[House Report 117-669]
[From the U.S. Government Publishing Office]
117th Congress } { Report
HOUSE OF REPRESENTATIVES
2d Session } { 117-669
======================================================================
AMERICAN DATA PRIVACY AND PROTECTION ACT
_______
December 30, 2022.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Pallone, from the Committee on Energy and Commerce, submitted the
following
R E P O R T
[To accompany H.R. 8152]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 8152) to provide consumers with foundational
data privacy rights, create strong oversight mechanisms, and
establish meaningful enforcement, having considered the same,
reports favorably thereon with an amendment and recommends that
the bill as amended do pass.
CONTENTS
Page
I. Purpose and Summary.............................................36
II. Background and Need for the Legislation.........................37
III. Committee Hearings..............................................41
IV. Committee Consideration.........................................43
V. Committee Votes.................................................43
VI. Oversight Findings..............................................47
VII. New Budget Authority, Entitlement Authority, and Tax Expenditure47
VIII.Federal Mandates Statement......................................47
IX. Statement of General Performance Goals and Objectives...........47
X. Duplication of Federal Programs.................................47
XI. Committee Cost Estimate.........................................47
XII. Earmarks, Limited Tax Benefits, and Limited Tariff Benefits.....48
XIII.Advisory Committee Statement....................................48
XIV. Applicability to Legislative Branch.............................48
XV. Section-by-Section Analysis of the Legislation..................48
XVI. Changes in Existing Law Made by the Bill, as Reported...........64
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``American Data
Privacy and Protection Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
TITLE I--DUTY OF LOYALTY
Sec. 101. Data minimization.
Sec. 102. Loyalty duties.
Sec. 103. Privacy by design.
Sec. 104. Loyalty to individuals with respect to pricing.
TITLE II--CONSUMER DATA RIGHTS
Sec. 201. Consumer awareness.
Sec. 202. Transparency.
Sec. 203. Individual data ownership and control.
Sec. 204. Right to consent and object.
Sec. 205. Data protections for children and minors.
Sec. 206. Third-party collecting entities.
Sec. 207. Civil rights and algorithms.
Sec. 208. Data security and protection of covered data.
Sec. 209. Small business protections.
Sec. 210. Unified opt-out mechanisms.
TITLE III--CORPORATE ACCOUNTABILITY
Sec. 301. Executive responsibility.
Sec. 302. Service providers and third parties.
Sec. 303. Technical compliance programs.
Sec. 304. Commission approved compliance guidelines.
Sec. 305. Digital content forgeries.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
Sec. 401. Enforcement by the Federal Trade Commission.
Sec. 402. Enforcement by States.
Sec. 403. Enforcement by persons.
Sec. 404. Relationship to Federal and State laws.
Sec. 405. Severability.
Sec. 406. COPPA.
Sec. 407. Authorization of appropriations.
Sec. 408. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's freely
given, specific, and unambiguous authorization for an
act or practice after having been informed, in response
to a specific request from a covered entity that meets
the requirements of subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the individual
in a clear and conspicuous standalone
disclosure made through the primary medium used
to offer the covered entity's product or
service, or only if the product or service is
not offered in a medium that permits the making
of the request under this paragraph, another
medium regularly used in conjunction with the
covered entity's product or service.
(ii) The request includes a description of
the processing purpose for which the
individual's consent is sought and--
(I) clearly states the specific
categories of covered data that the
covered entity shall collect, process,
and transfer necessary to effectuate
the processing purpose; and
(II) includes a prominent heading and
is written in easy-to-understand
language that would enable a reasonable
individual to identify and understand
the processing purpose for which
consent is sought and the covered data
to be collected, processed, or
transferred by the covered entity for
such processing purpose.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(iv) The request is made in a manner
reasonably accessible to and usable by
individuals with disabilities.
(v) The request is made available to the
individual in each covered language in which
the covered entity provides a product or
service for which authorization is sought.
(vi) The option to refuse consent shall be at
least as prominent as the option to accept, and
the option to refuse consent shall take the
same number of steps or fewer as the option to
accept.
(vii) Processing or transferring any covered
data collected pursuant to affirmative express
consent for a different processing purpose than
that for which affirmative express consent was
obtained shall require affirmative express
consent for the subsequent processing purpose.
(C) Express consent required.--A covered entity may
not infer that an individual has provided affirmative
express consent to an act or practice from the inaction
of the individual or the individual's continued use of
a service or product provided by the covered entity.
(D) Pretextual consent prohibited.--A covered entity
may not obtain or attempt to obtain the affirmative
express consent of an individual through--
(i) the use of any false, fictitious,
fraudulent, or materially misleading statement
or representation; or
(ii) the design, modification, or
manipulation of any user interface with the
purpose or substantial effect of obscuring,
subverting, or impairing a reasonable
individual's autonomy, decision making, or
choice to provide such consent or any covered
data.
(2) Authentication.--The term ``authentication'' means the
process of verifying an individual or entity for security
purposes.
(3) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data generated from the technological
processing of an individual's unique biological,
physical, or physiological characteristics that is
linked or reasonably linkable to an individual,
including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina scans;
(iv) facial or hand mapping, geometry, or
templates; or
(v) gait or personally identifying physical
movements.
(B) Exclusion.--The term ``biometric information''
does not include--
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data generated from a digital or
physical photograph, or an audio or video
recording, that cannot be used to identify an
individual.
(4) Collect; collection.--The terms ``collect'' and
``collection'' mean buying, renting, gathering, obtaining,
receiving, accessing, or otherwise acquiring covered data by
any means.
(5) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(6) Control.--The term ``control'' means, with respect to an
entity--
(A) ownership of, or the power to vote, more than 50
percent of the outstanding shares of any class of
voting security of the entity;
(B) control over the election of a majority of the
directors of the entity (or of individuals exercising
similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(7) Covered algorithm.--The term ``covered algorithm'' means
a computational process that uses machine learning, natural
language processing, artificial intelligence techniques, or
other computational processing techniques of similar or greater
complexity and that makes a decision or facilitates human
decision-making with respect to covered data, including to
determine the provision of products or services or to rank,
order, promote, recommend, amplify, or similarly determine the
delivery or display of information to an individual.
(8) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable, alone or in combination with other
information, to an individual or a device that
identifies or is linked or reasonably linkable to an
individual, and may include derived data and unique
persistent identifiers.
(B) Exclusions.--The term ``covered data'' does not
include--
(i) de-identified data;
(ii) employee data;
(iii) publicly available information; or
(iv) inferences made exclusively from
multiple independent sources of publicly
available information that do not reveal
sensitive covered data with respect to an
individual.
(C) Employee data defined.--For purposes of
subparagraph (B), the term ``employee data'' means--
(i) information relating to a job applicant
collected by a covered entity acting as a
prospective employer of such job applicant in
the course of the application, or hiring
process, if such information is collected,
processed, or transferred by the prospective
employer solely for purposes related to the
employee's status as a current or former job
applicant of such employer;
(ii) information processed by an employer
relating to an employee who is acting in a
professional capacity for the employer,
provided that such information is collected,
processed, or transferred solely for purposes
related to such employee's professional
activities on behalf of the employer;
(iii) the business contact information of an
employee, including the employee's name,
position or title, business telephone number,
business address, or business email address
that is provided to an employer by an employee
who is acting in a professional capacity, if
such information is collected, processed, or
transferred solely for purposes related to such
employee's professional activities on behalf of
the employer;
(iv) emergency contact information collected
by an employer that relates to an employee of
that employer, if such information is
collected, processed, or transferred solely for
the purpose of having an emergency contact on
file for the employee and for processing or
transferring such information in case of an
emergency; or
(v) information relating to an employee (or a
spouse, dependent, other covered family member,
or beneficiary of such employee) that is
necessary for the employer to collect, process,
or transfer solely for the purpose of
administering benefits to which such employee
(or spouse, dependent, other covered family
member, or beneficiary of such employee) is
entitled on the basis of the employee's
position with that employer.
(9) Covered entity.--
(A) In general.--The term ``covered entity''--
(i) means any entity or any person, other
than an individual acting in a non-commercial
context, that alone or jointly with others
determines the purposes and means of
collecting, processing, or transferring covered
data and--
(I) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.);
(II) is a common carrier subject to
the Communications Act of 1934 (47
U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary
thereto; or
(III) is an organization not
organized to carry on business for its
own profit or that of its members; and
(ii) includes any entity or person that
controls, is controlled by, or is under common
control with the covered entity.
(B) Exclusions.--The term ``covered entity'' does not
include--
(i) a Federal, State, Tribal, territorial, or
local government entity such as a body,
authority, board, bureau, commission, district,
agency, or political subdivision of the Federal
Government or a State, Tribal, territorial, or
local government;
(ii) a person or an entity that is
collecting, processing, or transferring covered
data on behalf of a Federal, State, Tribal,
territorial, or local government entity, in so
far as such person or entity is acting as a
service provider to the government entity; or
(iii) an entity that serves as a
congressionally designated nonprofit, national
resource center, and clearinghouse to provide
assistance to victims, families, child-serving
professionals, and the general public on
missing and exploited children issues.
(C) Non-application to service providers.--An entity
shall not be considered to be a covered entity for
purposes of this Act in so far as the entity is acting
as a service provider (as defined in paragraph (29)).
(10) Covered language.--The term ``covered language'' means
the ten languages with the most users in the United States,
according to the most recent United States Census.
(11) Covered minor.--The term ``covered minor'' means an
individual under the age of 17.
(12) De-identified data.--The term ``de-identified data''
means information that does not identify and is not linked or
reasonably linkable to a distinct individual or a device,
regardless of whether the information is aggregated, and if the
covered entity or service provider--
(A) takes reasonable technical measures to ensure
that the information cannot, at any point, be used to
re-identify any individual or device that identifies or
is linked or reasonably linkable to an individual;
(B) publicly commits in a clear and conspicuous
manner--
(i) to process and transfer the information
solely in a de-identified form without any
reasonable means for re-identification; and
(ii) to not attempt to re-identify the
information with any individual or device that
identifies or is linked or reasonably linkable
to an individual; and
(C) contractually obligates any person or entity that
receives the information from the covered entity or
service provider--
(i) to comply with all of the provisions of
this paragraph with respect to the information;
and
(ii) to require that such contractual
obligations be included contractually in all
subsequent instances for which the data may be
received.
(13) Derived data.--The term ``derived data'' means covered
data that is created by the derivation of information, data,
assumptions, correlations, inferences, predictions, or
conclusions from facts, evidence, or another source of
information or data about an individual or an individual's
device.
(14) Device.--The term ``device'' means any electronic
equipment capable of collecting, processing, or transferring
covered data that is used by one or more individuals.
(15) Employee.--The term ``employee'' means an individual who
is an employee, director, officer, staff member individual
working as an independent contractor that is not a service
provider, trainee, volunteer, or intern of an employer,
regardless of whether such individual is paid, unpaid, or
employed on a temporary basis.
(16) Executive agency.--The ``Executive agency'' has the
meaning given such term in section 105 of title 5, United
States Code.
(17) First party advertising or marketing.--The term ``first
party advertising or marketing'' means advertising or marketing
conducted by a first party either through direct communications
with a user such as direct mail, email, or text message
communications, or advertising or marketing conducted entirely
within the first-party context, such as in a physical location
operated by the first party, or on a web site or app operated
by the first party.
(18) Genetic information.--The term ``genetic information''
means any covered data, regardless of its format, that concerns
an individual's genetic characteristics, including--
(A) raw sequence data that results from the
sequencing of the complete, or a portion of the,
extracted deoxyribonucleic acid (DNA) of an individual;
or
(B) genotypic and phenotypic information that results
from analyzing raw sequence data described in
subparagraph (A).
(19) Individual.--The term ``individual'' means a natural
person residing in the United States.
(20) Knowledge.--
(A) In general.--The term ``knowledge'' means--
(i) with respect to a covered entity that is
a covered high-impact social media company, the
entity knew or should have known the individual
was a covered minor;
(ii) with respect to a covered entity or
service provider that is a large data holder,
and otherwise is not a covered high-impact
social media company, that the covered entity
knew or acted in willful disregard of the fact
that the individual was a covered minor; and
(iii) with respect to a covered entity or
service provider that does not meet the
requirements of clause (i) or (ii), actual
knowledge.
(B) Covered high-impact social media company.--For
purposes of this paragraph, the term ``covered high-
impact social media company'' means a covered entity
that provides any internet-accessible platform where--
(i) such covered entity generates
$3,000,000,000 or more in annual revenue;
(ii) such platform has 300,000,000 or more
monthly active users for not fewer than 3 of
the preceding 12 months on the online product
or service of such covered entity; and
(iii) such platform constitutes an online
product or service that is primarily used by
users to access or share, user-generated
content.
(21) Large data holder.--
(A) In general.--The term ``large data holder'' means
a covered entity or service provider that, in the most
recent calendar year--
(i) had annual gross revenues of $250,000,000
or more; and
(ii) collected, processed, or transferred--
(I) the covered data of more than
5,000,000 individuals or devices that
identify or are linked or reasonably
linkable to 1 or more individuals,
excluding covered data collected and
processed solely for the purpose of
initiating, rendering, billing for,
finalizing, completing, or otherwise
collecting payment for a requested
product or service; and
(II) the sensitive covered data of
more than 200,000 individuals or
devices that identify or are linked or
reasonably linkable to 1 or more
individuals.
(B) Exclusions.--The term ``large data holder'' does
not include any instance in which the covered entity or
service provider would qualify as a large data holder
solely on the basis of collecting or processing--
(i) personal email addresses;
(ii) personal telephone numbers; or
(iii) log-in information of an individual or
device to allow the individual or device to log
in to an account administered by the covered
entity or service provider.
(C) Revenue.--For purposes of determining whether any
covered entity or service provider is a large data
holder, the term ``revenue'', with respect to any
covered entity or service provider that is not
organized to carry on business for its own profit or
that of its members--
(i) means the gross receipts the covered
entity or service provider received, in
whatever form, from all sources, without
subtracting any costs or expenses; and
(ii) includes contributions, gifts, grants,
dues or other assessments, income from
investments, and proceeds from the sale of real
or personal property.
(22) Market research.--The term ``market research'' means the
collection, processing, or transfer of covered data as
reasonably necessary and proportionate to investigate the
market for or marketing of products, services, or ideas, where
the covered data is not--
(A) integrated into any product or service;
(B) otherwise used to contact any individual or
individual's device; or
(C) used to advertise or market to any individual or
individual's device.
(23) Material.--The term ``material'' means, with respect to
an act, practice, or representation of a covered entity
(including a representation made by the covered entity in a
privacy policy or similar disclosure to individuals) involving
the collection, processing, or transfer of covered data, that
such act, practice, or representation is likely to affect a
reasonable individual's decision or conduct regarding a product
or service.
(24) Precise geolocation information.--
(A) In general.--The term ``precise geolocation
information'' means information that is derived from a
device or technology that reveals the past or present
physical location of an individual or device that
identifies or is linked or reasonably linkable to 1 or
more individuals, with sufficient precision to identify
street level location information of an individual or
device or the location of an individual or device
within a range of 1,850 feet or less.
(B) Exclusion.--The term ``precise geolocation
information'' does not include geolocation information
identifiable or derived solely from the visual content
of a legally obtained image, including the location of
the device that captured such image.
(25) Process.--The term ``process'' means to conduct or
direct any operation or set of operations performed on covered
data, including analyzing, organizing, structuring, retaining,
storing, using, or otherwise handling covered data.
(26) Processing purpose.--The term ``processing purpose''
means a reason for which a covered entity or service provider
collects, processes, or transfers covered data that is specific
and granular enough for a reasonable individual to understand
the material facts of how and why the covered entity or service
provider collects, processes, or transfers the covered data.
(27) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means any information that a covered
entity or service provider has a reasonable basis to
believe has been lawfully made available to the general
public from--
(i) Federal, State, or local government
records, if the covered entity collects,
processes, and transfers such information in
accordance with any restrictions or terms of
use placed on the information by the relevant
government entity;
(ii) widely distributed media;
(iii) a website or online service made
available to all members of the public, for
free or for a fee, including where all members
of the public, for free or for a fee, can log
in to the website or online service;
(iv) a disclosure that has been made to the
general public as required by Federal, State,
or local law; or
(v) the visual observation of the physical
presence of an individual or a device in a
public place, not including data collected by a
device in the individual's possession.
(B) Clarifications; limitations.--
(i) Available to all members of the public.--
For purposes of this paragraph, information
from a website or online service is not
available to all members of the public if the
individual who made the information available
via the website or online service has
restricted the information to a specific
audience.
(ii) Other limitations.--The term ``publicly
available information'' does not include--
(I) any obscene visual depiction (as
defined in section 1460 of title 18,
United States Code);
(II) any inference made exclusively
from multiple independent sources of
publicly available information that
reveals sensitive covered data with
respect to an individual;
(III) biometric information;
(IV) publicly available information
that has been combined with covered
data;
(V) genetic information, unless
otherwise made available by the
individual to whom the information
pertains as described in clause (ii) or
(iii) of subparagraph (A); or
(VI) intimate images known to be
nonconsensual.
(28) Sensitive covered data.--
(A) In general.--The term ``sensitive covered data''
means the following types of covered data:
(i) A government-issued identifier, such as a
Social Security number, passport number, or
driver's license number, that is not required
by law to be displayed in public.
(ii) Any information that describes or
reveals the past, present, or future physical
health, mental health, disability, diagnosis,
or healthcare condition or treatment of an
individual.
(iii) A financial account number, debit card
number, credit card number, or information that
describes or reveals the income level or bank
account balances of an individual, except that
the last four digits of a debit or credit card
number shall not be deemed sensitive covered
data.
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual's private communications
such as voicemails, emails, texts, direct
messages, or mail, or information identifying
the parties to such communications, voice
communications, video communications, and any
information that pertains to the transmission
of such communications, including telephone
numbers called, telephone numbers from which
calls were placed, the time calls were made,
call duration, and location information of the
parties to the call, unless the covered entity
or a service provider acting on behalf of the
covered entity is the sender or an intended
recipient of the communication. Communications
are not private for purposes of this clause if
such communications are made from or to a
device provided by an employer to an employee
insofar as such employer provides conspicuous
notice that such employer may access such
communications.
(viii) Account or device log-in credentials,
or security or access codes for an account or
device.
(ix) Information identifying the sexual
behavior of an individual in a manner
inconsistent with the individual's reasonable
expectation regarding the collection,
processing, or transfer of such information.
(x) Calendar information, address book
information, phone or text logs, photos, audio
recordings, or videos, maintained for private
use by an individual, regardless of whether
such information is stored on the individual's
device or is accessible from that device and is
backed up in a separate location. Such
information is not sensitive for purposes of
this paragraph if such information is sent from
or to a device provided by an employer to an
employee insofar as such employer provides
conspicuous notice that it may access such
information.
(xi) A photograph, film, video recording, or
other similar medium that shows the naked or
undergarment-clad private area of an
individual.
(xii) Information revealing the video content
requested or selected by an individual
collected by a covered entity that is not a
provider of a service described in section
102(4). This clause does not include covered
data used solely for transfers for independent
video measurement.
(xiii) Information about an individual when
the covered entity or service provider has
knowledge that the individual is a covered
minor.
(xiv) An individual's race, color, ethnicity,
religion, or union membership.
(xv) Information identifying an individual's
online activities over time and across third
party websites or online services.
(xvi) Any other covered data collected,
processed, or transferred for the purpose of
identifying the types of covered data listed in
clauses (i) through (xv).
(B) Rulemaking.--The Commission may commence a
rulemaking pursuant to section 553 of title 5, United
States Code, to include in the definition of
``sensitive covered data'' any other type of covered
data that may require a similar level of protection as
the types of covered data listed in clauses (i) through
(xvi) of subparagraph (A) as a result of any new method
of collecting, processing, or transferring covered
data.
(29) Service provider.--
(A) In general.--The term ``service provider'' means
a person or entity that--
(i) collects, processes, or transfers covered
data on behalf of, and at the direction of, a
covered entity or a Federal, State, Tribal,
territorial, or local government entity; and
(ii) receives covered data from or on behalf
of a covered entity or a Federal, State,
Tribal, territorial, or local government
entity.
(B) Treatment with respect to service provider
data.--A service provider that receives service
provider data from another service provider as
permitted under this Act shall be treated as a service
provider under this Act with respect to such data.
(30) Service provider data.--The term ``service provider
data'' means covered data that is collected or processed by or
has been transferred to a service provider by or on behalf of a
covered entity, a Federal, State, Tribal, territorial, or local
government entity, or another service provider for the purpose
of allowing the service provider to whom such covered data is
transferred to perform a service or function on behalf of, and
at the direction of, such covered entity or Federal, State,
Tribal, territorial, or local government entity.
(31) State.--The term ``State'' means any of the 50 States,
the District of Columbia, the Commonwealth of Puerto Rico, the
Virgin Islands of the United States, Guam, American Samoa, or
the Commonwealth of the Northern Mariana Islands.
(32) State privacy authority.--The term ``State privacy
authority'' means--
(A) the chief consumer protection officer of a State;
or
(B) a State consumer protection agency with expertise
in data protection, including the California Privacy
Protection Agency.
(33) Substantial privacy risk.--The term ``substantial
privacy risk'' means the collection, processing, or transfer of
covered data in a manner that may result in any reasonably
foreseeable substantial physical injury, economic injury,
highly offensive intrusion into the privacy expectations of a
reasonable individual under the circumstances, or
discrimination on the basis of race, color, religion, national
origin, sex, or disability.
