[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 919 Introduced in Senate (IS)]
117th CONGRESS
1st Session
S. 919
To establish duties for online service providers with respect to end
user data that such providers collect and use.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 23, 2021
Mr. Schatz (for himself, Ms. Cortez Masto, Mr. Sanders, Mr. Merkley,
Ms. Hassan, Ms. Baldwin, Mr. Booker, Mr. Murphy, Mr. Durbin, Ms.
Klobuchar, Mr. Bennet, Ms. Duckworth, Mrs. Murray, Mr. Markey, Mr. Van
Hollen, Mr. Heinrich, Ms. Smith, and Mr. Manchin) introduced the
following bill; which was read twice and referred to the Committee on
Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To establish duties for online service providers with respect to end
user data that such providers collect and use.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Care Act of 2021''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) End user.--The term ``end user'' means an individual
who engages with an online service provider or logs into or
uses services provided by the online service provider over the
internet or any other digital network.
(3) Individual identifying data.--The term ``individual
identifying data'' means any data that is--
(A) collected over the internet or any other
digital network; and
(B) linked, or reasonably linkable, to--
(i) a specific end user; or
(ii) a computing device that is associated
with or routinely used by an end user.
(4) Online service provider.--The term ``online service
provider'' means an entity that--
(A) is engaged in interstate commerce over the
internet or any other digital network; and
(B) in the course of business, collects individual
identifying data about end users, including in a manner
that is incidental to the business conducted.
(5) Sensitive data.--The term ``sensitive data'' means any
data that includes--
(A) a social security number;
(B) personal information (as defined in section
1302 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6501)) collected from a child (as
defined in such section 1302);
(C) a driver's license number, passport number,
military identification number, or any other similar
number issued on a government document used to verify
identity;
(D) a financial account number, credit or debit
card number, or any required security code, access
code, or password that is necessary to permit access to
a financial account of an individual;
(E) unique biometric data such as a finger print,
voice print, a retina or iris image, or any other
unique physical representation;
(F) information sufficient to access an account of
an individual, such as user name and password or email
address and password;
(G) the first and last name of an individual, or
first initial and last name, or other unique identifier
in combination with--
(i) the month, day, and year of birth of
the individual;
(ii) the maiden name of the mother of the
individual; or
(iii) the past or present precise
geolocation of the individual;
(H) information that relates to--
(i) the past, present, or future physical
or mental health or condition of an individual;
or
(ii) the provision of health care to an
individual; and
(I) the nonpublic communications or other nonpublic
user-created content of an individual.
SEC. 3. PROVIDER DUTIES.
(a) In General.--An online service provider shall fulfill the
duties of care, loyalty, and confidentiality under paragraphs (1), (2),
and (3), respectively, of subsection (b).
(b) Duties.--
(1) Duty of care.--An online service provider shall--
(A) reasonably secure individual identifying data
from unauthorized access; and
(B) subject to subsection (d), promptly inform an
end user of any breach of the duty described in
subparagraph (A) of this paragraph with respect to
sensitive data of that end user.
(2) Duty of loyalty.--An online service provider may not
use individual identifying data, or data derived from
individual identifying data, in any way that--
(A) will benefit the online service provider to the
detriment of an end user; and
(B)(i) will result in reasonably foreseeable and
material physical or financial harm to an end user; or
(ii) would be unexpected and highly offensive to a
reasonable end user.
(3) Duty of confidentiality.--An online service provider--
(A) may not disclose or sell individual identifying
data to, or share individual identifying data with, any
other person except as consistent with the duties of
care and loyalty under paragraphs (1) and (2),
respectively;
(B) may not disclose or sell individual identifying
data to, or share individual identifying data with, any
other person unless that person enters into a contract
with the online service provider that imposes on the
person the same duties of care, loyalty, and
confidentiality toward the applicable end user as are
imposed on the online service provider under this
subsection; and
(C) shall take reasonable steps to ensure that the
practices of any person to whom the online service
provider discloses or sells, or with whom the online
service provider shares, individual identifying data
fulfill the duties of care, loyalty, and
confidentiality assumed by the person under the
contract described in subparagraph (B), including by
auditing, on a regular basis, the data security and
data information practices of any such person.
(c) Application of Duties to Third Parties.--If an online service
provider transfers or otherwise provides access to individual
identifying data to another person, the requirements of paragraphs (1),
(2), and (3) of subsection (b) shall apply to such person with respect
to such data in the same manner that such requirements apply to the
online service provider.
(d) Expansion of Duty To Inform Regarding Breaches.--The Commission
may promulgate regulations under section 553 of title 5, United States
Code, to apply the breach notification requirement under subsection
(b)(1)(B) with respect to specific categories of individual identifying
data other than sensitive data, as the Commission determines necessary.
(e) Exceptions.--
(1) Regulations.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, to exempt
categories of online service providers or persons described in
subsection (c) from the requirement under subsection (a) or
subsection (c) (as applicable).
(2) Considerations.--In promulgating regulations under
paragraph (1), the Commission shall consider, among other
factors--
(A) the privacy risks posed by the use of
individual identifying data by an online service
provider or person described in subsection (c) based
on--
(i) the size of the provider or person;
(ii) the complexity of the offerings of the
provider;
(iii) the nature and scope of the
activities of the provider or person; and
(iv) the sensitivity of the consumer
information handled by the provider or person;
and
(B) the costs and benefits of applying the
requirement under subsection (a) or subsection (c) (as
applicable) to online service providers or persons with
particular combinations of characteristics considered
under subparagraph (A) of this paragraph.
