[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3045 Introduced in House (IH)]
118th CONGRESS
1st Session
H. R. 3045
To affirm user ownership of their data, prohibit entities from
requiring the transfer or monetization of private data in exchange for
services, prohibit the collection of third-party contact information
without written consent, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 2, 2023
Mr. Cloud introduced the following bill; which was referred to the
Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To affirm user ownership of their data, prohibit entities from
requiring the transfer or monetization of private data in exchange for
services, prohibit the collection of third-party contact information
without written consent, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``You Own the Data Act'' or ``YODA''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) Governments exist to protect individual rights to life,
liberty, and property.
(2) The protection of civil liberties, including the rights
to private property and privacy from unwarranted searches and
seizures, is one of the hallmarks of a free society.
(3) It is appropriate for Congress to enact laws to protect
individuals from data collection by third parties.
(4) Data is the property of the user, as the user creates
the data.
(5) A user maintains ownership of the data of such user,
even when such data is sold or leased with the consent of such
user.
(6) Technology should empower the individual and the
productivity of the individual.
(7) Individuals should have reasonable access to and use of
popularly available consumer technologies without abdicating
the rights of such individuals to privacy and anonymity.
SEC. 3. PROHIBITION ON SHARING USER CONTACTS WITHOUT WRITTEN CONSENT
AND CLARIFYING USER ACCESS TO DATA.
(a) Prohibition on Access to User Contacts.--It shall be unlawful
for a covered entity to ask a user to share the contacts or information
about the contacts of the user unless the user and the contacts of the
user consent to such use in writing.
(b) Access to, and Correction, Deletion, and Portability of,
Covered Data.--
(1) In general.--Subject to paragraphs (2) and (3), a
covered entity shall provide a user, immediately or as quickly
as possible and in no case later than 90 days after receiving a
verified request from the user, with the ability to
reasonably--
(A) access--
(i) if applicable, a list of each third
party and service provider to whom the covered
entity has transferred or shared the covered
data of the user;
(ii) the covered data of the user, or an
accurate representation of the covered data of
the user, including data aggregation that is a
readable summary, that is held or has been
processed by the covered entity or any service
provider of the covered entity; and
(iii) if a covered entity transfers covered
data, a description of the covered data that
was transferred and the purpose for which the
third party requested the data;
(B) request that the covered entity--
(i) correct material inaccuracies or
materially incomplete information with respect
to the covered data of the user that is
maintained by the covered entity;
(ii) delete or de-identify covered data of
the user that is or has been maintained by the
covered entity;
(iii) notify any service provider or third
party to which the covered entity transferred
such covered data of the corrected information;
and
(iv) provide contact information to the
user of any service provider or third party
that the covered data of the user was
transferred to so that the user may make
requests described in this subparagraph; and
(C) to the extent that is technically feasible,
provide covered data of the user that is or has been
generated and submitted to the covered entity by the
user and maintained by the covered entity in a
portable, structured, and machine-readable format that
is not subject to licensing restrictions.
(2) Frequency and cost of access.--A covered entity shall--
(A) provide a user with the opportunity to exercise
the rights described in paragraph (1) not less than
twice in any 12-month period; and
(B) fulfill the responsibilities described in
paragraph (1) free of charge.
(3) Prohibition on retaliation.--A covered entity shall
provide the same quality of goods or services, at the same
price or rate, regardless of whether a user took an action
described under paragraph (1).
(4) Retention of data.--A covered entity that collects data
on a user's browsing history or biometric data and information
shall delete the data within 60 days after the date on which
the data was collected.
(c) Data Minimization and Contextuality.--
(1) Collection and use of information.--A commercial data
operator shall limit the collection and sharing of information
by the operator with third parties to what is reasonably
necessary to provide a service or conduct an activity that a
consumer has requested or is reasonably necessary for fraud
prevention.
(2) Retention of information.--A commercial data operator
that collects the personal information of a consumer shall
limit the use and retention of that information to what is
reasonably necessary to provide a service or conduct an
activity that a consumer has requested or a related operational
purpose. Any data collected or retained by a commercial data
operator solely for security or fraud prevention may not be
used for operational purposes.
(3) Monetization.--Monetization of personal information
shall not be considered reasonably necessary to provide a
service or conduct an activity that a consumer has requested or
reasonably necessary for security or fraud prevention.
(d) Consumer Choice and Control.--
(1) Commercial data operator.--A commercial data operator
shall provide a prominently and conspicuously displayed icon a
user may click to opt out of data collection on every unique
website, mobile application, or computer application.
(2) Covered entities.--Within 2 years after the date of the
enactment of this Act, a covered entity shall take reasonable
steps, taking account of available technology, to provide users
the ability to directly delete the covered data collected by
the covered entity.
(e) Default Settings.--A covered entity may not require, through
terms of service or otherwise, that a user must consent to the transfer
of covered data in order to use the service of the covered entity.
(f) Policies Regarding Data From Minors.--A covered entity may not
collect, retain, or transfer the covered data of a user to a third
party without affirmative consent from the parent or guardian of the
user if the user is below the age of 18 years old, where technically
feasible.
(g) Prohibition on Tracking Cookies Without User Consent.--A
commercial data operator--
(1) unless authorized by the user, may not track cookies,
including on mobile applications; and
(2) shall provide the same services to users who do not
authorize tracking cookies.