(34) Targeted advertising.--The term ``targeted
advertising''--
(A) means presenting to an individual or device
identified by a unique identifier, or groups of
individuals or devices identified by unique
identifiers, an online advertisement that is selected
based on known or predicted preferences,
characteristics, or interests associated with the
individual or a device identified by a unique
identifier; and
(B) does not include--
(i) advertising or marketing to an individual
or an individual's device in response to the
individual's specific request for information
or feedback;
(ii) contextual advertising, which is when an
advertisement is displayed based on the content
in which the advertisement appears and does not
vary based on who is viewing the advertisement;
or
(iii) processing covered data solely for
measuring or reporting advertising or content,
performance, reach, or frequency, including
independent measurement.
(35) Third party.--The term ``third party''--
(A) means any person or entity, including a covered
entity, that--
(i) collects, processes, or transfers covered
data that the person or entity did not collect
directly from the individual linked or linkable
to such covered data; and
(ii) is not a service provider with respect
to such data; and
(B) does not include a person or entity that collects
covered data from another entity if the 2 entities are
related by common ownership or corporate control, but
only if a reasonable consumer's reasonable expectation
would be that such entities share information.
(36) Third-party collecting entity.--
(A) In general.--The term ``third-party collecting
entity''--
(i) means a covered entity whose principal
source of revenue is derived from processing or
transferring covered data that the covered
entity did not collect directly from the
individuals linked or linkable to the covered
data; and
(ii) does not include a covered entity
insofar as such entity processes employee data
collected by and received from a third party
concerning any individual who is an employee of
the third party for the sole purpose of such
third party providing benefits to the employee.
(B) Principal source of revenue defined.--For
purposes of this paragraph, the term ``principal source
of revenue'' means, for the prior 12-month period,
either--
(i) more than 50 percent of all revenue of
the covered entity; or
(ii) obtaining revenue from processing or
transferring the covered data of more than
5,000,000 individuals that the covered entity
did not collect directly from the individuals
linked or linkable to the covered data.
(C) Non-application to service providers.--An entity
may not be considered to be a third-party collecting
entity for purposes of this Act if the entity is acting
as a service provider.
(37) Third party data.--The term ``third party data'' means
covered data that has been transferred to a third party.
(38) Transfer.--The term ``transfer'' means to disclose,
release, disseminate, make available, license, rent, or share
covered data orally, in writing, electronically, or by any
other means.
(39) Unique persistent identifier.--The term ``unique
identifier''--
(A) means an identifier to the extent that such
identifier is reasonably linkable to an individual or
device that identifies or is linked or reasonably
linkable to 1 or more individuals, including a device
identifier, Internet Protocol address, cookie, beacon,
pixel tag, mobile ad identifier, or similar technology,
customer number, unique pseudonym, user alias,
telephone number, or other form of persistent or
probabilistic identifier that is linked or reasonably
linkable to an individual or device; and
(B) does not include an identifier assigned by a
covered entity for the specific purpose of giving
effect to an individual's exercise of affirmative
express consent or opt-outs of the collection,
processing, and transfer of covered data pursuant to
section 204 or otherwise limiting the collection,
processing, or transfer of such information.
(40) Widely distributed media.--The term ``widely distributed
media'' means information that is available to the general
public, including information from a telephone book or online
directory, a television, internet, or radio program, the news
media, or an internet site that is available to the general
public on an unrestricted basis, but does not include an
obscene visual depiction (as defined in section 1460 of title
18, United States Code).
TITLE I--DUTY OF LOYALTY
SEC. 101. DATA MINIMIZATION.
(a) In General.--A covered entity may not collect, process, or
transfer covered data unless the collection, processing, or transfer is
limited to what is reasonably necessary and proportionate to--
(1) provide or maintain a specific product or service
requested by the individual to whom the data pertains; or
(2) effect a purpose permitted under subsection (b).
(b) Permissible Purposes.--A covered entity may collect, process, or
transfer covered data for any of the following purposes if the
collection, processing, or transfer is limited to what is reasonably
necessary and proportionate to such purpose:
(1) To initiate, manage, or complete a transaction or fulfill
an order for specific products or services requested by an
individual, including any associated routine administrative,
operational, and account-servicing activity such as billing,
shipping, delivery, storage, and accounting.
(2) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception--
(A) to process such data as necessary to perform
system maintenance or diagnostics;
(B) to develop, maintain, repair, or enhance a
product or service for which such data was collected;
(C) to conduct internal research or analytics to
improve a product or service for which such data was
collected;
(D) to perform inventory management or reasonable
network management;
(E) to protect against spam; or
(F) to debug or repair errors that impair the
functionality of a service or product for which such
data was collected.
(3) To authenticate users of a product or service.
(4) To fulfill a product or service warranty.
(5) To prevent, detect, protect against, or respond to a
security incident. For purposes of this paragraph, security is
defined as network security and physical security and life
safety, including an intrusion or trespass, medical alerts,
fire alarms, and access control security.
(6) To prevent, detect, protect against, or respond to fraud,
harassment, or illegal activity. For purposes of this
paragraph, the term ``illegal activity'' means a violation of a
Federal, State, or local law punishable as a felony or
misdemeanor that can directly harm.
(7) To comply with a legal obligation imposed by Federal,
Tribal, local, or State law, or to investigate, establish,
prepare for, exercise, or defend legal claims involving the
covered entity or service provider.
(8) To prevent an individual, or group of individuals, from
suffering harm where the covered entity or service provider
believes in good faith that the individual, or group of
individuals, is at risk of death, serious physical injury, or
other serious health risk.
(9) To effectuate a product recall pursuant to Federal or
State law.
(10)(A) To conduct a public or peer-reviewed scientific,
historical, or statistical research project that--
(i) is in the public interest; and
(ii) adheres to all relevant laws and regulations
governing such research, including regulations for the
protection of human subjects, or is excluded from
criteria of the institutional review board.
(B) Not later than 18 months after the date of enactment of
this Act, the Commission should issue guidelines to help
covered entities ensure the privacy of affected users and the
security of covered data, particularly as data is being
transferred to and stored by researchers. Such guidelines
should consider risks as they pertain to projects using covered
data with special considerations for projects that are exempt
under part 46 of title 45, Code of Federal Regulations (or any
successor regulation) or are excluded from the criteria for
institutional review board review.
(11) To deliver a communication that is not an advertisement
to an individual, if the communication is reasonably
anticipated by the individual within the context of the
individual's interactions with the covered entity.
(12) To deliver a communication at the direction of an
individual between such individual and one or more individuals
or entities.
(13) To transfer assets to a third party in the context of a
merger, acquisition, bankruptcy, or similar transaction when
the third party assumes control, in whole or in part, of the
covered entity's assets, only if the covered entity, in a
reasonable time prior to such transfer, provides each affected
individual with--
(A) a notice describing such transfer, including the
name of the entity or entities receiving the
individual's covered data and their privacy policies as
described in section 202; and
(B) a reasonable opportunity to withdraw any
previously given consents in accordance with the
requirements of affirmative express consent under this
Act related to the individual's covered data and a
reasonable opportunity to request the deletion of the
individual's covered data, as described in section 203.
(14) To ensure the data security and integrity of covered
data, as described in section 208.
(15) With respect to covered data previously collected in
accordance with this Act, a service provider acting at the
direction of a government entity, or a service provided to a
government entity by a covered entity, and only insofar as
authorized by statute, to prevent, detect, protect against or
respond to a public safety incident, including trespass,
natural disaster, or national security incident. This paragraph
does not permit, however, the transfer of covered data for
payment or other valuable consideration to a government entity.
(16) With respect to covered data collected in accordance
with this Act, notwithstanding this exception, to process such
data as necessary to provide first party advertising or
marketing of products or services provided by the covered
entity for individuals who are not-covered minors.
(17) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception and
provided such collection, processing, and transferring
otherwise complies with the requirements of this Act, including
section 204(c), to provide targeted advertising.
(c) Guidance.--The Commission shall issue guidance regarding what is
reasonably necessary and proportionate to comply with this section.
Such guidance shall take into consideration--
(1) the size of, and the nature, scope, and complexity of the
activities engaged in by, the covered entity, including whether
the covered entity is a large data holder, nonprofit
organization, covered entity meeting the requirements of
section 209, third party, or third-party collecting entity;
(2) the sensitivity of covered data collected, processed, or
transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity; and
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates.
(d) Deceptive Marketing of a Product or Service.--A covered entity or
service provider may not engage in deceptive advertising or marketing
with respect to a product or service offered to an individual.
(e) Journalism.--Nothing in this Act shall be construed to limit or
diminish First Amendment freedoms guaranteed under the Constitution.
SEC. 102. LOYALTY DUTIES.
Notwithstanding section 101 and unless an exception applies, with
respect to covered data, a covered entity or service provider may not--
(1) collect, process, or transfer a Social Security number,
except when necessary to facilitate an extension of credit,
authentication, fraud and identity fraud detection and
prevention, the payment or collection of taxes, the enforcement
of a contract between parties, or the prevention,
investigation, or prosecution of fraud or illegal activity, or
as otherwise required by Federal, State, or local law;
(2) collect or process sensitive covered data, except where
such collection or processing is strictly necessary to provide
or maintain a specific product or service requested by the
individual to whom the covered data pertains, or is strictly
necessary to effect a purpose enumerated in paragraphs (1)
through (12) and (14) through (15) of section 101(b);
(3) transfer an individual's sensitive covered data to a
third party, unless--
(A) the transfer is made pursuant to the affirmative
express consent of the individual;
(B) the transfer is necessary to comply with a legal
obligation imposed by Federal, State, Tribal, or local
law, or to establish, exercise, or defend legal claims;
(C) the transfer is necessary to prevent an
individual from imminent injury where the covered
entity believes in good faith that the individual is at
risk of death, serious physical injury, or serious
health risk;
(D) with respect to covered data collected in
accordance with this Act, notwithstanding this
exception, a service provider acting at the direction
of a government entity, or a service provided to a
government entity by a covered entity, and only insofar
as authorized by statute, the transfer is necessary to
prevent, detect, protect against or respond to a public
safety incident including trespass, natural disaster,
or national security incident. This paragraph does not
permit, however, the transfer of covered data for
payment or other valuable consideration to a government
entity;
(E) in the case of the transfer of a password, the
transfer is necessary to use a designated password
manager or is to a covered entity for the exclusive
purpose of identifying passwords that are being re-used
across sites or accounts;
(F) in the case of the transfer of genetic
information, the transfer is necessary to perform a
medical diagnosis or medical treatment specifically
requested by an individual, or to conduct medical
research in accordance with conditions of section
101(b)(10); or
(G) to transfer assets in the manner described in
paragraph (13) of section 101(b); or
(4) in the case of a provider of broadcast television
service, cable service, satellite service, streaming media
service, or other video programming service described in
section 713(h)(2) of the Communications Act of 1934 (47 U.S.C.
613(h)(2)), transfer to an unaffiliated third party covered
data that reveals the video content or services requested or
selected by an individual from such service, except with the
affirmative express consent of the individual or pursuant to
one of the permissible purposes enumerated in paragraphs (1)
through (15) of section 101(b).
SEC. 103. PRIVACY BY DESIGN.
(a) Policies, Practices, and Procedures.--A covered entity and a
service provider shall establish, implement, and maintain reasonable
policies, practices, and procedures that reflect the role of the
covered entity or service provider in the collection, processing, and
transferring of covered data and that--
(1) consider applicable Federal laws, rules, or regulations
related to covered data the covered entity or service provider
collects, processes, or transfers;
(2) identify, assess, and mitigate privacy risks related to
covered minors (including, if applicable, with respect to a
covered entity that is not an entity meeting the requirements
of section 209, in a manner that considers the developmental
needs of different age ranges of covered minors) to result in
reasonably necessary and proportionate residual risk to covered
minors;
(3) mitigate privacy risks, including substantial privacy
risks, related to the products and services of the covered
entity or the service provider, including in the design,
development, and implementation of such products and services,
taking into account the role of the covered entity or service
provider and the information available to it; and
(4) implement reasonable training and safeguards within the
covered entity and service provider to promote compliance with
all privacy laws applicable to covered data the covered entity
collects, processes, or transfers or covered data the service
provider collects, processes, or transfers on behalf of the
covered entity and mitigate privacy risks, including
substantial privacy risks, taking into account the role of the
covered entity or service provider and the information
available to it.
(b) Factors to Consider.--The policies, practices, and procedures
established by a covered entity and a service provider under subsection
(a), shall correspond with, as applicable--
(1) the size of the covered entity or the service provider
and the nature, scope, and complexity of the activities engaged
in by the covered entity or service provider, including whether
the covered entity or service provider is a large data holder,
nonprofit organization, entity meeting the requirements of
section 209, third party, or third-party collecting entity,
taking into account the role of the covered entity or service
provider and the information available to it;
(2) the sensitivity of the covered data collected, processed,
or transferred by the covered entity or service provider;
(3) the volume of covered data collected, processed, or
transferred by the covered entity or service provider;
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity or service provider relates; and
(5) the cost of implementing such policies, practices, and
procedures in relation to the risks and nature of the covered
data.
(c) Commission Guidance.--Not later than 1 year after the date of
enactment of this Act, the Commission shall issue guidance as to what
constitutes reasonable policies, practices, and procedures as required
by this section. The Commission shall consider unique circumstances
applicable to nonprofit organizations, to entities meeting the
requirements of section 209, and to service providers.
SEC. 104. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.
(a) Retaliation Through Service or Pricing Prohibited.--A covered
entity may not retaliate against an individual for exercising any of
the rights guaranteed by the Act, or any regulations promulgated under
this Act, including denying goods or services, charging different
prices or rates for goods or services, or providing a different level
of quality of goods or services.
(b) Rules of Construction.--Nothing in subsection (a) may be
construed to--
(1) prohibit the relation of the price of a service or the
level of service provided to an individual to the provision, by
the individual, of financial information that is necessarily
collected and processed only for the purpose of initiating,
rendering, billing for, or collecting payment for a service or
product requested by the individual;
(2) prohibit a covered entity from offering a different
price, rate, level, quality or selection of goods or services
to an individual, including offering goods or services for no
fee, if the offering is in connection with an individual's
voluntary participation in a bona fide loyalty program;
(3) require a covered entity to provide a bona fide loyalty
program that would require the covered entity to collect,
process, or transfer covered data that the covered entity
otherwise would not collect, process, or transfer;
(4) prohibit a covered entity from offering a financial
incentive or other consideration to an individual for
participation in market research;
(5) prohibit a covered entity from offering different types
of pricing or functionalities with respect to a product or
service based on an individual's exercise of a right under
section 203(a)(3); or
(6) prohibit a covered entity from declining to provide a
product or service insofar as the collection and processing of
covered data is strictly necessary for such product or service.
(c) Bona Fide Loyalty Program Defined.--For purposes of this section,
the term ``bona fide loyalty program'' includes rewards, premium
features, discount or club card programs.
TITLE II--CONSUMER DATA RIGHTS
SEC. 201. CONSUMER AWARENESS.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the Commission shall publish, on the public website of the
Commission, a webpage that describes each provision, right, obligation,
and requirement of this Act, listed separately for individuals and for
covered entities and service providers, and the remedies, exemptions,
and protections associated with this Act, in plain and concise language
and in an easy-to-understand manner.
(b) Updates.--The Commission shall update the information published
under subsection (a) on a quarterly basis as necessitated by any change
in law, regulation, guidance, or judicial decisions.
(c) Accessibility.--The Commission shall publish the information
required to be published under subsection (a) in the ten languages with
the most users in the United States, according to the most recent
United States Census.
SEC. 202. TRANSPARENCY.
(a) In General.--Each covered entity shall make publicly available,
in a clear, conspicuous, not misleading, and easy-to-read and readily
accessible manner, a privacy policy that provides a detailed and
accurate representation of the data collection, processing, and
transfer activities of the covered entity.
(b) Content of Privacy Policy.--A covered entity or service provider
shall have a privacy policy that includes, at a minimum, the following:
(1) The identity and the contact information of--
(A) the covered entity or service provider to which
the privacy policy applies (including the covered
entity's or service provider's points of contact and
generic electronic mail addresses, as applicable for
privacy and data security inquiries); and
(B) any other entity within the same corporate
structure as the covered entity or service provider to
which covered data is transferred by the covered
entity.
(2) The categories of covered data the covered entity or
service provider collects or processes.
(3) The processing purposes for each category of covered data
the covered entity or service provider collects or processes.
(4) Whether the covered entity or service provider transfers
covered data and, if so, each category of service provider and
third party to which the covered entity or service provider
transfers covered data, the name of each third-party collecting
entity to which the covered entity or service provider
transfers covered data, and the purposes for which such data is
transferred to such categories of service providers and third
parties or third-party collecting entities, except for a
transfer to a governmental entity pursuant to a court order or
law that prohibits the covered entity or service provider from
disclosing such transfer, except for transfers to governmental
entities pursuant to a court order or law that prohibits the
covered entity from disclosing the transfer.
(5) The length of time the covered entity or service provider
intends to retain each category of covered data, including
sensitive covered data, or, if it is not possible to identify
that timeframe, the criteria used to determine the length of
time the covered entity or service provider intends to retain
categories of covered data.
(6) A prominent description of how an individual can exercise
the rights described in this Act.
(7) A general description of the covered entity's or service
provider's data security practices.
(8) The effective date of the privacy policy.
(9) Whether or not any covered data collected by the covered
entity or service provider is transferred to, processed in,
stored in, or otherwise accessible to the People's Republic of
China, Russia, Iran, or North Korea.
(c) Languages.--The privacy policy required under subsection (a)
shall be made available to the public in each covered language in which
the covered entity or service provider--
(1) provides a product or service that is subject to the
privacy policy; or
(2) carries out activities related to such product or
service.
(d) Accessibility.--The covered entity or service provider shall also
provide the disclosures under this section in a manner that is
reasonably accessible to and usable by individuals with disabilities.
(e) Material Changes.--
(1) Affirmative express consent.--If a covered entity makes a
material change to its privacy policy or practices, the covered
entity shall notify each individual affected by such material
change before implementing the material change with respect to
any prospectively collected covered data and, except as
provided in paragraphs (1) through (15) of section 101(b),
provide a reasonable opportunity for each individual to
withdraw consent to any further materially different
collection, processing, or transfer of previously collected
covered data under the changed policy.
(2) Notification.--The covered entity shall take all
reasonable electronic measures to provide direct notification
regarding material changes to the privacy policy to each
affected individual, in each covered language in which the
privacy policy is made available, and taking into account
available technology and the nature of the relationship.
(3) Clarification.--Nothing in this section may be construed
to affect the requirements for covered entities under section
102 or 204.
(4) Log of material changes.--Each large data holder shall
retain copies of previous versions of its privacy policy for at
least 10 years beginning after the date of enactment of this
Act and publish them on its website. Such large data holder
shall make publicly available, in a clear, conspicuous, and
readily accessible manner, a log describing the date and nature
of each material change to its privacy policy over the past 10
years. The descriptions shall be sufficient for a reasonable
individual to understand the material effect of each material
change. The obligations in this paragraph shall not apply to
any previous versions of a large data holder's privacy policy,
or any material changes to such policy, that precede the date
of enactment of this Act.
(f) Short-form Notice to Consumers by Large Data Holders.--
(1) In general.--In addition to the privacy policy required
under subsection (a), a large data holder that is a covered
entity shall provide a short-form notice of its covered data
practices in a manner that is--
(A) concise, clear, conspicuous, and not misleading;
(B) readily accessible to the individual, based on
what is reasonably anticipated within the context of
the relationship between the individual and the large
data holder;
(C) inclusive of an overview of individual rights and
disclosures to reasonably draw attention to data
practices that may reasonably be unexpected to a
reasonable person or that involve sensitive covered
data; and
(D) no more than 500 words in length.
(2) Rulemaking.--The Commission shall issue a rule pursuant
to section 553 of title 5, United States Code, establishing the
minimum data disclosures necessary for the short-form notice
required under paragraph (1), which shall not exceed the
content requirements in subsection (b) and shall include
templates or models of short-form notices.
SEC. 203. INDIVIDUAL DATA OWNERSHIP AND CONTROL.
(a) Access to, and Correction, Deletion, and Portability of, Covered
Data.--In accordance with subsections (b) and (c), a covered entity
shall provide an individual, after receiving a verified request from
the individual, with the right to--
(1) access--
(A) in a human-readable format that a reasonable
individual can understand and download from the
internet, the covered data (except covered data in a
back-up or archival system) of the individual making
the request that is collected, processed, or
transferred by the covered entity or any service
provider of the covered entity within the 24 months
preceding the request;
(B) the categories of any third party, if applicable,
and an option for consumers to obtain the names of any
such third party as well as and the categories of any
service providers to whom the covered entity has
transferred for consideration the covered data of the
individual, as well as the categories of sources from
which the covered data was collected; and
(C) a description of the purpose for which the
covered entity transferred the covered data of the
individual to a third party or service provider;
(2) correct any verifiable substantial inaccuracy or
substantially incomplete information with respect to the
covered data of the individual that is processed by the covered
entity and instruct the covered entity to make reasonable
efforts to notify all third parties or service providers to
which the covered entity transferred such covered data of the
corrected information;
(3) delete covered data of the individual that is processed
by the covered entity and instruct the covered entity to make
reasonable efforts to notify all third parties or service
provider to which the covered entity transferred such covered
data of the individual's deletion request; and
(4) to the extent technically feasible, export to the
individual or directly to another entity the covered data of
the individual that is processed by the covered entity,
including inferences linked or reasonably linkable to the
individual but not including other derived data, without
licensing restrictions that limit such transfers in--
(A) a human-readable format that a reasonable
individual can understand and download from the
internet; and
(B) a portable, structured, interoperable, and
machine-readable format.
