[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5703 Introduced in House (IH)]
<DOC>
116th CONGRESS
2d Session
H. R. 5703
To amend the Children's Online Privacy Protection Act of 1998 to update
and expand the coverage of such Act, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
January 29, 2020
Ms. Castor of Florida introduced the following bill; which was referred
to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To amend the Children's Online Privacy Protection Act of 1998 to update
and expand the coverage of such Act, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
This Act may be cited as the ``Protecting the Information of our
Vulnerable Children and Youth Act'' or the ``PRIVCY ACT''.
SEC. 2. DEFINITIONS.
Section 1302 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6501) is amended--
(1) in paragraph (1)--
(A) by inserting ``or `children''' after ``child'';
and
(B) by inserting ``or individuals, respectively,''
after ``individual'';
(2) by striking paragraph (10);
(3) by redesignating paragraphs (2) through (9) as
paragraphs (3) through (10), respectively;
(4) inserting after paragraph (1) the following:
``(2) Young consumer.--The term `young consumer' means an
individual over the age of 12 and under the age of 18.'';
(5) by amending paragraph (3) (as so redesignated) to read
as follows:
``(3) Covered entity.--The term `covered entity' means--
``(A) any organization, corporation, trust,
partnership, sole proprietorship, unincorporated
association, or venture over which the Commission has
authority pursuant to section 5(a)(2) of the Federal
Trade Commission Act (15 U.S.C. 45(a)(2));
``(B) notwithstanding section 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C. 45(a)(2)),
common carriers; and
``(C) notwithstanding sections 4 and 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C. 44 and
45(a)(2)), any nonprofit organization, including any
organization described in section 501(c) of the
Internal Revenue Code of 1986 that is exempt from
taxation under section 501(a) of the Internal Revenue
Code of 1986.'';
(6) by amending paragraph (5) (as so redesignated) to read
as follows:
``(5) Disclose.--The term `disclose' means to intentionally
or unintentionally release, transfer, sell, disseminate, share,
publish, lease, license, make available, allow access to, fail
to restrict access to, or otherwise communicate covered
information.'';
(7) by amending paragraph (9) (as so redesignated) to read
as follows:
``(9) Covered information.--The term `covered
information'--
``(A) means any information, linked or reasonably
linkable to a specific young consumer or child, or
consumer device of a young consumer or child;
``(B) may include--
``(i) a name, alias, home or other physical
address, online identifier, Internet Protocol
address, email address, account name, Social
Security number, physical characteristics or
description, telephone number, State
identification card number, driver's license
number, where applicable, passport number, or
other similar identifier;
``(ii) race, religion, sex, sexual
orientation, sexual behavior, familial status,
gender identity, disability, age, political
affiliation, or national origin;
``(iii) commercial information, including
records relating to personal property, products
or services purchased, obtained, or considered,
or other purchasing or consuming histories or
tendencies;
``(iv) biometric information;
``(v) Internet or other electronic network
activity information, including browsing
history, search history, and information
regarding a young consumer's or child's
interaction with an Internet website,
application, or advertisement;
``(vi) geolocation information;
``(vii) audio, electronic, visual, thermal,
olfactory, or similar information;
``(viii) education information;
``(ix) health information;
``(x) facial recognition information;
``(xi) contents of and parties to
information, including with respect to
electronic mail, text messages, picture
messages, voicemails, audio conversations, and
video conversations;
``(xii) financial information, including
bank account numbers, credit card numbers,
debit card numbers, or insurance policy
numbers, where applicable;
``(xiii) inferences drawn from any of the
information described in this paragraph to
create a profile about a young consumer or
child reflecting the young consumer's or
child's preferences, characteristics,
psychological trends, predispositions,
behavior, attitudes, intelligence, abilities,
and aptitudes; and
``(C) does not include--
``(i) information that is processed solely
for the purpose of employment of a young
consumer;
``(ii) de-identified information.'';
(8) by amending paragraph (10) (as so redesignated) to read
as follows:
``(10) Verifiable consent.--The term `verifiable consent'
means express, affirmative consent freely given by a young
consumer, or by the parent of a child, to the processing of
covered information of that young consumer or child,
respectively--
``(A) that is specific, informed, and unambiguous;
``(B) that is given separately for each process of
specific types of covered information;
``(C) where the young consumer or parent of a
child, as applicable, has not received any financial or
other incentive in exchange for such consent; and
``(D) that is given before any processing occurs,
at a time and in a context in which the young consumer
or parent of a child, as applicable, would reasonably
expect to make choices concerning such processing.'';
(9) by redesignating paragraphs (11) and (12) as paragraphs
(12) and (13), respectively; and
(10) by adding at the end the following:
``(14) Process.--The term `process' means any operation or
set of operations which is performed on covered information,
whether or not by automated means, including collecting,
creating, acquiring, disclosing, recording, deriving,
inferring, obtaining, assembling, organizing, structuring,
storing, retaining, adapting or altering, using, or retrieving
covered information.
