[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2968 Introduced in Senate (IS)]
<DOC>
116th CONGRESS
1st Session
S. 2968
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 3, 2019
Ms. Cantwell (for herself, Mr. Schatz, Ms. Klobuchar, and Mr. Markey)
introduced the following bill; which was read twice and referred to the
Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Consumer Online
Privacy Rights Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Effective date.
TITLE I--DATA PRIVACY RIGHTS
Sec. 101. Duty of loyalty.
Sec. 102. Right to access and transparency.
Sec. 103. Right to delete.
Sec. 104. Right to correct inaccuracies.
Sec. 105. Right to controls.
Sec. 106. Right to data minimization.
Sec. 107. Right to data security.
Sec. 108. Civil rights.
Sec. 109. Prohibition on waiver of rights.
Sec. 110. Limitations and applicability.
TITLE II--OVERSIGHT AND RESPONSIBILITY
Sec. 201. Executive responsibility.
Sec. 202. Privacy and data security officers; comprehensive privacy and
data security programs; risk assessments
and compliance.
Sec. 203. Service providers and third parties.
Sec. 204. Whistleblower protections.
Sec. 205. Digital content forgeries.
TITLE III--MISCELLANEOUS
Sec. 301. Enforcement, civil penalties, and applicability.
Sec. 302. Relationship to Federal and State laws.
Sec. 303. Severability.
Sec. 304. Authorization of appropriations.
SEC. 2. DEFINITIONS.
In this Act:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's
authorization for an act or practice, in response to a
specific request that meets the requirements of
subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the
individual in a standalone disclosure.
(ii) The request includes a description of
each act or practice for which the individual's
consent is sought and--
(I) clearly distinguishes between
an act or practice which is necessary
to fulfill a request of the individual
and an act or practice which is for
another purpose; and
(II) is written in easy-to-
understand language and includes a
prominent heading that would enable a
reasonable individual to identify and
understand the act or practice.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(C) Express consent required.--An entity shall not
infer that an individual has provided affirmative
express consent to an act or practice from the inaction
of the individual or the individual's continued use of
a service or product provided by the entity.
(2) Algorithmic decision-making.--The term ``algorithmic
decision-making'' means a computational process, including one
derived from machine learning, statistics, or other data
processing or artificial intelligence techniques that makes a
decision or facilitates human decision-making with respect to
covered data.
(3) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data generated from the measurement
or specific technological processing of an individual's
biological, physical, or physiological characteristics,
including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina scans;
(iv) facial scans or templates;
(v) deoxyribonucleic acid (DNA)
information; and
(vi) gait.
(B) Exclusions.--Such term does not include writing
samples, written signatures, photographs, voice
recordings, demographic data, or physical
characteristics such as height, weight, hair color, or
eye color, provided that such data is not used for the
purpose of identifying an individual's unique
biological, physical, or physiological characteristics.
(4) Collect; collection.--The terms ``collect'' and
``collection'' mean buying, renting, gathering, obtaining,
receiving, accessing, or otherwise acquiring covered data by
any means, including by passively or actively observing the
individual's behavior.
(5) Common branding.--The term ``common branding'' means a
shared name, servicemark, or trademark.
(6) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control in any manner over the election of a
majority of the directors of the entity (or of
individuals exercising similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(7) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(8) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies, or is linked or reasonably
linkable to an individual or a consumer device,
including derived data.
(B) Exclusions.--Such term does not include--
(i) de-identified data;
(ii) employee data; and
(iii) public records.
(9) Covered entity.--
(A) In general.--The term ``covered entity'' means
any entity or person that--
(i) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.); and
(ii) processes or transfers covered data.
(B) Inclusion of commonly controlled and commonly
branded entities.--Such term includes any entity or
person that controls, is controlled by, is under common
control with, or shares common branding with a covered
entity.
(C) Exclusion of small business.--Such term does
not include a small business.
(10) De-identified data.--The term ``de-identified data'' means
information that cannot reasonably be used to infer information
about, or otherwise be linked to, an individual, a household,
or a device used by an individual or household, provided that
the entity--
(A) takes reasonable measures to ensure that the
information cannot be reidentified, or associated with,
an individual, a household, or a device used by an
individual or household;
(B) publicly commits in a conspicuous manner--
(i) to process and transfer the information
in a de-identified form; and
(ii) not to attempt to reidentify or
associate the information with any individual,
household, or device used by an individual or
household; and
(C) contractually obligates any person or entity
that receives the information from the covered entity
to comply with all of the provisions of this paragraph.
(11) Derived data.--The term ``derived data'' means covered
data that is created by the derivation of information, data,
assumptions, or conclusions from facts, evidence, or another
source of information or data about an individual, household,
or device used by an individual or household.
(12) Employee data.--The term ``employee data'' means--
(A) covered data that is collected by a covered
entity or the covered entity's service provider about
an individual in the course of the individual's
employment or application for employment (including on
a contract or temporary basis) provided that such data
is retained or processed by the covered entity or the
covered entity's service provider solely for purposes
necessary for the individual's employment or
application for employment;
(B) covered data that is collected by a covered
entity or the covered entity's service provider that is
emergency contact information for an individual who is
an employee, contractor, or job applicant of the
covered entity provided that such data is retained or
processed by the covered entity or the covered entity's
service provider solely for the purpose of having an
emergency contact for such individual on file; and
(C) covered data that is collected by a covered
entity or the covered entity's service provider about
an individual (or a relative of an individual) who is
an employee or former employee of the covered entity
for the purpose of administering benefits to which such
individual or relative is entitled on the basis of the
individual's employment with the covered entity,
provided that such data is retained or processed by the
covered entity or the covered entity's service provider
solely for the purpose of administering such benefits.
(13) Executive agency.--The term ``Executive agency'' has
the meaning given such term in section 105 of title 5, United
States Code.
