(1) - AFFIRMATIVE EXPRESS CONSENT.—(i) - The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used(ii) - The request includes a description of the act or practice for which the individual’s consent is sought and—(iii) - The request clearly explains the individual’s applicable rights related to consent.(iv) - The request shall be made in a manner readily accessible to and usable by individuals with disabilities.(v) - The request shall be made available to the public in each language in which the covered entity provides a product(i) - the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(ii) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(2) - ALGORITHM.—The term “algorithm” means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational(3) - BIOMETRIC INFORMATION.—(i) - fingerprints;(ii) - voice prints;(iii) - iris or retina scans;(iv) - facial mapping or hand mapping, geometry, or templates; or(v) - gait or personally identifying physical movements.(i) - a digital or physical photograph;(ii) - an audio or video recording; or(iii) - data generated from a digital or physical photograph, or an audio or video recording that cannot be used to identify(4) - COLLECT; COLLECTION.—The terms “collect” and “collection” mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any(5) - COMMISSION.—The term “Commission” means the Federal Trade Commission.(6) - COMMON BRANDING.—The term “common branding” means a name, service mark, or trademark that is shared by 2 or more entities.(7) - CONTROL.—The term “control” means, with respect to an entity—(8) - COVERED DATA.—(i) - de-identified data;(ii) - employee data;(iii) - publicly available information; or(iv) - inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect(i) - information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant(ii) - the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or(iii) - emergency contact information collected by an employer that relates to an employee of that employer, provided that such information is(iv) - information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is(9) - COVERED ENTITY.—(i) - means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with(ii) - includes any entity or person that controls, is controlled by, or is under common control with another covered entity.(i) - a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State,(ii) - a person or an entity that is collecting, processing, or transferring covered data on behalf of or a Federal, State,(i) - to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and(ii) - to not attempt to re-identify the information with any individual or device; and(i) - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1(ii) - the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to(i) - personal email addresses;(ii) - personal telephone numbers; or(iii) - log-in information of an individual or device to allow the individual or device to log in to an account administered(i) - Federal, State, or local government records provided that the covered entity collects, processes, and transfers such information in accordance with(ii) - widely distributed media;(iii) - a website or online service made available to all members of the public, for free or for a fee, including(iv) - a disclosure that has been made to the general public as required by Federal, State, or local law; or(v) - a visual observation of an individual’s physical presence in a public place by another person, not including data collected by(i) - AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not(ii) - OTHER LIMITATIONS.—The term “publicly available information” does not include—(i) - A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by(ii) - Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition(iii) - A financial account number, debit card number, credit card number, or information about income level or bank account balances.(iv) - Biometric information.(v) - Genetic information.(vi) - Precise geolocation information.(vii) - An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such(viii) - Account or device log-in credentials, or security or access codes for an account or device.(ix) - Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation(x) - Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an(xi) - A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.(xii) - Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television(xiii) - Information about an individual when the covered entity knows that the individual is under the age of 17.(xiv) - Any other covered data collected, processed, or transferred for the purpose of identifying the above data types.(i) - the chief consumer protection officer of a State; or(ii) - a State consumer protection agency with expertise in data protection.(i) - advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or(ii) - contextual advertising, which is when an advertisement is displayed based on the content or location in which the advertisement appears(iii) - processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.(i) - collects, processes, or transfers third-party data; and(ii) - is not a service provider with respect to such data; and(i) - means a covered entity whose principal source of revenue is derived from processing or transferring the covered data that the(ii) - does not include a covered entity in so far as such entity processes employee data collected by and received from(i) - more than 50 percent of all revenue of the covered entity; or(ii) - obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not
(a) - In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited(1) - provide, or maintain a specific product or service requested by the individual to whom the data pertains;(2) - deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the(3) - effect a purpose expressly permitted under subsection (b).(b) - Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes(1) - To initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated(2) - With respect to covered data previously collected in accordance with this Act, notwithstanding this exception, to process such data as(3) - To authenticate users of a product or service.(4) - To prevent, detect, protect against, or respond to a security incident, or fulfill a product or service warranty. For purposes(5) - To prevent, detect, protect against or respond to fraud, harassment, or illegal activity. For the purposes of this paragraph, illegal(6) - To comply with a legal obligation imposed by Federal, Tribal, Local, or State law, or to establish, exercise, or defend(7) - To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in(8) - To effectuate a product recall pursuant to Federal or State law.(9) - (A) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—(i) - is in the public interest;(ii) - adheres to all relevant laws governing such research; and(iii) - adheres to the regulations for human subject research established under part 46 of title 45, Code of Federal Regulations (or(c) - Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(d) - Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive
(a) - Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—(1) - collect, process, or transfer a social security number, except when necessary to facilitate extensions of credit, authentication, the payment and(2) - collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a(3) - transfer an individual’s sensitive covered data to a third party, unless—(4) - collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the