``(15) De-identified information and related terms.--
``(A) The term `de-identified information' means
information that has been de-identified by a covered
entity, where the covered entity publicly discloses the
methods it uses to de-identify information.
``(B) The term `de-identify' means the removal of
identifying information from information such that the
information is not reasonably linkable to a specific
young consumer or child or consumer device of a young
consumer or child.
``(C) The term `re-identify' means to link
information that has been de-identified to a specific
young consumer or child or consumer device of a young
consumer or child.
``(16) State.--The term `State' means each of the several
States, the District of Columbia, each territory of the United
States, and each federally recognized Indian Tribe.
``(17) Service provider.--The term `service provider' means
a covered entity that processes covered information at the
direction of, and for the sole benefit of, another covered
entity, and--
``(A) is contractually or legally prohibited from
processing such covered information for any other
purpose; and
``(B) complies with all of the requirements of this
Act.''.
SEC. 3. UNFAIR OR DECEPTIVE ACTS OR PRACTICES.
Section 1303 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6502) is amended--
(1) in the section heading, by striking ``collection and
use of personal information from and about children on the
internet'' and inserting ``processing of covered information
from and about young consumers or children'';
(2) by amending subsection (a) to read as follows:
``(a) Acts Prohibited.--It is unlawful for a covered entity that
has actual or constructive knowledge that such covered entity is
processing covered information about a young consumer or child to
process such information in a manner that violates the regulations
prescribed under subsection (b).'';
(3) by amending subsection (b) to read as follows:
``(b) In General.--Not later than 1 year after the date of
enactment of the Protecting the Information of our Vulnerable Children
and Youth Act, the Commission shall, under section 553 of title 5,
United States Code, revise regulations issued under this Act prior to
such date of enactment and issue additional regulations as necessary
that implement the requirements and prohibitions set forth in
paragraphs (1) through (7). The Commission shall have the authority to
revise such regulations every 7 years or as it determines necessary due
to changes in or emerging technology.
``(1) Transparency.--Such regulations shall require a
covered entity to develop and make publicly available at all
times and in a machine-readable format, a privacy policy, in a
manner that is clear, easily understood, and written in plain
and concise language, that includes--
``(A) the categories of covered information that
the covered entity processes about young consumers and
children;
``(B) how and under what circumstances covered
information is collected directly from a young consumer
or child;
``(C) the categories and the sources of any covered
information processed by a covered entity that is not
collected directly from a young consumer or child;
``(D) a description of the purposes for which the
covered entity processes covered information,
including--
``(i) a description of whether and how the
covered entity customizes products or services,
or adjusts the prices of products or services
for young consumers or children or based in any
part on processing of covered information;
``(ii) a description of whether and how the
covered entity, or the covered entity's
affiliates or service providers, de-identifies
information, including the methods used to de-
identify such information; and
``(iii) a description of whether and how
the covered entity, or the covered entity's
affiliates or service providers, generates or
uses any consumer score to make decisions
concerning a young consumer or child, and the
source or sources of any such consumer score;
``(E) a description of how long and the
circumstances under which the covered entity retains
covered information;
``(F) a description of all of the purposes for
which the covered entity discloses covered information
with service providers and, on a biennial basis, the
categories of service providers;
``(G) a description of whether and for what
purposes the covered entity discloses information to
third parties;
``(H) whether a covered entity sells or otherwise
shares covered information with data brokers or
processes covered information for targeted advertising;
``(I) whether a covered entity collects covered
information about young consumers or children over time
and across different websites or mobile applications
when a young consumer or child uses the covered
entity's website or mobile application;
``(J) how a young consumer or a parent of a child
can exercise their rights to access, correct, and
delete such young consumer's or child's covered
information as set forth under paragraph (5);
``(K) how a young consumer or a parent of a child
can grant, withhold, or withdraw the consent required
under paragraph (2), including how to modify consent
for the processing of covered information, and the
consequences of withholding, withdrawing, or modifying
such consent;
``(L) the effective date of the notice; and
``(M) how the covered entity will communicate
material changes of the privacy policy to the young
consumer or the parent of a child.