(14) Individual.--The term ``individual'' means a natural
person residing in the United States, however identified,
including by any unique identifier.
(15) Large data holder.--The term ``large data holder''
means a covered entity that, in the most recent calendar year--
(A) processed or transferred the covered data of
more than 5,000,000 individuals, devices used by
individuals or households, or households; or
(B) processed or transferred the sensitive covered
data of more than 100,000 individuals, devices used by
individuals or households, or households.
(16) Process.--The term ``process'' means any operation or
set of operations performed on covered data including
collection, analysis, organization, structuring, retaining,
using, or otherwise handling covered data.
(17) Processing purpose.--The term ``processing purpose''
means an adequately specific and granular reason for which a
covered entity processes covered data that clearly describes
the processing activity.
(18) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means--
(i) information that a covered entity has a
reasonable basis to believe is lawfully made
available to the general public from widely
distributed media; and
(ii) information that is directly and
voluntarily disclosed to the general public by
the individual to whom the information relates.
(B) Limitation.--Such term does not include--
(i) information derived from publicly
available information;
(ii) biometric information; or
(iii) nonpublicly available information
that has been combined with publicly available
information.
(19) Public records.--The term ``public records'' means
information that is lawfully made available from Federal,
State, or local government records provided that the covered
entity processes and transfers such information in accordance
with any restrictions or terms of use placed on the information
by the relevant government entity.
(20) Sensitive covered data.--The term ``sensitive covered
data'' means the following forms of covered data:
(A) A government-issued identifier, such as a
Social Security number, passport number, or driver's
license number.
(B) Any information that describes or reveals the
past, present, or future physical health, mental
health, disability, or diagnosis of an individual.
(C) A financial account number, debit card number,
credit card number, or any required security or access
code, password, or credentials allowing access to any
such account.
(D) Biometric information.
(E) Precise geolocation information that reveals
the past or present actual physical location of an
individual or device.
(F) The content or metadata of an individual's
private communications or the identity of the parties
to such communications unless the covered entity is an
intended recipient of the communication.
(G) An email address, telephone number, or account
log-in credentials.
(H) Information revealing an individual's race,
ethnicity, national origin, religion, or union
membership in a manner inconsistent with the
individual's reasonable expectation regarding
disclosure of such information.
(I) Information revealing the sexual orientation or
sexual behavior of an individual in a manner
inconsistent with the individual's reasonable
expectation regarding disclosure of such information.
(J) Information revealing online activities over
time and across third party websites or online
services.
(K) Calendar information, address book information,
phone or text logs, photos, or videos maintained on an
individual's device.
(L) A photograph, film, video recording, or other
similar medium that shows the naked or undergarment-
clad private area of an individual.
(M) Any other covered data processed or transferred
for the purpose of identifying the above data types.
(N) Any other covered data that the Commission
determines to be sensitive covered data through a
rulemaking pursuant to section 553 of title 5, United
States Code.
(21) Service provider.--
(A) In general.--The term ``service provider''
means a covered entity that processes or transfers
covered data in the course of performing a service or
function on behalf of, and at the direction of, another
covered entity, but only to the extent that such
processing or transferral--
(i) relates to the performance of such
service or function; or
(ii) is necessary to comply with a legal
obligation or to establish, exercise, or defend
legal claims.
(B) Exclusion.--Such term does not include a
covered entity that processes or transfers the covered
data outside of the direct relationship between the
service provider and the covered entity.
(22) Service provider data.--The term ``service provider
data'' means covered data that is collected by or has been
transferred to a service provider by a covered entity for the
purpose of allowing the service provider to perform a service
or function on behalf of, and at the direction of, such covered
entity.
(23) Small business.--
(A) In general.--The term ``small business'' means
an entity that can establish that, with respect to the
3 preceding calendar years (or for the period during
which the entity has been in existence if, as of such
date, such period is less than 3 years) the entity does
not--
(i) maintain annual average gross revenue
in excess of $25,000,000;
(ii) annually process the covered data of
an average of 100,000 or more individuals,
households, or devices used by individuals or
households; and
(iii) derive 50 percent or more of its
annual revenue from transferring individuals'
covered data.
(B) Common control; common branding.--For purposes
of subparagraph (A), the annual average gross revenue,
data processing volume, and percentage of annual
revenue of an entity shall include the revenue and
processing activities of any person that controls, is
controlled by, is under common control with, or shares
common branding with such entity.
(24) Third party.--The term ``third party''--
(A) means any person or entity that--
(i) processes or transfers third party
data; and
(ii) is not a service provider with respect
to such data; and
(B) does not include a person or entity that
collects covered data from another entity if the two
entities are related by common ownership or corporate
control and share common branding.
(25) Third party data.--The term ``third party data'' means
covered data that is transferred to a third party by a covered
entity.
(26) Transfer.--The term ``transfer'' means to disclose,
release, share, disseminate, make available, sell, license, or
otherwise communicate covered data by any means to a service
provider or third party--
(A) in exchange for consideration; or
(B) for a commercial purpose.
(27) Unique identifier.--The term ``unique identifier''
means an identifier that is reasonably linkable to an
individual, household, or device used by an individual or
household, including a device identifier, an Internet Protocol
address, cookies, beacons, pixel tags, mobile ad identifiers,
or similar technology, customer number, unique pseudonym, or
user alias, telephone numbers, or other forms of persistent or
probabilistic identifiers that can be used to identify a
particular individual, a household, or a device.
(28) Widely distributed media.--The term ``widely
distributed media'' means information that is available to the
general public, including information from a telephone book or
online directory, a television, internet, or radio program, the
news media, or an internet site that is available to the
general public on an unrestricted basis, but does not include
an obscene visual depiction as defined in section 1460 of title
18, United States Code.
