(1) - AFFIRMATIVE EXPRESS CONSENT.—(i) - The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used(ii) - The request includes a description of the act or practice for which the individual’s consent is sought and—(iii) - The request clearly explains the individual’s applicable rights related to consent.(iv) - The request shall be made in a manner readily accessible to and usable by individuals with disabilities.(v) - The request shall be made available to the public in each language in which the covered entity provides a product(i) - the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(ii) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(2) - ALGORITHM.—The term “algorithm” means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational(3) - BIOMETRIC INFORMATION.—(i) - fingerprints;(ii) - voice prints;(iii) - iris or retina scans;(iv) - facial mapping or hand mapping, geometry, or templates; or(v) - gait or personally identifying physical movements.(i) - a digital or physical photograph;(ii) - an audio or video recording; or(iii) - data generated from a digital or physical photograph, or an audio or video recording that cannot be used to identify(4) - COLLECT; COLLECTION.—The terms “collect” and “collection” mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any(5) - COMMISSION.—The term “Commission” means the Federal Trade Commission.(6) - COMMON BRANDING.—The term “common branding” means a name, service mark, or trademark that is shared by 2 or more entities.(7) - CONTROL.—The term “control” means, with respect to an entity—(8) - COVERED DATA.—(i) - de-identified data;(ii) - employee data;(iii) - publicly available information; or(iv) - inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect(i) - information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant(ii) - the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or(iii) - emergency contact information collected by an employer that relates to an employee of that employer, provided that such information is(iv) - information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is(9) - COVERED ENTITY.—(i) - means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with(ii) - includes any entity or person that controls, is controlled by, or is under common control with another covered entity.(i) - a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State,(ii) - a person or an entity that is collecting, processing, or transferring covered data on behalf of or a Federal, State,(i) - to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and(ii) - to not attempt to re-identify the information with any individual or device; and(i) - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1(ii) - the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to(i) - personal email addresses;(ii) - personal telephone numbers; or(iii) - log-in information of an individual or device to allow the individual or device to log in to an account administered(i) - Federal, State, or local government records provided that the covered entity collects, processes, and transfers such information in accordance with(ii) - widely distributed media;(iii) - a website or online service made available to all members of the public, for free or for a fee, including(iv) - a disclosure that has been made to the general public as required by Federal, State, or local law; or(v) - a visual observation of an individual’s physical presence in a public place by another person, not including data collected by(i) - AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not(ii) - OTHER LIMITATIONS.—The term “publicly available information” does not include—(i) - A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by(ii) - Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition(iii) - A financial account number, debit card number, credit card number, or information about income level or bank account balances.(iv) - Biometric information.(v) - Genetic information.(vi) - Precise geolocation information.(vii) - An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such(viii) - Account or device log-in credentials, or security or access codes for an account or device.(ix) - Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation(x) - Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an(xi) - A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.(xii) - Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television(xiii) - Information about an individual when the covered entity knows that the individual is under the age of 17.(xiv) - Any other covered data collected, processed, or transferred for the purpose of identifying the above data types.(i) - the chief consumer protection officer of a State; or(ii) - a State consumer protection agency with expertise in data protection.(i) - advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or(ii) - contextual advertising, which is when an advertisement is displayed based on the content or location in which the advertisement appears(iii) - processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.(i) - collects, processes, or transfers third-party data; and(ii) - is not a service provider with respect to such data; and(i) - means a covered entity whose principal source of revenue is derived from processing or transferring the covered data that the(ii) - does not include a covered entity in so far as such entity processes employee data collected by and received from(i) - more than 50 percent of all revenue of the covered entity; or(ii) - obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not
(a) - In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited(1) - provide, or maintain a specific product or service requested by the individual to whom the data pertains;(2) - deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the(3) - effect a purpose expressly permitted under subsection (b).(b) - Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes(1) - To initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated(2) - With respect to covered data previously collected in accordance with this Act, notwithstanding this exception, to process such data as(3) - To authenticate users of a product or service.(4) - To prevent, detect, protect against, or respond to a security incident, or fulfill a product or service warranty. For purposes(5) - To prevent, detect, protect against or respond to fraud, harassment, or illegal activity. For the purposes of this paragraph, illegal(6) - To comply with a legal obligation imposed by Federal, Tribal, Local, or State law, or to establish, exercise, or defend(7) - To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in(8) - To effectuate a product recall pursuant to Federal or State law.(9) - (A) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—(i) - is in the public interest;(ii) - adheres to all relevant laws governing such research; and(iii) - adheres to the regulations for human subject research established under part 46 of title 45, Code of Federal Regulations (or(c) - Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(d) - Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive
(a) - Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—(1) - collect, process, or transfer a social security number, except when necessary to facilitate extensions of credit, authentication, the payment and(2) - collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a(3) - transfer an individual’s sensitive covered data to a third party, unless—(4) - collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the