(h) Transparency.--
(1) Privacy notice.--A covered entity shall provide users
with a clear, comprehensible, accurate, and continuously
available privacy notice that--
(A) describes in detail the information collected
by the operator, how that information would be used,
and whether the information would be sold or shared
with any third party; and
(B) is 1,000 words or less.
(2) Report on use of information required.--If a user
allows a commercial data operator to sell the covered data of
the user, the commercial data operator shall provide the user
with an annual report regarding the types of third parties with
whom data has been shared. The report shall include a
description of what information has been shared, for what
purpose information is shared, and a list of each third party
that receives data.
(i) Data Security and Breach Notification.--A covered entity shall
notify each user in a timely manner of any data breach with respect to
the information of the user and provide any remedy to compensate the
user for the breach of their information, including a credit protection
service, fraud alert, and credit monitoring through credit reporting
agencies.
(j) Enforcement.--
(1) Enforcement by the federal trade commission.--
(A) Unfair or deceptive acts or practices.--A
violation of this section shall be treated as a
violation of a regulation under section 18(a)(1)(B) of
the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
(B) Powers of commission.--The Commission shall
enforce this section in the same manner, by the same
means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of
the Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this Act. Any
person who violates this section shall be subject to
the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission
Act.
(2) Effect on other laws.--Nothing in this section shall be
construed in any way to limit the authority of the Commission
under any other provision of law or to limit the application of
any Federal or State law.
(3) Enforcement by state attorneys general.--
(A) In general.--If the chief law enforcement
officer of a State, or an official or agency designated
by a State, has reason to believe that any person has
violated or is violating this section, the attorney
general, official, or agency of the State, in addition
to any authority it may have to bring an action in
State court under its consumer protection law, may
bring a civil action in any appropriate United States
district court or in any other court of competent
jurisdiction, including a State court, to--
(i) enjoin further such violation by such
person;
(ii) enforce compliance with this section;
(iii) obtain civil penalties; and
(iv) obtain damages, restitution, or other
compensation on behalf of residents of the
State.
(B) Notice and intervention by the federal trade
commission.--The attorney general of a State shall
provide prior written notice of any action under
subparagraph (A) to the Commission and provide the
Commission with a copy of the complaint in the action,
except in any case in which such prior notice is not
feasible, in which case the attorney general shall
serve such notice immediately upon instituting such
action. The Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(C) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this section, no State attorney
general, or official or agency of a State, may bring an
action under this paragraph during the pendency of that
action against any defendant named in the complaint of
the Commission for any violation of this section
alleged in the complaint.
(4) Private right of action.--
(A) In general.--Any individual alleging a
violation of this section or a regulation promulgated
under this section may bring a civil action in any
Federal or State court of competent jurisdiction
against a covered entity that has global annual gross
revenues of at least $50,000,000.
(B) Relief.--In a civil action brought under
subparagraph (A) in which the plaintiff prevails, the
court may award--
(i) $100 to $750 per violation;
(ii) reasonable attorney's fees and
litigation costs; and
(iii) any other relief, including equitable
or declaratory relief, that the court
determines appropriate.
(k) Definitions.--In this section:
(1) Commercial data operator.--The term ``commercial data
operator'' means an entity acting in its capacity as a consumer
online services provider or data broker that--
(A) generates a material amount of revenue from the
use, collection, processing, sale, or sharing of data
generated by a user; and
(B) has more than 100,000,000 unique monthly
visitors or users in the United States for a majority
of months during the previous 1-year period.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Consent.--The term ``consent'' means an affirmative act
by an individual that clearly communicates the informed
authorization of the individual for an act or practice.
(4) Core function.--The term ``core function'' does not
mean targeted advertising or marketing.
(5) Covered data.--The term ``covered data'' means
individually identifiable information about a user collected
online, including any of the following:
(A) Location information that would identify the
physical address of an individual.
(B) Telephone number.
(C) Email address.
(D) Social security number or other unique,
government-issued identifiers.
(E) Nonpublic personal information (as defined in
section 509 of the Gramm-Leach-Bliley Act (15 U.S.C.
6809)).
(F) Content of a personal wire communication, oral
communication, or electronic communication such as
email or direct messaging with respect to any entity
that is not the intended recipient of the
communication.
(G) Call detail records.
(H) Web browsing history, application usage
history, and the functional equivalent of either that
is not aggregated data.
(I) Biometric data and information, such as facial
and voice recognition data.
(6) Covered entity.--The term ``covered entity'' means a
commercial data broker or large online operator that collects
covered data from a user through an online platform.
(7) Data broker.--The term ``data broker'' means a covered
entity whose principal source of revenue is derived from
processing or transferring the covered data of individuals with
whom the entity does not have a direct relationship on behalf
of a third party for use by the third party.
(8) De-identify.--The term ``de-identify'' means to
separate information from the user or IP address the
information is associated with.
(9) Delete.--The term ``delete'' means to remove or destroy
information so that the information is not maintained in human
or machine-readable form and cannot be retrieved or used in
such form in the normal course of business.
(10) Large online operator.--The term ``large online
operator'' means any person that--
(A) provides an online service; and
(B) has more than 100,000,000 authenticated users
of an online service in any 30-day period.
(11) Monetization.--The term ``monetization'' means the
process of collecting, using, and storing data solely for
economic benefit.
(12) User.--The term ``user'' means an individual residing
in the United States who uses a website that collects data and
information from the user.