[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 3456 Introduced in Senate (IS)]
<DOC>
116th CONGRESS
2d Session
S. 3456
To protect the privacy of consumers.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 12, 2020
Mr. Moran introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To protect the privacy of consumers.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Consumer Data
Privacy and Security Act of 2020''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Collection and processing of personal data.
Sec. 4. Right to know.
Sec. 5. Individual control.
Sec. 6. Security.
Sec. 7. Accountability.
Sec. 8. Rules relating to service providers.
Sec. 9. Enforcement.
Sec. 10. Relation to other laws.
Sec. 11. Commission resources.
Sec. 12. Guidance and reporting.
Sec. 13. Severability.
Sec. 14. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) Biometric information.--The term ``biometric
information'' means information, resulting from specific
technical processing related to the physical, biological,
physiological, genetic, or behavioral characteristics of an
individual, that identifies the individual.
(2) Collection.--The term ``collection'' means acquiring
personal data by any means, including by receiving, purchasing,
or leasing the data or by observing or interacting with the
individual to whom the data relates.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Covered entity.--
(A) In general.--The term ``covered entity'' means
any entity that--
(i) alone, or jointly with others,
determines the purpose and means of collecting
or processing personal data; and
(ii) is--
(I) a person over which the
Commission has authority pursuant to
section 5(a)(2) of the Federal Trade
Commission Act (15 U.S.C. 45(a)(2));
(II) a common carrier subject to
the Communications Act of 1934 (47
U.S.C. 151 et seq.) and Acts amendatory
thereof and supplementary thereto; or
(III) a nonprofit organization,
including any organization that is not
organized to carry on business for its
own profit or that of its members.
(B) Limitation.--An entity shall not be considered
to be a covered entity with respect to personal data to
the extent that the entity is a service provider with
respect to such data.
(5) De-identify.--The term ``de-identify'' means, with
respect to personal data held by a covered entity or service
provider, that the covered entity or service provider--
(A) alters, anonymizes, or aggregates the data so
that there is a reasonable basis for expecting that the
data could not be linked (including by the entity or
service provider) as a practical matter to a specific
individual;
(B) publicly commits to refrain from attempting to
re-identify the data with a specific individual, and
adopts controls to prevent such identification; and
(C) causes the data to be covered by a contractual
or other legally enforceable prohibition on each entity
to which the covered entity or service provider
discloses the data from attempting to use the data to
identify a specific individual and requires the same of
all onward disclosures.
(6) Delete.--The term ``delete'' means to remove or destroy
information such that the information is not able to be
retrieved in the ordinary course of business.
(7) Individual.--The term ``individual'' means a natural
person residing in the United States.
(8) Material change.--The term ``material change'' means a
change to a policy or practice of a covered entity or service
provider that--
(A) relates to the collection or processing of
personal data by the covered entity or service
provider;
(B) is likely to affect the conduct or decision of
a reasonable individual with respect to any personal
data of the individual that is subject to such policy
or practice; and
(C) in the case of a service provider, is made at
the direction of the covered entity on whose behalf the
service provider is performing a service or function.
(9) Personal data.--
(A) In general.--The term ``personal data'' means
information that identifies or is linked or reasonably
linkable to a specific individual.
(B) Linked or reasonably linkable.--
(i) In general.--For purposes of
subparagraph (A), information held by a covered
entity or service provider is linked or
reasonably linkable to a specific individual if
it can be used on its own or in combination
with other information held by, or readily
accessible to, the covered entity or service
provider to identify the individual.
(ii) Application to device-level
identifiers.--A persistent identifier that is
used to identify a specific individual over
time and across services and platforms,
including a customer number held in a cookie, a
static Internet Protocol (IP) address, a
processor or device serial number, or another
unique device identifier, shall be considered
information that is linked or reasonably
linkable to the individual for purposes of
subparagraph (A).
(C) Exclusion.--The term ``personal data'' does not
include--
(i) de-identified data;
(ii) data that has been rendered unreadable
or indecipherable;
(iii) information about employees or
employment status collected or used by an
employer pursuant to an employer-employee
relationship, including information related to
prospective employees and relevant application
materials;
(iv) publicly available information;
(v) data that has undergone
pseudonymization; or
(vi) employee data.
(D) Employee data.--For purposes of subparagraph
(C), the term ``employee data'' means information
collected by a covered entity or the service provider
of a covered entity that is--
(i) contact information for an individual
or the individual's emergency contact that is
collected in the course of the individual's
employment or application for employment
(including on a contract or temporary basis)
with the covered entity, provided that such
information is retained or processed by the
covered entity or service provider solely for
purposes related to the individual's employment
or application for employment with the covered
entity; or
(ii) information about an individual who is
an employee or former employee of the covered
entity (or a relative of such an individual)
that is necessary to administer benefits to
which such individual or relative is entitled
on the basis of the individual's employment
with the covered entity, provided that such
data is retained or processed by the covered
entity or service provider solely for the
purpose of administering such benefits.
(10) Pseudonymization.--The term ``pseudonymization'' means
the processing of personal data so that the personal data can
no longer be attributed or reasonably linked to a specific
individual without the use of additional information, provided
that such additional information--
(A) is kept separately; and
(B) is subject to technical and organizational
measures to ensure that the personal data is not
attributed to a specific individual.
(11) Privacy officer.--The term ``privacy officer'' means
an individual designated by a covered entity or service
provider under section 7(b)(1) to be the privacy officer of the
covered entity.
(12) Processing.--The term ``processing'' means any
operation or set of operations performed on personal data,
including the analysis, organization, structuring, retaining,
using, disclosing, transmitting, sharing, transferring,
selling, licensing, or otherwise handling of personal data.
(13) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means any information that a covered
entity or service provider has a reasonable basis to
believe is lawfully made available to the general
public from--
(i) a Federal, State, or local government
record;
(ii) widely distributed media; or
(iii) a disclosure to the general public
that is made voluntarily by an individual, or
required to be made by a Federal, State, or
local law.
(B) Reasonable basis to believe.--For purposes of
subparagraph (A), reasonable bases for believing that
information is lawfully made available to the general
public shall include a written determination by a
covered entity or service provider that the information
is of a type that is lawfully made available to the
general public.
