[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8818 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 8818
To provide Americans with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement, and
for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 25, 2024
Mrs. Rodgers of Washington (for herself, Mr. Pallone, Mr. Bilirakis,
and Ms. Schakowsky) introduced the following bill; which was referred
to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To provide Americans with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``American Privacy
Rights Act of 2024''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--AMERICAN PRIVACY RIGHTS
Sec. 101. Definitions.
Sec. 102. Data minimization.
Sec. 103. Privacy by design.
Sec. 104. Transparency.
Sec. 105. Individual control over covered data.
Sec. 106. Opt-out rights and universal mechanisms.
Sec. 107. Interference with consumer rights.
Sec. 108. Prohibition on denial of service and waiver of rights.
Sec. 109. Data security and protection of covered data.
Sec. 110. Executive responsibility.
Sec. 111. Service providers and third parties.
Sec. 112. Data brokers.
Sec. 113. Commission-approved compliance guidelines.
Sec. 114. Privacy-enhancing technology pilot program.
Sec. 115. Enforcement by Federal Trade Commission.
Sec. 116. Enforcement by States.
Sec. 117. Enforcement by persons.
Sec. 118. Relation to other laws.
Sec. 119. Children's Online Privacy Protection Act of 1998.
Sec. 120. Data protections for covered minors.
Sec. 121. Termination of FTC rulemaking on commercial surveillance and
data security.
Sec. 122. Severability.
Sec. 123. Innovation rulemakings.
Sec. 124. Effective date.
TITLE II--CHILDREN'S ONLINE PRIVACY PROTECTION ACT 2.0
Sec. 201. Short title.
Sec. 202. Online collection, use, disclosure, and deletion of personal
information of children.
Sec. 203. Study and reports on mobile and online application oversight
and enforcement.
Sec. 204. Severability.
TITLE I--AMERICAN PRIVACY RIGHTS
SEC. 101. DEFINITIONS.
In this title:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that--
(i) clearly communicates the authorization
of the individual for an act or practice; and
(ii) is provided in response to a specific
request from a covered entity, or a service
provider on behalf of a covered entity, that
meets the requirements of subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request are the
following:
(i) The request is provided to the
individual in a clear and conspicuous
standalone disclosure.
(ii) The request includes a description of
each act or practice for which the consent of
the individual is sought and--
(I) clearly distinguishes between
an act or practice that is necessary,
proportionate, and limited to fulfill a
request of the individual and an act or
practice that is for another purpose;
(II) clearly states the specific
categories of covered data that the
covered entity shall collect, process,
retain, or transfer under each such act
or practice; and
(III) is written in easy-to-understand language and includes a
prominent heading that would enable a
reasonable individual to identify and
understand each such act or practice.
(iii) The request clearly explains the
applicable rights of the individual related to
consent.
(iv) The request is made in a manner
reasonably accessible to and usable by
individuals living with disabilities.
(v) The request is made available to the
individual in the language in which the covered
entity provides a product or service for which
authorization is sought.
(vi) The option to refuse consent is at
least as prominent as the option to provide
consent, and the option to refuse consent takes
no more than 1 additional step as compared to
the number of steps necessary to provide
consent.
(vii) With respect to affirmative express
consent sought for the collection, processing,
retention, or transfer of biometric information
or genetic information, the request includes
the length of time the covered entity or
service provider intends to retain the
biometric information or genetic information
or, if it is not possible to identify the
length of time, the criteria used to determine
the length of time the covered entity or
service provider intends to retain the
biometric information or genetic information.
(C) Express consent required.--Affirmative express
consent to an act or practice may not be inferred from
the inaction of an individual or the continued use by
an individual of a service or product provided by an
entity.
(D) Withdrawal of affirmative express consent.--
(i) In general.--A covered entity shall
provide an individual with a means to withdraw
affirmative express consent previously provided
by the individual.
(ii) Requirements.--The means to withdraw
affirmative express consent described in clause
(i) shall be--
(I) clear and conspicuous; and
(II) as easy for a reasonable
individual to use as the mechanism by
which the individual provided
affirmative express consent.
(E) Children and teens.--If a covered entity has
knowledge that--
(i) an individual is a child, only a parent
of the child may provide affirmative express
consent on behalf of the child; or
(ii) an individual is a teen, a parent or
the teen may provide affirmative express
consent on behalf of the teen.
(2) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data that allows or confirms the
unique identification or verification of an individual
and is generated from the measurement or processing of
unique biological, physical, or physiological
characteristics, including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina imagery scans;
(iv) facial or hand mapping, geometry, or
templates; and
(v) gait.
(B) Exclusion.--The term ``biometric information''
does not include--
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data derived from a digital or
physical photograph or an audio or video
recording that cannot be used to identify or
authenticate a specific individual.
(3) Child.--The term ``child'' means an individual under
the age of 13.
(4) Clear and conspicuous.--The term ``clear and
conspicuous'' means, with respect to a disclosure, that the
disclosure is difficult to miss and easily understandable by
ordinary consumers.
(5) Coarse geolocation information.--The term ``coarse
geolocation information'' means information that reveals the
present physical location of an individual or device identified
by a unique persistent identifier at the ZIP Code attribution
level (except, if a geographic area attributed to a ZIP Code is
equal to or less than the area of a circle with a radius of
1,850 feet or less, at a level greater than a geographic area
equal to the area of a circle with a radius of 1,850 feet).
(6) Collect.--The term ``collect'' means, with respect to
covered data, to buy, rent, gather, obtain, receive, access, or
otherwise acquire the covered data by any means.
(7) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(8) Common branding.--The term ``common branding'' means a
name, service mark, or trademark that is shared by 2 or more
entities.
(9) Connected device.--The term ``connected device'' means
a device that is capable of connecting to the internet.
(10) Contextual advertising.--The term ``contextual
advertising'' means displaying or presenting an advertisement
that--
(A) does not vary based on the identity of the
individual recipient; and
(B) is based solely on--
(i) the content of a webpage or online
service;
(ii) a specific request of the individual
for information or feedback; or
(iii) coarse geolocation information.
(11) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control over the election of a majority of the
directors of the entity (or of individuals exercising
similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(12) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable, alone or in combination with other
information, to an individual or a device that
identifies or is linked or reasonably linkable to 1 or
more individuals.
(B) Exclusions.--The term ``covered data'' does not
include--
(i) de-identified data;
(ii) employee information;
(iii) publicly available information;
(iv) inferences made exclusively from
multiple independent sources of publicly
available information, if such inferences--
(I) do not reveal information about
an individual that meets the definition
of the term ``sensitive covered data''
with respect to the individual; and
(II) are not combined with covered
data;
(v) information in the collection of a
library, archive, or museum, if--
(I) the collection is--
(aa) open to the public or
routinely made available to
researchers who are not
affiliated with the library,
archive, or museum; and
(bb) composed of lawfully
acquired materials with respect
to which all licensing
conditions are met; and
(II) the library, archive, or
museum has--
(aa) a public service
mission; and
(bb) trained staff or
volunteers to provide
professional services normally
associated with libraries,
archives, or museums; or
(vi) on-device data.
(13) Covered entity.--
(A) In general.--The term ``covered entity'' means
any entity that, alone or jointly with others,
determines the purposes and means of collecting,
processing, retaining, or transferring covered data
and--
(i) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.);
(ii) is a common carrier subject to title
II of the Communications Act of 1934 (47 U.S.C.
201 et seq.); or
(iii) is an organization not organized to
carry on business for its own profit or that of
its members.
(B) Inclusion.--The term ``covered entity''
includes any entity that controls, is controlled by, or
is under common control with another covered entity.
(C) Exclusions.--The term ``covered entity'' does
not include--
(i) a Federal, State, Tribal, or local
government entity, such as a body, authority,
board, bureau, commission, district, agency, or
other political subdivision of the Federal
Government or a State, Tribal, or local
government;
(ii) an entity that is collecting,
processing, retaining, or transferring covered
data on behalf of a Federal, State, Tribal, or
local government entity, to the extent that
such entity is acting as a service provider to
the government entity;
(iii) a small business;
(iv) an individual acting at their own
direction and in a non-commercial context;
(v) the National Center for Missing and
Exploited Children; or
(vi) except with respect to requirements
under section 109, a nonprofit organization
whose primary mission is to prevent,
investigate, or deter fraud, to train anti-fraud professionals, or to educate the public
about fraud, including insurance fraud,
securities fraud, and financial fraud, to the
extent the organization collects, processes,
retains, or transfers covered data in
furtherance of such primary mission.
(D) Nonapplication to service providers.--An entity
may not be considered to be a ``covered entity'' for
the purposes of this title, insofar as the entity is
acting as a service provider.
(14) Covered high-impact social media company.--
(A) In general.--The term ``covered high-impact
social media company'' means a covered entity that
provides any internet-accessible platform that--
(i) generates $3,000,000,000 or more in
global annual revenue, including the revenue
generated by any affiliate of such covered
entity;
(ii) has 300,000,000 or more global monthly
active users for not fewer than 3 of the
preceding 12 months; and
(iii) constitutes an online product or
service that is primarily used by users to
access or share user-generated content.
(B) Treatment of certain services and
applications.--A service or application may not be
considered to constitute an online product or service
described in subparagraph (A)(iii) solely on the basis
of providing any of the following:
(i) Email.
(ii) Career or professional development
networking opportunities.
(iii) Reviews of products, services,
events, or destinations.
(iv) A platform for use in a public or
private school under the direction of the
school.
(v) File collaboration.
(vi) Cloud storage.
(vii) Closed video or audio communications
services.
(viii) A wireless messaging service,
including such a service provided through short
messaging service or multimedia messaging
service protocols, that is not a component of,
or linked to, a platform of a covered high-impact social media company, if the predominant
or exclusive function is direct messaging
consisting of the transmission of text, photos,
or videos that are sent by electronic means,
and if messages are transmitted from the sender
to a recipient and are not posted within a
platform of a covered high-impact social media
company or publicly.
(15) Covered minor.--The term ``covered minor'' means an
individual under the age of 17.
(16) Dark patterns.--The term ``dark patterns'' means a
user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision-making, or choice.
(17) Data broker.--
(A) In general.--The term ``data broker'' means a
covered entity whose principal source of revenue is
derived from processing or transferring covered data
that the covered entity did not collect directly from
the individuals linked or linkable to the covered data.
(B) Principal source of revenue.--For purposes of
this paragraph, the term ``principal source of
revenue'' means, for the prior 12-month period--
(i) revenue that constitutes greater than
50 percent of all revenue of the covered entity
during such period; or
(ii) revenue obtained from processing and
transferring the covered data of more than
5,000,000 individuals that the covered entity
did not collect directly from the individuals
linked or linkable to the covered data.
(C) Non-application to service providers.--The term
``data broker'' does not include an entity to the
extent that such entity is acting as a service
provider.
(18) De-identified data.--
(A) In general.--The term ``de-identified data''
means information that cannot reasonably be used to
infer or derive the identity of an individual, and does
not identify and is not linked or reasonably linkable
to an individual or a device that identifies or is
linked or reasonably linkable to an individual,
regardless of whether the information is aggregated, if
the relevant covered entity or service provider--
(i) takes reasonable physical,
administrative, and technical measures to
ensure that the information cannot, at any
point, be used to re-identify any individual or
device that identifies or is linked or
reasonably linkable to an individual;
(ii) publicly commits in a clear and
conspicuous manner to--
(I) process, retain, or transfer
the information solely in a de-identified form without any reasonable
means for re-identification; and
(II) not attempt to re-identify the
information with any individual or
device that identifies or is linked or
reasonably linkable to an individual,
except as necessary, limited, and
proportionate to test the effectiveness
of the measures described in clause
(i); and
(iii) contractually obligates any entity
that receives the information from the covered
entity or service provider to--
(I) comply with clauses (i) and
(ii) with respect to the information;
and
(II) require that such contractual
obligations be included contractually
in all subsequent instances in which
the information may be received.
(B) Health information.--The term ``de-identified
data'' includes health information (as defined in
section 1171 of the Social Security Act (42 U.S.C.
1320d)) that has been de-identified in accordance with
section 164.514(b) of title 45, Code of Federal
Regulations, except that if such information is
subsequently provided to an entity that is not an
entity subject to parts 160 and 164 of such title 45,
such entity shall comply with clauses (ii) and (iii) of
subparagraph (A) for the information to be considered
de-identified under this title.
(19) Derived data.--The term ``derived data'' means covered
data that is created by the derivation of information, data,
assumptions, correlations, inferences, predictions, or
conclusions from facts, evidence, or another source of
information.
(20) Device.--The term ``device'' means any electronic
equipment capable of collecting, processing, retaining, or
transferring covered data that is used by 1 or more
individuals, including a connected device or a portable
connected device.
(21) Direct mail targeted advertising.--The term ``direct
mail targeted advertising'' means advertising or marketing
using third-party data through a direct communication with an
individual via direct mail.
(22) Disability.--The term ``disability'' has the meaning
given such term in section 3 of the Americans with Disabilities
Act of 1990 (42 U.S.C. 12102).
(23) Email targeted advertising.--The term ``email targeted
advertising'' means advertising or marketing using third-party
data through a direct communication with an individual via
email.
(24) Employee.--The term ``employee'' means an individual
who is an employee, director, officer, staff member, paid
intern, individual working as an independent contractor (who is
not a service provider), volunteer, or unpaid intern of an
employer, regardless of whether such individual is paid,
unpaid, or engaged on a temporary basis.
(25) Employee information.--The term ``employee
information'' means information, including biometric
information or genetic information--
(A) about an individual related to the course of
employment or application for employment of the
individual (including on a contract or temporary
basis), if such information is collected, retained,
processed, or transferred by the employer or the
service provider of the employer solely for purposes
necessary for the employment or application of the
individual;
(B) that is emergency contact information for an
individual who is an employee or job applicant of an
employer, if such information is collected, retained,
processed, or transferred by the employer or the
service provider of the employer solely for the purpose
of having an emergency contact for such individual on
file; or
(C) about an individual who is an employee or
former employee of an employer, or a relative,
dependent, or beneficiary of the employee or former
employee, and collected, retained, processed, or
transferred for the purpose of administering benefits,
including enrollment and disenrollment for benefits, to
which the employee, former employee, relative,
dependent, or beneficiary is entitled on the basis of
the employment of the employee or former employee with
the employer, if such information is collected,
retained, processed, or transferred by the employer or
the service provider of the employer solely for the
purpose of administering such benefits.
(26) Entity.--The term ``entity'' means an individual, a
trust, a partnership, an association, an organization, a
company, and a corporation.
(27) Executive agency.--The term ``Executive agency'' has
the meaning given such term in section 105 of title 5, United
States Code.
(28) Federated nonprofit organization.--The term
``federated nonprofit organization'' means a network or system
of 2 or more entities, described in section 501(c)(3) of the
Internal Revenue Code of 1986 and exempt from taxation under
section 501(a) of such Code, that share common branding.
(29) First party.--The term ``first party''--
(A) means a consumer-facing covered entity with
which a consumer intends and expects to interact; and
(B) includes any entities with which the covered
entity shares common branding.
(30) First-party advertising.--
(A) In general.--The term ``first-party
advertising'' means advertising or marketing by a first
party using the first-party data of the first party and
not other forms of covered data and carried out--
(i) through direct communications with an
individual, such as direct mail, email (subject
to the CAN-SPAM Act of 2003 (15 U.S.C. 7701 et
seq.) and the regulations promulgated under
such Act), or text message communications
(subject to section 227 of the Communications
Act of 1934 (47 U.S.C. 227) and the regulations
promulgated under such section); or
(ii) entirely--
(I) in a physical location operated
by the first party;
(II) in the case of a first party
that is not a covered high-impact
social media company, on a website,
online service, online application, or
mobile application operated by the
first party, through display or
presentation of an online advertisement
that promotes a product or service
(whether offered by the first party or
not offered by the first party) to an
individual or device identified by a
unique persistent identifier, or group
of individuals or devices identified by
unique persistent identifiers; or
(III) in the case of a first party
that is a covered high-impact social
media company, on a website, online
service, online application, or mobile
application operated by the first
party, through display or presentation
of an online advertisement that
promotes a product or service offered
by the first party to an individual or
device identified by a unique
persistent identifier, or group of
individuals or devices identified by
unique persistent identifiers.
(B) Exclusion.--The term ``first-party
advertising'' does not include contextual advertising.
(31) First-party data.--The term ``first-party data'' means
covered data collected directly from an individual by a first
party, including based on a visit by the individual to or use
by the individual of a physical location, website, online
service, online application, or mobile application operated by
the first party.
(32) Genetic information.--The term ``genetic information''
means any covered data, regardless of format, that concerns the
genetic characteristics of an identified or identifiable
individual, including--
(A) raw sequence data that results from the
sequencing of the complete, or a portion of, extracted
deoxyribonucleic acid (DNA) of an individual; or
(B) genotypic and phenotypic information that
results from analyzing raw sequence data described in
subparagraph (A).
(33) Health information.--The term ``health information''
means information that describes or reveals the past, present,
or future physical health, mental health, disability,
diagnosis, or health condition, status, or treatment of an
individual, including the precise geolocation information of
such treatment.
(34) Individual.--The term ``individual'' means a natural
person residing in the United States.
(35) Knowledge.--
(A) In general.--The term ``knowledge'' means, with
respect to whether an individual is a child, teen, or
covered minor, actual knowledge or knowledge fairly
implied on the basis of objective circumstances.
(B) Rule of construction.--For purposes of
enforcing this title or a regulation promulgated under
this title, a determination as to whether a covered
entity has knowledge fairly implied on the basis of
objective circumstances that an individual is a child,
teen, or covered minor shall rely on competent and
reliable evidence, taking into account the totality of
the circumstances, including whether a reasonable and
prudent person under the circumstances would have known
that the individual is a child, teen, or covered minor.