(a) - Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures(1) - consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;(2) - identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;(3) - mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service(4) - implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable(b) - Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall(1) - the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged(2) - the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;(3) - the volume of covered data collected, processed, or transferred by the covered entity or service provider;(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or(5) - the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.(c) - Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as
(a) - Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service(b) - Rules Of Construction.—Nothing in subsection (a) shall be construed to—(1) - prohibit the relation of the price of a service or the level of service provided to an individual to the(2) - prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration,(3) - require a covered entity to provide a loyalty program that would require the covered entity to collect, process, or transfer(4) - prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;(5) - prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based
(a) - In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the(b) - Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in(c) - Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the
(a) - In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible(b) - Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:(1) - The identity and the contact information of—(2) - The categories of covered data the covered entity or service provider collects or processes.(3) - The processing purposes for each category of covered data the covered entity or service provider collects or processes.(4) - Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third(5) - The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive(6) - A prominent description of how an individual can exercise the rights described in this Act.(7) - A general description of the covered entity’s or service provider’s data security practices.(8) - The effective date of the privacy policy.(9) - Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored(c) - Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the(1) - provides a product or service that is subject to the privacy policy; or(2) - carries out activities related to such product or service.(d) - Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily(e) - Material Changes.—(1) - AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall(2) - NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to(3) - CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.(4) - LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least(f) - Short-Form Notice To Consumers By Large Data Holders.—(1) - IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice(2) - RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data
(a) - Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide(1) - access—(2) - correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is(3) - delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify(4) - to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data,(b) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing(c) - Timing.—(1) - Subject to subsections (d) and (e)(1) each request shall be completed by any—(2) - A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering(d) - Frequency And Cost Of Access.—A covered entity—(1) - shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and(2) - with respect to—(e) - Verification And Exceptions.—(1) - REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or(2) - ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is(3) - PERMISSIVE EXCEPTIONS.—(i) - require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is(ii) - be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing(iii) - require the covered entity to attempt to re-identify de-identified data;(iv) - result in the release of trade secrets, or other privileged, or confidential business information;(v) - require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;(vi) - interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity,(vii) - violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United(viii) - prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose(ix) - fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or(x) - with respect to requests for deletion—(f) - Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553(1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether(2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;(3) - the volume of covered data collected, processed, or transferred by the covered entity; and(4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.(g) - Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten
(a) - Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative(b) - Right To Opt Out Of Covered Data Transfers.—(1) - IN GENERAL.—A covered entity—(2) - EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions(c) - Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—(1) - prior to engaging in such targeted advertising and at all times thereafter, provide an individual with a clear and conspicuous(2) - abide by such opt-out designations by an individual; and(3) - allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.(d) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of(1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or(2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(a) - Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under(b) - Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third(c) - Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of(d) - Youth Privacy And Marketing Division.—(1) - ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this(2) - DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.(3) - DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—(4) - STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by(5) - REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit(6) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall(e) - Report By The Inspector General.—(1) - IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General(i) - operating fairly and effectively; and(ii) - effectively protecting the interests of children and minors; and(2) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall
(a) - Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party(1) - notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking(2) - includes a link to the website established under subsection (b)(3).(b) - Third-Party Collecting Entity Registration.—(1) - IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity(2) - REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:(i) - The legal name and primary physical, email, and internet addresses of the third-party collecting entity.(ii) - A description of the categories of data the third-party collecting entity processes and transfers.(iii) - The contact information of the third-party collecting entity, including a contact person, telephone number, an e-mail address, a website, and(iv) - Link to a website through which an individual may easily exercise the rights provided under this subsection.(3) - THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party(i) - delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly(ii) - ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent(c) - Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable(1) - a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection,(2) - an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed
(a) - Civil Rights Protections.—(1) - IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that(2) - EXCEPTIONS.—This subsection shall not apply to—(i) - a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or(ii) - diversifying an applicant, participant, or customer pool; or(b) - FTC Enforcement Assistance.—(1) - IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered(2) - ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall(3) - TECHNICAL ASSISTANCE.—In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance,(4) - COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal(c) - Algorithm Impact And Evaluation.—(1) - ALGORITHM IMPACT ASSESSMENT.—(i) - A detailed description of the design process and methodologies of the algorithm.(ii) - A statement of the purpose, proposed uses, and foreseeable capabilities outside of the articulated proposed use of the algorithm.(iii) - A detailed description of the data used by the algorithm, including the specific categories of data that will be processed(iv) - A description of the outputs produced by the algorithm.(v) - An assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, including reasons for the(vi) - A detailed description of steps the large data holder has taken or will take to mitigate potential harms to individuals,(2) - ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this(3) - OTHER CONSIDERATIONS.—(i) - IN GENERAL.—A covered entity and a service provider—(ii) - TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but(4) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the(5) - RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as(6) - STUDY AND REPORT.—(i) - best practices for the assessment and evaluation of algorithms; and(ii) - methods to reduce the risk of harm to individuals that may be related to the use of algorithms.(i) - INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the(ii) - ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines
(a) - Establishment Of Data Security Practices.—(1) - IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices(2) - CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—(b) - Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:(1) - ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained(2) - PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data(3) - EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of(4) - INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary(5) - TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.(6) - DESIGNATION.—Designating an officer, employee, or employees to maintain and implement such practices.(7) - INCIDENT RESPONSE.—Implementing procedures to detect, respond to, or recover from security incidents or breaches.(c) - Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes(d) - Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act
(a) - In General.—(1) - Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the(2) - EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period,(3) - DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to(4) - JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed
(a) - In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder(1) - internal controls reasonably designed to comply with this Act; and(2) - reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s(b) - Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s(c) - Designation Of Privacy And Data Security Officer.—(1) - IN GENERAL.—A covered entity and a service provider shall designate—(2) - REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or(3) - ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph(d) - Large Data Holder Privacy Impact Assessments.—(1) - IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date(2) - ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—(i) - the nature of the covered data collected, processed, and transferred by the large data holder;(ii) - the volume of the covered data collected, processed, and transferred by the large data holder; and(iii) - the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the(3) - ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks, including substantial privacy risks, the large data holder may include
(a) - Service Providers.—A service provider—(1) - shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service(2) - shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity(3) - shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section(4) - may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after(5) - shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the(6) - shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the(7) - shall not transfer service provider data to any person with the exception of another service provider without the affirmative express(8) - shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality(9) - shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification(b) - Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written(1) - governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity(2) - clearly sets forth—(3) - does not relieve a covered entity or a service provider of an obligation under this Act; and(4) - prohibits—(c) - Relationship Between Covered Entities And Service Providers.—(1) - Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of(2) - A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of(3) - A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not(d) - Third Parties.—A third party—(1) - shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing(2) - for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data,(3) - shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same(e) - Additional Obligations On Covered Entities.—(1) - IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—(2) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance
(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations(b) - Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method(1) - establish guidelines for compliance with this Act;(2) - meet or exceed the requirements of this Act; and(3) - be made publicly available to any individual whose covered data is collected, processed, or transferred using such technology, product, service,(c) - Approval Process.—(1) - IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by(2) - EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a(d) - Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program,(e) - Effect On Enforcement.—(1) - IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State(2) - COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to(3) - RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek
(a) - Application For Compliance Guideline Approval.—(1) - IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a(2) - APPLICATION REQUIREMENTS.—Such application shall include—(3) - COMMISSION REVIEW.—(i) - PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish(ii) - APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—(iii) - TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving(i) - IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission,(ii) - TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission(b) - Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of(c) - Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section
(a) - Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce(b) - Requirements.—Each report under subsection (a) shall include the following:(1) - A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section(2) - A description of the common sources of digital content forgeries in the United States and commercial sources of digital content(3) - An assessment of the uses, applications, and harms of digital content forgeries.(4) - An analysis of the methods and standards available to identify digital content forgeries as well as a description of the(5) - A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any(6) - Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.