SEC. 3. EFFECTIVE DATE.
This Act shall take effect on the date that is 180 days after the
date of enactment of this Act.
TITLE I--DATA PRIVACY RIGHTS
SEC. 101. DUTY OF LOYALTY.
(a) In General.--A covered entity shall not--
(1) engage in a deceptive data practice or a harmful data
practice; or
(2) process or transfer covered data in a manner that
violates any provision of this Act.
(b) Definitions.--
(1) Deceptive data practice.--The term ``deceptive data
practice'' means an act or practice involving the processing or
transfer of covered data in a manner that constitutes a
deceptive act or practice in violation of section 5(a)(1) of
the Federal Trade Commission Act (15 U.S.C. 45(a)(1)).
(2) Harmful data practice.--The term ``harmful data
practice'' means the processing or transfer of covered data in
a manner that causes or is likely to cause any of the
following:
(A) Financial, physical, or reputational injury to
an individual.
(B) Physical or other offensive intrusion upon the
solitude or seclusion of an individual or the
individual's private affairs or concerns, where such
intrusion would be offensive to a reasonable person.
(C) Other substantial injury to an individual.
SEC. 102. RIGHT TO ACCESS AND TRANSPARENCY.
(a) Right To Access.--A covered entity, upon the verified request
of an individual, shall provide the individual, in a human-readable
format that a reasonable individual can understand, with--
(1) a copy or accurate representation of the covered data
of the individual processed or transferred by the covered
entity; and
(2) the name of any third party to whom covered data of the
individual has been transferred by the covered entity and a
description of the purpose for which the entity transferred
such data to such third party.
(b) Right to Transparency.--A covered entity shall make publicly
and persistently available, in a conspicuous and readily accessible
manner, a privacy policy that provides a detailed and accurate
representation of the entity's data processing and data transfer
activities. Such privacy policy shall include, at a minimum--
(1) the identity and the contact information of the covered
entity, including the contact information for the covered
entity's representative for privacy and data security
inquiries;
(2) each category of data the covered entity collects and
the processing purposes for which such data is collected;
(3) whether the covered entity transfers covered data and,
if so--
(A) each category of service provider and third
party to which the covered entity transfers covered
data and the purposes for which such data is
transferred to such categories; and
(B) the identity of each third party to which the
covered entity transfers covered data and the purposes
for which such data is transferred to such third party,
except for transfers to governmental entities pursuant
to a court order or law that prohibits the covered
entity from disclosing such transfer;
(4) how long covered data processed by the covered entity
will be retained by the covered entity and a description of the
covered entity's data minimization policies;
(5) how individuals can exercise the individual rights
described in this title;
(6) a description of the covered entity's data security
policies; and
(7) the effective date of the privacy policy.
(c) Languages.--A covered entity shall make the privacy policy
required under this section available to the public in all of the
languages in which the covered entity provides a product or service or
carries out any other activities to which the privacy policy relates.
(d) Right To Consent to Material Changes.--A covered entity shall
not make a material change to its privacy policy or practices with
respect to previously collected covered data that would weaken the
privacy protections applicable to such data without first obtaining
prior affirmative express consent from the individuals affected. The
covered entity shall provide direct notification, where possible,
regarding material changes to affected individuals, taking into account
available technology and the nature of the relationship.
SEC. 103. RIGHT TO DELETE.
A covered entity, upon the verified request of an individual,
shall--
(1) delete, or allow the individual to delete, any
information in the covered data of the individual that is
processed by the covered entity; and
(2) inform any service provider or third party to which the
covered entity transferred such data of the individual's
deletion request.
SEC. 104. RIGHT TO CORRECT INACCURACIES.
A covered entity, upon the verified request of an individual,
shall--
(1) correct, or allow the individual to correct, inaccurate
or incomplete information in the covered data of the individual
that is processed by the covered entity; and
(2) inform any service provider or third party to which the
covered entity transferred such data of the corrected
information.
SEC. 105. RIGHT TO CONTROLS.
(a) Right to Data Portability.--A covered entity, upon the verified
request of an individual, shall export the individual's covered data,
except for derived data, without licensing restrictions--
(1) in a human-readable format that allows the individual
to understand such covered data of the individual; and
(2) in a structured, interoperable, and machine-readable
format that includes all covered data or other information that
the covered entity collected to the extent feasible.
(b) Right To Opt Out of Transfers.--
(1) In general.--A covered entity--
(A) shall not transfer an individual's covered data
to a third party if the individual objects to the
transfer; and
(B) shall allow an individual to object to the
covered entity transferring covered data of the
individual to a third party through a process
established under the rule issued by the Commission
pursuant to paragraph (2).
(2) Rulemaking.--
(A) In general.--Not later than 18 months after the
date of enactment of this Act, the Commission shall
issue a rule under section 553 of title 5, United
States Code, establishing one or more acceptable
processes for covered entities to follow in allowing
individuals to opt out of transfers of covered data.
(B) Requirements.--The processes established by the
Commission pursuant to this subparagraph shall--
(i) be centralized, to the extent feasible,
to minimize the number of opt-out designations
of a similar type that a consumer must make;
(ii) include clear and conspicuous opt-out
notices and consumer friendly mechanisms to
allow an individual to opt out of transfers of
covered data;
(iii) allow an individual that objects to a
transfer of covered data to view the status of
such objection;
(iv) allow an individual that objects to a
transfer of covered data to change the status
of such objection;
(v) be privacy protective; and
(vi) be informed by the Commission's
experience developing and implementing the
National Do Not Call Registry.
(c) Sensitive Data.--A covered entity--
(1) shall not process the sensitive covered data of an
individual without the individual's prior, affirmative express
consent;
(2) shall not transfer the sensitive covered data of an
individual without the individual's prior, affirmative express
consent;
(3) shall provide an individual with a consumer-friendly
means to withdraw affirmative express consent to process the
sensitive covered data of the individual; and
(4) is not required to obtain prior, affirmative express
consent to process or transfer publicly available information.