(b) Individual Autonomy.--A covered entity may not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of a right described in subsection (a) through--
(1) the use of any false, fictitious, fraudulent, or
materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise such right.
(c) Timing.--
(1) In general.--Subject to subsections (d) and (e), each
request under subsection (a) shall be completed by any--
(A) large data holder within 45 days of such request
from an individual, unless it is demonstrably
impracticable or impracticably costly to verify such
individual;
(B) covered entity that is not a large data holder or
a covered entity meeting the requirements of section
209 within 60 days of such request from an individual,
unless it is demonstrably impracticable or
impracticably costly to verify such individual; or
(C) covered entity meeting the requirements of
section 209 within 90 days of such request from an
individual, unless it is demonstrably impracticable or
impracticably costly to verify such individual.
(2) Extension.--A response period set forth in this
subsection may be extended once by 45 additional days when
reasonably necessary, considering the complexity and number of
the individual's requests, so long as the covered entity
informs the individual of any such extension within the initial
45-day response period, together with the reason for the
extension.
(d) Frequency and Cost of Access.--A covered entity--
(1) shall provide an individual with the opportunity to
exercise each of the rights described in subsection (a); and
(2) with respect to--
(A) the first 2 times that an individual exercises
any right described in subsection (a) in any 12-month
period, shall allow the individual to exercise such
right free of charge; and
(B) any time beyond the initial 2 times described in
subparagraph (A), may allow the individual to exercise
such right for a reasonable fee for each request.
(e) Verification and Exceptions.--
(1) Required exceptions.--A covered entity may not permit an
individual to exercise a right described in subsection (a), in
whole or in part, if the covered entity--
(A) cannot reasonably verify that the individual
making the request to exercise the right is the
individual whose covered data is the subject of the
request or an individual authorized to make such a
request on the individual's behalf;
(B) reasonably believes that the request is made to
interfere with a contract between the covered entity
and another individual;
(C) determines that the exercise of the right would
require access to or correction of another individual's
sensitive covered data;
(D) reasonably believes that the exercise of the
right would require the covered entity to engage in an
unfair or deceptive practice under section 5 of the
Federal Trade Commission Act (15 U.S.C. 45); or
(E) reasonably believes that the request is made to
further fraud, support criminal activity, or the
exercise of the right presents a data security threat.
(2) Additional information.--If a covered entity cannot
reasonably verify that a request to exercise a right described
in subsection (a) is made by the individual whose covered data
is the subject of the request (or an individual authorized to
make such a request on the individual's behalf), the covered
entity--
(A) may request that the individual making the
request to exercise the right provide any additional
information necessary for the sole purpose of verifying
the identity of the individual; and
(B) may not process or transfer such additional
information for any other purpose.
(3) Permissive exceptions.--
(A) In general.--A covered entity may decline, with
adequate explanation to the individual, to comply with
a request to exercise a right described in subsection
(a), in whole or in part, that would--
(i) require the covered entity to retain any
covered data collected for a single, one-time
transaction, if such covered data is not
processed or transferred by the covered entity
for any purpose other than completing such
transaction;
(ii) be demonstrably impracticable or
prohibitively costly to comply with, and the
covered entity shall provide a description to
the requestor detailing the inability to comply
with the request;
(iii) require the covered entity to attempt
to re-identify de-identified data;
(iv) require the covered entity to maintain
covered data in an identifiable form or
collect, retain, or access any data in order to
be capable of associating a verified individual
request with covered data of such individual;
(v) result in the release of trade secrets or
other privileged or confidential business
information;
(vi) require the covered entity to correct
any covered data that cannot be reasonably
verified as being inaccurate or incomplete;
(vii) interfere with law enforcement,
judicial proceedings, investigations, or
reasonable efforts to guard against, detect,
prevent, or investigate fraudulent, malicious,
or unlawful activity, or enforce valid
contracts;
(viii) violate Federal or State law or the
rights and freedoms of another individual,
including under the Constitution of the United
States;
(ix) prevent a covered entity from being able
to maintain a confidential record of deletion
requests, maintained solely for the purpose of
preventing covered data of an individual from
being recollected after the individual
submitted a deletion request and requested that
the covered entity no longer collect, process,
or transfer such data;
(x) fall within an exception enumerated in
the regulations promulgated by the Commission
pursuant to subparagraph (D); or
(xi) with respect to requests for deletion--
(I) unreasonably interfere with the
provision of products or services by
the covered entity to another person it
currently serves;
(II) delete covered data that relates
to a public figure and for which the
requesting individual has no reasonable
expectation of privacy;
(III) delete covered data reasonably
necessary to perform a contract between
the covered entity and the individual;
(IV) delete covered data that the
covered entity needs to retain in order
to comply with professional ethical
obligations;
(V) delete covered data that the
covered entity reasonably believes may
be evidence of unlawful activity or an
abuse of the covered entity's products
or services; or
(VI) for private elementary and
secondary schools as defined by State
law and private institutions of higher
education as defined by title I of the
Higher Education Act of 1965, delete
covered data that would unreasonably
interfere with the provision of
education services by or the ordinary
operation of the school or institution.
(B) Partial compliance.--In a circumstance that would
allow a denial pursuant to subparagraph (A), a covered
entity shall partially comply with the remainder of the
request if it is possible and not unduly burdensome to
do so.
(C) Number of requests.--For purposes of subparagraph
(A)(ii), the receipt of a large number of verified
requests, on its own, may not be considered to render
compliance with a request demonstrably impracticable.
(D) Further exceptions.--The Commission may, by
regulation as described in subsection (g), establish
additional permissive exceptions necessary to protect
the rights of individuals, alleviate undue burdens on
covered entities, prevent unjust or unreasonable
outcomes from the exercise of access, correction,
deletion, or portability rights, or as otherwise
necessary to fulfill the purposes of this section. In
establishing such exceptions, the Commission should
consider any relevant changes in technology, means for
protecting privacy and other rights, and beneficial
uses of covered data by covered entities.
(f) Large Data Holder Metrics Reporting.--A large data holder that is
a covered entity shall, for each calendar year in which it was a large
data holder, do the following:
(1) Compile the following metrics for the prior calendar
year:
(A) The number of verified access requests under
subsection (a)(1).
(B) The number of verified deletion requests under
subsection (a)(3).
(C) The number of requests to opt-out of covered data
transfers under section 204(b).
(D) The number of requests to opt-out of targeted
advertising under section 204(c).
(E) The number of requests in each of subparagraphs
(A) through (D) that such large data holder (i)
complied with in whole or in part and (ii) denied.
(F) The median or mean number of days within which
such large data holder substantively responded to the
requests in each of subparagraphs (A) through (D).
(2) Disclose by July 1 of each applicable calendar year the
information compiled in paragraph (1) within such large data
holder's privacy policy required under section 202 or on the
publicly accessible website of such large data holder that is
accessible from a hyperlink included in the privacy policy.
(g) Regulations.--Not later than 2 years after the date of enactment
of this Act, the Commission shall promulgate regulations, pursuant to
section 553 of title 5, United States Code, as necessary to establish
processes by which covered entities are to comply with the provisions
of this section. Such regulations shall take into consideration--
(1) the size of, and the nature, scope, and complexity of the
activities engaged in by the covered entity, including whether
the covered entity is a large data holder, nonprofit
organization, covered entity meeting the requirements of
section 209, third party, or third-party collecting entity;
(2) the sensitivity of covered data collected, processed, or
transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity;
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates; and
(5) after consulting the National Institute of Standards and
Technology, standards for ensuring the deletion of covered data
under this Act where appropriate.
(h) Accessibility.--A covered entity shall facilitate the ability of
individuals to make requests under subsection (a) in any covered
language in which the covered entity provides a product or service. The
mechanisms by which a covered entity enables individuals to make
requests under subsection (a) shall be readily accessible and usable by
with individuals with disabilities.
SEC. 204. RIGHT TO CONSENT AND OBJECT.
(a) Withdrawal of Consent.--A covered entity shall provide an
individual with a clear and conspicuous, easy-to-execute means to
withdraw any affirmative express consent previously provided by the
individual that is as easy to execute by a reasonable individual as the
means to provide consent, with respect to the processing or transfer of
the covered data of the individual.
(b) Right to Opt Out of Covered Data Transfers.--
(1) In general.--A covered entity--
(A) may not transfer or direct the transfer of the
covered data of an individual to a third party if the
individual objects to the transfer; and
(B) shall allow an individual to object to such a
transfer through an opt-out mechanism, as described in
section 210.
(2) Exception.--Except as provided in section 206(b)(3)(C), a
covered entity need not allow an individual to opt out of the
collection, processing, or transfer of covered data made
pursuant to the exceptions in paragraphs (1) through (15) of
section 101(b).
(c) Right to Opt Out of Targeted Advertising.--
(1) A covered entity or service provider that directly
delivers a targeted advertisement shall--
(A) prior to engaging in targeted advertising to an
individual or device and at all times thereafter,
provide such individual with a clear and conspicuous
means to opt out of targeted advertising;
(B) abide by any opt-out designation by an individual
with respect to targeted advertising and notify the
covered entity that directed the service provider to
deliver the targeted advertisement of the opt-out
decision; and
(C) allow an individual to make an opt-out
designation with respect to targeted advertising
through an opt-out mechanism, as described in section
210.
(2) A covered entity or service provider that receives an
opt-out notification pursuant to paragraph (1)(B) or this
paragraph shall abide by such opt-out designations by an
individual and notify any other person that directed the
covered entity or service provider to serve, deliver, or
otherwise handle the advertisement of the opt-out decision.
(d) Individual Autonomy.--A covered entity may not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of any individual right under this section
through--
(1) the use of any false, fictitious, fraudulent, or
materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise any such right.
SEC. 205. DATA PROTECTIONS FOR CHILDREN AND MINORS.
(a) Prohibition on Targeted Advertising to Children and Minors.--A
covered entity may not engage in targeted advertising to any individual
if the covered entity has knowledge that the individual is a covered
minor.
(b) Data Transfer Requirements Related to Covered Minors.--
(1) In general.--A covered entity may not transfer or direct
the transfer of the covered data of a covered minor to a third
party if the covered entity--
(A) has knowledge that the individual is a covered
minor; and
(B) has not obtained affirmative express consent from
the covered minor or the covered minor's parent or
guardian.
(2) Exception.--A covered entity or service provider may
collect, process, or transfer covered data of an individual the
covered entity or service provider knows is under the age of 18
solely in order to submit information relating to child
victimization to law enforcement or to the nonprofit, national
resource center and clearinghouse congressionally designated to
provide assistance to victims, families, child-serving
professionals, and the general public on missing and exploited
children issues.
(c) Youth Privacy and Marketing Division.--
(1) Establishment.--There is established within the
Commission in the privacy bureau established in this Act, a
division to be known as the ``Youth Privacy and Marketing
Division'' (in this section referred to as the ``Division'').
(2) Director.--The Division shall be headed by a Director,
who shall be appointed by the Chair of the Commission.
(3) Duties.--The Division shall be responsible for assisting
the Commission in addressing, as it relates to this Act--
(A) the privacy of children and minors; and
(B) marketing directed at children and minors.
(4) Staff.--The Director of the Division shall hire adequate
staff to carry out the duties described in paragraph (3),
including by hiring individuals who are experts in data
protection, digital advertising, data analytics, and youth
development.
(5) Reports.--Not later than 2 years after the date of
enactment of this Act, and annually thereafter, the Commission
shall submit to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on Energy and
Commerce of the House of Representatives a report that
includes--
(A) a description of the work of the Division
regarding emerging concerns relating to youth privacy
and marketing practices; and
(B) an assessment of how effectively the Division
has, during the period for which the report is
submitted, assisted the Commission to address youth
privacy and marketing practices.
(6) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (5), the Commission
shall publish the report on its website.
(d) Report by the Inspector General.--
(1) In general.--Not later than 2 years after the date of
enactment of this Act, and biennially thereafter, the Inspector
General of the Commission shall submit to the Commission and to
the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Energy and Commerce of the House of
Representatives a report regarding the safe harbor provisions
in section 1304 of the Children's Online Privacy Protection Act
of 1998 (15 U.S.C. 6503), which shall include--
(A) an analysis of whether the safe harbor provisions
are--
(i) operating fairly and effectively; and
(ii) effectively protecting the interests of
children and minors; and
(B) any proposal or recommendation for policy changes
that would improve the effectiveness of the safe harbor
provisions.
(2) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (1), the Commission
shall publish the report on the website of the Commission.
SEC. 206. THIRD-PARTY COLLECTING ENTITIES.
(a) Notice.--Each third-party collecting entity shall place a clear,
conspicuous, not misleading, and readily accessible notice on the
website or mobile application of the third-party collecting entity (if
the third-party collecting entity maintains such a website or mobile
application) that--
(1) notifies individuals that the entity is a third-party
collecting entity using specific language that the Commission
shall develop through rulemaking under section 553 of title 5,
United States Code;
(2) includes a link to the website established under
subsection (b)(3); and
(3) is reasonably accessible to and usable by individuals
with disabilities.
(b) Third-party Collecting Entity Registration.--
(1) In general.--Not later than January 31 of each calendar
year that follows a calendar year during which a covered entity
acted as a third-party collecting entity and processed covered
data pertaining to more than 5,000 individuals or devices that
identify or are linked or reasonably linkable to an individual,
such covered entity shall register with the Commission in
accordance with this subsection.
(2) Registration requirements.--In registering with the
Commission as required under paragraph (1), a third-party
collecting entity shall do the following:
(A) Pay to the Commission a registration fee of $100.
(B) Provide the Commission with the following
information:
(i) The legal name and primary physical,
email, and internet addresses of the third-
party collecting entity.
(ii) A description of the categories of
covered data the third-party collecting entity
processes and transfers.
(iii) The contact information of the third-
party collecting entity, including a contact
person, a telephone number, an e-mail address,
a website, and a physical mailing address.
(iv) A link to a website through which an
individual may easily exercise the rights
provided under this subsection.
(3) Third-party collecting entity registry.--The Commission
shall establish and maintain on a website a searchable,
publicly available, central registry of third-party collecting
entities that are registered with the Commission under this
subsection that includes the following:
(A) A listing of all registered third-party
collecting entities and a search feature that allows
members of the public to identify individual third-
party collecting entities.
(B) For each registered third-party collecting
entity, the information provided under paragraph
(2)(B).
(C)(i) A ``Do Not Collect'' registry link and
mechanism by which an individual may, easily submit a
request to all registered third-party collecting
entities that are not consumer reporting agencies (as
defined in section 603(f) of the Fair Credit Reporting
Act (15 U.S.C. 1681a(f))), and to the extent such
third-party collecting entities are not acting as
consumer reporting agencies (as so defined), to--
(I) delete all covered data related to such
individual that the third-party collecting
entity did not collect from such individual
directly or when acting as a service provider;
and
(II) ensure that the third-party collecting
entity no longer collects covered data related
to such individual without the affirmative
express consent of such individual, except
insofar as the third-party collecting entity is
acting as a service provider.
(ii) Each third-party collecting entity that receives
such a request from an individual shall delete all the
covered data of the individual not later than 30 days
after the request is received by the third-party
collecting entity.
(iii) Notwithstanding the provisions of clauses (i)
and (ii), a third-party collecting entity may decline
to fulfill a ``Do Not Collect'' request from an
individual who it has actual knowledge has been
convicted of a crime related to the abduction or sexual
exploitation of a child, and the data the entity is
collecting is necessary to effectuate the purposes of a
national or State-run sex offender registry or the
congressionally designated entity that serves as the
nonprofit national resource center and clearinghouse to
provide assistance to victims, families, child-serving
professionals, and the general public on missing and
exploited children issues.
(c) Penalties.--
(1) In general.--A third-party collecting entity that fails
to register or provide the notice as required under this
section shall be liable for--
(A) a civil penalty of $100 for each day the third-
party collecting entity fails to register or provide
notice as required under this section, not to exceed a
total of $10,000 for any year; and
(B) an amount equal to the registration fees due
under paragraph (2)(A) of subsection (b) for each year
that the third-party collecting entity failed to
register as required under paragraph (1) of such
subsection.
(2) Rule of construction.--Nothing in this subsection shall
be construed as altering, limiting, or affecting any
enforcement authorities or remedies under this Act.
SEC. 207. CIVIL RIGHTS AND ALGORITHMS.
(a) Civil Rights Protections.--
(1) In general.--A covered entity or a service provider may
not collect, process, or transfer covered data in a manner that
discriminates in or otherwise makes unavailable the equal
enjoyment of goods or services on the basis of race, color,
religion, national origin, sex, or disability.
(2) Exceptions.--This subsection shall not apply to--
(A) the collection, processing, or transfer of
covered data for the purpose of--
(i) a covered entity's or a service
provider's self-testing to prevent or mitigate
unlawful discrimination; or
(ii) diversifying an applicant, participant,
or customer pool; or
(B) any private club or group not open to the public,
as described in section 201(e) of the Civil Rights Act
of 1964 (42 U.S.C. 2000a(e)).
(b) FTC Enforcement Assistance.--
(1) In general.--Whenever the Commission obtains information
that a covered entity or service provider may have collected,
processed, or transferred covered data in violation of
subsection (a), the Commission shall transmit such information
as allowable under Federal law to any Executive agency with
authority to initiate enforcement actions or proceedings
relating to such violation.
(2) Annual report.--Not later than 3 years after the date of
enactment of this Act, and annually thereafter, the Commission
shall submit to Congress a report that includes a summary of--
(A) the types of information the Commission
transmitted to Executive agencies under paragraph (1)
during the previous 1-year period; and
(B) how such information relates to Federal civil
rights laws.
(3) Technical assistance.--In transmitting information under
paragraph (1), the Commission may consult and coordinate with,
and provide technical and investigative assistance, as
appropriate, to such Executive agency.
(4) Cooperation with other agencies.--The Commission may
implement this subsection by executing agreements or memoranda
of understanding with the appropriate Executive agencies.
(c) Covered Algorithm Impact and Evaluation.--
(1) Covered algorithm impact assessment.--
(A) Impact assessment.--Notwithstanding any other
provision of law, not later than 2 years after the date
of enactment of this Act, and annually thereafter, a
large data holder that uses a covered algorithm in a
manner that poses a consequential risk of harm to an
individual or group of individuals, and uses such
covered algorithm solely or in part, to collect,
process, or transfer covered data shall conduct an
impact assessment of such algorithm in accordance with
subparagraph (B).
(B) Impact assessment scope.--The impact assessment
required under subparagraph (A) shall provide the
following:
(i) A detailed description of the design
process and methodologies of the covered
algorithm.
(ii) A statement of the purpose and proposed
uses of the covered algorithm.
(iii) A detailed description of the data used
by the covered algorithm, including the
specific categories of data that will be
processed as input and any data used to train
the model that the covered algorithm relies on,
if applicable.
(iv) A description of the outputs produced by
the covered algorithm.
(v) An assessment of the necessity and
proportionality of the covered algorithm in
relation to its stated purpose.
(vi) A detailed description of steps the
large data holder has taken or will take to
mitigate potential harms from the covered
algorithm to an individual or group of
individuals, including related to--
(I) covered minors;
(II) making or facilitating
advertising for, or determining access
to, or restrictions on the use of
housing, education, employment,
healthcare, insurance, or credit
opportunities;
(III) determining access to, or
restrictions on the use of, any place
of public accommodation, particularly
as such harms relate to the protected
characteristics of individuals,
including race, color, religion,
national origin, sex, or disability;
(IV) disparate impact on the basis of
individuals' race, color, religion,
national origin, sex, or disability
status; or
(V) disparate impact on the basis of
individuals' political party
registration status.
(2) Algorithm design evaluation.--Notwithstanding any other
provision of law, not later than 2 years after the date of
enactment of this Act, a covered entity or service provider
that knowingly develops a covered algorithm that is designed
to, solely or in part, to collect, process, or transfer covered
data in furtherance of a consequential decision shall prior to
deploying the covered algorithm in interstate commerce evaluate
the design, structure, and inputs of the covered algorithm,
including any training data used to develop the covered
algorithm, to reduce the risk of the potential harms identified
under paragraph (1)(B).
(3) Other considerations.--
(A) Focus.--In complying with paragraphs (1) and (2),
a covered entity and a service provider may focus the
impact assessment or evaluation on any covered
algorithm, or portions of a covered algorithm, that
will be put to use and may reasonably contribute to the
risk of the potential harms identified under paragraph
(1)(B).
(B) Availability.--
(i) In general.--A covered entity and a
service provider--
(I) shall, not later than 30 days
after completing an impact assessment
or evaluation, submit the impact
assessment or evaluation conducted
under paragraph (1) or (2) to the
Commission;
(II) shall, upon request, make such
impact assessment and evaluation
available to Congress; and
(III) may make a summary of such
impact assessment and evaluation
publicly available in a place that is
easily accessible to individuals.
(ii) Trade secrets.--Covered entities and
service providers may redact and segregate any
trade secret (as defined in section 1839 of
title 18, United States Code) or other
confidential or proprietary information from
public disclosure under this subparagraph and
the Commission shall abide by its obligations
under section 6(f) of the Federal Trade
Commission Act (15 U.S.C. 46(f)) in regard to
such information.
(C) Enforcement.--The Commission may not use any
information obtained solely and exclusively through a
covered entity or a service provider's disclosure of
information to the Commission in compliance with this
section for any purpose other than enforcing this Act
with the exception of enforcing consent orders,
including the study and report provisions in paragraph
(6). This subparagraph does not preclude the Commission
from providing this information to Congress in response
to a subpoena.
(4) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall, in consultation
with the Secretary of Commerce, or their respective designees,
publish guidance regarding compliance with this section.