(14) Sensitive personal data.--The term ``sensitive
personal data'' means personal data that is--
(A) a unique, government-issued identifier, such as
a social security number, passport number, driver's
license number, or taxpayer identification number;
(B) a user name or email address in combination
with a password or security question and answer that
would permit access to an online account;
(C) biometric information of an individual;
(D) the content of a wire communication, oral
communication, or electronic communication, as those
terms are defined in section 2510 of title 18, United
States Code, to which the individual is a party, unless
the covered entity is the intended recipient of the
communication;
(E) information that relates to--
(i) the past, present, or future diagnosed
physical or mental health or condition of an
individual;
(ii) the provision of health care to an
individual; or
(iii) the past, present, or future payment
for the provision of health care to an
individual;
(F) a financial account number, debit card number,
credit card number, if combined with an access code,
password, or credentials that provide access to such an
account;
(G) the race or ethnicity of the individual;
(H) the religious beliefs or affiliation of the
individual;
(I) the sexual orientation of the individual;
(J) the precise geolocation of an individual that
is technically derived and that is capable of
determining with reasonable specificity the past or
present actual physical location of the individual more
precisely than a zip code, street, or town or city
level; or
(K) such other specific categories of personal data
as the Commission may define by rule issued in
accordance with section 553 of title 5, United States
Code, the collection or processing of which could lead
to reasonably foreseeable harm to an individual.
(15) Service provider.--The term ``service provider'' means
an entity that collects or processes personal data on behalf
of, and at the direction of, a covered entity to which the
service provider is unaffiliated, but only--
(A) with respect to the personal data collected or
processed on the behalf of, and at the direction of,
such covered entity; and
(B) to the extent that the collection or
processing--
(i) is on the behalf of, and at the
direction of, such covered entity; or
(ii) is permitted under section 3(c).
(16) Small business.--The term ``small business'' means any
covered entity or service provider that--
(A) for the most recent 6-month period--
(i) employs not more than 500 employees;
and
(ii) maintains less than $50,000,000 in
average gross receipts for the previous 3
years; and
(B) collects or processes on an annual basis--
(i) the personal data of fewer than
1,000,000 individuals; or
(ii) the sensitive personal data of fewer
than 100,000 individuals.
(17) Third party.--
(A) In general.--The term ``third party'' means a
covered entity that receives third party personal data
from an unaffiliated covered entity, but only with
respect to such third party personal data.
(B) Third party personal data.--For purposes of
subparagraph (A), the term ``third party personal
data'' means personal data that a covered entity
discloses to another unaffiliated covered entity and
such disclosure--
(i) is not directed by the individual to
whom the personal data relates; and
(ii) is not necessary to complete a
transaction or fulfill a request made by the
individual to whom such data relates.
(18) Unaffiliated.--The term ``unaffiliated'' means, with
respect to two or more entities, that the entities do not share
interrelated operations, common management, centralized control
of labor relations, or common ownership or financial control.
SEC. 3. COLLECTION AND PROCESSING OF PERSONAL DATA.
(a) Requirements.--
(1) In general.--Except as provided in paragraphs (2) and
(3), a covered entity shall not collect or process personal
data of an individual unless--
(A) the individual has consented explicitly or
implicitly to such collection or processing for a
specific purpose, in accordance with subsection (b); or
(B) the covered entity collects or processes the
personal data in accordance with a permissible purpose
described in subsection (c).
(2) Application to third parties.--
(A) In general.--A covered entity that is a third
party with respect to the personal data of an
individual may collect or process such personal data
without directly obtaining the individual's consent as
required under paragraph (1)(A) if--
(i) the covered entity from whom the third
party received the personal data of the
individual involved--
(I) has provided the individual
with notice of--
(aa) the fact that the
covered entity would disclose
the individual's personal data
to the third party; and
(bb) the purposes for which
the third party will collect or
process the personal data of
the individual; and
(II) the individual has consented
to such disclosure and such collection
or processing of the individual's
personal data; or
(ii) the third party collects or processes
the personal data in accordance with a
permissible purpose described in subsection
(c).
(B) Notice and consent requirement for different or
additional collection or processing.--A covered entity
that is a third party with respect to the personal data
of an individual shall obtain the consent of such
individual in accordance with subsection (b) before
collecting or processing such personal data if the
specific purpose for such collection or processing--
(i) is not a purpose described in paragraph
(1), (2), (4), or (6) of subsection (c); and
(ii) is different from, or in addition to,
the purpose for any collection or processing to
which the individual previously consented in
accordance with subsection (b).
(C) Duty to exercise reasonable due diligence prior
to reliance on covered entity representations.--For
purposes of subparagraph (A), a covered entity that is
a third party with respect to the personal data of an
individual may reasonably rely on representations made
by the covered entity from whom the third party
received such data regarding the notice provided to,
and the consent obtained from, such individual,
provided that the third party has determined, after
exercising reasonable due diligence, that the covered
entity is credible.
(3) Notice and consent obtained by service providers.--A
service provider may provide notice to, and obtain consent
from, an individual in accordance with subsection (b) on behalf
of a covered entity.
(b) Consent.--
(1) In general.--
(A) Implicit consent.--Except as provided in
subparagraph (B), an individual shall be deemed to have
consented to a request to collect or process the
individual's personal data if the individual fails to
decline the request after being provided with the
notice described in paragraph (2) and a reasonable
amount of time to respond to the request.
(B) Express affirmative consent requirement.--
(i) In general.--The express affirmative
consent of an individual is required to collect
or process the personal data of the individual
if the collection or processing--
(I) involves sensitive personal
data of the individual; or
(II) involves the disclosure of
personal data to a third party for a
purpose that is not described in
subsection (c).
(ii) Requirements for valid express
affirmative consent.--For purposes of clause
(i), the express affirmative consent of an
individual to a request to collect or process
the personal data of the individual--
(I) shall be clearly, prominently,
and unmistakably stated;
(II) shall be provided in response
to a request that includes the notice
described in paragraph (2); and
(III) cannot be inferred from
inaction.
(2) Notice required.--
(A) In general.--In requesting the consent of an
individual to collect or process the individual's
personal data, a covered entity shall provide the
individual with notice, in a concise, meaningful,
timely, prominent, and easy-to-understand format, that
includes--
(i) the types of personal data collected
and processed;
(ii) a description of the purposes for
which the covered entity seeks to collect or
process that individual's personal data; and
(iii) the information described in
subparagraph (B).
(B) Contents.--The notice provided by a covered
entity under subparagraph (A) shall include--
(i) information on how the individual may
access the privacy policy of the covered entity
described in section 4(a);
(ii) information on how the individual may
exercise the rights provided for under this
Act; and
(iii) notice of whether the collection or
processing by the covered entity--
(I) includes the disclosure of
personal data to third parties; or
(II) involves sensitive personal
data.
(C) Separation.--If consent is obtained in the
context of a notice that also concerns matters other
than the collection or processing of personal data, the
request for consent shall be presented in a manner that
is clearly distinguishable from the other matters.
(3) Withdrawal of consent.--
(A) In general.--A covered entity shall provide an
individual with the means to withdraw previously given
consent to collect or process the personal data of the
individual--
(i) at any time and place that is
reasonably practicable; and
(ii) in a manner that is as accessible as
reasonably practicable.
