(1) - AFFIRMATIVE EXPRESS CONSENT.—(i) - The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used(ii) - The request includes a description of the act or practice for which the individual’s consent is sought and—(iii) - The request clearly explains the individual’s applicable rights related to consent.(iv) - The request shall be made in a manner readily accessible to and usable by individuals with disabilities.(v) - The request shall be made available to the public in each language in which the covered entity provides a product(i) - the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(ii) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(2) - ALGORITHM.—The term “algorithm” means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational(3) - BIOMETRIC INFORMATION.—(i) - fingerprints;(ii) - voice prints;(iii) - iris or retina scans;(iv) - facial mapping or hand mapping, geometry, or templates; or(v) - gait or personally identifying physical movements.(i) - a digital or physical photograph;(ii) - an audio or video recording; or(iii) - data generated from a digital or physical photograph, or an audio or video recording that cannot be used to identify(4) - COLLECT; COLLECTION.—The terms “collect” and “collection” mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any(5) - COMMISSION.—The term “Commission” means the Federal Trade Commission.(6) - COMMON BRANDING.—The term “common branding” means a name, service mark, or trademark that is shared by 2 or more entities.(7) - CONTROL.—The term “control” means, with respect to an entity—(8) - COVERED DATA.—(i) - de-identified data;(ii) - employee data;(iii) - publicly available information; or(iv) - inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect(i) - information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant(ii) - the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or(iii) - emergency contact information collected by an employer that relates to an employee of that employer, provided that such information is(iv) - information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is(9) - COVERED ENTITY.—(i) - means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with(ii) - includes any entity or person that controls, is controlled by, or is under common control with another covered entity.(i) - a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State,(ii) - a person or an entity that is collecting, processing, or transferring covered data on behalf of or a Federal, State,(i) - to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and(ii) - to not attempt to re-identify the information with any individual or device; and(i) - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1(ii) - the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to(i) - personal email addresses;(ii) - personal telephone numbers; or(iii) - log-in information of an individual or device to allow the individual or device to log in to an account administered(i) - Federal, State, or local government records provided that the covered entity collects, processes, and transfers such information in accordance with(ii) - widely distributed media;(iii) - a website or online service made available to all members of the public, for free or for a fee, including(iv) - a disclosure that has been made to the general public as required by Federal, State, or local law; or(v) - a visual observation of an individual’s physical presence in a public place by another person, not including data collected by(i) - AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not(ii) - OTHER LIMITATIONS.—The term “publicly available information” does not include—(i) - A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by(ii) - Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition(iii) - A financial account number, debit card number, credit card number, or information about income level or bank account balances.(iv) - Biometric information.(v) - Genetic information.(vi) - Precise geolocation information.(vii) - An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such(viii) - Account or device log-in credentials, or security or access codes for an account or device.(ix) - Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation(x) - Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an(xi) - A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.(xii) - Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television(xiii) - Information about an individual when the covered entity knows that the individual is under the age of 17.(xiv) - Any other covered data collected, processed, or transferred for the purpose of identifying the above data types.(i) - the chief consumer protection officer of a State; or(ii) - a State consumer protection agency with expertise in data protection.(i) - advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or(ii) - contextual advertising, which is when an advertisement is displayed based on the content or location in which the advertisement appears(iii) - processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.(i) - collects, processes, or transfers third-party data; and(ii) - is not a service provider with respect to such data; and(i) - means a covered entity whose principal source of revenue is derived from processing or transferring the covered data that the(ii) - does not include a covered entity in so far as such entity processes employee data collected by and received from(i) - more than 50 percent of all revenue of the covered entity; or(ii) - obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not
(a) - In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited(1) - provide, or maintain a specific product or service requested by the individual to whom the data pertains;(2) - deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the(3) - effect a purpose expressly permitted under subsection (b).(b) - Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes(1) - To initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated(2) - With respect to covered data previously collected in accordance with this Act, notwithstanding this exception, to process such data as(3) - To authenticate users of a product or service.(4) - To prevent, detect, protect against, or respond to a security incident, or fulfill a product or service warranty. For purposes(5) - To prevent, detect, protect against or respond to fraud, harassment, or illegal activity. For the purposes of this paragraph, illegal(6) - To comply with a legal obligation imposed by Federal, Tribal, Local, or State law, or to establish, exercise, or defend(7) - To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in(8) - To effectuate a product recall pursuant to Federal or State law.(9) - (A) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—(i) - is in the public interest;(ii) - adheres to all relevant laws governing such research; and(iii) - adheres to the regulations for human subject research established under part 46 of title 45, Code of Federal Regulations (or(c) - Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(d) - Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive
(a) - Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—(1) - collect, process, or transfer a social security number, except when necessary to facilitate extensions of credit, authentication, the payment and(2) - collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a(3) - transfer an individual’s sensitive covered data to a third party, unless—(4) - collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the
(a) - Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures(1) - consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;(2) - identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;(3) - mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service(4) - implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable(b) - Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall(1) - the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged(2) - the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;(3) - the volume of covered data collected, processed, or transferred by the covered entity or service provider;(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or(5) - the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.(c) - Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as
(a) - Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service(b) - Rules Of Construction.—Nothing in subsection (a) shall be construed to—(1) - prohibit the relation of the price of a service or the level of service provided to an individual to the(2) - prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration,(3) - require a covered entity to provide a loyalty program that would require the covered entity to collect, process, or transfer(4) - prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;(5) - prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based
