[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8152 Introduced in House (IH)]
117th CONGRESS
2d Session
H. R. 8152
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 21, 2022
Mr. Pallone (for himself, Mrs. Rodgers of Washington, Ms. Schakowsky,
and Mr. Bilirakis) introduced the following bill; which was referred to
the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To provide consumers with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``American Data
Privacy and Protection Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
TITLE I--DUTY OF LOYALTY
Sec. 101. Data minimization.
Sec. 102. Loyalty duties.
Sec. 103. Privacy by design.
Sec. 104. Loyalty to individuals with respect to pricing.
TITLE II--CONSUMER DATA RIGHTS
Sec. 201. Consumer awareness.
Sec. 202. Transparency.
Sec. 203. Individual data ownership and control.
Sec. 204. Right to consent and object.
Sec. 205. Data protections for children and minors.
Sec. 206. Third-party collecting entities.
Sec. 207. Civil rights and algorithms.
Sec. 208. Data security and protection of covered data.
Sec. 209. Small business protections.
Sec. 210. Unified opt-out mechanisms.
TITLE III--CORPORATE ACCOUNTABILITY
Sec. 301. Executive responsibility.
Sec. 302. Service providers and third parties.
Sec. 303. Technical compliance programs.
Sec. 304. Commission approved compliance guidelines.
Sec. 305. Digital content forgeries.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
Sec. 401. Enforcement by the Federal Trade Commission.
Sec. 402. Enforcement by State attorneys general.
Sec. 403. Enforcement by individuals.
Sec. 404. Relationship to Federal and State laws.
Sec. 405. Severability.
Sec. 406. COPPA.
Sec. 407. Authorization of appropriations.
Sec. 408. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that clearly communicates the individual's freely
given, specific, informed, and unambiguous
authorization for an act or practice, in response to a
specific request from a covered entity that meets the
requirements of subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request from a covered
entity to an individual are the following:
(i) The request is provided to the
individual in a clear and conspicuous
standalone disclosure made through the primary
medium used to offer the covered entity's
product or service.
(ii) The request includes a description of
the act or practice for which the individual's
consent is sought and--
(I) clearly states the specific
categories of covered data that the
covered entity shall collect, process,
and transfer for each act or practice;
(II) clearly distinguishes between
any act or practice which is necessary
to fulfill a request of the individual
and any act or practice which is for
another purpose; and
(III) includes a prominent heading
and is written in easy-to-understand
language that would enable a reasonable
individual to identify and understand
the processing purpose for which
consent is sought and the covered data
to be collected, processed, or
transferred by the covered entity for
such processing purpose.
(iii) The request clearly explains the
individual's applicable rights related to
consent.
(iv) The request shall be made in a manner
readily accessible to and usable by individuals
with disabilities.
(v) The request shall be made available to
the public in each language in which the
covered entity provides a product or service
for which authorization is sought or in which
the covered entity carries out any activity
related to any product or service for which the
covered data of the individual may be
collected, processed, or transferred.
(C) Express consent required.--A covered entity
shall not infer that an individual has provided
affirmative express consent to an act or practice from
the inaction of the individual or the individual's
continued use of a service or product provided by the
covered entity.
(D) Pretextual consent prohibited.--A covered
entity shall not obtain or attempt to obtain the
affirmative express consent of an individual through--
(i) the use of any false, fictitious,
fraudulent, or materially misleading statement
or representation; or
(ii) the design, modification, or
manipulation of any user interface with the
purpose or substantial effect of obscuring,
subverting, or impairing a reasonable
individual's autonomy, decision making, or
choice to provide such consent or any covered
data.
(2) Algorithm.--The term ``algorithm'' means a
computational process that uses machine learning, natural
language processing, artificial intelligence techniques, or
other computational processing techniques of similar or greater
complexity that makes a decision or facilitates human decision
making with respect to covered data, including to determine the
provision of products or services or to rank, order, promote,
recommend, amplify, or similarly determine the delivery or
display of information to an individual.
(3) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data generated from the technological
processing of an individual's unique biological,
physical, or physiological characteristics that is
linked or reasonably linkable to an individual
including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina scans;
(iv) facial mapping or hand mapping,
geometry, or templates; or
(v) gait or personally identifying physical
movements.
(B) Exclusion.--The term ``biometric information''
does not include--
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data generated from a digital or
physical photograph, or an audio or video
recording that cannot be used to identify an
individual.
(4) Collect; collection.--The terms ``collect'' and
``collection'' mean buying, renting, gathering, obtaining,
receiving, accessing, or otherwise acquiring covered data by
any means.
(5) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(6) Common branding.--The term ``common branding'' means a
name, service mark, or trademark that is shared by 2 or more
entities.
(7) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control over the election of a majority of the
directors of the entity (or of individuals exercising
similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(8) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable, alone or in combination with other
information, to an individual or a device that
identifies or is linked or reasonably linkable to an
individual, and may include derived data and unique
identifiers.
(B) Exclusions.--The term ``covered data'' does not
include--
(i) de-identified data;
(ii) employee data;
(iii) publicly available information; or
(iv) inferences made exclusively from
multiple independent sources of publicly
available information that do not reveal
sensitive covered data with respect to an
individual.
(C) Employee data defined.--For purposes of
subparagraph (B), the term ``employee data'' means--
(i) information relating to a job applicant
collected by a covered entity acting as a
prospective employer of such job applicant in
the course of the application, or hiring
process, provided that such information is
collected, processed, or transferred by the
prospective employer solely for purposes
related to the employee's status as a current
or former job applicant of such employer;
(ii) the business contact information of an
employee, including the employee's name,
position or title, business telephone number,
business address, or business email address
that is provided to an employer by an employee
who is acting in a professional capacity,
provided that such information is collected,
processed, or transferred solely for purposes
related to such employee's professional
activities;
(iii) emergency contact information
collected by an employer that relates to an
employee of that employer, provided that such
information is collected, processed, or
transferred solely for the purpose of having an
emergency contact on file for the employee; or
(iv) information relating to an employee
(or a spouse, dependent, other covered family
member, or beneficiary of such employee) that
is necessary for the employer to collect,
process, or transfer solely for the purpose of
administering benefits to which such employee
(or spouse, dependent, other covered family
member, or beneficiary of such employee) is
entitled on the basis of the employee's
position with that employer.
(9) Covered entity.--
(A) The term ``covered entity''--
(i) means any entity or any person, other
than an individual acting in a non-commercial
context, that alone or jointly with others
determines the purposes and means of
collecting, processing, or transferring covered
data and--
(I) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.);
(II) is a common carrier subject to
the Communications Act of 1934 (47
U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary
thereto title II of the Communications
Act of 1934 (47 U.S.C. 201-231) as
currently enacted or subsequently
amended; or
(III) is an organization not
organized to carry on business for
their own profit or that of their
members; and
(ii) includes any entity or person that
controls, is controlled by, or is under common
control with another covered entity.
(B) Exclusions.--The term ``covered entity'' does
not include--
(i) a governmental entity such as a body,
authority, board, bureau, commission, district,
agency, or political subdivision of the
Federal, State, or local government; or
(ii) a person or an entity that is
collecting, processing, or transferring covered
data on behalf of a Federal, State, Tribal,
territorial, or local government entity.
(10) De-identified data.--The term ``de-identified data''
means information that does not identify and is not linked or
reasonably linkable to an individual or an individual's device,
regardless of whether the information is aggregated, provided
that the covered entity--
(A) takes reasonable technical, administrative, and
physical measures to ensure that the information
cannot, at any point, be used to re-identify any
individual or device;
(B) publicly commits in a clear and conspicuous
manner--
(i) to process and transfer the information
solely in a de-identified form without any
reasonable means for re-identification; and
(ii) to not attempt to re-identify the
information with any individual or device; and
(C) contractually obligates any person or entity
that receives the information from the covered entity
to comply with all of the provisions of this paragraph.
(11) Derived data.--The term ``derived data'' means covered
data that is created by the derivation of information, data,
assumptions, correlations, inferences, predictions, or
conclusions from facts, evidence, or another source of
information or data about an individual or an individual's
device.
(12) Device.--The term ``device'' means any electronic
equipment capable of transmitting or receiving covered data
that is designed for use by one or more individuals.
(13) Employee.--The term ``employee'' means (regardless of
whether such employee is paid, unpaid, or employed on a
temporary basis) an employee, director, officer, staff member,
an individual working as a contractor, trainee, volunteer, or
intern of an employer.
(14) Executive agency.--The term ``Executive agency'' has the
meaning set forth in section 105 of title 5, United States
Code.
(15) Genetic information.--The term ``genetic information''
means any covered data, regardless of its format, that concerns
an individual's genetic characteristics, including--
(A) raw sequence data that results from the
sequencing of an individual's complete extracted or a
portion of the extracted deoxyribonucleic acid (DNA);
or
(B) genotypic and phenotypic information that
results from analyzing the raw sequence data.
(16) Individual.--The term ``individual'' means a natural
person residing in the United States.
(17) Large data holder.--The term ``large data holder''
means a covered entity or service provider that, in the most
recent calendar year--
(A) had annual gross revenues of $250,000,000 or
more; and
(B) collected, processed, or transferred--
(i) the covered data of more than 5,000,000
individuals or devices that identify or are
linked or reasonably linkable to 1 or more
individuals; and
(ii) the sensitive covered data of more
than 200,000 individuals or devices that
identify or are linked or reasonably linkable
to 1 or more individuals.
(C) Exclusions.--The term ``large data holder''
does not include any instance where the covered entity
or service provider would qualify as a large data
holder solely on account of collecting, or processing--
(i) personal email addresses;
(ii) personal telephone numbers; or
(iii) log-in information of an individual
or device to allow the individual or device to
log in to an account administered by the
covered entity or service provider.
(D) Revenue.--For purposes of determining
whether any covered entity or service provider is a
large data holder, the term ``revenue'' as it relates
to any covered entity or service provider that is not
organized to carry on business for its own profit or
that of its members, means the gross receipts the
covered entity or service provider received in whatever
form from all sources without subtracting any costs or
expenses, and includes contributions, gifts, grants,
dues or other assessments, income from investments, or
proceeds from the sale of real or personal property.
(18) Market research.--The term ``market research'' means
the collection, processing, or transfer of covered data as
reasonably necessary and proportionate to investigate the
market for or marketing of products, services, or ideas, where
the covered data is not--
(A) integrated into any product or service;
(B) otherwise used to contact any individual or
individual's device; or
(C) used to advertise or market to any individual
or individual's device.
(19) Material.--The term ``material'' means with respect to
an act, practice, or representation of a covered entity
(including a representation made by the covered entity in a
privacy policy or similar disclosure to individuals), involving
the collection, processing, or transfer of covered data that
such act, practice, or representation is likely to affect an
individual's decision or conduct regarding a product or
service.
(20) Precise geolocation information.--
(A) In general.--The term ``precise geolocation
information'' means information that reveals the past
or present physical location of an individual, or
device that identifies or is linked or reasonably
linkable to 1 or more individuals, with sufficient
precision to identify street level location information
or an individual's location within a range of 1,000
feet or less.
(B) Exclusion.--The term ``precise geolocation
information'' does not mean geolocation information
identifiable solely from the visual content of an
image.
(21) Process.--The term ``process'' means to conduct or
direct any operation or set of operations performed on covered
data including analyzing, organizing, structuring, retaining,
storing, using, or otherwise handling covered data.
(22) Processing purpose.--The term ``processing purpose''
means a reason for which a covered entity collects, processes,
or transfers covered data that is specific and granular enough
for a reasonable individual to understand the material facts of
how and why the covered entity collects, processes, or
transfers the covered data.