SEC. 106. RIGHT TO DATA MINIMIZATION.
A covered entity shall not process or transfer covered data beyond
what is reasonably necessary, proportionate, and limited--
(1) to carry out the specific processing purposes and
transfers described in the privacy policy made available by the
covered entity as required under section 102;
(2) to carry out a specific processing purpose or transfer
for which the covered entity has obtained affirmative express
consent; or
(3) for a purpose specifically permitted under subsection
(d) of section 110.
Covered data processing and transfers consistent with this section
shall not supersede any other provision of this Act.
SEC. 107. RIGHT TO DATA SECURITY.
(a) In General.--A covered entity shall establish, implement, and
maintain reasonable data security practices to protect the
confidentiality, integrity, and accessibility of covered data. Such
data security practices shall be appropriate to the volume and nature
of the covered data at issue.
(b) Specific Requirements.--Data security practices required under
subsection (a) shall include, at a minimum, the following:
(1) Assess vulnerabilities.--Identifying and assessing any
reasonably foreseeable risks to, and vulnerabilities in, each
system maintained by the covered entity that processes or
transfers covered data, including unauthorized access to or
risks to covered data, human vulnerabilities, access rights,
and use of service providers. Such activities shall include a
plan to receive and respond to unsolicited reports of
vulnerabilities by entities and individuals.
(2) Preventive and correction action.--Taking preventive
and corrective action to mitigate any risks or vulnerabilities
to covered data identified by the covered entity, which may
include implementing administrative, technical, or physical
safeguards or changes to data security practices or the
architecture, installation, or implementation of network or
operating software.
(3) Information retention and disposal.--Disposing covered
data that is required to be deleted or is no longer necessary
for the purpose for which the data was collected unless an
individual has provided affirmative express consent to such
retention. Such process shall include destroying, permanently
erasing, or otherwise modifying the covered data to make such
data permanently unreadable or indecipherable and unrecoverable
and data hygiene practices to ensure ongoing compliance with
this subsection.
(4) Training.--Training all employees with access to
covered data on how to safeguard covered data and protect
individual privacy and updating that training as necessary.
(c) Training Guidelines.--Not later than 1 year after the date of
enactment of this Act, the Commission, in conjunction with the National
Institute of Standards and Technology, shall publish guidance for
covered entities on how to provide effective data security and privacy
training as described in subsection (b)(4).
SEC. 108. CIVIL RIGHTS.
(a) Protections.--
(1) In general.--A covered entity shall not process or
transfer covered data on the basis of an individual's or class
of individuals' actual or perceived race, color, ethnicity,
religion, national origin, sex, gender, gender identity, sexual
orientation, familial status, biometric information, lawful
source of income, or disability--
(A) for the purpose of advertising, marketing,
soliciting, offering, selling, leasing, licensing,
renting, or otherwise commercially contracting for a
housing, employment, credit, or education opportunity,
in a manner that unlawfully discriminates against or
otherwise makes the opportunity unavailable to the
individual or class of individuals; or
(B) in a manner that unlawfully segregates,
discriminates against, or otherwise makes unavailable
to the individual or class of individuals the goods,
services, facilities, privileges, advantages, or
accommodations of any place of public accommodation.
(2) Exception.--Nothing in this section shall limit a
covered entity from processing covered data for legitimate
internal testing for the purpose of preventing unlawful
discrimination or otherwise determining the extent or
effectiveness of the covered entity's compliance with this Act.
(3) FTC advisory opinions.--A covered entity may request
advice from the Commission concerning the covered entity's
potential compliance with this subsection, in accordance with
the Commission's rules of practice on advisory opinions.
(b) Algorithmic Decision-Making Impact Assessment.--
(1) Impact assessment.--Notwithstanding any other provision
of law, a covered entity engaged in algorithmic decision-
making, or in assisting others in algorithmic decision-making
for the purpose of processing or transferring covered data,
solely or in part to make or facilitate advertising for
housing, education, employment or credit opportunities, or an
eligibility determination for housing, education, employment or
credit opportunities or determining access to, or restrictions
on the use of, any place of public accommodation, must annually
conduct an impact assessment of such algorithmic decision-
making that--
(A) describes and evaluates the development of the
covered entity's algorithmic decision-making processes
including the design and training data used to develop
the algorithmic decision-making process, how the
algorithmic decision-making process was tested for
accuracy, fairness, bias and discrimination; and
(B) assesses whether the algorithmic decision-
making system produces discriminatory results on the
basis of an individual's or class of individuals'
actual or perceived race, color, ethnicity, religion,
national origin, sex, gender, gender identity, sexual
orientation, familial status, biometric information,
lawful source of income, or disability.
(2) External, independent auditor or researcher.--A covered
entity may utilize an external, independent auditor or
researcher to conduct such assessments.
(3) Availability.--The covered entity--
(A) shall make the impact assessment available to
the Commission upon request; and
(B) may make the impact assessment public.
A covered entity may redact and segregate trade secrets as
defined by section 1839 of title 18, United States Code, from
public disclosure under this subsection.
(4) Study.--Not later than 3 years after the date of
enactment of this Act, the Commission shall publish a report
containing the results of a study, using the Commission's
authority under section 6(b) of the Federal Trade Commission
Act (15 U.S.C. 46(b)), examining the use of algorithms for the
purposes described in this subsection. Not later than 3 years
after the publication of the initial report, and as necessary
thereafter, the Commission shall publish a new and updated
version of such report.
SEC. 109. PROHIBITION ON WAIVER OF RIGHTS.