(a) - In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the(b) - Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in(c) - Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the
(a) - In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible(b) - Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:(1) - The identity and the contact information of—(2) - The categories of covered data the covered entity or service provider collects or processes.(3) - The processing purposes for each category of covered data the covered entity or service provider collects or processes.(4) - Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third(5) - The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive(6) - A prominent description of how an individual can exercise the rights described in this Act.(7) - A general description of the covered entity’s or service provider’s data security practices.(8) - The effective date of the privacy policy.(9) - Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored(c) - Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the(1) - provides a product or service that is subject to the privacy policy; or(2) - carries out activities related to such product or service.(d) - Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily(e) - Material Changes.—(1) - AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall(2) - NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to(3) - CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.(4) - LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least(f) - Short-Form Notice To Consumers By Large Data Holders.—(1) - IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice(2) - RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data
(a) - Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide(1) - access—(2) - correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is(3) - delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify(4) - to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data,(b) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(c) - Timing.—(1) - Subject to subsections (d) and (e)(1) each request shall be completed by any—(2) - A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering(d) - Frequency And Cost Of Access.—A covered entity—(1) - shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and(2) - with respect to—(e) - Verification And Exceptions.—(1) - REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or(2) - ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is(3) - PERMISSIVE EXCEPTIONS.—(i) - require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is(ii) - be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing(iii) - require the covered entity to attempt to re-identify de-identified data;(iv) - result in the release of trade secrets, or other privileged, or confidential business information;(v) - require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;(vi) - interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity,(vii) - violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United(viii) - prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose(ix) - fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or(x) - with respect to requests for deletion—(f) - Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(g) - Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten
(a) - Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative(b) - Right To Opt Out Of Covered Data Transfers.—(1) - IN GENERAL.—A covered entity—(2) - EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions(c) - Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—(1) - prior to engaging in such targeted advertising and at all times thereafter, provide an individual with a clear and conspicuous(2) - abide by such opt-out designations by an individual; and(3) - allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.(d) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(a) - Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under(b) - Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third(c) - Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of(d) - Youth Privacy And Marketing Division.—(1) - ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this(2) - DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.(3) - DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—(4) - STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by(5) - REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit(6) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall(e) - Report By The Inspector General.—(1) - IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General(i) - operating fairly and effectively; and(ii) - effectively protecting the interests of children and minors; and(2) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall
(a) - Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party(1) - notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking(2) - includes a link to the website established under subsection (b)(3).(b) - Third-Party Collecting Entity Registration.—(1) - IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity(2) - REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:(i) - The legal name and primary physical, email, and internet addresses of the third-party collecting entity.(ii) - A description of the categories of data the third-party collecting entity processes and transfers.(iii) - The contact information of the third-party collecting entity, including a contact person, telephone number, an e-mail address, a website, and(iv) - Link to a website through which an individual may easily exercise the rights provided under this subsection.(3) - THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party(i) - delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly(ii) - ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent(c) - Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable(1) - a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection,(2) - an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed
(a) - Civil Rights Protections.—(1) - IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that(2) - EXCEPTIONS.—This subsection shall not apply to—(i) - a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or(ii) - diversifying an applicant, participant, or customer pool; or(b) - FTC Enforcement Assistance.—(1) - IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered(2) - ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall(3) - TECHNICAL ASSISTANCE.—In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance,(4) - COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal(c) - Algorithm Impact And Evaluation.—(1) - ALGORITHM IMPACT ASSESSMENT.—(i) - A detailed description of the design process and methodologies of the algorithm.(ii) - A statement of the purpose, proposed uses, and foreseeable capabilities outside of the articulated proposed use of the algorithm.(iii) - A detailed description of the data used by the algorithm, including the specific categories of data that will be processed(iv) - A description of the outputs produced by the algorithm.(v) - An assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, including reasons for the(vi) - A detailed description of steps the large data holder has taken or will take to mitigate potential harms to individuals,(2) - ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this(3) - OTHER CONSIDERATIONS.—(i) - IN GENERAL.—A covered entity and a service provider—(ii) - TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but(4) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the(5) - RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as(6) - STUDY AND REPORT.—(i) - best practices for the assessment and evaluation of algorithms; and(ii) - methods to reduce the risk of harm to individuals that may be related to the use of algorithms.(i) - INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the(ii) - ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines
(a) - Establishment Of Data Security Practices.—(1) - IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices(2) - CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—(b) - Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:(1) - ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained(2) - PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data(3) - EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of(4) - INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary(5) - TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.(6) - DESIGNATION.—Designating an officer, employee, or employees to maintain and implement such practices.(7) - INCIDENT RESPONSE.—Implementing procedures to detect, respond to, or recover from security incidents or breaches.(c) - Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes(d) - Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act
