(1) - AFFIRMATIVE EXPRESS CONSENT.—
  (i) - The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used
  (ii) - The request includes a description of the act or practice for which the individual’s consent is sought and—
  (iii) - The request clearly explains the individual’s applicable rights related to consent.
  (iv) - The request shall be made in a manner readily accessible to and usable by individuals with disabilities.
  (v) - The request shall be made available to the public in each language in which the covered entity provides a product

  (i) - the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (ii) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(2) - ALGORITHM.—The term “algorithm” means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational
(3) - BIOMETRIC INFORMATION.—
  (i) - fingerprints;
  (ii) - voice prints;
  (iii) - iris or retina scans;
  (iv) - facial mapping or hand mapping, geometry, or templates; or
  (v) - gait or personally identifying physical movements.

  (i) - a digital or physical photograph;
  (ii) - an audio or video recording; or
  (iii) - data generated from a digital or physical photograph, or an audio or video recording that cannot be used to identify
(4) - COLLECT; COLLECTION.—The terms “collect” and “collection” mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any
(5) - COMMISSION.—The term “Commission” means the Federal Trade Commission.
(6) - COMMON BRANDING.—The term “common branding” means a name, service mark, or trademark that is shared by 2 or more entities.
(7) - CONTROL.—The term “control” means, with respect to an entity—
(8) - COVERED DATA.—
  (i) - de-identified data;
  (ii) - employee data;
  (iii) - publicly available information; or
  (iv) - inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect

  (i) - information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant
  (ii) - the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or
  (iii) - emergency contact information collected by an employer that relates to an employee of that employer, provided that such information is
  (iv) - information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is
(9) - COVERED ENTITY.—
  (i) - means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with
  (ii) - includes any entity or person that controls, is controlled by, or is under common control with another covered entity.

  (i) - a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State,
  (ii) - a person or an entity that is collecting, processing, or transferring covered data on behalf of or a Federal, State,

  (i) - to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and
  (ii) - to not attempt to re-identify the information with any individual or device; and

  (i) - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1
  (ii) - the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to

  (i) - personal email addresses;
  (ii) - personal telephone numbers; or
  (iii) - log-in information of an individual or device to allow the individual or device to log in to an account administered

  (i) - Federal, State, or local government records provided that the covered entity collects, processes, and transfers such information in accordance with
  (ii) - widely distributed media;
  (iii) - a website or online service made available to all members of the public, for free or for a fee, including
  (iv) - a disclosure that has been made to the general public as required by Federal, State, or local law; or
  (v) - a visual observation of an individual’s physical presence in a public place by another person, not including data collected by

  (i) - AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not
  (ii) - OTHER LIMITATIONS.—The term “publicly available information” does not include—

  (i) - A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by
  (ii) - Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition
  (iii) - A financial account number, debit card number, credit card number, or information about income level or bank account balances.
  (iv) - Biometric information.
  (v) - Genetic information.
  (vi) - Precise geolocation information.
  (vii) - An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such
  (viii) - Account or device log-in credentials, or security or access codes for an account or device.
  (ix) - Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation
  (x) - Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an
  (xi) - A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
  (xii) - Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television
  (xiii) - Information about an individual when the covered entity knows that the individual is under the age of 17.
  (xiv) - Any other covered data collected, processed, or transferred for the purpose of identifying the above data types.

  (i) - the chief consumer protection officer of a State; or
  (ii) - a State consumer protection agency with expertise in data protection.

  (i) - advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or
  (ii) - contextual advertising, which is when an advertisement is displayed based on the content or location in which the advertisement appears
  (iii) - processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.