(23) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means any information that a covered
entity has a reasonable basis to believe has been
lawfully made available to the general public from--
(i) Federal, State, or local government
records provided that the covered entity
collects, processes, and transfers such
information in accordance with any restrictions
or terms of use placed on the information by
the relevant government entity;
(ii) widely distributed media;
(iii) a website or online service made
available to all members of the public, for
free or for a fee, including where all members
of the public can log-in to the website or
online service;
(iv) a disclosure that has been made to the
general public as required by Federal, State,
or local law; or
(v) a visual observation of an individual's
physical presence in a public place by another
person, not including data collected by a
device in the individual's possession.
(B) Clarifications; limitations.--
(i) Available to all members of the
public.--For purposes of this paragraph,
information from a website or online service is
not available to all members of the public if
the individual who made the information
available via the website or online service has
restricted the information to a specific
audience.
(ii) Other limitations.--The term
``publicly available information'' does not
include--
(I) any obscene visual depiction
(as defined for purposes of section
1460 of title 18, United States Code);
(II) inferences made exclusively
from multiple independent sources of
publicly available information that do
not reveal sensitive covered data with
respect to an individual;
(III) biometric information;
(IV) publicly available information
that has been combined with covered
data;
(V) genetic information; or
(VI) known nonconsensual intimate
images.
(24) Sensitive covered data.--
(A) In general.--The term ``sensitive covered
data'' means the following forms of covered data:
(i) A government-issued identifier, such as
a social security number, passport number, or
driver's license number, that is not required
by law to be displayed in public.
(ii) Any information that describes or
reveals the past, present, or future physical
health, mental health, disability, diagnosis,
or healthcare condition or treatment of an
individual.
(iii) A financial account number, debit
card number, credit card number, or information
about income level or bank account balances.
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual's private
communications such as voicemails, emails,
texts, direct messages, or mail, or information
identifying the parties to such communications,
voice communications, and any information that
pertains to the transmission of such
communications, including telephone numbers
called, telephone numbers from which calls were
placed, the time calls were made, call
duration, and location information of the
parties to the call, unless the covered entity
is the sender or an intended recipient of the
communication. Communications are not private
for purposes of this paragraph if such
communications are made from or to a device
provided by an employer to an employee insofar
as such employer provides conspicuous notice
that it may access such communications.
(viii) Account or device log-in
credentials, or security or access codes for an
account or device.
(ix) Information identifying the sexual
orientation or sexual behavior of an individual
in a manner inconsistent with the individual's
reasonable expectation regarding disclosure of
such information.
(x) Calendar information, address book
information, phone or text logs, photos, audio
recordings, or videos maintained for private
use by an individual, regardless of whether
such information is stored on the individual's
device or in a separate location on an
individual's device, regardless of whether such
information is backed up in a separate
location.
(xi) A photograph, film, video recording,
or other similar medium that shows the naked or
undergarment-clad private area of an
individual.
(xii) Information that reveals the video
content or services requested or selected by an
individual from a provider of broadcast
television service, cable service, satellite
service or streaming media service.
(xiii) Information about an individual when
the covered entity knows that the individual is
under the age of 17.
(xiv) Any other covered data collected,
processed, or transferred for the purpose of
identifying the above data types.
(B) Rulemaking.--The Commission may commence a
rulemaking pursuant to section 553 of title 5, United
States Code, to include any additional category of
covered data under this definition that may require a
similar level of protection as the data listed in
clauses (i) through (xiv) of subparagraph (A) as a
result of any new method of collecting, processing, or
transferring covered data.
(25) Service provider.--The term ``service provider'' means
a person or entity that collects, processes, or transfers
covered data on behalf of, and at the direction of, a covered
entity and which receives covered data from or on behalf of a
covered entity pursuant to a written contract, provided that
the contract meets the requirements of section 302.
(26) Service provider data.--The term ``service provider
data'' means covered data that is collected or processed by or
has been transferred to a service provider by a covered entity
for the purpose of allowing the service provider to perform a
service or function on behalf of, and at the direction of, such
covered entity.
(27) State.--The term ``State'' means any of the 50 States,
the District of Columbia, the Commonwealth of Puerto Rico, the
Virgin Islands, Guam, American Samoa, the Northern Mariana
Islands, or the Trust Territory of the Pacific Islands.
(28) State privacy authority.--
(A) In general.--The term ``State Privacy
Authority'' means--
(i) the chief consumer protection officer
of a State; or
(ii) a State consumer protection agency
with expertise in data protection.
(29) Substantial privacy risk.--The term ``substantial
privacy risk'' means the collection, processing, or transfer of
covered data in a manner that may result in any reasonably
foreseeable material physical injury, economic injury, highly
offensive intrusion into the reasonable privacy expectations of
an individual under the circumstances, or discrimination on the
basis of race, color, religion, national origin, sex, or
disability.
(30) Targeted advertising.--The term ``targeted
advertising''--
(A) means displaying to an individual or device
identified by a unique identifier an online
advertisement or content that is selected based on
known or predicted preferences, characteristics, or
interests associated with the individual or a device
identified by a unique identifier; and
(B) does not include--
(i) advertising or marketing to an
individual or an individual's device in
response to the individual's specific request
for information or feedback;
(ii) contextual advertising, which is when
an advertisement is displayed based on the
content or location in which the advertisement
appears and does not vary based on who is
viewing the advertisement; or
(iii) processing covered data solely for
measuring or reporting advertising or content,
performance, reach, or frequency, including
independent measurement.
(31) Third party.--The term ``third party''--
(A) means any person or entity that--
(i) collects, processes, or transfers
third-party data; and
(ii) is not a service provider with respect
to such data; and
(B) does not include a person or entity that
collects covered data from another entity if the 2
entities are related by common ownership or corporate
control and share common branding, unless one of those
is a large data holder or those entities are each
related to a large data holder through common ownership
or corporate control.
(32) Third-party collecting entity.--
(A) In general.--The term ``third-party collecting
entity''--
(i) means a covered entity whose principal
source of revenue is derived from processing or
transferring the covered data that the covered
entity did not collect directly from the
individuals linked or linkable to the covered
data; and
(ii) does not include a covered entity in
so far as such entity processes employee data
collected by and received from a third party
concerning any individual who is an employee of
the third party for the sole purpose of such
third party providing benefits to the employee.
(B) Principal source of revenue defined.--For
purposes of this paragraph, ``principal source of
revenue'' means, for the prior 12-month period,
either--
(i) more than 50 percent of all revenue of
the covered entity; or
(ii) obtaining revenue from processing or
transferring the covered data of more than
5,000,000 individuals that the covered entity
did not collect directly from the individuals
to which the covered data pertains.
(C) Non-application to service providers.--An
entity shall not be considered to be a third-party
collecting entity for purposes of this Act if the
entity is acting as a service provider (as defined in
this section).
(33) Third-party data.--The term ``third-party data'' means
covered data that has been transferred to a third party by a
covered entity.
(34) Transfer.--The term ``transfer'' means to disclose,
release, share, disseminate, make available, or license in
writing, electronically, or by any other means.
(35) Unique identifier.--The term ``unique identifier''
means an identifier to the extent that such identifier is
reasonably linkable to an individual or device that identifies
or is linked or reasonably linkable to 1 or more individuals,
including a device identifier, an Internet Protocol address,
cookies, beacons, pixel tags, mobile ad identifiers, or similar
technology, customer number, unique pseudonym, or user alias,
telephone numbers, or other forms of persistent or
probabilistic identifiers that are linked or reasonably
linkable to an individual or device.
(36) Widely distributed media.--The term ``widely
distributed media'' means information that is available to the
general public, including information from a telephone book or
online directory, a television, internet, or radio program, the
news media, or an internet site that is available to the
general public on an unrestricted basis, but does not include
an obscene visual depiction (as defined in section 1460 of
title 18, United States Code).
TITLE I--DUTY OF LOYALTY
SEC. 101. DATA MINIMIZATION.
(a) In General.--A covered entity shall not collect, process, or
transfer covered data unless the collection, processing, or transfer is
limited to what is reasonably necessary and proportionate to--
(1) provide, or maintain a specific product or service
requested by the individual to whom the data pertains;
(2) deliver a communication that is reasonably anticipated
by the individual recipient within the context of the
individual's interactions with the covered entity; or
(3) effect a purpose expressly permitted under subsection
(b).
(b) Permissible Purposes.--A covered entity or service provider may
collect, process, or transfer covered data for any of the following
purposes provided that the covered entity or service provider can
demonstrate that collection, processing, or transfer complies with all
other applicable laws not preempted in section 404 and provisions of
this Act and is limited to what is reasonably necessary and
proportionate to such purpose:
(1) To initiate or complete a transaction or fulfill an
order or service specifically requested by an individual,
including any associated routine administrative activity such
as billing, shipping, delivery, and accounting, including the
collection, processing, or transferring of the last four digits
of a credit card number.
(2) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception, to
process such data as necessary to perform system maintenance or
diagnostics, to maintain a product or service for which such
data was collected, to conduct internal research or analytics,
to improve a product or service for which such data was
collected and to perform inventory management or reasonable
network management, to protect against spam, or to debug or
repair errors that impair the functionality of a service or
product for which such data was collected.
(3) To authenticate users of a product or service.
(4) To prevent, detect, protect against, or respond to a
security incident, or fulfill a product or service warranty.
For purposes of this paragraph, security is defined as network
security as well as intrusion, medical alerts, fire alarms, and
access control security.
(5) To prevent, detect, protect against or respond to
fraud, harassment, or illegal activity. For the purposes of
this paragraph, illegal activity means a violation of a
Federal, State, or local law punishable as a felony or
misdemeanor that can directly harm another person.
(6) To comply with a legal obligation imposed by Federal,
Tribal, Local, or State law, or to establish, exercise, or
defend legal claims.
(7) To prevent an individual, or groups of individuals,
from suffering harm where the covered entity or service
provider believes in good faith that the individual, or groups
of individuals, is at risk of death, serious physical injury,
or other serious health risk.
(8) To effectuate a product recall pursuant to Federal or
State law.
(9)(A) To conduct a public or peer-reviewed scientific,
historical, or statistical research project that--
(i) is in the public interest;
(ii) adheres to all relevant laws governing such
research; and
(iii) adheres to the regulations for human subject
research established under part 46 of title 45, Code of
Federal Regulations (or successor regulations).
(B) The Commission should set forth within 18 months of the
enactment of this Act guidelines to help covered entities
ensure the privacy of affected users and the security of
covered data, particularly as data is being transferred to and
stored by researchers.
(10) To deliver a communication at the direction of an
individual between the communicating individual and one or more
individuals or entities.
(11) With respect to covered data previously collected in
accordance with this Act, notwithstanding this exception, to
process such data as necessary to provide first party marketing
or advertising of products or services provided by the covered
entity.
(12) Otherwise complies with the requirements of this Act,
including section 204(c), to provide a targeted advertisement.
(c) Guidance.--The Commission shall issue guidance regarding what
is reasonably necessary and proportionate to comply with this section.
Such guidance shall take into consideration--
(1) the size of, and the nature, scope, and complexity of
the activities engaged in by the covered entity, including
whether the covered entity is a large data holder, nonprofit
organization, covered entities meeting the requirements of
section 209, service provider, third party, or third-party
collecting entity;
(2) the sensitivity of covered data collected, processed,
or transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity; and
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates.
(d) Deceptive Marketing of a Product or Service.--A covered entity,
service provider, or third party is prohibited from engaging in
deceptive advertising or marketing with respect to a product or service
provided to an individual.
