rules or orders issued pursuant to this
Act, the Digital Privacy Agency shall notify the Attorney
General.
(2) Notice and coordination.--
(A) Notice of other actions.--In addition to any
notice required under paragraph (1), the Digital
Privacy Agency shall notify the Attorney General
concerning any action, suit, or other court proceeding
to which the Digital Privacy Agency is a party.
(B) Coordination.--In order to avoid conflicts and
promote consistency regarding litigation of matters
under Federal law, the Attorney General and the Digital
Privacy Agency shall consult regarding the coordination
of investigations and proceedings, including by
negotiating an agreement for coordination not later
than 180 days after the effective date of this Act. The
agreement under this subparagraph shall include
provisions to ensure that parallel investigations and
proceedings involving this Act and the rules prescribed
under this Act are conducted in a manner that avoids
conflicts and does not impede the ability of the
Attorney General to prosecute violations of Federal
criminal laws.
(C) Rule of construction.--Nothing in this
paragraph shall be construed to limit the authority of
the Digital Privacy Agency under this Act, including
the authority to interpret this Act.
(d) Appearance Before the Supreme Court.--The Digital Privacy
Agency may represent itself in its own name before the Supreme Court of
the United States, if the Digital Privacy Agency makes a written
request to the Attorney General within the 10-day period which begins
on the date of entry of the judgment which would permit any party to
file a petition for writ of certiorari, and the Attorney General
concurs with such request or fails to take action within 60 days of the
request of the Digital Privacy Agency.
(e) Forum.--Any civil action brought under this Act or regulations
or rules or orders issued pursuant to this Act may be brought in an
appropriate district court of the United States or an appropriate State
court.
(f) Time for Bringing Action.--Except as otherwise permitted by law
or equity, no action may be brought under this Act more than 3 years
after the date of discovery of the violation to which the action
relates.
SEC. 404. ENFORCEMENT BY STATES.
(a) Civil Action.--In any case in which a State attorney general or
a State privacy regulator has reason to believe that an interest of the
residents of a State has been or is adversely affected by any person
who violates any provision of this Act or a rule or order prescribed
under this Act, the State attorney general or State privacy regulator,
as parens patriae, may bring a civil action on behalf of the residents
of the State in an appropriate State court or an appropriate district
court of the United States to--
(1) enjoin further violation of such provision by the
defendant;
(2) compel compliance with such provision; or
(3) obtain relief under section 406.
(b) Rights of Agency.--Before initiating a civil action under
subsection (a), the State attorney general or State privacy regulator,
as the case may be, shall notify the Digital Privacy Agency in writing
of such civil action. Upon receiving notice with respect to a civil
action, the Digital Privacy Agency may--
(1) intervene in such action; and
(2) upon intervening--
(A) be heard on all matters arising in such civil
action; and
(B) file petitions for appeal of a decision in such
action.
(c) Preemptive Action by Agency.--If the Digital Privacy Agency
institutes a civil action for violation of any provision of this Act or
a rule or order prescribed under this Act, no State attorney general or
State privacy regulator may bring a civil action against any defendant
named in the complaint of the Digital Privacy Agency for a violation of
such provision that is alleged in such complaint.
SEC. 405. PRIVATE RIGHTS OF ACTION.
(a) Injunctive Relief.--A person who is aggrieved by a violation of
this Act may bring a civil action for declaratory or injunctive relief
in any court of competent jurisdiction.
(b) Civil Action for Damages.--Except for claims under rule 23 of
the Federal Rules of Civil Procedure or a similar judicial procedure
authorizing an action to be brought by 1 or more representatives, a
person who is aggrieved by a violation of this Act may bring a civil
action for damages in any court of competent jurisdiction.
(c) Nonprofit Collective Representation.--An individual shall have
the right to appoint a nonprofit organization (as described in section
501(c)(3) of the Internal Revenue Code of 1986 and exempt from taxation
under section 501(a) of such Code) which has been properly constituted
in accordance with the law, has statutory objectives which are in the
public interest, and is active in the field of the protection of
individual rights and freedoms with regard to the protection of privacy
and information security to lodge the complaint on behalf of such
individual to exercise the rights referred to in this Act on behalf of
such individual.
(1) A nonprofit may represent a class of aggrieved
individuals.