(B) Effect.--A withdrawal made under subparagraph
(A)--
(i) shall take effect without undue delay;
(ii) shall remain in effect until the
individual revokes or limits that denial or
withdrawal; and
(iii) shall not apply to any collection or
processing of personal data that occurred
before the date on which the withdrawal is
made.
(c) Permissible Purposes.--A covered entity or service provider may
collect or process the personal data of an individual without consent
to the extent that such collection or processing is reasonably
necessary and limited to the following purposes (except that a covered
entity that is a third party with respect to personal data may not
collect or process such data without consent for the purposes described
in paragraphs (3), (5), and (6)):
(1) Provision of service or performance of a contract.--
To--
(A) provide a service, perform a contract, or
conduct a transaction that the individual has
initiated; or
(B) take steps in furtherance of the request
initiated by the individual prior to providing the
service or entering into a contract or transaction.
(2) Compliance with laws.--To comply with a Federal, State,
or local law or another applicable legal requirement, including
a subpoena, summons, or other properly executed compulsory
process, or to exercise or defend a legal claim, as
specifically authorized by law.
(3) Immediate danger.--To prevent imminent danger to the
personal safety of any individual, including by effectuating a
product recall pursuant to Federal or State law.
(4) Fraud prevention and protection of security.--To
protect the rights, property, services, or information systems
of the covered entity or service provider, or any individual,
including to investigate a possible crime or to protect against
security threats, abuse, malicious conduct, deception, fraud,
theft, unauthorized transactions, or any other unlawful
activity.
(5) Research.--In the case of a covered entity only, to
conduct research that--
(A) is performed for the primary purpose of
advancing a broadly recognized public interest;
(B) is performed by the covered entity (or by a
service provider at the direction of the covered
entity) and is not disclosed to any third party;
(C) is broadly compatible with the purposes for
which the data was originally collected or processed;
and
(D) adheres to all applicable ethics and privacy
laws.
(6) Operational purposes.--To--
(A) perform internal operations or analytics for a
product or service offered by the covered entity or
service provider, such as billing, shipping, internal
systems maintenance, diagnostics, inventory management,
financial reporting or accounting, serving an internet
website, or network management;
(B) use on a short-term, transient basis, provided
that the personal data--
(i) is not disclosed to a third party; and
(ii) is not used to build a persistent
profile of the individual;
(C) in the case of a covered entity only, market or
advertise a service or product to an individual if the
personal data used for the marketing or advertising was
collected directly from the individual by the covered
entity or by a service provider on behalf of the
covered entity;
(D) improve a product, service, or activity used,
requested, or authorized by the individual, including
analytics, forecasting, the repair of errors that
impair existing intended functionality, actions to
verify or maintain quality or safety of the product,
service, or activity, or the ongoing provision of
customer service and support by the covered entity or
service provider; or
(E) other additional specific categories of
operational purposes that the Commission may define by
rule, issued in accordance with section 553 of title 5,
United States Code.
(d) Limiting the Retention of Sensitive Personal Data.--A covered
entity shall delete or de-identify sensitive personal data, and shall
direct its service providers to delete or de-identify sensitive
personal data, after the data is no longer reasonably necessary to
accomplish the intended purposes permitted by this section, unless such
deletion or de-identification is impossible or demonstrably
impracticable.
(e) Bankruptcy.--If a covered entity or service provider commences
a case under title 11 of the United States Code, and the case or any
proceeding under the case is expected to lead to the disclosure of the
personal data of any individual, the covered entity or service provider
shall, in a reasonable amount of time before the disclosure, provide
each individual whose personal data is subject to the disclosure with--
(1) a notice of the proposed disclosure, including--
(A) the name of each third party to which the
personal data will be disclosed; and
(B) a description of the policies and practices
relating to personal data of each such third party; and
(2) the opportunity to--
(A) deny consent, or withdraw previously given
consent, to the disclosure of the personal data; or
(B) request that the covered entity or service
provider delete or de-identify the personal data.
SEC. 4. RIGHT TO KNOW.
(a) In General.--A covered entity shall make publicly available, in
a clear and prominent location and in easy-to-understand language, a
privacy policy that includes--
(1) a clear and specific description of the entity's
policies and practices with respect to personal data;
(2) a clear and specific description of the rights of
individuals with respect to their personal data (including the
rights described in section 5) and information on how to
exercise those rights; and
(3) the information described in subsection (c).
(b) Availability of Previous Versions.--A covered entity shall make
publicly available any previous version of a privacy policy required
under subsection (a).
(c) Contents.--A privacy policy required under subsection (a) shall
include--
(1) the identity and the contact details of the covered
entity, including, where applicable, the representative of the
covered entity for purposes of privacy inquiries or its privacy
officer;
(2) a clear description of each category of personal data
collected by the covered entity and the purposes for which each
such category is collected and processed;
(3) a clear description of any relevant retention periods
(if possible) and any criteria and other information with
respect to the deletion or de-identification of personal data
collected and processed by the covered entity;
(4) whether, and for what purposes, the covered entity
discloses personal data to third parties, each category of
personal data disclosed to third parties, and the types of
third parties to which those categories of personal data are
disclosed;
(5) whether, and for what purposes, the covered entity
receives personal data from third parties, the categories of
personal data received from third parties, and the types of
third parties from which the covered entity receives personal
data;
(6) a clear description of the process by which the covered
entity informs individuals of material changes to its policies
and practices with respect to its collection and processing of
personal data;
(7) the specific steps an individual may take to minimize
the collection or processing by the covered entity of the
individual's personal data, and the relevant implications to
the individual from minimizing such collection or processing;
and
(8) the effective date of the privacy policy.
(d) Exceptions.--A covered entity shall not be required to make
available a privacy policy under this subsection with respect to the
collection or processing of personal data that is reasonably necessary
and limited to--
(1) an in-person transaction where the personal data is not
processed for further purposes incompatible with that
transaction;
(2) comply with a Federal, State, or local law or another
applicable legal requirement, including a subpoena, summons, or
other properly executed compulsory process;
(3) prevent imminent danger to the personal safety of any
individual; or
(4) protect the rights or data security of the covered
entity, a service provider of the covered entity, or any
individual, including to investigate a possible crime or to
protect against security threats, abuse, fraud, theft,
unauthorized transactions, or any other unlawful activity.
(e) Material Changes.--
(1) In general.--A covered entity, upon any material change
to the privacy policy of the covered entity or a material
change to the privacy policy of a service provider that is made
at the direction of the covered entity--
(A) shall notify each individual whose personal
data is collected or processed by the covered entity,
or a service provider on behalf of the covered entity,
with a description of the material change, including--
(i) change to the categories of personal
data the covered entity or service provider
processes;
(ii) change to the purposes for which the
covered entity or service provider processes
personal data;
(iii) change to the manner in which the
covered entity or service provider discloses
personal data to third parties; and
(iv) which, if any, changes are
retroactive; and
(B) shall not process (or, in the case of a
material change to the privacy policy of a service
provider that is directed by the covered entity, shall
not direct the service provider to process) any
sensitive personal data of an individual that was
collected by the covered entity or service provider
before the effective date of the material change in a
manner that is inconsistent with the privacy policy
that was applicable at the time such data was collected
until the individual provides express affirmative
consent to such processing.