SEC. 102. LOYALTY DUTIES.
(a) Restricted Data Practices.--Notwithstanding section 101 and
unless an exception applies, with respect to covered data, a covered
entity shall not--
(1) collect, process, or transfer a social security number,
except when necessary to facilitate extensions of credit,
authentication, the payment and collection of taxes, the
enforcement of a contract between parties, or the prevention,
investigation, and prosecution of fraud or illegal activity;
(2) collect or process sensitive covered data, except where
such collection or processing is strictly necessary to provide
or maintain a specific product or service requested by the
individual to whom the covered data pertains, or to effect a
purpose enumerated in section 101(b)(1) through (10);
(3) transfer an individual's sensitive covered data to a
third party, unless--
(A) the transfer is made pursuant to the
affirmative express consent of the individual;
(B) the transfer is necessary to comply with a
legal obligation imposed by Federal, State, or local
law, or to establish, exercise, or defend legal claims;
(C) the transfer is necessary to prevent an
individual from imminent injury where the covered
entity believes in good faith that the individual is at
risk of death or serious physical injury;
(D) the transfer of biometric information is
necessary to facilitate data security or
authentication;
(E) the transfer of a password is necessary to use
a designated password manager or is to a covered entity
for the exclusive purpose of identifying passwords that
are being re-used across sites or accounts; or
(F) the transfer of genetic information is
necessary to perform a medical diagnosis or medical
treatment specifically requested by an individual, or
to conduct medical research in accordance with
conditions of section 101(b)(9); or
(4) collect, process, or transfer an individual's
aggregated internet search or browsing history, except with the
affirmative express consent of the individual or pursuant to
one of the permissible purposes enumerated in section 101(b)(1)
through (10).
SEC. 103. PRIVACY BY DESIGN.
(a) Policies, Practices, and Procedures.--A covered entity and a
service provider shall establish, implement, and maintain reasonable
policies, practices, and procedures regarding the collection,
processing, and transfer of covered data to--
(1) consider Federal laws, rules, or regulations related to
covered data the covered entity or service provider collects,
processes, or transfers;
(2) identify, assess, and mitigate privacy risks related to
individuals under the age of 17, if applicable;
(3) mitigate privacy risks, including substantial privacy
risks, related to the products and services of the covered
entity or the service provider, including their design,
development, and implementation; and
(4) implement reasonable training and safeguards within the
covered entity and service provider to promote compliance with
all privacy laws applicable to covered data the covered entity
collects, processes, or transfers or covered data the service
provider collects, processes, or transfers on behalf of the
covered entity and mitigate privacy risks, including
substantial privacy risks.
(b) Factors To Consider.--The policies, practices, and procedures
established by a covered entity and a service provider under subsection
(a) shall correspond with--
(1) the size of the covered entity or the service provider
and the nature, scope, and complexity of the activities engaged
in by the covered entity, including whether the covered entity
is a large data holder, nonprofit organization, covered
entities meeting the requirements of section 209, third party,
or third-party collecting entity;
(2) the sensitivity of the covered data collected,
processed, or transferred by the covered entity or service
provider;
(3) the volume of covered data collected, processed, or
transferred by the covered entity or service provider;
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity or service provider relates; and
(5) the cost of implementing such policies, practices, and
procedures in relation to the risks and nature of the covered
data.
(c) Commission Guidance.--Not later than 1 year after the date of
enactment of this Act, the Commission shall issue guidance as to what
constitutes reasonable policies, practices, and procedures as required
by this section. The Commission shall consider unique circumstances
applicable to nonprofit organizations and covered entities meeting the
requirements of section 209.
SEC. 104. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.
(a) Conditional Service or Pricing Prohibited.--A covered entity
shall not deny or condition or effectively condition the provision of a
service or product to an individual based on the individual's agreement
to waive (or refusal to waive) any requirements under this Act or any
regulations promulgated under this Act or terminate a service or
otherwise refuse to provide a service or product to an individual as a
consequence of the individual's refusal to provide such a waiver.
(b) Rules of Construction.--Nothing in subsection (a) shall be
construed to--
(1) prohibit the relation of the price of a service or the
level of service provided to an individual to the provision, by
the individual, of financial information that is necessarily
collected and processed only for the purpose of initiating,
rendering, billing for, or collecting payment for a service or
product requested by the individual;
(2) prohibit a covered entity from offering a loyalty
program that provides discounted or free products or services,
or other consideration, in exchange for an individual's
continued business with the covered entity, provided that such
program otherwise complies with the requirements of this Act
and any regulations promulgated under this Act;
(3) require a covered entity to provide a loyalty program
that would require the covered entity to collect, process, or
transfer covered data that it otherwise would not;
(4) prohibit a covered entity from offering a financial
incentive or other consideration to an individual for
participation in market research; or
(5) prohibit a covered entity from offering different types
of pricing or functionalities with respect to a product or
service based on an individual's exercise of a right in section
203(a)(3).
TITLE II--CONSUMER DATA RIGHTS
SEC. 201. CONSUMER AWARENESS.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the Commission shall publish, on the public website of the
Commission, a web page that describes each provision, right,
obligation, and requirement of this Act, listed separately for
individuals and for covered entities and service providers, and the
remedies, exemptions, and protections associated with this Act in plain
and concise language and in an easy-to-understand manner.
(b) Updates.--The Commission shall update the information published
under subsection (a) on a quarterly basis as necessitated by any change
in law, regulation, guidance, or judicial decisions.
(c) Accessibility.--The Commission shall publish materials
disclosed pursuant to subsection (a) in the ten languages with the most
users in the United States, according to the most recent U.S. Census.
The Commission shall ensure the website is readily accessible to and
usable by individuals with disabilities.
SEC. 202. TRANSPARENCY.
(a) In General.--Each covered entity and service provider shall
make publicly available, in a clear, conspicuous, not misleading, and
readily accessible manner, a privacy policy that provides a detailed
and accurate representation of the entity's data collection,
processing, and transfer activities.
(b) Content of Privacy Policy.--The privacy policy required under
subsection (a) shall include, at a minimum, the following:
(1) The identity and the contact information of--
(A) the covered entity or service provider
(including the covered entity's or service provider's
points of contact, generic electronic mail addresses,
and phone numbers of the covered entity, as applicable
for privacy and data security inquiries); and
(B) any other entity within the same corporate
structure as, and under common branding with, the
covered entity or service provider to which covered
data is transferred by the covered entity.
(2) The categories of covered data the covered entity or
service provider collects or processes.
(3) The processing purposes for each category of covered
data the covered entity or service provider collects or
processes.
(4) Whether the covered entity or service provider
transfers covered data and, if so, each category of service
provider and third party to which the covered entity or service
provider transfers covered data, the name of each third-party
collecting entity to which the covered entity or service
provider transfers covered data, and the purposes for which
such data is transferred to such categories of service
providers and third parties or third-party collecting entities,
except for transfers to governmental entities pursuant to a
court order or law that prohibits the covered entity from
disclosing such transfer.
(5) The length of time the covered entity or service
provider intends to retain each category of covered data,
including sensitive covered data, or, if it is not possible to
identify that time frame, the criteria used to determine the
length of time the covered entity intends to retain categories
of covered data.
(6) A prominent description of how an individual can
exercise the rights described in this Act.
(7) A general description of the covered entity's or
service provider's data security practices.
(8) The effective date of the privacy policy.
(9) Whether or not any covered data collected by the
covered entity or service provider is transferred to, processed
in, stored in or otherwise accessible to the People's Republic
of China, Russia, Iran, or North Korea.
(c) Languages.--The privacy policy required under subsection (a)
shall be made available to the public in each language in which the
covered entity or service provider--
(1) provides a product or service that is subject to the
privacy policy; or
(2) carries out activities related to such product or
service.
(d) Accessibility.--The covered entity or service provider shall
also provide the disclosures under this section in a manner that is
readily accessible to and usable by individuals with disabilities.
(e) Material Changes.--
(1) Affirmative express consent.--If a covered entity makes
a material change to its privacy policy or practices, the
covered entity shall notify each individual affected by such
material change before implementing the material change with
respect to any previously collected covered data and, except as
provided in section 101(b), provide a reasonable opportunity
for each individual to withdraw consent to any further
materially different collection, processing, or transferring of
covered data under the changed policy.
(2) Notification.--The covered entity shall take all
reasonable measures to provide direct notification regarding
material changes to the privacy policy to each affected
individual, in each language that the privacy policy is made
available, and taking into account available technology and the
nature of the relationship.
(3) Clarification.--Nothing in this section shall be
construed to affect the requirements for covered entities under
section 102 or 204.
(4) Log of material changes.--Each large data holder shall
retain copies of previous versions of its privacy policy for at
least 10 years and publish them on its website. It shall make
publicly available, in a clear, conspicuous, and readily
accessible manner, a log describing the date and nature of each
material change over the past 10 years. The descriptions shall
be sufficient for a reasonable individual to understand the
material effect of each material change.
(f) Short-Form Notice to Consumers by Large Data Holders.--
(1) In general.--In addition to the privacy policy required
under subsection (a), a large data holder must provide a short-
form notice of its covered data practices in a manner that is--
(A) concise, clear, and conspicuous;
(B) readily accessible, based on the way an
individual interacts with the large data holder and its
products or services and what is reasonably anticipated
within the context of the relationship;
(C) inclusive of an overview of individual rights
and disclosures to reasonably draw attention to data
practices that may reasonably be unexpected or that
involve sensitive covered data; and
(D) no more than 500 words in length.
(2) Rulemaking.--The Commission shall issue a rule pursuant
to section 553 of title 5, United States Code, establishing the
minimum data disclosures necessary for the short-form notice
which shall not exceed the content requirements in subsection
(b) and shall include templates and/or models of short-form
notices.
SEC. 203. INDIVIDUAL DATA OWNERSHIP AND CONTROL.
(a) Access to, and Correction, Deletion, and Portability of,
Covered Data.--Subject to subsections (b) and (c), a covered entity
shall provide an individual, after receiving a verified request from
the individual, with the right to--
(1) access--
(A) the covered data, except covered data in back-
up or archival systems, of the individual in a human-
readable format that a reasonable individual can
understand and download from the internet, that is
collected, processed, or transferred by the covered
entity or any service provider of the covered entity
within the 24 months preceding the request;
(B) the name of any third party and the categories
of any service providers to whom the covered entity has
transferred for consideration the covered data of the
individual, as well as the categories of sources from
which the covered data was collected; and
(C) a description of the purpose for which the
covered entity transferred the covered data of the
individual to a third party or service provider;
(2) correct any verifiably material inaccuracy or
materially incomplete information with respect to the covered
data of the individual that is processed by the covered entity
and instruct the covered entity to notify any third party, or
service provider to which the covered entity transferred such
covered data of the corrected information;
(3) delete covered data of the individual that is processed
by the covered entity and instruct the covered entity to notify
any third party, or service provider to which the covered
entity transferred such covered data of the individual's
deletion request; and
(4) to the extent technically feasible, export covered data
to the individual or directly to another entity, except for
derived data, of the individual that is processed by the
covered entity without licensing restrictions that limit such
transfers, in--
(A) a human-readable format that a reasonable
individual can understand and download from the
internet; and
(B) a portable, structured, interoperable, and
machine-readable format.
(b) Individual Autonomy.--A covered entity shall not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of any individual rights under this section
through--
(1) the use of any false, fictitious, fraudulent,
or materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise any such rights.