(5) Rulemaking and exemption.--The Commission shall have
authority under section 553 of title 5, United States Code, to
promulgate regulations as necessary to establish processes by
which a large data holder--
(A) shall submit an impact assessment to the
Commission under paragraph (3)(B)(i)(I); and
(B) may exclude from this subsection any covered
algorithm that presents low or minimal consequential
risk of harm to an individual or group of individuals.
(6) Study and report.--
(A) Study.--The Commission, in consultation with the
Secretary of Commerce or the Secretary's designee,
shall conduct a study, to review any impact assessment
or evaluation submitted under this subsection. Such
study shall include an examination of--
(i) best practices for the assessment and
evaluation of covered algorithms; and
(ii) methods to reduce the risk of harm to
individuals that may be related to the use of
covered algorithms.
(B) Report.--
(i) Initial report.--Not later than 3 years
after the date of enactment of this Act, the
Commission, in consultation with the Secretary
of Commerce or the Secretary's designee, shall
submit to Congress a report containing the
results of the study conducted under
subparagraph (A), together with recommendations
for such legislation and administrative action
as the Commission determines appropriate.
(ii) Additional reports.--Not later than 3
years after submission of the initial report
under clause (i), and as the Commission
determines necessary thereafter, the Commission
shall submit to Congress an updated version of
such report.
SEC. 208. DATA SECURITY AND PROTECTION OF COVERED DATA.
(a) Establishment of Data Security Practices.--
(1) In general.--A covered entity or service provider shall
establish, implement, and maintain reasonable administrative,
technical, and physical data security practices and procedures
to protect and secure covered data against unauthorized access
and acquisition.
(2) Considerations.--The reasonable administrative,
technical, and physical data security practices required under
paragraph (1) shall be appropriate to--
(A) the size and complexity of the covered entity or
service provider;
(B) the nature and scope of the covered entity or the
service provider's collecting, processing, or
transferring of covered data;
(C) the volume and nature of the covered data
collected, processed, or transferred by the covered
entity or service provider;
(D) the sensitivity of the covered data collected,
processed, or transferred;
(E) the current state of the art (and limitations
thereof) in administrative, technical, and physical
safeguards for protecting such covered data; and
(F) the cost of available tools to improve security
and reduce vulnerabilities to unauthorized access and
acquisition of such covered data in relation to the
risks and nature of the covered data.
(b) Specific Requirements.--The data security practices of the
covered entity and of the service provider required under subsection
(a) shall include, for each respective entity's own system or systems,
at a minimum, the following practices:
(1) Assess vulnerabilities.--Identifying and assessing any
material internal and external risk to, and vulnerability in,
the security of each system maintained by the covered entity
that collects, processes, or transfers covered data, or service
provider that collects, processes, or transfers covered data on
behalf of the covered entity, including unauthorized access to
or risks to such covered data, human vulnerabilities, access
rights, and the use of service providers. With respect to large
data holders, such activities shall include a plan to receive
and reasonably respond to unsolicited reports of
vulnerabilities by any entity or individual and by performing a
reasonable investigation of such reports.
(2) Preventive and corrective action.--Taking preventive and
corrective action designed to mitigate reasonably foreseeable
risks or vulnerabilities to covered data identified by the
covered entity or service provider, consistent with the nature
of such risk or vulnerability and the entity's role in
collecting, processing, or transferring the data. Such action
may include implementing administrative, technical, or physical
safeguards or changes to data security practices or the
architecture, installation, or implementation of network or
operating software, among other actions.
(3) Evaluation of preventive and corrective action.--
Evaluating and making reasonable adjustments to the action
described in paragraph (2) in light of any material changes in
technology, internal or external threats to covered data, and
the covered entity or service provider's own changing business
arrangements or operations.
(4) Information retention and disposal.--Disposing of covered
data in accordance with a retention schedule that shall require
the deletion of covered data when such data is required to be
deleted by law or is no longer necessary for the purpose for
which the data was collected, processed, or transferred, unless
an individual has provided affirmative express consent to such
retention. Such disposal shall include destroying, permanently
erasing, or otherwise modifying the covered data to make such
data permanently unreadable or indecipherable and unrecoverable
to ensure ongoing compliance with this section. Service
providers shall establish practices to delete or return covered
data to a covered entity as requested at the end of the
provision of services unless retention of the covered data is
required by law, consistent with section 302(a)(6).
(5) Training.--Training each employee with access to covered
data on how to safeguard covered data and updating such
training as necessary.
(6) Designation.--Designating an officer, employee, or
employees to maintain and implement such practices.
(7) Incident response.--Implementing procedures to detect,
respond to, or recover from security incidents, including
breaches.
(c) Regulations.--The Commission may promulgate, in accordance with
section 553 of title 5, United States Code, technology-neutral
regulations to establish processes for complying with this section. The
Commission shall consult with the National Institute of Standards and
Technology in establishing such processes.
SEC. 209. SMALL BUSINESS PROTECTIONS.
(a) Establishment of Exemption.--Any covered entity or service
provider that can establish that it met the requirements described in
subsection (b) for the period of the 3 preceding calendar years (or for
the period during which the covered entity or service provider has been
in existence if such period is less than 3 years) shall--
(1) be exempt from compliance with section 203(a)(4),
paragraphs (1) through (3) and (5) through (7) of section
208(b), and section 301(c); and
(2) at the covered entity's sole discretion, have the option
of complying with section 203(a)(2) by, after receiving a
verified request from an individual to correct covered data of
the individual under such section, deleting such covered data
in its entirety instead of making the requested correction.
(b) Exemption Requirements.--The requirements of this subsection are,
with respect to a covered entity or a service provider, the following:
(1) The covered entity or service provider's average annual
gross revenues during the period did not exceed $41,000,000.
(2) The covered entity or service provider, on average, did
not annually collect or process the covered data of more than
200,000 individuals during the period beyond the purpose of
initiating, rendering, billing for, finalizing, completing, or
otherwise collecting payment for a requested service or
product, so long as all covered data for such purpose was
deleted or de-identified within 90 days, except when necessary
to investigate fraud or as consistent with a covered entity's
return policy.
(3) The covered entity or service provider did not derive
more than 50 percent of its revenue from transferring covered
data during any year (or part of a year if the covered entity
has been in existence for less than 1 year) that occurs during
the period.
(c) Revenue Defined.--For purposes of this section, the term
``revenue'' as it relates to any covered entity or service provider
that is not organized to carry on business for its own profit or that
of its members, means the gross receipts the covered entity or service
provider received in whatever form from all sources without subtracting
any costs or expenses, and includes contributions, gifts, grants, dues
or other assessments, income from investments, or proceeds from the
sale of real or personal property.
SEC. 210. UNIFIED OPT-OUT MECHANISMS.
(a) In General.--For the rights established under subsection (b) of
section 204, subsection (c) of section 204 (except as provided for
under section 101(b)(16)), and section 206(b)(3)(C), following public
notice and opportunity to comment and not later than 18 months after
the date of enactment of this Act, the Commission shall establish or
recognize one or more acceptable privacy protective, centralized
mechanisms, including global privacy signals such as browser or device
privacy settings, other tools offered by covered entities or service
providers, and registries of identifiers, for individuals to exercise
all such rights through a single interface for a covered entity or
service provider to utilize to allow an individual to make such opt out
designations with respect to covered data related to such individual.
(b) Requirements.--Any such centralized opt-out mechanism shall--
(1) require covered entities or service providers acting on
behalf of covered entities to inform individuals about the
centralized opt-out choice;
(2) not be required to be the default setting, but may be the
default setting provided that in all cases the mechanism
clearly represents the individual's affirmative, freely given,
and unambiguous choice to opt out;
(3) be consumer-friendly, clearly described, and easy-to-use
by a reasonable individual;
(4) permit the covered entity or service provider acting on
behalf of a covered entity to have an authentication process
the covered entity or service provider acting on behalf of a
covered entity may use to determine if the mechanism represents
a legitimate request to opt out;
(5) be provided in any covered language in which the covered
entity provides products or services subject to the opt-out;
and
(6) be provided in a manner that is reasonably accessible to
and usable by individuals with disabilities.
TITLE III--CORPORATE ACCOUNTABILITY
SEC. 301. EXECUTIVE RESPONSIBILITY.
(a) In General.--Beginning 1 year after the date of enactment of this
Act, an executive officer of a large data holder shall annually
certify, in good faith, to the Commission, in a manner specified by the
Commission by regulation under section 553 of title 5, United States
Code, that the entity maintains--
(1) internal controls reasonably designed to comply with this
Act; and
(2) internal reporting structures to ensure that such
certifying executive officer is involved in and responsible for
the decisions that impact the compliance by the large data
holder with this Act.
(b) Requirements.--A certification submitted under subsection (a)
shall be based on a review of the effectiveness of the internal
controls and reporting structures of the large data holder that is
conducted by the certifying executive officer not more than 90 days
before the submission of the certification. A certification submitted
under subsection (a) is made in good faith if the certifying officer
had, after a reasonable investigation, reasonable ground to believe and
did believe, at the time that certification was submitted, that the
statements therein were true and that there was no omission to state a
material fact required to be stated therein or necessary to make the
statements therein not misleading.
(c) Designation of Privacy and Data Security Officer.--
(1) In general.--A covered entity or service provider that
have more than 15 employees, shall designate--
(A) 1 or more qualified employees as privacy
officers; and
(B) 1 or more qualified employees (in addition to any
employee designated under subparagraph (A)) as data
security officers.
(2) Requirements for officers.--An employee who is designated
by a covered entity or a service provider as a privacy officer
or a data security officer pursuant to paragraph (1) shall, at
a minimum--
(A) implement a data privacy program and data
security program to safeguard the privacy and security
of covered data in compliance with the requirements of
this Act; and
(B) facilitate the covered entity or service
provider's ongoing compliance with this Act.
(3) Additional requirements for large data holders.--A large
data holder shall designate at least 1 of the officers
described in paragraph (1) to report directly to the highest
official at the large data holder as a privacy protection
officer who shall, in addition to the requirements in paragraph
(2), either directly or through a supervised designee or
designees--
(A) establish processes to periodically review and
update the privacy and security policies, practices,
and procedures of the large data holder, as necessary;
(B) conduct biennial and comprehensive audits to
ensure the policies, practices, and procedures of the
large data holder ensure the large data holder is in
compliance with this Act and ensure such audits are
accessible to the Commission upon request;
(C) develop a program to educate and train employees
about compliance requirements of this Act;
(D) maintain updated, accurate, clear, and
understandable records of all material privacy and data
security practices undertaken by the large data holder;
and
(E) serve as the point of contact between the large
data holder and enforcement authorities.
(d) Large Data Holder Privacy Impact Assessments.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act or 1 year after the date on which a
covered entity first meets the definition of large data holder,
whichever is earlier, and biennially thereafter, each covered
entity that is a large data holder shall conduct a privacy
impact assessment that weighs the benefits of the large data
holder's covered data collecting, processing, and transfer
practices against the potential adverse consequences of such
practices, including substantial privacy risks, to individual
privacy.
(2) Assessment requirements.--A privacy impact assessment
required under paragraph (1) shall be--
(A) reasonable and appropriate in scope given--
(i) the nature of the covered data collected,
processed, and transferred by the large data
holder;
(ii) the volume of the covered data
collected, processed, and transferred by the
large data holder; and
(iii) the potential material risks posed to
the privacy of individuals by the collecting,
processing, and transfer of covered data by the
large data holder;
(B) documented in written form and maintained by the
large data holder unless rendered out of date by a
subsequent assessment conducted under paragraph (1);
and
(C) approved by the privacy protection officer
designated in subsection (c)(3) of the large data
holder, as applicable.
(3) Additional factors to include in assessment.--In
assessing the privacy risks, including substantial privacy
risks, the large data holder must include reviews of the means
by which technologies, including blockchain and distributed
ledger technologies and other emerging technologies, are used
to secure covered data.
(e) Other Privacy Impact Assessments.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act and biennially thereafter, each covered
entity that is not large data holder and does not meet the
requirements for covered entities under section 209 shall
conduct a privacy impact assessment. Such assessment shall
weigh the benefits of the covered entity's covered data
collecting, processing, and transfer practices that may cause a
substantial privacy risk against the potential material adverse
consequences of such practices to individual privacy.
(2) Assessment requirements.--A privacy impact assessment
required under paragraph (1) shall be--
(A) reasonable and appropriate in scope given--
(i) the nature of the covered data collected,
processed, and transferred by the covered
entity;
(ii) the volume of the covered data
collected, processed, and transferred by the
covered entity; and
(iii) the potential risks posed to the
privacy of individuals by the collecting,
processing, and transfer of covered data by the
covered entity; and
(B) documented in written form and maintained by the
covered entity unless rendered out of date by a
subsequent assessment conducted under paragraph (1).
(3) Additional factors to include in assessment.--In
assessing the privacy risks, including substantial privacy
risks, the covered entity may include reviews of the means by
which technologies, including blockchain and distributed ledger
technologies and other emerging technologies, are used to
secure covered data.
SEC. 302. SERVICE PROVIDERS AND THIRD PARTIES.
(a) Service Providers.--A service provider--
(1) shall adhere to the instructions of a covered entity and
only collect, process, and transfer service provider data to
the extent necessary and proportionate to provide a service
requested by the covered entity, as set out in the contract
required by subsection (b), and this paragraph does not require
a service provider to collect, process, or transfer covered
data if the service provider would not otherwise do so;
(2) may not collect, process, or transfer service provider
data if the service provider has actual knowledge that a
covered entity violated this Act with respect to such data;
(3) shall assist a covered entity in responding to a request
made by an individual under section 203 or 204, by either--
(A) providing appropriate technical and
organizational measures, taking into account the nature
of the processing and the information reasonably
available to the service provider, for the covered
entity to comply with such request for service provider
data; or
(B) fulfilling a request by a covered entity to
execute an individual rights request that the covered
entity has determined should be complied with, by
either--
(i) complying with the request pursuant to
the covered entity's instructions; or
(ii) providing written verification to the
covered entity that it does not hold covered
data related to the request, that complying
with the request would be inconsistent with its
legal obligations, or that the request falls
within an exception to section 203 or 204;
(4) may engage another service provider for purposes of
processing service provider data on behalf of a covered entity
only after providing that covered entity with notice and
pursuant to a written contract that requires such other service
provider to satisfy the obligations of the service provider
with respect to such service provider data, including that the
other service provider be treated as a service provider under
this Act;
(5) shall, upon the reasonable request of the covered entity,
make available to the covered entity information necessary to
demonstrate the compliance of the service provider with the
requirements of this Act, which may include making available a
report of an independent assessment arranged by the service
provider on terms agreed to by the service provider and the
covered entity, providing information necessary to enable the
covered entity to conduct and document a privacy impact
assessment required by subsection (d) or (e) of section 301,
and making available the report required under section
207(c)(2);
(6) shall, at the covered entity's direction, delete or
return all covered data to the covered entity as requested at
the end of the provision of services, unless retention of the
covered data is required by law;
(7) shall develop, implement, and maintain reasonable
administrative, technical, and physical safeguards that are
designed to protect the security and confidentiality of covered
data the service provider processes consistent with section
208; and
(8) shall allow and cooperate with, reasonable assessments by
the covered entity or the covered entity's designated assessor;
alternatively, the service provider may arrange for a qualified
and independent assessor to conduct an assessment of the
service provider's policies and technical and organizational
measures in support of the obligations under this Act using an
appropriate and accepted control standard or framework and
assessment procedure for such assessments. The service provider
shall provide a report of such assessment to the covered entity
upon request.
(b) Contracts Between Covered Entities and Service Providers.--
(1) Requirements.--A person or entity may only act as a
service provider pursuant to a written contract between the
covered entity and the service provider, or a written contract
between one service provider and a second service provider as
described under subsection (a)(4), if the contract--
(A) sets forth the data processing procedures of the
service provider with respect to collection,
processing, or transfer performed on behalf of the
covered entity or service provider;
(B) clearly sets forth--
(i) instructions for collecting, processing,
or transferring data;
(ii) the nature and purpose of collecting,
processing, or transferring;
(iii) the type of data subject to collecting,
processing, or transferring;
(iv) the duration of processing; and
(v) the rights and obligations of both
parties, including a method by which the
service provider shall notify the covered
entity of material changes to its privacy
practices;
(C) does not relieve a covered entity or a service
provider of any requirement or liability imposed on
such covered entity or service provider under this Act;
and
(D) prohibits--
(i) collecting, processing, or transferring
covered data in contravention to subsection
(a); and
(ii) combining service provider data with
covered data which the service provider
receives from or on behalf of another person or
persons or collects from the interaction of the
service provider with an individual, provided
that such combining is not necessary to
effectuate a purpose described in paragraphs
(1) through (15) of section 101(b) and is
otherwise permitted under the contract required
by this subsection.
(2) Contract terms.--Each service provider shall retain
copies of previous contracts entered into in compliance with
this subsection with each covered entity to which it provides
requested products or services.
(c) Relationship Between Covered Entities and Service Providers.--
(1) Determining whether a person is acting as a covered
entity or service provider with respect to a specific
processing of covered data is a fact-based determination that
depends upon the context in which such data is processed.
(2) A person that is not limited in its processing of covered
data pursuant to the instructions of a covered entity, or that
fails to adhere to such instructions, is a covered entity and
not a service provider with respect to a specific processing of
covered data. A service provider that continues to adhere to
the instructions of a covered entity with respect to a specific
processing of covered data remains a service provider. If a
service provider begins, alone or jointly with others,
determining the purposes and means of the processing of covered
data, it is a covered entity and not a service provider with
respect to the processing of such data.
(3) A covered entity that transfers covered data to a service
provider or a service provider that transfers covered data to a
covered entity or another service provider, in compliance with
the requirements of this Act, is not liable for a violation of
this Act by the service provider or covered entity to whom such
covered data was transferred, if at the time of transferring
such covered data, the covered entity or service provider did
not have actual knowledge that the service provider or covered
entity would violate this Act.
(4) A covered entity or service provider that receives
covered data in compliance with the requirements of this Act is
not in violation of this Act as a result of a violation by a
covered entity or service provider from which such data was
received.
(d) Third Parties.--A third party--
(1) shall not process third party data for a processing
purpose other than, in the case of sensitive covered data, the
processing purpose for which the individual gave affirmative
express consent or to effect a purpose enumerated in paragraph
(1), (3), or (5) of section 101(b) and, in the case of non-
sensitive data, the processing purpose for which the covered
entity made a disclosure pursuant to section 202(b)(4); and
(2) for purposes of paragraph (1), may reasonably rely on
representations made by the covered entity that transferred the
third party data if the third party conducts reasonable due
diligence on the representations of the covered entity and
finds those representations to be credible.
(e) Additional Obligations on Covered Entities.--
(1) In general.--A covered entity or service provider shall
exercise reasonable due diligence in--
(A) selecting a service provider; and
(B) deciding to transfer covered data to a third
party.
(2) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall publish guidance
regarding compliance with this subsection, taking into
consideration the burdens on large data holders, covered
entities who are not large data holders, and covered entities
meeting the requirements of section 209.
(f) Rule of Construction.--Solely for the purposes of this section,
the requirements for service providers to contract with, assist, and
follow the instructions of covered entities shall be read to include
requirements to contract with, assist, and follow the instructions of a
government entity if the service provider is providing a service to a
government entity.
SEC. 303. TECHNICAL COMPLIANCE PROGRAMS.
(a) In General.--Not later than 3 years after the date of enactment
of this Act, the Commission shall promulgate regulations under section
553 of title 5, United States Code, to establish a process for the
proposal and approval of technical compliance programs under this
section used by a covered entity to collect, process, or transfer
covered data.
(b) Scope of Programs.--The technical compliance programs established
under this section shall, with respect to a technology, product,
service, or method used by a covered entity to collect, process, or
transfer covered data--
(1) establish publicly available guidelines for compliance
with this Act; and
(2) meet or exceed the requirements of this Act.
(c) Approval Process.--
(1) In general.--Any request for approval, amendment, or
repeal of a technical compliance program may be submitted to
the Commission by any person, including a covered entity, a
representative of a covered entity, an association of covered
entities, or a public interest group or organization. Within 90
days after the request is made, the Commission shall publish
the request and provide an opportunity for public comment on
the proposal.
(2) Expedited response to requests.--Beginning 1 year after
the date of enactment of this Act, the Commission shall act
upon a request for the proposal and approval of a technical
compliance program not later than 1 year after the filing of
the request, and shall set forth publicly in writing the
conclusions of the Commission with regard to such request.
(d) Right to Appeal.--Final action by the Commission on a request for
approval, amendment, or repeal of a technical compliance program, or
the failure to act within the 1-year period after a request for
approval, amendment, or repeal of a technical compliance program is
made under subsection (c), may be appealed to a Federal district court
of the United States of appropriate jurisdiction as provided for in
section 702 of title 5, United States Code.
(e) Effect on Enforcement.--
(1) In general.--Prior to commencing an investigation or
enforcement action against any covered entity under this Act,
the Commission and State attorney general shall consider the
covered entity's history of compliance with any technical
compliance program approved under this section and any action
taken by the covered entity to remedy noncompliance with such
program. If such enforcement action described in section 403 is
brought, the covered entity's history of compliance with any
technical compliance program approved under this section and
any action taken by the covered entity to remedy noncompliance
with such program shall be taken into consideration when
determining liability or a penalty. The covered entity's
history of compliance with any technical compliance program
shall not affect any burden of proof or the weight given to
evidence in an enforcement or judicial proceeding.
(2) Commission authority.--Approval of a technical compliance
program shall not limit the authority of the Commission,
including the Commission's authority to commence an
investigation or enforcement action against any covered entity
under this Act or any other Act.