Nothing in this title, including a determination
described in the preceding sentence, may be construed
to require a covered entity to--
(i) affirmatively collect any covered data
with respect to the age of a child, teen, or
covered minor that the covered entity is not
already collecting in the normal course of
business; or
(ii) implement an age gating or age
verification functionality.
(C) Commission guidance.--
(i) In general.--Not later than 180 days
after the date of the enactment of this Act,
the Commission shall issue guidance to provide
information, including best practices and
examples, for covered entities to use in
understanding whether a covered entity has
knowledge fairly implied on the basis of
objective circumstances that an individual is a
child, teen, or covered minor.
(ii) Limitation.--No guidance issued by the
Commission under clause (i) confers any rights
on any person, State, or locality, or operates
to bind the Commission or any person, State, or
locality to the approach recommended in such
guidance. Any enforcement action brought
pursuant to this title by the Commission, or by
the attorney general of a State, the chief
consumer protection officer of a State, or an
officer or office of a State authorized to
enforce privacy or data security laws
applicable to covered entities or service
providers, shall allege a specific violation of
a provision of this title, and the Commission
or the attorney general, chief consumer
protection officer, or other authorized officer
or office of the State, as applicable, may not
base an enforcement action on, or as applicable
execute a consent order based on, practices
that are alleged to be inconsistent with any
such guidance, unless the practices allegedly
violate this title.
(36) Large data holder.--
(A) In general.--The term ``large data holder''
means a covered entity or service provider that, in the
most recent calendar year, had an annual gross revenue
of not less than $250,000,000 and, subject to
subparagraph (B), collected, processed, retained, or
transferred--
(i) the covered data of--
(I) more than 5,000,000
individuals;
(II) more than 15,000,000 portable
connected devices that identify or are
linked or reasonably linkable to 1 or
more individuals; or
(III) more than 35,000,000
connected devices that identify or are
linked or reasonably linkable to 1 or
more individuals; or
(ii) the sensitive covered data of--
(I) more than 200,000 individuals;
(II) more than 300,000 portable
connected devices that identify or are
linked or reasonably linkable to 1 or
more individuals; or
(III) more than 700,000 connected
devices that identify or are linked or
reasonably linkable to 1 or more
individuals.
(B) Exclusions.--For the purposes of subparagraph
(A), a covered entity or service provider may not be
considered a large data holder solely on the basis of
collecting, processing, retaining, or transferring to a
service provider--
(i) personal mailing or email addresses;
(ii) personal telephone numbers;
(iii) log-in information of an individual
or device to allow the individual or device to
log in to an account administered by the
covered entity; or
(iv) in the case of a covered entity that
is a seller of goods or services (other than an
entity that facilitates payment, such as a
bank, credit card processor, mobile payment
system, or payment platform), credit, debit, or
mobile payment information necessary and used
to initiate, render, bill for, finalize,
complete, or otherwise facilitate payments for
such goods or services.
(C) Definition of annual gross revenue.--For the
purposes of subparagraph (A), the term ``annual gross
revenue'', with respect to a covered entity or service
provider--
(i) means the gross receipts the covered
entity or service provider received, in
whatever form from all sources, without
subtracting any costs or expenses; and
(ii) includes contributions, gifts, grants,
dues or other assessments, income from
investments, and proceeds from the sale of real
or personal property.
(37) Market research.--The term ``market research'' means
the collection, processing, retention, or transfer of covered
data, with affirmative express consent, that is necessary,
proportionate, and limited to measure and analyze the market or
market trends of products, services, advertising, or ideas, if
the covered data is not--
(A) integrated into any product or service;
(B) otherwise used to contact any individual or
device of an individual; or
(C) used for targeted advertising or to otherwise
market to any individual or device of an individual.
(38) Material change.--The term ``material change'' means,
with respect to treatment of covered data, a change by an
entity that would likely affect the decision of an individual
to engage with and provide covered data to the entity,
including providing affirmative express consent for, or opting
out of, the collection, processing, retention, or transfer of
covered data pertaining to such individual.
(39) Mobile application.--The term ``mobile application''--
(A) means a software program that runs on the
operating system of--
(i) a cellular telephone;
(ii) a tablet computer; or
(iii) a similar portable computing device
that transmits data over a wireless connection;
and
(B) includes a service or application offered via a
connected device.
(40) On-device data.--
(A) In general.--The term ``on-device data'' means
data collected, retained, and processed solely on the
device of an individual.
(B) Limitation.--Data collected, retained, and
processed solely on the device of an individual may be
considered ``on-device data'' only if--
(i) such data is not transferred by a
covered entity or service provider;
(ii) the relevant covered entity clearly
and conspicuously provides the device owner
with controls that allow the owner to access,
correct, delete, and export such data
consistent with the rights provided with
respect to covered data pursuant to section
105;
(iii) the relevant covered entity provides
easy-to-understand instructions on how the
device owner can access such controls; and
(iv) the relevant covered entity
establishes, implements, and maintains
reasonable data security practices, consistent
with section 109, to protect--
(I) the confidentiality, integrity,
and availability of the on-device data;
and
(II) on-device data against
unauthorized access.
(41) Online activity profile.--The term ``online activity
profile'' means covered data that identifies the online
activities of an individual (or a device linked or reasonably
linkable to an individual) over time and across third-party
websites, online services, online applications, or mobile
applications that do not share common branding and that is
collected, processed, retained, or transferred for the purpose
of evaluating, analyzing, or predicting the behaviors or
characteristics of an individual.
(42) Online application.--The term ``online application''--
(A) means an internet-connected software program;
and
(B) includes a service or application offered via a
connected device.
(43) Parent.--The term ``parent'' means a legal guardian.
(44) Portable connected device.--The term ``portable
connected device'' means a portable device that is capable of
connecting to the internet over a wireless connection,
including a smartphone, tablet computer, laptop computer,
smartwatch, or similar portable device.
(45) Precise geolocation information.--
(A) In general.--The term ``precise geolocation
information'' means information that reveals the past
or present physical location of an individual or device
with sufficient precision to identify the location of
such individual or device within a geographic area that
is equal to or less than the area of a circle with a
radius of 1,850 feet or less.
(B) Exclusions.--The term ``precise geolocation
information'' does not include information derived
solely from--
(i) a digital or physical photograph;
(ii) an audio or visual recording; or
(iii) metadata associated with a digital or
physical photograph or an audio or visual
recording that cannot be linked to an
individual.
(46) Process.--The term ``process'' means, with respect to
covered data, any operation or set of operations performed on
the covered data, including analyzing, organizing, structuring,
using, modifying, or otherwise handling the covered data.
(47) Publicly available information.--
(A) In general.--The term ``publicly available
information'' means any information that a covered
entity has a reasonable basis to believe has been
lawfully made available to the general public by--
(i) Federal, State, or local government
records, if the covered entity collects,
processes, retains, and transfers such
information in accordance with any restrictions
or terms of use placed on the information by
the relevant government entity;
(ii) widely distributed media;
(iii) a website or online service made
available to all members of the public, for
free or for a fee, including where all members
of the public can log in to the website or
online service; or
(iv) a disclosure to the general public
that is required to be made by Federal, State,
or local law.
(B) Clarifications; limitations.--
(i) Available to all members of the
public.--For purposes of this paragraph,
information from a website or online service is
not available to all members of the public if
the individual to whom the information pertains
has restricted the information to a specific
audience or maintained a default setting that
restricts the information to a specific
audience.
(ii) Business contact information.--The
term ``publicly available information''
includes business contact information of an
individual acting in a business or professional
context that is made available on a website or
online service made available to all members of
the public, including the name, position or
title, business telephone number, business
email address, or business address of the
individual.
(iii) Other limitations.--The term
``publicly available information'' does not
include--
(I) any obscene visual depiction
(as such term is used in section 1460
of title 18, United States Code);
(II) derived data from publicly
available information that reveals
information about an individual that
meets the definition of the term
``sensitive covered data'';
(III) biometric information;
(IV) genetic information, unless
made publicly available by the
individual to whom the information
pertains by a means described in clause
(ii) or (iii) of subparagraph (A);
(V) covered data that is created
through the combination of covered data
with publicly available information;
(VI) intimate images, authentic or
computer-generated, known to be
nonconsensual; or
(VII) sensitive covered data made
available by a data broker.
(48) Retain.--The term ``retain'' means, with respect to
covered data, to store, maintain, save, or otherwise keep such
data, regardless of format.
(49) Sensitive covered data.--
(A) In general.--The term ``sensitive covered
data'' means the following forms of covered data:
(i) A government-issued identifier,
including a Social Security number, passport
number, or driver's license number, that is not
required by law to be displayed in public.
(ii) Any information that describes or
reveals the past, present, or future physical
health, mental health, disability, diagnosis,
or health condition, status, or treatment of an
individual.
(iii) Genetic information.
(iv) A financial account number, debit card
number, credit card number, or any required
security or access code, password, or
credentials allowing access to any such account
or card, except that the last four digits of an
account number, debit card number, or credit
card number may not be considered sensitive
covered data.
(v) Biometric information.
(vi) Precise geolocation information.
(vii) The private communications of an
individual (such as voicemails, or other voice
or video communications, emails, texts, direct
messages, or mail) or information identifying
the parties to such communications, information
contained in telephone bills, and any
information that pertains to the transmission
of private voice or video communications,
including numbers called, numbers from which
calls were placed, the time calls were made,
call duration, and location information of the
parties to the call, unless the relevant
covered entity or service provider is an
intended recipient of the communication.
(viii) Unencrypted or unredacted account or
device log-in credentials.
(ix) Information revealing the sexual
behavior of an individual in a manner
inconsistent with the reasonable expectation of
the individual regarding disclosure of such
information.
(x) Calendar information, address book
information, phone, text, or electronic logs,
photographs, audio recordings, or videos
intended for private use.
(xi) A photograph, film, video recording,
or other similar medium that shows the naked or
undergarment-clad private area of an
individual.
(xii) Information revealing the extent or
content of the access, viewing, or other use by
an individual of any video programming (as
defined in section 713(h)(2) of the
Communications Act of 1934 (47 U.S.C.
613(h)(2))), including programming provided by
a provider of broadcast television service,
cable service, satellite service, or streaming
media service, but only with regard to the
transfer of such information to a third party
(excluding any such information used solely for
transfers for independent video measurement).
(xiii) Information collected by a covered
entity that is not a provider of a service
described in clause (xii) that reveals the
video content requested or selected by an
individual (excluding any such information used
solely for transfers for independent video
measurement).
(xiv) Information revealing the race,
ethnicity, national origin, religion, or sex of
an individual in a manner inconsistent with the
reasonable expectation of the individual
regarding disclosure of such information.
(xv) An online activity profile.
(xvi) Information about a covered minor.
(xvii) Information that reveals the status
of an individual as a member of the Armed
Forces.
(xviii) Neural data.
(xix) Any other covered data collected,
processed, retained, or transferred for the
purpose of identifying a type of information
described in any of clauses (i) through
(xviii).
(B) Third party.--For the purposes of subparagraph
(A)(xii), the term ``third party'' does not include an
entity that--
(i) is related by common ownership or
corporate control to the provider of broadcast
television service or streaming media service;
and
(ii) provides video programming as
described in such subparagraph.
(50) Service provider.--
(A) In general.--The term ``service provider''
means an entity that collects, processes, retains, or
transfers covered data for the purpose of performing 1
or more services or functions on behalf of, and at the
direction of--
(i) a covered entity or another service
provider; or
(ii) a Federal, State, Tribal, or local
government entity.
(B) Rule of construction.--
(i) In general.--An entity is a covered
entity and not a service provider with respect
to a specific collecting, processing,
retaining, or transferring of covered data, if
the entity, alone or jointly with others,
determines the purposes and means of the
specific collecting, processing, retaining, or
transferring of data.
(ii) Instructions.--An entity that is not
limited in its collecting, processing,
retaining, or transferring of covered data
pursuant to the instructions of a covered
entity, another service provider, or a Federal,
State, Tribal, or local government entity, or
that fails to adhere to such instructions, is a
covered entity and not a service provider with
respect to a specific collecting, processing,
retaining, or transferring of such data. If a
service provider begins, alone or jointly with
others, determining the purposes and means of
collecting, processing, retaining, or
transferring covered data, the entity is a
covered entity with respect to such data.
(iii) Context required.--Whether an entity
is a covered entity or a service provider
depends on the facts surrounding how, and the
context in which, data is collected, processed,
retained, or transferred.
(51) Small business.--
(A) In general.--The term ``small business'' means
an entity (including any affiliate of the entity)--
(i) that has average annual gross revenues
for the period of the 3 preceding calendar
years (or for the period during which the
entity has been in existence, if such period is
less than 3 calendar years) not exceeding
$40,000,000, indexed to the Producer Price
Index reported by the Bureau of Labor
Statistics;
(ii) that, on average for the period
described in clause (i), did not annually
collect, process, retain, or transfer the
covered data of more than 200,000 individuals
for any purpose other than initiating,
rendering, billing for, finalizing, completing,
or otherwise collecting payment for a requested
service or product; and
(iii) that did not, during the period
described in clause (i), transfer covered data
to a third party in exchange for revenue or
anything of value, except for purposes of
initiating, rendering, billing for, finalizing,
completing, or otherwise collecting payment for
a requested service or product or facilitating
web analytics that are not used to create an
online activity profile.
(B) Nonprofit revenue.--For purposes of
subparagraph (A)(i), the term ``revenue'', as such term
relates to any entity that is not organized to carry on
business for its own profit or that of its members,
means the gross receipts the entity received, in
whatever form from all sources, without subtracting any
costs or expenses, and includes contributions, gifts,
grants (except for grants from the Federal Government),
dues or other assessments, income from investments, or
proceeds from the sale of real or personal property.
(52) State.--The term ``State'' means each of the 50
States, the District of Columbia, the Commonwealth of Puerto
Rico, the Virgin Islands of the United States, Guam, American
Samoa, and the Commonwealth of the Northern Mariana Islands.
(53) Substantial privacy harm.--The term ``substantial
privacy harm'' means--
(A) any alleged financial harm of not less than
$10,000; or
(B) any alleged physical or mental harm to an
individual that involves--
(i) treatment by a licensed, credentialed,
or otherwise bona fide health care provider,
hospital, community health center, clinic,
hospice, or residential or outpatient facility
for medical, mental health, or addiction care;
or
(ii) physical injury, highly offensive
intrusion into the privacy expectations of a
reasonable individual under the circumstances,
or discrimination on the basis of race, color,
religion, national origin, sex, or disability.
(54) Targeted advertising.--The term ``targeted
advertising''--
(A) means displaying or presenting an online
advertisement to an individual or to a device
identified by a unique persistent identifier (or to a
group of individuals or devices identified by unique
persistent identifiers), if the advertisement is
selected based, in whole or in part, on known or
predicted preferences or interests associated with the
individual or device;
(B) includes--
(i) an online advertisement by a covered
high-impact social media company for a product
or service that is not a product or service
offered by the covered high-impact social media
company; and
(ii) an online advertisement for a product
or service based on the previous interaction of
an individual or a device identified by a
unique persistent identifier with such product
or service on a website or online service that
does not share common branding or affiliation
with the website or online service displaying
or presenting the advertisement; and
(C) excludes contextual advertising and first-party
advertising.
(55) Teen.--The term ``teen'' means an individual 13 years
of age or older, but under the age of 17.
(56) Third party.--The term ``third party''--
(A) means any entity that--
(i) receives covered data from another
entity that is not the individual to whom the
data pertains; and
(ii) is not a service provider with respect
to such data; and
(B) does not include an entity that collects
covered data from another entity if the 2 entities
are--
(i) related by common ownership or
corporate control; or
(ii) nonprofit entities that are part of
the same federated nonprofit organization.
(57) Third-party data.--The term ``third-party data'' means
covered data that has been transferred to a third party.
(58) Transfer.--The term ``transfer'' means, with respect
to covered data, to disclose, release, share, disseminate, make
available, sell, rent, or license the covered data (orally, in
writing, electronically, or by any other means) for
consideration of any kind or for a commercial purpose.
(59) Unique persistent identifier.--
(A) In general.--The term ``unique persistent
identifier'' means a technologically created identifier
to the extent that such identifier is reasonably
linkable to an individual or a device that identifies
or is linked or reasonably linkable to 1 or more
individuals, including device identifiers, Internet
Protocol addresses, cookies, beacons, pixel tags,
mobile ad identifiers or similar technology, customer
numbers, unique pseudonyms, user aliases, telephone
numbers, or other forms of persistent or probabilistic
identifiers that are linked or reasonably linkable to 1
or more individuals or devices.
(B) Exclusion.--The term ``unique persistent
identifier'' does not include an identifier assigned by
a covered entity for the sole purpose of giving effect
to the exercise of affirmative express consent or opt
out by an individual with respect to the collecting,
processing, retaining, and transfer of covered data or
otherwise limiting the collecting, processing,
retaining, or transfer of covered data.
(60) Widely distributed media.--
(A) In general.--The term ``widely distributed
media'' means information that is available to the
general public, including information from a telephone
book or online directory, a television, internet, or
radio program, the news media, or an internet site that
is available to the general public on an unrestricted
basis.
(B) Exclusion.--The term ``widely distributed
media'' does not include an obscene visual depiction
(as such term is used in section 1460 of title 18,
United States Code).
SEC. 102. DATA MINIMIZATION.