(c) Timing.--
(1) Subject to subsections (d) and (e)(1), each request
shall be completed by any--
(A) large data holder within 45 days of
verification of such request from an individual;
(B) covered entity that is not considered a large
data holder or a covered entity described in section
209 within 60 days of verification of such request from
an individual; or
(C) covered entity as described in section 209
within 90 days of verification of such request from an
individual.
(2) A response period set forth in this subsection may be
extended once by 45 additional days when reasonably necessary,
considering the complexity and number of the individual's
requests, so long as the covered entity informs the individual
of any such extension within the initial 45-day response
period, together with the reason for the extension.
(d) Frequency and Cost of Access.--A covered entity--
(1) shall provide an individual with the opportunity to
exercise each of the rights described in subsection (a); and
(2) with respect to--
(A) the first 2 times that an individual exercises
any right described in subsection (a) in any 12-month
period, shall allow the individual to exercise such
right free of charge; and
(B) any time beyond the initial 2 times described
in subparagraph (A), may allow the individual to
exercise such right for a reasonable fee for each
request.
(e) Verification and Exceptions.--
(1) Required exceptions.--A covered entity shall not permit
an individual to exercise a right described in subsection (a),
in whole or in part, if the covered entity--
(A) cannot reasonably verify that the individual
making the request to exercise the right is the
individual whose covered data is the subject of the
request or an individual authorized to make such a
request on the individual's behalf;
(B) reasonably believes that the request is made to
interfere with a contract between the covered entity
and another individual;
(C) determines that the exercise of the right would
require access to or correction of another individual's
sensitive covered data; or
(D) reasonably believes that the exercise of the
right would require the covered entity to engage in an
unfair or deceptive practice under section 5 of the
Federal Trade Commission Act (15 U.S.C. 45).
(2) Additional information.--If a covered entity cannot
reasonably verify that a request to exercise a right described
in subsection (a) is made by the individual whose covered data
is the subject of the request (or an individual authorized to
make such a request on the individual's behalf), the covered
entity--
(A) may request that the individual making the
request to exercise the right provide any additional
information necessary for the sole purpose of verifying
the identity of the individual; and
(B) shall not process or transfer such additional
information for any other purpose.
(3) Permissive exceptions.--
(A) In general.--A covered entity may decline to
comply with a request to exercise a right described in
subsection (a), in whole or in part, that would--
(i) require the covered entity to retain
any covered data collected for a single, one-
time transaction, if such covered data is not
processed or transferred by the covered entity
for any purpose other than completing such
transaction;
(ii) be impossible or demonstrably
impracticable to comply with, and the covered
entity shall provide a description to the
requestor detailing the inability to comply
with the request;
(iii) require the covered entity to attempt
to re-identify de-identified data;
(iv) result in the release of trade
secrets, or other privileged, or confidential
business information;
(v) require the covered entity to correct
any covered data that cannot be reasonably
verified as being inaccurate or incomplete;
(vi) interfere with law enforcement,
judicial proceedings, investigations, or
reasonable efforts to guard against, detect, or
investigate malicious or unlawful activity, or
enforce valid contracts;
(vii) violate Federal or State law or the
rights and freedoms of another individual,
including under the Constitution of the United
States;
(viii) prevent a covered entity from being
able to maintain a confidential record of
deletion requests, maintained solely for the
purpose of preventing covered data of an
individual who has submitted a deletion request
and requests that the covered entity no longer
collect, process, or transfer such data;
(ix) fall within an exception enumerated in
the regulations promulgated by the Commission
pursuant to paragraph (D); or
(x) with respect to requests for deletion--
(I) unreasonably interfere with the
provision of products or services by
the covered entity to another person it
currently serves;
(II) delete covered data that
relates to a public figure and for
which the requesting individual has no
reasonable expectation of privacy;
(III) delete covered data
reasonably necessary to perform a
contract between the covered entity and
the individual;
(IV) delete covered data that the
covered entity needs to retain in order
to comply with professional ethical
obligations; or
(V) delete covered data that the
covered entity reasonably believes may
be evidence of unlawful activity or an
abuse of the covered entity's products
or services.
(B) Partial compliance.--In a circumstance that
would allow a denial pursuant to paragraph (A), a
covered entity shall partially comply with the
remainder of the request if it is possible and not
unduly burdensome to do so.
(C) Number of requests.--For purposes of this
paragraph, the receipt of a large number of verified
requests, on its own, shall not be considered to render
compliance with a request demonstrably impossible.
(D) Further exceptions.--The Commission may, by
regulation as described in subsection (f), establish
additional permissive exceptions necessary to protect
the rights of individuals, alleviate undue burdens on
covered entities, prevent unjust or unreasonable
outcomes from the exercise of access, correction,
deletion, or portability rights, or as otherwise
necessary to fulfill the purposes of this section. In
creating such exceptions, the Commission should
consider any relevant changes in technology, means for
protecting privacy and other rights, and beneficial
uses of covered data by covered entities.
(f) Regulations.--Within two years of the date of enactment of this
Act, the Commission may promulgate regulations, pursuant to section 553
of title 5, United States Code (5 U.S.C. 553), as necessary to
establish processes by which covered entities are to comply with the
provisions of this section. Such regulations shall take into
consideration--
(1) the size of, and the nature, scope, and complexity of
the activities engaged in by the covered entity, including
whether the covered entity is a large data holder, nonprofit
organization, covered entities meeting the requirements of
section 209, service provider, third party, or third-party
collecting entity;
(2) the sensitivity of covered data collected, processed,
or transferred by the covered entity;
(3) the volume of covered data collected, processed, or
transferred by the covered entity; and
(4) the number of individuals and devices to which the
covered data collected, processed, or transferred by the
covered entity relates.
(g) Accessibility.--A covered entity shall facilitate the ability
for individuals to make requests under this section in any of the ten
languages with the most users in the United States, according to the
most recent U.S. Census, if the covered entity provides service in such
language. The mechanisms by which a covered entity enables individuals
to make requests under this section shall be readily accessible to and
usable by individuals with disabilities.
SEC. 204. RIGHT TO CONSENT AND OBJECT.
(a) Withdrawal of Consent.--A covered entity shall provide an
individual with a clear and conspicuous, easy-to-execute means to
withdraw any affirmative express consent previously provided by the
individual that is as easy to execute by a reasonable individual as the
means to provide consent, with respect to the processing or transfer of
the covered data of the individual.
(b) Right To Opt Out of Covered Data Transfers.--
(1) In general.--A covered entity--
(A) shall not transfer the covered data of an
individual to a third party if the individual objects
to the transfer; and
(B) shall allow an individual to object to such
transfer through an opt-out mechanism, as described in
section 210, if applicable.
(2) Exception.--An individual may not opt out of the
collection, processing, and transfer of covered data made
pursuant to the exceptions in sections 101(b)(1) through (11)
of this Act.
(c) Right To Opt Out of Targeted Advertising.--A covered entity
that engages in targeted advertising shall--
(1) prior to engaging in such targeted advertising and at
all times thereafter, provide an individual with a clear and
conspicuous means to opt out of targeted advertising;
(2) abide by such opt-out designations by an individual;
and
(3) allow an individual to prohibit such targeted
advertising through an opt-out mechanism, as described in
section 210, if applicable.
(d) Individual Autonomy.--A covered entity shall not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of any individual rights under this section
through--
(1) the use of any false, fictitious, fraudulent,
or materially misleading statement or representation; or
(2) the design, modification, or manipulation of any user
interface with the purpose or substantial effect of obscuring,
subverting, or impairing a reasonable individual's autonomy,
decision making, or choice to exercise any such rights.
SEC. 205. DATA PROTECTIONS FOR CHILDREN AND MINORS.
(a) Prohibition on Targeted Advertising to Children and Minors.--A
covered entity shall not engage in targeted advertising to any
individual under the age of 17 if the covered entity knows that the
individual is under the age of 17.
(b) Data Transfer Requirements Related to Minors.--A covered entity
shall not transfer the covered data of an individual to a third party
without affirmative express consent from the individual or the
individual's parent or guardian if the covered entity knows that the
individual is under the age of 17.
(c) Knowledge.--The knowledge requirement in subsections (a) and
(b) shall not be construed to require the affirmative collection or
processing of any data with respect to the age of an individual or a
proxy thereof, or to require that a covered entity implement an age
gating regime. Rather, the determination of whether an individual is
under 17 shall be based on the covered data collected directly from an
individual or a proxy thereof that the covered entity would otherwise
collect in the normal course of business.
(d) Youth Privacy and Marketing Division.--
(1) Establishment.--There is established within the
Commission a division to be known as the ``Youth Privacy and
Marketing Division'' (in this section referred to as the
``Division'').
(2) Director.--The Division shall be headed by a Director,
who shall be appointed by the Chair of the Commission.
(3) Duties.--The Division shall be responsible for
assisting the Commission in addressing, as it relates to this
Act--
(A) the privacy of children and minors; and
(B) marketing directed at children and minors.
(4) Staff.--The Director of the Division shall hire
adequate staff to carry out the duties described in paragraph
(3), including by hiring individuals who are experts in data
protection, digital advertising, data analytics, and youth
development.
(5) Reports.--Not later than 1 year after the date of
enactment of this Act, and annually thereafter, the Commission
shall submit to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on Energy and
Commerce of the House of Representatives a report that
includes--
(A) a description of the work of the Division
regarding emerging concerns relating to youth privacy
and marketing practices; and
(B) an assessment of how effectively the Division
has, during the period for which the report is
submitted, assisted the Commission in addressing youth
privacy and marketing practices.
(6) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (5), the Commission
shall publish the report on its website.
(e) Report by the Inspector General.--
(1) In general.--Not later than 2 years after the date of
enactment of this Act, and biennially thereafter, the Inspector
General of the Commission shall submit to the Commission and to
the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Energy and Commerce of the House of
Representatives a report regarding the safe harbor provisions
in section 1307 of the Children's Online Privacy Protection Act
of 1998 (15 U.S.C. 6503), which shall include--
(A) an analysis of whether the safe harbor
provisions are--
(i) operating fairly and effectively; and
(ii) effectively protecting the interests
of children and minors; and
(B) any proposal or recommendation for policy
changes that would improve the effectiveness of the
safe harbor provisions.
(2) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (1), the Commission
shall publish the report on the website of the Commission.
SEC. 206. THIRD-PARTY COLLECTING ENTITIES.
(a) Notice.--Each third-party collecting entity shall place a clear
and conspicuous notice on the website or mobile application of the
third-party collecting entity (if the third-party collecting entity
maintains such a website or mobile application) that--
(1) notifies individuals that the entity is a third-party
collecting entity using specific language that the Commission
shall develop through rulemaking under section 553 of title 5,
United States Code; and
(2) includes a link to the website established under
subsection (b)(3).
(b) Third-Party Collecting Entity Registration.--
(1) In general.--Not later than January 31 of each calendar
year that follows a calendar year during which a covered entity
acted as a third-party collecting entity and processed covered
data pertaining to more than 5,000 individuals or devices that
identify or are linked or reasonably linkable to an individual,
such covered entity shall register with the Commission in
accordance with this subsection.
(2) Registration requirements.--In registering with the
Commission as required under paragraph (1), a third-party
collecting entity shall do the following:
(A) Pay to the Commission a registration fee of
$100.
(B) Provide the Commission with the following
information:
(i) The legal name and primary physical,
email, and internet addresses of the third-
party collecting entity.
(ii) A description of the categories of
data the third-party collecting entity
processes and transfers.
(iii) The contact information of the third-
party collecting entity, including a contact
person, telephone number, an e-mail address, a
website, and a physical mailing address.
(iv) A link to a website through which an
individual may easily exercise the rights
provided under this subsection.