(a) - New Bureau.—(1) - IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in(2) - MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority(3) - TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of(b) - Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of(c) - Enforcement By The Federal Trade Commission.—(1) - UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated(2) - POWERS OF THE COMMISSION.—(3) - LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act(4) - COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall(5) - DATA PRIVACY AND SECURITY VICTIMS RELIEF FUND.—(i) - AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be(ii) - OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief
(a) - Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe(1) - enjoin that act or practice;(2) - enforce compliance with this Act or the regulation;(3) - obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or(4) - reasonable attorneys’ fees and other litigation costs reasonably incurred.(b) - Rights Of The Commission.—(1) - IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in(2) - NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the(c) - Actions By The Commission.—In any case in which a civil action is instituted by or on behalf of the Commission(d) - Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy(e) - Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting,(1) - bring an action or other regulatory proceeding arising solely under the laws in effect in that State; or(2) - exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the
(a) - Enforcement By Individuals.—(1) - IN GENERAL.—Beginning 4 years after the date on which this Act takes effect, any individual who suffers an injury that(2) - RELIEF.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—(3) - RIGHTS OF THE COMMISSION AND STATE ATTORNEYS GENERAL.—(i) - be heard on all matters arising in such action; and(ii) - file petitions for appeal of a decision in such action.(i) - Prior to the date that is 60 days after either a State attorney general or the Commission has received the(ii) - After the Commission or attorney general of a State made the determination to independently seek civil actions against such entity(4) - FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau(5) - REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions(b) - Pre-Dispute Arbitration Agreements And Pre-Dispute Joint-Action Waivers Related To Individuals Under The Age Of 18.—(1) - ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect(2) - JOINT-ACTION WAIVERS.—Notwithstanding any other provision of law, no agreement for pre-dispute joint-action waiver with respect to an individual under the(3) - DEFINITIONS.—For purposes of this subsection:(c) - Right To Cure.—(1) - NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such(2) - EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed(d) - Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the(e) - Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b),
(a) - Federal Law Preservation.—(1) - IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—(2) - APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15(3) - APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act(b) - Preemption Of State Laws.—(1) - IN GENERAL.—No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation,(2) - STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or(3) - NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631(c) - Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule,
(17) LARGE DATA HOLDER.—The term “large data holder” means a covered entity or service provider that, in the most recent calendar year—
(C) EXCLUSIONS.—The term “large data holder” does not include any instance where the covered entity or service provider would qualify as a large data holder solely on account of collecting, or processing—
log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity or service provider.
(D) REVENUE.—For purposes of this determining whether any covered entity or service provider is a large data holder, the term “revenue” as it relates to any covered entity or service provider that is not organized to carry on business for its own profit or that of its members, means the gross receipts the covered entity or service provider received in whatever form from all sources without subtracting any costs or expenses, and includes contributions, gifts, grants, dues or other assessments, income from investments, or proceeds from the sale of real or personal property.
(25) SERVICE PROVIDER.—The term “service provider” means a person or entity that collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract, provided that the contract meets the requirements of section 302.
(26) SERVICE PROVIDER DATA.—The term “service provider data” means covered data that is collected or processed by or has been transferred to a service provider by a covered entity for the purpose of allowing the service provider to perform a service or function on behalf of, and at the direction of, such covered entity.
is not a service provider with respect to such data; and
(C) NON-APPLICATION TO SERVICE PROVIDERS.—An entity shall not be considered to be a third-party collecting entity for purposes of this Act if the entity is acting as a service provider (as defined in this section).
Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes provided that the covered entity or service provider can demonstrate that collection, processing, or transfer complies with all other applicable laws not preempted in section 404 and provisions of this Act and is limited to what is reasonably necessary and proportionate to such purpose:
To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in good faith that the individual, or groups of individuals, is at risk of death, serious physical injury, or other serious health risk.
the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, service provider, third party, or third-party collecting entity;
Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive advertising or marketing with respect to a product or service provided to an individual.
Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data to—
consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;
mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including their design, development, and implementation; and
implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers or covered data the service provider collects, processes, or transfers on behalf of the covered entity and mitigate privacy risks, including substantial privacy risks.
Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with—
the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, third party, or third-party collecting entity;
the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;
the volume of covered data collected, processed, or transferred by the covered entity or service provider;
the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or service provider relates; and
In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the public website of the Commission, a web page that describes each provision, right, obligation, and requirement of this Act, listed separately for individuals and for covered entities and service providers, and the remedies, exemptions, and protections associated with this Act in plain and concise language and in an easy-to-understand manner.
In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.
(A) the covered entity or service provider (including the covered entity’s or service provider’s points of contact, generic electronic mail addresses, and phone numbers of the covered entity, as applicable for privacy and data security inquiries); and
(B) any other entity within the same corporate structure as, and under common branding with, the covered entity or service provider to which covered data is transferred by the covered entity.
The categories of covered data the covered entity or service provider collects or processes.
The processing purposes for each category of covered data the covered entity or service provider collects or processes.
Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third party to which the covered entity or service provider transfers covered data, the name of each third-party collecting entity to which the covered entity or service provider transfers covered data, and the purposes for which such data is transferred to such categories of service providers and third parties or third-party collecting entities, except for transfers to governmental entities pursuant to a court order or law that prohibits the covered entity from disclosing such transfer.
The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that time frame, the criteria used to determine the length of time the covered entity intends to retain categories of covered data.
A general description of the covered entity’s or service provider’s data security practices.
Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored in or otherwise accessible to the People’s Republic of China, Russia, Iran, or North Korea.
Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the covered entity or service provider—
Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily accessible to and usable by individuals with disabilities.
(A) the covered data, except covered data in back-up or archival systems, of the individual in a human-readable format that a reasonable individual can understand and download from the internet, that is collected, processed, or transferred by the covered entity or any service provider of the covered entity within the 24 months preceding the request;
(B) the name of any third party and the categories of any service providers to whom the covered entity has transferred for consideration the covered data of the individual, as well as the categories of sources from which the covered data was collected; and
(C) a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider;
correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is processed by the covered entity and instruct the covered entity to notify any third party, or service provider to which the covered entity transferred such covered data of the corrected information;
delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify any third party, or service provider to which the covered entity transferred such covered data of the individual’s deletion request; and
the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, service provider, third party, or third-party collecting entity;
delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly or when acting as a service provider; and
ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as such covered entity is acting as a service provider. Each third-party collecting entity that receives such a request from an individual shall delete all the covered data of the individual not later than 30 days after the request is received by the third-party collecting entity.
IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.
a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or
IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.
ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this Act, a covered entity or service provider that knowingly develops an algorithm, solely or in part, to collect, process, or transfer covered data or publicly available information shall prior to deploying the algorithm in interstate commerce evaluate the design, structure, and inputs of the algorithm, including any training data used to develop the algorithm, to reduce the risk of the potential harms identified under paragraph (1)(B).
(A) FOCUS.—In complying with paragraph (1) or (2), a covered entity and a service provider may focus the impact assessment or evaluation on any algorithm, or portions of an algorithm, that may reasonably contribute to the risk of the potential harms identified under paragraph (1)(B).
(B) EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER.—To the extent possible, a covered entity and a service provider shall utilize an external, independent auditor or researcher to conduct an impact assessment under paragraph (1) or an evaluation under paragraph (2).