(2) A prevailing nonprofit shall receive reasonable
compensation for expenses, including attorneys' fees.
(3) Individuals shall receive an equally divided share of
the total damages.
(d) State Appointment.--A State may provide that any body,
organization, or association referred to in subsection (c), independent
of an individual's appointment, has the right to lodge, in that State,
a complaint with the Digital Privacy Agency and to exercise the rights
referred to in this Act if it considers that the rights of an
individual under this Act have been infringed.
SEC. 406. RELIEF AVAILABLE.
(a) Civil Actions and Adjudication Proceedings.--
(1) Jurisdiction.--In any civil action or any adjudication
proceeding brought by the Digital Privacy Agency, a State
attorney general, or State privacy regulator under any
provision of this Act or a rule or order prescribed under this
Act, the court or the Digital Privacy Agency (as the case may
be) shall have jurisdiction to grant any appropriate legal or
equitable relief with respect to a violation of such provision.
(2) Relief.--Relief under this section may include--
(A) rescission or reformation of contracts;
(B) refund of moneys;
(C) restitution;
(D) disgorgement or compensation for unjust
enrichment;
(E) payment of damages or other monetary relief;
(F) public notification regarding the violation,
including the costs of notification;
(G) limits on the activities or functions of the
person; and
(H) civil money penalties, as provided in
subsection (c).
(3) No exemplary or punitive damages.--Nothing in this
subsection shall be construed as authorizing the imposition of
exemplary or punitive damages.
(b) Recovery of Costs.--In any civil action brought by the Digital
Privacy Agency, State attorney general, or State privacy regulator
under any provision of this Act or a rule or order prescribed under
this Act, the Digital Privacy Agency, State attorney general, or State
privacy regulator may recover its costs in connection with prosecuting
such action if the Digital Privacy Agency or State attorney general is
the prevailing party in the action.
(c) Civil Money Penalty in Court and Administrative Actions.--
(1) In general.--Any person who violates, through any act
or omission, any provision of this Act or a rule or order
issued pursuant to this Act shall forfeit and pay a civil
penalty under this subsection.
(2) Penalty amount.--
(A) In general.--The amount of a civil penalty
under this subsection may not exceed, for each
violation, the product of--
(i) the maximum civil penalty for which a
person, partnership, or corporation may be
liable under section 5(m)(1)(A) of the Federal
Trade Commission Act (15 U.S.C. 45(m)(1)(A))
for a violation of a rule under such Act
respecting unfair or deceptive acts or
practices, as adjusted under the Federal Civil
Penalties Inflation Adjustment Act of 1990 (28
U.S.C. 2461 note); and
(ii) the number of individuals whose
personal information is affected by the
violation.
(B) Continuing violations.--In the case of a
violation through continuing failure to comply with a
provision of this Act or a rule or order prescribed
under this Act, each day of continuance of such failure
shall be treated as a separate violation for purposes
of subparagraph (A).
(3) Mitigating factors.--In determining the amount of any
penalty assessed under paragraph (2), the court or the Digital
Privacy Agency shall take into account the appropriateness of
the penalty with respect to--
(A) the size of financial resources and good faith
of the person charged;
(B) the gravity of the violation;
(C) the severity of the privacy harms (including
both actual and potential harms) to individuals;
(D) any disparate impact of the privacy harms
(including both actual and potential harms) on
protected classes;
(E) the history of previous violations; and
(F) such other matters as justice may require.
(4) Authority to modify or remit penalty.--The Digital
Privacy Agency, State attorney general, or State privacy
regulator may compromise, modify, or remit any penalty which
may be assessed or has already been assessed under paragraph
(2). The amount of such penalty, when finally determined, shall
be exclusive of any sums owed by the person to the United
States in connection with the costs of the proceeding, and may
be deducted from any sums owing by the United States to the
person charged.
(5) Notice and hearing.--No civil penalty may be assessed
under this subsection with respect to a violation of any
provision of this Act or a rule or order issued pursuant to
this Act, unless--
(A) the Digital Privacy Agency, State attorney
general, or State privacy regulator gives notice and an
opportunity for a hearing to the person accused of the
violation; or
(B) the appropriate court has ordered such
assessment and entered judgment in favor of the Digital
Privacy Agency, State attorney general, or State
privacy regulator.