(3) Third-party collecting entity registry.--The Commission
shall establish and maintain on a website a searchable,
publicly available, central registry of third-party collecting
entities that are registered with the Commission under this
subsection that includes the following:
(A) A listing of all registered third-party
collecting entities and a search feature that allows
members of the public to identify individual third-
party collecting entities.
(B) For each registered third-party collecting
entity, the information described in paragraph (2).
(C) A ``Do Not Collect'' registry link and
mechanism by which an individual may, after the
Commission has verified the identity of the individual
or individual's parent or guardian, which may include
tokenization, easily submit a request to all registered
third-party collecting entities that are not consumer
reporting agencies, and to the extent they are not
acting as consumer reporting agencies, as defined in
section 603(f) of the Fair Credit Reporting Act (15
U.S.C. 1681a(f)) to--
(i) delete all covered data related to such
individual that the third-party collecting
entity did not collect from the individual
directly or when acting as a service provider;
and
(ii) ensure that any third-party collecting
entity no longer collects covered data related
to such individual without the affirmative
express consent of such individual, except
insofar as such covered entity is acting as a
service provider. Each third-party collecting
entity that receives such a request from an
individual shall delete all the covered data of
the individual not later than 30 days after the
request is received by the third-party
collecting entity.
(c) Penalties.--A third-party collecting entity that fails to
register or provide the notice as required under this section shall be
liable for--
(1) a civil penalty of $50 for each day it fails to
register or provide notice as required under this subsection,
not to exceed a total of $10,000 for any year; and
(2) an amount equal to the registration fees due under
paragraph (2) of subsection (b) for each year that it failed to
register as required under paragraph (1) of such subsection.
SEC. 207. CIVIL RIGHTS AND ALGORITHMS.
(a) Civil Rights Protections.--
(1) In general.--A covered entity or a service provider may
not collect, process, or transfer covered data in a manner that
discriminates in or otherwise makes unavailable the equal
enjoyment of goods or services on the basis of race, color,
religion, national origin, sex, or disability.
(2) Exceptions.--This subsection shall not apply to--
(A) the collection, processing, or transfer of
covered data for the purpose of--
(i) a covered entity's or a service
provider's self-testing to prevent or mitigate
unlawful discrimination; or
(ii) diversifying an applicant,
participant, or customer pool; or
(B) any private club or group not open to the
public, as described in section 201(e) of the Civil
Rights Act of 1964 (42 U.S.C. 2000a(e)).
(b) FTC Enforcement Assistance.--
(1) In general.--Whenever the Commission obtains
information that a covered entity or service provider may have
collected, processed, or transferred covered data in violation
of subsection (a), the Commission shall transmit such
information as allowable under Federal law to any Executive
agency with authority to initiate enforcement actions or
proceedings relating to such violation.
(2) Annual report.--Not later than 3 years after the date
of enactment of this Act, and annually thereafter, the
Commission shall submit to Congress a report that includes a
summary of--
(A) the types of information the Commission
transmitted to Federal agencies under paragraph (1)
during the previous 1-year period; and
(B) how such information relates to Federal civil
rights laws.
(3) Technical assistance.--In transmitting information
under paragraph (1), the Commission may consult and coordinate
with, and provide technical and investigative assistance, as
appropriate, to such Executive agency.
(4) Cooperation with other agencies.--The Commission may
implement this subsection by executing agreements or memoranda
of understanding with the appropriate Federal agencies.
(c) Algorithm Impact and Evaluation.--
(1) Algorithm impact assessment.--
(A) Impact assessment.--Notwithstanding any other
provision of law, not later than 2 years after the date
of enactment of this Act, and annually thereafter, a
large data holder that uses an algorithm that may cause
potential harm to an individual, and uses such
algorithm solely or in part, to collect, process, or
transfer covered data must conduct an impact assessment
of such algorithm in accordance with subparagraph (B).
(B) Impact assessment scope.--The impact assessment
required under subparagraph (A) shall provide the
following:
(i) A detailed description of the design
process and methodologies of the algorithm.
(ii) A statement of the purpose, proposed
uses, and foreseeable capabilities outside of
the articulated proposed use of the algorithm.
(iii) A detailed description of the data
used by the algorithm, including the specific
categories of data that will be processed as
input and any data used to train the model that
the algorithm relies on.
(iv) A description of the outputs produced
by the algorithm.
(v) An assessment of the necessity and
proportionality of the algorithm in relation to
its stated purpose, including reasons for the
superiority of the algorithm over nonautomated
decision-making methods.
(vi) A detailed description of steps the
large data holder has taken or will take to
mitigate potential harms to individuals,
including potential harms related to--
(I) any individual under the age of
17;
(II) making or facilitating
advertising for, or determining access
to, or restrictions on the use of
housing, education, employment,
healthcare, insurance, or credit
opportunities;
(III) determining access to, or
restrictions on the use of, any place
of public accommodation, particularly
as such harms relate to the protected
characteristics of individuals,
including race, color, religion,
national origin, sex, or disability; or
(IV) disparate impact on the basis
of individuals' race, color, religion,
national origin, sex, or disability
status.
(2) Algorithm design evaluation.--Notwithstanding any other
provision of law, not later than 2 years after the date of
enactment of this Act, a covered entity or service provider
that knowingly develops an algorithm, solely or in part, to
collect, process, or transfer covered data or publicly
available information shall prior to deploying the algorithm in
interstate commerce evaluate the design, structure, and inputs
of the algorithm, including any training data used to develop
the algorithm, to reduce the risk of the potential harms
identified under paragraph (1)(B).
(3) Other considerations.--
(A) Focus.--In complying with paragraph (1) or (2),
a covered entity and a service provider may focus the
impact assessment or evaluation on any algorithm, or
portions of an algorithm, that may reasonably
contribute to the risk of the potential harms
identified under paragraph (1)(B).
(B) External, independent auditor or researcher.--
To the extent possible, a covered entity and a service
provider shall utilize an external, independent auditor
or researcher to conduct an impact assessment under
paragraph (1) or an evaluation under paragraph (2).
(C) Availability.--
(i) In general.--A covered entity and a
service provider--
(I) shall, not later than 30 days
after completing an impact assessment
or evaluation, submit the impact
assessment and evaluation conducted
under paragraphs (1) and (2) to the
Commission;
(II) shall, upon request, make such
impact assessment and evaluation
available to Congress; and
(III) may make a summary of such
impact assessment and evaluation
publicly available in a place that is
easily accessible to individuals.
(ii) Trade secrets.--Covered entities and
service providers must make all submissions
under this section to the Commission in
unredacted form, but a covered entity and a
service provider may redact and segregate any
trade secrets (as defined in section 1839 of
title 18, United States Code) from public
disclosure under this subparagraph.
(D) Enforcement.--The Commission may not use any
information obtained solely and exclusively through a
covered entity or a service provider's disclosure of
information to the Commission in compliance with this
section for any purpose other than enforcing this Act,
including the study and report provisions in paragraph
6 of this section. This provision shall not preclude
the Commission from providing this information to
Congress in response to a subpoena or official
Congressional request.
(4) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall, in consultation
with the Secretary of Commerce, or their respective designees,
publish guidance regarding compliance with this section.
(5) Rulemaking and exemption.--The Commission shall have
authority under section 553 of title 5, United States Code, to
promulgate regulations as necessary to establish processes by
which a large data holder--
(A) shall submit an impact assessment to the
Commission under paragraph (3)(C)(i)(I); and
(B) may exclude from this subsection any algorithm
that presents low or minimal risk for potential for
harms to individuals (as identified under paragraph
(1)(B)).
(6) Study and report.--
(A) Study.--The Commission, in consultation with
the Secretary of Commerce or the Secretary's designee,
shall conduct a study, to review any impact assessment
or evaluation submitted under this paragraph. Such
study shall include an examination of--
(i) best practices for the assessment and
evaluation of algorithms; and
(ii) methods to reduce the risk of harm to
individuals that may be related to the use of
algorithms.
(B) Report.--
(i) Initial report.--Not later than 3 years
after the date of enactment of this Act, the
Commission, in consultation with the Secretary
of Commerce or the Secretary's designee, shall
submit to Congress a report containing the
results of the study conducted under subsection
(a), together with recommendations for such
legislation and administrative action as the
Commission determines appropriate.
(ii) Additional reports.--Not later than 3
years after submission of the initial report
under clause (i), and as the Commission
determines necessary thereafter, the Commission
shall submit to Congress an updated version of
such report.
SEC. 208. DATA SECURITY AND PROTECTION OF COVERED DATA.
(a) Establishment of Data Security Practices.--
(1) In general.--A covered entity or service provider shall
establish, implement, and maintain reasonable administrative,
technical, and physical data security practices and procedures
to protect and secure covered data against unauthorized access
and acquisition.
(2) Considerations.--The reasonable administrative,
technical, and physical data security practices required under
paragraph (1) shall be appropriate to--
(A) the size and complexity of the covered entity
or service provider;
(B) the nature and scope of the covered entity or
the service provider's collecting, processing, or
transferring of covered data;
(C) the volume and nature of the covered data
collected, processed, or transferred by the covered
entity or service provider;
(D) the sensitivity of the covered data collected,
processed, or transferred;
(E) the current state of the art in administrative,
technical, and physical safeguards for protecting such
covered data; and
(F) the cost of available tools to improve security
and reduce vulnerabilities to unauthorized access and
acquisition of such covered data in relation to the
risks and nature of the covered data.
(b) Specific Requirements.--The data security practices required
under subsection (a) shall include, at a minimum, the following
practices:
(1) Assess vulnerabilities.--Identifying and assessing any
material internal and external risk to, and vulnerability in,
the security of each system maintained by the covered entity
that collects, processes, or transfers covered data, or service
provider that collects, processes, or transfers covered data on
behalf of the covered entity, including unauthorized access to
or risks to such covered data, human vulnerabilities, access
rights, and the use of service providers. With respect to large
data holders, such activities shall include a plan to receive
and respond to unsolicited reports of vulnerabilities by any
entity or individual.
(2) Preventive and corrective action.--Taking preventive
and corrective action designed to mitigate any reasonably
foreseeable risks or vulnerabilities to covered data identified
by the covered entity or service provider, consistent with the
nature of such risk or vulnerability, which may include
implementing administrative, technical, or physical safeguards
or changes to data security practices or the architecture,
installation, or implementation of network or operating
software, among other actions.
(3) Evaluation of preventive and corrective action.--
Evaluating and making reasonable adjustments to the safeguards
described in paragraph (2) in light of any material changes in
technology, internal or external threats to covered data, and
the covered entity or service provider's own changing business
arrangements or operations.
(4) Information retention and disposal.--Disposing of
covered data that is required to be deleted by law or is no
longer necessary for the purpose for which the data was
collected, processed, or transferred, unless an individual has
provided affirmative express consent to such retention. Such
disposal shall include destroying, permanently erasing, or
otherwise modifying the covered data to make such data
permanently unreadable or indecipherable and unrecoverable to
ensure ongoing compliance with this section.
(5) Training.--Training each employee with access to
covered data on how to safeguard covered data and updating such
training as necessary.
(6) Designation.--Designating an officer, employee, or
employees to maintain and implement such practices.
(7) Incident response.--Implementing procedures to detect,
respond to, or recover from security incidents or breaches.
(c) Regulations.--The Commission may promulgate in accordance with
section 553 of title 5, United States Code, technology-neutral
regulations to establish processes for complying with this section.
(d) Applicability of Other Information Security Laws.--A covered
entity that is required to comply with title V of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information
Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et
seq.), and is in compliance with the information security requirements
of such Act as determined by the enforcement authority in such Act,
shall be deemed to be in compliance with the requirements of this
section with respect to any data covered by such information security
requirements.