A covered entity shall not condition the provision of a service or
product to an individual on the individual's agreement to waive privacy
rights guaranteed by--
(1) sections 101, 105(a), and 106 through 109 of this Act;
and
(2) sections 102 through 104, and 105(b) and (c) of this
Act, except in the case where--
(A) there exists a direct relationship between the
individual and the covered entity initiated by the
individual;
(B) the provision of the service or product
requested by the individual requires the processing or
transferring of the specific covered data of the
individual and the covered data is strictly necessary
to provide the service or product; and
(C) an individual provides affirmative express
consent to such specific limitations.
SEC. 110. LIMITATIONS AND APPLICABILITY.
(a) Verification of Requests.--
(1) In general.--A covered entity shall not permit an
individual to exercise a right described in sections 102
through 105(a) if--
(A) the covered entity cannot reasonably verify
that the individual making the request to exercise the
right is the individual whose covered data is the
subject of the request or an individual authorized to
make such a request on the individual's behalf; or
(B) the covered entity reasonably believes that the
request is made to interfere with a contract between
the covered entity and another individual.
(2) Additional information.--If a covered entity cannot
reasonably verify that a request to exercise a right described
in sections 102 through 105(a) is made by the individual whose
covered data is the subject of the request (or an individual
authorized to make such a request on the individual's behalf),
the covered entity shall request the provision of additional
information necessary for the sole purpose of verifying the
identity of the individual and shall not process or transfer
such additional information for any other purpose.
(3) Burden minimization.--A covered entity shall minimize
the inconvenience to consumers relating to the verification or
authentication of requests.
(b) Cost of Access.--A covered entity shall carry out the rights
described in sections 102 through 105(a) free of charge.
(c) Exceptions to Sections 102 Through 105(b).--A covered entity
may decline to comply with an individual's request to exercise a right
described in sections 102 through 105(b) if--
(1) complying with the request would be demonstrably
impossible (for purposes of this paragraph, the receipt of a
large number of verified requests, on its own, shall not be
considered to render compliance with a request demonstrably
impossible);
(2) complying with the request would prevent the covered
entity from carrying out internal audits, performing accounting
functions, processing refunds, or fulfilling warranty claims,
provided that the covered data that is the subject of the
request is not processed or transferred for any purpose other
than such specific activities;
(3) the request is made to correct or delete publicly
available information, and then only to the extent the data is
publicly available information;
(4) complying with the request would impair the publication
of newsworthy information of legitimate public concern to the
public by a covered entity, or the processing or transfer of
information by a covered entity for such purpose;
(5) complying with the request would impair the privacy of
another individual or the rights of another to exercise free
speech; or
(6) the covered entity processes or will process the data
subject to the request for a specific purpose described in
subsection (d) of this section, and complying with the request
would prevent the covered entity from using such data for such
specific purpose.
(d) Exceptions to Affirmative Express Consent.--
(1) In general.--A covered entity may process or transfer
covered data without the individual's affirmative express
consent for any of the following purposes, provided that the
processing or transfer is reasonably necessary, proportionate,
and limited to such purpose:
(A) To complete a transaction or fulfill an order
or service specifically requested by an individual,
such as billing, shipping, or accounting.
(B) To perform system maintenance, debug systems,
or repair errors to ensure the functionality of a
product or service provided by the covered entity.
(C) To detect or respond to a security incident,
provide a secure environment, or maintain the safety of
a product or service.
(D) To protect against malicious, deceptive,
fraudulent, or illegal activity.
(E) To comply with a legal obligation or the
establishment, exercise, or defense of legal claims.
(F) To prevent an individual from suffering harm
where the covered entity believes in good faith that
the individual is in danger of suffering death or
serious physical injury.
(G) To effectuate a product recall pursuant to
Federal or State law.
(H) To conduct scientific, historical, or
statistical research in the public interest that
adheres to all other applicable ethics and privacy laws
and is approved, monitored, and governed by an
institutional review board or a similar oversight
entity that meets standards promulgated by the
Commission pursuant to section 553 of title 5, United
States Code.
(2) Biometric information.--Not later than 1 year after the
date of enactment of this Act, the Commission shall promulgate
regulations pursuant to section 553 of title 5, United States
Code, identifying privacy protective requirements for the
processing of biometric information for a purpose described in
subparagraph (C) or (D) of paragraph (1). Such regulations
shall include--
(A) strict data processing limitations, including a
prohibition on the processing of biometric information
unless the covered entity has a reasonable suspicion,
after a specific criminal incident involving the
covered entity, that the individual may engage in
criminal activity;
(B) strict data transfer limitations, including a
prohibition on the transfer of biometric information to
a third party other than to comply with a legal
obligation or to establish, exercise, or defend a legal
claim; and
(C) strict transparency obligations, including
requiring disclosures in a conspicuous and readily
accessible manner regarding specific data processing
and transfer activities.
(e) Journalism Exception.--Nothing in this title shall apply to the
publication of newsworthy information of legitimate public concern to
the public by a covered entity, or to the processing or transfer of
information by a covered entity for that purpose.
(f) Applicability of Other Data Privacy Requirements.--A covered
entity that is required to comply with title V of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology
for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C
of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the
Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family
Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title
34, Code of Federal Regulations), or the regulations promulgated
pursuant to section 264(c) of the Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. 1320d-2 note), and is in
compliance with the data privacy requirements of such regulations,
part, title, or Act (as applicable), shall be deemed to be in
compliance with the related requirements of this title, except for
section 107, with respect to data subject to the requirements of such
regulations, part, title, or Act. Not later than 1 year after the date
of enactment of this Act, the Commission shall issue guidance
describing the implementation of this subsection.