``(2) Consent required.--
``(A) In general.--Such regulations shall require a
covered entity that has actual or constructive
knowledge that such covered entity is processing
covered information about a young consumer or child--
``(i) to provide clear and concise notice
to a young consumer or the parent of a child of
the items of covered information about such
young consumer or child, respectively, that is
processed by such covered entity and how such
covered entity processes such covered
information and obtain verifiable consent for
such processing; and
``(ii) if such covered entity determines,
including through constructive knowledge, that
such covered entity has not obtained verifiable
consent for the processing of covered
information about a young consumer or child,
to, not later than 48 hours after such
determination--
``(I) obtain verifiable consent; or
``(II) delete all covered
information about such young consumer
or child.
``(B) When consent not required.--Such regulations
shall provide that verifiable consent under this
paragraph is not required in the case of--
``(i) online contact information collected
from a young consumer or child that--
``(I) is used only to respond
directly on a one-time basis to a
specific request from the young
consumer or child;
``(II) is not used to re-contact
the young consumer or child; and
``(III) is not retained by the
covered entity after responding as
described in subclause (I);
``(ii) a request for the name or online
contact information of a young consumer or the
parent of a child that is used for the sole
purpose of obtaining verifiable consent or
providing notice under subparagraph (A)(i) and
where such information is not retained by the
covered entity if verifiable consent is not
obtained within 48 hours; or
``(iii) the processing of such information
by the covered entity is necessary--
``(I) to respond to judicial
process; or
``(II) to the extent permitted
under other provisions of law, to
provide information to law enforcement
agencies or for an investigation on a
matter related to public safety.
``(C) Withdrawal of consent.--Such regulations
shall further provide a young consumer or the parent of
a child, as applicable, a mechanism to withdraw his or
her consent at any time in a manner that is as easy as
the mechanism to give consent. Such withdrawal of
consent shall not be construed to affect the lawfulness
of any processing based on verifiable consent before
such withdrawal.
``(D) Prohibition on limiting or discontinuing
service.--Such regulations shall prohibit a covered
entity from refusing to provide a service, or
discontinuing a service provided, to a young consumer
or child, if the young consumer or parent of the child,
as applicable, refuses to consent, or withdraws
consent, to the processing of any covered information
not essential to the covered entity to provide such
service.
``(3) Retention of data.--
``(A) Retention limitations.--Subject to the
exceptions provided in subparagraph (B), such
regulations shall prohibit a covered entity from
keeping, retaining, or otherwise storing covered
information for longer than is reasonably necessary for
the purposes for which the covered information is
processed.
``(B) Exceptions.--Further retention of covered
information shall not be considered to be incompatible
with the purposes of processing described in
subparagraph (A) if such processing is necessary and
done solely for the purposes of--
``(i) compliance with laws, regulations, or
other legal obligations;
``(ii) preventing risks to the health or
safety of a child or young adults or groups of
children or young adults; or
``(iii) repairing errors that impair
existing functionality.