SEC. 209. SMALL BUSINESS PROTECTIONS.
(a) In General.--
(1) Any covered entity or service provider that can
establish that it met the requirements described in paragraph
(2) for the period of the 3 preceding calendar years (or for
the period during which the covered entity has been in
existence if such period is less than 3 years) shall--
(A) be exempt from compliance with sections
203(a)(4), 208(b)(1)-(3), (5)-(7), and 301(c); and
(B) at the covered entity's sole discretion, have
the option of complying with section 203(a)(2) by,
after receiving a verified request from an individual
to correct covered data of the individual under such
section, deleting such covered data in its entirety
instead of making the requested correction.
(2) Exemption requirements.--The requirements of this
paragraph are, with respect to a covered entity or a service
provider and a period, the following:
(A) The covered entity or service provider's
average annual gross revenues during the period did not
exceed $41,000,000.
(B) The covered entity or service provider, on
average, did not annually collect or process the
covered data of more than 200,000 individuals during
the period beyond the purpose of initiating, rendering,
billing for, finalizing, completing, or otherwise
collecting payment for a requested service or product,
so long as all covered data for such purpose is deleted
or de-identified within 90 days.
(C) The covered entity or service provider did not
derive more than 50 percent of its revenue from
transferring covered data during any year (or part of a
year if the covered entity has been in existence for
less than 1 year) that occurs during the period.
(3) Definition.--For purposes of this section, the term
``revenue'' as it relates to any covered entity that is not
organized to carry on business for its own profit or that of
their members, means the gross receipts the covered entity
received in whatever form from all sources without subtracting
any costs or expenses, and includes contributions, gifts,
grants, dues or other assessments, income from investments, or
proceeds from the sale of real or personal property.
(4) Journalism.--Nothing in this Act shall be construed to
limit or diminish First Amendment freedoms to gather and
publish information guaranteed under the Constitution.
SEC. 210. UNIFIED OPT-OUT MECHANISMS.
For the rights established under sections 204(b) and (c), and
section 206(c)(3)(D) not later than 18 months after the date of
enactment of this Act, the Commission shall establish one or more
acceptable privacy protective, centralized mechanisms, including global
privacy signals such as browser or device privacy settings, for
individuals to exercise all such rights through a single interface for
a covered entity to utilize to allow an individual to make such opt out
designations with respect to covered data related to such individual.
TITLE III--CORPORATE ACCOUNTABILITY
SEC. 301. EXECUTIVE RESPONSIBILITY.
(a) In General.--Beginning 1 year after the date of enactment of
this Act, an executive officer of a large data holder shall annually
certify, in good faith, to the Commission, in a manner specified by the
Commission by regulation under section 553 of title 5, United States
Code, that the entity maintains--
(1) internal controls reasonably designed to comply with
this Act; and
(2) reporting structures to ensure that such certifying
officers are involved in, and are responsible for, decisions
that impact the entity's compliance with this Act.
(b) Requirements.--A certification submitted under subsection (a)
shall be based on a review of the effectiveness of a large data
holder's internal controls and reporting structures that is conducted
by the certifying officers not more than 90 days before the submission
of the certification.
(c) Designation of Privacy and Data Security Officer.--
(1) In general.--A covered entity and a service provider
shall designate--
(A) 1 or more qualified employees as privacy
officers; and
(B) 1 or more qualified employees (in addition to
any employee designated under subparagraph (A)) as data
security officers.
(2) Requirements for officers.--An employee who is
designated by a covered entity or a service provider as a
privacy officer or a data security officer shall, at a
minimum--
(A) implement a data privacy program and data
security program to safeguard the privacy and security
of covered data in compliance with the requirements of
this Act; and
(B) facilitate the covered entity or service
provider's ongoing compliance with this Act.
(3) Additional requirements for large data holders.--A
large data holder shall designate at least 1 of the officers
described in paragraph (1) of this subsection to report
directly to the highest official at the large data holder as a
privacy protection officer who shall, in addition to the
requirements in paragraph (2), either directly or through a
supervised designee or designees--
(A) establish processes to periodically review and
update the privacy and security policies, practices,
and procedures of the large data holder, as necessary;
(B) conduct biennial and comprehensive audits to
ensure the policies, practices, and procedures of the
large data holder work to ensure the company is in
compliance with all applicable laws and ensure such
audits are accessible to the Commission upon such
request;
(C) develop a program to educate and train
employees about compliance requirements;
(D) maintain updated, accurate, clear, and
understandable records of all privacy and data security
practices undertaken by the large data holder; and
(E) serve as the point of contact between the large
data holder and enforcement authorities.
(d) Large Data Holder Privacy Impact Assessments.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act or 1 year after the date that a covered
entity or service provider first meets the definition of large
data holder, whichever is earlier, and biennially thereafter,
each large data holder shall conduct a privacy impact
assessment that weighs the benefits of the large data holder's
covered data collecting, processing, and transfer practices
against the potential adverse consequences of such practices to
individual privacy.
(2) Assessment requirements.--A privacy impact assessment
required under paragraph (1) shall be--
(A) reasonable and appropriate in scope given--
(i) the nature of the covered data
collected, processed, and transferred by the
large data holder;
(ii) the volume of the covered data
collected, processed, and transferred by the
large data holder; and
(iii) the potential risks posed to the
privacy of individuals by the collecting,
processing, and transfer of covered data by the
large data holder;
(B) documented in written form and maintained by
the large data holder unless rendered out of date by a
subsequent assessment conducted under paragraph (1);
and
(C) approved by the privacy protection officer
designated in subsection (c)(3) of the large data
holder.
(3) Additional factors to include in assessment.--In
assessing the privacy risks, including substantial privacy
risks, the large data holder may include reviews of the means
by which technologies, including blockchain and distributed
ledger technologies and other emerging technologies, are used
to secure covered data.
SEC. 302. SERVICE PROVIDERS AND THIRD PARTIES.
(a) Service Providers.--A service provider--
(1) shall only collect, process, and transfer service
provider data to the extent strictly necessary and
proportionate to provide a service requested by the covered
entity. This paragraph shall not require a service provider to
collect or process covered data if the service provider would
not otherwise do so;
(2) shall not collect, process, or transfer service
provider data if the service provider has actual knowledge that
the covered entity violated this Act with respect to such data;
(3) shall assist a covered entity in fulfilling the covered
entity's obligation to respond to individual rights requests
pursuant to section 203, by appropriate technical and
organizational measures, taking into account the nature of the
processing and the information reasonably available to the
service provider;
(4) may engage another service provider for purposes of
processing service provider data on behalf of a covered entity
only after providing the covered entity that is directing the
services or functions of the service provider with respect to
such service provider data with notice, and pursuant to a
written contract that requires such other service provider to
satisfy the obligations of the service provider with respect to
such service provider data;
(5) shall upon the reasonable request of the covered
entity, make available to the covered entity information
necessary to demonstrate the service provider's compliance with
the obligations in this Act, which may include making available
a report of an independent assessment arranged by the service
provider on terms agreed to by the parties and making the
report required under section 207(c)(2) as applicable;
(6) shall, at the covered entity's direction, delete or
return all covered data to the covered entity as requested at
the end of the provision of services, unless retention of the
covered data is required by law;
(7) shall not transfer service provider data to any person
with the exception of another service provider without the
affirmative express consent, obtained by the covered entity
with the direct relationship to the individual that is
directing the services or functions of the service provider
with respect to the service provider data, of the individual to
whom the service provider data is linked or reasonably
linkable;
(8) shall develop, implement, and maintain reasonable
administrative, technical, and physical safeguards that are
designed to protect the security and confidentiality of covered
data it processes consistent with section 208; and
(9) shall be exempt from the requirements of section 202(d)
with respect to service provider data but shall provide direct
notification regarding material changes to its privacy policy
to each covered entity with which it provides services or
functions as a service provider, in each language that the
privacy policy is made available. Compliance with this
provision does not alleviate any obligations the service
provider has to the covered entity to which it provides
services or functions as a service provider.
(b) Contracts Between Covered Entities and Service Providers.--A
person or entity may act as a service provider pursuant to a written
contract between the covered entity and the service provider, or a
written contract between one service provider and a second service
provider as permitted in section 302(a)(4), provided that the
contract--
(1) governs the service provider's data processing
procedures with respect to processing or transfer performed on
behalf of the covered entity or service provider;
(2) clearly sets forth--
(A) instructions for processing data;
(B) the nature and purpose of processing;
(C) the type of data subject to processing;
(D) the duration of processing; and
(E) the rights and obligations of both parties;
(3) does not relieve a covered entity or a service provider
of an obligation under this Act; and
(4) prohibits--
(A) collecting, processing, or transferring covered
data in contravention to subsection (a); and
(B) combining service provider data with covered
data which the service provider receives from or on
behalf of another person or persons or collects from
its own interaction with an individual. The contract
may, subject to agreement with the service provider,
permit a covered entity to monitor the service
provider's compliance with the contract through
measures including, but not limited to, ongoing manual
reviews and automated scans, and regular assessments,
audits, or other technical and operational testing at
least once every 12 months.
(c) Relationship Between Covered Entities and Service Providers.--
(1) Determining whether a person is acting as a covered
entity or service provider with respect to a specific
processing of data is a fact-based determination that depends
upon the context in which such data is processed.
(2) A covered entity or service provider that transfers
covered data to a service provider, in compliance with the
requirements of this Act, is not liable for a violation of this
Act by the service provider to whom such covered data was
transferred, this Act provided that, at the time of
transferring such covered data, the covered entity or service
provider did not know or have reason to know that the service
provider would likely commit a violation of this Act.
(3) A covered entity or service provider that receives
covered data in compliance with the requirements of this Act is
not in violation of this Act as a result of a violation by a
covered entity or service provider from which it receives such
covered data.
(d) Third Parties.--A third party--
(1) shall not process third-party data for a processing
purpose other than, in the case of sensitive covered data, the
processing purpose for which the individual gave affirmative
express consent and, in the case of non-sensitive data, the
processing purpose for which the covered entity made a
disclosure pursuant to section 204(b)(4);
(2) for purposes of paragraph (1), may reasonably rely on
representations made by the covered entity that transferred the
third-party data, provided that the third party conducts
reasonable due diligence on the representations of the covered
entity and finds those representations to be credible; and
(3) shall be exempt from the requirements of section 204
with respect to third-party data, but shall otherwise have the
same responsibilities and obligations as a covered entity with
respect to such data under all other provisions of this Act.
(e) Additional Obligations on Covered Entities.--
(1) In general.--A covered entity or service provider shall
exercise reasonable due diligence in--
(A) selecting a service provider; and
(B) deciding to transfer covered data to a third
party.
(2) Guidance.--Not later than 2 years after the date of
enactment of this Act, the Commission shall publish guidance
regarding compliance with this subsection, taking into
consideration the burdens on small- and medium-sized covered
entities.
SEC. 303. TECHNICAL COMPLIANCE PROGRAMS.
(a) In General.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate regulations
under section 553 of title 5, United States Code, to establish a
process for the proposal and approval of technical compliance programs
under this section specific to any technology, product, service, or
method used by a covered entity to collect, process, or transfer
covered data.
(b) Scope of Programs.--The technical compliance programs
established under this section shall, with respect to a technology,
product, service, or method used by a covered entity to collect,
process, or transfer covered data--
(1) establish guidelines for compliance with this Act;
(2) meet or exceed the requirements of this Act; and
(3) be made publicly available to any individual whose
covered data is collected, processed, or transferred using such
technology, product, service, or method.