(a) - In General.—(1) - Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the(2) - EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period,(3) - DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to(4) - JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed
(a) - In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder(1) - internal controls reasonably designed to comply with this Act; and(2) - reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s(b) - Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s(c) - Designation Of Privacy And Data Security Officer.—(1) - IN GENERAL.—A covered entity and a service provider shall designate—(2) - REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or(3) - ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph(d) - Large Data Holder Privacy Impact Assessments.—(1) - IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date(2) - ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—(i) - the nature of the covered data collected, processed, and transferred by the large data holder;(ii) - the volume of the covered data collected, processed, and transferred by the large data holder; and(iii) - the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the(3) - ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks, including substantial privacy risks, the large data holder may include
(a) - Service Providers.—A service provider—(1) - shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service(2) - shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity(3) - shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section(4) - may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after(5) - shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the(6) - shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the(7) - shall not transfer service provider data to any person with the exception of another service provider without the affirmative express(8) - shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality(9) - shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification(b) - Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written(1) - governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity(2) - clearly sets forth—(3) - does not relieve a covered entity or a service provider of an obligation under this Act; and(4) - prohibits—(c) - Relationship Between Covered Entities And Service Providers.—(1) - Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of(2) - A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of(3) - A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not(d) - Third Parties.—A third party—(1) - shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing(2) - for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data,(3) - shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same(e) - Additional Obligations On Covered Entities.—(1) - IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—(2) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance
(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations(b) - Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method(1) - establish guidelines for compliance with this Act;(2) - meet or exceed the requirements of this Act; and(3) - be made publicly available to any individual whose covered data is collected, processed, or transferred using such technology, product, service,(c) - Approval Process.—(1) - IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by(2) - EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a(d) - Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program,(e) - Effect On Enforcement.—(1) - IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State(2) - COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to(3) - RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek
(a) - Application For Compliance Guideline Approval.—(1) - IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a(2) - APPLICATION REQUIREMENTS.—Such application shall include—(3) - COMMISSION REVIEW.—(i) - PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish(ii) - APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—(iii) - TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving(i) - IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission,(ii) - TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission(b) - Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of(c) - Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section
(a) - Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce(b) - Requirements.—Each report under subsection (a) shall include the following:(1) - A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section(2) - A description of the common sources of digital content forgeries in the United States and commercial sources of digital content(3) - An assessment of the uses, applications, and harms of digital content forgeries.(4) - An analysis of the methods and standards available to identify digital content forgeries as well as a description of the(5) - A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any(6) - Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.
(a) - New Bureau.—(1) - IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in(2) - MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority(3) - TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of(b) - Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of(c) - Enforcement By The Federal Trade Commission.—(1) - UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated(2) - POWERS OF THE COMMISSION.—(3) - LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act(4) - COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall(5) - DATA PRIVACY AND SECURITY VICTIMS RELIEF FUND.—(i) - AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be(ii) - OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief
(a) - Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe(1) - enjoin that act or practice;(2) - enforce compliance with this Act or the regulation;(3) - obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or(4) - reasonable attorneys’ fees and other litigation costs reasonably incurred.(b) - Rights Of The Commission.—(1) - IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in(2) - NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the(c) - Actions By The Commission.—In any case in which a civil action is instituted by or on behalf of the Commission(d) - Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy(e) - Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting,(1) - bring an action or other regulatory proceeding arising solely under the laws in effect in that State; or(2) - exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the
(a) - Enforcement By Individuals.—(1) - IN GENERAL.—Beginning 4 years after the date on which this Act takes effect, any individual who suffers an injury that(2) - RELIEF.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—(3) - RIGHTS OF THE COMMISSION AND STATE ATTORNEYS GENERAL.—(i) - be heard on all matters arising in such action; and(ii) - file petitions for appeal of a decision in such action.(i) - Prior to the date that is 60 days after either a State attorney general or the Commission has received the(ii) - After the Commission or attorney general of a State made the determination to independently seek civil actions against such entity(4) - FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau(5) - REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions(b) - Pre-Dispute Arbitration Agreements And Pre-Dispute Joint-Action Waivers Related To Individuals Under The Age Of 18.—(1) - ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect(2) - JOINT-ACTION WAIVERS.—Notwithstanding any other provision of law, no agreement for pre-dispute joint-action waiver with respect to an individual under the(3) - DEFINITIONS.—For purposes of this subsection:(c) - Right To Cure.—(1) - NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such(2) - EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed(d) - Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the(e) - Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b),
(a) - Federal Law Preservation.—(1) - IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—(2) - APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15(3) - APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act(b) - Preemption Of State Laws.—(1) - IN GENERAL.—No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation,(2) - STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or(3) - NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631(c) - Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule,
(5)
RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as necessary to establish processes by which a large data holder—
(A) shall submit an impact assessment to the Commission under paragraph (3)(C)(i)(I); and
(B) may exclude from this subsection any algorithm that presents low or minimal risk for potential for harms to individuals (as identified under paragraph (1)(B)).