[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6227 Introduced in House (IH)]
116th CONGRESS
2d Session
H. R. 6227
To direct the Federal Trade Commission to issue privacy scores for
certain interactive computer services, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 12, 2020
Mr. Lipinski introduced the following bill; which was referred to the
Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To direct the Federal Trade Commission to issue privacy scores for
certain interactive computer services, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Privacy Score Act of 2020''.
SEC. 2. PRIVACY FRAMEWORK AND SCORES.
(a) Privacy Framework.--
(1) Development.--The Commission shall develop a framework
for assessing the privacy practices of interactive computer
services (in this section referred to as the ``privacy
framework'').
(2) Framework criteria.--The privacy framework shall
include an assessment of the following criteria, with respect
to an interactive computer service:
(A) Whether the service collects, stores, uses, and
shares only covered information necessary to perform a
relevant user-facing purpose.
(B) The level of transparency of the service
regarding the privacy practices of the service,
including the extent to which the service communicates
to users the following:
(i) What covered information may be
collected.
(ii) How such information may be stored.
(iii) How such information may be used.
(iv) With whom such information may be
shared.
(C) Whether the service offers users any options to
designate preferences for covered information
collected, stored, used, or shared in excess of the
minimum information necessary to perform a relevant
user-facing purpose, and whether such preferences are
respected.
(D) The risk that covered information collected by
the service may be used to identify users, while taking
into consideration whether the identification is
necessary to perform a relevant user-facing purpose of
the service and whether a reasonable user would be
aware of such purpose.
(E) The security of sensitive covered information
collected by the service.
(F) Any other criteria the Commission determines
necessary to protect the privacy of users with respect
to covered information.
(b) Privacy Scores.--
(1) Development.--The Commission shall use the privacy
framework to develop a system for issuing a score for an
interactive computer service that reflects the extent to which
the service protects the privacy of the covered information of
users, taking into consideration the purpose of the service and
options offered to users with respect to covered information
(in this section referred to as a ``privacy score'').
(2) Issuance of score.--The Commission--
(A) shall issue a privacy score for the 100
interactive computer services that have the most unique
United States users each year (as determined by the
Commission); and
(B) may issue a privacy score for interactive
computer services not described in subparagraph (A)
with a high number of unique United States users (as
determined by the Commission).
(3) Evaluation of score.--Each year, the Commission shall
evaluate interactive computer services to determine--
(A) whether the interactive computer services
required to be issued a privacy score under paragraph
(2)(A) have changed;
(B) whether the interactive computer services
eligible to be issued a privacy score under paragraph
(2)(B) have changed; and
(C) whether to modify a privacy score previously
issued for an interactive computer service based on
changes in--
(i) the extent to which the service
protects the privacy of the covered information
of users;
(ii) the purposes of the service; or
(iii) the options offered to users with
respect to covered information collected by the
service.
(4) Publication of score.--
(A) In general.--Not later than 1 year after the
date of the enactment of this Act, the Commission shall
publish on a public website of the Commission the
privacy scores issued pursuant to paragraph (2), the
corresponding dates of issuance, and a link to the
online privacy policy of the interactive computer
service.
(B) Updates.--Beginning on the date that is 1 year
after the date on which the Commission initially
publishes the privacy scores under subparagraph (A),
and annually thereafter, the Commission shall publish
updates of such scores based on the evaluation
conducted under paragraph (3) for the relevant year.
(C) Decline in unique united states users.--
Notwithstanding the Commission determining that an
interactive computer service for which a privacy score
has been issued pursuant to paragraph (2) no longer has
a high number of unique United States users, the
Commission may continue to publish the most recently
issued score and the corresponding date of issuance.
(5) Dispute process.--Not later than 1 year after the date
of the enactment of this Act, the Commission shall establish a
process for resolving disputes related to the issuance of
privacy scores that have been raised--
(A) by an interactive computer service for which a
privacy score has been issued; or
(B) by a third party.
(6) Report.--Not later than 2 years after the date of the
publication of the initial privacy scores under paragraph
(4)(A), and annually thereafter, the Commission shall submit to
Congress a report that describes the following:
(A) The number of interactive computer services
evaluated with respect to the issuance of privacy
scores during the most recently completed year and in
total.
(B) Trends related to privacy scores, including the
number of privacy scores that the Commission issued or
modified during the most recently completed year and in
total.
(C) Any common characteristics of interactive
computer services with low privacy scores, such as
privacy policy terms, industry, location where the
service is based, type of service offered, or ownership
or control of the service.
(D) If applicable, an identification of trends in
the practices of interactive computer services with
respect to the privacy of the covered information of
users of such services, including any potential
emerging threats posed by such practices.
(E) If determined necessary by the Commission,
recommendations for congressional action to promote the
privacy of users of interactive computer services.
(c) Public Awareness and Recognition.--The Commission may--
(1) conduct public awareness campaigns to educate users
about the privacy scores issued under subsection (b); and
(2) establish a recognition program for interactive
computer services with outstanding privacy scores issued under
such subsection.
(d) Definitions.--In this section:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered information.--The term ``covered information''
means information that is linked or that the Commission
determines is reasonably linkable to a unique user of an
interactive computer service, including--
(A) first and last name of the user;
(B) home or other physical address of the user,
including the name of a street, city, or town;
(C) email address of the user;
(D) telephone number of the user; and
(E) Social Security number of the user.
(3) Interactive computer service.--The term ``interactive
computer service'' has the meaning given the term in section
230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).
(4) Sensitive covered information.--The term ``sensitive
covered information'' means any of the following covered
information:
(A) Financial information of the user.
(B) Biometric identifiers of the user.
(C) Citizenship or immigration status of the user.
(D) Medical information of the user.
(E) Race, ethnicity, or religious affiliation of
the user.
(F) Criminal history of the user.