(c) Approval Process.--
(1) In general.--Any request for approval, amendment, or
repeal of a technical compliance program may be submitted to
the Commission by any person, including a covered entity, a
representative of a covered entity, an association of covered
entities, or a public interest group or organization. Within 90
days, the Commission shall publish the request and provide an
opportunity for public comment on the proposal.
(2) Expedited response to requests.--Beginning 1 year after
the date of enactment of this Act, the Commission shall act
upon a request for the proposal and approval of a technical
compliance program not later than 180 days after the filing of
the request, and shall set forth publicly in writing its
conclusions with regard to such request.
(d) Right To Appeal.--Final action by the Commission on a request
for approval, amendment, or repeal of a technical compliance program,
or the failure to act within the 180 day period after a request for
approval, amendment, or repeal of a technical compliance program is
made under subsection (c), may be appealed to a Federal district court
of the United States of appropriate jurisdiction as provided for in
section 702 of title 5, United States Code.
(e) Effect on Enforcement.--
(1) In general.--Prior to commencing an investigation or
enforcement action against any covered entity under this Act,
the Commission and State attorney general shall consider the
covered entity's history of compliance with any technical
compliance program approved under this section and any action
taken by the covered entity to remedy noncompliance with such
program. If such enforcement action described in Sec. 403 is
commenced, the covered entity's history of compliance with any
technical compliance program approved under this section and
any action taken by the covered entity to remedy noncompliance
with such program shall be taken into consideration when
determining liability or a penalty. The covered entity's
history of compliance with any technical compliance program
shall not affect any burden of proof or the weight given to
evidence in an enforcement or judicial proceeding.
(2) Commission authority.--Approval of a technical
compliance program shall not limit the authority of the
Commission, including the Commission's authority to commence an
investigation or enforcement action against any covered entity
under this Act or any other Act.
(3) Rule of construction.--Nothing in this subsection shall
provide any individual, class of individuals, or person with
any right to seek discovery of any non-public Commission
deliberations or activities or impose any pleading requirement
on the Commission should it bring an enforcement action of any
kind.
SEC. 304. COMMISSION APPROVED COMPLIANCE GUIDELINES.
(a) Application for Compliance Guideline Approval.--
(1) In general.--A covered entity that is not a third-party
collecting entity and meets the requirements of section 209, or
a group of such covered entities, may apply to the Commission
for approval of 1 or more sets of compliance guidelines
governing the collection, processing, and transfer of covered
data by the covered entity or group of covered entities.
(2) Application requirements.--Such application shall
include--
(A) a description of how the proposed guidelines
will meet or exceed the requirements of this Act;
(B) a description of the entities or activities the
proposed set of compliance guidelines is designed to
cover;
(C) a list of the covered entities that meet the
requirements of section 209 and are not third-party
collecting entities, if any are known at the time of
application, that intend to adhere to the compliance
guidelines; and
(D) a description of how such covered entities will
be independently assessed for adherence to such
compliance guidelines, including the independent
organization not associated with any of the covered
entities that may participate in guidelines that will
administer such guidelines.
(3) Commission review.--
(A) Initial approval.--
(i) Public comment period.--Within 90 days
after the receipt of proposed guidelines
submitted pursuant to paragraph (2), the
Commission shall publish the proposal and
provide an opportunity for public comment on
such compliance guidelines.
(ii) Approval.--The Commission shall
approve an application regarding proposed
guidelines under paragraph (2) if the applicant
demonstrates that the compliance guidelines--
(I) meet or exceed requirements of
this Act;
(II) provide for the regular review
and validation by an independent
organization not associated with any of
the covered entities that may
participate in the guidelines and that
is approved by the Commission to
conduct such reviews of the compliance
guidelines of the covered entity or
entities to ensure that the covered
entity or entities continue to meet or
exceed the requirements of this Act;
and
(III) include a means of
enforcement if a covered entity does
not meet or exceed the requirements in
the guidelines, which may include
referral to the Commission for
enforcement consistent with section 401
or referral to the appropriate State
attorney general for enforcement
consistent with section 402.
(iii) Timeline.--Within 1 year of receiving
an application regarding proposed guidelines
under paragraph (2), the Commission shall issue
a determination approving or denying the
application and providing its reasons for
approving or denying such application.
(B) Approval of modifications.--
(i) In general.--If the independent
organization administering a set of guidelines
makes material changes to guidelines previously
approved by the Commission, the independent
organization must submit the updated guidelines
to the Commission for approval. As soon as
feasible, the Commission shall publish the
updated guidelines and provide an opportunity
for public comment.
(ii) Timeline.--The Commission shall
approve or deny any material change to the
guidelines within 180 days after receipt of the
submission for approval.
(b) Withdrawal of Approval.--If at any time the Commission
determines that the guidelines previously approved no longer meet the
requirements of this Act or a regulation promulgated under this Act or
that compliance with the approved guidelines is insufficiently enforced
by the independent organization administering the guidelines, the
Commission shall notify the covered entities or group of such entities
and the independent organization of its determination to withdraw
approval of such guidelines and the basis for doing so. Upon receipt of
such notice, the covered entity or group of such entities and the
independent organization may cure any alleged deficiency with the
guidelines or the enforcement of such guidelines within 180 days and
submit the proposed cure or cures to the Commission. If the Commission
determines that such cures eliminate the alleged deficiency in the
guidelines, then the Commission may not withdraw approval of such
guidelines on the basis of such determination.
(c) Deemed Compliance.--A covered entity that is eligible to
participate under subsection (a)(1), and participates, in guidelines
approved under this section shall be deemed in compliance with the
relevant provisions of this Act if it is in compliance with such
guidelines.
SEC. 305. DIGITAL CONTENT FORGERIES.
(a) Reports.--Not later than 1 year after the date of enactment of
this Act, and annually thereafter, the Secretary of Commerce or the
Secretary's designee shall publish a report regarding digital content
forgeries.
(b) Requirements.--Each report under subsection (a) shall include
the following:
(1) A definition of digital content forgeries along with
accompanying explanatory materials, except that the definition
developed pursuant to this section shall not supersede any
other provision of law or be construed to limit the authority
of any Executive agency related to digital content forgeries.
(2) A description of the common sources of digital content
forgeries in the United States and commercial sources of
digital content forgery technologies.
(3) An assessment of the uses, applications, and harms of
digital content forgeries.
(4) An analysis of the methods and standards available to
identify digital content forgeries as well as a description of
the commercial technological counter-measures that are, or
could be, used to address concerns with digital content
forgeries, which may include the provision of warnings to
viewers of suspect content.
(5) A description of the types of digital content
forgeries, including those used to commit fraud, cause harm, or
violate any provision of law.
(6) Any other information determined appropriate by the
Secretary of Commerce or the Secretary's designee.
TITLE IV--ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
SEC. 401. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) New Bureau.--
(1) In general.--The Commission shall establish within the
Commission a new bureau, the Bureau of Privacy, which shall be
comparable in structure, size, organization, and authority to
the existing Bureaus within the Commission related to consumer
protection and competition.
(2) Mission.--The mission of the bureau established under
this subsection shall be to assist the Commission in exercising
the Commission's authority under this Act and related
authorities.
(3) Timeline.--The bureau shall be established, staffed,
and fully operational not later than 1 year after the date of
enactment of this Act.
(b) Office of Business Mentorship.--The Director of the Bureau
established under subsection (a) shall establish within the Bureau an
Office of Business Mentorship to provide guidance and education to
covered entities regarding compliance with this Act. Covered entities
may request advice from the Commission or this office with respect to a
course of action which the covered entity proposes to pursue and which
may relate to the requirements of this Act.
(c) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act or a regulation promulgated under this Act shall be
treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in paragraphs
(3), (4), and (5), the Commission shall enforce this
Act and the regulations promulgated under this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act or a regulation promulgated under
this Act shall be subject to the penalties and entitled
to the privileges and immunities provided in the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(3) Limiting certain actions unrelated to this act.--If the
Commission brings a civil action under this Act alleging that
an act or practice violates this Act or a regulation
promulgated under this Act, the Commission may not seek a cease
and desist order against the same defendant under section 5(b)
of the Federal Trade Commission Act (15 U.S.C. 45(b)) to stop
that same act or practice on the grounds that such act or
practice constitutes an unfair or deceptive act or practice.
(4) Common carriers and nonprofits.--Notwithstanding any
jurisdictional limitation of the Commission with respect to
consumer protection or privacy, the Commission shall enforce
this Act and the regulations promulgated under this Act, in the
same manner provided in paragraphs (1), (2), (3), and (5) of
this subsection, with respect to common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts
amendatory thereof and supplementary thereto; and organizations
not organized to carry on business for their own profit or that
of their members.
(5) Data privacy and security victims relief fund.--
(A) Establishment of victims relief fund.--There is
established in the Treasury of the United States a
separate fund to be known as the ``Privacy and Security
Victims Relief Fund'' (referred to in this paragraph as
the ``Victims Relief Fund'').
(B) Deposits.--The amount of any civil penalty
obtained against any covered entity or service provider
or any other relief ordered to provide redress,
payments or compensation, or other monetary relief to
individuals that cannot be located or the payment of
which would otherwise not be practicable in any
judicial or administrative action to enforce this Act
or a regulation promulgated under this Act shall be
deposited into the Victims Relief Fund.
(C) Use of fund amounts.--
(i) Availability to the commission.--
Notwithstanding section 3302 of title 31,
United States Code, amounts in the Victims
Relief Fund shall be available to the
Commission, without fiscal year limitation, to
provide redress, payments or compensation, or
other monetary relief to individuals affected
by an act or practice for which relief has been
obtained under this Act.
(ii) Other permissible uses.--To the extent
that individuals cannot be located or such
redress, payments or compensation, or other
monetary relief are otherwise not practicable,
the Commission may use such funds for the
purpose of--
(I) funding the activities of the
Office of Business Mentorship
established under subsection (b); or
(II) engaging in technological
research that the Commission considers
necessary to enforce or administer this
Act.
SEC. 402. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) Civil Action.--In any case in which the attorney general of a
State or State Privacy Authority has reason to believe that an interest
of the residents of that State has been, may be, or is adversely
affected by the engagement of any covered entity or service provider
in an act or practice that has violated this Act or a regulation
promulgated under this Act, the attorney general of the State, or State
Privacy Authority, may bring a civil action in the name of the State,
or as parens patriae on behalf of the residents of the State. Any such
action shall be brought exclusively in an appropriate Federal district
court of the United States to--
(1) enjoin that act or practice;
(2) enforce compliance with this Act or the regulation;
(3) obtain damages, civil penalties, restitution, or other
compensation on behalf of the residents of the State; or
(4) reasonable attorneys' fees and other litigation costs
reasonably incurred.
(b) Rights of the Commission.--
(1) In general.--Except where not feasible, the attorney
general of a State or State Privacy Authority shall notify the
Commission in writing prior to initiating a civil action under
subsection (a). Such notice shall include a copy of the
complaint to be filed to initiate such action. Upon receiving
such notice, the Commission may intervene in such action as of
right pursuant to the Federal Rules of Civil Procedure.
(2) Notification timeline.--Where it is not feasible for
the attorney general of a State or State Privacy Authority to
provide the notification required by paragraph (1) before
initiating a civil action under subsection (a), the attorney
general of a State or State Privacy Authority shall notify the
Commission immediately after initiating the civil action.