(2) Direct notice of material change to affected
individuals.--A covered entity shall, if operationally and
technically feasible, directly provide the notice of a material
change required under paragraph (1)(A) to each affected
individual, taking into account available technology and the
nature of the relationship between the covered entity and the
individual.
(3) Public notice of material change.--Where directly
providing the notice of a material change required under
paragraph (1)(A) to each affected individual is impossible or
demonstrably impracticable, a covered entity--
(A) shall publish the notice in a reasonably
prominent location; and
(B) shall not process personal data that was
collected by the covered entity before the effective
date of the material change in a manner that is
inconsistent with the privacy policy that was
applicable at the time such data was collected until
after the notice has been so published for a period of
time that is reasonably sufficient to give affected
individuals the opportunity to exercise their rights
with respect to their personal data.
SEC. 5. INDIVIDUAL CONTROL.
(a) Privacy Controls.--Each covered entity shall--
(1) provide each individual whose personal data is
collected or processed by the covered entity with a reasonably
accessible, clear and conspicuous, and easy-to-use means to
exercise the individual's rights established under this section
with respect to such data;
(2) if applicable, offer the means required under paragraph
(1) through the same means that the individual routinely uses
to interact with the covered entity; and
(3) make the means required under paragraph (1) available
at no additional cost to the individual.
(b) Right To Access.--
(1) In general.--A covered entity shall, in response to a
verified request from an individual--
(A) confirm whether or not the covered entity has
collected or processed the personal data of the
individual; and
(B) if the covered entity has collected or
processed the personal data of the individual, provide,
within a reasonable time after receiving the request,
the individual with--
(i) a copy, or an accurate representation,
of the personal data pertaining to the
individual collected and processed by the
covered entity; and
(ii) a list of the categories of third
parties to which the covered entity has
disclosed the personal data of the individual,
if applicable.
(2) Ease of access.--
(A) Format.--The covered entity shall provide the
information described in paragraph (1)(B) in an
electronic format unless--
(i) the individual requests to receive the
information by other means; or
(ii) providing the information
electronically is impossible or demonstrably
impracticable.
(B) Data portability.--If a covered entity provides
an individual with information in an electronic format
under subparagraph (A), the covered entity shall, where
technically feasible and reasonably practicable,
provide the individual with--
(i) the ability to export the personal data
generated and submitted by the individual in a
structured, commonly-used, and machine-readable
format; and
(ii) the ability to transmit such
information to another entity without
constraints or conditions.
(c) Rights to Accuracy and Correction.--
(1) In general.--A covered entity shall establish
reasonable procedures designed to--
(A) ensure that the personal data that the covered
entity collects and processes with respect to an
individual is accurate and up-to-date; and
(B) provide individuals with the ability to submit
a verified request to the covered entity to--
(i) dispute the accuracy and completeness
of such personal data; and
(ii) request the appropriate correction of
such personal data.
(2) Dispute and correction.--Each covered entity shall
ensure that the ability of an individual to dispute or request
that the covered entity correct personal data as described in
paragraph (1) is provided in a manner that is appropriate and
reasonable based on the benefits and risks of harm to the
individual regarding the accuracy of the personal data.
(3) Exceptions for publicly available information.--A
covered entity shall not be required to verify the accuracy of
publicly available information if the covered entity has
reasonable procedures to ensure that the publicly available
information assembled or maintained by the covered entity
accurately reflects the information available to the general
public.
(d) Right to Erasure.--
(1) In general.--Except for personal data collected and
processed in accordance with a permissible purpose described in
section 3(c), upon a verified request from an individual, a
covered entity shall, without undue delay, delete or de-
identify the personal data of the individual, and shall direct
any service providers of the covered entity to delete or de-
identify such data.
(2) Special considerations.--In determining whether a
covered entity that is a small business has complied with a
verified request under paragraph (1) in a timely fashion, the
Commission shall take into account the amount of time that the
entity requires to comply with the request considering the
technical feasibility, cost, and burden to the entity of
complying with the request.
(e) Frequency and Cost To Exercise Rights.--
(1) In general.--A covered entity--
(A) shall comply with a verified request from any
individual to exercise each of the rights described in
subsections (b), (c), and (d) not less frequently than
twice in any 12-month period; and
(B) the first 2 times that an individual makes a
verified request described in subparagraph (A) in any
12-month period, shall comply with such requests
without any charge to the individual.
(2) Manifestly unfounded and excessive requests.--If an
individual submits a manifestly unfounded or frivolous request
to exercise a right under subsection (b), (c), or (d), or an
excessive number of requests under such subsections, the
covered entity may--
(A) charge a reasonable fee, taking into account
the administrative costs of providing the personal
data, communication, or taking the action requested by
the individual; or
(B) refuse to act on the request.
(f) Verified Request.--
(1) In general.--A request to exercise a right described in
this section shall only be considered a ``verified request'' if
the covered entity verifies that the individual making the
request is the individual whose personal data is the subject of
the request.
(2) Verification of identity.--
(A) In general.--A covered entity shall make a
reasonable effort to verify the identity of any
individual who submits a request to exercise a right
under this section.
(B) Additional information.--If a covered entity
cannot verify the identity of the individual submitting
a request under this subsection, the covered entity--
(i) may request that the individual provide
such additional information as is necessary to
confirm the identity of the individual; and
(ii) shall only process additional
information provided under clause (i) for the
purpose of verifying the identity of the
individual.
(g) Declination of Requests.--
(1) In general.--A covered entity--
(A) shall decline to act on a request under this
section where, after undertaking a reasonable effort,
the entity cannot verify that the individual making the
request is the individual whose personal data is the
subject of the request;
(B) may decline to act on a request under this
section where fulfilling the request would--
(i) require the covered entity or a service
provider of the covered entity to retain any
personal data collected for a single, one-time
transaction, if such personal data is not
processed for additional purposes;
(ii) be impossible or demonstrably
impracticable, or require any steps or measures
to re-identify, or otherwise alter or
manipulate, information that is de-identified;
(iii) be contrary to the legitimate
interests of the covered entity or a service
provider of the covered entity, such as
completing a transaction, repairing
functionality or errors, or performing a
contract between the covered entity and the
individual;
(iv) impair the ability of the covered
entity or a service provider of the covered
entity to detect or respond to a security
incident, provide a secure environment, or
protect against malicious, deceptive,
fraudulent, or illegal activity;
(v) hinder compliance with a legal
obligation or legally recognized privilege,
such as a requirement to retain certain
information, or the establishment, exercise, or
defense of legal claims;
(vi) interfere with research (conducted in
accordance with section 3(c)(5)) when the
deletion of the personal data is likely to
render impossible or seriously impair such
research; or
(vii) create a legitimate risk to the
privacy, security, safety, or other rights of
the individual, an individual other than the
requester, or the covered entity, based on a
reasonable individualized determination by the
covered entity; and
(C) shall not be required to act on a request under
this section if the covered entity is unable to fulfill
the request because--
(i) the covered entity requires the
assistance of a service provider to fulfill the
request; and
(ii) the service provider has informed the
covered entity that the service provider is
unable to assist the covered entity in
fulfilling the request for a reason specified
in section 8(c)(3)(A)(ii)(IV).