  (i) - collects, processes, or transfers third-party data; and
  (ii) - is not a service provider with respect to such data; and

  (i) - means a covered entity whose principal source of revenue is derived from processing or transferring the covered data that the
  (ii) - does not include a covered entity in so far as such entity processes employee data collected by and received from

  (i) - more than 50 percent of all revenue of the covered entity; or
  (ii) - obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not

(a) - In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited
  (1) - provide, or maintain a specific product or service requested by the individual to whom the data pertains;
  (2) - deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the
  (3) - effect a purpose expressly permitted under subsection (b).
(b) - Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes
  (1) - To initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated
  (2) - With respect to covered data previously collected in accordance with this Act, notwithstanding this exception, to process such data as
  (3) - To authenticate users of a product or service.
  (4) - To prevent, detect, protect against, or respond to a security incident, or fulfill a product or service warranty. For purposes
  (5) - To prevent, detect, protect against or respond to fraud, harassment, or illegal activity. For the purposes of this paragraph, illegal
  (6) - To comply with a legal obligation imposed by Federal, Tribal, Local, or State law, or to establish, exercise, or defend
  (7) - To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in
  (8) - To effectuate a product recall pursuant to Federal or State law.
  (9) - (A) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—
    (i) - is in the public interest;
    (ii) - adheres to all relevant laws governing such research; and
    (iii) - adheres to the regulations for human subject research established under part 46 of title 45, Code of Federal Regulations (or
(c) - Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall
  (1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether
  (2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity; and
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.
(d) - Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive

(a) - Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—
  (1) - collect, process, or transfer a social security number, except when necessary to facilitate extensions of credit, authentication, the payment and
  (2) - collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a
  (3) - transfer an individual’s sensitive covered data to a third party, unless—
  (4) - collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the

(a) - Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures
  (1) - consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;
  (2) - identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;
  (3) - mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service
  (4) - implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable
(b) - Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall
  (1) - the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged
  (2) - the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity or service provider;
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or
  (5) - the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.
(c) - Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as

(a) - Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service
(b) - Rules Of Construction.—Nothing in subsection (a) shall be construed to—
  (1) - prohibit the relation of the price of a service or the level of service provided to an individual to the
  (2) - prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration,
  (3) - require a covered entity to provide a loyalty program that would require the covered entity to collect, process, or transfer
  (4) - prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;
  (5) - prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based

(a) - In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the
(b) - Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in
(c) - Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the

(a) - In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible
(b) - Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:
  (1) - The identity and the contact information of—
  (2) - The categories of covered data the covered entity or service provider collects or processes.
  (3) - The processing purposes for each category of covered data the covered entity or service provider collects or processes.
  (4) - Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third
  (5) - The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive
  (6) - A prominent description of how an individual can exercise the rights described in this Act.
  (7) - A general description of the covered entity’s or service provider’s data security practices.
  (8) - The effective date of the privacy policy.
  (9) - Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored
(c) - Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the
  (1) - provides a product or service that is subject to the privacy policy; or
  (2) - carries out activities related to such product or service.
(d) - Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily
(e) - Material Changes.—
  (1) - AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall
  (2) - NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to
  (3) - CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.
  (4) - LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least
(f) - Short-Form Notice To Consumers By Large Data Holders.—
  (1) - IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice
  (2) - RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data

(a) - Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide
  (1) - access—
  (2) - correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is
  (3) - delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify
  (4) - to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data,
(b) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of
  (1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(c) - Timing.—
  (1) - Subject to subsections (d) and (e)(1), each request shall be completed by any—
  (2) - A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering
(d) - Frequency And Cost Of Access.—A covered entity—
  (1) - shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
  (2) - with respect to—
(e) - Verification And Exceptions.—
  (1) - REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or
  (2) - ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is
  (3) - PERMISSIVE EXCEPTIONS.—
    (i) - require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is
    (ii) - be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing
    (iii) - require the covered entity to attempt to re-identify de-identified data;
    (iv) - result in the release of trade secrets, or other privileged, or confidential business information;
    (v) - require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;
    (vi) - interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity,
    (vii) - violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United
    (viii) - prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose
    (ix) - fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or
    (x) - with respect to requests for deletion—
(f) - Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553
  (1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether
  (2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity; and
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.
(g) - Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten

(a) - Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative
(b) - Right To Opt Out Of Covered Data Transfers.—
  (1) - IN GENERAL.—A covered entity—
  (2) - EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions
(c) - Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—
  (1) - prior to engaging in such targeted advertising and at all times thereafter, provide an individual with a clear and conspicuous
  (2) - abide by such opt-out designations by an individual; and
  (3) - allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.
(d) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of
  (1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing

(a) - Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under
(b) - Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third
(c) - Knowledge.—The knowledge requirement in subsections (a) and (b) shall not be construed to require the affirmative collection or processing of
(d) - Youth Privacy And Marketing Division.—
  (1) - ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this
  (2) - DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.
  (3) - DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—
  (4) - STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by
  (5) - REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit
  (6) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall
(e) - Report By The Inspector General.—
  (1) - IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General
    (i) - operating fairly and effectively; and
    (ii) - effectively protecting the interests of children and minors; and
  (2) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall

(a) - Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party
  (1) - notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking
  (2) - includes a link to the website established under subsection (b)(3).
(b) - Third-Party Collecting Entity Registration.—
  (1) - IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity
  (2) - REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:
    (i) - The legal name and primary physical, email, and internet addresses of the third-party collecting entity.
    (ii) - A description of the categories of data the third-party collecting entity processes and transfers.
    (iii) - The contact information of the third-party collecting entity, including a contact person, telephone number, an e-mail address, a website, and
    (iv) - Link to a website through which an individual may easily exercise the rights provided under this subsection.
  (3) - THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party
    (i) - delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly
    (ii) - ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent
(c) - Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable
  (1) - a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection,
  (2) - an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed

(a) - Civil Rights Protections.—
  (1) - IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that
  (2) - EXCEPTIONS.—This subsection shall not apply to—
    (i) - a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or
    (ii) - diversifying an applicant, participant, or customer pool; or
(b) - FTC Enforcement Assistance.—
  (1) - IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered
  (2) - ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall
  (3) - TECHNICAL ASSISTANCE.—In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance,
  (4) - COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal
(c) - Algorithm Impact And Evaluation.—
  (1) - ALGORITHM IMPACT ASSESSMENT.—
    (i) - A detailed description of the design process and methodologies of the algorithm.
    (ii) - A statement of the purpose, proposed uses, and foreseeable capabilities outside of the articulated proposed use of the algorithm.
    (iii) - A detailed description of the data used by the algorithm, including the specific categories of data that will be processed
    (iv) - A description of the outputs produced by the algorithm.
    (v) - An assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, including reasons for the
    (vi) - A detailed description of steps the large data holder has taken or will take to mitigate potential harms to individuals,
  (2) - ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this
  (3) - OTHER CONSIDERATIONS.—
    (i) - IN GENERAL.—A covered entity and a service provider—
    (ii) - TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but
  (4) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the
  (5) - RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as
  (6) - STUDY AND REPORT.—
    (i) - best practices for the assessment and evaluation of algorithms; and
    (ii) - methods to reduce the risk of harm to individuals that may be related to the use of algorithms.

    (i) - INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the
    (ii) - ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines

(a) - Establishment Of Data Security Practices.—
  (1) - IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices
  (2) - CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—
(b) - Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:
  (1) - ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained
  (2) - PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data
  (3) - EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of
  (4) - INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary
  (5) - TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.
  (6) - DESIGNATION.—Designating an officer, employee, or employees to maintain and implement such practices.
  (7) - INCIDENT RESPONSE.—Implementing procedures to detect, respond to, or recover from security incidents or breaches.
(c) - Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes
(d) - Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act

(a) - In General.—
  (1) - Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the
  (2) - EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period,
  (3) - DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to
  (4) - JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed

(a) - In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder
  (1) - internal controls reasonably designed to comply with this Act; and
  (2) - reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s
(b) - Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s
(c) - Designation Of Privacy And Data Security Officer.—
  (1) - IN GENERAL.—A covered entity and a service provider shall designate—
  (2) - REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or
  (3) - ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph
(d) - Large Data Holder Privacy Impact Assessments.—
  (1) - IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date
  (2) - ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—
    (i) - the nature of the covered data collected, processed, and transferred by the large data holder;
    (ii) - the volume of the covered data collected, processed, and transferred by the large data holder; and
    (iii) - the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the
  (3) - ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks, including substantial privacy risks, the large data holder may include