SEC. 407. REFERRAL FOR CRIMINAL PROCEEDINGS.
If the Digital Privacy Agency obtains evidence that any person,
domestic or foreign, has engaged in conduct that may constitute a
violation of Federal criminal law, the Digital Privacy Agency shall
transmit such evidence to the Attorney General of the United States,
who may institute criminal proceedings under appropriate law. Nothing
in this section affects any other authority of the Digital Privacy
Agency to disclose information.
SEC. 408. WHISTLEBLOWER ENFORCEMENT.
(a) In General.--Any person who becomes aware, based on nonpublic
information, that a covered entity has violated this Act may file a
civil action for civil penalties, if prior to filing such action, the
person files with the Director a written request for the Director to
commence the action. The request shall include a clear and concise
statement of the grounds for believing a cause of action exists. The
person shall make the nonpublic information available to the Director
upon request:
(1) If the Director files suit within 90 days from receipt
of the written request to commence the action, no other action
may be brought unless the action brought by the Director is
dismissed without prejudice.
(2) If the Director does not file suit within 90 days from
receipt of the written request to commence the action, the
person requesting the action may proceed to file a civil
action.
(3) The time period within which a civil action shall be
commenced shall be tolled from the date of receipt by the
Director of the written request to either the date that the
civil action is dismissed without prejudice, or for 150 days,
whichever is later, but only for a civil action brought by the
person who requested the Director to commence the action.
(b) Allocation of Civil Penalties.--If a judgment is entered
against the defendant or defendants in an action brought pursuant to
this section, or the matter is settled, amounts received as civil
penalties or pursuant to a settlement of the action shall be allocated
as follows:
(1) If the action was brought by the Director upon a
request made by a person pursuant to subsection (a), the person
who made the request shall be entitled to 15 percent of the
civil penalties.
(2) If the action was brought by the person who made the
request pursuant to subsection (a), that person shall receive
an amount the court determines is reasonable for collecting the
civil penalties on behalf of the government. The amount shall
be not less than 25 percent and not more than 50 percent of the
proceeds of the action and shall be paid out of the proceeds.
TITLE V--RELATION TO OTHER LAW
SEC. 501. EFFECTIVE DATE.
(a) In General.--This Act shall apply beginning on the date that is
1 year after the date of the enactment of this Act.
(b) Authority To Promulgate Regulations and Take Certain Other
Actions.--Nothing in subsection (a) affects the authority of the
Digital Privacy Agency to take an action expressly required by a
provision of this Act to be taken before the effective date described
in such subsection.
SEC. 502. RELATION TO OTHER FEDERAL LAW.
Nothing in this Act shall be construed to modify, limit, or
supersede the operation of any privacy or security provision in the
following:
(1) Section 552a of title 5, United States Code (commonly
known as the ``Privacy Act of 1974'').
(2) The Right to Financial Privacy Act of 1978 (12 U.S.C.
3401 et seq.).
(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692
et seq.).
(5) The Children's Online Privacy Protection Act of 1998
(15 U.S.C. 6501 et seq.).
(6) Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801
et seq.).
(7) Chapter 119, 123, or 206 of title 18, United States
Code.
(8) Section 444 of the General Education Provisions Act (20
U.S.C. 1232g) (commonly known as the ``Family Educational
Rights and Privacy Act of 1974'').
(9) Section 445 of the General Education Provisions Act (20
U.S.C. 1232h).
(10) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa
et seq.).
(11) The regulations promulgated under section 264(c) of
the Health Insurance Portability and Accountability Act of 1996
(42 U.S.C. 1320d-2 note), as those regulations relate to--
(A) a person described in section 1172(a) of the
Social Security Act (42 U.S.C. 1320d-1(a)); or
(B) transactions referred to in section 1173(a)(1)
of the Social Security Act (42 U.S.C. 1320d-2(a)(1)).
(12) The Communications Assistance for Law Enforcement Act
(47 U.S.C. 1001 et seq.).
(13) Section 222, 227, 338, or 631 of the Communications
Act of 1934 (47 U.S.C. 222, 227, 338, or 551).
(14) The E-Government Act of 2002 (44 U.S.C. 101 et seq.).