(a) In General.--A covered entity may not collect, process, retain,
or transfer covered data of an individual or direct a service provider
to collect, process, retain, or transfer covered data of an individual
beyond what is necessary, proportionate, and limited--
(1) to provide or maintain--
(A) a specific product or service requested by the
individual to whom the data pertains, including any
associated routine administrative, operational, or
account-servicing activity, such as billing, shipping,
delivery, storage, or accounting; or
(B) a communication, that is not an advertisement,
by the covered entity to the individual reasonably
anticipated within the context of the relationship; or
(2) for a purpose expressly permitted under subsection (d).
(b) Additional Protections for Sensitive Covered Data.--Subject to
subsection (a), a covered entity may not transfer sensitive covered
data to a third party or direct a service provider to transfer
sensitive covered data to a third party without the affirmative express
consent of the individual to whom such data pertains, unless for a
purpose permitted by paragraph (2), (3), (4), (5), (6), (8), (9), (11),
(12), or (13) of subsection (d).
(c) Additional Protections for Biometric Information and Genetic
Information.--
(1) Collection.--Subject to subsection (a), a covered
entity may not collect biometric information or genetic
information or direct a service provider to collect biometric
information or genetic information without the affirmative
express consent of the individual to whom such information
pertains.
(2) Processing.--Subject to subsection (a), a covered
entity may not process biometric information or genetic
information or direct a service provider to process biometric
information or genetic information without the affirmative
express consent of the individual to whom such information
pertains, unless for a purpose permitted by paragraph (2), (3),
or (4) of subsection (d).
(3) Retention.--Subject to subsection (a), a covered entity
may not retain biometric information or direct a service
provider to retain biometric information beyond the point at
which the purpose for which an individual provided affirmative
express consent under paragraph (1) has been satisfied or
beyond the date that is 3 years after the date of the last
interaction of the individual with the covered entity or
service provider, whichever occurs first, unless for a purpose
permitted under paragraph (2), (3), or (4) of subsection (d).
(4) Transfer.--
(A) Affirmative express consent required.--Subject
to subsection (a), a covered entity may not transfer
biometric information or genetic information to a third
party or direct a service provider to transfer
biometric information or genetic information to a third
party without the affirmative express consent of the
individual to whom such information pertains, unless
for a purpose permitted by paragraph (2), (3), or (4)
of subsection (d).
(B) No transfer for payment or other valuable
consideration.--A covered entity may not transfer
biometric information or genetic information to a third
party, or direct a service provider to transfer
biometric information or genetic information to a third
party, for payment or other valuable consideration
(regardless of the purpose of the transfer, including a
purpose described in subparagraph (A)).
(d) Permitted Purposes.--Subject to the requirements in subsections
(b) and (c), a covered entity may collect, process, retain, or transfer
or direct a service provider to collect, process, retain, or transfer
covered data for the following purposes, if the covered entity or
service provider can demonstrate that the collection, processing,
retention, or transfer is necessary, proportionate, and limited to such
purpose:
(1) To protect data security as described in section 109,
protect against spam, or protect and maintain networks and
systems, including through diagnostics, debugging, and repairs.
(2) To comply with a legal obligation imposed by a Federal,
State, Tribal, or local law that is not preempted by this
title.
(3) To investigate, establish, prepare for, exercise, or
defend cognizable legal claims of the covered entity or service
provider.
(4) To transfer covered data to a Federal, State, Tribal,
or local law enforcement agency pursuant to a lawful warrant,
administrative subpoena, or other form of lawful process.
(5) To effectuate a product recall pursuant to Federal or
State law, or to fulfill a warranty.
(6) To conduct market research.
(7) With respect to covered data previously collected in
accordance with this title, to process the covered data such
that the covered data becomes de-identified data, including in
order to--
(A) develop or enhance a product or service of the
covered entity or service provider;
(B) conduct research or analytics to improve a
product or service of the covered entity or service
provider;
(C) conduct research to investigate, establish, or
improve the effectiveness or safety of medical
products, including drugs, biologics, and medical
devices;
(D) enable the effective delivery and
administration of health care products and treatments
to patients, in compliance with Federal regulations; or
(E) monitor the safety and efficacy of health care
products and services administered to patients, in
compliance with Federal regulations.
(8) To transfer assets to a third party in the context of a
merger, acquisition, bankruptcy, or similar transaction, with
respect to which the third party assumes control, in whole or
in part, of the assets of the covered entity, but only if the
covered entity, in a reasonable time prior to such transfer,
provides each affected individual with--
(A) a notice describing such transfer, including
the name of the entity or entities receiving the
covered data of the individual and the privacy policies
of such entity or entities as described in section 104;
and
(B) a reasonable opportunity to--
(i) withdraw any previously provided
consent in accordance with the requirements of
affirmative express consent under this title
related to the covered data of the individual;
and
(ii) request the deletion of the covered
data of the individual, as described in section
105.
(9) With respect to a covered entity or service provider
that is a telecommunications carrier or a provider of a mobile
service, interconnected VoIP service, or non-interconnected
VoIP service (as such terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)), to provide call
location information in a manner described in subparagraph (A)
or (C) of section 222(d)(4) of such Act (47 U.S.C. 222(d)(4)).
(10) To prevent, detect, protect against, investigate, or
respond to fraud, excluding the transfer of covered data for
payment or other valuable consideration to a government entity.
(11) To prevent, detect, protect against, investigate, or
respond to an ongoing or imminent security incident relating to
network security or physical security, including an intrusion
or trespass, medical alert or request for a medical response,
fire alarm or request for a fire response, or access control.
(12) To prevent, detect, protect against, investigate, or
respond to an imminent or ongoing public safety incident (such
as a mass casualty event, natural disaster, or national
security incident), excluding the transfer of covered data for
payment or other valuable consideration to a government entity.
(13) Except with respect to health information, to prevent,
detect, protect against, investigate, or respond to criminal
activity or harassment, excluding the transfer of covered data
for payment or other valuable consideration to a government
entity.
(14) Except with respect to sensitive covered data, and
only with respect to covered data previously collected in
accordance with this title, to process or transfer such data to
provide first-party advertising or contextual advertising or to
measure and report on marketing performance or media
performance by the covered entity, including processing or
transferring covered data for measurement and reporting of
frequency, attribution, and performance, including by
independent entities, except that this paragraph does not
permit the processing or transfer of covered data for first-
party advertising to a covered minor as prohibited by section
120.
(15) Except with respect to sensitive covered data, and
only with respect to covered data previously collected in
accordance with this title, to process or transfer such data to
provide targeted advertising, direct mail targeted advertising,
or email targeted advertising (subject to the CAN-SPAM Act of
2003 (15 U.S.C. 7701 et seq.) and the regulations promulgated
under such Act) or to measure and report on marketing
performance or media performance, including processing or
transferring covered data for measurement and reporting of
frequency, attribution, and performance, including by
independent entities, except that this paragraph does not
permit the processing or transfer of covered data for targeted
advertising to an individual who has opted out of targeted
advertising pursuant to section 106 or to a covered minor as
prohibited by section 120.
(16) To conduct a public or peer-reviewed scientific,
historical, or statistical research project that--
(A) is in the public interest;
(B) adheres to all relevant laws and regulations
governing such research, including regulations for the
protection of human subjects, if applicable;
(C) limits transfers to third parties of sensitive
covered data to only those transfers necessary,
proportionate, and limited to carry out the research;
and
(D) prohibits the transfer of covered data to a
data broker.
(17) To conduct medical research in compliance with part 46
of title 45, Code of Federal Regulations, or parts 50 and 56 of
title 21, Code of Federal Regulations.
(e) Guidance.--Not later than 180 days after the date of the
enactment of this Act, the Commission shall issue guidance regarding
what is necessary, proportionate, and limited to comply with this
section.
(f) Journalism.--Nothing in this title may be construed to limit or
diminish journalism, including gathering, preparing, collecting,
photographing, recording, writing, editing, reporting, or investigating
news or information that concerns local, national, or international
events or other matters of public interest for dissemination to the
public.
SEC. 103. PRIVACY BY DESIGN.
(a) In General.--Each covered entity and service provider shall
establish, implement, and maintain reasonable policies, practices, and
procedures that reflect the role of the covered entity or service
provider in the collection, processing, retention, and transferring of
covered data.
(b) Requirements.--The policies, practices, and procedures required
by subsection (a) shall--
(1) identify, assess, and mitigate privacy risks related to
covered minors (including, if applicable, in a manner that
considers the developmental needs of different age ranges of
covered minors), individuals living with disabilities, and
individuals over the age of 65;
(2) mitigate privacy risks related to the products and
services of the covered entity or service provider, including
in the design, development, and implementation of such products
and services, taking into account the role of the covered
entity or service provider and the information available to the
covered entity or service provider; and
(3) implement reasonable internal training and safeguards
to promote compliance with this title and to mitigate privacy
risks, taking into account the role of the covered entity or
service provider and the information available to the covered
entity or service provider.
(c) Factors to Consider.--The policies, practices, and procedures
established by a covered entity or service provider under subsection
(a) shall align with, as applicable--
(1) the nature, scope, and complexity of the activities
engaged in by the covered entity or service provider, including
whether the covered entity or service provider is a large data
holder, nonprofit organization, or data broker, taking into
account the role of the covered entity or service provider and
the information available to the covered entity or service
provider;
(2) the sensitivity of the covered data collected,
processed, retained, or transferred by the covered entity or
service provider;
(3) the volume of covered data collected, processed,
retained, or transferred by the covered entity or service
provider;
(4) the number of individuals and devices to which the
covered data collected, processed, retained, or transferred by
the covered entity or service provider relates;
(5) state-of-the-art administrative, technological, and
organizational measures that, by default, serve the purpose of
protecting the privacy and security of covered data as required
by this title; and
(6) the cost of implementing such policies, practices, and
procedures in relation to the risks and nature of the covered
data involved.
(d) Commission Guidance.--Not later than 1 year after the date of
the enactment of this Act, the Commission shall issue guidance with
respect to what constitutes reasonable policies, practices, and
procedures as required by subsection (a). In issuing such guidance, the
Commission shall consider unique circumstances applicable to nonprofit
organizations, service providers, and data brokers.
SEC. 104. TRANSPARENCY.
(a) In General.--Each covered entity and service provider shall
make publicly available a clear and conspicuous, not misleading, and
easy-to-read privacy policy that provides a detailed and accurate
representation of the data collection, processing, retention, and
transfer activities of the covered entity or service provider.
(b) Content of Privacy Policy.--The privacy policy required under
subsection (a) shall include, at a minimum, the following:
(1) The identity and the contact information of--
(A) the covered entity or service provider to which
the privacy policy applies, including a point of
contact and a monitored email address or other
monitored online contact mechanism, as applicable,
specific to data privacy and data security inquiries;
and
(B) any affiliate within the same corporate
structure as the covered entity or service provider, to
which the covered entity or service provider may
transfer data, that--
(i) is not under common branding with the
covered entity or service provider; or
(ii) has different contact information than
the covered entity or service provider.
(2) With respect to the collection, processing, and
retention of covered data--
(A) the categories of covered data the covered
entity or service provider collects, processes, or
retains; and
(B) the processing purposes for each such category
of covered data.
(3) Whether the covered entity or service provider
transfers covered data and, if so--
(A) each category of service provider or third
party to which the covered entity or service provider
transfers covered data;
(B) the name of each data broker to which the
covered entity or service provider transfers covered
data; and
(C) the purposes for which such data is
transferred.
(4) The length of time the covered entity or service
provider intends to retain each category of covered data or, if
it is not possible to identify the length of time, the criteria
used to determine the length of time the covered entity or
service provider intends to retain each category of covered
data.
(5) A prominent description of how an individual may
exercise the rights, as applicable, of the individual under
this title.
(6) A description of how the covered entity treats data
collected from covered minors differently than data collected
from other individuals, if the covered entity has knowledge
that the covered entity has collected data from covered minors.
(7) A general description of the data security practices of
the covered entity or service provider.
(8) The effective date of the privacy policy.
(9) Whether any covered data collected by the covered
entity or service provider is transferred to, processed in,
retained in, or otherwise accessible to a foreign adversary (as
determined by the Secretary of Commerce and specified in
section 7.4 of title 15, Code of Federal Regulations (or any
successor regulation)).
(c) Languages.--A privacy policy required under subsection (a)
shall be made available to the public--
(1) in the 10 most-used languages in which a covered entity
or service provider provides products or services or carries
out activities related to such products or services; or
(2) if the covered entity or service provider provides
products or services in fewer than 10 languages, in the
languages in which the covered entity or service provider
provides products or services or carries out activities related
to such products or services.
(d) Accessibility.--A covered entity or service provider shall
provide the disclosures required under this section in a manner that is
reasonably accessible to and usable by individuals living with
disabilities.
(e) Material Changes.--
(1) Notice and opt out.--A covered entity that makes a
material change to the privacy policy or practices of the
covered entity shall--
(A) provide to each affected individual, in a clear
and conspicuous manner--
(i) advance notice of such material change;
and
(ii) a means to opt out of the collection,
processing, retention, or transfer of any
covered data of such individual pursuant to
such material change; and
(B) with respect to the covered data of any
individual who opts out using the means described in
subparagraph (A)(ii), discontinue the collection,
processing, retention, or transfer of such covered
data, unless such collection, processing, retention, or
transfer is necessary, proportionate, and limited to
provide or maintain a product or service specifically
requested by the individual.
(2) Direct notification.--A covered entity shall take all
reasonable electronic measures to provide direct notification,
if possible, to each affected individual regarding material
changes to the privacy policy of the covered entity, and such
notification shall be provided in each language in which the
privacy policy is made available, taking into account available
technology and the nature of the relationship between the
covered entity and the individual.
(3) Clarification.--Except as provided in paragraph (1)(B),
nothing in this subsection may be construed to affect the
requirements for covered entities under sections 102, 105, and
106.
(f) Transparency Requirements for Large Data Holders.--
(1) Retention of privacy policies; log of material
changes.--
(A) In general.--Beginning on the date that is 180
days after the date of the enactment of this Act, each
large data holder shall--
(i) retain and publish on the website of
the large data holder a copy of each version of
the privacy policy of the large data holder
required under subsection (a) for not less than
10 years; and
(ii) make publicly available on the website
of the large data holder, in a clear and
conspicuous manner, a log that describes the
date and nature of each material change to the
privacy policy of the large data holder during
the preceding 10-year period in a manner that
is sufficient for a reasonable individual to
understand the effect of each material change.
(B) Exclusion.--This paragraph does not apply to
material changes to previous versions of the privacy
policy of a large data holder that precede the date
that is 180 days after the date of the enactment of
this Act.
(2) Short form notice to consumers.--
(A) In general.--In addition to the privacy policy
required under subsection (a), a large data holder
shall provide a short-form notice of the covered data
practices of the large data holder in a manner that--
(i) is concise;
(ii) is clear and conspicuous;
(iii) is readily accessible to an
individual, based on the manner in which the
individual interacts with the large data holder
and the products or services of the large data
holder and what is reasonably anticipated
within the context of the relationship between
the individual and the large data holder;
(iv) includes an overview of individual
rights and disclosures to reasonably draw
attention to data practices that may be
unexpected or that involve sensitive covered
data; and
(v) is not more than 500 words in length in
the English language or, if in a language other
than English, not more than 550 words in
length.
(B) Guidance.--Not later than 180 days after the
date of the enactment of this Act, the Commission shall
issue guidance establishing the minimum disclosures
necessary for the short-form notice described in this
paragraph and shall include templates or models for
such notice.
SEC. 105. INDIVIDUAL CONTROL OVER COVERED DATA.
(a) Access to, and Correction, Deletion, and Portability of,
Covered Data.--After receiving a verified request from an individual,
including a parent acting on behalf of a child of the parent, a covered
entity shall provide the individual with the right to--
(1) access--
(A) in a format that can be naturally read by a
human, the covered data of the individual or child (as
applicable) (or an accurate representation of the
covered data of the individual or child (as
applicable), if the covered data is no longer in the
possession of the covered entity or a service provider
acting on behalf of the covered entity) that is
collected, processed, or retained by the covered entity
or any service provider of the covered entity;
(B) the name of any third party or service provider
to whom the covered entity has transferred the covered
data, as well as the categories of sources from which
the covered data was collected; and
(C) a description of the purpose for which the
covered entity transferred any covered data of the
individual or child (as applicable) to a third party or
service provider;
(2) correct any inaccuracy or incomplete information with
respect to the covered data of the individual or child (as
applicable) that is collected, processed, or retained by the
covered entity and, for covered data that has been transferred,
request the covered entity to notify any third party or service
provider to which the covered entity transferred such covered
data of the corrected information, including so that service
providers may provide the assistance required by section
111(a)(1)(C);
(3) delete covered data of the individual or child (as
applicable) that is retained by the covered entity and, for
covered data that has been transferred, request that the
covered entity notify any third party or service provider to
which the covered entity transferred such covered data of the
deletion request, including so that service providers may
provide the assistance required by section 111(a)(1)(C);
(4) to the extent technically feasible, have exported
covered data of the individual or child (as applicable) that is
collected, processed, or retained by the covered entity,
without licensing restrictions that unreasonably limit such
transfers, in--
(A) a format that can be naturally read by a human;
and
(B) a format that is portable, structured,
interoperable, and machine-readable; and
(5) delete any content or information submitted to the
covered entity by the individual when a covered minor and, for
any such content or information that has been transferred,
request that the covered entity notify any third party or
service provider to which the covered entity transferred such
content or information of the deletion request, including so
that service providers may provide the assistance required by
section 111(a)(1)(C).
(b) Frequency and Cost.--A covered entity--
(1) shall provide an individual with the opportunity to
exercise each of the rights described in subsection (a); and
(2) with respect to--
(A) the first 3 instances that an individual
exercises any right described in subsection (a) during
any 12-month period, shall allow the individual to
exercise such right free of charge; and
(B) any instance beyond the first 3 instances
described in subparagraph (A), may charge a reasonable
fee for each additional request to exercise any such
right during such 12-month period.