(3) Rule of construction.--Nothing in this subsection shall
provide any individual, class of individuals, or person with
any right to seek discovery of any non-public Commission
deliberation or activity or impose any pleading requirement on
the Commission if the Commission brings an enforcement action
of any kind.
SEC. 304. COMMISSION APPROVED COMPLIANCE GUIDELINES.
(a) Application for Compliance Guideline Approval.--
(1) In general.--A covered entity that is not a third-party
collecting entity and meets the requirements of section 209, or
a group of such covered entities, may apply to the Commission
for approval of 1 or more sets of compliance guidelines
governing the collection, processing, and transfer of covered
data by the covered entity or group of covered entities.
(2) Application requirements.--Such application shall
include--
(A) a description of how the proposed guidelines will
meet or exceed the requirements of this Act;
(B) a description of the entities or activities the
proposed set of compliance guidelines is designed to
cover;
(C) a list of the covered entities that meet the
requirements of section 209 and are not third-party
collecting entities, if any are known at the time of
application, that intend to adhere to the compliance
guidelines; and
(D) a description of how such covered entities will
be independently assessed for adherence to such
compliance guidelines, including the independent
organization not associated with any of the covered
entities that may participate in guidelines that will
administer such guidelines.
(3) Commission review.--
(A) Initial approval.--
(i) Public comment period.--Within 90 days
after the receipt of proposed guidelines
submitted pursuant to paragraph (2), the
Commission shall publish the application and
provide an opportunity for public comment on
such compliance guidelines.
(ii) Approval.--The Commission shall approve
an application regarding proposed guidelines
under paragraph (2) if the applicant
demonstrates that the compliance guidelines--
(I) meet or exceed requirements of
this Act;
(II) provide for the regular review
and validation by an independent
organization not associated with any of
the covered entities that may
participate in the guidelines and that
is approved by the Commission to
conduct such reviews of the compliance
guidelines of the covered entity or
entities to ensure that the covered
entity or entities continue to meet or
exceed the requirements of this Act;
and
(III) include a means of enforcement
if a covered entity does not meet or
exceed the requirements in the
guidelines, which may include referral
to the Commission for enforcement
consistent with section 401 or referral
to the appropriate State attorney
general for enforcement consistent with
section 402.
(iii) Timeline.--Within 1 year after
receiving an application regarding proposed
guidelines under paragraph (2), the Commission
shall issue a determination approving or
denying the application and providing its
reasons for approving or denying such
application.
(B) Approval of modifications.--
(i) In general.--If the independent
organization administering a set of guidelines
makes material changes to guidelines previously
approved by the Commission, the independent
organization shall submit the updated
guidelines to the Commission for approval. As
soon as feasible, the Commission shall publish
the updated guidelines and provide an
opportunity for public comment.
(ii) Timeline.--The Commission shall approve
or deny any material change to the guidelines
within 1 year after receipt of the submission
for approval.
(b) Withdrawal of Approval.--If at any time the Commission determines
that the guidelines previously approved no longer meet the requirements
of this Act or a regulation promulgated under this Act or that
compliance with the approved guidelines is insufficiently enforced by
the independent organization administering the guidelines, the
Commission shall notify the covered entities or group of such entities
and the independent organization of the determination of the Commission
to withdraw approval of such guidelines and the basis for doing so.
Within180 days after receipt of such notice, the covered entity or
group of such entities and the independent organization may cure any
alleged deficiency with the guidelines or the enforcement of such
guidelines and submit each proposed cure to the Commission. If the
Commission determines that such cures eliminate the alleged deficiency
in the guidelines, then the Commission may not withdraw approval of
such guidelines on the basis of such determination.
(c) Deemed Compliance.--A covered entity that is eligible to
participate under subsection (a)(1) and participates in guidelines
approved under this section shall be deemed in compliance with the
relevant provisions of this Act if such covered entity is in compliance
with such guidelines.
SEC. 305. DIGITAL CONTENT FORGERIES.
(a) Reports.--Not later than 1 year after the date of enactment of
this Act, and annually thereafter, the Secretary of Commerce or the
Secretary's designee shall publish a report regarding digital content
forgeries.
(b) Requirements.--Each report under subsection (a) shall include the
following:
(1) A definition of digital content forgeries along with
accompanying explanatory materials.
(2) A description of the common sources of digital content
forgeries in the United States and commercial sources of
digital content forgery technologies.
(3) An assessment of the uses, applications, and harms of
digital content forgeries.
(4) An analysis of the methods and standards available to
identify digital content forgeries as well as a description of
the commercial technological counter-measures that are, or
could be, used to address concerns with digital content
forgeries, which may include the provision of warnings to
viewers of suspect content.
(5) A description of the types of digital content forgeries,
including those used to commit fraud, cause harm, or violate
any provision of law.
(6) Any other information determined appropriate by the
Secretary of Commerce or the Secretary's designee.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
SEC. 401. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Bureau of Privacy.--
(1) In general.--The Commission shall establish within the
Commission a new bureau to be known as the ``Bureau of
Privacy'', which shall be of similar structure, size,
organization, and authority as the existing bureaus within the
Commission related to consumer protection and competition.
(2) Mission.--The mission of the Bureau established under
paragraph (1) shall be to assist the Commission in carrying out
the duties of the Commission under this Act and related duties
under other provisions of law.
(3) Timeline.--The Bureau required to be established under
paragraph (1) shall be established, staffed, and fully
operational not later than 1 year after the date of enactment
of this Act.
(b) Office of Business Mentorship.--The Director of the Bureau
established under subsection (a)(1) shall establish within the Bureau
an office to be known as the ``Office of Business Mentorship'' to
provide guidance and education to covered entities and service
providers regarding compliance with this Act. Covered entities or
service providers may request advice from the Commission or the Office
with respect to a course of action that the covered entity or service
provider proposes to pursue and that may relate to the requirements of
this Act.
(c) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in paragraphs
(3), (4), and (5), the Commission shall enforce this
Act and the regulations promulgated under this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act or a regulation promulgated under
this Act shall be subject to the penalties and entitled
to the privileges and immunities provided in the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(3) Limiting certain actions unrelated to this act.--If the
Commission brings a civil action alleging that an act or
practice violates this Act or a regulation promulgated under
this Act, the Commission may not seek a cease and desist order
against the same defendant under section 5(b) of the Federal
Trade Commission Act (15 U.S.C. 45(b)) to stop that same act or
practice on the grounds that such act or practice constitutes
an unfair or deceptive act or practice.
(4) Common carriers and nonprofit organizations.--
Notwithstanding any jurisdictional limitation of the Commission
with respect to consumer protection or privacy, the Commission
shall enforce this Act and the regulations promulgated under
this Act, in the same manner provided in paragraphs (1), (2),
(3), and (5), with respect to common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary thereto and organizations
not organized to carry on business for their own profit or that
of their members.
(5) Privacy and security victims relief fund.--
(A) Establishment.--There is established in the
Treasury of the United States a separate fund to be
known as the ``Privacy and Security Victims Relief
Fund'' in this paragraph referred to as the ``Victims
Relief Fund'').
(B) Deposits.--Notwithstanding section 3302 of title
31, United States Code, in any judicial or
administrative action to enforce this Act or a
regulation promulgated under this Act, the amount of
any civil penalty obtained against a covered entity or
service provider, or any other monetary relief ordered
to be paid by a covered entity or service provider to
provide redress, payment, compensation, or other relief
to individuals that cannot be located or the payment of
which would otherwise not be practicable, shall be
deposited into the Victims Relief Fund.
(C) Use of funds.--
(i) Use by commission.--Amounts in the
Victims Relief Fund shall be available to the
Commission, without fiscal year limitation, to
provide redress, payment, compensation, or
other monetary relief to individuals affected
by an act or practice for which relief has been
obtained under this Act.
(ii) Other permissible uses.--To the extent
that the individuals described in clause (i)
cannot be located or such redress, payments,
compensation, or other monetary relief are
otherwise not practicable, the Commission may
use such funds for the purpose of--
(I) funding the activities of the
Office of Business Mentorship
established under subsection (b); or
(II) engaging in technological
research that the Commission considers
necessary to enforce or administer this
Act.
SEC. 402. ENFORCEMENT BY STATES.
(a) Civil Action.--In any case in which the attorney general or State
Privacy Authority of a State has reason to believe that an interest of
the residents of that State has been, may be, or is adversely affected
by a violation of this Act or a regulation promulgated under this Act
by a covered entity or service provider, the attorney general or State
Privacy Authority may bring a civil action in the name of the State, or
as parens patriae on behalf of the residents of the State. Any such
action shall be brought exclusively in an appropriate Federal district
court of the United States to--
(1) enjoin such act or practice;
(2) enforce compliance with this Act or such regulation;
(3) obtain damages, civil penalties, restitution, or other
compensation on behalf of the residents of such State; or
(4) obtain reasonable attorneys' fees and other litigation
costs reasonably incurred.
(b) Rights of the Commission.--
(1) In general.--Except as provided in paragraph (2), the
attorney general or State Privacy Authority of a State shall
notify the Commission in writing prior to initiating a civil
action under subsection (a). Such notification shall include a
copy of the complaint to be filed to initiate such action. Upon
receiving such notification, the Commission may intervene in
such action as a matter of right pursuant to the Federal Rules
of Civil Procedure.
(2) Feasibility.--If the notification required by paragraph
(1) is not feasible, the attorney general or State Privacy
Authority shall notify the Commission immediately after
initiating the civil action.
(c) Actions by the Commission.--In any case in which a civil action
is instituted by or on behalf of the Commission for violation of this
Act or a regulation promulgated under this Act, no attorney general or
State Privacy Authority of a State may, during the pendency of such
action, institute a civil action against any defendant named in the
complaint in the action instituted by or on behalf of the Commission
for a violation of this Act or a regulation promulgated under this Act
that is alleged in such complaint, if such complaint alleges such
violation affected the residents of such State or individuals
nationwide. If the Commission brings a civil action against a covered
entity or service provider for a violation of this Act or a regulation
promulgated under this Act that affects the interests of the residents
of a State, the attorney general or State Privacy Authority of such
State may intervene in such action as a matter of right pursuant to the
Federal Rules of Civil Procedure.
(d) Rule of Construction.--Nothing in this section may be construed
to prevent the attorney general or State Privacy Authority of a State
from exercising the powers conferred on the attorney general or State
Privacy Authority to conduct investigations, to administer oaths or
affirmations, or to compel the attendance of witnesses or the
production of documentary or other evidence.
(e) Preservation of State Powers.--Except as provided in subsection
(c), nothing in this section may be construed as altering, limiting, or
affecting the authority of the attorney general or State Privacy
Authority of a State to--
(1) bring an action or other regulatory proceeding arising
solely under the law in effect in the State that is preempted
by this Act or under another applicable Federal law; or
(2) exercise the powers conferred on the attorney general or
State Privacy Authority by the laws of the State, including the
ability to conduct investigations, administer oaths or
affirmations, or compel the attendance of witnesses or the
production of documentary or other evidence.
SEC. 403. ENFORCEMENT BY PERSONS.
(a) Enforcement by Persons.--
(1) In general.--Beginning on the date that is 2 years after
the date on which this Act takes effect, any person or class of
persons for a violation of this Act or a regulation promulgated
under this Act by a covered entity or service provider may
bring a civil action against such entity in any Federal court
of competent jurisdiction.
(2) Relief.--In a civil action brought under paragraph (1) in
which a plaintiff prevails, the court may award the plaintiff--
(A) an amount equal to the sum of any compensatory
damages;
(B) injunctive relief;
(C) declaratory relief; and
(D) reasonable attorney's fees and litigation costs.
(3) Rights of the commission and state attorneys general.--
(A) In general.--Prior to a person bringing a civil
action under paragraph (1), such person shall notify
the Commission and the attorney general of the State
where such person resides in writing that such person
intends to bring a civil action under such paragraph.
Upon receiving such notice, the Commission and State
attorney general shall each or jointly make a
determination and respond to such person not later than
60 days after receiving such notice, as to whether they
will intervene in such action pursuant to the Federal
Rules of Civil Procedure. If a state attorney general
does intervene, they shall only be heard with respect
to the interests of the residents of their State
(B) Retained authority.--Subparagraph (A) may not be
construed to limit the authority of the Commission or
any applicable State attorney general or State Privacy
Authority to later commence a proceeding or civil
action or intervene by motion if the Commission or
State attorney general or State Privacy Authority does
not commence a proceeding or civil action within the
60-day period.
(C) Bad faith.--Any written communication from
counsel for an aggrieved party to a covered entity or
service provider requesting a monetary payment from
that covered entity or service provider regarding a
specific claim described in a letter sent pursuant to
subsection (d), not including filings in court
proceedings, arbitrations, mediations, judgment
collection processes, or other communications related
to previously initiated litigation or arbitrations,
shall be considered to have been sent in bad faith and
shall be unlawful as defined in this Act, if the
written communication was sent prior to the date that
is 60 days after either a State attorney general or the
Commission has received the notice required under
subparagraph (A).
(4) FTC study.--Beginning on the date that is 5 years after
the date of enactment of this Act and every 5 years thereafter,
the Commission's Bureau of Economics and Bureau of Privacy
shall assist the Commission in conducting a study to determine
the economic impacts in the United States of demand letters
sent pursuant to this section and the scope of the rights of a
person under this section to bring forth civil actions against
covered entities and service providers. Such study shall
include the following:
(A) The impact on insurance rates in the United
States.
(B) The impact on the ability of covered entities to
offer new products or services.
(C) The impact on the creation and growth of new
startup companies, including new technology companies.
(D) Any emerging risks, benefits, and long-term
trends in relevant marketplaces, supply chains, and
labor availability.
(E) The impact on reducing, preventing, or
remediating harms to individuals, including from fraud,
identity theft, spam, discrimination, defective
products, and violations of rights.
(F) The impact on the volume and severity of data
security incidents, and the ability to respond to data
security incidents.
(G) Other intangible direct and indirect costs and
benefits to individuals.
(5) Report to congress.--Not later than 5 years after the
first day on which persons and classes of persons are able to
bring civil actions under this subsection, and annually
thereafter, the Commission shall submit to the Committee on
Energy and Commerce of the House of Representatives and the
Committee on Commerce, Science, and Transportation of the
Senate a report that contains the results of the study
conducted under paragraph (4).
(b) Arbitration Agreements and Pre-dispute Joint Action Waivers.--
(1) Pre-dispute arbitration agreements.--
(A) Notwithstanding any other provision of law, no
pre-dispute arbitration agreement with respect to an
individual under the age of 18 is enforceable with
regard to a dispute arising under this Act.
(B) Notwithstanding any other provision of law, no
pre-dispute arbitration agreement is enforceable with
regard to a dispute arising under this Act concerning a
claim related to gender or partner-based violence or
physical harm.
(2) Pre-dispute joint-action waivers.--Notwithstanding any
other provision of law, no pre-dispute joint-action waiver with
respect to an individual under the age of 18 is enforceable
with regard to a dispute arising under this Act.
(3) Definitions.--For purposes of this subsection:
(A) Pre-dispute arbitration agreement.--The term
``pre-dispute arbitration agreement'' means any
agreement to arbitrate a dispute that has not arisen at
the time of the making of the agreement.
(B) Pre-dispute joint-action waiver.--The term ``pre-
dispute joint-action waiver'' means an agreement,
whether or not part of a pre-dispute arbitration
agreement, that would prohibit or waive the right of 1
of the parties to the agreement to participate in a
joint, class, or collective action in a judicial,
arbitral, administrative, or other related forum,
concerning a dispute that has not yet arisen at the
time of the making of the agreement.
(c) Right to Cure.--
(1) Notice.--Subject to paragraph (3), with respect to a
claim under this section for--
(A) injunctive relief; or
(B) an action against a covered entity or service
provider that meets the requirements of section 209 of
this Act, such claim may be brought by a person or
class of persons if--prior to asserting such claim--the
person or class or persons provides to the covered
entity or service provider 45 days' written notice
identifying the specific provisions of this Act the
person or class of persons alleges have been or are
being violated.
(2) Effect of cure.--Subject to paragraph (3), in the event a
cure is possible, if within the 45 days the covered entity or
service provider demonstrates to the court that it has cured
the noticed violation or violations and provides the person or
class of persons an express written statement that the
violation or violations has been cured and that no further
violations shall occur, a claim for injunctive relief shall not
be permitted and may be reasonably dismissed.
(3) Rule of construction.--The notice described in paragraph
(1) and the reasonable dismissal in paragraph (2) shall not
apply more than once to any alleged underlying violation by the
same covered entity.
(d) Demand Letter.--If a person or a identified members of a class of
persons represented by counsel in regard to an alleged violation or
violations of the Act and has correspondence sent to a covered entity
or service provider by counsel alleging a violation or violations of
the provisions of this Act and requests a monetary payment, such
correspondence shall include the following language: ``Please visit the
website of the Federal Trade Commission for a general description of
your rights under the American Data Privacy and Protection Act''
followed by a hyperlink to the webpage of the Commission required under
section 201. If such correspondence does not include such language and
hyperlink, a civil action brought under this section by such person or
identified members of the class of persons represented by counsel may
be dismissed without prejudice and shall not be reinstated until such
person or persons has complied with this subsection.
(e) Applicability.--
(1) In general.--This section shall only apply to a claim
alleging a violation of section 102, 104, 202, 203, 204,
205(a), 205(b), 206(b)(3)(C), 207(a), 208(a), or 302, or a
regulation promulgated under any such section.
(2) Exception.--This section shall not apply to any claim
against a covered entity that has less than $25,000,000 per
year in revenue, collects, processes, or transfers the covered
data of fewer than 50,000 individuals, and derives less than 50
percent of its revenue from transferring covered data.
SEC. 404. RELATIONSHIP TO FEDERAL AND STATE LAWS.
(a) Federal Law Preservation.--
(1) In general.--Nothing in this Act or a regulation
promulgated under this Act may be construed to limit--
(A) the authority of the Commission, or any other
Executive agency, under any other provision of law;
(B) any requirement for a common carrier subject to
section 64.2011 of title 47, Code of Federal
Regulations (or any successor regulation) regarding
information security breaches; or
(C) any other provision of Federal law, except as
otherwise provided in this Act.
(2) Antitrust savings clause.--
(A) Full application of the antitrust law.--Nothing
in this Act may be construed to modify, impair or
supersede the operation of the antitrust law or any
other provision of law.
(B) No immunity from the antitrust law.--Nothing in
the regulatory regime adopted by this Act shall be
construed as operating to limit any law deterring
anticompetitive conduct or diminishing the need for
full application of the antitrust law. Nothing in this
Act explicitly or implicitly precludes the application
of the antitrust law.
(C) Definition of antitrust law.--For purposes of
this section, the term antitrust law has the same
meaning as in subsection (a) of the first section of
the Clayton Act (15 U.S.C. 12), except that such term
includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that such section 5
applies to unfair methods of competition.
(3) Applicability of other privacy requirements.--A covered
entity that is required to comply with title V of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational
Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34,
Code of Federal Regulations) to the extent such covered entity
is a school as defined in 20 U.S.C. 1232g(a)(3) or 34 C.F.R.
99.1(a), section 444 of the General Education Provisions Act
(commonly known as the ``Family Educational Rights and Privacy
Act of 1974'') (20 U.S.C. 1232g) and part 99 of title 34, Code
of Federal Regulations (or any successor regulation), the
Confidentiality of Alcohol and Drug Abuse Patient Records at 42
U.S.C. 290dd-2 and its implementing regulations at 42 CFR part
2, the Genetic Information Non-discrimination Act (GINA), or
the regulations promulgated pursuant to section 264(c) of the
Health Insurance Portability and Accountability Act of 1996 (42
U.S.C. 1320d-2 note), and is in compliance with the data
privacy requirements of such regulations, part, title, or Act
(as applicable), shall be deemed to be in compliance with the
related requirements of this Act, except for section 208,
solely and exclusively with respect to data subject to the
requirements of such regulations, part, title, or Act. Not
later than 1 year after the date of enactment of this Act, the
Commission shall issue guidance describing the implementation
of this paragraph.
(4) Applicability of other data security requirements.--A
covered entity that is required to comply with title V of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), or the regulations
promulgated pursuant to section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
note), and is in compliance with the information security
requirements of such regulations, part, title, or Act (as
applicable), shall be deemed to be in compliance with the
requirements of section 208, solely and exclusively with
respect to data subject to the requirements of such
regulations, part, title, or Act. Not later than 1 year after
the date of enactment of this Act, the Commission shall issue
guidance describing the implementation of this paragraph.
(b) Preemption of State Laws.--
(1) In general.--No State or political subdivision of a State
may adopt, maintain, enforce, prescribe, or continue in effect
any law, regulation, rule, standard, requirement, or other
provision having the force and effect of law of any State, or
political subdivision of a State, covered by the provisions of
this Act, or a rule, regulation, or requirement promulgated
under this Act.
(2) State law preservation.--Paragraph (1) may not be
construed to preempt, displace, or supplant the following State
laws, rules, regulations, or requirements:
(A) Consumer protection laws of general
applicability, such as laws regulating deceptive,
unfair, or unconscionable practices, except that the
fact of a violation of this Act or a regulation
promulgated under this Act may not be pleaded as an
element of any violation of such a law.
(B) Civil rights laws.
(C) Provisions of laws, in so far as, that govern the
privacy rights or other protections of employees,
employee information, students, or student information.
(D) Laws that address notification requirements in
the event of a data breach.
(E) Contract or tort law.
(F) Criminal laws.
(G) Civil laws governing fraud, theft (including
identity theft), unauthorized access to information or
electronic devices, unauthorized use of information,
malicious behavior, or similar provisions of law.