(2) Notice of reasons for declination.--If the covered
entity declines to act on a request pursuant to paragraph (1),
the covered entity shall inform the individual who made the
request of the reasons for such declination and any rights the
individual may have to appeal the decision of the covered
entity.
(h) Exception for Small Businesses.--The requirements under
subsections (b) and (c) shall not apply to a covered entity that is a
small business.
(i) Guidance.--The Commission shall, after consulting with and
soliciting comments from consumer data industry representatives, issue
guidance describing nonbinding best practices for covered entities and
service providers of different business sizes and types to develop
privacy controls as described in this section.
SEC. 6. SECURITY.
(a) In General.--Each covered entity and service provider shall
develop, document, implement, and maintain a comprehensive data
security program that contains reasonable administrative, technical,
and physical safeguards designed to protect the security,
confidentiality, and integrity of personal data from unauthorized
access, use, destruction, acquisition, modification, or disclosure.
(b) Considerations of Safeguards.--The safeguards required under
subsection (a) with respect to a covered entity or service provider
shall be appropriate to--
(1) the size, complexity, and resources of the covered
entity or service provider;
(2) the nature and scope of the activities of the covered
entity or service provider;
(3) the technical feasibility and cost of available tools,
external audits or assessments, and other measures used by the
covered entity or service provider to improve security and
reduce vulnerabilities;
(4) the sensitivity of the personal data involved; and
(5) the potential for unauthorized access, use,
destruction, acquisition, modification, or disclosure of the
personal data involved to result in economic loss, identity
theft, fraud, or physical injury to the individuals to whom
such data relates.
(c) Requirements for Program.--A comprehensive data security
program under this section shall be designed to, at a minimum--
(1) designate an employee or employees to be responsible
for overseeing and maintaining its safeguards;
(2) identify material internal and external risks to the
security and confidentiality of personal data and assess the
sufficiency of any safeguards in place to control these risks,
including consideration of risks in each relevant area of the
operations of the covered entity or service provider,
including--
(A) employee training and management;
(B) information systems, including network and
software design, as well as information processing,
storage, transmission, and disposal;
(C) detecting, preventing, and responding to
attacks, intrusions, or other systems failures; and
(D) whether the covered entity or service provider
has taken action to address and prevent reasonably
known and addressable security vulnerabilities;
(3) implement safeguards designed to control the risks
identified in the covered entity's or service provider's risk
assessment, and regularly assess the effectiveness of those
safeguards;
(4) maintain reasonable procedures to require that third
parties and service providers to whom personal data is
transferred by the covered entity or service provider involved
maintain reasonable administrative, technical, and physical
safeguards designed to protect the security and confidentiality
of personal data; and
(5) evaluate and make reasonable adjustments to the
safeguards in light of material changes in technology, internal
or external threats to personal data, and the changing business
arrangements or operations of the covered entity or service
provider.
SEC. 7. ACCOUNTABILITY.
(a) Definition of Applicable Entity.--In this section, the term
``applicable entity'' means a covered entity or service provider that,
on an annual basis, conducts collection and processing of--
(1) the personal data of more than 20,000,000 individuals;
or
(2) the sensitive personal data of more than 1,000,000
individuals.
(b) Privacy Officer.--
(1) Designation.--Each applicable entity shall--
(A) designate an employee of the applicable entity,
or an individual who is a contractor of the applicable
entity, to be the privacy officer responsible for
overseeing its policies and practices relating to the
collection and processing of personal data; and
(B) ensure that the privacy officer is involved in
all issues relating to the privacy and security of
personal data.
(2) Conflicts of interest.--The privacy officer may perform
other tasks and duties for the applicable entity, but only to
the extent that the applicable entity ensures that the
performance of those other tasks or duties does not present a
conflict of interest with respect to the duties and
responsibilities of the privacy officer role.
(3) Responsibilities.--The privacy officer shall--
(A) inform and advise the applicable entity of the
obligations of the applicable entity under this Act;
(B) monitor compliance by the applicable entity
with this Act;
(C) oversee--
(i) in the case of an applicable entity
that is a covered entity, each privacy impact
assessment carried out under subsection (c);
and
(ii) the comprehensive privacy program
implemented under subsection (d); and
(D) act as a contact for the Commission, other
Federal, State, and local authorities, and the
applicable entity with respect to matters relating to
the privacy and security of personal data.
(c) Consideration of Privacy Implications of Material Changes in
Processing Sensitive Personal Data.--
(1) In general.--If an applicable entity that is a covered
entity intends to begin a new collection or processing activity
or to make a material change in its processing of sensitive
personal data, the applicable entity shall, before beginning
the new processing activity or making the material change,
consider the privacy implications, if any, of the change.
(2) Considerations.--An applicable entity that is a covered
entity shall ensure, in considering the privacy implications of
a material change as required under paragraph (1), that the
consideration is reasonable and appropriate with respect to the
sensitive personal data that will be affected by the new
processing activity or the material change in processing by
considering--
(A) the nature and volume of the sensitive personal
data; and
(B) the potential for the new processing activity
or the material change to be a proximate cause of harm
to individuals to whom the sensitive personal data
pertains.
(3) Approval.--The privacy officer shall be required to
approve the findings of a privacy impact assessment carried out
under paragraph (1) before an applicable entity that is a
covered entity may begin the new processing activity or make
the material change that is the subject of the privacy impact
assessment.
(4) Documentation.--An applicable entity that is a covered
entity shall document and maintain in written form any privacy
impact assessment carried out under paragraph (1) if the new
processing activity or material change that is the subject of
the privacy impact assessment involves sensitive personal data.