(c) Timing.--
(1) In general.--Subject to subsections (b), (d), and (e),
each request under subsection (a) shall be completed--
(A) by any covered entity that is a large data
holder or data broker, not later than 30 calendar days
after receiving such request from an individual, unless
it is impossible or demonstrably impracticable to
verify the individual; or
(B) by a covered entity that is not a large data
holder or data broker, not later than 45 calendar days
after receiving such request from an individual, unless
it is impossible or demonstrably impracticable to
verify the individual.
(2) Extension.--A response period required under paragraph
(1) may be extended once, by not more than the applicable time
period described in such paragraph, when reasonably necessary,
considering the complexity and number of requests from the
individual, if the covered entity informs the individual of any
such extension, and the reason for the extension, within the
initial response period.
(d) Verification.--
(1) In general.--A covered entity shall reasonably verify
that an individual making a request to exercise a right
described in subsection (a) is--
(A) the individual whose covered data is the
subject of the request;
(B) the parent of the child whose covered data (or,
with respect to a request under subsection (a)(5),
whose content or other information) is the subject of
the request; or
(C) another individual who is a natural person who
is authorized to make such a request on behalf of the
individual whose covered data is the subject of the
request.
(2) Additional information.--If a covered entity cannot
make the verification described in paragraph (1), the covered
entity may request that the individual making the request
provide any additional information necessary for the sole
purpose of making such verification, except that--
(A) the request of the covered entity may not be
burdensome on the individual; and
(B) the covered entity may not process, retain, or
transfer such additional information for any other
purpose.
(e) Exceptions.--
(1) Required exceptions.--A covered entity may not permit
an individual to exercise a right described in subsection (a),
in whole or in part, if the covered entity--
(A) cannot reasonably make the verification
described in subsection (d)(1);
(B) determines that exercise of the right would
require access to, or the correction or deletion of,
the sensitive covered data of an individual other than
the individual whose covered data is the subject of the
request;
(C) determines that exercise of the right would
require correction or deletion of covered data subject
to a warrant, lawfully executed subpoena, or litigation
hold notice or equivalent preservation notice in
connection with such warrant or subpoena or issued in a
matter in which the covered entity is a named party;
(D) determines that exercise of the right would
violate a Federal, State, Tribal, or local law that is
not preempted by this title;
(E) determines that exercise of the right would
violate the professional ethical obligations of the
covered entity;
(F) reasonably believes that the request is made to
further fraud;
(G) except with respect to health information,
reasonably believes that the request is made in
furtherance of criminal activity; or
(H) reasonably believes that complying with the
request would threaten data security or network
security.
(2) Permissive exceptions.--A covered entity may decline,
in whole or in part, to comply with a request to exercise a
right described in subsection (a), with adequate explanation to
the individual making the request, if compliance with the
request would--
(A) be demonstrably impracticable due to
technological limitations or prohibitive cost, and if
the covered entity provides a detailed description to
the individual regarding the inability to comply with
the request due to technological limitations or
prohibitive cost;
(B) delete covered data necessary to perform a
contract between the covered entity and the individual;
(C) with respect to a right described in paragraph
(1) or (4) of subsection (a), require the covered
entity to release trade secrets or other privileged,
proprietary, or confidential business information;
(D) prevent a covered entity from being able to
maintain a confidential record of opt-out requests
pursuant to this title that is maintained solely for
the purpose of preventing covered data of an individual
from being collected, processed, retained, or
transferred after the individual submits an opt-out
request;
(E) with respect to a deletion request, require a
private elementary or secondary school (as determined
under State law) or a private institution of higher
education (as defined in title I of the Higher
Education Act of 1965 (20 U.S.C. 1001 et seq.)) to
delete covered data, if the deletion would unreasonably
interfere with the provision of education services by,
or the ordinary operation of, the school or
institution;
(F) delete covered data that relates to a public
figure regarding a matter of legitimate public interest
and for which the requesting individual has no
reasonable expectation of privacy; or
(G) delete covered data that the covered entity
reasonably believes may be evidence of an abuse of the
products or services of the covered entity, including a
violation of terms of service.
(3) Rule of construction.--This section may not be
construed to require a covered entity or service provider
acting on behalf of a covered entity to--
(A) retain covered data collected for a 1-time
transaction, if such covered data is not processed or
transferred by the covered entity for any purpose other
than completing such transaction;
(B) re-identify, or attempt to re-identify, de-
identified data; or
(C) collect or retain any data in order to be
capable of associating a request with the covered data
that is the subject of the request.
(4) Partial compliance.--In the event a covered entity
declines a request under paragraph (2), the covered entity
shall comply with the remainder of the request if partial
compliance is possible and not unduly burdensome.
(5) Number of requests.--For purposes of paragraph (2)(A),
the receipt of a large number of verified requests, on its own,
may not be considered to render compliance with a request
demonstrably impracticable.
(6) Additional exceptions.--
(A) In general.--The Commission may promulgate
regulations, in accordance with section 553 of title 5,
United States Code, to establish additional permissive
exceptions to subsection (a) necessary to protect the
rights of individuals, to alleviate undue burdens on
covered entities, to prevent unjust or unreasonable
outcomes from the exercise of access, correction,
deletion, or portability rights, or to otherwise
fulfill the purposes of this section.
(B) Considerations.--In establishing any exceptions
under subparagraph (A), the Commission shall consider
any relevant changes in technology, means for
protecting privacy and other rights, and beneficial
uses of covered data by covered entities.
(C) Clarification.--A covered entity may decline to
comply with a request of an individual to exercise a
right under this section pursuant to an exception the
Commission establishes under this paragraph.
(f) Large Data Holder Metrics Reporting.--With respect to each
calendar year for which an entity is a large data holder, such entity
shall comply with the following requirements:
(1) Required metrics.--Compile the following information
for such calendar year:
(A) The number of verified access requests under
subsection (a)(1).
(B) The number of verified deletion requests under
subsection (a)(3).
(C) The number of verified deletion requests under
subsection (a)(5).
(D) The number of verified requests to opt out of
covered data transfers under section 106(a)(1).
(E) The number of verified requests to opt out of
targeted advertising under section 106(a)(2).
(F) For each category of request described in
subparagraphs (A) through (E), the number of such
requests that the large data holder complied with in
whole or in part.
(G) For each category of request described in
subparagraphs (A) through (E), the average number of
days within which the large data holder substantively
responded to the requests.
(2) Public disclosure.--Not later than July 1 of each
calendar year, disclose the information compiled under
paragraph (1) for the previous calendar year--
(A) in the privacy policy of the large data holder;
or
(B) on a publicly available website of the large
data holder that is accessible from a hyperlink
included in the privacy policy.
(g) Guidance.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall issue guidance to clarify
or explain the provisions of this section and establish practices by
which a covered entity may verify a request to exercise a right
described in subsection (a).
(h) Accessibility.--
(1) Language.--A covered entity shall facilitate the
ability of individuals to make requests to exercise rights
described in subsection (a) in any language in which the
covered entity provides a product or service.
(2) Individuals living with disabilities.--The mechanisms
by which a covered entity enables individuals to make a request
to exercise a right described in subsection (a) shall be
readily accessible and usable by individuals living with
disabilities.
SEC. 106. OPT-OUT RIGHTS AND UNIVERSAL MECHANISMS.
(a) In General.--A covered entity shall provide to an individual
the following opt-out rights with respect to the covered data of the
individual:
(1) Right to opt out of covered data transfers to third
parties.--A covered entity--
(A) shall provide an individual with a clear and
conspicuous means to opt out of the transfer of the
covered data of the individual to a third party;
(B) upon establishment of an opt-out mechanism that
meets the requirements and technical specifications
promulgated under subsection (b), shall allow an
individual to make an opt-out designation pursuant to
subparagraph (A) through the opt-out mechanism;
(C) shall abide by an opt-out designation made
pursuant to subparagraph (A) and communicate such
designation to all relevant service providers and third
parties; and
(D) except as provided in subsection (b) or (c)(4)
of section 102, paragraph (3) or (4) of section 112(c),
or section 120(b), need not allow an individual to opt
out of a transfer of covered data made pursuant to a
permissible purpose described in paragraph (1), (2),
(3), (4), (5), (6), (7), (8), (9), (10), (11), (12),
(13), or (14) of section 102(d).
(2) Right to opt out of targeted advertising.--A covered
entity that engages in targeted advertising shall--
(A) provide an individual with a clear and
conspicuous means to opt out of the processing and
transfer of covered data of the individual in
furtherance of targeted advertising;
(B) upon establishment of an opt-out mechanism that
meets the requirements and technical specifications
promulgated under subsection (b), allow an individual
to make an opt-out designation with respect to targeted
advertising through the opt-out mechanism; and
(C) abide by any such opt-out designation made by
an individual and communicate such designation to all
relevant service providers and third parties.
(b) Universal Opt-out Mechanisms.--
(1) In general.--Not later than 2 years after the date of
the enactment of this Act, the Commission shall, in
consultation with the Secretary of Commerce, promulgate
regulations, in accordance with section 553 of title 5, United
States Code, to establish requirements and technical
specifications for 1 or more opt-out mechanisms (including
global privacy signals, such as browser or device privacy
settings) for individuals to exercise the opt-out rights
established under this title through a single interface that--
(A) ensures that the opt-out preference signal--
(i) is clearly described, and easy-to-use
by a reasonable individual;
(ii) does not require that an individual
provide additional information beyond what is
necessary to indicate such preference;
(iii) clearly represents the preference of
an individual;
(iv) is provided--
(I) in the 10 most-used languages
in which a covered entity provides
products or services subject to the
opt-out; or
(II) if the covered entity provides
products or services subject to the
opt-out in fewer than 10 languages, in
the languages in which the covered
entity provides such products or
services; and
(v) is provided in a manner that is
reasonably accessible to and usable by
individuals living with disabilities;
(B) provides a mechanism for an individual to
selectively opt out of the collection, processing,
retention, or transfer of covered data by a covered
entity, without affecting the preferences of the
individual with respect to other entities or disabling
the opt-out preference signal globally;
(C) states that, in the case of a page or setting
view that the individual accesses to set the opt-out
preference signal, the individual should see up to 2
choices, corresponding to the rights established under
subsection (a); and
(D) ensures that the opt-out preference signal will
be registered and set only by the individual or by
another individual who is a natural person on behalf of
the individual.
(2) Effect of designations.--A covered entity shall abide
by any designation made by an individual through any mechanism
that meets the requirements and technical specifications
promulgated under paragraph (1).
SEC. 107. INTERFERENCE WITH CONSUMER RIGHTS.
(a) Dark Patterns Prohibited.--
(1) In general.--A covered entity may not use dark patterns
to--
(A) divert the attention of an individual from any
notice required under this title;
(B) impair the ability of an individual to exercise
any right under this title; or
(C) obtain, infer, or facilitate the consent of an
individual for any action that requires the consent of
an individual under this title.
(2) Clarification.--Any agreement by an individual that is
obtained, inferred, or facilitated through dark patterns does
not constitute consent for any purpose under this title.
(b) Individual Autonomy.--A covered entity may not condition,
effectively condition, attempt to condition, or attempt to effectively
condition the exercise of a right described in this title through the
use of any false, fictitious, fraudulent, or materially misleading
statement or representation.
SEC. 108. PROHIBITION ON DENIAL OF SERVICE AND WAIVER OF RIGHTS.
(a) Retaliation Through Service or Pricing Prohibited.--A covered
entity may not retaliate against an individual for exercising any of
the rights established under this title, or any regulations promulgated
under this title, including by denying goods or services, charging
different prices or rates for goods or services, or providing a
different level of quality of goods or services.
(b) Rules of Construction.--
(1) Bona fide loyalty programs.--
(A) In general.--Nothing in subsection (a) may be
construed to prohibit a covered entity from offering--
(i) to an individual different prices,
rates, levels, qualities, or selections of
goods or services, or functionalities with
respect to a product or service, including
offering goods or services for no fee, if the
offering is in connection with the voluntary
participation of the individual in a bona fide
loyalty program, and if--
(I) the individual provided
affirmative express consent to
participate in such bona fide loyalty
program;
(II) the covered entity abides by
the exercise by the individual of any
right provided by subsection (b) or (c)
of section 102, section 105, or section
106; and
(III) the sale of covered data is
not a condition of participation in the
bona fide loyalty program; or
(ii) to an individual different prices,
rates, levels, qualities, or selections of
goods or services, or functionalities with
respect to a product or service, based on the
decision of the individual to terminate
membership in a bona fide loyalty program or to
exercise a right under section 105(a)(3) to
delete covered data that is necessary for
participation in the bona fide loyalty program.
(B) Bona fide loyalty program defined.--For
purposes of this section, the term ``bona fide loyalty
program''--
(i) includes rewards, premium features,
discounts, and club card programs offered by a
covered entity; and
(ii) excludes such programs offered by a
covered high-impact social media company or
data broker.
(2) Market research.--Nothing in subsection (a) may be
construed to prohibit a covered entity from offering a
financial incentive or other consideration to an individual for
participation in market research.
(3) Declining a product or service.--Nothing in subsection
(a) may be construed to prohibit a covered entity from
declining to provide a product or service or a bona fide
loyalty program to an individual, if any collection,
processing, retention, or transfer affected by the individual
exercising a right established under this title is necessary,
proportionate, and limited to providing such product or
service.
SEC. 109. DATA SECURITY AND PROTECTION OF COVERED DATA.
(a) Establishment of Data Security Practices.--
(1) In general.--Each covered entity or service provider
shall establish, implement, and maintain reasonable data
security practices to protect--
(A) the confidentiality, integrity, and
availability of covered data; and
(B) covered data against unauthorized access.
(2) Considerations.--The data security practices required
under paragraph (1) shall be appropriate to--
(A) the size and complexity of the covered entity
or service provider;
(B) the nature and scope of the relevant
collecting, processing, retaining, or transferring of
covered data, taking into account changing business
operations with respect to covered data;
(C) the volume, nature, and sensitivity of the
covered data; and
(D) the state-of-the-art (and limitations thereof)
in administrative, technical, and physical safeguards
for protecting covered data.
(b) Specific Requirements.--The data security practices required
under subsection (a) shall include, at a minimum, the following:
(1) Assess vulnerabilities.--Routinely identifying and
assessing any reasonably foreseeable internal or external risk
to, or vulnerability in, each system maintained by the covered
entity or service provider that collects, processes, retains,
or transfers covered data, including unauthorized access to or
corruption of such covered data, human vulnerabilities, access
rights, and the use of service providers. Such activities shall
include developing and implementing a plan for receiving and
considering unsolicited reports of vulnerability by any entity
and, if such a report is reasonably credible, performing a
reasonable and timely investigation of such report and taking
appropriate action to protect covered data against the
vulnerability.
(2) Preventive and corrective action.--
(A) In general.--Taking preventive and corrective
action to mitigate any reasonably foreseeable internal
or external risk to, or vulnerability of, covered data
identified by the covered entity or service provider,
consistent with the nature of such risk or
vulnerability and the role of the covered entity or
service provider in collecting, processing, retaining,
or transferring the data, which may include
implementing administrative, technical, or physical
safeguards or changes to data security practices or the
architecture, installation, or implementation of
network or operating software.
(B) Evaluation of preventative and corrective
action.--Evaluating and making reasonable adjustments
to the action described in subparagraph (A) in light of
any material changes in state-of-the-art technology,
internal or external threats to covered data, and
changing business operations with respect to covered
data.
(3) Information retention and disposal.--Disposing of
covered data (either by or at the direction of the covered
entity) that is required to be deleted by law or is no longer
necessary for the purpose for which the data was collected,
processed, retained, or transferred, unless a permitted purpose
under section 102(d) applies, except that retention and
disposal of biometric information shall be governed by section
102(c)(3). Such disposal shall include destroying, permanently
erasing, or otherwise modifying the covered data to make such
data permanently unreadable or indecipherable and unrecoverable
to ensure ongoing compliance with this section.
(4) Retention schedule.--Developing, maintaining, and
adhering to a retention schedule for covered data consistent
with paragraph (3).
(5) Training.--Training each employee with access to
covered data on how to safeguard covered data, and updating
such training as necessary.
(6) Incident response.--Implementing procedures to detect,
respond to, and recover from data security incidents, including
breaches.
(c) Regulations.--The Commission may, in consultation with the
Secretary of Commerce, promulgate, in accordance with section 553 of
title 5, United States Code, technology-neutral, process-based
regulations to carry out this section.
SEC. 110. EXECUTIVE RESPONSIBILITY.
(a) Designation of Privacy and Data Security Officers.--
(1) In general.--A covered entity or service provider
(except for a large data holder) shall designate 1 or more
qualified employees to serve as privacy and data security
officers.
(2) Requirements for officers.--An employee who is
designated by a covered entity or service provider as a privacy
and data security officer shall, at a minimum--
(A) implement a data privacy program and a data
security program to safeguard the privacy and security
of covered data in compliance with the requirements of
this title; and
(B) facilitate the ongoing compliance of the
covered entity or service provider with this title.
(b) Requirements for Large Data Holders.--
(1) Designation.--A covered entity or service provider that
is a large data holder shall designate 1 qualified employee to
serve as a privacy officer and 1 qualified employee to serve as
a data security officer.
(2) Annual certification.--
(A) In general.--Beginning on the date that is 1
year after the date of the enactment of this Act, the
chief executive officer of a large data holder (or, if
the large data holder does not have a chief executive
officer, the highest ranking officer of the large data
holder) and each privacy officer and data security
officer of such large data holder designated under
paragraph (1), shall annually certify to the
Commission, in a manner specified by the Commission,
that the large data holder implements and maintains--
(i) internal controls reasonably designed,
implemented, maintained, and monitored to
comply with this title; and
(ii) internal reporting structures (as
described in paragraph (3)) to ensure that such
certifying officers are involved in, and
responsible for, decisions that impact
compliance by the large data holder with this
title.
