[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5433 Introduced in House (IH)]
<DOC>
117th CONGRESS
1st Session
H. R. 5433
To protect the privacy of internet users by reinforcing online privacy
rights and through the establishment of a national Do Not Track system,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 30, 2021
Mr. Posey (for himself, Mr. Gohmert, and Mr. Mullin) introduced the
following bill; which was referred to the Committee on Energy and
Commerce
_______________________________________________________________________
A BILL
To protect the privacy of internet users by reinforcing online privacy
rights and through the establishment of a national Do Not Track system,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Renew Effective
Protection of Americans' Information Rights Act'' or the ``REPAIR
Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--DATA PRIVACY BILL OF RIGHTS
Sec. 101. Short title.
Sec. 102. Policy of the United States.
Sec. 103. Findings.
Sec. 104. Rights relating to transparency.
Sec. 105. Right to delete.
Sec. 106. Right to correct inaccuracies.
Sec. 107. Right to controls.
Sec. 108. Right to data minimization.
Sec. 109. Right to data security.
Sec. 110. Prohibition of service offers conditioned on waivers of
privacy rights.
Sec. 111. Scope of coverage.
Sec. 112. Small business exception.
Sec. 113. Application and enforcement.
Sec. 114. State privacy protections.
Sec. 115. Severability.
Sec. 116. Definitions.
Sec. 117. Effective date.
TITLE II--DO NOT TRACK
Sec. 201. Short title.
Sec. 202. Establishment of Do Not Track system.
Sec. 203. Do Not Track: requirements for operators; prohibited acts.
Sec. 204. Scope of coverage.
Sec. 205. Application and enforcement.
Sec. 206. State privacy protections.
Sec. 207. Severability.
Sec. 208. Definitions.
Sec. 209. Effective date.
TITLE I--DATA PRIVACY BILL OF RIGHTS
SEC. 101. SHORT TITLE.
This title may be cited as the ``Data Privacy Bill of Rights Act''.
SEC. 102. POLICY OF THE UNITED STATES.
It is the policy of the United States that individuals have
fundamental rights to secure and protect their privacy in data
collected from and about them by firms doing business with them as
provided for in this title and that it is also a fundamental purpose of
the Federal Government to defend and enforce such privacy rights.
SEC. 103. FINDINGS.
Congress finds the following:
(1) Individuals are endowed with rights to secure and
protect data related to their lives, their patterns of movement
and commercial exchange and any other information that is
classified as sensitive pursuant to this title.
(2) Individuals have a right to complete transparency with
respect to the exchanges they make in terms of a complete
accounting of both the nonpecuniary and pecuniary costs
allocated to and collected from them.
(3) While the internet and other technologies have produced
enormous benefits to the Nation, they have also had
unintentional consequences in eroding individual data privacy
rights.
(4) The Nation needs to update individual rights to include
adequate and effective protections to secure and sustain
individual rights to data privacy.
(5) That protection of individual data privacy rights
should be secured with due consideration of the collateral
rights of entities to pursue businesses while assuring complete
transparency to individuals as relates to their data and the
role that such data plays in the entities' business models.
SEC. 104. RIGHTS RELATING TO TRANSPARENCY.
(a) Right to Access.--Upon the verified request of an individual, a
covered entity shall provide to the individual--
(1) in a portable format, without licensing restrictions,
the covered data of the individual that is collected,
processed, or transferred by the covered entity; and
(2) in a human-readable format that a reasonable individual
can understand--
(A) a copy of the covered data of the individual
that is collected, processed, or transferred by the
covered entity;
(B) a list of each category of third party to which
the covered entity has transferred the covered data of
the individual; and
(C) the identity of each such third party and a
description of the covered data that was transferred to
such third party and the purpose of the transfer.
(b) Right to Immediate Notification of Collection.--
(1) In general.--On every website or application landing
page, the second-party operator of a covered internet platform
shall display, immediately when the page is accessed by an
individual, an easily identifiable indicator that provides a
real-time notification of whether or not the covered data of
the individual is being actively collected by the covered
internet platform or any program of a third-party operator that
appears on the covered internet platform.
(2) Contents of notification.--The notification required by
paragraph (1) shall include (or provide a link to or other
convenient means of accessing) the following information:
(A) The types of data being collected.
(B) The purposes for which such data is processed.
(C) The categories of such data transferred to
third parties.
(D) The categories of third parties to which such
data is transferred.
(E) The identity of each third party to which such
data is transferred.
(F) How long such data will be retained by the
second-party operator, any third-party operator, and
any third party (as applicable).
(G) A description of individuals' privacy rights
under this title.
(H) The contact information for the representatives
for privacy and data security inquiries of the second-
party operator, any third-party operator, and any third
party (as applicable).
(3) Responsibility of third-party operators.--A third-party
operator of a program that appears on a covered internet
platform shall, if the program collects any covered data of a
user of the platform, ensure that the second-party operator of
the platform provides the notification required by paragraph
(1) and that the notification includes the information required
by paragraph (2) with respect to the program.
(c) Right To Receive Privacy Policy.--
(1) In general.--A covered entity shall make publicly and
persistently available, in a conspicuous and readily accessible
manner, a privacy policy that provides a detailed and accurate
representation of the activities of the covered entity with
respect to the collection, processing, and transfer of covered
data.
(2) Contents of privacy policy.--The privacy policy
required by paragraph (1) shall include, at a minimum, the
following:
(A) An easy-to-understand explanation of the policy
of the covered entity with respect to the collection,
processing, and transfer of covered data (including
clear descriptions that avoid technical and legal
jargon to the extent practicable).
(B) The identity of and contact information for the
covered entity, including the contact information for
the covered entity's representative for privacy and
data security inquiries.
(C) Each category of covered data the covered
entity collects and the processing purposes for which
such data is collected.
(D) Whether the covered entity transfers covered
data and, if so--
(i) each category of service provider or
third party to which the covered entity
transfers covered data and the purposes for
which such data is transferred to each such
category; and
(ii) the identity of each third party to
which the covered entity transfers covered data
and the purposes for which such data is
transferred to such third party.
(E) How long covered data processed by the covered
entity will be retained by the covered entity or a
third party and a description of the covered entity's
data minimization policies.
(F) How individuals can exercise the individual
rights described in this title.
(G) A description of the covered entity's data
security policies.
(H) The effective date of the privacy policy.
(3) Languages.--A covered entity shall make the privacy
policy required under paragraph (1) available to the public in
all of the languages in which the covered entity provides a
product or service or carries out any other activities to which
the privacy policy relates.
(d) Right To Consent to Material Changes.--If a material change to
the privacy policy of a covered entity required under subsection (c)
would weaken privacy protections for covered data, the covered entity
may not apply such change to the covered data of an individual that was
collected before the change takes effect without obtaining the
affirmative express consent of the individual to the change.
SEC. 105. RIGHT TO DELETE.
(a) In General.--A covered entity, upon the verified request of an
individual, shall--
(1) at the option of the individual--
(A) delete, or allow the individual to delete, any
information in the covered data of the individual that
is processed by the covered entity; or
(B) take action to disable or mask the
identification of the individual connected to any
information in the covered data of the individual that
is processed by the covered entity;
(2) inform any service provider or third party to which the
covered entity transferred such data of the request of the
individual under paragraph (1); and
(3) direct the service provider or third party to honor the
request.
(b) Service Providers and Third Parties.--In the case of a service
provider or third party that is informed under paragraph (2) of
subsection (a) and directed to honor under paragraph (3) of such
subsection the request of an individual under paragraph (1) of such
subsection, the service provider or third party shall, in accordance
with the request, delete the information or take action to disable or
mask the identification of the individual.
SEC. 106. RIGHT TO CORRECT INACCURACIES.
(a) In General.--A covered entity, upon the verified request of an
individual, shall--
(1) correct, or allow the individual to correct, inaccurate
or incomplete information in the covered data of the individual
that is processed by the covered entity;
(2) inform any service provider or third party to which the
covered entity transferred such data of the request of the
individual under paragraph (1) and of the corrected
information; and
(3) direct the service provider or third party to honor the
request.
(b) Service Providers and Third Parties.--In the case of a service
provider or third party that is informed under paragraph (2) of
subsection (a) and directed to honor under paragraph (3) of such
subsection the request of an individual under paragraph (1) of such
subsection, the service provider or third party shall, in accordance
with the request, correct the information.
SEC. 107. RIGHT TO CONTROLS.
(a) Sense of Congress.--It is the sense of Congress that--
(1) the term ``privacy policy'' is deceptive;
(2) such policies are in fact data collection policies; and
(3) covered data is the private property of the individual
about whom the data has been collected and should be treated as
such.
(b) Requirement for Affirmative Express Consent for Collection,
Processing, or Transfer of Covered Data.--
(1) In general.--A covered entity may not collect, process,
or transfer to a third party the covered data of an individual
without obtaining the affirmative express consent of the
individual to the collection, processing, or transfer through a
process established under the rule issued by the Commission
under paragraph (3).
(2) Right to withdraw affirmative express consent.--A
covered entity shall permit an individual to withdraw the
affirmative express consent of the individual to the
collection, processing, or transfer to a third party of the
covered data of the individual through a process established
under the rule issued by the Commission under paragraph (3).
(3) Rulemaking.--
(A) In general.--Not later than 1 year after the
date of the enactment of this Act, the Commission shall
issue a rule under section 553 of title 5, United
States Code, establishing one or more acceptable
processes for a covered entity to follow in requesting
the affirmative express consent of an individual to the
collection, processing, or transfer of the covered data
of the individual and in permitting an individual to
withdraw such consent.
(B) Requirements.--The processes established by the
Commission under subparagraph (A) shall--
(i) include clear and conspicuous requests
for affirmative express consent and consumer-
friendly mechanisms to allow an individual to
provide and withdraw affirmative express
consent;
(ii) allow an individual to provide and
withdraw affirmative express consent--
(I) for the collection, processing,
or transfer of some or all (at the
option of the individual) of the
covered data of the individual; and
(II) for the transfer of the
covered data of the individual to some
or all (at the option of the
individual) third parties;
(iii) allow an individual to view the
status of affirmative express consent provided
or withdrawn;
(iv) be privacy protective; and
(v) be informed by the Commission's
experience developing and implementing the
National Do Not Call Registry.
SEC. 108. RIGHT TO DATA MINIMIZATION.
(a) In General.--A covered entity may not collect, process, or
transfer the covered data of an individual beyond what is reasonably
necessary, proportionate, and limited to the purposes for which the
individual provides affirmative express consent to the collection,
processing, or transfer.
(b) Rule of Construction.--Nothing in subsection (a) may be
construed to authorize any collection, processing, or transfer of
covered data that is prohibited by any other provision of this title.
SEC. 109. RIGHT TO DATA SECURITY.
(a) In General.--A covered entity shall establish, implement, and
maintain reasonable data security practices to protect the
confidentiality, integrity, and accessibility of covered data. Such
data security practices shall be appropriate to the volume and nature
of the covered data at issue.
(b) Specific Requirements.--Data security practices required under
subsection (a) shall include, at a minimum, the following:
(1) Assess vulnerabilities.--Identifying and assessing any
reasonably foreseeable risks to, and vulnerabilities in, each
system maintained by the covered entity that collects,
processes, or transfers covered data, including unauthorized
access to or risks to covered data, human vulnerabilities,
access rights, and use of service providers. Such activities
shall include a plan to receive and respond to unsolicited
reports of vulnerabilities by entities and individuals.
(2) Preventive and corrective action.--Taking preventive
and corrective action to mitigate any risks or vulnerabilities
to covered data identified by the covered entity, which may
include implementing administrative, technical, or physical
safeguards or changes to data security practices or the
architecture, installation, or implementation of network or
operating software.
(3) Information retention and disposal.--Deleting covered
data that is required to be deleted or is no longer necessary
for the purpose for which the data was collected unless the
individual to whom the data relates provides affirmative
express consent to the retention of the data. Such process
shall include data hygiene practices to ensure ongoing
compliance with this paragraph.
(4) Comprehensive data security program.--Implementation of
a comprehensive data security program, including--
(A) designation of an employee responsible for data
security;
(B) training for all employees with access to
covered data on how to safeguard covered data and
protect individual privacy, and updating that training
as necessary; and
(C) due diligence with regard to the data security
practices of service providers to which the covered
entity transfers covered data.
SEC. 110. PROHIBITION OF SERVICE OFFERS CONDITIONED ON WAIVERS OF
PRIVACY RIGHTS.
A covered entity may not--
(1) condition, or effectively condition, provision of the
service on agreement by an individual to waive privacy rights
guaranteed by law or regulation, including this title; or
(2) terminate the service or otherwise refuse to provide
the service as a direct or indirect consequence of the refusal
of a user to waive any privacy rights described in this title.
SEC. 111. SCOPE OF COVERAGE.
(a) General Exceptions.--Notwithstanding any other provision of
this title, a covered entity may collect, process, or transfer covered
data for any of the following purposes, if the collection, processing,
or transfer is reasonably necessary, proportionate, and limited to such
purpose:
(1) To initiate or complete a transaction or to fulfill an
order or provide a service specifically requested by an
individual, including associated routine administrative
activities such as billing, shipping, financial reporting, and
accounting.
(2) To perform internal system maintenance, diagnostics,
product or service management, inventory management, or network
management.
(3) To prevent, detect, or respond to a security incident
or trespassing, provide a secure environment, or maintain the
safety and security of a product, service, or individual.
(4) To protect against malicious, deceptive, fraudulent, or
illegal activity.
(5) To comply with a legal obligation or the establishment,
exercise, analysis, or defense of legal claims or rights, or as
required or specifically authorized by law.
(6) To comply with a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by an Executive
agency.
(7) To cooperate with an Executive agency or a law
enforcement official acting under the authority of an Executive
or State agency concerning conduct or activity that the
Executive agency or law enforcement official reasonably and in
good faith believes may violate Federal, State, or local law,
or pose a threat to public safety or national security.
(8) To address risks to the safety of an individual or
group of individuals, or to ensure customer safety, including
by authenticating individuals in order to provide access to
large venues open to the public.
(9) To effectuate a product recall pursuant to Federal or
State law.
(10) To conduct public or peer-reviewed scientific,
historical, or statistical research that--
(A) is in the public interest;
(B) adheres to all applicable ethics and privacy
laws; and
(C) is approved, monitored, and governed by an
institutional review board or other oversight entity
that meets standards promulgated by the Commission
pursuant to section 553 of title 5, United States Code.
(11) To transfer covered data to a service provider.
(12) For a purpose identified by the Commission pursuant to
a regulation promulgated under subsection (b).
(b) Additional Purposes.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, identifying
additional purposes for which a covered entity may collect, process, or
transfer covered data and protect individual rights to data privacy in
accordance with this title.
SEC. 112. SMALL BUSINESS EXCEPTION.
Sections 103, 104, 105, and 106 do not apply in the case of a
person who can establish that, for the 3 preceding calendar years (or
for the period during which the person has been in existence if such
period is less than 3 years)--
(1) the average annual gross revenues of the person did not
exceed $50,000,000;
(2) on average, the person annually processed the covered
data of less than 1,000,000 individuals;
(3) the person never employed more than 500 individuals at
any one time; and
(4) the person derived less than 50 percent of the revenues
of the person from transferring covered data.
SEC. 113. APPLICATION AND ENFORCEMENT.
(a) General Application.--The requirements of this title apply,
according to their terms, to--
(1) those persons, partnerships, and corporations over
which the Commission has authority pursuant to section 5(a)(2)
of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
(2) notwithstanding sections 4 and 5(a)(2) of such Act (15
U.S.C. 44; 45(a)(2))--
(A) common carriers described in such section
5(a)(2); and
(B) organizations not organized to carry on
business for their own profit or that of their members.
(b) Enforcement by the Commission.--
(1) In general.--Except as otherwise provided, this title
and the regulations prescribed under this title shall be
enforced by the Commission under the Federal Trade Commission
Act (15 U.S.C. 41 et seq.).
(2) Unfair or deceptive acts or practices.--A violation of
this title or a regulation prescribed under this title shall be
treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(3) Actions by the commission.--
(A) In general.--Except as provided in subparagraph
(B) and subsection (a), the Commission shall prevent
any person from violating this title or a regulation
prescribed under this title in the same manner, by the
same means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of
the Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this title,
and any person who violates this title or a regulation
prescribed under this title shall be subject to the
penalties and entitled to the privileges and immunities
provided in the Federal Trade Commission Act.
(B) Penalties.--
(i) In general.--Notwithstanding section
5(m) of the Federal Trade Commission Act (15
U.S.C. 45(m)), a civil penalty recovered for a
violation of this title or a regulation
prescribed under this title may be in excess of
the amounts provided for in that section, if
such penalty meets the requirements of this
subparagraph.
(ii) Penalty for negligent violation.--In
the case of a person who negligently violates
this title or a regulation prescribed under
this title, such person shall be liable for a
civil penalty that does not exceed $50 for
every individual affected by such violation for
every day during which the person is in
violation of this title or such regulation as
described in this clause.
(iii) Penalty for willful or reckless
violation.--In the case of a person who
willfully or recklessly violates this title or
a regulation prescribed under this title, such
person shall be liable for a civil penalty
that--
(I) is not less than $100,000; and
(II) does not exceed $1,000 for
every individual affected by such
violation for every day during which
the person is in violation of this
title or such regulation as described
in this clause.
(c) Enforcement by State Attorneys General.--
(1) In general.--
(A) Civil actions.--In any case in which the
attorney general of a State has reason to believe that
an interest of the residents of that State has been or
is threatened or adversely affected by the engagement
of any person in an act or practice that violates this
title or a regulation prescribed under this title, the
State, as parens patriae, may bring a civil action on
behalf of the residents of the State in a district
court of the United States or a State court of
appropriate jurisdiction to--
(i) enjoin that act or practice;
(ii) enforce compliance with this title or
such regulation;
(iii) obtain damages, statutory damages in
the same amount as the penalties that the
Commission may obtain under section 5(m) of the
Federal Trade Commission Act (15 U.S.C. 45(m))
and subsection (b)(3)(B) of this section,
restitution, or other compensation on behalf of
residents of the State; or
(iv) obtain such other relief as the court
may consider to be appropriate.
(B) Notice.--
(i) In general.--Before filing an action
under subparagraph (A), the attorney general of
the State involved shall provide to the
Commission--
(I) written notice of that action;
and
(II) a copy of the complaint for
that action.
(ii) Exemption.--
(I) In general.--Clause (i) does
not apply with respect to the filing of
an action by an attorney general of a
State under this paragraph if the
attorney general of the State
determines that it is not feasible to
provide the notice described in that
clause before the filing of the action.
(II) Notification.--In an action
described in subclause (I), the
attorney general of a State shall
provide notice and a copy of the
complaint to the Commission at the same
time as the attorney general files the
action.
(2) Intervention.--
(A) In general.--On receiving notice under
paragraph (1)(B), the Commission shall have the right
to intervene in the action that is the subject of the
notice.
(B) Effect of intervention.--If the Commission
intervenes in an action under paragraph (1), it shall
have the right--
(i) to be heard with respect to any matter
that arises in that action; and
(ii) to file a petition for appeal.
(3) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this title shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(4) Actions by the commission.--In any case in which an
action is instituted by or on behalf of the Commission for
violation of this title or a regulation prescribed under this
title, no State may, during the pendency of that action,
institute an action under paragraph (1) against any defendant
named in the complaint in the action instituted by or on behalf
of the Commission for that violation.
(5) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in--
(i) a district court of the United States
that meets applicable requirements relating to
venue under section 1391 of title 28, United
States Code; or
(ii) a State court of competent
jurisdiction.
(B) Service of process.--In an action brought under
paragraph (1) in a district court of the United States,
process may be served wherever the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 114. STATE PRIVACY PROTECTIONS.
Nothing in this title shall preempt any State law, regulation, or
other requirement having the force or effect of law that is more
protective of the privacy of individuals than the requirements of this
title.
SEC. 115. SEVERABILITY.
If any provision of this title or the application of a provision of
this title to any person or circumstance is held to be invalid or
unconstitutional, the remainder of this title, or the application of
such provision to any other person or circumstance, shall not be
affected.
SEC. 116. DEFINITIONS.
In this title:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's
authorization for an act or practice, in response to a
specific request that meets the requirements of
subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the
individual in a standalone disclosure.
(ii) The request includes a description of
each act or practice for which the individual's
consent is sought and--
(I) clearly distinguishes between
an act or practice which is necessary
to fulfill a request of the individual
and an act or practice which is for
another purpose; and
(II) is written in easy-to-
understand language and includes a
prominent heading that would enable a
reasonable individual to identify and
understand the act or practice.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(C) Express consent required.--A covered entity may
not infer that an individual has provided affirmative
express consent to an act or practice from the inaction
of the individual or the individual's continued use of
a service or product provided by the covered entity.
(D) Prior consent required.--In the case of any
requirement of this title for a covered entity to
obtain affirmative express consent for an act or
practice, the covered entity shall obtain such consent
before engaging in the act or practice.
(2) Collect; collection.--The terms ``collect'' and
``collection'' mean, with respect to the covered data of an
individual, buying, renting, gathering, obtaining, receiving,
accessing, or otherwise acquiring such data by any means,
including by passively or actively observing the individual's
behavior.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Connected device.--The term ``connected device'' means
a physical object that--
(A) is capable of connecting to the internet,
either directly or indirectly through a network, to
communicate information at the direction of an
individual; and
(B) has computer processing capabilities for
collecting, sending, receiving, or analyzing data.
(5) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control in any manner over the election of a
majority of the directors of the entity (or of
individuals exercising similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(6) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable to an individual or a connected device that is
linked or reasonably linkable to an individual.
(B) Linked or reasonably linkable.--For purposes of
subparagraph (A), information held by a covered entity
is linked or reasonably linkable to an individual or a
connected device if, as a practical matter, it can be
used on its own or in combination with other
information held by, or readily accessible to, the
covered entity to identify such individual or such
device.
(C) Exclusions.--Such term does not include--
(i) aggregated data;
(ii) de-identified data;
(iii) data of an individual processed by
the covered entity in the capacity of the
covered entity as the employer of the
individual; or
(iv) publicly available information.
(7) Covered entity.--The term ``covered entity'' means any
person who--
(A) collects, processes, or transfers covered data;
and
(B) determines the purposes and means of such
collection, processing, or transfer.
(8) Covered internet platform.--
(A) In general.--The term ``covered internet
platform'' means any public-facing website, internet
application, or mobile application, including a social
network site, video sharing service, search engine, or
content aggregation service.
(B) Exclusion.--Such term does not include a
platform that is operated for the sole purpose of
conducting research that is not conducted for profit,
either directly or indirectly.
(9) Delete.--The term ``delete'' means to remove or destroy
information such that it is not maintained in human or machine-
readable form and cannot be retrieved or utilized in such form
in the normal course of business.
(10) Executive agency.--The term ``Executive agency'' has
the meaning given such term in section 105 of title 5, United
States Code.
(11) Individual.--The term ``individual'' means a natural
person residing in the United States, however identified,
including by any unique identifier.
(12) Material.--The term ``material'' means, with respect
to an act, practice, or representation of a covered entity
(including a representation made by the covered entity in a
privacy policy or similar disclosure to individuals), that such
act, practice, or representation is likely to affect an
individual's decision or conduct regarding a product or
service.
(13) Process.--The term ``process'' means to perform any
operation or set of operations on covered data, including
collection, analysis, organization, structuring, retaining,
using, transferring, or otherwise handling covered data.
(14) Processing purpose.--The term ``processing purpose''
means an adequately specific and granular reason for which a
covered entity processes covered data that clearly describes
the processing activity.
(15) Program.--The term ``program'' means, with respect to
a covered internet platform, any program that appears on the
platform, including a program that delivers advertisements to
users of the platform and a program used to log into the
platform.
(16) Publicly available information.--The term ``publicly
available information'' means information that is available to
the general public, including--
(A) any information to which the source allows
access by anyone upon request; and
(B) any information that a covered entity has a
reasonable basis to believe is lawfully made available
to the general public from Federal, State, or local
government records, widely distributed media, or
disclosures to the general public that are required to
be made by Federal, State, or local law.
(17) Research.--The term ``research'' means the scientific
analysis of information, including covered data, by a covered
entity or those with whom the covered entity is cooperating or
others acting at the direction or on behalf of the covered
entity, that is conducted for the primary purpose of advancing
scientific knowledge and may be for the commercial benefit of
the covered entity.
(18) Second-party operator.--The term ``second-party
operator'' means the operator of a covered internet platform
with which a user intends to connect, but does not include the
operator of a program that appears on the platform (if the
operator of the program is different from the operator of the
platform).
(19) Service provider.--The term ``service provider''
means, with respect to a set of covered data, a covered entity
that collects, processes, or transfers such covered data for
the purpose of performing one or more services or functions on
behalf of, and at the direction of, another covered entity
that--
(A) is not related to the covered entity providing
the service or function by common ownership or
corporate control; and
(B) does not share common branding with the covered
entity providing the service or function.
(20) State.--The term ``State'' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.
(21) Third party.--The term ``third party'' means, with
respect to a set of covered data, a covered entity--
(A) that is not a service provider with respect to
such covered data; and
(B) that received such covered data from another
covered entity--
(i) that is not related to the covered
entity by common ownership or corporate
control; and
(ii) that does not share common branding
with the covered entity.
(22) Third-party operator.--The term ``third-party
operator'' means the operator of a program that appears on a
covered internet platform (if the operator of the program is
different from the operator of the platform).
(23) Transfer.--The term ``transfer'' means, with respect
to covered data, to disclose, release, share, disseminate, make
available, or license such data, in writing, electronically, or
by any other means, for consideration of any kind or for a
commercial purpose.
SEC. 117. EFFECTIVE DATE.
This title shall take effect on the date that is 6 months after the
date of the enactment of this Act.
TITLE II--DO NOT TRACK
SEC. 201. SHORT TITLE.
This title may be cited as the ``Do Not Track Act''.
SEC. 202. ESTABLISHMENT OF DO NOT TRACK SYSTEM.
(a) In General.--Not later than 6 months after the date of the
enactment of this Act, the Commission shall implement and enforce a Do
Not Track (DNT) system, including the program described in subsection
(b), to protect consumers from unwanted online data harvesting and
targeted advertising.
(b) Do Not Track Program.--As part of the Do Not Track system
required under this section, the Commission shall designate the DNT
signal and make available on the public website of the Commission a
simple program that--
(1) can be downloaded to any common connected device;
(2) sends the DNT signal to every covered internet platform
(except for a covered internet platform designated under
paragraph (3)) to which the device connects each time the
device connects to the platform; and
(3) permits the user of the device to designate covered
internet platforms to which the DNT signal should not be sent,
but does not exempt any covered internet platform from
receiving the signal if the platform is not so designated.
(c) Other Do Not Track Systems.--Nothing in this title may be
construed to prohibit the operator of any web browser or similar
interface or a connected device designer or manufacturer from offering
a program that sends the DNT signal to covered internet platforms, if
the program permits users to designate covered internet platforms to
which the DNT signal should not be sent.
(d) Rulemaking Authority.--The Commission may promulgate
regulations, in accordance with section 553 of title 5, United States
Code, to carry out this section.
SEC. 203. DO NOT TRACK: REQUIREMENTS FOR OPERATORS; PROHIBITED ACTS.
(a) Requirements.--
(1) Search for DNT signal.--When a connected device
connects to a covered internet platform--
(A) the second-party operator of the platform shall
ensure that the platform searches for the DNT signal;
and
(B) the third-party operator of any program that
appears on the platform shall ensure that the program
searches for the DNT signal.
(2) Mandatory notification.--
(A) In general.--Subject to subparagraph (B), if a
second-party operator of a covered internet platform
collects more data from a user of the platform than is
necessary to operate the platform, or if a third-party
operator of a program that appears on the platform
collects more data from a user of the platform than is
necessary to operate the platform, the second-party
operator or third-party operator, respectively, shall,
through a pop-up notification, provide any user whose
connected device is not sending the DNT signal with--
(i) notice of the policy of the platform or
program of collecting data beyond what is
necessary to operate the platform;
(ii) notice of the protections from data
collection and targeted advertising available
to users under this title;
(iii) notice that the user may, through the
public website of the Commission, download the
Do Not Track program described in section
202(b), including a link to such website; and
(iv) notice that the user may be able to
activate the DNT signal through the user's
device or browser.
(B) Number and timing.--A second-party operator or
third-party operator, respectively, shall provide the
notification required by subparagraph (A)--
(i) the first time a connected device
connects to the covered internet platform; and
(ii) unless the user of the connected
device opts out of receiving the notification
required by subparagraph (A), at least every
30th time the connected device connects to the
covered internet platform.
(C) Collection of data for targeted advertising.--
For purposes of this paragraph, the second-party
operator of a covered internet platform, or the third-
party operator of a program that appears on the
platform, that collects data for the purpose of
designing or displaying advertisements for targeted
advertising shall be considered to be collecting more
data than is necessary to operate the platform.
(b) Prohibition on Data Collection and Targeted Advertising.--
(1) Second-party operators.--Subject to paragraph (3), it
shall be unlawful for a second-party operator of a covered
internet platform that receives the DNT signal from the
connected device of a user to--
(A) collect any data (other than such data as is
necessary to operate the platform) from the user;
(B) use any data collected from the user for a
secondary purpose, including for the purpose of
targeted advertising; or
(C) transfer any data collected from the user to a
third party, unless the user provides affirmative
express consent to the transfer of data in a manner
that demonstrates the user's intent for the second-
party operator to be an intermediary between the user
and the third party.
(2) Third-party operators.--
(A) In general.--It shall be unlawful for a third-
party operator of a program that receives the DNT
signal from the connected device of a user of a covered
internet platform on which the program appears to
collect any data from the user, other than, subject to
subparagraph (B), data collected for the purpose of
analyzing how or whether the user engaged with the
program.
(B) Limitations on collection of data for
engagement analytics.--Data collected for the purpose
of analyzing how or whether the user engaged with the
program, as described in subparagraph (A)--
(i) may only be collected in a de-
identified manner; and
(ii) may not be used to create or
contribute to a profile of the user.
(3) Exception for complementary services.--Notwithstanding
paragraph (1), a second-party operator of a covered internet
platform may collect additional data from a user beyond what is
necessary for the operation of the platform if the additional
data is necessary for the operation of a different covered
internet platform that is--
(A) both owned and operated by the second-party
operator;
(B) designed to complement the covered internet
platform accessed by the user; and
(C) branded as a complementary covered internet
platform to the covered internet platform accessed by
the user.
(c) Interfering With DNT Signal.--It shall be unlawful for any
person to--
(1) block or impede the ability of a covered internet
platform, or a program that appears on a covered internet
platform, to receive the DNT signal; or
(2) block or impede the ability of a connected device to
send the DNT signal.
(d) Discrimination Based on DNT Preferences.--It shall be unlawful
for a second-party operator of a covered internet platform to--
(1) deny a user access to, or service from, the platform on
the basis of receiving the DNT signal from the user; or
(2) provide a user from whom the platform receives the DNT
signal with a different level of access or service than the
level of access or service provided to a user from whom the
platform does not receive the DNT signal.
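As an added illustration (not text from the bill and not code from any named project), the following Python encodes the operator-side rules of section 203 as a per-connection decision: it searches each connection for the DNT signal as subsection (a)(1) requires, applies the notice timing of subsection (a)(2) to devices that are not sending it, and marks the acts subsection (b) makes unlawful once the signal is received. It assumes the signal the Commission designates is the W3C `DNT: 1` request header referred to in section 208(9); the operator labels, state fields and act names are hypothetical.

```python
"""Sec. 203 decision logic for an operator of a covered internet platform.
Added illustration, not text or code from the bill. Assumption: the signal the
Commission designates under sec. 202(b) is the W3C Tracking Preference
Expression header, which arrives as "DNT: 1" on each HTTP request."""
from dataclasses import dataclass, field

# Sec. 203(a)(2)(B)(ii): repeat the notice at least every 30th connection.
NOTICE_INTERVAL = 30


def dnt_signal_present(headers: dict) -> bool:
    """Sec. 203(a)(1): search every connection for the DNT signal. HTTP header
    names are case-insensitive; only the value "1" means "do not track"."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


@dataclass
class DeviceState:
    """Per-device bookkeeping an operator needs to apply the timing rules."""
    connections: int = 0            # connections seen so far from this device
    notice_opt_out: bool = False    # opted out of repeat notices, 203(a)(2)(B)(ii)
    transfer_consent: bool = False  # affirmative express consent, 203(b)(1)(C)


@dataclass
class Decision:
    dnt_received: bool
    show_notice: bool = False                     # pop-up notice under 203(a)(2)
    prohibited: set = field(default_factory=set)  # acts unlawful under 203(b)
    reasons: list = field(default_factory=list)   # section cites for each outcome


def decide(headers: dict, state: DeviceState, operator: str,
           collects_beyond_necessary: bool, targeted_advertising: bool = False,
           for_complementary_platform: bool = False) -> Decision:
    """Apply section 203 to one connection. `operator` is "second-party" (the
    platform) or "third-party" (a program on it). `for_complementary_platform`
    means the extra data is needed by a commonly owned, co-branded platform."""
    if operator not in ("second-party", "third-party"):
        raise ValueError("operator must be 'second-party' or 'third-party'")
    state.connections += 1
    d = Decision(dnt_received=dnt_signal_present(headers))
    # 203(a)(2)(C): collecting for targeted advertising is, by definition,
    # collecting more data than is necessary to operate the platform.
    beyond = collects_beyond_necessary or targeted_advertising

    if not d.dnt_received:
        # 203(a)(2) applies only to devices NOT sending the signal, and only
        # when collection exceeds what is necessary: notice on the first
        # connection and every 30th thereafter unless the user opted out.
        if beyond and state.connections == 1:
            d.show_notice = True
            d.reasons.append("203(a)(2)(B)(i): first connection")
        elif (beyond and not state.notice_opt_out
              and state.connections % NOTICE_INTERVAL == 0):
            d.show_notice = True
            d.reasons.append("203(a)(2)(B)(ii): every 30th connection")
        return d

    if operator == "second-party":
        # 203(b)(1): with the signal received, collection beyond what is
        # necessary, secondary use (including targeted advertising) and
        # third-party transfer without consent are unlawful, except that
        # 203(b)(3) permits the extra collection for a complementary platform.
        if for_complementary_platform:
            d.reasons.append("203(b)(3): complementary-platform exception")
        else:
            d.prohibited.add("collect_beyond_necessary")
            d.reasons.append("203(b)(1)(A)")
        d.prohibited.update({"secondary_use", "targeted_advertising"})
        d.reasons.append("203(b)(1)(B)")
        if not state.transfer_consent:
            d.prohibited.add("transfer_to_third_party")
            d.reasons.append("203(b)(1)(C): no affirmative express consent")
    else:
        # 203(b)(2): a third-party program may collect only engagement
        # analytics, only de-identified, and never to build a user profile.
        d.prohibited.update({"collect_beyond_engagement_analytics",
                             "identified_engagement_analytics",
                             "profile_building"})
        d.reasons.append("203(b)(2)(A)-(B)")
    return d


def notice_schedule(total_connections: int, notice_opt_out: bool = False) -> list:
    """Connection numbers on which a second-party operator that collects beyond
    what is necessary must show the notice to a device not sending the signal."""
    state = DeviceState(notice_opt_out=notice_opt_out)
    shown = []
    for _ in range(total_connections):
        if decide({}, state, "second-party", collects_beyond_necessary=True).show_notice:
            shown.append(state.connections)
    return shown
```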
SEC. 204. SCOPE OF COVERAGE.
(a) General Exceptions.--Notwithstanding any other provision of
this title, a covered entity may collect, process, or transfer covered
data for any of the following purposes, if the collection, processing,
or transfer is reasonably necessary, proportionate, and limited to such
purpose:
(1) To initiate or complete a transaction or to fulfill an
order or provide a service specifically requested by an
individual, including associated routine administrative
activities such as billing, shipping, financial reporting, and
accounting.
(2) To perform internal system maintenance, diagnostics,
product or service management, inventory management, or network
management.
(3) To prevent, detect, or respond to a security incident
or trespassing, provide a secure environment, or maintain the
safety and security of a product, service, or individual.
(4) To protect against malicious, deceptive, fraudulent, or
illegal activity.
(5) To comply with a legal obligation or the establishment,
exercise, analysis, or defense of legal claims or rights, or as
required or specifically authorized by law.
(6) To comply with a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by an Executive
agency.
(7) To cooperate with an Executive agency or a law
enforcement official acting under the authority of an Executive
or State agency concerning conduct or activity that the
Executive agency or law enforcement official reasonably and in
good faith believes may violate Federal, State, or local law,
or pose a threat to public safety or national security.
(8) To address risks to the safety of an individual or
group of individuals, or to ensure customer safety, including
by authenticating individuals in order to provide access to
large venues open to the public.
(9) To effectuate a product recall pursuant to Federal or
State law.
(10) To conduct public or peer-reviewed scientific,
historical, or statistical research that--
(A) is in the public interest;
(B) adheres to all applicable ethics and privacy
laws; and
(C) is approved, monitored, and governed by an
institutional review board or other oversight entity
that meets standards promulgated by the Commission
pursuant to section 553 of title 5, United States Code.
(11) To transfer covered data to a service provider.
(12) For a purpose identified by the Commission pursuant to
a regulation promulgated under subsection (b).
(b) Additional Purposes.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, identifying
additional purposes for which a covered entity may collect, process, or
transfer covered data and protect individual rights to data privacy in
accordance with this title.
SEC. 205. APPLICATION AND ENFORCEMENT.
(a) General Application.--The requirements of this title apply,
according to their terms, to--
(1) those persons, partnerships, and corporations over
which the Commission has authority pursuant to section 5(a)(2)
of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
(2) notwithstanding sections 4 and 5(a)(2) of such Act (15
U.S.C. 44; 45(a)(2))--
(A) common carriers described in such section
5(a)(2); and
(B) organizations not organized to carry on
business for their own profit or that of their members.
(b) Enforcement by the Commission.--
(1) In general.--Except as otherwise provided, this title
and the regulations prescribed under this title shall be
enforced by the Commission under the Federal Trade Commission
Act (15 U.S.C. 41 et seq.).
(2) Unfair or deceptive acts or practices.--A violation of
this title or a regulation prescribed under this title shall be
treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(3) Actions by the Commission.--
(A) In general.--Except as provided in subparagraph
(B) and subsection (a), the Commission shall prevent
any person from violating this title or a regulation
prescribed under this title in the same manner, by the
same means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of
the Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this title,
and any person who violates this title or a regulation
prescribed under this title shall be subject to the
penalties and entitled to the privileges and immunities
provided in the Federal Trade Commission Act.
(B) Penalties.--
(i) In general.--Notwithstanding section
5(m) of the Federal Trade Commission Act (15
U.S.C. 45(m)), a civil penalty recovered for a
violation of this title or a regulation
prescribed under this title may be in excess of
the amounts provided for in that section, if
such penalty meets the requirements of this
subparagraph.
(ii) Penalty for negligent violation.--In
the case of a person who negligently violates
this title or a regulation prescribed under
this title, such person shall be liable for a
civil penalty that does not exceed $50 for
every individual affected by such violation for
every day during which the person is in
violation of this title or such regulation as
described in this clause.
(iii) Penalty for willful or reckless
violation.--In the case of a person who
willfully or recklessly violates this title or
a regulation prescribed under this title, such
person shall be liable for a civil penalty
that--
(I) is not less than $100,000; and
(II) does not exceed $1,000 for
every individual affected by such
violation for every day during which
the person is in violation of this
title or such regulation as described
in this clause.
(c) Enforcement by State Attorneys General.--
(1) In general.--
(A) Civil actions.--In any case in which the
attorney general of a State has reason to believe that
an interest of the residents of that State has been or
is threatened or adversely affected by the engagement
of any person in an act or practice that violates this
title or a regulation prescribed under this title, the
State, as parens patriae, may bring a civil action on
behalf of the residents of the State in a district
court of the United States or a State court of
appropriate jurisdiction to--
(i) enjoin that act or practice;
(ii) enforce compliance with this title or
such regulation;
(iii) obtain damages, statutory damages in
the same amount as the penalties that the
Commission may obtain under section 5(m) of the
Federal Trade Commission Act (15 U.S.C. 45(m))
and subsection (b)(3)(B) of this section,
restitution, or other compensation on behalf of
residents of the State; or
(iv) obtain such other relief as the court
may consider to be appropriate.
(B) Notice.--
(i) In general.--Before filing an action
under subparagraph (A), the attorney general of
the State involved shall provide to the
Commission--
(I) written notice of that action;
and
(II) a copy of the complaint for
that action.
(ii) Exemption.--
(I) In general.--Clause (i) does
not apply with respect to the filing of
an action by an attorney general of a
State under this paragraph if the
attorney general of the State
determines that it is not feasible to
provide the notice described in that
clause before the filing of the action.
(II) Notification.--In an action
described in subclause (I), the
attorney general of a State shall
provide notice and a copy of the
complaint to the Commission at the same
time as the attorney general files the
action.
(2) Intervention.--
(A) In general.--On receiving notice under
paragraph (1)(B), the Commission shall have the right
to intervene in the action that is the subject of the
notice.
(B) Effect of intervention.--If the Commission
intervenes in an action under paragraph (1), it shall
have the right--
(i) to be heard with respect to any matter
that arises in that action; and
(ii) to file a petition for appeal.
(3) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this title shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(4) Actions by the Commission.--In any case in which an
action is instituted by or on behalf of the Commission for
violation of this title or a regulation prescribed under this
title, no State may, during the pendency of that action,
institute an action under paragraph (1) against any defendant
named in the complaint in the action instituted by or on behalf
of the Commission for that violation.
(5) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in--
(i) a district court of the United States
that meets applicable requirements relating to
venue under section 1391 of title 28, United
States Code; or
(ii) a State court of competent
jurisdiction.
(B) Service of process.--In an action brought under
paragraph (1) in a district court of the United States,
process may be served wherever the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 206. STATE PRIVACY PROTECTIONS.
Nothing in this title shall preempt any State law, regulation, or
other requirement having the force or effect of law that is more
protective of the privacy of individuals than the requirements of this
title.
SEC. 207. SEVERABILITY.
If any provision of this title or the application of a provision of
this title to any person or circumstance is held to be invalid or
unconstitutional, the remainder of this title, or the application of
such provision to any other person or circumstance, shall not be
affected.
SEC. 208. DEFINITIONS.
In this title:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's
authorization for an act or practice, in response to a
specific request that meets the requirements of
subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the
individual in a standalone disclosure.
(ii) The request includes a description of
each act or practice for which the individual's
consent is sought and--
(I) clearly distinguishes between
an act or practice which is necessary
to fulfill a request of the individual
and an act or practice which is for
another purpose; and
(II) is written in easy-to-
understand language and includes a
prominent heading that would enable a
reasonable individual to identify and
understand the act or practice.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(C) Express consent required.--A covered entity may
not infer that an individual has provided affirmative
express consent to an act or practice from the inaction
of the individual or the individual's continued use of
a service or product provided by the covered entity.
(D) Prior consent required.--In the case of any
requirement of this title for a covered entity to
obtain affirmative express consent for an act or
practice, the covered entity shall obtain such consent
before engaging in the act or practice.
(2) Collect; collection.--The terms ``collect'' and
``collection'' mean, with respect to the covered data of an
individual, buying, renting, gathering, obtaining, receiving,
accessing, or otherwise acquiring such data by any means,
including by passively or actively observing the individual's
behavior.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Connected device.--The term ``connected device'' means
a physical object that--
(A) is capable of connecting to the internet,
either directly or indirectly through a network, to
communicate information at the direction of an
individual; and
(B) has computer processing capabilities for
collecting, sending, receiving, or analyzing data.
(5) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control in any manner over the election of a
majority of the directors of the entity (or of
individuals exercising similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(6) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable to an individual or a connected device that is
linked or reasonably linkable to an individual.
(B) Linked or reasonably linkable.--For purposes of
subparagraph (A), information held by a covered entity
is linked or reasonably linkable to an individual or a
connected device if, as a practical matter, it can be
used on its own or in combination with other
information held by, or readily accessible to, the
covered entity to identify such individual or such
device.
(C) Exclusions.--Such term does not include--
(i) aggregated data;
(ii) de-identified data;
(iii) data of an individual processed by
the covered entity in the capacity of the
covered entity as the employer of the
individual; or
(iv) publicly available information.
(7) Covered entity.--The term ``covered entity'' means any
person who--
(A) collects, processes, or transfers covered data;
and
(B) determines the purposes and means of such
collection, processing, or transfer.
(8) Covered internet platform.--
(A) In general.--The term ``covered internet
platform'' means any public-facing website, internet
application, or mobile application, including a social
network site, video sharing service, search engine, or
content aggregation service.
(B) Exclusion.--Such term does not include a
platform that is operated for the sole purpose of
conducting research that is not conducted for profit,
either directly or indirectly.
(9) DNT signal.--The term ``DNT signal'' means a signal
sent by a connected device, such as the hypertext transfer
protocol developed by the World Wide Web Consortium Working
Group on Tracking Preference Expression, that is designated by
the Commission for purposes of the Do Not Track program
required under section 202(b).
(10) Executive agency.--The term ``Executive agency'' has
the meaning given such term in section 105 of title 5, United
States Code.
(11) Individual.--The term ``individual'' means a natural
person residing in the United States, however identified,
including by any unique identifier.
(12) Process.--The term ``process'' means to perform any
operation or set of operations on covered data, including
collection, analysis, organization, structuring, retaining,
using, transferring, or otherwise handling covered data.
(13) Program.--The term ``program'' means, with respect to
a covered internet platform, any program that appears on the
platform, including a program that delivers advertisements to
users of the platform and a program used to log into the
platform.
(14) Publicly available information.--The term ``publicly
available information'' means information that is available to
the general public, including--
(A) any information to which the source allows
access by anyone upon request; and
(B) any information that a covered entity has a
reasonable basis to believe is lawfully made available
to the general public from Federal, State, or local
government records, widely distributed media, or
disclosures to the general public that are required to
be made by Federal, State, or local law.
(15) Research.--The term ``research'' means the scientific
analysis of information, including covered data, by a covered
entity or those with whom the covered entity is cooperating or
others acting at the direction or on behalf of the covered
entity, that is conducted for the primary purpose of advancing
scientific knowledge and may be for the commercial benefit of
the covered entity.
(16) Second-party operator.--The term ``second-party
operator'' means the operator of a covered internet platform
with which a user intends to connect, but does not include the
operator of a program that appears on the platform (if the
operator of the program is different from the operator of the
platform).
(17) Service provider.--The term ``service provider''
means, with respect to a set of covered data, a covered entity
that collects, processes, or transfers such covered data for
the purpose of performing one or more services or functions on
behalf of, and at the direction of, another covered entity
that--
(A) is not related to the covered entity providing
the service or function by common ownership or
corporate control; and
(B) does not share common branding with the covered
entity providing the service or function.
(18) State.--The term ``State'' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.
(19) Targeted advertising.--
(A) In general.--The term ``targeted advertising''
means a form of advertising in which advertisements are
displayed to a user based on the user's traits,
information from a profile about the user that is
created for the purpose of selling advertisements, or
the user's previous online or offline behavior.
(B) Limitation.--Such term does not include
contextual advertising, including--
(i) advertising that is directed to a user
based on the content of the covered internet
platform that the user is connected to; or
(ii) advertising that is directed to a user
by the second-party operator of a covered
internet platform, or by the third-party
operator of a program that appears on the
platform, based on the search terms that the
user used to arrive at the platform.
(20) Third party.--The term ``third party'' means, with
respect to a set of covered data, a covered entity--
(A) that is not a service provider with respect to
such covered data; and
(B) that received such covered data from another
covered entity--
(i) that is not related to the covered
entity by common ownership or corporate
control; and
(ii) that does not share common branding
with the covered entity.
(21) Third-party operator.--The term ``third-party
operator'' means the operator of a program that appears on a
covered internet platform (if the operator of the program is
different from the operator of the platform).
(22) Transfer.--The term ``transfer'' means, with respect
to covered data, to disclose, release, share, disseminate, make
available, or license such data, in writing, electronically, or
by any other means, for consideration of any kind or for a
commercial purpose.
SEC. 209. EFFECTIVE DATE.
This title shall take effect on the date that is 6 months after the
date of the enactment of this Act.