(g) Applicability of Other Data Security Requirements.--A covered
entity that is required to comply with title V of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology
for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C
of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or
the regulations promulgated pursuant to section 264(c) of the Health
Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
note), and is in compliance with the information security requirements
of such regulations, part, title, or Act (as applicable), shall be
deemed to be in compliance with the requirements of section 107 with
respect to data subject to the requirements of such regulations, part,
title, or Act. Not later than 1 year after the date of enactment of
this Act, the Commission shall issue guidance describing the
implementation of this subsection.
(h) In General.--The Commission shall have authority under section
553 of title 5, United States Code, to promulgate regulations necessary
to carry out the provisions of this title.
TITLE II--OVERSIGHT AND RESPONSIBILITY
SEC. 201. EXECUTIVE RESPONSIBILITY.
(a) In General.--Beginning 1 year after the date of enactment of
this Act, the chief executive officer of a covered entity that is a
large data holder (or, if the entity does not have a chief executive
officer, the highest ranking officer of the entity) and each privacy
officer and data security officer of such entity shall annually certify
to the Commission, in a manner specified by the Commission, that the
entity maintains--
(1) adequate internal controls to comply with this Act; and
(2) reporting structures to ensure that such certifying
officers are involved in, and are responsible for, decisions
that impact the entity's compliance with this Act.
(b) Requirements.--A certification submitted under subsection (a)
shall be based on a review of the effectiveness of a covered entity's
internal controls and reporting structures that is conducted by the
certifying officers no more than 90 days before the submission of the
certification.
SEC. 202. PRIVACY AND DATA SECURITY OFFICERS; COMPREHENSIVE PRIVACY AND
DATA SECURITY PROGRAMS; RISK ASSESSMENTS AND COMPLIANCE.
(a) Privacy and Data Security Officer.--A covered entity shall
designate--
(1) 1 or more qualified employees as privacy officers; and
(2) 1 or more qualified employees (in addition to any
employee designated under paragraph (1)) as data security
officers.
(b) Comprehensive Privacy and Data Security Programs, Risk
Assessments, and Compliance.--An employee who is designated by a
covered entity as a privacy officer or a data security officer shall be
responsible for, at a minimum--
(1) implementing a comprehensive written data privacy
program and data security program to safeguard the privacy and
security of covered data throughout the life cycle of
development and operational practices of the covered entity's
products or services;
(2) annually conducting privacy and data security risk
assessments, data hygiene, and other quality control practices;
and
(3) facilitating the covered entity's ongoing compliance
with this Act.
SEC. 203. SERVICE PROVIDERS AND THIRD PARTIES.
(a) Service Providers.--A service provider--
(1) shall not process service provider data for any
processing purpose other than one performed on behalf of, and
at the direction of, the covered entity that transferred such
data to the service provider, except that a service provider
may process data to comply with a legal obligation or the
establishment, exercise, or defense of legal claims;
(2) shall not transfer service provider data to a third
party without the affirmative express consent, obtained by, or
on behalf of, the covered entity, of the individual to whom the
service provider data is linked or reasonably linkable;
(3) shall delete or de-identify service provider data after
the agreed upon end of the provision of services;
(4) is exempt from the requirements of sections 102(a),
103, 104, and 105(a) with respect to service provider data, but
shall, to the extent practicable--
(A) assist the covered entity from which it
received the service provider data in fulfilling
requests made by individuals under such sections; and
(B) shall delete, de-identify, or correct (as
applicable), any service provider data that is subject
to a verified request from an individual described in
section 103 or 104; and
(5) is exempt from the requirements of section 106 with
respect to service provider data, but shall have the same
responsibilities and obligations as a covered entity with
respect to such data under all other provisions of this Act.
(b) Third Parties.--A third party--
(1) shall not process third party data for a purpose that
is inconsistent with the expectations of a reasonable
individual;
(2) may reasonably rely on representations made by the
covered entity that transferred third party data regarding the
expectation of a reasonable individual, provided the third
party conducts reasonable due diligence on the representations
of the covered entity and finds those representations to be
credible; and
(3) upon receipt of any third party data, is exempt from
the requirements of section 105(c) with respect to such data,
but shall have the same responsibilities and obligations as a
covered entity with respect to such data under all other
provisions of this Act.
(c) Additional Obligations on Covered Entities.--
(1) In general.--A covered entity shall--
(A) exercise reasonable due diligence in selecting
a service provider and conduct reasonable oversight of
its service providers to ensure compliance with the
applicable requirements of this section; and
(B) exercise reasonable due diligence in deciding
to transfer covered data to a third party, and conduct
oversight of third parties to which it transfers data
to ensure compliance with the applicable requirements
of this subsection.
(2) Guidance.--Not later than 1 year after the date of
enactment of this Act, the Commission shall issue guidance for
covered entities regarding compliance with this subsection.
(d) In General.--The Commission shall have authority under section
553 of title 5, United States Code, to promulgate regulations necessary
to carry out the provisions of this section.
SEC. 204. WHISTLEBLOWER PROTECTIONS.
(a) In General.--A covered entity shall not, directly or
indirectly, discharge, demote, suspend, threaten, harass, or in any
other manner discriminate against a covered individual of the covered
entity because--
(1) the covered individual, or anyone perceived as
assisting the covered individual, takes (or the covered entity
suspects that the covered individual has taken or will take) a
lawful action in providing to the Federal Government or the
attorney general of a State information relating to any act or
omission that the covered individual reasonably believes to be
a violation of this Act or any regulation promulgated under
this Act;
(2) the covered individual provides information that the
covered individual reasonably believes evidences such a
violation to--
(A) a person with supervisory authority over the
covered individual at the covered entity; or
(B) another individual working for the covered
entity who the covered individual reasonably believes
has the authority to investigate, discover, or
terminate the violation or to take any other action to
address the violation;
(3) the covered individual testifies (or the covered entity
expects that the covered individual will testify) in an
investigation or judicial or administrative proceeding
concerning such a violation; or
(4) the covered individual assists or participates (or the
covered entity expects that the covered individual will assist
or participate) in such an investigation or judicial or
administrative proceeding, or the covered individual takes any
other action to assist in carrying out the purposes of this
Act.
