[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8543 Introduced in House (IH)]
<DOC>
117th CONGRESS
2d Session
H. R. 8543
To require notice regarding the collection of ambient noise by certain
internet-connected devices, to limit the disclosure and retention of
information collected through such noise, and to require a mechanism by
which such collection may be deactivated and reactivated, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 27, 2022
Mr. Scalise introduced the following bill; which was referred to the
Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To require notice regarding the collection of ambient noise by certain
internet-connected devices, to limit the disclosure and retention of
information collected through such noise, and to require a mechanism by
which such collection may be deactivated and reactivated, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Earning Approval of Voice External
Sound Databasing Retained on People Act'' or the ``EAVESDROP Act''.
SEC. 2. NOTICES REQUIRED FOR COLLECTION OF AMBIENT NOISE BY COVERED
DEVICE.
(a) One-Time Notice at First Power-On.--A manufacturer of a covered
device shall provide to the user who powers on the device for the first
time a notice that contains--
(1) a description of how and under what circumstances
covered information is collected by the manufacturer through
the covered device; and
(2) a description of the purposes for which the
manufacturer processes such covered information, including--
(A) a description of how long and the circumstances
under which the manufacturer retains such covered
information; and
(B) whether the manufacturer discloses such covered
information to third parties or processes such covered
information for targeted advertising.
(b) Notice When Material Change to Operating System or Firmware.--
When there is a material change to the operating system or firmware of
a covered device, the manufacturer of the covered device shall provide
a notice that the covered device collects covered information. Such
notice shall include--
(1) a statement informing the user that the covered device
is collecting covered information;
(2) a description of--
(A) the covered information collected by the
manufacturer through the covered device; and
(B) the covered information collected by the
manufacturer through the covered device that the
manufacturer processes; and
(3) instructions on how an owner of the covered device can
deactivate the collection of covered information by the covered
device using the mechanism required by section 3.
(c) Form.--The notices required by subsections (a) and (b)--
(1) shall be provided electronically in--
(A) audio format; and
(B) text format, which may include providing a link
to a website or other means for accessing the notices
online;
(2) shall be clear, easily understood, and provided in
plain and concise language; and
(3) when a covered device is powered on for the first time,
may be provided to the user as a single, combined notice.
(d) Subsequent Availability of Information Provided in Notices.--
The manufacturer of a covered device shall ensure that the notices
required by subsections (a) and (b) are accessible at any time after
being provided under such subsections.
SEC. 3. DEACTIVATION AND REACTIVATION OF COLLECTION OF AMBIENT NOISE.
A manufacturer of a covered device shall provide a reasonable and
easy mechanism by which an owner of the device may--
(1) deactivate the ability of the device to collect covered
information; and
(2) if the ability of the device to collect covered
information has been deactivated under paragraph (1),
reactivate such ability.
SEC. 4. AUTHORIZED DISCLOSURES OF COVERED INFORMATION.
(a) In General.--A manufacturer of a covered device may disclose
covered information to a third party only if the manufacturer is acting
in good faith and only for the following purposes:
(1) To respond to or comply with a valid subpoena, court
order, or warrant (including a subpoena or court order obtained
by a person that is not a government entity), or to provide
information as otherwise required by law.
(2) To respond to a circumstance that would cause a
reasonable person to believe that disclosure of the covered
information to the third party is necessary to prevent physical
harm to an individual.
(b) Notice of Disclosure.--
(1) Requirement.--Unless prohibited by law, a manufacturer
of a covered device shall notify a user of such device whose
covered information is disclosed to a third party by such
manufacturer.
(2) Contents.--The notice required by paragraph (1) shall
include--
(A) a description of the covered information
disclosed;
(B) a justification for the necessity of the
disclosure; and
(C) the name of the third party to which the
manufacturer disclosed the covered information.
(3) Timing.--The notice required by paragraph (1) shall be
provided to the user not later than 7 days after such notice
can be legally, safely, and practicably provided.