(d) Comprehensive Privacy Program.--
(1) In general.--Each applicable entity shall implement a
comprehensive privacy program to safeguard the privacy and
security of personal data collected or processed by the
applicable entity for the life cycle of development and
operational practices of its products or services, including
by--
(A) enhancing the privacy and security of personal
data collected or processed by the applicable entity
through appropriate technical or operational
safeguards, such as encryption, de-identification, and
other privacy enhancing technologies;
(B) verifying that the applicable entity's
practices relating to the collection and processing of
personal data are consistent with--
(i) the entity's policies and documentation
of such policies;
(ii) in the case of an applicable entity
that is a covered entity, representations the
entity makes to individuals; and
(iii) in the case of an applicable entity
that is a service provider, representations the
entity makes to covered entities to which the
entity provides services; and
(C) ensuring that the privacy controls of the
applicable entity are adequately accessible to, and
effective at safeguarding the expressed preferences
of--
(i) in the case of an applicable entity
that is a covered entity, each individual whose
personal data is collected or processed by the
covered entity (excluding any personal data
with respect to which the covered entity is a
third party); and
(ii) in the case of an applicable entity
that is a service provider, each covered entity
to which the entity provides services.
(2) Considerations.--In implementing a comprehensive
privacy program under paragraph (1), each applicable entity
shall--
(A) take into consideration, as applicable given
the entity's role as a covered entity or service
provider--
(i) the relevant risks to the privacy and
security of personal data against which the
applicable entity must guard in meeting the
expectations of individuals;
(ii) the requirements under this Act;
(iii) the size and complexity of the
applicable entity; and
(iv) the sensitivity and volume of the
personal data that the applicable entity
processes; and
(B) address the findings and implement the
recommendations contained in privacy impact assessments
that the applicable entity carries out under subsection
(c).
SEC. 8. RULES RELATING TO SERVICE PROVIDERS.
(a) Obligations of Covered Entities With Respect to Service
Providers.--
(1) In general.--A covered entity shall only disclose
personal data to a service provider pursuant to a contract that
is binding on both parties and meets the requirements of
subsection (b).
(2) Due diligence.--
(A) In general.--Any covered entity that discloses
personal data to a service provider shall--
(i) take reasonable steps to identify
whether the service provider has established
appropriate procedures and controls for
ensuring the privacy and security of the
personal data in a manner that complies with
the requirements of this Act, including through
reasonable representations made to the covered
entity by the service provider in the contract
governing the disclosure of personal data to
the service provider; and
(ii) investigate any circumstances for
which a reasonable person would determine that
there is a high probability that the service
provider is not in compliance with a
requirement of this Act, and, if necessary
based on the findings of such investigation,
take reasonable steps to protect the privacy
and security of any personal data disclosed by
the covered entity to the service provider that
is at risk as a result of the service
provider's noncompliance with a requirement of
this Act.
(B) Considerations.--In determining whether a
covered entity has acted reasonably in complying with
clause (i) or (ii) of subparagraph (A), the Commission
shall take into account--
(i) the size, complexity, and resources of
the covered entity and whether the covered
entity is a small business; and
(ii) the risk of harm reasonably expected
to occur as a result of the covered entity
disclosing personal data to a service provider
without complying with such clause.
(b) Contractual Requirements.--
(1) In general.--A contract between a covered entity and a
service provider governing the disclosure of personal data by
the covered entity to the service provider shall--
(A) require the service provider to only collect or
process the personal data as directed by the covered
entity;
(B) establish the purposes for, and means of, the
collecting or processing of the personal data by the
service provider, including instructions, policies, and
practices, as applicable, with which the service
provider is required to comply; and
(C) include a reasonable representation by the
service provider indicating that the service provider
has established appropriate procedures and controls to
comply with the requirements of this Act.
(2) Limitation.--No contract governing the disclosure of
personal data by a covered entity to a service provider shall
relieve a covered entity or service provider of any requirement
or obligation with respect to such personal data that is
imposed on the covered entity or service provider, as
applicable, by this Act.
(c) Service Provider Obligations.--
(1) Notice of processing of personal data to comply with
legal requirement.--In the event that a service provider is
required to process personal data in order to comply with a
legal requirement, including a subpoena, summons, or other
properly executed compulsory process, the service provider
shall inform the covered entity from which it received the
personal data involved of such legal requirement before such
processing, unless the service provider is otherwise prohibited
by law from providing such notification.
(2) Notice of change to policies or practices.--If a
service provider amends its policies or practices relating to
personal data in a manner that is relevant to compliance with
any provision of this Act, the service provider shall provide
reasonable notice in advance of such change to any covered
entity on whose behalf the service provider collects or
processes personal data.
(3) Responsibilities.--
(A) Individual control requests.--A service
provider that collects or processes personal data on
behalf of a covered entity shall, to the extent
possible, either--
(i) provide the covered entity with
appropriate technical and organizational
measures to enable the covered entity to comply
with requests to exercise rights described in
section 5 with respect to any such personal
data that is held by, and reasonably accessible
to, the service provider; or
(ii) respond to any request made by the
covered entity for assistance in complying with
a request to exercise such a right with respect
to such personal data that the covered entity
has verified as described in section 5(f) and
has determined must be complied with under this
Act by, as appropriate--
(I) in the case of a request
described in subsection (b) of section
5, providing the covered entity with
access to any relevant personal data
held by, and reasonably available to,
the service provider;
(II) in the case of a request
described in subsection (c) of such
section, by correcting any relevant
personal data held by, and reasonably
accessible to, the service provider,
and providing the covered entity with
notice of such correction;
(III) in the case of a request
described in subsection (d) of such
section, by deleting, de-identifying,
or returning to the covered entity any
relevant personal data held by, and
reasonably accessible to, the service
provider, and providing the covered
entity with notice of such action; or
(IV) informing the covered entity
that--
(aa) the service provider
does not hold any personal data
related to the request;
(bb) the service provider
cannot reasonably access any
personal data related to the
request; or
(cc) complying with the
request would be inconsistent
with a legal requirement to
which the service provider is
subject.
(B) Deletion of data upon completion of service.--
Except as otherwise required by law, as soon as
practicable after the completion of the service or
function for which a service provider collected or
processed personal data on behalf of a covered entity,
the service provider shall delete, de-identify, or
return to the covered entity all such personal data.
(C) Assurance of compliance.--
(i) In general.--Subject to clause (ii), a
service provider shall make available to a
covered entity on whose behalf the service
provider collects or processes personal data
information necessary to demonstrate the
service provider's compliance with subparagraph
(A).
(ii) Written representation of
compliance.--If the information described in
clause (i) is not technically available to a
service provider, the service provider may
comply with clause (i) by providing the covered
entity with a written representation stating
that the service provider is in compliance with
subparagraph (A).
(4) Subcontractor requirements.--A service provider that is
collecting or processing personal data on behalf of a covered
entity shall not employ a subcontractor to carry out or assist
in such collection or processing unless--
(A) the service provider has provided the covered
entity with an opportunity to object to the use of such
subcontractor; and
(B) the subcontractor is subject (pursuant to an
agreement between the service provider and the
subcontractor) to the same requirements and obligations
as the service provider with respect to the collection
and processing of the personal data.