(b) Enforcement.--An individual who alleges discharge or other
discrimination in violation of subsection (a) may bring an action
governed by the rules, procedures, statute of limitations, and legal
burdens of proof in section 42121(b) of title 49, United States Code.
If the individual has not received a decision within 180 days and there
is no showing that such delay is due to the bad faith of the claimant,
the individual may bring an action for a jury trial, governed by the
burden of proof in section 42121(b) of title 49, United States Code, in
the appropriate district court of the United States for the following
relief:
(1) Temporary relief while the case is pending.
(2) Reinstatement with the same seniority status that the
individual would have had, but for the discharge or
discrimination.
(3) Three times the amount of back pay otherwise owed to
the individual, with interest.
(4) Consequential and compensatory damages, and
compensation for litigation costs, expert witness fees, and
reasonable attorneys' fees.
(c) Waiver of Rights and Remedies.--The rights and remedies
provided for in this section shall not be waived by any policy form or
condition of employment, including by a predispute arbitration
agreement.
(d) Predispute Arbitration Agreements.--No predispute arbitration
agreement shall be valid or enforceable if the agreement requires
arbitration of a dispute arising under this section.
(e) Covered Individual Defined.--In this section, the term
``covered individual'' means an applicant, current or former employee,
contractor, subcontractor, grantee, or agent of an employer.
SEC. 205. DIGITAL CONTENT FORGERIES.
(a) Reports.--Not later than 1 year after the date of enactment of
this Act, and annually thereafter, the Director of the National
Institute of Standards and Technology shall publish a report regarding
digital content forgeries.
(b) Requirements.--Each report under subsection (a) shall include
the following:
(1) A definition of digital content forgeries along with
accompanying explanatory materials. The definition developed
pursuant to this section shall not supersede any other
provision of law or be construed to limit the authority of any
executive agency related to digital content forgeries.
(2) A description of the common sources in the United
States of digital content forgeries and commercial sources of
digital content forgery technologies.
(3) An assessment of the uses, applications, and harms of
digital content forgeries.
(4) An analysis of the methods and standards available to
identify digital content forgeries as well as a description of
the commercial technological counter-measures that are, or
could be, used to address concerns with digital content
forgeries, which may include the provision of warnings to
viewers of suspect content.
(5) A description of the types of digital content
forgeries, including those used to commit fraud, cause harm or
violate any provision of law.
(6) Any other information determined appropriate by the
Director.
TITLE III--MISCELLANEOUS
SEC. 301. ENFORCEMENT, CIVIL PENALTIES, AND APPLICABILITY.
(a) Enforcement by the Federal Trade Commission.--
(1) New bureau.--
(A) In general.--The Commission shall establish a
new Bureau within the Commission comparable in
structure, size, organization, and authority to the
existing Bureaus with the Commission related to
consumer protection and competition.
(B) Mission.--The mission of the Bureau established
under this paragraph shall be to assist the Commission
in exercising the Commission's authority under this Act
and under other Federal laws addressing privacy, data
security, and related issues.
(C) Timeline.--Such Bureau shall be established,
staffed, and fully operational within 2 years of
enactment of this Act.
(2) Treatment as violation of rule.--A violation of this
Act or a regulation promulgated under this Act shall be treated
as a violation of a rule defining an unfair or deceptive act or
practice prescribed under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(3) Powers of commission.--
(A) In general.--Except as provided in subparagraph
(C), the Commission shall enforce this Act and the
regulations promulgated under this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act or a regulation promulgated under
this Act shall be subject to the penalties and entitled
to the privileges and immunities provided in the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(C) Independent litigation authority.--The
Commission may commence, defend, or intervene in, and
supervise the litigation of any civil action under this
subsection (including an action to collect a civil
penalty) and any appeal of such action in its own name
by any of its attorneys designated by it for such
purpose. The Commission shall notify the Attorney
General of any such action and may consult with the
Attorney General with respect to any such action or
request the Attorney General on behalf of the
Commission to commence, defend, or intervene in any
such action.
(4) Data privacy and security relief fund.--
(A) Establishment of relief fund.--There is
established in the Treasury of the United States a
separate fund to be known as the ``Data Privacy and
Security Relief Fund'' (referred to in this paragraph
as the ``Relief Fund'').
(B) Deposits.--
(i) Deposits from the commission.--The
Commission shall deposit into the Relief Fund
the amount of any civil penalty obtained
against any covered entity in any judicial or
administrative action the Commission commences
to enforce this Act or a regulation promulgated
under this Act.
(ii) Deposits from the attorney general.--
The Attorney General of the United States shall
deposit into the Relief Fund the amount of any
civil penalty obtained against any covered
entity in any judicial or administrative action
the Attorney General commences on behalf of the
Commission to enforce this Act or a regulation
promulgated under this Act.
(C) Use of fund amounts.--Notwithstanding section
3302 of title 31, United States Code, amounts in the
Relief Fund shall be available to the Commission,
without fiscal year limitation, to provide redress,
payments or compensation, or other monetary relief to
individuals affected by an act or practice for which
civil penalties have been obtained under this Act. To
the extent that individuals cannot be located or such
redress, payments or compensation, or other monetary
relief are otherwise not practicable, the Commission
may use such funds for the purpose of consumer or
business education relating to data privacy and
security or for the purpose of engaging in
technological research that the Commission considers
necessary to enforce this Act.