IN GENERAL.—A covered entity and a service provider—
TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but a covered entity and a service provider may redact and segregate any trade secrets (as defined in section 1839 of title 18, United States Code) from public disclosure under this subparagraph.
(D) ENFORCEMENT.—The Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than enforcing this Act, including the study and report provisions in paragraph 6 of this section. This provision shall not preclude the Commission from providing this information to Congress in response to a subpoena or official Congressional request.
IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.
(A) the size and complexity of the covered entity or service provider;
(B) the nature and scope of the covered entity or the service provider’s collecting, processing, or transferring of covered data;
(C) the volume and nature of the covered data collected, processed, or transferred by the covered entity or service provider;
ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by any entity or individual.
PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software, among other actions.
EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of any material changes in technology, internal or external threats to covered data, and the covered entity or service provider’s own changing business arrangements or operations.
Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) shall—
EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period, the following:
(A) The covered entity or service provider’s average annual gross revenues during the period did not exceed $41,000,000.
(B) The covered entity or service provider, on average, did not annually collect or process the covered data of more than 200,000 individuals during the period beyond the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose is deleted or de-identified within 90 days.
(C) The covered entity or service provider did not derive more than 50 percent of its revenue from transferring covered data during any year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs during the period.
IN GENERAL.—A covered entity and a service provider shall designate—
REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer shall, at a minimum—
(B) facilitate the covered entity or service provider’s ongoing compliance with this Act.
IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date that a covered entity or service provider first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.
Service Providers.—A service provider—
shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service requested by the covered entity. This paragraph shall not require a service provider to collect or process covered data if the service provider would not otherwise do so;
shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity violated this Act with respect to such data;
shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section 203, by appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider;
may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after providing the covered entity that is directing the services or functions of the service provider with respect to such service provider data with notice, and pursuant to a written contract that requires such other service provider to satisfy the obligations of the service provider with respect to such service provider data;
shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance with the obligations in this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the parties and making the report required under section 207(c)(2) as applicable;
shall not transfer service provider data to any person with the exception of another service provider without the affirmative express consent, obtained by the covered entity with the direct relationship to the individual that is directing the services or functions of the service provider with respect to the service provider data, of the individual to whom the service provider data is linked or reasonably linkable;
shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification regarding material changes to its privacy policy to each covered entity with which it provides services or functions as a service provider, in each language that the privacy policy is made available. Compliance with this provision does not alleviate any obligations the service provider has to the covered entity to which it provides services or functions as a service provider.
Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written contract between the covered entity and the service provider, or a written contract between one service provider and a second service provider as permitted in section 302(a)(4), provided that the contract—
governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity or service provider;
does not relieve a covered entity or a service provider of an obligation under this Act; and
(B) combining service provider data with covered data which the service provider receives from or on behalf of another person or persons or collects from its own interaction with an individual. The contract may, subject to agreement with the service provider, permit a covered entity to monitor the service provider’s compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months.
Relationship Between Covered Entities And Service Providers.—
Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of data is a fact-based determination that depends upon the context in which such data is processed.
A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of this Act, is not liable for a violation of this Act by the service provider to whom such covered data was transferred, this Act provided that, at the time of transferring such covered data, the covered entity or service provider did not know or have reason to know that the service provider would likely commit a violation of this Act.
A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not in violation of this Act as a result of a violation by a covered entity or service provider from which it receives such covered data.
IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—
(A) selecting a service provider; and
(B) DEPOSITS.—The amount of any civil penalty obtained against any covered entity or service provider or any other relief ordered to provide redress, payments or compensation, or other monetary relief to individuals that cannot be located or the payment of which would otherwise not be practicable in any judicial or administrative action to enforce this Act or a regulation promulgated under this Act shall be deposited into the Victims Relief Fund.
Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe that an interest of the residents of that State has been, may be, or is adversely affected by the engagement of any a covered entity or service provider in an act or practice that has violated this Act or a regulation promulgated under this Act, the attorney general of the State, or State Privacy Authority, may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State. Any such action shall be brought exclusively in an appropriate Federal district court of the United States to—