``(4) Limitation on disclosing covered information to third
parties.--
``(A) Disclosures.--Such regulations shall prohibit
a covered entity from disclosing covered information to
a third party unless the covered entity has a written
agreement with such third party that--
``(i) specifies all of the purposes for
which the third party may process the covered
information for which the covered entity has
verifiable consent;
``(ii) prohibits the third party from
processing covered information for any purpose
other than the purposes specified under clause
(i); and
``(iii) requires the third party to provide
at least the same privacy and security
protections as the covered entity; or
``(B) Responsibilities of covered entities
regarding third parties.--Such regulations shall
require a covered entity--
``(i) to perform reasonable due diligence
in selecting any third party to enter into an
agreement under subparagraph (A) and to
exercise reasonable oversight over all such
third parties to assure compliance with the
requirements of this Act; and
``(ii) if the covered entity has actual or
constructive knowledge that a third party has
violated the agreement described in
subparagraph (A) to--
``(I) to the extent practicable,
promptly take steps to ensure
compliance with such agreement; and
``(II) promptly report to the
Commission that such a violation
occurred.
``(5) Right to access, correct, and delete covered
information.--
``(A) Access.--Such regulations shall require a
covered entity, upon request of a young consumer or the
parent of a child and after proper identification of
such young consumer or parent, to promptly provide to
such young consumer or parent, as applicable--
``(i) access to all covered information
pertaining to such young consumer or child
including a description of--
``(I) each type of covered
information processed by the covered
entity pertaining to the young consumer
or child, as applicable;
``(II) each purpose for which the
covered entity processes each category
of covered information pertaining to
the young consumer or child, as
applicable;
``(III) the names of each third
party to which the covered entity
disclosed the covered information;
``(IV) each source other than the
young consumer or child, as applicable,
from which the covered entity obtained
covered information pertaining to that
young consumer or child, as applicable;
``(V) how long the covered
information will be retained or stored
by the covered entity and, if not
known, the criteria the covered entity
uses to determine how long the covered
information will be retained or stored
by the covered entity; and
``(VI) with respect to any consumer
score of the young consumer or child,
as applicable, processed by the covered
entity, of--
``(aa) how such consumer
score is used by the covered
entity to make decisions with
respect to that young consumer
or child, as applicable; and
``(bb) the source that
created the consumer score if
not created by the covered
entity; and
``(ii) a simple and reasonable mechanism by
which a young consumer or parent of a child may
request access to the information described
under clause (i), as applicable.
``(B) Deletion.--Such regulations shall require a
covered entity, subject to the exceptions established
under subparagraph (D)--
``(i) to establish a simple and reasonable
mechanism by which a young consumer or parent
of a child with respect to whom the covered
entity processes covered information may
request the covered entity to delete any
covered information (or any component thereof);
and
``(ii) to delete such covered information
not later than 45 days after receiving such
request.
``(C) Correction.--Such regulations shall require a
covered entity, subject to the exceptions established
under subparagraph (D)--
``(i) to provide each young consumer or
parent of a child with respect to whom the
covered entity processes covered information,
as applicable, a simple and reasonable
mechanism by which that young consumer or
parent may submit a request to the entity--
``(I) to dispute the accuracy or
completeness of that covered
information, or part or component
thereof; and
``(II) to request that such covered
information, or part or component
thereof, be corrected for accuracy or
completeness; and
``(ii) not later than 45 days after
receiving a request under clause (i)--
``(I) to determine whether the
covered information disputed or
requested to be corrected is inaccurate
or incomplete; and
``(II) to correct the accuracy or
completeness of any covered information
determined by the covered entity to be
inaccurate or incomplete.