(4) Form.--The notice required by paragraph (1) shall be
provided to the user in a written form (such as by mail or e-
mail), if the manufacturer has the necessary contact
information for the user. If the manufacturer does not have
such contact information, the manufacturer shall provide such
notice in a manner consistent with how a typical user interacts
with the covered device.
(5) Rule of construction.--Nothing in this subsection shall
be construed to require a manufacturer of a covered device to--
(A) take an action that would convert information
that is not covered information into covered
information;
(B) collect or retain information that the
manufacturer would otherwise not collect or retain; or
(C) retain covered information longer than the
manufacturer would otherwise retain such information.
SEC. 5. RETENTION OF COVERED INFORMATION.
A manufacturer of a covered device may not retain covered
information for longer than is reasonably necessary for the express
purposes for which the covered information is collected.
SEC. 6. SAFE HARBOR.
(a) Deemed Compliance.--A manufacturer of a covered device shall be
deemed to be in compliance with the requirements of this Act if such
manufacturer complies with a set of self-regulatory guidelines, issued
by representatives of the marketing or covered devices industries, or
by other persons, that is approved under subsection (b).
(b) Approval of Guidelines.--
(1) In general.--Not later than 180 days after receiving a
request for approval of a set of self-regulatory guidelines
described in subsection (a), after notice and comment, the
Commission shall--
(A) if the Commission determines that such set of
guidelines meets the requirements of this Act, approve
such set of guidelines; and
(B) if the Commission determines that such set of
guidelines does not meet the requirements of this Act,
deny approval of such set of guidelines.
(2) Written conclusions.--The Commission shall set forth in
writing its conclusions relating to a determination under
paragraph (1).
(c) Appeals.--Final action by the Commission on a request for
approval of a set of self-regulatory guidelines described in subsection
(a), or the failure of the Commission to act on such a request by the
time required by subsection (b)(1), may be appealed to a district court
of the United States of appropriate jurisdiction as provided for in
section 706 of title 5, United States Code.
SEC. 7. ENFORCEMENT.
(a) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this Act shall be treated as a violation of a rule defining an
unfair or deceptive act or practice prescribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(2) Actions by the commission.--The Commission shall
enforce this Act in the same manner, by the same means, and
with the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade Commission
Act (15 U.S.C. 41 et seq.) were incorporated into and made a
part of this Act, and any person who violates this Act shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act.
(b) Enforcement by State Attorneys General.--
(1) In general.--If the attorney general of a State has
reason to believe that any person has committed or is
committing a violation of this Act that affects one or more
residents of such State, such attorney general may bring a
civil action exclusively in an appropriate district court of
the United States to--
(A) enjoin further such violation by the defendant;
(B) enforce compliance with this Act;
(C) obtain civil penalties in the amount provided
for under subsection (a);
(D) obtain other remedies permitted under State
law; or
(E) obtain damages, restitution, or other
compensation on behalf of residents of such State.
(2) Rule of construction.--For purposes of bringing a civil
action under paragraph (1), nothing in this subsection may be
construed to prevent the attorney general of a State from
exercising the powers conferred on such attorney general by the
laws of such State to conduct investigations, administer oaths
or affirmations, or compel the attendance of witnesses or the
production of documentary and other evidence.
(3) Actions by other state officials.--
(A) In general.--In addition to civil actions
brought by attorneys general under paragraph (1), any
other officer of a State who is authorized by such
State to do so, except for any private person on behalf
of such State, may bring a civil action under paragraph
(1), subject to the same requirements and limitations
that apply under this subsection to civil actions
brought by attorneys general.
(B) Savings provision.--Nothing in this subsection
may be construed to prohibit an authorized official of
a State from initiating or continuing any proceeding in
a court of such State for a violation of any civil or
criminal law of such State.
SEC. 8. DEFINITIONS.