(a) - Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures(1) - consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;(2) - identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;(3) - mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service(4) - implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable(b) - Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall(1) - the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged(2) - the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;(3) - the volume of covered data collected, processed, or transferred by the covered entity or service provider;(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or(5) - the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.(c) - Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as
(a) - Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service(b) - Rules Of Construction.—Nothing in subsection (a) shall be construed to—(1) - prohibit the relation of the price of a service or the level of service provided to an individual to the(2) - prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration,(3) - require a covered entity to provide a loyalty program that would require the covered entity to collect, process, or transfer(4) - prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;(5) - prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based
(a) - In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the(b) - Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in(c) - Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the
(a) - In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible(b) - Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:(1) - The identity and the contact information of—(2) - The categories of covered data the covered entity or service provider collects or processes.(3) - The processing purposes for each category of covered data the covered entity or service provider collects or processes.(4) - Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third(5) - The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive(6) - A prominent description of how an individual can exercise the rights described in this Act.(7) - A general description of the covered entity’s or service provider’s data security practices.(8) - The effective date of the privacy policy.(9) - Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored(c) - Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the(1) - provides a product or service that is subject to the privacy policy; or(2) - carries out activities related to such product or service.(d) - Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily(e) - Material Changes.—(1) - AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall(2) - NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to(3) - CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.(4) - LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least(f) - Short-Form Notice To Consumers By Large Data Holders.—(1) - IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice(2) - RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data
(a) - Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide(1) - access—(2) - correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is(3) - delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify(4) - to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data,(b) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(c) - Timing.—(1) - Subject to subsections (d) and (e)(1) each request shall be completed by any—(2) - A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering(d) - Frequency And Cost Of Access.—A covered entity—(1) - shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and(2) - with respect to—(e) - Verification And Exceptions.—(1) - REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or(2) - ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is(3) - PERMISSIVE EXCEPTIONS.—(i) - require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is(ii) - be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing(iii) - require the covered entity to attempt to re-identify de-identified data;(iv) - result in the release of trade secrets, or other privileged, or confidential business information;(v) - require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;(vi) - interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity,(vii) - violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United(viii) - prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose(ix) - fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or(x) - with respect to requests for deletion—(f) - Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(g) - Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten
(a) - Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative(b) - Right To Opt Out Of Covered Data Transfers.—(1) - IN GENERAL.—A covered entity—(2) - EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions(c) - Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—(1) - prior to engaging in such targeted advertising and at all times thereafter, provide an individual with a clear and conspicuous(2) - abide by such opt-out designations by an individual; and(3) - allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.(d) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(a) - Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under(b) - Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third(c) - Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of(d) - Youth Privacy And Marketing Division.—(1) - ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this(2) - DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.(3) - DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—(4) - STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by(5) - REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit(6) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall(e) - Report By The Inspector General.—(1) - IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General(i) - operating fairly and effectively; and(ii) - effectively protecting the interests of children and minors; and(2) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall
(a) - Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party(1) - notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking(2) - includes a link to the website established under subsection (b)(3).(b) - Third-Party Collecting Entity Registration.—(1) - IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity(2) - REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:(i) - The legal name and primary physical, email, and internet addresses of the third-party collecting entity.(ii) - A description of the categories of data the third-party collecting entity processes and transfers.(iii) - The contact information of the third-party collecting entity, including a contact person, telephone number, an e-mail address, a website, and(iv) - Link to a website through which an individual may easily exercise the rights provided under this subsection.(3) - THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party(i) - delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly(ii) - ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent(c) - Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable(1) - a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection,(2) - an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed
(a) - Civil Rights Protections.—(1) - IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that(2) - EXCEPTIONS.—This subsection shall not apply to—(i) - a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or(ii) - diversifying an applicant, participant, or customer pool; or(b) - FTC Enforcement Assistance.—(1) - IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered(2) - ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall(3) - TECHNICAL ASSISTANCE.—In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance,(4) - COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal(c) - Algorithm Impact And Evaluation.—(1) - ALGORITHM IMPACT ASSESSMENT.—(i) - A detailed description of the design process and methodologies of the algorithm.(ii) - A statement of the purpose, proposed uses, and foreseeable capabilities outside of the articulated proposed use of the algorithm.(iii) - A detailed description of the data used by the algorithm, including the specific categories of data that will be processed(iv) - A description of the outputs produced by the algorithm.(v) - An assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, including reasons for the(vi) - A detailed description of steps the large data holder has taken or will take to mitigate potential harms to individuals,(2) - ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this(3) - OTHER CONSIDERATIONS.—(i) - IN GENERAL.—A covered entity and a service provider—(ii) - TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but(4) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the(5) - RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as(6) - STUDY AND REPORT.—(i) - best practices for the assessment and evaluation of algorithms; and(ii) - methods to reduce the risk of harm to individuals that may be related to the use of algorithms.(i) - INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the(ii) - ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines
(a) - Establishment Of Data Security Practices.—(1) - IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices(2) - CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—(b) - Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:(1) - ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained(2) - PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data(3) - EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of(4) - INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary(5) - TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.(6) - DESIGNATION.—Designating an officer, employee, or employees to maintain and implement such practices.(7) - INCIDENT RESPONSE.—Implementing procedures to detect, respond to, or recover from security incidents or breaches.(c) - Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes(d) - Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act
(a) - In General.—(1) - Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the(2) - EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period,(3) - DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to(4) - JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed
(a) - In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder(1) - internal controls reasonably designed to comply with this Act; and(2) - reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s(b) - Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s(c) - Designation Of Privacy And Data Security Officer.—(1) - IN GENERAL.—A covered entity and a service provider shall designate—(2) - REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or(3) - ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph(d) - Large Data Holder Privacy Impact Assessments.—(1) - IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date(2) - ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—(i) - the nature of the covered data collected, processed, and transferred by the large data holder;(ii) - the volume of the covered data collected, processed, and transferred by the large data holder; and(iii) - the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the(3) - ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks, including substantial privacy risks, the large data holder may include
(a) - Service Providers.—A service provider—(1) - shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service(2) - shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity(3) - shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section(4) - may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after(5) - shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the(6) - shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the(7) - shall not transfer service provider data to any person with the exception of another service provider without the affirmative express(8) - shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality(9) - shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification(b) - Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written(1) - governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity(2) - clearly sets forth—(3) - does not relieve a covered entity or a service provider of an obligation under this Act; and(4) - prohibits—(c) - Relationship Between Covered Entities And Service Providers.—(1) - Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of(2) - A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of(3) - A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not(d) - Third Parties.—A third party—(1) - shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing(2) - for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data,(3) - shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same(e) - Additional Obligations On Covered Entities.—(1) - IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—(2) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance
(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations(b) - Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method(1) - establish guidelines for compliance with this Act;(2) - meet or exceed the requirements of this Act; and(3) - be made publicly available to any individual whose covered data is collected, processed, or transferred using such technology, product, service,(c) - Approval Process.—(1) - IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by(2) - EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a(d) - Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program,(e) - Effect On Enforcement.—(1) - IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State(2) - COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to(3) - RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek
(a) - Application For Compliance Guideline Approval.—(1) - IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a(2) - APPLICATION REQUIREMENTS.—Such application shall include—(3) - COMMISSION REVIEW.—(i) - PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish(ii) - APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—(iii) - TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving(i) - IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission,(ii) - TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission(b) - Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of(c) - Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section
(a) - Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce(b) - Requirements.—Each report under subsection (a) shall include the following:(1) - A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section(2) - A description of the common sources of digital content forgeries in the United States and commercial sources of digital content(3) - An assessment of the uses, applications, and harms of digital content forgeries.(4) - An analysis of the methods and standards available to identify digital content forgeries as well as a description of the(5) - A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any(6) - Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.