``(D) Exceptions.--Such regulations shall permit a
covered entity to deny a request made under
subparagraphs (A), (B), or (C) if--
``(i) the covered entity is unable to
verify the identity of the young consumer or
parent of a child making the request after
making a reasonable effort to verify the
identity of such young consumer or parent; or
``(ii) with respect to the request made,
the covered entity determines that--
``(I) the entity is limited from
doing so by law, legally recognized
privilege, or other legal obligation;
or
``(II) fulfilling the request would
create a legitimate risk to the
privacy, security, or safety of someone
other than the young consumer or child,
as applicable; or
``(iii) with respect to a request to
correct covered information made under
subparagraph (C) or a request to delete covered
information made under subparagraph (D), the
covered entity determines that the retention of
the covered information is necessary to--
``(I) complete the transaction with
the young consumer or child, as
applicable, for which the covered
information was collected;
``(II) provide a product or service
affirmatively requested by the young
consumer or parent of a child, as
applicable;
``(III) perform a contract with the
young consumer or a parent of a child,
as applicable, including a contract for
billing, financial reporting, or
accounting;
``(IV) to keep a record of the
covered information for law enforcement
purposes; or
``(V) identify and repair errors
that impair the functionality of the
Internet website or online service; or
``(iv) the covered information is used in
public or peer-reviewed scientific, medical, or
statistical research in the public interest
that adheres to commonly accepted ethical
standards or laws, with informed consent
consistent with section 50.20 of title 21, Code
of Federal Regulations, provided that the
research must already be in progress at the
time of request to access, correct, or delete
is made under subparagraphs (A), (B), or (C).
``(E) Prohibition on limiting or discontinuing
service.--Such regulations shall prohibit a covered
entity from refusing to provide a service, or
discontinuing a service provided, to a young consumer
or child, if the young consumer or parent of the child,
as applicable, exercises any of the rights set forth in
regulations under this paragraph.
``(6) Additional prohibited practices with respect to young
consumers and children.--
``(A) In general.--Such regulations shall prohibit
a covered entity from--
``(i) processing any covered information in
a manner that is inconsistent with what a
reasonable young consumer or parent of a child
would expect in the context of a particular
transaction or the young consumer's or parent's
relationship with such covered entity or
seeking to obtain verifiable consent for such
processing;
``(ii) providing targeting advertisements
or engaging in other marketing to a specific
child, based on that child's covered
information or behavior, or based on the
covered information or behavior of children who
are similar to that child in gender, income
level, age, race, or ethnicity; and
``(iii) conditioning the participation of a
child in a game, sweepstakes, or other contest
on consenting to the processing of more covered
information than is necessary for such child to
participate.
``(B) Exceptions.--Nothing in subparagraph (A)
shall prohibit a covered entity from processing covered
information if necessary solely for purposes of--
``(i) detecting and preventing security
incidents;
``(ii) preventing imminent danger to the
personal safety of an individual or group of
individuals;
``(iii) identifying and repairing errors
that impair the functionality of the Internet
website or online service; or
``(iv) complying with any Federal, State,
or local law, rule, regulation, or other legal
obligation, including civil, criminal, or
regulatory inquiries, investigations,
subpoenas, disclosures of information required
by a court order or other properly executed
compulsory process.
``(C) De-identified information.--Such regulations
shall prohibit a covered entity that de-identifies
information, and any third party with which the covered
entity discloses such de-identified information, from
re-identifying, or attempting to re-identify, any
information that the covered entity has de-identified.
Such regulations shall also require a covered entity to
contractually prohibit any third party with which the
covered entity discloses such de-identified information
from re-identifying or attempting to re-identify such
information.
``(7) Security requirements.--
``(A) In general.--Such regulations shall require a
covered entity to establish and implement reasonable
security policies, practices, and procedures for the
treatment and protection of covered information, taking
into consideration--
``(i) the size, nature, scope, and
complexity of the activities engaged in by such
covered entity;
``(ii) the sensitivity of any covered
information at issue;
``(iii) the state of the art in
administrative, technical, and physical
safeguards for protecting such information; and
``(iv) the cost of implementing such
policies, practices, and procedures.
``(B) Specific requirements.--Such regulations
shall require the policies, practices, and procedures
established pursuant to regulations issued under
subparagraph (A) to include the following:
``(i) A written security policy with
respect to the processing of such covered
information.