(H) Civil laws regarding cyberstalking,
cyberbullying, nonconsensual pornography, sexual
harassment, child abuse material, child pornography,
child abduction or attempted child abduction, coercion
or enticement of a child for sexual activity, or child
sex trafficking.
(I) Public safety or sector specific laws unrelated
to privacy or security.
(J) Provisions of law, insofar as such provisions
address public records, criminal justice information
systems, arrest records, mug shots, conviction records,
or non-conviction records.
(K) Provisions of law, insofar as such provisions
address banking records, financial records, tax
records, Social Security numbers, credit cards,
consumer and credit reporting and investigations,
credit repair, credit clinics, or check-cashing
services.
(L) Provisions of law, insofar as such provisions
address facial recognition or facial recognition
technologies, electronic surveillance, wiretapping, or
telephone monitoring.
(M) The Biometric Information Privacy Act (740 ICLS
14 et seq.) and the Genetic Information Privacy Act
(410 ILCS 513 et seq.).
(N) Provisions of laws, in so far as, such provisions
to address unsolicited email or text messages,
telephone solicitation, or caller identification.
(O) Provisions of laws, in so far as, such provisions
address health information, medical information,
medical records, HIV status, or HIV testing.
(P) Provisions of laws, in so far as, such provisions
pertain to public health activities, reporting, data,
or services.
(Q) Provisions of law, insofar as such provisions
address the confidentiality of library records.
(R) Section 1798.150 of the California Civil Code (as
amended on November 3, 2020 by initiative Proposition
24, Section 16).
(S) Laws pertaining to the use of encryption as a
means of providing data security.
(3) CPPA enforcement.--Notwithstanding any other provisions
of law, the California Privacy Protection Agency established
under 1798.199.10(a) of the California Privacy Rights Act may
enforce this Act, in the same manner, it would otherwise
enforce the California Consumer Privacy Act, Section 1798.1050
et. seq.
(4) Nonapplication of fcc privacy laws and regulations to
certain covered entities.--Notwithstanding any other provision
of law, sections 222, 338(i), and 631 of the Communications Act
of 1934 (47 U.S.C. 222; 338(i); 551), and any regulations and
orders promulgated by the Federal Communications Commission
under any such section, do not apply to any covered entity with
respect to the collection, processing, transfer, or security of
covered data or its equivalent, and the related privacy and
data security activities of a covered entity that would
otherwise be regulated under such sections shall be governed
exclusively by the provisions of this Act, except for--
(A) any emergency services, as defined in section 7
of the Wireless Communications and Public Safety Act of
1999 (47 U.S.C. 615b);
(B) subsections (b) and (g) of section 222 of the
Communications Act of 1934 (47 U.S.C. 222); and
(C) any obligation of an international treaty related
to the exchange of traffic implemented and enforced by
the Federal Communications Commission.
(c) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this Act, nor any amendment, standard, rule,
requirement, assessment, or regulation promulgated under this Act, may
be construed to preempt, displace, or supplant any Federal or State
common law rights or remedies, or any statute creating a remedy for
civil relief, including any cause of action for personal injury,
wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of the
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law.
SEC. 405. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act, and
the application of such provision to other persons not similarly
situated or to other circumstances, shall not be affected by the
invalidation.
SEC. 406. COPPA.
(a) In General.--Nothing in this Act may be construed to relieve or
change any obligation that a covered entity or other person may have
under the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.).
(b) Updated Regulations.--Not later than 180 days after the date of
enactment of this Act, the Commission shall amend its rules issued
pursuant to the regulations promulgated by the Commission under the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et
seq.) to make reference to the additional requirements placed on
covered entities under this Act, in addition to the requirements under
the Children's Online Privacy Protection Act of 1998 that may already
apply to certain covered entities.
SEC. 407. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Commission such sums
as may be necessary to carry out this Act.
SEC. 408. EFFECTIVE DATE.
This Act shall take effect on the date that is 180 days after the
date of enactment of this Act.
I. PURPOSE AND SUMMARY
H.R. 8152, the ``American Data Privacy and Protection
Act,'' establishes a preemptive national consumer privacy and
data security framework built around limitations for
collecting, processing, and transferring individuals'
information, obligations for covered entities and service
providers, and providing individuals with control with respect
to their personal information. Certain covered data is
considered sensitive and subject to additional restrictions and
there are further protections for minors under 17 years old.
Covered entities may not use covered data in any manner that
discriminates or makes unavailable the equal enjoyment of goods
or services on the basis of protected classes. Large businesses
are subject to additional requirements while small and midsize
businesses are exempted from certain provisions and eligible to
participate in certain technical compliance programs. The
Federal Trade Commission (FTC) is the primary federal regulator
tasked with administration. H.R. 8152 provides for federal,
state, and private enforcement.
II. BACKGROUND AND NEED FOR LEGISLATION
Advances in modern technologies have created unparalleled
advances in consumer goods and services, and the level and
detail of personal information entities now collect has
followed suit. Accordingly, the lack of a national consumer
privacy and data security standard is more pronounced in this
increasingly digital world. One 2021 study showed that 70
percent of companies increased their collection of personal
consumer data despite 86 percent of consumers citing data
privacy as a growing concern.\1\
---------------------------------------------------------------------------
\1\KPMG, Corporate Data Responsibility: Bridging the Consumer Trust
Gap (Aug. 2021) (https://advisory.kpmg.us/articles/2021/bridging-the-
trust-chasm.html).
---------------------------------------------------------------------------
With the increase of data collection and skyrocketing value
of personal information, many countries have passed
comprehensive legislation to address privacy and data security.
For instance, in 2016, the European Union adopted the General
Data Protection Regulation (GDPR), in 2018, Brazil passed the
General Data Protection Law, and in 2021, the People's Republic
of China passed the Personal Information Protection Law. To
date, over 100 countries have their own version of a
comprehensive privacy and data security law, with many
incorporating requirements from the GDPR in the absence of a
U.S. law, such as Canada, the United Kingdom, and India. While
other countries have led in national laws protecting personal
information, the United States does not have a national
consumer privacy and data security standard.
Instead, the United States generally relies on sector-
specific privacy-related federal statutes that establish
varying degrees of privacy and data security protections,
impose different collection and use limitations on various
entities, and provide consumers with varying degrees of
individual rights.\2\ These laws include: the Health Insurance
Portability and Accountability Act, which protects information
collected by a health care provider, health plan, health care
clearinghouse, and the business associates of such entities;\3\
the Family Educational Rights and Privacy Act, which regulates
the collection of student data by public school officials and
those they designate;\4\ the Children's Online Privacy
Protection Act of 1998 (COPPA), which covers data for children
aged 12 and under with respect to online services directed to
children;\5\ the Genetic Information Nondiscrimination Act,
which prohibits misuse of genetic data in employment or
insurance decisions;\6\ and the Gramm-Leach-Bliley Act and the
Fair Credit Reporting Act, which apply to financial
institutions and credit reporting agencies.\7\
---------------------------------------------------------------------------
\2\Lindsey Barrett, Confiding in Con Men: U.S. Privacy Law, the
GDPR, and Information Fiduciaries, Seattle University Law Review (Apr.
9, 2019).
\3\Health Insurance Portability and Accountability Act, Pub. L. No.
104-191.
\4\20 U.S.C. Sec. 1232g.
\5\15 U.S.C. Sec. 6501, et seq.
\6\Genetic Information Nondiscrimination Act, Pub. L. No. 110-233.
\7\15 U.S.C. Sec. Sec. 6801-6809; 15 U.S.C. Sec. 1681 et seq.
---------------------------------------------------------------------------
Many different types of data and entities are not covered
by those or other sector-specific laws. To bridge those gaps,
Congress must pass a national, comprehensive consumer privacy
and data security law. To date, Americans have been forced to
rely on the FTC's unfair or deceptive acts or practices
authority under section 5 of the FTC Act.\8\
---------------------------------------------------------------------------
\8\15 U.S.C. Sec. 45.
---------------------------------------------------------------------------
The FTC authority is limited to cases in which: (i) the
agency can prove substantial, unavoidable injury from conduct
not outweighed by benefits to consumers or competition; or (ii)
companies fail to live up to their own promises regarding data
practices, regardless of whether such practices themselves are
harmful.\9\ There is no federal requirement for entities to
make any such promises.\10\
---------------------------------------------------------------------------
\9\Federal Trade Commission, FTC Report to Congress on Privacy and
Security (Sep. 13, 2021).
\10\Id.
---------------------------------------------------------------------------
The FTC is also limited in the relief it may obtain. The
agency lacks first-offense civil penalty authority outside of
very limited circumstances such as violations of regulations.
The Supreme Court unanimously held in April 2021 that the FTC
exceeded their authority and determined that the FTC may not
obtain monetary relief for consumers who have been harmed
solely by using the agency's authority under section 13(b) of
the FTC Act.\11\
---------------------------------------------------------------------------
\11\AMG Capital Mgmt., LLC v. FTC, 141 U.S. 1341 (2021).
---------------------------------------------------------------------------
A growing number of states have tried to fill the federal
consumer privacy and data security void by passing laws
addressing consumer privacy and data security protections,
including California, Virginia, Colorado, Utah, and
Connecticut. These state laws materially vary in their scope,
protections, obligations, and enforcement mechanisms.\12\
---------------------------------------------------------------------------
\12\Mayer Brown, Connecticut Passes Comprehensive Privacy Law:
Comparing to Other States, (www.mayerbrown.com/en/perspectives-events/
publications/2022/05/connecticut-passes-comprehensive-privacy-law-
comparing-to-other-state-privacy-laws) (May 11, 2022).
---------------------------------------------------------------------------
One consequence of the current state by state approach to
comprehensively regulating consumer privacy and data security
is that many entities do not have the resources or wherewithal
to comply with numerous state laws that have conflicting
requirements. One organization recently concluded that absent a
national consumer privacy law, the growing patchwork of state
consumer privacy laws may burden companies with multiple,
duplicative compliance costs. This organization estimates that
the out-of-state costs from every state passing a comprehensive
consumer privacy law could exceed $1 trillion over ten years,
with at least $200 billion hitting small businesses.\13\
---------------------------------------------------------------------------
\13\ Daniel Castro et al., The Looming Cost of a Patchwork of State
Privacy Laws, Information Technology and Innovation Foundation (ITIF),
(https://itif.org/publications/2022/01/24/looming-cost-patchwork-state-
privacy-laws/) (Jan. 24, 2022).
---------------------------------------------------------------------------
The lack of a national consumer privacy framework also
means that businesses may generally monitor themselves without
regulatory oversight and collect, use, share, or sell data
without meaningful limits on what is permitted. In many cases,
this includes an individual's most sensitive personal
information such as health information, precise geolocation
history, and government-issued identifiers like social security
numbers. Furthermore, once that data is in the hands of third
parties it may be further sold, combined, and used, often
without the individual's knowledge or consent.\14\
---------------------------------------------------------------------------
\14\The State of Consumer Data Privacy Laws in the US (and Why It
Matters), New York Times (Sept. 6, 2021).
---------------------------------------------------------------------------
Additionally, the sectoral approach to regulating data
privacy at the federal level does not provide national baseline
anti-discrimination protections regarding the use of personal
information. Although the Supreme Court has repeatedly affirmed
that individuals are entitled to protection of their privacy
regardless of changes in technology and that an individual's
personal information may not be used against them improperly,
these concerns persist.\15\ Federal law does not currently
extend prohibitions to all instances of collecting, processing,
or transferring covered data in any manner that discriminates
in the provision of goods and services on the basis of
protected classes in line with Supreme Court precedent.\16\
---------------------------------------------------------------------------
\15\See, e.g., Olmstead v. United States, 277 U.S. 471 (1928)
(Brandeis, J. dissenting); Katz v. United States, 389 U.S. 437 (1967);
Carpenter v. United States, 138 S. Ct. 2206 (2018); NAACP v. Alabama,
357 U.S. 449 (1958).
\16\See, e.g., Shelley v. Kramer, 334 U.S. 1 (1948); Havens Realty
Corp. v. Coleman, 455 U.S. 363 (1982); Pittsburgh Press Co. v.
Pittsburgh Commission on Human Relations, 413 U.S. 376 (1973); Lawrence
v. Texas, 539 U.S. 558 (2003); Bostock v. Clayton County, 140 S. Ct.
1731 (2020).
---------------------------------------------------------------------------
Online privacy harms are well-documented, including
unwanted observation from excessive data collection and
secondary use, discrimination, harms to children and teens from
manipulation and targeting, thwarted consumer expectations, and
more.\17\ Americans are increasingly concerned by the tradeoff
of providing their data in exchange for products and services,
with 73 percent now saying this is an ``unjustified use'' of
their information.\18\
---------------------------------------------------------------------------
\17\6 Examples of Online Privacy Violation, Cyber News (Apr. 15,
2020); Danielle Keats Citron & Daniel J. Solove, Privacy Harms, 102
Boston Univ. L. Rev. Online 793, 848 (2021)
\18\Americans Widely Distrust Facebook, TikTok and Instagram with
Their Data, Poll Finds, Washington Post (Dec. 22, 2021).
---------------------------------------------------------------------------
As more data is collected on individuals by more products
and services necessary for everyday life, Americans are subject
to more risks from bad actors seeking to abuse lax privacy and
data security regulation. As more data is collected by Big Tech
on individuals by more products and services necessary for
everyday life, Americans are subject to more risks. In the
absence of federal consumer privacy and data security laws,
that delineate best practices, Big Tech CEOs determine such
practices on their own. This has created an environment where
Big Tech also entices user's dependency on their platforms
through products like password managers and de facto identities
that follow users across the internet. As such products have
become essential to an individual's ability to access their
virtual lives, Big Tech's data collection and usage practices
have positioned them to scrape and benefit from vast troves of
personal information.\19\
---------------------------------------------------------------------------
\19\The Security Risks of Logging in With Facebook, Wired (Apr. 19,
2018).
---------------------------------------------------------------------------
The coronavirus disease of 2019 (COVID-19) pandemic
exacerbated these concerns, particularly for children. During
the pandemic, schools drastically increased the use of certain
technologies as tools to aid learning while children attended
school remotely, and one study found that 90 percent of these
remote learning tools recommended by schools tracked students
and sent their information to advertising companies.\20\
---------------------------------------------------------------------------
\20\Remote Learning Apps Shared Children's Data at a `Dizzying
Scale,' Washington Post (May 24, 2022).
---------------------------------------------------------------------------
As children were unable to return to school, many took
solace in social media platforms to interact with their
classmates and friends. Platforms that collect more and more
data in order to direct more content to increase children and
teen's activity have created a toxic environment for them. This
is particularly problematic for teen girls, who have been made
especially vulnerable as social media platforms use engagement
tools and algorithmically recommended content to emphasize body
image, leading to decreased self-worth, higher rates of
suicide, and other harmful mental health effects.\21\
---------------------------------------------------------------------------
\21\The Dangerous Experiment on Teen Girls, The Atlantic (Nov. 21,
2021).
---------------------------------------------------------------------------
Moreover, while algorithms aid many Americans in their
everyday lives, to advance these algorithms in a manner that
benefits all of society, algorithms need to be tested and
designed in ways that do not discriminate against individuals
unintentionally. For instance, a report has shown data can be
used in ways that disadvantages vulnerable communities and
targets people of color, frequently with regard to eligibility
for essential products and services such as home loans.\22\
Some companies have voluntarily created impact assessments to
test, measure, and better understand how their algorithms work
when deployed in the real world. However, many large companies,
including social media, continue to deploy algorithms that may
pose a consequential risk to many Americans, including but not
limited to risks based on race, color, religion, national
origin, sex, disability status, and political party
registration status. As such, it is important that these large
companies examine and better work to prevent such algorithms
from causing harm to users.
---------------------------------------------------------------------------
\22\See, e.g., Disparity in Home Lending Costs Minorities Millions,
Research Finds, CBS News (Nov. 15, 2019).
---------------------------------------------------------------------------
Data security is also essential to protect consumers. The
United States has recently seen a dramatic increase in
ransomware attacks, from both state-sponsored and rogue
international actors.\23\ In light of these attacks by bad
actors, legislation must also require businesses to ensure
competent data security practices and examine how to design and
implement reasonable policies for how they collect, process,
and transfer individuals' information across borders. Given
some of these intrusions have been associated with certain
foreign actors, it is important that legislation also requires
Americans to be notified when their data is accessible by
China, Russia, North Korea, and Iran. In examining different
ways to increase privacy protections, businesses may
incorporate emerging technologies into every level of their
data security practices like blockchain technology, which uses
mechanisms such as decentralized identities and zero-knowledge
proofs that enable information to be shared in ways that
maintain the privacy of individuals while allowing more
individual ownership over their data, as well as artificial
intelligence.
---------------------------------------------------------------------------
\23\See generally, Treasury Sanctions IRGC--Affiliated Cyber
Actions for Roles in Ransomware Activity, U.S. Department of Treasury
(Sept. 14, 2022), and, 2021 Trends Show Increase Globalized Threat of
Ransomware, Cybersecurity & Infrastructure Security Agency (Feb. 10,
2022).
---------------------------------------------------------------------------
American consumers overwhelmingly support federal privacy
and data security legislation.\24\ Over half of American adults
now say they have decided not to use a product or service due
to worries over the use of their data.\25\ According to one
recent poll examining provisions of H.R. 8152, 87 percent of
respondents supported banning the sale of individual data to
third parties without explicit consent, 86 percent supported
requiring that companies minimize the data they collect from
individuals, 86 percent supported increasing online data
privacy protections for children under 17, and 82 percent
supported a right for individuals to bring lawsuits if their
data privacy is violated.\26\
---------------------------------------------------------------------------
\24\See, e.g., Voters Overwhelmingly Back Major Provisions of
Proposed Federal Data Privacy Law, Morning Consult (June 15, 2022).
\25\Pew Research Center, Half of Americans Have Decided Not to Use
a Product or Service Because of Privacy Concerns (Apr. 14, 2020)
(www.pewresearch.org/fact-tank/2020/04/14/half-of-americans-have-
decided-not-to-use-a-product-or-service-because-of-privacy-concerns/).
\26\Id.
---------------------------------------------------------------------------
III. COMMITTEE HEARINGS
For the purposes of section 3(c) of rule XIII of the Rules
of the House of Representatives, the following hearings were
used to develop or consider H.R. 8152:
The Subcommittee on Digital Commerce and Consumer
Protection held an information hearing on November 1, 2017. The
hearing was entitled, ``Securing Consumers' Credit Data in the
Age of Digital Commerce.'' The Subcommittee received testimony
from:
Francis Creighton, President and CEO,
Consumer Data Industry Association;
James Norton, Adjunct Lecturer, Johns
Hopkins University Zanvyll Krieger School of Arts and
Sciences;
Anne P. Fortney, Esq., Partner Emeritus,
Hudson Cook; and
Bruce Schneier, Adjunct Lecturer in Public
Policy, Harvard.
The Subcommittee on Digital Commerce and Consumer
Protection held an informational hearing on June 14, 2018. The
hearing was entitled, ``Understanding the Digital Advertising
Ecosystem.'' The Subcommittee received testimony from:
Dr. Howard Beales, Professor of Strategic
Management and Public Policy, George Washington
University;
Rachel Glasser, Global Chief Privacy
Officer, Wunderman;
Michael Zaneis, President and CEO,
Trustworthy Accountability Group; and
Justin Brookman, Director, Privacy and
Technology Policy, Consumers Union.
The Subcommittee on Digital Commerce and Consumer
Protection held an informational hearing on Wednesday, July 18,
2018. The hearing was entitled, ``Oversight of the Federal
Trade Commission.'' The Subcommittee received testimony from:
The Honorable Joseph Simons, Chairman,
Federal Trade Commission
The Honorable Maureen Ohlhausen,
Commissioner, Federal Trade Commission;
The Honorable Noah Phillips, Commissioner,
Federal Trade Commission;
The Honorable Rohit Chopra, Commissioner,
Federal Trade Commission; and,
The Honorable Rebecca Slaughter,
Commissioner, Federal Trade Commission.
The Subcommittee on Consumer Protection and Commerce held
an informational hearing on February 26, 2019. The hearing was
entitled, ``Protecting Consumer Privacy in the Era of Big
Data.'' The Subcommittee received testimony from:
Roslyn Layton, Ph.D., Visiting Scholar,
American Enterprise Institute;
David Grimaldi, Executive Vice President for
Public Policy, IAB;
Denise Zheng, Vice President, Technology,
Innovation, Business Roundtable;
Brandi Collins, Senior Campaign Director,
Media, Democracy & Economic Justice, Color of Change;
and
Nuala O'Connor, President and CEO, Center
for Democracy & Technology.
The Subcommittee on Consumer Protection and Commerce held
an informational hearing on January 8, 2020. The hearing was
entitled, ``Americans at Risk: Manipulation and Deception in
the Digital Age.'' The Subcommittee received testimony from:
Monika Bickert, Head of Product Policy and
Counterterrorism, Facebook;
Joan Donovan, Ph.D., Research Director of
the Technology and Social Change Project, Shorenstein
Center on Media, Politics, and Public Policy, Harvard
Kennedy School;
Tristan Harris, Executive Director, Center
for Humane Technology; and
Justin (Gus) Hurwitz, Associate Professor of
Law, Director of the NU Governance and Technology
Center, University of Nebraska College of Law, Director
of Law & Economics Programs, International Center for
Law & Economics.