(a) - Service Providers.—A service provider—
  (1) - shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service
  (2) - shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity
  (3) - shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section
  (4) - may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after
  (5) - shall, upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the
  (6) - shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the
  (7) - shall not transfer service provider data to any person with the exception of another service provider without the affirmative express
  (8) - shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality
  (9) - shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification
(b) - Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written
  (1) - governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity
  (2) - clearly sets forth—
  (3) - does not relieve a covered entity or a service provider of an obligation under this Act; and
  (4) - prohibits—
(c) - Relationship Between Covered Entities And Service Providers.—
  (1) - Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of
  (2) - A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of
  (3) - A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not
(d) - Third Parties.—A third party—
  (1) - shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing
  (2) - for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data,
  (3) - shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same
(e) - Additional Obligations On Covered Entities.—
  (1) - IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—
  (2) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance
(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations
(b) - Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method
(1) - establish guidelines for compliance with this Act;
(2) - meet or exceed the requirements of this Act; and
(3) - be made publicly available to any individual whose covered data is collected, processed, or transferred using such technology, product, service,
(c) - Approval Process.—
(1) - IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by
(2) - EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a
(d) - Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program,
(e) - Effect On Enforcement.—
(1) - IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State
(2) - COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to
(3) - RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek
(a) - Application For Compliance Guideline Approval.—
(1) - IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a
(2) - APPLICATION REQUIREMENTS.—Such application shall include—
(3) - COMMISSION REVIEW.—
(i) - PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish
(ii) - APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—
(iii) - TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving
(i) - IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission,
(ii) - TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission
(b) - Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of
(c) - Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section
(a) - Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce
(b) - Requirements.—Each report under subsection (a) shall include the following:
(1) - A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section
(2) - A description of the common sources of digital content forgeries in the United States and commercial sources of digital content
(3) - An assessment of the uses, applications, and harms of digital content forgeries.
(4) - An analysis of the methods and standards available to identify digital content forgeries as well as a description of the
(5) - A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any
(6) - Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.
(a) - New Bureau.—
(1) - IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in
(2) - MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority
(3) - TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of
(b) - Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of
(c) - Enforcement By The Federal Trade Commission.—
(1) - UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated
(2) - POWERS OF THE COMMISSION.—
(3) - LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act
(4) - COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall
(5) - DATA PRIVACY AND SECURITY VICTIMS RELIEF FUND.—
(i) - AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be
(ii) - OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief
(a) - Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe
(1) - enjoin that act or practice;
(2) - enforce compliance with this Act or the regulation;
(3) - obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or
(4) - reasonable attorneys’ fees and other litigation costs reasonably incurred.
(b) - Rights Of The Commission.—
(1) - IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in
(2) - NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the
(c) - Actions By The Commission.—In any case in which a civil action is instituted by or on behalf of the Commission
(d) - Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy
(e) - Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting,
(1) - bring an action or other regulatory proceeding arising solely under the laws in effect in that State; or
(2) - exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the
(a) - Enforcement By Individuals.—
(1) - IN GENERAL.—Beginning 4 years after the date on which this Act takes effect, any individual who suffers an injury that
(2) - RELIEF.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—
(3) - RIGHTS OF THE COMMISSION AND STATE ATTORNEYS GENERAL.—
(i) - be heard on all matters arising in such action; and
(ii) - file petitions for appeal of a decision in such action.
(i) - Prior to the date that is 60 days after either a State attorney general or the Commission has received the
(ii) - After the Commission or attorney general of a State made the determination to independently seek civil actions against such entity
(4) - FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau
(5) - REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions
(b) - Pre-Dispute Arbitration Agreements And Pre-Dispute Joint-Action Waivers Related To Individuals Under The Age Of 18.—
(1) - ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect
(2) - JOINT-ACTION WAIVERS.—Notwithstanding any other provision of law, no agreement for pre-dispute joint-action waiver with respect to an individual under the
(3) - DEFINITIONS.—For purposes of this subsection:
(c) - Right To Cure.—
(1) - NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such
(2) - EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed
(d) - Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the
(e) - Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b),
(a) - Federal Law Preservation.—
(1) - IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—
(2) - APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15
(3) - APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act
(b) - Preemption Of State Laws.—
(1) - IN GENERAL.—No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation,
(2) - STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or
(3) - NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631
(c) - Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule,
(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section specific to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data.