(B) Requirements.--A certification submitted under
subparagraph (A) shall be based on a review of the
effectiveness of the internal controls and reporting
structures of the large data holder that is conducted
by the certifying officers not more than 90 days before
the submission of the certification.
(3) Internal reporting structure requirements.--At least 1
of the officers designated under paragraph (1) shall, either
directly or through a supervised designee--
(A) establish practices to periodically review and
update, as necessary, the privacy and security
policies, practices, and procedures of the large data
holder;
(B) conduct biennial and comprehensive audits to
ensure the policies, practices, and procedures of the
large data holder comply with this title and, upon
request, make such audits available to the Commission;
(C) develop a program to educate and train
employees about the requirements of this title;
(D) maintain updated, accurate, clear, and
understandable records of all significant privacy and
data security practices of the large data holder; and
(E) serve as the point of contact between the large
data holder and enforcement authorities.
(4) Privacy impact assessments.--
(A) In general.--Not later than 1 year after the
date of the enactment of this Act or 1 year after the
date on which an entity first meets the definition of
the term ``large data holder'', whichever is earlier,
and biennially thereafter, each large data holder shall
conduct a privacy impact assessment that weighs the
benefits of the covered data collection, processing,
retention, and transfer practices of the entity against
the potential adverse consequences of such practices to
individual privacy.
(B) Assessment requirements.--A privacy impact
assessment required under subparagraph (A) shall be--
(i) reasonable and appropriate in scope
given--
(I) the nature and volume of the
covered data collected, processed,
retained, or transferred by the large
data holder; and
(II) the potential risks posed to
the privacy of individuals by the
collection, processing, retention, and
transfer of covered data by the large
data holder;
(ii) documented in written form and
maintained by the large data holder for as long
as the relevant privacy policy is required to
be retained under section 104(f)(1); and
(iii) approved by the privacy officer of
the large data holder.
(C) Additional factors to include in assessment.--
In assessing privacy risks for purposes of an
assessment conducted under subparagraph (A), including
significant risks of harm to the privacy of an
individual or the security of covered data, the large
data holder shall include reviews of the means by which
technologies, including blockchain and distributed
ledger technologies and other emerging technologies,
including privacy enhancing technologies, are used to
secure covered data.
SEC. 111. SERVICE PROVIDERS AND THIRD PARTIES.
(a) Service Providers.--
(1) In general.--A service provider that collects,
processes, retains, or transfers covered data on behalf of or
at the direction of a covered entity or another service
provider--
(A) shall adhere to the instructions of the covered
entity or other service provider and collect, process,
retain, or transfer covered data only to the extent
necessary, proportionate, and limited to provide a
service requested by the covered entity or other
service provider, as set out in the contract described
in paragraph (2);
(B) may not collect, process, retain, or transfer
covered data if the service provider has actual
knowledge that the covered entity or other service
provider violated this title with respect to such data;
(C) shall assist the covered entity or other
service provider in fulfilling the obligations of the
covered entity or other service provider to respond to
consumer rights requests pursuant to this title by--
(i) providing appropriate technical and
organizational support, taking into account the
nature of the processing and the information
reasonably available to the service provider;
or
(ii) fulfilling a request by the covered
entity or other service provider to execute a
consumer rights request that the covered entity
or other service provider has determined should
be complied with, by either--
(I) complying with the request
pursuant to the instructions of the
covered entity or other service
provider; or
(II) providing written verification
to the covered entity or other service
provider that the service provider does
not hold data related to the request,
that complying with the request would
be inconsistent with the legal
obligations of the service provider, or
that the request falls within an
exception pursuant to this title;
(D) shall, upon the reasonable request of the
covered entity or other service provider, make
available to the covered entity or other service
provider all information necessary to demonstrate the
compliance of the service provider with the
requirements of this title;
(E) shall delete or return, as directed by the
covered entity or other service provider, all covered
data as soon as practicable after the contractually
agreed upon end of the provision of services, unless
the retention by the service provider of covered data
is required by law;
(F) may engage another service provider for
purposes of processing or retaining covered data on
behalf of the covered entity or other service provider
only after exercising reasonable care in selecting
another service provider as required by subsection (d),
providing the covered entity or other service provider
with written notice of the engagement, and entering
into a written contract that requires the other service
provider to satisfy the requirements of this title with
respect to covered data; and
(G) shall--
(i) allow and cooperate with reasonable
assessments by the covered entity or other
service provider at least annually; or
(ii) arrange for a qualified and
independent assessor to conduct an assessment
of the policies and technical and
organizational measures of the service provider
in support of the obligations of the service
provider under this title at least annually,
using an appropriate and accepted control
standard or framework and assessment procedure
for such assessments, and report the results of
such assessment to the covered entity or other
service provider.
(2) Contract requirements.--An entity may only operate as a
service provider pursuant to a contract between a covered
entity and a service provider. Such contract--
(A) shall govern the data processing procedures of
the service provider with respect to any collection,
processing, retention, or transfer performed on behalf
of the covered entity;
(B) shall clearly set forth--
(i) instructions for collecting,
processing, retaining, or transferring data;
(ii) the nature and purpose of the
collection, processing, retention, or transfer;
(iii) the type of data subject to
collection, processing, retention, or transfer;
(iv) the duration of the processing or
retention; and
(v) the rights and obligations of both
parties;
(C) may not relieve the covered entity or service
provider of any obligation under this title; and
(D) shall prohibit--
(i) the collection, processing, retention,
or transfer of covered data in a manner that
does not comply with the requirements of
paragraph (1); and
(ii) combining covered data that the
service provider receives from or on behalf of
a covered entity with covered data that the
service provider receives from or on behalf of
another entity or collects from the interaction
of the service provider with an individual,
unless such combining is necessary for a
purpose described in section 102(d), other than
a purpose described in paragraph (7), (14),
(15), or (16) of such section, and is otherwise
permitted under the contract.
(b) Third Parties.--
(1) In general.--A third party may not process, retain, or
transfer third-party data for a purpose other than--
(A) in the case of sensitive covered data--
(i) except as provided in clause (ii), a
purpose for which an individual gave
affirmative express consent pursuant to
subsection (b) or (c) of section 102; or
(ii) in the case of sensitive covered data
with respect to which affirmative express
consent is not required pursuant to subsection
(b) of section 102, a purpose for which the
covered entity or service provider made a
disclosure pursuant to section 104; or
(B) in the case of covered data that is not
sensitive covered data, a purpose for which the covered
entity or service provider made a disclosure pursuant
to section 104.
(2) Contract requirements.--Before transferring covered
data to a third party, a covered entity or service provider
shall enter into a contract with the third party that--
(A) identifies the purposes for which covered data
is being transferred;
(B) specifies that the third party may only use the
covered data for such purposes;
(C) with respect to the covered data transferred,
requires the third party to comply with all applicable
provisions of, and regulations promulgated under, this
title;
(D) requires the third party to notify the covered
entity or service provider if the third party makes a
determination that the third party can no longer meet
the obligations of the third party under this title;
and
(E) grants the covered entity or service provider
the right, upon notice (including under subparagraph
(D)), to take reasonable and appropriate steps to stop
and remediate unauthorized use of covered data by the
third party.
(c) Rules of Construction.--
(1) Successive actor violations.--
(A) In general.--With respect to a violation of
this title by a service provider or third party
regarding covered data received by the service provider
or third party from a covered entity or another service
provider, the covered entity or service provider that
transferred such covered data may not be considered to
be in violation of this title if the covered entity or
service provider transferred the covered data in
compliance with the requirements of this title and, at
the time of transferring such covered data, did not
have actual knowledge, or reason to believe, that the
service provider or third party to which the covered
data was transferred intended to violate this title.
(B) Knowledge of violation.--A covered entity or
service provider that transfers covered data to a
service provider or third party and has actual
knowledge, or reason to believe, that such service
provider or third party is violating, or is about to
violate, the requirements of this title shall
immediately cease the transfer of covered data to such
service provider or third party.
(2) Prior actor violations.--An entity that collects,
processes, retains, or transfers covered data in compliance
with the requirements of this title may not be considered to be
in violation of this title as a result of a violation by an
entity from which it receives, or on whose behalf it collects,
processes, retains, or transfers, covered data.
(d) Reasonable Care.--
(1) Service provider selection.--A covered entity or
service provider shall exercise reasonable care in selecting a
service provider.
(2) Transfer to third party.--A covered entity or service
provider shall exercise reasonable care in deciding to transfer
covered data to a third party.
(3) Guidance.--Not later than 2 years after the date of the
enactment of this Act, the Commission shall publish guidance
regarding compliance with this subsection.
(e) Rule of Construction.--Solely for purposes of this section, the
requirements under this section for service providers to contract with,
assist, and follow the instructions of covered entities shall also
apply to any entity that collects, processes, retains, or transfers
covered data for the purpose of performing services on behalf of, or at
the direction of, a government entity, as though such government entity
were a covered entity.
SEC. 112. DATA BROKERS.
(a) Notice.--A data broker shall--
(1) establish and maintain a publicly available website;
and
(2) place a clear and conspicuous, and not misleading,
notice on such publicly available website, and any mobile
application of the data broker, that--
(A) states that the entity is a data broker;
(B) states that an individual may exercise a right
described in section 105 or 106, and includes a link or
other tool to allow an individual to exercise such
right;
(C) includes a link to the website described in
subsection (c)(3);
(D) is reasonably accessible to and usable by
individuals living with disabilities; and
(E) is provided in any language in which the data
broker provides products or services.
(b) Prohibited Practices.--A data broker may not--
(1) advertise or market access to, or the transfer of,
covered data for the purposes of--
(A) stalking or harassing an individual; or
(B) engaging in fraud, identity theft, or unfair or
deceptive acts or practices; or
(2) misrepresent the business practices of the data broker.
(c) Data Broker Registration.--
(1) In general.--Not later than January 31 of each calendar
year that follows a calendar year during which an entity acted
as a data broker with respect to more than 5,000 individuals or
devices that identify or are linked or reasonably linkable to
an individual, such entity shall register with the Commission
in accordance with this subsection.
(2) Registration requirements.--In registering with the
Commission as required under paragraph (1), a data broker shall
do the following:
(A) Pay to the Commission a registration fee of
$100.
(B) Provide the Commission with the following
information:
(i) The legal name and primary valid
physical postal address, email address, and
internet address of the data broker.
(ii) A description of the categories of
covered data the data broker collects,
processes, retains, or transfers.
(iii) The contact information of the data
broker, including the name of a contact person,
a human-monitored telephone number, a human-
monitored e-mail address, a website, and a
physical mailing address.
(iv) A link to a website through which an
individual may easily exercise the rights
described in sections 105 and 106.
(3) Data broker registry.--
(A) Establishment.--The Commission shall establish
and maintain on a publicly available website a
searchable list of data brokers that are registered
with the Commission under this subsection.
(B) Requirements.--The registry established under
subparagraph (A) shall--
(i) allow members of the public to search
for and identify data brokers;
(ii) include the information required under
paragraph (2)(B) for each data broker;
(iii) include a mechanism by which an
individual, including a parent acting on behalf
of a child of the parent, may submit to all
registered data brokers a ``Do Not Collect''
request that results in registered data brokers
no longer collecting covered data related to
such individual or child (as applicable)
without the affirmative express consent of such
individual; and
(iv) include a mechanism by which an
individual, including a parent acting on behalf
of a child of the parent, may submit to all
registered data brokers a ``Delete My Data''
request that results in registered data brokers
deleting all covered data related to such
individual or child (as applicable) that the
data broker did not collect directly from such
individual or when acting as a service
provider.
(C) Affordability.--A data broker may not charge an
individual a fee to exercise a right under this
paragraph.
(4) Do not collect and delete my data requests.--
(A) Compliance.--Subject to subparagraph (B), each
data broker that receives a request from an individual,
including a parent acting on behalf of a child of the
parent, using the mechanism established under paragraph
(3)(B)(iii) or paragraph (3)(B)(iv) shall comply with
such request not later than 30 days after the date on
which the request is received by the data broker.
(B) Exception.--A data broker may decline to
fulfill a request from an individual, if--
(i) the data broker has actual knowledge
that the individual has been convicted of a
crime related to the abduction or sexual
exploitation of a child; and
(ii) the data collected by the data broker
is necessary--
(I) to carry out a national or
State-run sex offender registry; or
(II) for the National Center for
Missing and Exploited Children.
SEC. 113. COMMISSION-APPROVED COMPLIANCE GUIDELINES.
(a) Application for Compliance Guideline Approval.--
(1) In general.--A covered entity that is not a data broker
and is not a large data holder, or a group of such covered
entities, may apply to the Commission for approval of 1 or more
sets of compliance guidelines governing the collection,
processing, retention, or transfer of covered data by the
covered entity or covered entities.
(2) Application requirements.--An application under
paragraph (1) shall include--
(A) a description of how the proposed guidelines
will meet or exceed the applicable requirements of this
title;
(B) a description of the entities or activities the
proposed guidelines are designed to cover;
(C) a list of the covered entities, to the extent
known at the time of application, that intend to adhere
to the proposed guidelines;
(D) a description of an independent organization,
not associated with any of the intended adhering
covered entities, that will administer the proposed
guidelines; and
(E) a description of how such intended adhering
entities will be assessed for adherence to the proposed
guidelines by the independent organization described in
subparagraph (D).
(3) Commission review.--
(A) Initial approval.--
(i) Public comment period.--Not later than
90 days after receipt of an application
regarding proposed guidelines submitted
pursuant to paragraph (1), the Commission shall
publish the application and provide an
opportunity for public comment on such proposed
guidelines.
(ii) Approval criteria.--The Commission
shall approve an application regarding proposed
guidelines submitted pursuant to paragraph (1),
including the independent organization that
will administer the guidelines, if the
applicant demonstrates that the proposed
guidelines--
(I) meet or exceed the applicable
requirements of this title;
(II) provide for regular review and
validation by an independent
organization to ensure that the covered
entity or covered entities adhering to
the guidelines continue to meet or
exceed the applicable requirements of
this title; and
(III) include a means of
enforcement if a covered entity does
not meet or exceed the requirements in
the guidelines, which may include
referral to the Commission for
enforcement under section 115 or
referral to the appropriate State
attorney general for enforcement under
section 116.
(iii) Timeline.--Not later than 1 year
after the date on which the Commission receives
an application regarding proposed guidelines
pursuant to paragraph (1), the Commission shall
issue a determination approving or denying the
application, including the relevant independent
organization, and providing the reasons for
approving or denying the application.
(B) Approval of modifications.--
(i) In general.--If the independent
organization administering a set of guidelines
approved under subparagraph (A) makes
significant changes to the guidelines, the
independent organization shall submit the
updated guidelines to the Commission for
approval. As soon as feasible, the Commission
shall publish the updated guidelines and
provide an opportunity for public comment.
(ii) Timeline.--The Commission shall
approve or deny any significant change to
guidelines submitted under clause (i) not later
than 180 days after the date on which the
Commission receives the submission for
approval.
(b) Withdrawal of Approval.--
(1) In general.--If at any time the Commission determines
that guidelines previously approved under this section no
longer meet the applicable requirements of this title or that
compliance with the approved guidelines is insufficiently
enforced by the independent organization administering the
guidelines, the Commission shall notify the relevant covered
entity or group of covered entities and the independent
organization of the determination of the Commission to withdraw
approval of the guidelines, including the basis for the
determination.
(2) Opportunity to cure.--
(A) In general.--Not later than 180 days after
receipt of a notice under paragraph (1), the covered
entity or group of covered entities and the independent
organization may cure any alleged deficiency with the
guidelines or the enforcement of the guidelines and
submit each proposed cure to the Commission.
(B) Effect on withdrawal of approval.--If the
Commission determines that cures proposed under
subparagraph (A) eliminate alleged deficiencies in the
guidelines, the Commission may not withdraw the
approval of such guidelines on the basis of such
deficiencies.
(c) Certification.--A covered entity with guidelines approved by
the Commission under this section shall--
(1) publicly self-certify that the covered entity is in
compliance with the guidelines; and
(2) as part of the self-certification under paragraph (1),
indicate the independent organization responsible for assessing
compliance with the guidelines.
(d) Rebuttable Presumption of Compliance.--A covered entity that is
eligible to participate in guidelines approved under this section,
participates in the guidelines, and is in compliance with the
guidelines shall be entitled to a rebuttable presumption that the
covered entity is in compliance with the relevant provisions of this
title to which the guidelines apply.
(e) Eligibility of Service Providers.--This section shall apply to
a service provider that is not a large data holder, or a group of such
service providers, in the same manner as this section applies to a
covered entity or group of covered entities. Such a service provider or
group of service providers may apply for approval of, and participate
in, the same guidelines as a covered entity or group of covered
entities.
SEC. 114. PRIVACY-ENHANCING TECHNOLOGY PILOT PROGRAM.
(a) Privacy-Enhancing Technology Defined.--In this section, the
term ``privacy-enhancing technology''--
(1) means any software or hardware solution, cryptographic
algorithm, or other technical process of extracting the value
of information without substantially reducing the privacy and
security of the information; and
(2) includes technologies with functionality similar to
homomorphic encryption, differential privacy, zero-knowledge
proofs, synthetic data generation, federated learning, and
secure multi-party computation.
(b) Establishment.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall establish and carry out a
pilot program to encourage private sector use of privacy-enhancing
technologies for the purposes of protecting covered data to comply with
section 109.