In this Act:
(1) Ambient noise.--The term ``ambient noise'' means human
dialogue or any other sound that occurs in the range of the
microphone of a covered device, other than during a period
that--
(A) begins when a user of the device says a wake
word or uses another mechanism (such as pressing a
button on the device) to activate any electronic
function of the device; and
(B) ends--
(i) when the performance of the task or
assistance requested by the user has been
completed; or
(ii) if the user activates an electronic
function of the device as described in
subparagraph (A) but does not request the
performance of a task or assistance within a
reasonable time thereafter, at the expiration
of such reasonable time.
(2) Collect.--The term ``collect'' means, with respect to
covered information, obtaining such information in any manner,
except when solely transmitting, routing, providing
intermediate storage for, or providing connections for such
covered information through a system or network.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Contents.--The term ``contents'', when used with
respect to a communication, has the meaning given such term in
section 2510 of title 18, United States Code.
(5) Covered device.--The term ``covered device''--
(A) means an internet-connected device--
(i) a component of which is a microphone;
and
(ii) that collects covered information; and
(B) does not include any device that is solely
marketed as a microphone.
(6) Covered information.--The term ``covered information''
means any information (including contents of a communication,
date of birth, sex, height, weight, and geolocation
information) that--
(A) is obtained through the collection of ambient
noise by a covered device; and
(B) is linked or reasonably linkable to an
individual.
(7) Data broker.--The term ``data broker'' means a person
whose principal source of revenue is derived from processing or
transferring the covered information of individuals with whom
the person does not have a direct relationship on behalf of
third parties and for the use of third parties.
(8) Disclose.--The term ``disclose'' means, with respect to
covered information, to sell, release, transfer, share,
disseminate, make available, or otherwise communicate or cause
to be communicated such information to a third party.
(9) Government entity.--The term ``government entity''
means a Federal agency, State, local government, or other
organization, as such terms are defined in section 3371 of
title 5, United States Code.
(10) Material.--The term ``material'' means, with respect
to a change to the operating system or firmware of a covered
device, that--
(A) the change affects the treatment of covered
information by the covered device or the manufacturer;
and
(B) knowledge of the change may affect the decision
of an average consumer of whether or not to continue
using the device.
(11) Owner.--The term ``owner'' means, with respect to a
covered device, any individual who is in possession of the
device.
(12) Process.--The term ``process'' means to perform or
cause to be performed any operation or set of operations on
covered information, whether or not by automated means.
(13) Retain.--The term ``retain'' means, with respect to
covered information, to store, secure, or otherwise maintain or
cause the maintenance of such information.
(14) Service provider.--
(A) In general.--The term ``service provider''
means a person who collects, uses, or discloses covered
information for the sole purpose of, and only to the
extent that such person is, conducting business
activities on behalf of, for the benefit of, under
instruction of, and under contractual agreement with
another person.
(B) Limitation of application.--A person shall only
be considered a service provider in the course of
activities described in subparagraph (A).
(C) Exclusion.--The term ``service provider'' does
not include a data broker.
(15) State.--The term ``State'' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.
(16) Third party.--The term ``third party'' means, with
respect to a person, another person (including a government
entity) that--
(A) does not (directly or indirectly) control, is
not (directly or indirectly) controlled by, and is not
(directly or indirectly) under common control with the
first person; and
(B) is not a service provider of the first person.
(17) Wake word.--The term ``wake word'' means a word or
phrase used to initiate an electronic function of a covered
device.
SEC. 9. EFFECTIVE DATE.
This Act (except for section 6) shall take effect--
(1) if the Commission first approves a set of self-
regulatory guidelines under section 6 before the date that is 1
year after the date of the enactment of this Act, on the date
that is 1 year after the date of the enactment of this Act;
(2) if the Commission first approves a set of self-
regulatory guidelines under section 6 on or after the date that
is 1 year after the date of the enactment of this Act but
before the date that is 2 years after the date of the enactment
of this Act, on the date on which the Commission approves such
set of guidelines; or
(3) if the Commission does not approve a set of self-
regulatory guidelines under section 6 before the date that is 2
years after the date of the enactment of this Act, on the date
that is 2 years after the date of the enactment of this Act.
<all>