(15) The Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et
seq.).
(16) The Federal Information Security Management Act of
2002 (44 U.S.C. 3541 et seq.).
(17) The Currency and Foreign Transactions Reporting Act of
1970, as amended (commonly known as the ``Bank Secrecy Act'')
(12 U.S.C. 1829b and 1951-1959, 31 U.S.C. 5311-5314 and 5316-
5332), including the International Money Laundering Abatement
and Financial Anti-Terrorism Act of 2001, title III of Public
Law 107-56, as amended.
(18) The National Security Act of 1947 (50 U.S.C. 3001 et
seq.).
(19) The Foreign Intelligence Surveillance Act of 1978, as
amended (50 U.S.C. 1801 et seq.).
(20) The Civil Rights Act of 1964 (Public Law 88-352, 78
Stat. 241).
(21) The Americans with Disabilities Act (42 U.S.C. 12101
et seq.).
(22) The Fair Housing Act (42 U.S.C. 3601 et seq.).
(23) The Consumer Financial Protection Act of 2010 (12
U.S.C. 5481 et seq.).
(24) The Equal Credit Opportunity Act (15 U.S.C. 1691 et
seq.).
(25) The Age Discrimination in Employment Act (29 U.S.C.
621 et seq.).
(26) The Genetic Information Nondiscrimination Act (Public
Law 110-233, 122 Stat. 881).
(27) Subpart A of part 46 of title 45, Code of Federal
Regulations (commonly known as the ``Common Rule'').
(28) The Driver's Privacy Protection Act of 1994 (18 U.S.C.
2721 et seq.).
(29) The Video Privacy Protection Act (18 U.S.C. 2710 et
seq.).
(30) Chapters 61, 68, 75, and 76 of the Internal Revenue
Code of 1986.
(31) Section 1106 of the Social Security Act (42 U.S.C.
1306).
(32) The Stored Communications Act (18 U.S.C. 2701 et
seq.).
(33) Any other privacy or information security provision of
Federal law.
SEC. 503. RELATION TO STATE LAW.
This Act, and any amendment, standard, rule, requirement,
assessment, or regulation promulgated under this Act, does not annul,
alter, affect, or exempt any person subject to the provisions of this
Act from complying with the laws of any State or political subdivision
of a State with respect to privacy or consumer protection, except to
the extent that those laws are inconsistent with any provisions of this
Act, and then only to the extent of the inconsistency. For purposes of
this section, a law of a State or political subdivision of a State is
not inconsistent with this Act if the protection such law affords any
consumer is greater than the protection provided by this Act.
SEC. 504. SEVERABILITY.
If any provision of this Act or the amendments made by this Act, or
the application thereof, is held unconstitutional or otherwise invalid,
the validity of the remainder of the Act, the amendments, and the
application of such provision shall not be affected thereby.
TITLE VI--NIST AND NSF ACTIVITIES
SEC. 601. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PRIVACY
RESEARCH AND DEVELOPMENT.
Section 2 of the National Institute of Standards and Technology Act
(15 U.S.C. 272) is amended by adding at the end the following:
``(f) Privacy Risk Management Research.--In carrying out the
activities under subsection (c)(19), the Director, in consultation and
collaboration with the Director of the Digital Privacy Agency, shall,
to the extent practicable and appropriate carry out the following:
``(1) Develop, and periodically update, in collaboration
with appropriate Federal agencies, industry, State, local, and
Tribal governments, civil society, other nonprofit
organizations, and the Information Security and Privacy
Advisory Board, a privacy risk management framework that covers
risks associated with data processing and that--
``(A) identifies voluntary, consensus-based
technical standards, guidelines, best practices,
methodologies, procedures, and processes for--
``(i) developing privacy-enhanced
information systems and networks, including
emerging technologies; and
``(ii) assessing and mitigating privacy
risks to help organizations protect
individuals' privacy in information systems and
networks;
``(B) establishes common definitions and
characterizations for aspects of privacy risk
management;
``(C) provides case studies and risk profiles of
framework implementation;
``(D) provides guidance to enable organizations to
use the framework to meet privacy requirements from
Federal, State, local, and Tribal governments and
international policymakers;
``(E) incorporates voluntary, consensus-based
technical standards and best practices;
``(F) facilitates use by regulators and markets
with the aim of reducing barriers to trade; and
``(G) does not prescribe or otherwise require the
use of specific information or communications
technology products or services.
