Text: S.2728 — 115th Congress (2017-2018)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in Senate (04/23/2018)


115th CONGRESS
2d Session
S. 2728


To protect the privacy of users of social media and other online platforms.


IN THE SENATE OF THE UNITED STATES

April 23, 2018

Ms. Klobuchar (for herself and Mr. Kennedy) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation


A BILL

To protect the privacy of users of social media and other online platforms.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Social Media Privacy Protection and Consumer Rights Act of 2018”.

SEC. 2. Definitions.

In this Act—

(1) the term “Commission” means the Federal Trade Commission;

(2) the term “covered online platform” means an online platform that collects personal data during the online behavior of a user of the online platform;

(3) the term “geolocation information” means, with respect to an individual, any information that is not the content of a communication, concerning the location of a wireless communication device that—

(A) in whole or in part, is generated by or derived from the operation of that device; and

(B) could be used to determine or infer information regarding the location of the individual;

(4) the term “online platform”—

(A) means any public-facing website, web application, or digital application (including a mobile application); and

(B) includes a social network, an ad network, a mobile operating system, a search engine, an email service, or an Internet access service;

(5) the term “operator” has the meaning given the term in section 1302 of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501); and

(6) the term “personal data” means individually identifiable information about an individual collected online, including—

(A) location information sufficient to identify the name of a street and a city or town, including a physical address;

(B) an e-mail address;

(C) a telephone number;

(D) a government identifier, such as a Social Security number;

(E) geolocation information;

(F) the content of a message;

(G) protected health information, as defined in section 160.103 of title 45, Code of Federal Regulations, or any successor regulation; and

(H) nonpublic personal information, as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809).

SEC. 3. Privacy protections.

(a) Transparency and terms of service.—

(1) DISCLOSURE AND OBTAINING INITIAL CONSENT AND PRIVACY PREFERENCES.—

(A) IN GENERAL.—Before a user creates an account with, or otherwise begins to use, a covered online platform, the operator of the online platform shall—

(i) inform the user that, unless the user makes an election under clause (ii)(II), personal data of the user produced during the online behavior of the user, whether on the online platform or otherwise, will be collected and used by the operator and third parties; and

(ii) provide the user the option to specify the privacy preferences of the user, including by—

(I) agreeing to the terms of service for use of the online platform, including, except as provided in subclause (II), the collection and use of personal data described in clause (i); and

(II) prohibiting, if the user so elects, the collection and use of personal data described in clause (i), subject to subparagraph (B).

(B) CONSEQUENCE OF PROHIBITION OF DATA COLLECTION.—If the election of a user under subparagraph (A)(ii)(II) creates inoperability in the online platform, the operator of the online platform may deny certain services or completely deny access to the user.

(C) FORM OF DISCLOSURE.—An operator of a covered online platform shall provide a user of the online platform with the terms of service for use of the online platform, including the collection and use of personal data described in subparagraph (A)(i), in a form that—

(i) is—

(I) easily accessible;

(II) of reasonable length; and

(III) clearly distinguishable from other matters; and

(ii) uses language that is clear, concise, and well organized, and follows other best practices appropriate to the subject and intended audience.

(D) PRIVACY OR SECURITY PROGRAM.—An operator of a covered online platform shall—

(i) establish and maintain a privacy or security program for the online platform; and

(ii) publish a description of the privacy or security program that—

(I) details how the operator will use the personal data of a user of the online platform, including requirements for how the operator will address privacy risks associated with the development of new products and services; and

(II) includes details of the access that employees and contractors of the operator have to the personal data of a user of the online platform, and internal policies for the use of that personal data.

(2) NEW PRODUCTS; CHANGES TO PRIVACY OR SECURITY PROGRAM.—An operator of a covered online platform may not introduce a new product, or implement any material change to the privacy or security program of the online platform that overrides the privacy preferences of a user of the online platform, as specified under paragraph (1)(A)(ii), unless the operator has—

(A) informed the user that the new product or change will result in the collection and use of personal data described in paragraph (1)(A)(i), if that is the case;

(B) provided the user the option under paragraph (1)(A)(ii); and

(C) obtained affirmative express consent from the user to the introduction of the new product or the implementation of the change.

(3) WITHDRAWAL OF CONSENT.—An operator of a covered online platform shall ensure that—

(A) a user of the online platform is able to withdraw consent to the terms of service for use of the online platform, including the collection and use of personal data described in paragraph (1)(A)(i), as easily as the user is able to give such consent; and

(B) except as otherwise required by law, no person is able to access the personal data of a user of the online platform later than 30 days after the date on which the user closes his or her account or otherwise terminates his or her use of the online platform.