(c) Purposes.--Under the pilot program established under subsection
(b), the Commission shall--
(1) develop and implement a petition process for covered
entities to request to be a part of the pilot program; and
(2) build an auditing system that leverages privacy-
enhancing technologies to support the enforcement actions of
the Commission.
(d) Petition Process.--A covered entity wishing to be accepted into
the pilot program established under subsection (b) shall demonstrate to
the Commission that the privacy-enhancing technologies to be used under
the pilot program by the covered entity will establish data security
practices that meet or exceed all or some of the requirements in
section 109. If the covered entity demonstrates the privacy-enhancing
technologies meet or exceed the requirements in section 109, the
Commission may accept the covered entity to be a part of the pilot
program. If the Commission does not accept a covered entity to be a
part of the pilot program, the Commission shall provide an adequate
response to the covered entity detailing why the covered entity was not
accepted, and the covered entity may subsequently revise the petition
of the covered entity to address any deficiencies indicated by the
Commission in the response of the Commission to the covered entity.
(e) Requirements.--In carrying out the pilot program established
under subsection (b), the Commission shall--
(1) receive input from private, public, and academic
stakeholders; and
(2) develop ongoing public and private sector engagement,
in consultation with the Secretary of Commerce, to disseminate
voluntary, consensus-based resources to increase the
integration of privacy-enhancing technologies in data
collection, sharing, and analytics by the public and private
sectors.
(f) Conclusion of Pilot Program.--The Commission shall terminate
the pilot program established under subsection (b) not later than 10
years after the commencement of the program.
(g) Study Required.--
(1) In general.--The Comptroller General of the United
States shall conduct a study--
(A) to assess the progress of the pilot program
established under subsection (b);
(B) to determine the effectiveness of using
privacy-enhancing technologies at the Commission to
support oversight of the data security practices of
covered entities; and
(C) to develop recommendations to improve and
advance privacy-enhancing technologies, including by
improving communication and coordination between
covered entities and the Commission to increase
implementation of privacy-enhancing technologies by
such entities and the Commission.
(2) Initial briefing.--Not later than 3 years after the
date of the enactment of this Act, the Comptroller General
shall brief the Committee on Energy and Commerce of the House
of Representatives and the Committee on Commerce, Science, and
Transportation of the Senate on the initial results of the
study conducted under paragraph (1).
(3) Final report.--Not later than 240 days after the date
on which the briefing required by paragraph (2) is conducted,
the Comptroller General shall submit to the Committee on Energy
and Commerce of the House of Representatives and the Committee
on Commerce, Science, and Transportation of the Senate a final
report setting forth the results of the study conducted under
paragraph (1), including the recommendations developed under
subparagraph (C) of such paragraph.
(h) Audit of Covered Entities.--The Commission shall, on an ongoing
basis, audit covered entities who have been accepted to be part of the
pilot program established under subsection (b) to determine whether
such a covered entity is maintaining the use and implementation of
privacy-enhancing technologies to secure covered data.
(i) Withdrawal From the Pilot Program.--If at any time the
Commission determines that a covered entity accepted to be a part of
the pilot program established under subsection (b) is no longer
maintaining the use of privacy-enhancing technologies, the Commission
shall notify the covered entity of the determination of the Commission
to withdraw approval for the covered entity to be a part of the pilot
program and the basis for doing so. Not later than 180 days after the
date on which a covered entity receives such notice, the covered entity
may cure any alleged deficiency with the use of privacy-enhancing
technologies and submit each proposed cure to the Commission. If the
Commission determines that such cures eliminate alleged deficiencies
with the use of privacy-enhancing technologies, the Commission may not
withdraw the approval of the covered entity to be a part of the pilot
program on the basis of such deficiencies.
(j) Limitations on Liability.--Any covered entity that petitions,
and is accepted, to be part of the pilot program established under
subsection (b), actively implements and maintains the use of privacy-
enhancing technologies, and is determined by the Commission to be in
compliance with the program shall--
(1) for any action under section 115 or 116 for a violation
of section 109, be deemed to be in compliance with section 109
with respect to the covered data subject to the privacy-
enhancing technologies; and
(2) for any action under section 117 for a violation of
section 109, be entitled to a rebuttable presumption that such
entity is in compliance with section 109 with respect to the
covered data subject to the privacy-enhancing technologies.
SEC. 115. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
(a) New Bureau.--
(1) In general.--Subject to the availability of
appropriations, the Commission shall establish, within the
Commission, a new bureau comparable in structure, size,
organization, and authority to the existing bureaus within the
Commission related to consumer protection and competition.
(2) Mission.--The mission of the bureau established under
this subsection shall be to assist the Commission in exercising
the authority of the Commission under this title and related
authorities.
(3) Staff.--
(A) In general.--In staffing the bureau established
under this subsection, the Commission shall ensure the
allocation of full time employees or full time employee
equivalents that include attorneys, economists,
investigators, technologists, and mental health
professionals with experience in the well-being of
children and teens.
(B) Technologist defined.--For the purposes of this
paragraph, the term ``technologist'' means an
individual with training and expertise with respect to
technology, including state-of-the-art information
technology, network or data security, hardware or
software development, privacy-enhancing technologies,
cryptography, computer science, data science,
advertising technology, web tracking, machine learning,
and other related fields and applications.
(4) Timeline.--The bureau established under this subsection
shall be established, staffed, and fully operational not later
than 180 days after the date of the enactment of this Act.
(b) Enforcement by Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
this title or a regulation promulgated under this title shall
be treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of commission.--
(A) In general.--Except as provided in paragraph
(3) or otherwise provided in this title, the Commission
shall enforce this title and the regulations
promulgated under this title in the same manner, by the
same means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of
the Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this title.
(B) Privileges and immunities.--Any entity that
violates this title or a regulation promulgated under
this title shall be subject to the penalties and
entitled to the privileges and immunities provided in
the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).
(3) Common carriers and nonprofits.--Notwithstanding
section 4, 5(a)(2), or 6 of the Federal Trade Commission Act
(15 U.S.C. 44; 45(a)(2); 46) or any jurisdictional limitation
of the Commission, the Commission shall also enforce this
title, and the regulations promulgated under this title, in the
same manner provided in paragraphs (1) and (2) of this
subsection with respect to--
(A) common carriers subject to title II of the
Communications Act of 1934 (47 U.S.C. 201 et seq.); and
(B) organizations not organized to carry on
business for their own profit or that of their members.
(4) Penalty offset for state or individual actions.--Any
amount that a court orders an entity to pay in an action
brought under this subsection shall be offset by any amount a
court has ordered the entity to pay in an action brought
against the entity for the same violation under section 116 or
117.
(5) Privacy and security victims relief fund.--
(A) Establishment of victims relief fund.--There is
established in the Treasury of the United States a
separate fund to be known as the ``Privacy and Security
Victims Relief Fund'' (in this paragraph referred to as
the ``Victims Relief Fund'').
(B) Deposits.--The Commission or the Attorney
General of the United States, as applicable, shall
deposit into the Victims Relief Fund the amount of any
civil penalty obtained in any civil action the
Commission, or the Attorney General on behalf of the
Commission, commences to enforce this title or a
regulation promulgated under this title.
(C) Use of fund amounts.--
(i) Availability to the commission.--
Notwithstanding section 3302 of title 31,
United States Code, amounts in the Victims
Relief Fund shall be available to the
Commission, without fiscal year limitation, to
provide redress, damages, payments or
compensation, or other monetary relief to
persons affected by an act or practice for
which civil penalties, other monetary relief,
or any other forms of relief (including
injunctive relief) have been ordered in a civil
action or administrative proceeding the
Commission commences, or in any civil action
the Attorney General of the United States
commences on behalf of the Commission, to
enforce this title or a regulation promulgated
under this title.
(ii) Other permissible uses.--To the extent
that individuals cannot be located or such
redress, damages, payments or compensation, or
other monetary relief are otherwise not
practicable, the Commission may use amounts in
the Victims Relief Fund for the purpose of--
(I) consumer or business education
relating to data privacy or data
security; or
(II) engaging in technological
research that the Commission considers
necessary to implement this title,
including promoting privacy-enhancing
technologies that promote compliance
with this title.
(D) Calculation.--Any amount that the Commission
provides to a person as redress, payments or
compensation, or other monetary relief under
subparagraph (C) with respect to a violation by an
entity shall be offset by any amount the person
received from an action brought against the entity for
the same violation under section 116 or 117.
(E) Rule of construction.--Amounts collected and
deposited in the Victims Relief Fund may not be
construed to be Government funds or appropriated monies
and may not be subject to apportionment for the purpose
of chapter 15 of title 31, United States Code, or under
any other authority.
(c) Report.--
(1) In general.--Not later than 4 years after the date of
the enactment of this Act, and annually thereafter, the
Commission shall submit to Congress a report describing
investigations conducted during the prior year with respect to
violations of this title, including--
(A) the number of such investigations the
Commission commenced;
(B) the number of such investigations the
Commission closed with no official agency action;
(C) the disposition of such investigations, if such
investigations have concluded and resulted in official
agency action; and
(D) for each investigation that was closed with no
official agency action, the industry sectors of the
covered entities subject to each investigation.
(2) Privacy protections.--A report required under paragraph
(1) may not include the identity of any person who is the
subject of an investigation or any other information that
identifies such a person.
(3) Annual plan.--Not later than 540 days after the date of
the enactment of this Act, and annually thereafter, the
Commission shall submit to Congress a plan for the next
calendar year describing the projected activities of the
Commission under this title, including--
(A) the policy priorities of the Commission and any
changes to the previous policy priorities of the
Commission;
(B) any rulemaking proceedings projected to be
commenced, including any such proceedings to amend or
repeal a rule;
(C) any plans to develop, update, or withdraw
guidelines or guidance required under this title;
(D) any plans to restructure the Commission; and
(E) projected dates and timelines, or changes to
projected dates and timelines, associated with any of
the requirements under this title.
SEC. 116. ENFORCEMENT BY STATES.
(a) Civil Action.--
(1) In general.--In any case in which the attorney general
of a State, the chief consumer protection officer of a State,
or an officer or office of a State authorized to enforce
privacy or data security laws applicable to covered entities or
service providers has reason to believe that an interest of the
residents of the State has been or is adversely affected by the
engagement of any entity in an act or practice that violates
this title or a regulation promulgated under this title, the
attorney general, chief consumer protection officer, or other
authorized officer or office of the State may bring a civil
action in the name of the State, or as parens patriae on behalf
of the residents of the State, in an appropriate Federal
district court of the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this title or the
regulations promulgated under this title;
(C) obtain civil penalties;
(D) obtain damages, restitution, or other
compensation on behalf of the residents of the State;
(E) obtain reasonable attorney's fees and other
litigation costs reasonably incurred; or
(F) obtain such other relief as the court may
consider to be appropriate.
(2) Limitation.--In any case with respect to which the
attorney general of a State, the chief consumer protection
officer of a State, or an officer or office of a State
authorized to enforce privacy or data security laws applicable
to covered entities or service providers brings an action under
paragraph (1), no other officer or office of the same State may
institute a civil action under paragraph (1) against the same
defendant for the same violation of this title or regulation
promulgated under this title.
(b) Rights of the Commission.--
(1) In general.--Except if not feasible, a State officer
shall notify the Commission in writing prior to initiating a
civil action under subsection (a). Such notice shall include a
copy of the complaint to be filed to initiate such action. Upon
receiving such notice, the Commission may intervene in such
action and, upon intervening--
(A) be heard on all matters arising in such action;
and
(B) file petitions for appeal of a decision in such
action.
(2) Notification timeline.--If not feasible for a State
officer to provide the notification required by paragraph (1)
before initiating a civil action under subsection (a), the
State officer shall notify the Commission immediately after
initiating the civil action.
(c) Actions by the Commission.--In any case in which a civil action
is instituted by or on behalf of the Commission for a violation of this
title or a regulation promulgated under this title, no attorney general
of a State, chief consumer protection officer of a State, or officer or
office of a State authorized to enforce privacy or data security laws
may, during the pendency of such action, institute a civil action
against any defendant named in the complaint in the action instituted
by or on behalf of the Commission for a violation of this title or a
regulation promulgated under this title that is alleged in such
complaint.
(d) Investigatory Powers.--Nothing in this title may be construed
to prevent the attorney general of a State, the chief consumer
protection officer of a State, or an officer or office of a State
authorized to enforce privacy or data security laws applicable to
covered entities or service providers from exercising the powers
conferred on such officer or office to conduct investigations, to
administer oaths or affirmations, or to compel the attendance of
witnesses or the production of documentary or other evidence.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in any Federal district court of the United States that
meets applicable requirements relating to venue under section
1391 of title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
(f) GAO Study.--
(1) In general.--The Comptroller General of the United
States shall conduct a study of the practice of State attorneys
general hiring, or otherwise contracting with, outside firms to
assist in enforcement efforts pursuant to this title, which
shall include the study of--
(A) the frequency with which each State attorney
general hires or contracts with outside firms to assist
in such enforcement efforts;
(B) the contingency fees, hourly rates, and other
costs of hiring or contracting with outside firms;
(C) the types of matters for which outside firms
are hired or contracted;
(D) the bid and selection process for such outside
firms, including reviews of conflicts of interest;
(E) the practices State attorneys general set in
place to protect sensitive information that would
become accessible by outside firms while the outside
firms are assisting in such enforcement efforts;
(F) the percentage of monetary recovery that is
returned to victims and the percentage of such recovery
that is retained by outside firms; and
(G) the market average for the hourly rate of hired
or contracted attorneys in each market.
(2) Report.--Not later than 1 year after the date of the
enactment of this Act, the Comptroller General shall submit to
the Committee on Energy and Commerce of the House of
Representatives and the Committee on Commerce, Science, and
Transportation of the Senate a report on the results of the
study conducted under paragraph (1).
(g) Preservation of State Powers.--Except as provided in
subsections (a)(2) and (c), no provision of this section may be
construed as altering, limiting, or affecting the authority of a State
attorney general, the chief consumer protection officer of a State, or
an officer or office of a State authorized to enforce laws applicable
to covered entities or service providers to--
(1) bring an action or other regulatory proceeding arising
solely under the laws in effect in such State; or
(2) exercise the powers conferred on the attorney general,
chief consumer protection officer, or officer or office by the
laws of such State, including the ability to conduct
investigations, to administer oaths or affirmations, or to
compel the attendance of witnesses or the production of
documentary or other evidence.
(h) Calculation.--Any amount that a court orders an entity to pay
to a person under this section shall be offset by any amount the person
received from an action brought against the entity for the same
violation under section 115 or 117.
SEC. 117. ENFORCEMENT BY PERSONS.
(a) Civil Action.--
(1) In general.--Subject to subsections (b) and (c), a
person may bring a civil action against a covered entity or
service provider for a violation of subsection (b) or (c) of
section 102, subsection (a) or (e) of section 104, section 105,
subsection (a) or (b)(2) of section 106, section 107, section
108, section 109 to the extent such action alleges a data
breach arising from a violation of subsection (a) of such
section, subsection (d) of section 111, or subsection (c)(4) of
section 112, or a regulation promulgated thereunder, in an
appropriate Federal district court of the United States.
(2) Relief.--
(A) In general.--In a civil action brought under
paragraph (1) in which the plaintiff prevails, the
court may award the plaintiff--
(i) an amount equal to the sum of any
actual damages;
(ii) injunctive relief, including an order
that an entity retrieve any covered data
transferred in violation of this title;
(iii) declaratory relief; and
(iv) reasonable attorney fees and
litigation costs.
(B) Biometric and genetic information.--In a civil
action brought under paragraph (1) for a violation of
this title with respect to section 102(c), in which the
plaintiff prevails, if the conduct underlying the
violation occurred primarily and substantially in
Illinois, the court may award the plaintiff--
(i) for a violation involving biometric
information, the same relief as set forth in
section 20 of the Biometric Information Privacy
Act (740 ILCS 14/20), as such statute reads on
December 31, 2024; or
(ii) for a violation involving genetic
information, the same relief as set forth in
section 40 of the Genetic Information Privacy
Act (410 ILCS 513/40), as such statute reads on
December 31, 2024.
(C) Data security.--
(i) In general.--In a civil action brought
under paragraph (1) for a violation of this
title alleging unauthorized access of covered
information as a result of a violation of
section 109(a), in which the plaintiff
prevails, the court may award a plaintiff who
is a resident of California the same relief as
set forth in section 1798.150 of the California
Civil Code, as such statute read on January 1,
2024.
(ii) Covered information defined.--For
purposes of this subparagraph, the term
``covered information'' means the following:
(I) A username, email address, or
telephone number of an individual in
combination with a password or security
question or answer that would permit
access to an account held by the
individual that contains or provides
access to sensitive covered data.
(II) The first name or first
initial of an individual and the last
name of the individual in combination
with 1 or more of the following
categories of sensitive covered data,
if either the name or the sensitive
covered data are not encrypted or
redacted:
(aa) A government-issued
identifier described in section
101(49)(A)(i).
(bb) A financial account
number described in section
101(49)(A)(iv).
(cc) Health information,
but only to the extent such
information reveals the history
of medical treatment or
diagnosis by a health care
professional of the individual.
(dd) Biometric information.
(ee) Genetic information.
(D) Limitations on dual actions.--Any amount that a
court orders an entity to pay to a person under
subparagraph (A)(i), (B), or (C) shall be offset by any
amount the person received from an action brought
against the entity for the same violation under section
115 or 116.
(b) Opportunity to Cure in Actions for Injunctive Relief.--
(1) Notice.--Subject to paragraph (3), an action for
injunctive relief may be brought by a person under this section
only if, prior to initiating such action against an entity, the
person provides to the entity written notice identifying the
specific provisions of this title the person alleges have been
or are being violated.