``(2) Carry out research associated with mitigating privacy
risks associated with information systems and networks,
including to inform periodic updates to the privacy risk
management framework developed pursuant to paragraph (1).
``(3) In consultation with the Director of the Digital
Privacy Agency, the Federal Trade Commission, and other related
sector-specific risk management agencies, support the
development of guidance and risk profiles to help organizations
utilize the privacy risk management framework developed
pursuant to paragraph (1), to the extent practicable, to adopt
privacy requirements and regulations established by the Federal
Government, States, and international policymakers.
``(4) Support activities to improve the efficacy and
applicability of privacy-preserving computing, de-
identification techniques and processes, and other
technological means of mitigating individuals' privacy risks by
enhancing predictability, manageability, disassociability, and
confidentiality.
``(5) Support and strategically engage in the development
of voluntary, consensus-based technical standards for privacy-
enhanced systems and networks, including international
technical standards, through open, transparent, and consensus-
based processes.
``(6) Conduct such other activities as determined necessary
by the Director to help public and private sector organizations
mitigate the privacy risks associated with information systems
and networks.''.
SEC. 602. NATIONAL PRIVACY AWARENESS AND EDUCATION INITIATIVE.
(a) In General.--The Director of the National Institute of
Standards and Technology, in consultation and collaboration with the
Director of the Digital Privacy Agency, relevant Federal agencies,
State, local, and Tribal governments, industry, educational
institutions, civil society, and other nonprofit organizations, as
appropriate, shall carry out privacy-related education and public
awareness activities, including relating to the following:
(1) The widespread dissemination of privacy-related
technical standards and best practices identified by the
Director.
(2) Efforts to make privacy-related technical standards and
best practices usable by individuals, small- to medium-sized
businesses, educational institutions, and State, local, and
Tribal governments.
(3) Activities to increase the awareness of privacy risks,
individual privacy rights, and responsibilities.
(4) Supporting the development of technical standards and
best practices to describe privacy-related tasks, knowledge,
skills, competencies, and work roles to guide career
development, education, and training activities in industry,
academia, nonprofit organizations, and the Federal Government,
including support for credentialing.
(b) Considerations.--In carrying out subsection (a), the Director
of the National Institute of Standards and Technology, in consultation
with appropriate Federal agencies, shall leverage, to the extent
practicable, the national cybersecurity awareness and education program
under section 303 of the Cybersecurity Enhancement Act of 2014 (15
U.S.C. 7443).
(c) Biennial Briefings.--Not later than one year after the date of
the enactment of this Act and biennially thereafter, the Director of
the National Institute of Standards and Technology shall brief the
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Science, Space, and Technology of the House of
Representatives on the activities carried out pursuant to subsection
(a).
(d) Authorization of Appropriations.--There is authorized to be
appropriated to carry out this section $3,000,000 for each of fiscal
years 2026 through 2030.
SEC. 603. NATIONAL SCIENCE FOUNDATION PRIVACY RESEARCH.
The Director of the National Science Foundation, in consultation
and collaboration with the Director of the Digital Privacy Agency,
shall make awards on a competitive basis to institutions of higher
education or non-profit organizations (or consortia of such
institutions or organizations) to support multidisciplinary and
transdisciplinary socio-technical research to design, prototype, and
translate to practice privacy-preserving technologies and increase
understanding of the human, social, behavioral, and economic dimensions
of such technologies, including research on the following:
(1) Public understanding, expectations, and perspectives on
privacy.
(2) Consumer privacy rights, including right to access,
correction, deletion, data portability, individual autonomy,
impermanence, and to be informed.
(3) Privacy governance and transparency, including notice
and consent processes and the efficacy of privacy policies.
(4) Empowering consumers for data ownership and control.
(5) Privacy by design.
(6) Privacy-preserving automated decision-making systems
and human review of automated decision-making systems.
(7) Ensuring privacy in consumer surveillance systems.
(8) User interfaces, including design elements that
deliberately obscure, mislead, coerce, or deceive consumers.
(9) Privacy implications of emerging technologies.
(10) Incentives to implement privacy protections.