(a) - New Bureau.—(1) - IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in(2) - MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority(3) - TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of(b) - Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of(c) - Enforcement By The Federal Trade Commission.—(1) - UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated(2) - POWERS OF THE COMMISSION.—(3) - LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act(4) - COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall(5) - DATA PRIVACY AND SECURITY VICTIMS RELIEF FUND.—(i) - AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be(ii) - OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief
(a) - Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe(1) - enjoin that act or practice;(2) - enforce compliance with this Act or the regulation;(3) - obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or(4) - reasonable attorneys’ fees and other litigation costs reasonably incurred.(b) - Rights Of The Commission.—(1) - IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in(2) - NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the(c) - Actions By The Commission.—In any case in which a civil action is instituted by or on behalf of the Commission(d) - Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy(e) - Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting,(1) - bring an action or other regulatory proceeding arising solely under the laws in effect in that State; or(2) - exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the
(a) - Enforcement By Individuals.—(1) - IN GENERAL.—Beginning 4 years after the date on which this Act takes effect, any individual who suffers an injury that(2) - RELIEF.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—(3) - RIGHTS OF THE COMMISSION AND STATE ATTORNEYS GENERAL.—(i) - be heard on all matters arising in such action; and(ii) - file petitions for appeal of a decision in such action.(i) - Prior to the date that is 60 days after either a State attorney general or the Commission has received the(ii) - After the Commission or attorney general of a State made the determination to independently seek civil actions against such entity(4) - FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau(5) - REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions(b) - Pre-Dispute Arbitration Agreements And Pre-Dispute Joint-Action Waivers Related To Individuals Under The Age Of 18.—(1) - ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect(2) - JOINT-ACTION WAIVERS.—Notwithstanding any other provision of law, no agreement for pre-dispute joint-action waiver with respect to an individual under the(3) - DEFINITIONS.—For purposes of this subsection:(c) - Right To Cure.—(1) - NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such(2) - EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed(d) - Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the(e) - Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b),
(a) - Federal Law Preservation.—(1) - IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—(2) - APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15(3) - APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act(b) - Preemption Of State Laws.—(1) - IN GENERAL.—No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation,(2) - STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or(3) - NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631(c) - Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule,
(14) EXECUTIVE AGENCY.—The “Executive agency” has the meaning set forth in section 105 of title 5, United States Code.
(I) any obscene visual depiction (as defined for purposes of section 1460 of title 18, United States Code);
(B) RULEMAKING.—The Commission may commence a rulemaking pursuant to section 553 of title 5, United States Code, to include any additional category of covered data under this definition that may require a similar level of protection as the data listed in clauses (i) through (xvi) of subparagraph (A) as a result of any new method of collecting, processing, or transferring covered data.
(25) SERVICE PROVIDER.—The term “service provider” means a person or entity that collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract, provided that the contract meets the requirements of section 302.
(C) NON-APPLICATION TO SERVICE PROVIDERS.—An entity shall not be considered to be a third-party collecting entity for purposes of this Act if the entity is acting as a service provider (as defined in this section).