The Subcommittee on Consumer Protection and Commerce held
an informational hearing on March 11, 2021. The hearing was
entitled, ``Kids Online During COVID: Child Safety in an
Increasingly Digital Age.'' The Subcommittee received testimony
from:
Ariel Fox Johnson, Senior Counsel, Global
Policy, Common Sense Media;
Dr. Nusheen Ameenuddin, Chair, Council on
Communications and Media, American Academy of
Pediatrics; and
Corey A. DeAngelis, Director of School
Choice, Reason Foundation, Adjunct Scholar, Cato
Institute, Executive Director, Educational Freedom
Institute.
The Subcommittee on Consumer Protection and Commerce held a
legislative hearing on July 28, 2021. The hearing was entitled
``Transforming the FTC: Legislation to Modernize Consumer
Protection.'' The Subcommittee received testimony from:
The Honorable Lina Khan, Chair, Federal
Trade Commission;
The Honorable Noah Joshua Phillips,
Commissioner, Federal Trade Commission;
The Honorable Rohit Chopra, Commissioner,
Federal Trade Commission;
The Honorable Rebecca K. Slaughter,
Commissioner, Federal Trade Commission;
The Honorable Christine S. Wilson,
Commissioner, Federal Trade Commission;
David Vladeck, Professor of Law, Georgetown
University Law Center;
Sally Greenberg, Executive Director,
National Consumers League; and
Graham Dufault, Senior Director for Public
Policy, ACT The App Association.
The Subcommittee on Consumer Protection and Commerce held a
legislative hearing on June 14, 2022. The hearing was entitled,
``Protecting America's Consumers: Bipartisan Legislation to
Strengthen Data Privacy and Security.'' The Subcommittee
received testimony from the following witnesses:
Caitriona Fitzgerald, Deputy Director,
Electronic Privacy Information Center
David Brody, Managing Attorney, Digital
Justice Initiative, Lawyers' Committee for Civil Rights
Under Law;
Bertram Lee, Senior Policy Counsel, Data
Decision Making and Artificial Intelligence, Future of
Privacy Forum;
Jolina Cuaresma, Senior Counsel, Privacy &
Technology Policy, Common Sense Media;
John Miller, Senior Vice President of Policy
and General Counsel, Information Technology Industry
Council;
Graham Dufault, Senior Director for Public
Policy, ACT The App Association;
Doug Kantor, General Counsel, National
Association of Convenience Stores; and
The Honorable Maureen K. Ohlhausen, Co-
Chair, 21st Century Privacy Coalition.
IV. COMMITTEE CONSIDERATION
H.R. 8152, the ``American Data Privacy and Protection
Act'', was introduced on June 21, 2022, by Representatives
Pallone (D-NJ), Rodgers (R-WA), Schakowsky (D-IL), and
Bilirakis (R-FL) and was referred to the Committee on Energy
and Commerce. Subsequently, on June 22, 2021, the bill was
referred to the Subcommittee on Consumer Protection and
Commerce. A legislative hearing was held on June 14, 2022.
On June 23, 2022, the Subcommittee on Consumer Protection
and Commerce met in open markup session, pursuant to notice, to
consider H.R. 8152 and seven other bills. During consideration
of the bill, an amendment in the nature of a substitute (AINS),
offered by Representative Pallone, was agreed to by a voice
vote. Four amendments offered during consideration of the bill
were withdrawn. Upon conclusion of consideration of the bill,
the Subcommittee on Consumer Protection and Commerce agreed to
report the bill favorably to the full Committee, amended, by a
voice vote.
On July 20, 2022, the full Committee met in open markup
session, pursuant to notice, to consider H.R. 8152 and five
other bills. During consideration of the bill, an AINS, offered
by Representative Pallone, was agreed to by a voice vote. An
amendment to the AINS, offered by Representative Eshoo (D-CA),
was not agreed to by a roll call vote of 8 yeas to 48 nays. Six
amendments to the AINS were agreed to by a voice vote. Four
other amendments to the AINS offered during consideration of
the bill were withdrawn. Upon conclusion of consideration of
the bill, the full Committee agreed to a motion on final
passage offered by Representative Pallone, Chairman of the
Committee, to order H.R. 8152 reported favorably to the House,
amended, by a roll call vote of 53 yeas to 2 nays.
V. COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list each record vote
on the motion to report legislation and amendments thereto. The
Committee advises that there was two record votes taken on H.R.
8152, including a motion by Mr. Pallone ordering H.R. 8152
favorably reported to the House, amended. The motion on final
passage of the bill was approved by a record vote of 53 yeas to
2 nays. The following are the record votes taken during
Committee consideration, including the names of those members
voting for and against:
VI. OVERSIGHT FINDINGS
Pursuant to clause 3(c)(1) of rule XIII and clause 2(b)(1)
of rule X of the Rules of the House of Representatives, the
oversight findings and recommendations of the Committee are
reflected in the descriptive portion of the report.
VII. NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
Pursuant to 3(c)(2) of rule XIII of the Rules of the House
of Representatives, the Committee adopts as its own the
estimate of new budget authority, entitlement authority, or tax
expenditures or revenues contained in the cost estimate
prepared by the Director of the Congressional Budget Office
pursuant to section 402 of the Congressional Budget Act of
1974.
The Committee has requested but not received from the
Director of the Congressional Budget Office a statement as to
whether this bill contains any new budget authority, spending
authority, credit authority, or an increase or decrease in
revenues or tax expenditures.
VIII. FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
IX. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
Pursuant to clause 3(c)(4) of rule XIII, the general
performance goal or objective of this legislation is to
establish a preemptive national consumer privacy and data
security framework to protect consumer data by providing
individual rights related to their personal data, imposing
obligations on covered entities and service providers with
respect to the collection, processing, and transfer of such
data, prohibiting discrimination in providing goods and
services using personal information, and creating federal,
state, and individual enforcement mechanisms.
X. DUPLICATION OF FEDERAL PROGRAMS
Pursuant to clause 3(c)(5) of rule XIII, no provision of
H.R. 8152 is known to be duplicative of another Federal
program, including any program that was included in a report to
Congress pursuant to section 21 of Public Law 111-139 or the
most recent Catalog of Federal Domestic Assistance.
XI. COMMITTEE COST ESTIMATE
Pursuant to clause 3(d)(1) of rule XIII, the Committee
adopts as its own the cost estimate prepared by the Director of
the Congressional Budget Office pursuant to section 402 of the
Congressional Budget Act of 1974.
XII. EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS
Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the
Committee finds that H.R. 8152 contains no earmarks, limited
tax benefits, or limited tariff benefits.
XIII. ADVISORY COMMITTEE STATEMENT
No advisory committee within the meaning of section 5(b) of
the Federal Advisory Committee Act was created by this
legislation.
XIV. APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
XV. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title; table of contents
This section designates that the short title may be cited
as the ``American Data Privacy and Protection Act'' and
provides a table of contents.
Sec. 2. Definitions
This section defines terms used in the Act. Key definitions
are summarized below.
Subsection (9) defines ``covered entity'' to include any
entity that collects, processes, or transfers covered data and
is subject to the jurisdiction of the FTC, including
nonprofits, and telecommunications common carriers. Government
entities, service providers, and any congressionally designated
nonprofit, national resource center, and clearinghouse to
assist the public on missing and exploited child issues are
expressly excluded.
Subsection (29) defines ``service providers'' as persons or
entities that collect, process, or transfer covered data on
behalf of and at the direction of a covered entity or
government entity and receives covered data from or on behalf
of such an entity. This covered data is defined in subsection
(3) as ``service provider data'' and any service provider that
receives service provider data from another service provider is
treated as a service provider under the Act.
Subsection (36) defines ``third-party collecting entities''
as a subset of covered entities that for the prior 12-month
period derived more than 50 percent of all revenue from or
obtained revenue from processing or transferring the covered
data of more than five million individuals that the covered
entity did not collect directly from the individuals linked or
linkable to the covered data. The extent to which an entity is
acting as a service provider or is processing employee data
(defined in subsection 8(c)) is not included in determining
whether a covered entity is a third-party collecting entity.
Subsection (21) defines ``large data holders'' as covered
entities or service providers that in the most recent calendar
year had: (i) gross revenues of $250 million or more; and (ii)
collected, processed, or transferred covered data of over five
million individuals or devices and the sensitive covered data
of 200,000 individuals/devices in the most recent calendar
year, excluding log-in information, phone numbers, and email
addresses. Revenue for purposes of this definition with respect
to nonprofit entities is defined as total gross receipts
received in any form from all sources.
Subsection (35) defines ``third party'' as any person,
including a covered entity, that collects, processes, or
transfers covered data it did not collect directly from the
individual to whom the data pertains and is not a service
provider with respect to such data. Third parties do not
include entities related by common ownership or control as
defined in subsection (6) where a reasonable individual would
expect the entities to share information.
Subsection (8) defines ``covered data'' as information,
alone or in combination with other information, identifying,
linked, or reasonably linkable to an individual or device
linkable to an individual. This may include derived data
(defined in subsection (13)) and unique persistent identifiers
(defined in subsection (39)) but does not include de-identified
data (defined in subsection (12)), employee data (defined in
subsection (8)(c)), or publicly available information (defined
in subsection (27)). ``Employee'' is defined in subsection
(15).
Subsection (14) defines ``device'' as any electronic
equipment capable of collecting, processing, or transferring
covered data that is used by individuals.
Subsection (19) defines ``individual'' as any natural
person residing in the United States. Subsection (11) defines
``covered minor'' as any individual under the age of 17.
Subsection (28) defines ``sensitive covered data'' as a
subset of covered data categories that include: any information
related to covered minors; government-issued identifiers not
required to be displayed in public such as social security and
passport numbers; past, present, and future health, diagnosis,
disability, or treatment information; financial account, debit
card, and credit card numbers along with any access code,
password, or credentials; biometric information (defined in
subsection (3)); genetic information (defined in subsection
(18)); past or present precise geolocation information (defined
in subsection (24)); private communications such as voicemail,
email, text or information identifying parties to
communications; any account or device log-in credentials;
information revealing race, color, ethnicity, religion, or
union membership status, information revealing sexual behavior
that violates an individual's reasonable expectations on
disclosure; information revealing online activities over time
and across third party websites or online services; calendar,
address book, phone, text, photos, audio and video recordings
maintained for private use on a device; photos or videos of
naked or undergarment-clad private areas; and information
revealing video content requested by individuals using
consumer-generated TV, cable, or streaming media services.
Any other covered data collected, processed, or transferred
for the purpose of identifying sensitive covered data is also
considered sensitive. The FTC is granted rulemaking authority
under the Administrative Procedure Act (APA) to specify
additional categories of covered data within the sensitive
covered data definition where those categories require similar
protection as a result of new methods for collecting or
processing covered data.
Subsection (4) defines ``collect'' to mean acquiring
covered data by any means.
Subsection (25) defines ``process''' to mean conducting or
directing any operation or set of operations performed on or
otherwise handling covered data.
Subsection (38) defines ``transfer'' to mean disclosing,
making available, or licensing covered data by any means or in
any way.
Subsection (34) defines ``targeted advertising'' as
presenting to an individual, individuals, or device(s)
identified by a unique identifier an online advertisement that
is selected based on known or predicted preferences,
characteristics, or interests. It does not include responses to
an individual's specific request for information; contextual
advertising when an advertisement is displayed based on the
content of a webpage or online service; or processing of data
solely used for measuring or reporting advertising metrics.
Subsection (17) defines ``first party advertising or
marketing'' as such activities conducted by the first party
entity that operates a consumer-facing website or physical
location either (i) through direct communication with an
individual; or (ii) entirely within the first-party context.
Subsection (1) defines ``affirmative express consent'' to
provide the conditions necessary for covered entities and
service providers to obtain consent as required under the Act,
including prohibiting pretextual consent, preventing silence or
use of a product or service as consent, requiring reasonably
accessible means to consent, and prohibiting manipulative
designs or materially misleading representations to obtain
consent.
Subsection (7) defines ``covered algorithm'' as a
computational process that uses machine learning, natural
language processing, artificial intelligence techniques, or
other computational processing techniques of similar or greater
complexity, that makes a decision or facilitates human
decision-making with respect to covered data.
Subsection (20) defines ``knowledge'' using a tiered
approach in regard to covered minors based on the entity
involved. A knew or should have known standard applies to
``covered high-impact social media companies'' with platforms
primarily used by individuals for user-generated content, at
least $3 billion in annual revenue, and 300 million monthly
active users for 3 of the prior 12 months; a knew or acted in
``willful disregard'' of an individual's age standard applies
to all other large data holders, including service providers;
and an actual knowledge standard applies to all other covered
entities and service providers.
Subsection (32) defines ``state privacy authority'' as
either the chief consumer protection officer of a state or any
state consumer protection agency with expertise in data
protection, including the California Privacy Protection Agency
(CPPA).
TITLE I--DUTY OF LOYALTY
Sec. 101. Data minimization
Subsection (a) imposes a baseline duty on all covered
entities not to collect, process, or transfer covered data
beyond what is reasonably necessary and proportionate to
provide a particular requested product or service or to affect
a permitted purpose under subsection (b), regardless of any
consent or transparency requirements.
Subsection (b) sets out 17 enumerated permissible purposes
for which covered entities may collect, process, or transfer
covered data. If the use of covered data does not fit one of
these categories or is not covered by subsection (a) it is per
se prohibited. These permissible purposes include the use of
covered data to: complete transactions and routine
administrative, operational, or account-servicing activity such
as billing, delivery, storage, and accounting; with respect to
data previously collected in accordance with the act, perform
system maintenance, and related internal functions using
covered data already lawfully collected under the Act, develop,
maintain, repair, or enhance a product or service for which
such data was collected, to conduct internal research or
analytics to improve a product or service, to perform inventory
management or network management, protect against spam, or
debug or repair errors that impair the functionality of the
requested product or service; authenticate users; fulfill
warranties; prevent, detect, and respond to network and
physical security incidents; prevent, detect, and respond to
fraud, harassment, and illegal activity capable of direct harm;
comply with legal obligations and defend legal claims; prevent
death or serious injury; effectuate product recalls pursuant to
law; conduct public or peer-reviewed research meeting certain
requirements; deliver reasonably anticipated, non-advertising
communications; deliver communications at the direction of an
individual; transfer assets to a third party in merger,
acquisition, bankruptcy, or similar transaction after providing
notice and opportunity for withdrawing prior consent; ensure
data security and integrity pursuant to section 208; transfer
previously collected covered data in accordance with the Act to
a government entity provided it is not for consideration and
pursuant to statutory authorization to prevent, detect, or
protect against public safety incidents, natural disasters, or
national security incidents; with respect to previously
collected covered data providing first-party marketing of goods
and services provided by the covered entity to individuals 17
and older; and with respect to previously collected covered
data providing targeted advertising that otherwise complies
with the Act.
Subsection (c) requires the FTC to issue guidance to help
establish what is ``reasonably necessary and proportionate'' to
comply with this section taking into account specific
characteristics of the covered entity and its covered data
activities.
Subsection (d) prohibits covered entities and service
providers from engaging in deceptive advertising or marketing
of any product or service.
Sec. 102. Loyalty duties
Subsection (1) prohibits collecting, processing, or
transferring Social Security numbers except for credit
extension, authentication, fraud prevention, paying or
collecting taxes, enforcing contracts, or as required by law.
Subsection (2) requires any collection or processing of
sensitive covered data to be limited to what is strictly
necessary for specific products or services requested by
individuals or certain permitted purposes, which do not include
first-party marketing or targeted advertising purposes.
Subsection (3) prohibits the transfer of sensitive covered
data to third parties except (i) with affirmative express
consent; (ii) to comply with law; (iii) prevent imminent risk
of death or serious injury; (iv) transferring previously
collected covered data to a government entity provided it is
not for consideration and pursuant to statutory authorization
to prevent, detect, or protect against public safety incidents,
natural disasters, or national security incidents; (v)
transferring passwords for use across sites or accounts; (vi)
transferring genetic information for requested medical
diagnosis or treatment or research; or (vii) transferring
assets as described in section 101(b)(13).
Subsection (4) specifies that providers of broadcast
television services, cable services, satellite services,
streaming media services, or other non-consumer-generated video
programming services may only transfer covered data revealing
content or services requested by users with affirmative express
consent or pursuant to a permissible purpose in section
101(b)(1)-(15).
Sec. 103. Privacy by design
This section requires covered entities and service
providers to implement reasonable policies, practices, and
procedures for collecting, processing, and transferring covered
data including training, risk mitigation (including substantial
privacy risks), and compliance. These should correspond to the
entity's size, complexity, activities related to covered data,
the types and amount of covered data the entity engages with,
and the cost of implementation compared to the risks posed.
Privacy by design must also take into account the particular
privacy risks related to covered minors with heightened
requirements for entities not meeting the criteria for entities
defined in section 209.
The FTC must issue guidance on reasonable policies,
practices, and procedures under this section within one year of
enactment.
Sec. 104. Loyalty to individuals with respect to pricing
This section prohibits covered entities from retaliating
against an individual for exercising any rights guaranteed by
the Act, including denying goods or services, discriminating in
the price or rate for goods or services, or providing a
different level of quality of goods or services.
This prohibition does not prevent covered entities from
differentiating the price of or levels of services based on an
individual providing financial information necessarily
collected and used for payment when an individual specifically
requests a product. Covered entities are also not prevented
from offering bona fide loyalty programs that provide rewards,
premium features, discounts, or club card programs in exchange
for continued business on a voluntary basis. Covered entities
may also charge different prices based on individuals
exercising deletion rights under section 203(a)(3), provide
financial incentives for market research participation, and
decline to provide products or services where certain
collecting or processing of covered data is strictly necessary.
TITLE II--CONSUMER DATA RIGHTS
Sec. 201. Consumer awareness
Within 90 days of enactment, the FTC must publish a public
web page describing all provisions of the Act in plain
language, listed separately to help advise individuals and
covered entities of their rights and obligations under the Act.
The web page must be updated for changes in law. The
information must be published in the ten languages with the
most speakers in the United States.
Sec. 202. Transparency
Covered entities must provide individuals with privacy
policies detailing their data collection, processing, and
transfer activities in a readily available and understandable
manner.
Covered entities and service providers must have privacy
policies that include contact information, the affiliates of
the covered entity that it transfers covered data to, and the
purposes for each category of covered data the entity collects,
processes, and transfers. Covered entities and service
providers must specify the third-party collecting entities to
whom they transfer covered data and for what purposes. Privacy
policies must be provided in every covered language the entity
provides or carries out products/services under the policy and
in an accessible manner for individuals with disabilities.
Privacy policies must also state how individuals may
exercise their rights under the Act and how long the entity
intends to retain covered data. Privacy policies must be
provided in all languages in which covered entities conduct
business related to the covered data. Any material changes to a
covered entity's privacy policy requires the covered entity to
notify individuals and provide an opportunity to withdraw
consent before further processing the covered data of those
individuals. Covered entities and service providers must
specify whether any covered data they handle is accessible by
China, Russia, Iran, or North Korea.
Finally, large data holders must keep a log of publicly
available material changes to their policies for the prior ten
years after enactment of the Act and provide short-form notices
of their covered data practices pursuant to minimum
requirements established in FTC regulations issued in
accordance with the Administrative Procedure Act (APA).
Sec. 203. Individual data ownership and control
Subsection (a) establishes individual rights to access,
correct, delete, and port covered data that pertains to them.
The right to access includes obtaining covered data possessed
by the covered entity within 24 months preceding the request in
a human-readable and downloadable format that individuals may
understand without expertise; the categories of any other
entities their data was transferred to and the names of any
such third parties upon request; the categories of sources used
to collect any covered data; and the purposes for transferring
the data. The rights to correct and delete covered data also
require covered entities to notify other entities to whom
covered data was transferred of the corrected information or
desire to have the covered data deleted. To the extent
technologically feasible, individuals also have the right to
export their covered data in human-readable and a machine-
readable, interoperable, portable format.
Subsection (b) prevents the use of dark patterns or other
manipulative measures with the purpose or substantial effect of
impairing individual autonomy in exercising such a decision to
exercise any rights under this section.
Subsection (c) establishes staggered time limits for
covered entities to comply with requests based on the size of
the entity.
Subsection (d) allows for reasonable fees for the exercise
of the third and subsequent exercises of each of the rights
described in (a) within one 12-month period.
Subsection (e) states that covered entities are not
required to comply with individual requests under this section
where they are unable to verify the identity of the individual
making the request; reasonably believe the request would
interfere with a contract between the covered entity and
another individual; determine that completing the request would
require access to or correction of another individual's
sensitive covered data; reasonably believe the exercise of the
request would require the entity to engage in an unfair or
deceptive act or practice; or reasonably believe the request
would further fraud, support criminal activity, or the exercise
of the right presents a data security threat. Covered entities
may seek additional information for verification purposes.
These individual rights are subject to covered entities rights
to limited permissive exceptions for covered data use, such as
complying with law enforcement or judicial proceedings. Covered
entities must partially comply with requests where feasible.
Subsection (f) requires covered entities that are large
data holders to annually compile metrics of requests and
responses and disclose such metrics publicly.
Subsection (g) requires the FTC, not later than two years
after enactment, to promulgate APA regulations as necessary to
establish processes for compliance with this section, taking
into consideration various characteristics of different covered
entities and their activities with respect to covered data.
Subsection (h) requires covered entities facilitate
individual rights requests in all covered languages and in a
manner accessible to individuals with disabilities.
Sec. 204. Right to consent and object
Subsection (a) makes clear that the means to withdraw any
affirmative express consent must be as easy to execute as the
means to provide such consent.
Subsection (b) provides individuals with the right, subject
to limited exceptions in paragraphs (1)-(15) of section 101(b),
to object to the transfer of their covered data to a third
party and individuals must be provided the right to opt-out of
such transfers through a universal opt-out mechanism as
described in section 210.