``(ii) The identification of an officer or
other individual as the point of contact with
responsibility for the management of
information security.
``(iii) A process for identifying and
assessing any reasonably foreseeable
vulnerabilities in the system or systems
maintained by such covered entity that contains
such covered information, including regular
monitoring for a breach of security of such
system or systems.
``(iv) A process for taking preventive and
corrective action to mitigate against any
vulnerabilities identified in the process
required by clause (iii), which may include--
``(I) implementing any changes to
the security practices, architecture,
installation, or implementation of
network or operating software; and
``(II) regular testing or otherwise
monitoring the effectiveness of the
safeguards.
``(v) A process for determining if the
covered information is no longer needed and
deleting such covered information by shredding,
permanently erasing, or otherwise modifying the
covered information contained in such data to
make such covered information permanently
unreadable or indecipherable.
``(vi) A process for overseeing persons who
have access to covered information, including
through Internet-connected devices, by--
``(I) taking reasonable steps to
select and retain persons that are
capable of maintaining appropriate
safeguards for the covered information
or Internet-connected devices at issue;
and
``(II) requiring all such persons
to implement and maintain such security
measures.
``(vii) A process for employee training and
supervision for implementation of the policies,
practices, and procedures required by this
subsection.
``(viii) A written plan or protocol for
internal and public response in the event of a
breach of security.
``(C) Periodic assessment and consume privacy and
data security modernization.--Such regulations shall
require a covered entity, not less frequently than
every 12 months, to monitor, evaluate, and adjust, as
appropriate, the policies, practices, and procedures of
such covered entity in light of any relevant changes
in--
``(i) technology;
``(ii) internal or external threats and
vulnerabilities to covered information; and
``(iii) the changing business arrangements
of the covered entity.
``(D) Submission of policies to the ftc.--Such
regulations shall require a covered entity to submit
the policies, practices, and procedures of the covered
entity to the Commission in conjunction with a
notification of a breach of security required by any
Federal or State statute or regulation or upon request
of the Commission.''; and
(4) in subsection (c)--
(A) by inserting ``subsection (a)(2) or'' after
``violation of''; and
(B) by striking ``under subsection (a)'' and
inserting ``under subsection (b)''.
SEC. 4. REPEAL OF SAFE HARBORS PROVISION AND CONFORMING AMENDMENTS.
(a) In General.--Section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503) is repealed.
(b) Conforming Amendments.--The Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6501 et seq.) is amended--
(1) by striking ``operator'' each place it appears and
inserting ``covered entity'';
(2) in section 1303(c), by striking ``sections 1304 and
1306'' and inserting ``section 1306''; and
(3) in section 1305(b), by striking paragraph (3).
SEC. 5. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) Enforcement by Federal Trade Commission.--Section 1306(d) of
the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6505(d)) is amended--
(1) in the first sentence, by striking ``this title. Any
entity'' and inserting ``this title, and any entity'';
(2) by striking ``The Commission shall prevent'' and
inserting the following:
``(1) In general.--Except as provided in paragraphs (2)
through (4), the Commission shall prevent''; and
(3) by adding at the end the following:
``(2) Increased civil penalty amount.--In the case of a
civil penalty under subsection (l) or (m) of section 5 of the
Federal Trade Commission Act (15 U.S.C. 45) relating to acts or
practices in violation of any provision of this title or a
regulation prescribed under this title, the maximum dollar
amount per violation shall be $63,795.
``(3) Nature of relief available.--In any action commenced
by the Commission under section 19(a) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)) to enforce this title, the
Commission shall seek all appropriate relief described in
subsection (b) of such section, and may, notwithstanding such
subsection, seek any exemplary or punitive damages.''.
(b) Enforcement by Certain Other Agencies.--Section 1306 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is
further amended--
(1) in subsection (b)--
(A) in paragraph (1), by striking ``, in the case
of'' and all that follows and inserting the following:
``by the appropriate Federal banking agency, with
respect to any insured depository institution (as those
terms are defined in section 3 of that Act (12 U.S.C.