(5) Considerations.--In determining whether a service
provider has acted reasonably in complying with this
subsection, the Commission shall take into account--
(A) the size, complexity, and resources of the
service provider and whether the service provider is a
small business; and
(B) the risk of harm reasonably expected to occur
as a result of the service provider not complying with
this subsection.
SEC. 9. ENFORCEMENT.
(a) Enforcement by the Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as an unfair or deceptive act or practice in violation
of a rule promulgated under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in subparagraph
(C), the Commission shall enforce this Act and any
regulation promulgated under this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any covered entity
or service provider who violates this Act or a
regulation promulgated under this Act shall be subject
to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act
(15 U.S.C. 41 et seq.).
(C) Common carriers and nonprofit organizations.--
Notwithstanding section 4, 5(a)(2), or 6 of the Federal
Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or
any jurisdictional limitation of the Commission, the
Commission shall also enforce this Act, with respect to
common carriers and nonprofit organizations described
in section 2(4) of this Act, in the same manner
provided in subparagraphs (A) and (B) of this
paragraph.
(D) Authority preserved.--Nothing in this Act shall
be construed to limit the Commission's authority under
the Federal Trade Commission Act or any other provision
of law.
(3) Civil penalties.--
(A) In general.--Notwithstanding section 5(m) of
the Federal Trade Commission Act (15 U.S.C. 45(m)), in
an action brought by the Commission to enforce this Act
and the regulations promulgated under this Act, in
addition to any injunctive relief obtained by the
Commission in the action, a covered entity or service
provider shall be liable for a civil penalty in an
amount described in subparagraph (B) if the covered
entity or service provider, with actual knowledge,
violates this Act or a regulation promulgated under
this Act.
(B) Amount.--
(i) Calculation.--Except as provided in
clause (ii), the amount of a civil penalty
described in subparagraph (A) shall be the
number of individuals affected by a violation
described in that subparagraph multiplied by an
amount not to exceed $42,530.
(ii) Considerations.--In determining the
amount of a civil penalty to seek under
subparagraph (A) for a violation described in
that subparagraph, the Commission shall
consider, with respect to the covered entity or
service provider that committed the violation--
(I) the degree of harm associated
with the privacy and security of
personal data of individuals created by
the violation;
(II) the intent of the covered
entity or service provider in
committing the violation;
(III) the size, complexity, and
resources of the covered entity or
service provider, including if it is a
small business;
(IV) reasonable expectations
relating to privacy and security of
personal data of individuals;
(V) the degree to which the covered
entity or service provider put in place
appropriate controls or complied with
the requirements of section 7, if
applicable;
(VI) whether the covered entity or
service provider self-reported the
violation to the Commission; and
(VII) what, if any, efforts the
covered entity or service provider has
taken to mitigate any risk to the
privacy and security of personal data
of individuals created by the
processing.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which an attorney general
of a State has reason to believe that an interest of the
residents of that State has been or is threatened or adversely
affected by the engagement of any covered entity or service
provider in a practice that violates this Act or a regulation
promulgated under this Act, the attorney general of the State
may, as parens patriae, bring a civil action on behalf of the
residents of the State in an appropriate district court of the
United States to--
(A) enjoin that practice;
(B) enforce compliance with this Act or the
regulation; or
(C) in the case of a violation described in
subsection (a)(3)(A), impose a civil penalty in an
amount described in subsection (a)(3)(B).
(2) Rights of the commission.--
(A) Notice to commission.--
(i) In general.--Except as provided in
clause (iii), the attorney general of a State
shall notify the Commission in writing that the
attorney general intends to bring a civil
action under paragraph (1) not later than 10
days before initiating the civil action.
(ii) Contents.--The notification required
by clause (i) with respect to a civil action
shall include a copy of the complaint to be
filed to initiate the civil action.
(iii) Exception.--If it is not feasible for
the attorney general of a State to provide the
notification required by clause (i) before
initiating a civil action under paragraph (1),
the attorney general shall notify the
Commission immediately upon instituting the
civil action.
(B) Intervention by the commission.--The Commission
may--
(i) intervene in any civil action brought
by the attorney general of a State under
paragraph (1); and
(ii) upon intervening under clause (i)--
(I) be heard on all matters arising
in the civil action; and
(II) file petitions for appeal of a
decision in the civil action.
(3) Consolidation of actions brought by two or more state
attorneys general.--
(A) In general.--Subject to subparagraph (B), if a
civil action under paragraph (1) is pending in a
district court of the United States and one or more
civil actions are commenced pursuant to paragraph (1)
in a different district court of the United States that
involve one or more common questions of fact, all such
civil actions shall be transferred for the purposes of
consolidated pretrial proceedings and trial to the
United States District Court for the District of
Columbia.
(B) Exception.--A civil action shall not be
transferred pursuant to subparagraph (A) if pretrial
proceedings in such civil action have concluded before
the subsequent action is commenced pursuant to
paragraph (1).
(c) Limitation on State Action While Federal Action Is Pending.--If
the Commission institutes an action under subsection (a) with respect
to a violation of this Act or a regulation promulgated under this Act,
a State may not, during the pendency of that action, institute an
action under subsection (b) against any defendant named in the
complaint in the action instituted by the Commission based on the same
set of facts giving rise to the violation with respect to which the
Commission instituted the action.
(d) No Private Right of Action.--There shall be no private right of
action under this Act and nothing in this Act may be construed to
provide a basis for a private right of action.
SEC. 10. RELATION TO OTHER LAWS.
(a) Congressional Intent To Preempt State Privacy and Security
Law.--It is the express intention of Congress to promote consistency in
consumer expectations, competitive parity, and innovation through the
establishment of a uniform Federal privacy framework that preempts, and
occupies the field with respect to, the authority of any State or
political subdivision of a State over the conduct or activities of
covered entities covered by this Act (or under a law enumerated in
subsection (c)) relating to the privacy or security of personal data,
including consumer controls relating to personal data such as rights to
access, correction, and deletion.
(b) Express Preemption of State Law.--
(1) In general.--Except as provided in paragraph (2), this
Act shall supersede any provision of a law, rule, regulation,
or other requirement of any State or political subdivision of a
State to the extent that such provision relates to the privacy
or security of personal data.
(2) Preservation of state and local laws.--The provisions
of this Act shall not be construed to preempt or supersede the
applicability of any of the following laws of a State or
political subdivision of a State to the extent that such law is
not inconsistent with this Act:
(A) Laws that address notification requirements in
the event of a data breach.
(B) Rules of criminal or civil procedure.
(C) Laws that relate to the general standards of
fraud or public safety.