Subsection (c) provides that covered entities and service
providers that directly deliver targeted advertising must,
prior to engaging in such advertising and at all times
thereafter, provide individuals with clear and conspicuous
means to opt out, abide by any such opt-out, and allow
individuals to opt-out of targeted advertising through a
universal opt-out mechanism as described in section 210.
Service providers and covered entities providing targeted
advertising must notify each other of the opt-out designation
as applicable.
Subsection (d) prevents the use of dark patterns or other
manipulative measures with the purpose or substantial effect of
impairing individual autonomy in exercising such a decision to
opt-out.
Sec. 205. Data protections for children and minors
Covered entities are subject to additional requirements for
covered data with respect to covered minors. Subsection (a)
prohibits targeted advertising to any individual that the
covered entity has knowledge is a covered minor.
Subsection (b) prohibits the transfer of covered data of
any individual that the covered entity has knowledge is a
covered minor to third parties without affirmative express
consent of the minor or a parent or guardian unless to transfer
data in order to submit information relating to child
victimization to law enforcement or to the nonprofit, national
resource center and clearinghouse designated to provide
assistance to victims, families, child-serving professionals,
and the general public on missing and exploited children.
Subsection (c) establishes a Youth Privacy and Marketing
Division within the privacy bureau at the FTC established under
section 401, which shall be responsible for addressing privacy
and marketing concerns with respect to children and minors. The
division must submit annual reports to Congress and hire staff
that includes experts in youth development, data protection,
digital advertising, and data analytics.
Subsection (d) requires the FTC Inspector General to submit
a report to Congress every two years analyzing the fairness and
effectiveness of the safe harbor provisions in COPPA. These
reports must be published on the FTC web site.
Sec. 206. Third-party collecting entities
Subsection (a) requires that all third-party collecting
entities place a clear and conspicuous, reasonably accessible
notice on their web site and/or mobile application informing
individuals they are a third-party collecting entity using
language specified by FTC regulations. The FTC must promulgate
such regulations in accordance with APA and require a link to
the third-party collecting entity registry described under
subsection (b).
Subsection (b) directs the FTC to establish a third-party
collecting registry. Third-party collecting entities that
process covered data of more than 5,000 individuals or devices
must annually register with the FTC. Registration includes
paying a $100 fee, providing information about the third-party
collecting entity's activities, providing contact information,
and creating a link to a website where individuals may exercise
their audit rights under this section.
The FTC must establish and maintain an online, public,
searchable registry of registered third-party collecting
entities that allows individuals to look up information on
third-party collecting entities, links to and contact
information of the third-party collecting entities, and a link
and mechanism by which individuals may submit a single request
to all registered third-party collecting entities to, within 30
days, have all covered data about them deleted and ensure no
further covered data collection related to them will take
place. The FTC must establish universal opt-out mechanism(s)
under section 210 to effectuate this right.
Subsection (c) imposes penalties on third-party collecting
entities for failing to register or provide the notice required
by this section, which include civil fines of $100 per day (up
to $10,000 per year) and any unpaid registration fees. Such
penalties come in addition to other enforcement and remedies in
the Act and do not limit additional enforcement.
Sec. 207. Civil rights and algorithms
Subsection (a) provides that covered entities and service
providers may not collect, process, or transfer covered data in
a manner that discriminates or otherwise makes unavailable the
equal enjoyment of goods and services on the basis of race,
color, religion, national origin, sex, or disability in line
with current Supreme Court precedent in prohibiting
discrimination on the basis of protected classes. This does not
prevent covered entities from diversifying an applicant,
participant, or customer pool.
Subsection (b) states that, as applicable, the FTC is
required to transmit any information it obtains regarding
potential discriminatory uses of covered data to federal
executive agencies with authority to initiate proceedings
related to such a violation. The FTC must submit annual reports
to Congress on the information it sends to these agencies under
this section and how that information relates to federal civil
rights laws.
Subsection (c) requires large data holders that use covered
algorithms to assess such algorithms that are used in a manner
that poses a consequential risk of harm to an individual or
group of individuals and submit annual algorithmic impact
assessments to the FTC. These assessments must in part describe
steps the entity has taken or will take to mitigate potential
harms from covered algorithms, including any harms specifically
related to covered minors or substantial privacy risks. These
assessments must also seek to mitigate algorithmic harms
related to advertising for housing, education, employment,
healthcare, insurance, or credit, access to or restrictions on
places of public accommodation, and any disparate impact on the
basis of an individual's race, color, religion, national
origin, sex, or disability status, or a disparate impact on the
basis of individuals' political party registration status.
Algorithmic evaluations are also required at the design
phase of a covered algorithm that is designed at least in part
in furtherance of a consequential decision, including any
training data that is used to develop such algorithm. The FTC
may not use any information received solely through these
required submissions for any purpose outside enforcing this act
and consent orders. Covered entities may redact and segregate
any trade secrets or other confidential or proprietary
information from public disclosure and the Commission shall
abide by their obligations in regard to such information.
The FTC must publish guidance regarding compliance with
this section. The FTC is also granted rulemaking authority in
accordance with APA to promulgate regulations establishing
processes for submitting algorithmic impact assessments and
excluding any covered algorithms it deems to present minimal
consequential risks of harm to individuals.
Finally, the FTC must, in consultation with the Department
of Commerce (DOC), conduct a study using its authority under
section 6(b) of the FTC Act to review the algorithmic impact
assessments received under this section and submit a report to
Congress containing the results of the study. Additional
reports are required three years after the initial submission
as well as whenever the FTC deems it necessary.
Sec. 208. Data security and protection of covered data
Subsection (a) requires covered entities and service
providers to implement and maintain data security practices and
procedures that protect and secure covered data against
unauthorized use and acquisition. In determining whether such
protections are reasonable, the FTC, state enforcement
authorities, and federal courts must consider the entity's
size, complexity, activities related to covered data, the types
and amount of covered data the entity engages with, the current
state of the art in administrative, technical, and physical
safeguards for protecting covered data, and the cost of
available tools.
Subsection (b) provides specific requirements certain
covered entities and service providers must meet in order to
assess vulnerabilities, take preventive and corrective action,
evaluate their systems, and for the retention and disposal of
covered data. Such covered entities and service providers must
also provide training to all employees with access to covered
data and designate an officer or employee to maintain and
implement their data security practices.
The FTC may promulgate regulations in accordance with APA
to establish processes for compliance with this section and
shall consult with the National Institute of Standards and
Technology when doing so.
Sec. 209. Small business protections
This section sets eligibility criteria and provides
exemptions for certain entities.
Subsection (a) states that any covered entity or service
that meets the requirements of subsection (b) will be: (i)
exempt from the data portability requirements in section
203(a)(4), the data security requirements in section 208(b)
with the exception of the data retention and disposal
provisions in section 208(b)(4), and section 301(c)
requirements; and (ii) may choose to delete, rather than
correct, an individual's covered data upon receiving a verified
request in section 203(a)(2).
Subsection (b) establishes that covered entities or service
providers that for the prior three years (or the entity's
existence if less than three years): (i) earned average gross
annual revenues of $41 million or less; (ii) did not collect or
process the covered data of 200,000 individuals in a year on
average (except for processing payments and deleting covered
data for requested products/services after 90 days, except when
necessary to investigate fraud or as consistent with a covered
entity's return policy); and (iii) did not derive more than
half their revenue from transferring covered data meet the
eligibility requirements.
Subsection (c) defines revenue for purposes of this section
with respect to nonprofit entities as total gross receipts
received in any form from all sources.
Sec. 210. Unified opt-out mechanisms
Subsection (a) provides that following public notice and
opportunity for comment, within 18 months of enactment of the
Act the FTC must establish or recognize one or more acceptable,
privacy-protective, centralized opt-out mechanisms to allow
individuals to exercise their rights to opt-out of covered data
transfers in section 204(b), targeted advertising in section
204(c) (except for first-party marketing to individuals 17 and
older), and the single request to all registered third-party
collecting entities to have all covered data about them deleted
and to refrain from further covered data collection as provided
in section 206(b)(3)(C). Such mechanisms may include global
privacy signals such as browser or device privacy settings,
other tools offered by covered entities or service providers,
or registries of identifiers.
Subsection (b) sets out six criteria the opt-out mechanisms
must meet that will ensure the mechanisms inform individuals of
their choices, represent freely given choices, are easy to use,
allow for authentication of requests, are made in any covered
language that the covered entity provides products or services
subject to the opt-out, and be reasonably accessible to those
with disabilities.
TITLE III--CORPORATE ACCOUNTABILITY
Sec. 301. Executive responsibility
Subsection (a) requires that an executive officer at all
large data holders annually certify that their company
maintains reasonable internal controls and reporting structures
for compliance with the Act in the manner specified by the FTC
through APA rulemaking.
Subsection (b) requires this certification must be based on
a review conducted by the certifying officers within 90 days of
submission.
Subsection (c) requires all covered entities or service
providers with more than 15 employees to designate one or more
privacy and data security officers who must implement privacy
and data security programs and ensure ongoing compliance with
the Act. Large data holders must also designate at least one of
these officers as the privacy protection officer to report
directly to the entity's highest official. That officer is
responsible for establishing processes, conducting regular
comprehensive audits, developing training and education
programs for employees, maintaining records, and serving as the
point of contact with enforcement authorities as related to the
privacy and security requirements of the Act.
Subsection (d) requires covered entities that are large
data holders to also conduct privacy impact assessments
weighing the benefits of its covered data practices against the
potential consequences to individual privacy on a biennial
basis and have them approved by the privacy protection officer.
In assessing the privacy risks, the large data holder may
include reviews of the means by which technologies, including
blockchain and distributed ledger technologies and other
emerging technologies, are used to secure personal information.
Subsection (e) requires all covered entities that are
neither large data holders nor meet the requirements of section
209 to conduct privacy impact assessments that weigh the
benefits of the covered entity's collecting, processing, and
transfer practices that may cause a substantial privacy risk
against the potential material adverse consequences of such
practices to individual privacy.
Sec. 302. Service providers and third parties
Subsection (a) outlines the obligations of service
providers. In so far as a person acts as a service provider, it
may only collect, process, or transfer service provider data
for the purposes directed by the covered entity or government
entity it received the data from as set out in the contract
required under subsection (b). Service providers may not
collect, process, or transfer service provider data if it has
actual knowledge the covered entity violated the Act with
respect to such data. Service providers must assist the covered
entities they provide services for in fulfilling requests by
individuals to exercise their rights under sections 203 and 204
of the Act by either providing appropriate technical measures
or fulfilling the requests. Service providers may only engage
other service providers as subcontractors after providing the
relevant covered entity with notice and pursuant to a written
contract extending all responsibilities to the subcontractor.
Service providers must also make certain information available
to covered entities, delete, or return covered data as
specified, abide by data protection and confidentiality
safeguards consistent with section 208, and allow for
reasonable assessments by the covered entity.
Subsection (b) provides that contracts between covered
entities and service providers must set out clear instructions
and cannot relieve any party of any requirement or liability
imposed under the Act. Combining service provider data with
other covered data is prohibited except for limited exceptions.
Service providers must retain copies of prior contracts with
covered entities required under this section.
Subsection (c) makes clear that determining whether a
person is acting as a covered entity or service provider with
respect to covered data is a fact-based, contextual
determination and sets out how liability may be apportioned for
violations of the Act.
Subsection (d) establishes that third parties cannot
process third party data beyond the processing purpose for
which a covered entity made a disclosure under section 202 and
in the case of non-sensitive data, the processing purpose for
which the covered entity made a disclosure pursuant to section
202(b)(4).
Subsection (e) establishes that covered entities and
service providers must conduct reasonable due diligence in
selecting service providers and deciding to transfer covered
data to third parties. The FTC must issue guidance to help
entities comply with this section, including to help alleviate
potentially unreasonable compliance burdens on small entities.
Sec. 303. Technical compliance programs
Subsection (a) provides that within three years of
enactment, the FTC must promulgate regulations under the APA to
establish processes for covered entities to submit technical
compliance programs for approval.
Subsection (b) outlines that such programs are to be
specific to particular technologies, products, services, or
methods used by a covered entity to collect, process, or
transfer covered data. Such programs will establish compliance
guidelines that meet or exceed the Act's requirements and be
publicly available to individuals whose data is processed by
participating entities.
Subsection (c) requires that any application for approval
or amendment of existing programs will be made public by the
FTC along with a request for public comment within 90 days.
Subsection (d) provides the opportunity for any final
action by the FTC on a request for approval, amendment, or
appeal of a technical compliance program to be appealed to a
Federal district court of the United States.
Subsection (e) requires that the FTC and state enforcement
authorities must consider a covered entity's history of
compliance with any approved program before bringing an
enforcement action against that entity and courts in private
litigation must consider such compliance when determining
liability or penalty. However, compliance with a program under
section 303 shall not impact any burden of proof or weight
given to evidence in any enforcement or judicial proceeding.
Nothing in this section shall provide any individual with
any right to seek discovery of any non-public FTC deliberations
or activities or impose any pleading requirement on the FTC.
Sec. 304. Commission approved guidelines
Non-third-party collecting entities that meet the criteria
in section 209 are eligible to participate in FTC approved
compliance guidelines for handling covered data. Applications
for approval must include how the guidelines will meet or
exceed the Act's requirements, the entities, or activities the
guidelines intend to cover, any covered entities known at the
time of submission who want to participate, and a description
of how entities will be independently assessed for compliance.
Compliance with any approved guidelines must be assessed by an
independent organization not associated with any covered entity
participant and that organization must be identified in the
application for approval.
Any application for approval will be made public by the FTC
along with a request for public comment within 90 days. The FTC
has one year from receipt to approve a submission. Applications
must include how regular review, validation, and enforcement by
the independent organization administering the guidelines will
take place, including any referral mechanism to the FTC, if
applicable. Material changes to the guidelines must also be
submitted for approval, which the FTC must respond to in
approve or deny within one year.
The FTC may withdraw approval at any time if it believes
the guidelines no longer meet or exceed the Act's requirements
or enforcement by the independent organizing administering the
guidelines is insufficient. The FTC must notify the
participating covered entities its basis for doing so,
beginning a 180-day timeline to cure the deficiency in the
guidelines and submit the proposed cure to the FTC for
approval. If the FTC finds the deficiency is cured, then it may
not withdraw approval of the guidelines.
An entity eligible to participate in approved guidelines
remains subject to enforcement and will be deemed in compliance
with the Act if it able to illustrate compliance with the
guidelines.
Sec. 305. Digital content forgeries
This section requires that within a year after enactment
and annually after that the Department of Commerce (DOC) must
publish a report on digital content forgeries. Such reports
will define, describe, and assess digital content forgeries,
including the methods to identify and take countermeasures
against them along with anything else determined appropriate by
the Secretary of Commerce or the Secretary's designee.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
Sec. 401. Enforcement by the Federal Trade Commission
Subsection (a) provides that the FTC must establish a new
bureau of privacy to carry out its authority under the Act that
is comparable to the current Bureaus of Consumer Protection and
Competition. That bureau must be fully operational within a
year of enactment and include an office of business mentorship
to assist covered entities with compliance as described in
subsection (b).
Subsection (c) specifies that violations of the Act will be
treated as violations of a rule defining an unfair or deceptive
act or practice under the FTC Act, meaning the FTC may obtain
civil penalties for initial and subsequent violations, among
other relief. The FTC may generally enforce the Act akin to any
other violation under the FTC Act, but it may not bring an
action under section 5(b) of the FTC Act to stop the same
conduct that it brings an enforcement against under this Act.
This section also establishes a relief fund for victims of
entities violating the Act. Any relief obtained enforcing the
Act under this section that cannot be provided directly to
harmed individuals will be deposited there and be available to
the FTC, without fiscal year limitation, to provide relief to
individuals harmed by violations under the Act. To the extent
money in the fund cannot be used to compensate harmed
individuals, the FTC may use funds for the office of business
mentorship or to engage in technological research.
Sec. 402. Enforcement by States
State Attorneys General and state privacy authorities may
bring civil actions in federal court for injunctive relief,
enforce compliance, to obtain damages, penalties, restitution,
or other compensation, and to obtain reasonable attorney's fees
and other litigation costs. The FTC retains the right to
intervene upon receiving required notice from state enforcement
officers and no state enforcement may occur once the FTC or its
deputy has initiated an enforcement action regarding that
conduct. States retain all of their existing investigatory,
regulatory, and administrative powers and rights to bring
enforcement actions arising under existing state law, including
bringing regulatory proceedings.
Sec. 403. Enforcement by persons
Subsection (a) allows private rights of actions by
individuals harmed under the Act. Starting two years after the
date the Act takes effect, persons or classes of persons may
generally bring a civil action in federal court seeking
compensatory damages, injunctive relief, declaratory relief,
and reasonable attorney's fees and litigation costs.
Prior to initiating a civil action, individuals must notify
the FTC and the attorney general of their state of residence of
their intent to bring such an action; those agencies then have
60 days to determine if they wish to intervene pursuant to the
Federal Rules of Civil Procedure. State intervention allows
state enforcement agencies to be heard with respect to the
interests of their state residents. Demands for monetary
payments sent to covered entities or service providers prior to
the end of this period or after one of the authorities has
opted to bring an action will be considered to be made in bad
faith. All demand letters must provide a statement and link to
the FTC website established by section 201 of the Act that
describes a covered entity's rights under the Act. Failure to
properly send demand letters under subsection (d) will result
in dismissal without prejudice.
The FTC's Bureau of Economics and Bureau of Privacy must
conduct annual studies beginning five years after enactment
regarding the impact of demand letters under the Act and report
these findings to Congress.
Subsection (b) prohibits covered entities and service
providers from enforcing pre-dispute arbitration agreements or
joint action waivers with respect to minors. Pre-dispute
arbitration agreements are also unenforceable for any claims
related to gender or partner-based violence or physical harm.
Subsection (c) provides a right to cure certain violations
by all covered entities and for any violation that meet the
requirements for small business under section 209. When
individuals advance claims of injunctive relief or claims of
any relief against such entities, those entities have a right
to cure the alleged deficiency. Covered entities and service
providers must be provided 45 days written notice identifying
specific provisions the entity allegedly violated. When an
entity successfully demonstrates to a court that a cure is
achieved and no further violations will occur, demands for
injunctive relief may be reasonably dismissed.
Subsection (e) states that the rights in this section
applies to claims alleging violations of sections 102, 104,
202, 203, 204, 205(a)-(b), 206(b)(3)(C), 207(a), 208(a), or 302
and any regulation promulgated under such sections. No private
suits may be brought against a covered entity with less than
$25 million in annual revenue that collects, processes, or
transfers the covered data of fewer than 50,000 individuals and
derives less than half its revenue from transferring covered
data.
Sec. 404. Relationship to Federal and State laws
Subsection (a) provides that existing federal law and the
authority of federal agencies is generally not limited except
where specified in the Act. Nothing in the Act limits antitrust
law in any way. Covered entities subject to and in compliance
with the related data privacy and security requirements of
certain specified federal laws shall be held to be in
compliance with the related laws of the Act solely and
exclusively to the extent that covered data is subject to the
requirements in the other laws. The FTC must issue guidance for
implementation of these provisions.
Subsection (b) provides that state laws covered by the
provisions of the Act are preempted, subject to a list of
specified state laws to be preserved. That list of laws or
provisions of law includes: generally applicable consumer
protection laws; civil rights laws; employee and student
privacy protections; data breach notification laws; contract
and tort law; criminal laws; civil laws regarding fraud, theft,
identity theft, unauthorized access to electronic devices, and
unauthorized use of personal information; laws on
cyberstalking, cyberbullying, nonconsensual pornography, sexual
harassment, and child abuse; unrelated public sector and safety
laws; provisions of laws solely addressing public records and
criminal justice information; provisions of laws solely
addressing bank, financial, and tax records, Social Security
numbers, credit cards, credit reporting, credit repair, credit
clinics, and check-cashing services; provisions of laws solely
addressing facial recognition, electronic surveillance,
wiretapping, and telephone monitoring; the Illinois Biometric
and Genetic Information Privacy Acts; provisions of laws solely
addressing unsolicited email, text messages, caller
identification, and phone calls; provisions of laws solely
addressing medical information, records, and HIV status or
testing; provisions of laws solely addressing public health;
provisions of law solely addressing the confidentiality of
library records; Section 1798.150 of the California Civil Code,
as amended; and laws pertaining to encryption as a means of
data security. State common law rights or remedies and statutes
creating remedies for civil relief are not preempted or
displaced by the Act, but violations of the Act shall not be
pleaded as an element of any such cause of action.
Sections 222, 338(i), and 631 of the Communications Act of
1934 and any related Federal Communications Commission (FCC)
orders or regulations shall not apply to covered entities with
respect to the collecting, processing, or transferring covered
data under the Act and the related privacy and data security of
such a covered entity will be governed exclusively by the Act
except for emergency services, subsections (b) and (g) of
section 222 of the Communications Act of 1934, and any
obligation of an international treaty related to the exchange
of traffic implemented and enforced by the FCC.
Sec. 405. Severability
This section provides that if any provision of the Act is
held invalid, the remainder of the Act will remain valid to the
furthest extent possible.
Sec. 406. COPPA
This section states that the Act does not relieve or change
existing obligations under COPPA and that within 180 days of
enactment the FTC must amend its existing COPPA rules to
reference additional requirements to covered entities under the
Act.
Sec. 407. Authorization of appropriations
This section authorizes the FTC to be appropriated the sums
necessary to carry out the Act.
Sec. 408. Effective date
This section specifies that the Act will take effect 180
days after the date of enactment.
XVI. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
There are no changes to existing law made by the bill H.R.
8152.