1813));'';
(B) in paragraph (6), by striking ``Federal land
bank, Federal land bank association, Federal
intermediate credit bank, or production credit
association'' and inserting ``Farm Credit Bank,
Agricultural Credit Bank (to the extent exercising the
authorities of a Farm Credit Bank), Federal Land Credit
Association, or agricultural credit association''; and
(C) by striking paragraph (2) and redesignating
paragraphs (3) through (6) as paragraphs (2) through
(5), respectively; and
(2) in subsection (c), by striking ``subsection (a)'' each
place it appears and inserting ``subsection (b)''.
SEC. 6. REVIEW.
Section 1307 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6506) is amended--
(1) in the matter preceding paragraph (1), by striking
``the regulations initially issued under section 1303'' and
inserting ``the regulations issued under section 1303 for the
initial implementation of the amendments made by the Protecting
the Information of our Vulnerable Children and Youth Act''; and
(2) by amending paragraph (1) to read as follows:
``(1) review the implementation of this title, including
the effect of the implementation of this title on practices
relating to the processing of covered information about young
consumers or children and young consumer's and children's
ability to obtain access to information of their choice online;
and''.
SEC. 7. PRIVATE RIGHT OF ACTION.
The Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.) is amended--
(1) by redesignating sections 1307 and 1308 as sections
1308 and 1309, respectively; and
(2) by inserting after section 1306 the following:
``SEC. 1307. PRIVATE RIGHT OF ACTION.
``(a) Right of Action.--Any parent of a young consumer or parent of
a child alleging a violation of this title or a regulation prescribed
under this title with respect to the covered information of such young
consumer or child may bring a civil action in any court of competent
jurisdiction.
``(b) Injury in Fact.--A violation of this Act or a regulation
promulgated under this Act with respect to the covered information of a
young consumer or child constitutes an injury in fact to that young
consumer or child.
``(c) Relief.--In a civil action brought under subsection (a) in
which the plaintiff prevails, the court may award--
``(1) injunctive relief;
``(2) actual damages;
``(3) punitive damages;
``(4) reasonable attorney's fees and costs; and
``(5) any other relief that the court determines
appropriate.
``(d) Pre-Dispute Arbitration Agreements.--
``(1) In general.--No pre-dispute arbitration agreement or
pre-dispute joint-action waiver shall be valid or enforceable
with respect to any claim arising out of this Act or the
regulations issued under this Act.
``(2) Determination.--A determination as to whether and how
this Act applies to an arbitration agreement shall be
determined under Federal law by the court, rather than the
arbitrator, irrespective of whether the party opposing
arbitration challenges such agreement specifically or in
conjunction with any other term of the contract containing such
agreement.
``(3) Definitions.--As used in this subsection--
``(A) the term `pre-dispute arbitration agreement'
means any agreement to arbitrate a dispute that has not
arisen at the time of the making of the agreement; and
``(B) the term `pre-dispute joint-action waiver'
means an agreement, whether or not part of a pre-
dispute arbitration agreement, that would prohibit, or
waive the right of, one of the parties to the agreement
to participate in a joint, class, or collective action
in a judicial, arbitral, administrative, or other
forum, concerning a dispute that has not yet arisen at
the time of the making of the agreement.
``(e) Non-Waiveability.--The rights and remedies provided under
this Act may not be waived or limited by contract or otherwise.''.
SEC. 8. RELATIONSHIP TO OTHER LAW.
Section 1306 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6505) is further amended by adding at the end the
following:
``(f) Relationship to Other Law.--Nothing in this Act may be
construed to modify, limit, or supersede the operation of any privacy
or security provision in any other Federal statute or regulation.''.
SEC. 9. ADDITIONAL CONFORMING AMENDMENT.
The heading of title XIII of division C of the Omnibus Consolidated
and Emergency Supplemental Appropriations Act, 1999 (Public Law 105-
277; 112 Stat. 2681-728) is amended by inserting ``AND YOUNG
CONSUMER'S'' after ``CHILDREN'S''.
<all>