(D) Amounts not subject to apportionment.--
Notwithstanding any other provision of law, amounts in
the Relief Fund shall not be subject to apportionment
for purposes of chapter 15 of title 31, United States
Code, or under any other authority.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney
general of a State or a consumer protection officer of a State
has reason to believe that an interest of the residents of that
State has been or is adversely affected by the engagement of
any covered entity in an act or practice that violates this Act
or a regulation promulgated under this Act, the attorney
general of the State, or a consumer protection officer of the
State acting on behalf of the State, as parens patriae, may
bring a civil action on behalf of the residents of the State in
an appropriate district court of the United States to--
(A) enjoin that act or practice;
(B) enforce compliance with this Act or the
regulation;
(C) obtain damages, civil penalties, restitution,
or other compensation on behalf of the residents of the
State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice to the commission and rights of the
commission.--Except where not feasible, the State shall notify
the Commission in writing prior to initiating a civil action
under paragraph (1). Such notice shall include a copy of the
complaint to be filed to initiate such action. If prior notice
is not practicable, the State shall provide a copy of the
complaint to the Commission immediately upon instituting the
action. Upon receiving such notice, the Commission may
intervene in such action and, upon intervening--
(A) be heard on all matters arising in such action;
and
(B) file petitions for appeal of a decision in such
action.
(3) Preservation of state powers.--No provision of this
section shall be construed as altering, limiting, or affecting
the authority of a State attorney general or a consumer
protection officer of a State to--
(A) bring an action or other regulatory proceeding
arising solely under the law in effect in that State;
or
(B) exercise the powers conferred on the attorney
general or on a consumer protection officer of a State
by the laws of the State, including the ability to
conduct investigations, to administer oaths or
affirmations, or to compel the attendance of witnesses
or the production of documentary or other evidence.
(4) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in the district court of the United
States that meets applicable requirements relating to
venue under section 1391 of title 28, United States
Code.
(B) Service of process.--In an action brought under
paragraph (1), process may be served in any district in
which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(c) Enforcement by Individuals.--
(1) In general.--Any individual alleging a violation of
this Act or a regulation promulgated under this Act may bring a
civil action in any court of competent jurisdiction, State or
Federal.
(2) Relief.--In a civil action brought under paragraph (1)
in which the plaintiff prevails, the court may award--
(A) an amount not less than $100 and not greater
than $1,000 per violation per day or actual damages,
whichever is greater;
(B) punitive damages;
(C) reasonable attorney's fees and litigation
costs; and
(D) any other relief, including equitable or
declaratory relief, that the court determines
appropriate.
(3) Injury in fact.--A violation of this Act or a
regulation promulgated under this Act with respect to the
covered data of an individual constitutes a concrete and
particularized injury in fact to that individual.
(d) Invalidity of Pre-Dispute Arbitration Agreements and Pre-
Dispute Joint Action Waivers.--
(1) In general.--Notwithstanding any other provision of
law, no pre-dispute arbitration agreement or pre-dispute joint
action waiver shall be valid or enforceable with respect to a
privacy or data security dispute arising under this Act.
(2) Applicability.--Any determination as to whether or how
this subsection applies to any privacy or data security dispute
shall be made by a court, rather than an arbitrator, without
regard to whether such agreement purports to delegate such
determination to an arbitrator.
(3) Definitions.--For purposes of this subsection:
(A) The term ``pre-dispute arbitration agreement''
means any agreement to arbitrate a dispute that has not
arisen at the time of the making of the agreement.
(B) The term ``pre-dispute joint action waiver''
means an agreement, whether or not part of a pre-
dispute arbitration agreement, that would prohibit, or
waive the right of, one of the parties to the agreement
to participate in a joint, class, or collective action
in a judicial, arbitral, administrative, or other
forum, concerning a dispute that has not yet arisen at
the time of the making of the agreement.
(C) The term ``privacy or data security dispute''
means any claim relating to an alleged violation of
this Act, or a regulation promulgated under this Act,
and between an individual and a covered entity.
SEC. 302. RELATIONSHIP TO FEDERAL AND STATE LAWS.
(a) Federal Law Preservation.--Nothing in this Act or a regulation
promulgated under this Act shall be construed to limit--
(1) the authority of the Commission, or any other Executive
agency, under any other provision of law; or
(2) any other provision of Federal law unless as
specifically authorized by this Act.
(b) State Law Preservation.--Nothing in this Act shall be construed
to preempt, displace, or supplant the following State laws, rules,
regulations, or requirements:
(1) Consumer protection laws of general applicability such
as laws regulating deceptive, unfair, or unconscionable
practices.
(2) Civil rights laws.
(3) Laws that govern the privacy rights or other
protections of employees, employee information, or students or
student information.
(4) Laws that address notification requirements in the
event of a data breach.
(5) Contract or tort law.
(6) Criminal laws governing fraud, theft, unauthorized
access to information or unauthorized use of information,
malicious behavior, and similar provisions, and laws of
criminal procedure.
(7) Laws specifying remedies or a cause of action to
individuals.
(8) Public safety or sector specific laws unrelated to
privacy or security.
(c) Preemption of Directly Conflicting State Laws.--Except as
provided in subsections (b) and (d), this Act shall supersede any State
law to the extent such law directly conflicts with the provisions of
this Act, or a standard, rule, or regulation promulgated under this
Act, and then only to the extent of such direct conflict. Any State
law, rule, or regulation shall not be considered in direct conflict if
it affords a greater level of protection to individuals protected under
this Act.
(d) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this Act, nor any amendment, standard, rule,
requirement, assessment, law or regulation promulgated under this Act,
shall be construed to preempt, displace, or supplant any Federal or
State common law rights or remedies, or any statute creating a remedy
for civil relief, including any cause of action for personal injury,
wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of the
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law.
SEC. 303. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act and
the application of such provision to other persons not similarly
situated or to other circumstances shall not be affected by the
invalidation.
SEC. 304. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Commission such sums
as may be necessary to carry out this Act.