SEC. 4. ENFORCEMENT.
(a) Enforcement by Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 3 by an online service provider or a person described
in section 3(c) shall be treated as a violation of a rule
defining an unfair or deceptive act or practice prescribed
under section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)).
(2) Powers of commission.--
(A) In general.--Except as provided in subparagraph
(C), the Commission shall enforce this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Except as provided
in subparagraph (C), any person who violates section 3
shall be subject to the penalties and entitled to the
privileges and immunities provided in the Federal Trade
Commission Act (15 U.S.C. 41 et seq.).
(C) Nonprofit organizations and common carriers.--
Notwithstanding section 4 or 5(a)(2) of the Federal
Trade Commission Act (15 U.S.C. 44, 45(a)(2)) or any
jurisdictional limitation of the Commission, the
Commission shall also enforce this Act, in the same
manner provided in subparagraphs (A) and (B) of this
paragraph, with respect to--
(i) organizations not organized to carry on
business for their own profit or that of their
members; and
(ii) common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et
seq.).
(3) Rulemaking authority.--The Commission shall promulgate
regulations under this Act in accordance with section 553 of
title 5, United States Code.
(b) Enforcement by States.--
(1) Authorization.--Subject to paragraph (3), in any case
in which the attorney general of a State has reason to believe
that an interest of the residents of the State has been or is
threatened or adversely affected by the engagement of an online
service provider or a person described in section 3(c) in a
practice that violates section 3, the attorney general of the
State may, as parens patriae, bring a civil action against the
online service provider or person on behalf of the residents of
the State in an appropriate district court of the United States
to obtain appropriate relief, including civil penalties in the
amount determined under paragraph (2).
(2) Civil penalties.--An online service provider or person
described in section 3(c) that is found, in an action brought
under paragraph (1), to have knowingly or repeatedly violated
section 3 shall, in addition to any other penalty otherwise
applicable to a violation of section 3, be liable for a civil
penalty equal to the amount calculated by multiplying--
(A) the greater of--
(i) the number of days during which the
online service provider or person was not in
compliance with that section; or
(ii) the number of end users who were
harmed as a result of the violation, by
(B) an amount not to exceed the maximum civil
penalty for which a person, partnership, or corporation
may be liable under section 5(m)(1)(A) of the Federal
Trade Commission Act (15 U.S.C. 45(m)(1)(A)) (including
any adjustments for inflation).
(3) Rights of federal trade commission.--
(A) Notice to federal trade commission.--
(i) In general.--Except as provided in
clause (iii), the attorney general of a State
shall notify the Commission in writing that the
attorney general intends to bring a civil
action under paragraph (1) before initiating
the civil action.
(ii) Contents.--The notification required
under clause (i) with respect to a civil action
shall include a copy of the complaint to be
filed to initiate the civil action.
(iii) Exception.--If it is not feasible for
the attorney general of a State to provide the
notification required under clause (i) before
initiating a civil action under paragraph (1),
the attorney general shall notify the
Commission immediately upon instituting the
civil action.
(B) Intervention by federal trade commission.--The
Commission may--
(i) intervene in any civil action brought
by the attorney general of a State under
paragraph (1); and
(ii) upon intervening--
(I) be heard on all matters arising
in the civil action; and
(II) file petitions for appeal of a
decision in the civil action.
(4) Investigatory powers.--Nothing in this subsection may
be construed to prevent the attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of the State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary or other evidence.
(5) Preemptive action by federal trade commission.--If the
Commission institutes a civil action or an administrative
action with respect to a violation of section 3, the attorney
general of a State may not, during the pendency of the action,
bring a civil action under paragraph (1) against any defendant
named in the complaint of the Commission based on the same set
of facts giving rise to the alleged violation with respect to
which the Commission instituted the action.
(6) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in--
(i) the district court of the United States
that meets applicable requirements relating to
venue under section 1391 of title 28, United
States Code; or
(ii) another court of competent
jurisdiction.
(B) Service of process.--In an action brought under
paragraph (1), process may be served in any district in
which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(7) Actions by other state officials.--
(A) In general.--In addition to civil actions
brought by attorneys general under paragraph (1), any
other consumer protection officer of a State who is
authorized by the State to do so may bring a civil
action under paragraph (1), subject to the same
requirements and limitations that apply under this
subsection to civil actions brought by attorneys
general.
(B) Savings provision.--Nothing in this subsection
may be construed to prohibit an authorized official of
a State from initiating or continuing any proceeding in
a court of the State for a violation of any civil or
criminal law of the State.
SEC. 5. NONENFORCEABILITY OF CERTAIN PROVISIONS WAIVING RIGHTS AND
REMEDIES.
The rights and remedies provided under this Act may not be waived
or limited by contract or otherwise.
SEC. 6. RELATION TO OTHER PRIVACY AND SECURITY LAWS.
Nothing in this Act may be construed to--
(1) modify, limit, or supersede the operation of any
privacy or security provision in any other Federal or State
statute or regulation; or
(2) limit the authority of the Commission under any other
provision of law.
SEC. 7. EFFECTIVE DATE.
(a) In General.--This Act shall take effect on the date of
enactment of this Act.
(b) Applicability.--Section 3 shall apply with respect to an online
service provider or person described in section 3(c) on and after the
date that is 180 days after the date of enactment of this Act.