(2) Effect of cure.--In the event a cure is possible with
respect to a violation alleged in a notice described in
paragraph (1) and, not later than 60 days after the date of
receipt of such notice, the entity cures such violation and
provides the person an express written statement that the
violation has been cured and that no further such violations
shall occur, an action for injunctive relief may not be
permitted with respect to the noticed violation.
(3) Injunctive relief for a substantial privacy harm.--
Notice is not required under paragraph (1) prior to bringing an
action for injunctive relief for a violation that resulted in a
substantial privacy harm.
(c) Notice of Actions Seeking Actual Damages.--
(1) Notice.--Subject to paragraph (4), an action under this
section for actual damages may be brought by a person only if,
60 days prior to initiating such action against an entity, the
person provides the entity written notice identifying the
specific provisions of this title the person alleges have been
or are being violated.
(2) Settlement.--An entity that receives a written notice
from a person under paragraph (1) may settle with the person
who sent the written notice.
(3) Effect of settlement.--In the event of a settlement
under paragraph (2), the terms of such settlement shall govern
any future action under this section for actual damages between
the parties to the settlement that relates to the underlying
facts that resulted in the settlement.
(4) No notice required for a substantial privacy harm.--
Notice is not required under paragraph (1) prior to bringing an
action for actual damages for a violation of this title that
resulted in a substantial privacy harm, if such action includes
a claim for a preliminary injunction or temporary restraining
order.
(d) Pre-Dispute Arbitration Agreements.--
(1) In general.--Notwithstanding any other provision of
law, at the election of the person alleging a violation of this
title, no pre-dispute arbitration agreement shall be valid or
enforceable with respect to--
(A) a claim alleging a violation involving an
individual under the age of 18; or
(B) a claim alleging a violation that resulted in a
substantial privacy harm.
(2) Determination of applicability.--Any issue as to
whether this subsection applies to a dispute shall be
determined under Federal law. The applicability of this
subsection to an agreement to arbitrate and the validity and
enforceability of an agreement to which this subsection applies
shall be determined by a Federal court, rather than an
arbitrator, irrespective of whether the party resisting
arbitration challenges the arbitration agreement specifically
or in conjunction with other terms of the contract containing
the agreement, and irrespective of whether the agreement
purports to delegate the determination to an arbitrator.
(3) Pre-dispute arbitration agreement defined.--For
purposes of this subsection, the term ``pre-dispute arbitration
agreement'' means any agreement to arbitrate a dispute that has
not arisen at the time of the making of the agreement.
(e) Combined Notices.--A person may combine the notices required by
subsections (b)(1) and (c)(1) into a single notice, if the single
notice complies with the requirements of each such subsection.
(f) Bad Faith.--If a person represented by counsel brings a civil
action under this section against a covered entity or service provider
requesting actual damages from the covered entity or service provider,
and fails to provide notice to the covered entity or service provider
in accordance with this section, the action may be dismissed without
prejudice and may not be reinstated until the person has complied with
the notice requirements of this section.
SEC. 118. RELATION TO OTHER LAWS.
(a) Preemption of State Laws.--
(1) Congressional intent.--The purposes of this section are
to--
(A) establish a uniform national privacy and data
security standard in the United States to prevent
administrative costs and burdens from being placed on
interstate commerce; and
(B) expressly preempt the laws of a State or
political subdivision of a State as provided in this
subsection.
(2) Preemption.--Except as provided in paragraphs (3) and
(4), no State or political subdivision of a State may adopt,
maintain, enforce, impose, or continue in effect any law,
regulation, rule, requirement, prohibition, standard, or other
provision covered by the provisions of this title or a rule,
regulation, or requirement promulgated under this title.
(3) State law preservation.--Paragraph (2) may not be
construed to preempt, displace, or supplant the following State
laws, rules, regulations, or requirements:
(A) Consumer protection laws of general
applicability, such as laws regulating deceptive,
unfair, or unconscionable practices.
(B) Civil rights laws.
(C) Provisions of laws that address the privacy
rights or other protections of employees or employee
information.
(D) Provisions of laws that address the privacy
rights or other protections of students or student
information.
(E) Provisions of laws, insofar as such provisions
address notification requirements in the event of a
data breach.
(F) Contract or tort law.
(G) Criminal laws.
(H) Civil laws regarding--
(i) blackmail;
(ii) stalking (including cyberstalking);
(iii) cyberbullying;
(iv) intimate images (whether authentic or
computer-generated) known to be nonconsensual;
(v) child abuse;
(vi) child sexual abuse material;
(vii) child abduction or attempted child
abduction;
(viii) child trafficking; or
(ix) sexual harassment.
(I) Public safety or sector-specific laws unrelated
to privacy or data security, but only to the extent
such laws do not directly conflict with the provisions
of this title.
(J) Provisions of laws that address public records,
criminal justice information systems, arrest records,
mug shots, conviction records, or non-conviction
records.
(K) Provisions of laws that address banking
records, financial records, tax records, Social
Security numbers, credit cards, identity theft, credit
reporting and investigations, credit repair, credit
clinics, or check-cashing services.
(L) Provisions of laws that address electronic
surveillance, wiretapping, or telephone monitoring.
(M) Provisions of laws that address unsolicited
email messages, telephone solicitation, or caller
identification.
(N) Provisions of laws that protect the privacy of
health information, healthcare information, medical
information, medical records, HIV status, or HIV
testing.
(O) Provisions of laws that address the
confidentiality of library records.
(P) Provisions of laws that address the use of
encryption as a means of providing data security.
(4) Additional preemption limitations.--Notwithstanding
paragraph (2), the provisions of this title shall preempt any
State law, rule, or regulation that provides protections for
children or teens only to the extent that such State law, rule,
or regulation conflicts with a provision of this title. Nothing
in this title shall be construed to prohibit any State from
enacting a law, rule, or regulation that provides greater
protection to children or teens than the provisions of this
title.
(b) Federal Law Preservation.--
(1) In general.--Nothing in this title or a regulation
promulgated under this title may be construed to limit--
(A) the authority of the Commission, or any other
Executive agency, under any other provision of law;
(B) any requirement for a common carrier subject to
section 64.2011 of title 47, Code of Federal
Regulations (or any successor regulation), regarding
information security breaches; or
(C) any other provision of Federal law, except as
otherwise provided in this title.
(2) Antitrust savings clause.--
(A) Antitrust laws defined.--For purposes of this
paragraph, the term ``antitrust laws''--
(i) has the meaning given such term in
subsection (a) of the first section of the
Clayton Act (15 U.S.C. 12(a)); and
(ii) includes section 5 of the Federal
Trade Commission Act (15 U.S.C. 45), to the
extent such section applies to unfair methods
of competition.
(B) Full application of the antitrust laws.--
Nothing in this title or a regulation promulgated under
this title may be construed to modify, impair,
supersede the operation of, or preclude the application
of the antitrust laws.
(3) Application of other federal privacy and data security
requirements.--
(A) In general.--To the extent that a covered
entity or service provider is required to comply with
any Federal law or regulation described in subparagraph
(B), such covered entity or service provider is not
subject to this title with respect to the activities
governed by the requirements of such law or regulation.
(B) Laws and regulations described.--The Federal
laws and regulations described in this subparagraph are
the following:
(i) Title V of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801 et seq.).
(ii) Part C of title XI of the Social
Security Act (42 U.S.C. 1320d et seq.).
(iii) Subtitle D of the Health Information
Technology for Economic and Clinical Health Act
(42 U.S.C. 17921 et seq.).
(iv) The regulations promulgated pursuant
to section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (42
U.S.C. 1320d-2 note).
(v) The requirements regarding the
confidentiality of substance use disorder
information under section 543 of the Public
Health Service Act (42 U.S.C. 290dd-2) or any
regulation promulgated under such section.
(vi) The Fair Credit Reporting Act (15
U.S.C. 1681 et seq.).
(vii) Section 444 of the General Education
Provisions Act (commonly known as the ``Family
Educational Rights and Privacy Act of 1974'')
(20 U.S.C. 1232g) and part 99 of title 34, Code
of Federal Regulations (or any successor
regulation), to the extent a covered entity or
service provider is an educational agency or
institution (as defined in such section or
section 99.3 of title 34, Code of Federal
Regulations (or any successor regulation)).
(viii) The regulations related to the
protection of human subjects under part 46 of
title 45, Code of Federal Regulations.
(x) The Health Care Quality Improvement Act
of 1986 (42 U.S.C. 11101 et seq.).
(xi) Part C of title IX of the Public
Health Service Act (42 U.S.C. 299b-21 et seq.).
(xii) Chapter 123 of title 18, United
States Code.
(C) Implementation guidance.--Not later than 1 year
after the date of the enactment of this Act, the
Commission shall issue guidance with respect to the
implementation of this paragraph.
(c) Preservation of Common Law or Statutory Causes of Action for
Civil Relief.--Nothing in this title, nor any amendment, standard,
rule, requirement, assessment, or regulation promulgated under this
title, may be construed to preempt, displace, or supplant any Federal
or State common law rights or remedies, or any State statute creating a
remedy for civil relief, including any cause of action for personal
injury, wrongful death, property damage, or other financial, physical,
reputational, or psychological injury based in negligence, strict
liability, products liability, failure to warn, an objectively
offensive intrusion into the private affairs or concerns of an
individual, or any other legal theory of liability under any Federal or
State common law, or any State statutory law, except that the fact of a
violation of this title or a regulation promulgated under this title
may not be pleaded as an element of any violation of such law.
(d) Nonapplication of Certain Provisions of Communications Act of
1934 and Telecommunications Act of 1996 Related to FCC Privacy and Data
Security Laws and Regulations.--
(1) In general.--Except as provided in paragraph (2),
sections 201, 202, 222, 338(i), and 631 of the Communications
Act of 1934 (47 U.S.C. 201; 202; 222; 338(i); 551) and section
706 of the Telecommunications Act of 1996 (47 U.S.C. 1302), and
any regulation or order issued by the Federal Communications
Commission under any such section, do not apply to any covered
entity or service provider with respect to the collection,
processing, retention, transfer, or security of covered data
(or the equivalent of such data), to the extent that such
sections or any regulation or order issued under such sections
would otherwise cover the collection, processing, retention,
transfer, or security of covered data (or the equivalent of
such data) in order to protect consumer privacy or the security
of such data, and a covered entity or service provider shall
instead be covered by the requirements of this title with
respect to the collection, processing, retention, transfer, and
security of covered data.
(2) Exceptions.--Paragraph (1) does not supersede any
authority of the Federal Communications Commission with respect
to the following:
(A) Emergency services (as defined in section 7 of
the Wireless Communications and Public Safety Act of
1999 (47 U.S.C. 615b)).
(B) Proceedings to implement section 227 of the
Communications Act of 1934 (47 U.S.C. 227) or the
Pallone-Thune Telephone Robocall Abuse Criminal
Enforcement and Deterrence Act (Public Law 116-105; 133
Stat. 3274), or any other authority used by the Federal
Communications Commission to prevent or reduce unwanted
telephone calls or text messages.
(C) An enforcement action alleging or finding a
violation of a section of the Communications Act of
1934 specified in paragraph (1), if such action was
adopted by the Federal Communications Commission prior
to the date of the enactment of this Act.
(D) Subsection (a) of section 222 of the
Communications Act of 1934 (47 U.S.C. 222), to the
extent such subsection imposes a duty on every
telecommunications carrier to protect the
confidentiality of proprietary information of, and
relating to, other telecommunications carriers and
equipment manufacturers.
(E) Subsections (b), (d), and (g) of section 222 of
the Communications Act of 1934 (47 U.S.C. 222).
(F) Any obligation of an international treaty
related to the exchange of traffic implemented and
enforced by the Federal Communications Commission.
SEC. 119. CHILDREN'S ONLINE PRIVACY PROTECTION ACT OF 1998.
Nothing in this title may be construed to relieve or change any
obligation that a covered entity or other person may have under the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et
seq.).
SEC. 120. DATA PROTECTIONS FOR COVERED MINORS.
(a) Prohibition on Targeted and First-Party Advertising to Covered
Minors.--A covered entity or service provider acting on behalf of a
covered entity may not engage in targeted advertising or first-party
advertising to an individual if the covered entity has knowledge that
the individual is a covered minor, except that a covered entity or
service provider may present or display to a covered minor
age-appropriate advertisements intended for an audience of covered minors,
if the covered entity or service provider does not use any covered data
in relation to such advertisements, other than data relating to the
status of the individual as a covered minor.
(b) Data Transfer Requirements Related to Covered Minors.--
(1) In general.--Except as provided in paragraph (2), and
notwithstanding section 102(b), a covered entity or a service
provider acting on behalf of a covered entity may not transfer
or direct a service provider to transfer the covered data of an
individual to a third party if the covered entity--
(A) has knowledge that the individual is a covered
minor; and
(B) has not obtained affirmative express consent,
unless the transfer is necessary, proportionate, and
limited to a purpose expressly permitted by paragraph
(2), (3), (4), (8), (9), (11), (12), or (13) of section
102(d).
(2) Exception.--A covered entity or service provider may
collect, process, retain, or transfer covered data of an
individual that the covered entity or service provider knows is
a covered minor in order to submit information relating to
child victimization to law enforcement or to the nonprofit,
national resource center and clearinghouse congressionally
designated to provide assistance to victims, families,
child-serving professionals, and the general public on missing and
exploited children issues.
(c) Rulemaking.--The Commission may conduct a rulemaking pursuant
to section 553 of title 5, United States Code, to establish processes
for parents and teens to exercise the rights provided in this title
with respect to covered entities and data brokers. Any such rulemaking
shall take into account--
(1) the specific needs of parents, children, and teens;
(2) how best to harmonize the processes provided for under
this title with the processes and guidance provided for under
the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.), as amended by title II of this Act, and any
regulations promulgated by the Commission thereunder; and
(3) options for reducing undue burdens on parents,
children, teens, covered entities, and data brokers.
SEC. 121. TERMINATION OF FTC RULEMAKING ON COMMERCIAL SURVEILLANCE AND
DATA SECURITY.
Beginning on the date of the enactment of this Act, the rulemaking
proposed in the advance notice of proposed rulemaking titled ``Trade
Regulation Rule on Commercial Surveillance and Data Security'' and
published on August 22, 2022 (87 Fed. Reg. 51273) shall be terminated.
SEC. 122. SEVERABILITY.
If any provision of this title, or the application thereof to any
person or circumstance, is held invalid, the remainder of this title,
and the application of such provision to other persons not similarly
situated or to other circumstances, may not be affected by the
invalidation.
SEC. 123. INNOVATION RULEMAKINGS.
The Commission may conduct a rulemaking pursuant to section 553 of
title 5, United States Code--
(1) to include other covered data in the definition of the
term ``sensitive covered data'', except that the Commission may
not expand the category of information described in section
101(49)(A)(ii); and
(2) to include in the list of permitted purposes in section
102(d) other permitted purposes for collecting, processing,
retaining, or transferring covered data.
SEC. 124. EFFECTIVE DATE.
Unless otherwise specified in this title, this title shall take
effect on the date that is 180 days after the date of the enactment of
this Act.
TITLE II--CHILDREN'S ONLINE PRIVACY PROTECTION ACT 2.0
SEC. 201. SHORT TITLE.
This title may be cited as the ``Children's Online Privacy
Protection Act 2.0''.
SEC. 202. ONLINE COLLECTION, USE, DISCLOSURE, AND DELETION OF PERSONAL
INFORMATION OF CHILDREN.
(a) Definitions.--Section 1302 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6501) is amended--
(1) by amending paragraph (2) to read as follows:
``(2) Operator.--The term `operator'--
``(A) means any person--
``(i) who, for commercial purposes, in
interstate or foreign commerce, operates or
provides a website on the internet, an online
service, an online application, or a mobile
application; and
``(ii) who--
``(I) collects or maintains, either
directly or through a service provider,
personal information from or about the
users of that website, service, or
application;
``(II) allows another person to
collect personal information directly
from users of that website, service, or
application (in which case, the
operator is deemed to have collected
the information); or
``(III) allows users of that
website, service, or application to
publicly disclose personal information
(in which case, the operator is deemed
to have collected the information); and
``(B) does not include any nonprofit entity that
would otherwise be exempt from coverage under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).'';
(2) in paragraph (4)--
(A) by amending subparagraph (A) to read as
follows:
``(A) the release of personal information collected
from a child by an operator for any purpose, except
where the personal information is provided to a person
other than an operator who--
``(i) provides support for the internal
operations of a website, online service, online
application, or mobile application (as defined
in paragraph (8)(C)) of the operator, excluding
any activity relating to targeted advertising
or first-party advertising (as such terms are
defined in section 101 of the American Privacy
Rights Act of 2024) to children; and
``(ii) does not disclose or use that
personal information for any other purpose;
and''; and
(B) in subparagraph (B)--
(i) by striking ``website or online
service'' and inserting ``website, online
service, online application, or mobile
application''; and
(ii) by striking ``actual knowledge'' and
inserting ``actual knowledge or knowledge
fairly implied on the basis of objective
circumstances'';
(3) by striking paragraph (8) and inserting the following:
``(8) Personal information.--
``(A) In general.--The term `personal information'
means individually identifiable information about an
individual collected online, including--
``(i) a first and last name;
``(ii) a home or other physical address
including street name and name of a city or
town;
``(iii) an e-mail address;
``(iv) a telephone number;
``(v) a Social Security number;
``(vi) any other identifier that the
Commission determines permits the physical or
online contacting of a specific individual;
``(vii) a persistent identifier that can be
used to recognize a specific child over time
and across different websites, online services,
online applications, or mobile applications,
including a customer number held in a cookie,
an Internet Protocol (IP) address, a processor
or device serial number, or a unique device
identifier, but excluding an identifier that is
used by an operator solely for providing
support for the internal operations of a
website, online service, online application, or
mobile application;
``(viii) a photograph, video, or audio
file, if such file contains the image or voice
of a specific child;
``(ix) geolocation information;
``(x) information generated from the
measurement or technological processing of the
biological, physical, or physiological
characteristics of an individual that is used
to identify an individual, including--
``(I) fingerprints;
``(II) voice prints;
``(III) iris or retina imagery
scans;
``(IV) facial templates;
``(V) deoxyribonucleic acid (DNA)
information; or
``(VI) gait; or
``(xi) information linked or reasonably
linkable to a child or the parents of that
child (including any unique identifier) that an
operator collects online from the child and
combines with an identifier described in this
subparagraph.