(36) WIDELY DISTRIBUTED MEDIA.—The term “widely distributed media” means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis, but does not include an obscene visual depiction (as defined in section 1460 of title 18, United States Code).
effect a purpose expressly permitted under subsection (b).
Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes provided that the covered entity or service provider can demonstrate that collection, processing, or transfer complies with all other applicable laws not preempted in section 404 and provisions of this Act and is limited to what is reasonably necessary and proportionate to such purpose:
(12) Otherwise complies with the requirements of this Act, including section 204(c), to provide a targeted advertisement.
Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall take into consideration—
the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, service provider, third party, or third-party collecting entity;
Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—
collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains, or to effect a purpose enumerated in section 101(b)(1) through (10);
(F) the transfer of genetic information is necessary to perform a medical diagnosis or medical treatment specifically requested by an individual, or to conduct medical research in accordance with conditions of section 101(b)(9); or
collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the individual or pursuant to one of the permissible purposes enumerated in section 101(b)(1) through (10).
Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with—
the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, third party, or third-party collecting entity;
Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as to what constitutes reasonable policies, practices, and procedures as required by this section. The Commission shall consider unique circumstances applicable to nonprofit organizations and covered entities meeting the requirements of section 209.
Rules Of Construction.—Nothing in subsection (a) shall be construed to—
prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based on an individual’s exercise of a right in section 203(a)(3).
Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in law, regulation, guidance, or judicial decisions.
Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the United States, according to the most recent U.S. Census. The Commission shall ensure the website is readily accessible to and usable by individuals with disabilities.
Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:
Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the covered entity or service provider—
Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily accessible to and usable by individuals with disabilities.
AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any previously collected covered data and, except as provided in section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transferring of covered data under the changed policy.
CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.
IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice of its covered data practices in a manner that is—
RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice which shall not exceed the content requirements in subsection (b) and shall include templates and/or models of short-form notices.
Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—
Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—
Subject to subsections (d) and (e)(1) each request shall be completed by any—
(B) covered entity that is not considered a large data holder or a covered entity described in section 209 within 60 days of verification of such request from an individual; or
(C) covered entity as described in section 209 within 90 days of verification of such request from an individual.
A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering the complexity and number of the individual’s requests, so long as the covered entity informs the individual of any such extension within the initial 45-day response period, together with the reason for the extension.
shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
(A) the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and
REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—
(D) reasonably believes that the exercise of the right would require the covered entity to engage in an unfair or deceptive practice under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity—
(A) IN GENERAL.—A covered entity may decline to comply with a request to exercise a right described in subsection (a), in whole or in part, that would—
(D) FURTHER EXCEPTIONS.—The Commission may, by regulation as described in subsection (f), establish additional permissive exceptions necessary to protect the rights of individuals, alleviate undue burdens on covered entities, prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or as otherwise necessary to fulfill the purposes of this section. In creating such exceptions, the Commission should consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.
Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553 of title 5, United States Code (5 U.S.C. 553), as necessary to establish processes by which covered entities are to comply with the provisions of this section. Such regulations shall take into consideration—
the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, service provider, third party, or third-party collecting entity;
Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten languages with the most users in the United States, according to the most recent U.S. Census, if the covered entity provides service in such language. The mechanisms by which a covered entity enables individuals to make requests under this section shall be readily accessible and usable by with disabilities.
(B) shall allow an individual to object to such transfer through an opt-out mechanism, as described in section 210, if applicable.
EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions in sections 101(b)(1) through (11) of this Act.
allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.
Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—
Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of any data with respect to the age of an individual or a proxy thereof, or to require that a covered entity implement an age gating regime. Rather, the determination of whether an individual is under 17 shall be based on the covered data collected directly from an individual or a proxy thereof that the covered entity would otherwise collect in the normal course of business.
ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this section referred to as the “Division”).
IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General of the Commission shall submit to the Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1307 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503), which shall include—
notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking under section 553 of title 5, United States Code; and
includes a link to the website established under subsection (b)(3).
IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity acted as a third-party collecting entity and processed covered data pertaining to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual, such covered entity shall register with the Commission in accordance with this subsection.
Link to a website through which an individual may easily exercise the rights provided under this subsection.
THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party collecting entities that are registered with the Commission under this subsection that includes the following:
(C) A “Do Not Collect” registry link and mechanism by which an individual may, after the Commission has verified the identity of the individual or individual’s parent or guardian, which may include tokenization, easily submit a request to all registered third-party collecting entities that are not consumer reporting agencies, and to the extent they are not acting as consumer reporting agencies, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) to—
Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable for—
a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection, not to exceed a total of $10,000 for any year; and
an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed to register as required under paragraph (1) of such subsection.
EXCEPTIONS.—This subsection shall not apply to—
(B) any private club or group not open to the public, as described in section 201(e) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(e)).
IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.
COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal agencies.
TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but a covered entity and a service provider may redact and segregate any trade secrets (as defined in section 1839 of title 18, United States Code) from public disclosure under this subparagraph.
(D) ENFORCEMENT.—The Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than enforcing this Act, including the study and report provisions in paragraph 6 of this section. This provision shall not preclude the Commission from providing this information to Congress in response to a subpoena or official Congressional request.
GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, or their respective designees, publish guidance regarding compliance with this section.
RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as necessary to establish processes by which a large data holder—
(B) may exclude from this subsection any algorithm that presents low or minimal risk for potential for harms to individuals (as identified under paragraph (1)(B)).
INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall submit to Congress a report containing the results of the study conducted under subsection (a), together with recommendations for such legislation and administrative action as the Commission determines appropriate.
Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:
INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.
Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes for complying with this section.
Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), and is in compliance with the information security requirements of such Act as determined by the enforcement authority in such Act, shall be deemed to be in compliance with the requirements of this section with respect to any data covered by such information security requirements.
(A) be exempt from compliance with sections 203(a)(4), 208(b)(1)–(3), (5)–(7), and 301(c); and
(B) at the covered entity’s sole discretion, have the option of complying with section 203(a)(2) by, after receiving a verified request from an individual to correct covered data of the individual under such section, deleting such covered data in its entirety instead of making the requested correction.
DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to carry on business for its own profit or that of their members, means the gross receipts the covered entity received in whatever form from all sources without subtracting any costs or expenses, and includes contributions, gifts, grants, dues or other assessments, income from investments, or proceeds from the sale of real or personal property.
In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—
Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s internal controls and reporting structures that is conducted by the certifying officers not more than 90 days before the submission of the certification.
ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph (1) of this subsection to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—
(C) approved by the privacy protection officer designated in subsection (c)(3) of the large data holder.
shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section 203, by appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider;
shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance with the obligations in this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the parties and making the report required under section 207(c)(2) as applicable;
shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data it processes consistent with section 208; and
shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification regarding material changes to its privacy policy to each covered entity with which it provides services or functions as a service provider, in each language that the privacy policy is made available. Compliance with this provision does not alleviate any obligations the service provider has to the covered entity to which it provides services or functions as a service provider.
Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written contract between the covered entity and the service provider, or a written contract between one service provider and a second service provider as permitted in section 302(a)(4), provided that the contract—
(A) collecting, processing, or transferring covered data in contravention to subsection (a); and
shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing purpose for which the individual gave affirmative express consent and, in the case of non-sensitive data, the processing purpose for which the covered entity made a disclosure pursuant to section 204(b)(4);
shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.
GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection, taking into consideration the burdens on small- and medium-sized covered entities.
In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section specific to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data.
Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method used by a covered entity to collect, process, or transfer covered data—
Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program, or the failure to act within the 180 day period after a request for approval, amendment, or repeal of a technical compliance program is made under subsection (c), may be appealed to a Federal district court of the United States of appropriate jurisdiction as provided for in section 702 of title 5, United States Code.
IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State attorney general shall consider the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program. If such enforcement action described in Sec. 403 is commenced, the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program shall be taken into consideration when determining liability or a penalty. The covered entity’s history of compliance with any technical compliance program shall not affect any burden of proof or the weight given to evidence in an enforcement or judicial proceeding.
RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek discovery of any non-public Commission deliberations or activities or impose any pleading requirement on the Commission should it bring an enforcement action of any kind.
IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a group of such covered entities, may apply to the Commission for approval of 1 or more sets of compliance guidelines governing the collection, processing, and transfer of covered data by the covered entity or group of covered entities.
(C) a list of the covered entities that meet the requirements of section 209 and are not third-party collecting entities, if any are known at the time of application, that intend to adhere to the compliance guidelines; and
(III) include a means of enforcement if a covered entity does not meet or exceed the requirements in the guidelines, which may include referral to the Commission for enforcement consistent with section 401 or referral to the appropriate State attorney general for enforcement consistent with section 402.
Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section shall be deemed in compliance with the relevant provisions of this Act if it is in compliance with such guidelines.
Requirements.—Each report under subsection (a) shall include the following:
A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section shall not supersede any other provision of law or be construed to limit the authority of any Executive agency related to digital content forgeries.
MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority under this Act and related authorities.
Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of Business Mentorship to provide guidance and education to covered entities regarding compliance with this Act. Covered entities may request advice from the Commission or this office with respect to a course of action which the covered entity proposes to pursue and which may relate to the requirements of this Act.
UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act or practice violates this Act or a regulation promulgated under this Act, the Commission may not seek a cease and desist order against the same defendant under section 5(b) of the Federal Trade Commission Act (15 U.S.C. 45(b)) to stop that same act or practice on the grounds that such act or practice constitutes an unfair or deceptive act or practice.
COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall enforce this Act and the regulations promulgated under this Act, in the same manner provided in subsections (1), (2), (3), and (5) of this subsection, with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and All Acts amendatory thereof and supplementary thereto; and organizations not organized to carry on business for their own profit or that of their members.
AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payments or compensation, or other monetary relief to individuals affected by an act or practice for which relief has been obtained under this Act.
(I) funding the activities of the Office of Business Mentorship established under subsection (b); or
IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action as of right pursuant to the Federal Rules of Civil Procedure.
NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the notification required by paragraph (1) before initiating a civil action under subsection (a), the attorney general of a State or State Privacy Authority shall notify the Commission immediately after initiating the civil action.
Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy Authority from exercising the powers conferred on the attorney general or State Privacy Authority to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting, or affecting the authority of a State attorney general or State Privacy Authority to—
REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions under this subsection, and annually thereafter, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report that contains the results of the study conducted under paragraph (4).
ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect to an individual under the age of 18 may limit any of the rights provided in this Act.
DEFINITIONS.—For purposes of this subsection:
NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such action against a covered entity for injunctive relief or against a covered entity that meets the requirements of section 210(c) for any form of relief the individual provides to the covered entity 45 days’ written notice identifying the specific provisions of this Act the individual alleges have been or are being violated.
Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the provisions of this Act and requesting a monetary payment, such correspondence shall include the following language: “Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter” followed by a hyperlink to the web page of the Commission required under section 201. If such correspondence does not include such language and hyperlink, the individual or joint class of individuals shall forfeit their rights under this section.
Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b), 206(c)(3)(D), 207(a), 208(a), or 302 for which relief described in subsection (a)(2) may be granted.
(B) any requirement for a common carrier subject to section 64.2011 of title 47, Code of Federal Regulations, regarding information security breaches; or
APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 208, with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.
APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208 with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.
(P) Section 1798.150 of the California Civil Code (as amended on November 3, 2020, by initiative Proposition 24, section 16).
NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631 of the Communications Act of 1934, as amended (47 U.S.C. 222, 338(i), and 551), and any regulation promulgated by the Federal Communications Commission under such sections, shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.