(D) Laws that address the privacy of any group of
students (as defined in section 444(a) of the General
Education Provisions Act (20 U.S.C. 1232g(a)) (commonly
referred to as the ``Family Educational Rights and
Privacy Act of 1974'')).
(E) Laws that address financial information held by
financial institutions (as defined in section 509 of
the Gramm-Leach-Bliley Act (15 U.S.C. 6809)).
(F) Laws that address protected health information
held by covered entities and business associates (as
such terms are defined for purposes of regulations
promulgated under section 264(c) of the Health
Insurance Portability and Accountability Act of 1996
(42 U.S.C. 1320d-2 note)).
(G) Laws governing employment and employment-
related data including data collected or used by an
employer pursuant to an employer-employee relationship.
(H) Laws protecting the right of individuals to be
free of discrimination based on race, sex, national
origin, or other suspect classification identified
under State law.
(c) Relation to Other Federal Laws.--
(1) In general.--Except as otherwise provided in paragraphs
(2) and (4), this Act shall supersede any other Federal statute
or regulation relating to the privacy or security of personal
data.
(2) Savings provision.--This Act shall not be construed to
modify, limit, or supersede the operation of any of the
following laws:
(A) The Children's Online Privacy Protection Act
(15 U.S.C. 6501 et seq.).
(B) The Communications Assistance for Law
Enforcement Act (47 U.S.C. 1001 et seq.).
(C) Section 227 of the Communications Act of 1934
(47 U.S.C. 227).
(D) Title V of the Gramm-Leach-Bliley Act (15
U.S.C. 6801 et seq.).
(E) The Fair Credit Reporting Act (15 U.S.C. 1681
et seq.).
(F) The Health Insurance Portability and
Accountability Act (Public Law 104-191).
(G) The Health Information Technology for Economic
and Clinical Health Act (42 U.S.C. 17931 et seq.).
(H) Section 444 of the General Education Provisions
Act (20 U.S.C. 1232g) (commonly referred to as the
``Family Educational Rights and Privacy Act of 1974'').
(I) The Electronic Communications Privacy Act (18
U.S.C. 2510 et seq.).
(J) The Driver's Privacy Protection Act of 1994 (18
U.S.C. 2721 et seq.).
(K) The Federal Aviation Act of 1958 (49 U.S.C.
App. 1301 et seq.).
(3) Deemed compliance.--A covered entity that is required
to comply with a law specified in paragraph (2) and is in
compliance with the data collection, processing, or security
requirements of such law shall be deemed to be in compliance
with the requirements of this Act with respect to personal data
covered by such law.
(4) Nonapplication of fcc laws and regulations to covered
entities.--Notwithstanding any other provision of law, neither
any provision of the Communications Act of 1934 (47 U.S.C. 151
et seq.) and all Acts amendatory thereof and supplementary
thereto nor any regulation promulgated by the Federal
Communications Commission under such Acts shall apply to any
covered entity with respect to the collection, use, processing,
transferring, or security of personal data, except to the
extent that such provision or regulation pertains solely to
``911'' lines or any other emergency line of a hospital,
medical provider or service office, health care facility,
poison control center, fire protection agency, or law
enforcement agency.
SEC. 11. COMMISSION RESOURCES.
(a) Appointment of Attorneys, Technologists, and Support
Personnel.--Notwithstanding any other provision of law, the Chair of
the Commission shall appoint no fewer than 440 additional individuals
to serve as personnel to enforce this Act and other laws relating to
privacy and data security that the Commission is authorized to enforce.
(b) Assessment of Commission Resources.--Not later than 1 year
after the date of enactment of this Act, the Commission shall submit to
Congress a report that includes--
(1) an assessment of the resources, including personnel,
available to the Commission to carry out this Act; and
(2) a description of any resources, including personnel--
(A) that are not available to the Commission; and
(B) that the Commission requires to effectively
carry out this Act.
(c) Authorization of Appropriations.--There are authorized to be
appropriated to the Commission such sums as may be necessary to carry
out this section.
SEC. 12. GUIDANCE AND REPORTING.
(a) International Coordination and Cooperation.--
(1) In general.--If necessary, the Commission shall
coordinate any enforcement action by the Commission under this
Act with any relevant data protection authority established by
a foreign country or any similar office of a foreign country in
a manner consistent with subsections (j) and (k) of section 6
of the Federal Trade Commission Act (15 U.S.C. 46).
(2) International interoperability.--The Secretary of
Commerce, in consultation with the Commission and the heads of
other relevant Federal agencies, shall--
(A) identify laws of foreign countries or regions
that relate to the processing of personal data for
commercial purposes;
(B) engage with relevant officials of foreign
countries or regions that have implemented laws
described in subparagraph (A) in order to identify
requirements under those laws that could disrupt cross-
border transfers of personal data;
(C) develop mechanisms and recommendations to
prevent disruptions described in subparagraph (B); and
(D) not later than 1 year after the date of
enactment of this Act, and once a year each year
thereafter for 5 years, submit to Congress a report on
the progress of efforts made under this section.
(b) Reports to Congress.--Not later than 180 days after the date of
enactment of this Act, and not less frequently than annually
thereafter, the Commission shall submit to Congress, and make available
on a public website, a report that contains information relating to--
(1) the effectiveness of this Act and regulations
promulgated under this Act;
(2) compliance with the provisions of this Act and
regulations promulgated under this Act;
(3) violations of the provisions of this Act and
regulations promulgated under this Act;
(4) enforcement actions by the Commission and State
attorneys general for violations of the provisions of this Act
and regulations promulgated under this Act;
(5) priorities of the Commission in enforcing the
provisions of this Act and regulations promulgated under this
Act; and
(6) resources needed by the Commission to fully implement
and enforce the provisions of this Act and regulations
promulgated under this Act.
(c) Study and Report by the Government Accountability Office.--Not
later than 3 years after the date of enactment of this Act, and once
every 3 years thereafter, the Comptroller General of the United States
shall submit to the President and Congress a report that surveys
Federal data privacy and security laws in order to--
(1) identify any inconsistency between the requirements
under this Act and the requirements under any law related to
the privacy and security of personal data;
(2) review the impact of the provisions of this Act on
small businesses and provide recommendations, if necessary, to
improve compliance and enforcement;
(3) provide recommendations on amending Federal data
privacy and security laws in light of changing technological
and economic trends; and
(4) detail the Federal data privacy and security
enforcement activities carried out by the Commission and other
Federal agencies.
SEC. 13. SEVERABILITY.
If any provision of this Act or the application of such provision
to any person or circumstance is held to be unconstitutional, the
remainder of this Act, and the application of the provision to any
other person or circumstance, shall not be affected.
SEC. 14. EFFECTIVE DATE.
This Act shall take effect on the date that is 1 year after the
date of enactment of this Act, except that section 10 shall take effect
upon the date of enactment of this Act.