``(B) Exclusion.--The term `personal information'
does not include an audio file that contains the voice
of a child, if the operator--
``(i) does not request information via
voice that would otherwise be considered
personal information under this paragraph;
``(ii) provides, in the privacy policy of
the operator, clear notice of the collection
and use of the audio file by the operator and
the deletion policy of the operator;
``(iii) uses the voice within the audio
file solely as a replacement for written words,
to perform a task, or to engage with a website,
online service, online application, or mobile
application, such as to perform a search or
fulfill a verbal instruction or request; and
``(iv) only maintains the audio file long
enough to complete the stated purpose and then
immediately deletes the audio file and does not
make any other use of the audio file prior to
deletion.
``(C) Support for the internal operations of a
website, online service, online application, or mobile
application.--
``(i) In general.--For purposes of
subparagraph (A)(vii), the term `support for
the internal operations of a website, online
service, online application, or mobile
application' means those activities necessary
to--
``(I) maintain or analyze the
functioning of the website, online
service, online application, or mobile
application;
``(II) perform network
communications;
``(III) authenticate users of, or
personalize the content on, the
website, online service, online
application, or mobile application;
``(IV) cap the frequency of
advertising;
``(V) protect the security or
integrity of the user, website, online
service, online application, or mobile
application;
``(VI) ensure legal or regulatory
compliance; or
``(VII) fulfill a request of a
child as permitted by subparagraphs (A)
through (C) of section 1303(b)(2).
``(ii) Condition.--Except as specifically
permitted under clause (i), information
collected for the activities listed in clause
(i) may not be used or disclosed to contact a
specific individual, including through targeted
advertising or first-party advertising (as such
terms are defined in section 101 of the
American Privacy Rights Act of 2024) to
children, to amass a profile on a specific
individual, in connection with processes that
encourage or prompt use of a website, online
service, online application, or mobile
application, or for any other purpose.'';
(4) by amending paragraph (9) to read as follows:
``(9) Verifiable consent.--The term `verifiable consent'
means any reasonable effort (taking into consideration
available technology), including a request for authorization
for future collection, use, and disclosure described in the
notice, to ensure that a parent of the child--
``(A) receives direct notice of the personal
information collection, use, and disclosure practices
of the operator; and
``(B) before the personal information of the child
is collected, freely and unambiguously authorizes--
``(i) the collection, use, and disclosure,
as applicable, of that personal information;
and
``(ii) any subsequent use of that personal
information.'';
(5) in paragraph (10)--
(A) in the paragraph heading, by striking ``Website
or online service directed to children'' and inserting
``Website, online service, online application, or
mobile application directed to children'';
(B) by striking ``website or online service'' each
place it appears and inserting ``website, online
service, online application, or mobile application'';
and
(C) by adding at the end the following new
subparagraph:
``(C) Rule of construction.--In considering whether
a website, online service, online application, or
mobile application, or portion thereof, is directed to
children, the Commission shall apply a totality of
circumstances test and shall also consider competent
and reliable empirical evidence regarding audience
composition and evidence regarding the intended
audience of the website, online service, online
application, or mobile application.''; and
(6) by adding at the end the following:
``(13) Connected device.--The term `connected device' has
the meaning given such term in section 101 of the American
Privacy Rights Act of 2024.
``(14) Educational agency or institution.--The term
`educational agency or institution' means a State educational
agency or local educational agency as defined under Federal
law, as well as an institutional day or residential school,
including a public school, charter school, or private school,
that provides elementary or secondary education, as determined
under State law.
``(15) Mobile application.--The term `mobile application'
has the meaning given such term in section 101 of the American
Privacy Rights Act of 2024.
``(16) Online application.--The term `online application'
has the meaning given such term in section 101 of the American
Privacy Rights Act of 2024.
``(17) Precise geolocation information.--The term `precise
geolocation information' has the meaning given such term in
section 101 of the American Privacy Rights Act of 2024.''.
(b) Online Collection, Use, Disclosure, and Deletion of Personal
Information of Children.--Section 1303 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6502) is amended--
(1) by striking the heading and inserting the following:
``online collection, use, disclosure, and deletion of personal
information of children.'';
(2) by amending subsection (a) to read as follows:
``(a) Acts Prohibited.--It is unlawful for an operator of a
website, online service, online application, or mobile application
directed to children or for any operator of a website, online service,
online application, or mobile application with actual knowledge or
knowledge fairly implied on the basis of objective circumstances that a
user is a child--
``(1) to collect personal information from a child in a
manner that violates the American Privacy Rights Act of 2024 or
the regulations prescribed under subsection (b); or
``(2) to store or transfer the personal information of a
child outside of the United States, unless--
``(A) the operator provides direct notice to the
parent of the child that the personal information of
the child is being stored or transferred outside of the
United States; and
``(B) with respect to transfer, the operator meets
the requirements of section 102(b) of the American
Privacy Rights Act of 2024.'';
(3) in subsection (b)--
(A) in paragraph (1)--
(i) in subparagraph (A)--
(I) in the matter preceding clause
(i), by striking ``operator of any
website'' and all that follows through
``from a child'' and inserting
``operator of a website, online
service, online application, or mobile
application directed to children or
that has actual knowledge or knowledge
fairly implied on the basis of
objective circumstances that a user is
a child'';
(II) in clause (i)--
(aa) by striking ``notice
on the website'' and inserting
``clear and conspicuous notice
on the website, service, or
application''; and
(bb) by striking ``; and''
and inserting a semicolon;
(III) in clause (ii)--
(aa) by striking
``verifiable parental consent''
and inserting ``verifiable
consent''; and
(bb) by striking the
semicolon at the end and
inserting ``; and''; and
(IV) by inserting after clause (ii)
the following new clause:
``(iii) to obtain verifiable consent from a
parent of a child before using or disclosing
personal information of the child for any
purpose that is a material change from the
original purposes and disclosure practices
specified to the parent of the child under
clause (i);'';
(ii) by striking subparagraph (B);
(iii) in subparagraph (C)--
(I) by striking ``reasonably''; and
(II) by inserting ``,
proportionate, and limited'' after
``necessary'';
(iv) in subparagraph (D), by striking
``website or online service'' and inserting
``website, online service, online application,
or mobile application''; and
(v) by redesignating subparagraphs (C) and
(D) as subparagraphs (B) and (C), respectively;
(B) in paragraph (2)--
(i) in the matter preceding subparagraph
(A)--
(I) by striking ``verifiable
parental consent'' and inserting
``verifiable consent''; and
(II) by striking ``paragraph
(1)(A)(ii)'' and inserting ``clause
(ii) or (iii) of paragraph (1)(A)'';
(ii) in subparagraph (A), by inserting ``or
to contact another child'' after ``to recontact
the child'';
(iii) in subparagraph (B)--
(I) by striking ``or child''; and
(II) by striking ``parental
consent'' each place the term appears
and inserting ``verifiable consent'';
(iv) in subparagraph (D), in the matter
preceding clause (i)--
(I) by striking ``reasonably''; and
(II) by inserting ``,
proportionate, and limited'' after
``necessary''; and
(v) in subparagraph (E)--
(I) in the matter preceding clause
(i), by striking ``website or online
service'' and inserting ``website,
online service, online application, or
mobile application''; and
(II) in clause (i), by striking
``website'' and inserting ``website,
service, or application'';
(C) by redesignating paragraph (3) as paragraph (4)
and inserting after paragraph (2) the following new
paragraph:
``(3) Application to operators acting under agreements with
educational agencies or institutions.--The regulations may
provide that verifiable consent under clause (ii) or (iii) of
paragraph (1)(A) is not required for an operator that is acting
under a written agreement with an educational agency or
institution that, at a minimum, requires--
``(A) the operator to--
``(i) limit its collection, use, and
disclosure of the personal information from a
child to solely educational purposes and for no
other commercial purposes;
``(ii) provide the educational agency or
institution with a notice of the specific types
of personal information the operator will
collect from the child, the method by which the
operator will obtain the personal information,
and the purposes for which the operator will
collect, use, disclose, and retain the personal
information;
``(iii) provide the educational agency or
institution with a link to the online notice of
information practices of the operator as
required under paragraph (1)(A)(i); and
``(iv) provide the educational agency or
institution, upon request, with a means to
review the personal information collected from
a child, to prevent further use or maintenance
or future collection of personal information
from a child, and to delete personal
information collected from a child or content
or information submitted by a child to the
website, online service, online application, or
mobile application of the operator;
``(B) a representative of the educational agency or
institution to--
``(i) acknowledge and agree that the
representative has authority to authorize the
collection, use, and disclosure of personal
information from children on behalf of the
educational agency or institution; and
``(ii) provide the name of the
representative and the title of the
representative at the educational agency or
institution; and
``(C) the educational agency or institution to--
``(i) provide on the website of the
educational agency or institution a notice that
identifies the operator with which the
educational agency or institution has entered
into a written agreement under this paragraph
and a link to the online notice of information
practices of the operator as required under
paragraph (1)(A)(i);
``(ii) provide the notice of the operator
regarding the information practices of the
operator, as required under subparagraph
(A)(ii), upon request, to a parent; and
``(iii) upon the request of a parent,
request the operator provide a means to review
the personal information collected from the
child of the parent and provide the parent a
means to review the personal information.'';
(D) by amending paragraph (4), as so redesignated,
to read as follows:
``(4) Termination of service.--The regulations shall permit
the operator of a website, online service, online application,
or mobile application to terminate service provided to a child
whose parent has requested to delete covered data of the child
pursuant to section 105 of the American Privacy Rights Act of
2024.''; and
(E) by adding at the end the following new
paragraphs:
``(5) Continuation of service.--The regulations shall
prohibit an operator from discontinuing service provided to a
child on the basis of a request by the parent of the child to
delete personal information collected from the child, to the
extent that the operator is capable of providing such service
without such information.
``(6) Common verifiable consent mechanism.--
``(A) In general.--
``(i) Feasibility of mechanism.--The
Commission shall conduct an assessment, with
notice and public comment, of the feasibility
of allowing operators the option to use a
common verifiable consent mechanism that fully
meets the requirements of this title.
``(ii) Requirements.--The feasibility
assessment described in clause (i) shall
consider whether a single operator could use a
common verifiable consent mechanism to obtain
verifiable consent, as required under this
title, from a parent of a child on behalf of
multiple, listed operators that provide a joint
or related service.
``(B) Report.--Not later than 1 year after the date
of the enactment of this paragraph, the Commission
shall submit to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on
Energy and Commerce of the House of Representatives a
report with the findings of the assessment required by
subparagraph (A).
``(C) Regulations.--If the Commission finds, in the
assessment required by subparagraph (A), that the use
of a common verifiable consent mechanism is feasible
and would meet the requirements of this title, the
Commission shall issue regulations, pursuant to section
553 of title 5, United States Code, to permit the use
of a common verifiable consent mechanism in accordance
with the findings outlined in the report submitted
under subparagraph (B).'';
(4) in subsection (c), by striking ``a regulation
prescribed under subsection (a)'' and inserting ``paragraph (2)
of subsection (a), or of a regulation prescribed under
subsection (b),''; and
(5) by striking subsection (d) and inserting the following:
``(d) Relationship to State Law.--The provisions of this title
shall preempt any State law, rule, or regulation only to the extent
that such State law, rule, or regulation conflicts with a provision of
this title. Nothing in this title may be construed to prohibit any
State from enacting a law, rule, or regulation that provides greater
protection to children than the provisions of this title.''.
(c) Safe Harbors.--Section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503) is amended by adding at the end
the following:
``(d) Publication.--
``(1) In general.--Subject to the restrictions described in
paragraph (2), the Commission shall publish on the website of
the Commission any report or documentation required by
regulation to be submitted to the Commission to carry out this
section.
``(2) Restrictions on publication.--The restrictions
described in sections 6(f) and 21 of the Federal Trade
Commission Act (15 U.S.C. 46(f); 57b-2) applicable to the
disclosure of information obtained by the Commission shall
apply in the same manner to the disclosure under this
subsection of information obtained by the Commission from a
report or documentation described in paragraph (1).''.
(d) Actions by States.--Section 1305 of the Children's Online
Privacy Protection Act of 1998 (15 U.S.C. 6504) is amended--
(1) in subsection (a)(1)--
(A) in the matter preceding subparagraph (A), by
inserting ``section 1303(a) or'' before ``any
regulation''; and
(B) in subparagraph (B), by striking ``the
regulation'' and inserting ``such section or
regulation''; and
(2) in subsection (d)--
(A) by inserting ``section 1303(a) or'' before
``any regulation''; and
(B) by striking ``that regulation'' and inserting
``such section or regulation''.
(e) Administration and Applicability of Act.--Section 1306 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is
amended--
(1) in subsection (d)--
(A) by inserting ``section 1303(a) or'' before ``a
rule''; and
(B) by striking ``such rule'' and inserting
``section 1303(a) or a rule of the Commission under
section 1303''; and
(2) by adding at the end the following new subsections:
``(f) Determination of Whether an Operator Has Knowledge Fairly
Implied on the Basis of Objective Circumstances.--
``(1) Rule of construction.--For purposes of enforcing this
title or a regulation promulgated under this title, in making a
determination as to whether an operator has knowledge fairly
implied on the basis of objective circumstances that a specific
user is a child, the Commission or a State attorney general
shall rely on competent and reliable evidence, taking into
account the totality of the circumstances, including whether a
reasonable and prudent person under the circumstances would
have known that the user is a child. Nothing in this title,
including a determination described in the preceding sentence,
may be construed to require an operator to--
``(A) affirmatively collect any personal
information with respect to the age of a child that an
operator is not already collecting in the normal course
of business; or
``(B) implement an age gating or age verification
functionality.
``(2) Commission guidance.--
``(A) In general.--Not later than 180 days after
the date of the enactment of this subsection, the
Commission shall issue guidance to provide information,
including best practices and examples, for operators to
understand the process of the Commission for
determining whether an operator has knowledge fairly
implied on the basis of objective circumstances that a
user is a child.
``(B) Limitation.--No guidance issued by the
Commission under subparagraph (A) confers any rights on
any person, State, or locality, or operates to bind the
Commission or any person, State, or locality to the
approach recommended in such guidance. In any
enforcement action brought pursuant to this title, the
Commission or State attorney general, as applicable,
shall allege a specific violation of a provision of
this title, and the Commission or State attorney
general, as applicable, may not base an enforcement
action on, or execute a consent order based on,
practices that are alleged to be inconsistent with any
such guidance, unless the practices allegedly violate
this title.
``(g) Additional Requirement.--Any regulations issued under this
title shall include a description and analysis of the impact of
proposed and final rules on small entities per chapter 6 of title 5,
United States Code.''.
SEC. 203. STUDY AND REPORTS ON MOBILE AND ONLINE APPLICATION OVERSIGHT
AND ENFORCEMENT.
(a) Oversight Report.--Not later than 3 years after the date of the
enactment of this Act, the Federal Trade Commission shall submit to the
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Energy and Commerce of the House of Representatives a
report on the processes of platforms that offer mobile and online
applications for ensuring that, for those applications that are
websites, online services, online applications, or mobile applications
directed to children, the applications operate in accordance with--
(1) this title, the amendments made by this title, and any
rules promulgated under this title or the amendments made by
this title; and
(2) rules promulgated by the Commission under section 18 of
the Federal Trade Commission Act (15 U.S.C. 57a) relating to
unfair or deceptive acts or practices in marketing.
(b) Enforcement Report.--Not later than 1 year after the date of
the enactment of this Act, and annually thereafter, the Federal Trade
Commission shall submit to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on Energy and Commerce
of the House of Representatives a report that addresses, at a minimum--
(1) the number of actions brought by the Commission during
the reporting year to enforce the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6501 et seq.) and the outcome
of each such action;
(2) the total number of investigations or inquiries into
potential violations of such Act commenced during the reporting
year;
(3) the total number of open investigations or inquiries
into potential violations of such Act as of the time the report
is submitted;
(4) the number and nature of complaints received by the
Commission relating to an allegation of a violation of such Act
during the reporting year; and
(5) policy or legislative recommendations to strengthen
online protections for children.
(c) Report by the Inspector General.--
(1) In general.--Not later than 2 years after the date of
the enactment of this Act, the Inspector General of the Federal
Trade Commission shall submit to the Federal Trade Commission
and to the Committee on Commerce, Science, and Transportation
of the Senate and the Committee on Energy and Commerce of the
House of Representatives a report regarding the safe harbor
provisions in section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503), which shall include--
(A) an analysis of whether the safe harbor
provisions are--
(i) operating fairly and effectively; and
(ii) effectively protecting the interests
of children; and
(B) any proposal or recommendation for policy
changes that would improve the effectiveness of the
safe harbor provisions.
(2) Publication.--Not later than 10 days after the date on
which a report is submitted under paragraph (1), the Commission
shall publish the report on the website of the Commission.
SEC. 204. SEVERABILITY.
If any provision of this title or the amendments made by this
title, or the application thereof to any person or circumstance, is
held invalid, the remainder of this title and the amendments made by
this title, and the application of such provision to other persons not
similarly situated or to other circumstances, may not be affected by
the invalidation.