(c) Actions by the Commission.--In any case in which a civil action
is instituted by or on behalf of the Commission for violation of this
Act or a regulation promulgated under this Act, no attorney general or
State Privacy Authority may, during the pendency of such action,
institute a civil action against any defendant named in the complaint
in the action instituted by or on behalf of the Commission for
violation of this Act or a regulation promulgated under this Act that
is alleged in such complaint, if the Commission's complaint alleges
such violations affected the residents of the relevant State or
individuals nationwide. In a case brought by the Commission that
affects the interests of a State, an attorney general of such State or
State Privacy Authority may intervene as of right pursuant to the
Federal Rules of Civil Procedure.
(d) Rule of Construction.--Nothing in this section shall be
construed to prevent the attorney general of a State or State Privacy
Authority from exercising the powers conferred on the attorney general
or State Privacy Authority to conduct investigations, to administer
oaths or affirmations, or to compel the attendance of witnesses or the
production of documentary or other evidence.
(e) Preservation of State Powers.--Except as provided in subsection
(c), no provision of this section shall be construed as altering,
limiting, or affecting the authority of a State attorney general or
State Privacy Authority to--
(1) bring an action or other regulatory proceeding arising
solely under the laws in effect in that State; or
(2) exercise the powers conferred on the attorney general
or State Privacy Authority by the laws of the State, including
the ability to conduct investigations, administer oaths or
affirmations, or compel the attendance of witnesses or the
production of documentary or other evidence.
SEC. 403. ENFORCEMENT BY INDIVIDUALS.
(a) Enforcement by Individuals.--
(1) In general.--Beginning 4 years after the date on which
this Act takes effect, any individual who suffers an injury
that could be addressed by the relief permitted in paragraph
(2) for a violation of this Act or a regulation promulgated
under this Act by a covered entity may bring a civil action
against such entity in any Federal court of competent
jurisdiction.
(2) Relief.--In a civil action brought under paragraph (1)
in which the plaintiff prevails, the court may award the
plaintiff--
(A) an amount equal to the sum of any actual
damages sustained;
(B) injunctive relief; and
(C) reasonable attorney's fees and litigation
costs.
(3) Rights of the commission and state attorneys general.--
(A) In general.--Prior to an individual bringing a
civil action under paragraph (1), such individual must
first notify the Commission and the attorney general of
the State of the individual's residence in writing
outlining their desire to commence a civil action. Upon
receiving such notice, the Commission and State
attorney general shall make a determination, not later
than 60 days after receiving such notice, as to whether
they will independently seek to intervene in such
action, and upon intervening--
(i) be heard on all matters arising in such
action; and
(ii) file petitions for appeal of a
decision in such action.
(B) Bad faith.--Any written communication
requesting a monetary payment that is sent to a covered
entity shall be considered to have been sent in bad
faith and shall be unlawful as defined in this Act, if
the written communication was sent:
(i) Prior to the date that is 60 days after
either a State attorney general or the
Commission has received the notice required
under subparagraph (A).
(ii) After the Commission or attorney
general of a State made the determination to
independently seek civil actions against such
entity as outlined in subparagraph (A).
(4) FTC study.--Beginning on the date that is 5 years after
the date of enactment of this Act, the Commission's Bureau of
Economics shall conduct an annual study to determine the
economic impacts in the United States of demand letters and the
scope of the rights of an individual to bring forth civil
actions against covered entities. Such study shall include, but
not be limited to, the following:
(A) The impact on increasing insurance rates in the
United States.
(B) The impact on the ability of covered entities
to offer new products or services.
(C) The impact on the creation and growth of
startup companies, including tech startup companies.
(D) Any emerging risks and long-term trends in
relevant marketplaces, supply chains, and labor
availability.
(5) Report to congress.--Not later than 1 year after the
first day on which individuals are able to bring civil actions
under this subsection, and annually thereafter, the Commission
shall submit to the Committee on Energy and Commerce of the
House of Representatives and the Committee on Commerce,
Science, and Transportation of the Senate a report that
contains the results of the study conducted under paragraph
(4).
(b) Pre-Dispute Arbitration Agreements and Pre-Dispute Joint-Action
Waivers Related to Individuals Under the Age of 18.--
(1) Arbitration.--Except as provided in section 303(d), and
notwithstanding any other provision of law, no agreement for
pre-dispute arbitration with respect to an individual under the
age of 18 may limit any of the rights provided in this Act.
(2) Joint-action waivers.--Notwithstanding any other
provision of law, no agreement for pre-dispute joint-action
waiver with respect to an individual under the age of 18 may
limit any of the rights provided in this Act.
(3) Definitions.--For purposes of this subsection:
(A) Pre-dispute arbitration agreement.--The term
``pre-dispute arbitration agreement'' means any
agreement to arbitrate a dispute that has not arisen at
the time of the making of the agreement.
(B) Pre-dispute joint-action waiver.--The term
``pre-dispute joint-action waiver'' means an agreement,
whether or not part of a pre-dispute arbitration
agreement, that would prohibit or waive the right of 1
of the parties to the agreement to participate in a
joint, class, or collective action in a judicial,
arbitral, administrative, or other forum, concerning a
dispute that has not yet arisen at the time of the
making of the agreement.
(c) Right To Cure.--
(1) Notice.--Subject to paragraph (3), any action under
this section may be brought by an individual if, prior to
initiating such action against a covered entity for injunctive
relief or against a covered entity that meets the requirements
of section 210(c) for any form of relief the individual
provides to the covered entity 45 days' written notice
identifying the specific provisions of this Act the individual
alleges have been or are being violated.
(2) Effect of cure.--In the event a cure is possible, if
within the 45 days the covered entity cures the noticed
violation and provides the individual an express written
statement that the violation has been cured and that no further
violations shall occur, an action for injunctive relief may be
reasonably dismissed.
(d) Demand Letter.--If an individual or a class of individuals
sends correspondence to a covered entity alleging a violation of the
provisions of this Act and requesting a monetary payment, such
correspondence shall include the following language: ``Please visit the
website of the Federal Trade Commission to understand your rights
pursuant to this letter'' followed by a hyperlink to the web page of
the Commission required under section 201. If such correspondence does
not include such language and hyperlink, the individual or joint class
of individuals shall forfeit their rights under this section.
(e) Applicability.--This section shall only apply to any claim
alleging a violation of section 102, 104, 202, 203, 204, 205(a),
205(b), 206(c)(3)(D), 207(a), 208(a), or 302 for which relief described
in subsection (a)(2) may be granted.
SEC. 404. RELATIONSHIP TO FEDERAL AND STATE LAWS.
(a) Federal Law Preservation.--
(1) In general.--Nothing in this Act or a regulation
promulgated under this Act shall be construed to limit--
(A) the authority of the Commission, or any other
Executive agency, under any other provision of law;
(B) any requirement for a common carrier subject to
section 64.2011 of title 47, Code of Federal
Regulations, regarding information security breaches;
or
(C) any other provision of Federal law unless
specifically authorized by this Act.
(2) Applicability of other privacy requirements.--A covered
entity that is required to comply with title V of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational
Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34,
Code of Federal Regulations), or the regulations promulgated
pursuant to section 264(c) of the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C. 1320d-2 note), and is
in compliance with the data privacy requirements of such
regulations, part, title, or Act (as applicable), shall be
deemed to be in compliance with the related requirements of
this title, except for section 208, with respect to data
subject to the requirements of such regulations, part, title,
or Act. Not later than 1 year after the date of enactment of
this Act, the Commission shall issue guidance describing the
implementation of this paragraph.
(3) Applicability of other data security requirements.--A
covered entity that is required to comply with title V of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health
Information Technology for Economic and Clinical Health Act (42
U.S.C. 17931 et seq.), part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.), or the regulations
promulgated pursuant to section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
note), and is in compliance with the information security
requirements of such regulations, part, title, or Act (as
applicable), shall be deemed to be in compliance with the
requirements of section 208 with respect to data subject to the
requirements of such regulations, part, title, or Act. Not
later than 1 year after the date of enactment of this Act, the
Commission shall issue guidance describing the implementation
of this paragraph.
(b) Preemption of State Laws.--
(1) In general.--No State or political subdivision of a
State may adopt, maintain, enforce, or continue in effect any
law, regulation, rule, standard, requirement, or other
provision having the force and effect of law of any State, or
political subdivision of a State, covered by the provisions of
this Act, or a rule, regulation, or requirement promulgated
under this Act.
(2) State law preservation.--Paragraph (1) shall not be
construed to preempt, displace, or supplant the following State
laws, rules, regulations, or requirements:
(A) Consumer protection laws of general
applicability such as laws regulating deceptive,
unfair, or unconscionable practices.
(B) Civil rights laws.
(C) Laws that govern the privacy rights or other
protections of employees, employee information,
students, or student information.
(D) Laws that address notification requirements in
the event of a data breach.
(E) Contract or tort law.
(F) Criminal laws governing fraud, theft, including
identity theft, unauthorized access to information or
electronic devices, or unauthorized use of information,
malicious behavior, or similar provisions, or laws of
criminal procedure.
(G) Criminal or civil laws regarding cyberstalking,
cyberbullying, nonconsensual pornography, or sexual
harassment.
(H) Public safety or sector specific laws unrelated
to privacy or security.
(I) Laws that address public records, criminal
justice information systems, arrest records, mug shots,
conviction records, or non-conviction records.
(J) Laws that address banking records, financial
records, tax records, Social Security numbers, credit
cards, credit reporting and investigations, credit
repair, credit clinics, or check-cashing services.
(K) Laws that solely address facial recognition or
facial recognition technologies, electronic
surveillance, wiretapping, or telephone monitoring.
(L) The Biometric Information Privacy Act (740 ILCS
14 et seq.) and the Genetic Information Privacy Act
(410 ILCS et seq.).
(M) Laws to address unsolicited email messages,
telephone solicitation, or caller ID.
(N) Laws that address health information, medical
information, medical records, HIV status, or HIV
testing.
(O) Laws that address the confidentiality of
library records.
(P) Section 1798.150 of the California Civil Code
(as amended on November 3, 2020, by initiative
Proposition 24, section 16).
(3) Nonapplication of fcc privacy laws and regulations to
covered entities.--Notwithstanding any other provision of law,
sections 222, 338(i), and 631 of the Communications Act of
1934, as amended (47 U.S.C. 222, 338(i), and 551), and any
regulation promulgated by the Federal Communications Commission
under such sections, shall not apply to any covered entity with
respect to the collecting, processing, or transferring of
covered data under this Act.
(c) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this Act, nor any amendment, standard, rule,
requirement, assessment, law, or regulation promulgated under this Act,
shall be construed to preempt, displace, or supplant any Federal or
State common law rights or remedies, or any statute creating a remedy
for civil relief, including any cause of action for personal injury,
wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of the
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law, except that the fact of a
violation of this Act shall not be pleaded as an element of any such
cause of action.
SEC. 405. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act and
the application of such provision to other persons not similarly
situated or to other circumstances shall not be affected by the
invalidation.
SEC. 406. COPPA.
(a) In General.--Nothing in this Act shall be construed to relieve
or change any obligations that a covered entity or another person may
have under the Children's Online Privacy Protection Act of 1998 (15
U.S.C. 6501 et seq.).
(b) Updated Regulations.--Not later than 180 days after the
enactment of this Act, the Commission shall amend its rules issued
pursuant to the Children's Online Privacy Protection Act of 1998 (15
U.S.C. 6501 et seq.) to make reference to the additional requirements
placed on covered entities under this Act, in addition to those already
enacted under the Children's Online Privacy Protection Act of 1998 that
may already apply to some of such covered entities.
SEC. 407. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Commission such sums
as necessary to carry out this Act.
SEC. 408. EFFECTIVE DATE.
Except as otherwise provided, this Act shall take effect on the
date that is 180 days after the date of enactment of this Act.