(b) Right to access.—An operator of a covered online platform shall offer a user of the online platform a copy of the personal data of the user that the operator has processed, free of charge and in an electronic and easily accessible format, including a list of each person that received the personal data from the operator for business purposes, whether through sale or other means.

(c) Violations of privacy.—

(1) IN GENERAL.—Not later than 72 hours after an operator of a covered online platform becomes aware that the personal data of a user of the online platform has been transmitted in violation of the privacy or security program of the online platform, including the privacy preferences specified by the user under subsection (a)(1)(A)(ii), the operator shall—

(A) notify the user of the transmission;

(B) offer the user the option to elect to prohibit the operator from collecting and using the personal data of the user, subject to paragraph (2);

(C) except as provided in paragraph (3), offer the user the option to have the operator—

(i) erase all personal data of the user tracked by the operator; and

(ii) cease further dissemination of personal data of the user tracked by the operator;

(D) offer the user a copy of the personal data of the user that the operator has processed, free of charge and in an electronic and easily accessible format, including a list of each person that received the personal data from the operator, whether through sale or other means; and

(E) offer the user the option to close his or her account or otherwise terminate his or her use of the online platform.

(2) CONSEQUENCE OF PROHIBITION OF DATA COLLECTION.—If the election of a user under paragraph (1)(B) creates inoperability in the online platform, the operator of the online platform may deny certain services or completely deny access to the user.

(3) PUBLIC SAFETY EXCEPTION.—If the operator of a covered online platform, in good faith, believes that an emergency involving danger of death or serious physical injury to any individual requires disclosure without delay of specific personal data of a user of the online platform that relates to the emergency, the operator shall—

(A) retain the specific personal data; and

(B) notify the proper authorities.

(d) Compliance.—Not less frequently than once every 2 years, the operator of a covered online platform shall audit the privacy or security program of the online platform.

(e) Safe harbor.—Subsections (a), (b), and (c) shall not apply with respect to the development of privacy-enhancing technology by an operator of an online platform.

SEC. 4. Enforcement.

(a) Enforcement by Commission.—

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of section 3 shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2) POWERS OF COMMISSION.—

(A) IN GENERAL.—Except as provided in subparagraph (C), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

(B) PRIVILEGES AND IMMUNITIES.—Except as provided in subparagraph (C), any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(C) COMMON CARRIERS AND NONPROFIT ORGANIZATIONS.—Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in subparagraphs (A) and (B) of this paragraph, with respect to—

(i) common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto; and

(ii) organizations not organized to carry on business for their own profit or that of their members.

(D) AUTHORITY PRESERVED.—Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

(b) Enforcement by States.—

(1) AUTHORIZATION.—Subject to paragraph (2), in any case in which the attorney general of a State has reason to believe, based on a legitimate consumer complaint, that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of any person subject to section 3 in a practice that violates that section, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.

(2) RIGHTS OF FEDERAL TRADE COMMISSION.—

(A) NOTICE TO FEDERAL TRADE COMMISSION.—

(i) IN GENERAL.—Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action against a person described in subsection (a)(1).

(ii) CONTENTS.—The notification required by clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.

(iii) EXCEPTION.—If it is not feasible for the attorney general of a State to provide the notification required by clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.

(B) INTERVENTION BY FEDERAL TRADE COMMISSION.—The Commission may—

(i) intervene in any civil action brought by the attorney general of a State under paragraph (1) against a person described in subsection (a)(1); and

(ii) upon intervening—

(I) be heard on all matters arising in the civil action; and

(II) file petitions for appeal of a decision in the civil action.

(3) INVESTIGATORY POWERS.—Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.

(4) ACTION BY FEDERAL TRADE COMMISSION.—If the Federal Trade Commission institutes a civil action or an administrative action with respect to a violation of section 3, the attorney general of a State may not, during the pendency of the action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted such action.

(5) VENUE; SERVICE OF PROCESS.—

(A) VENUE.—Any action brought under paragraph (1) may be brought in—

(i) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or

(ii) another court of competent jurisdiction.

(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—

(i) is an inhabitant; or

(ii) may be found.

(6) ACTIONS BY OTHER STATE OFFICIALS.—

(A) IN GENERAL.—In addition to civil actions brought by attorneys general under paragraph (1), any other consumer protection officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.

(B) SAVINGS PROVISION.—Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.

SEC. 5. Effective date.

(a) In general.—This Act shall take effect 180 days after the date of enactment of this Act.

(b) Applicability to existing users of online platforms.—An individual who becomes a user of a covered online platform before the effective date under subsection (a) shall be treated as if he or she had become a user of the online platform on that effective date.

(c) No retroactive applicability.—This Act shall not apply to any conduct that occurred before the effective date under subsection (a).