(1) - AFFIRMATIVE EXPRESS CONSENT.—
  (i) - The request is provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used
  (ii) - The request includes a description of the act or practice for which the individual’s consent is sought and—
  (iii) - The request clearly explains the individual’s applicable rights related to consent.
  (iv) - The request shall be made in a manner readily accessible to and usable by individuals with disabilities.
  (v) - The request shall be made available to the public in each language in which the covered entity provides a product

  (i) - the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (ii) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing

(2) - ALGORITHM.—The term “algorithm” means a computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational

(3) - BIOMETRIC INFORMATION.—
  (i) - fingerprints;
  (ii) - voice prints;
  (iii) - iris or retina scans;
  (iv) - facial mapping or hand mapping, geometry, or templates; or
  (v) - gait or personally identifying physical movements.

  (i) - a digital or physical photograph;
  (ii) - an audio or video recording; or
  (iii) - data generated from a digital or physical photograph, or an audio or video recording that cannot be used to identify

(4) - COLLECT; COLLECTION.—The terms “collect” and “collection” mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any

(5) - COMMISSION.—The term “Commission” means the Federal Trade Commission.

(6) - COMMON BRANDING.—The term “common branding” means a name, service mark, or trademark that is shared by 2 or more entities.

(7) - CONTROL.—The term “control” means, with respect to an entity—

(8) - COVERED DATA.—
  (i) - de-identified data;
  (ii) - employee data;
  (iii) - publicly available information; or
  (iv) - inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect

  (i) - information relating to a job applicant collected by a covered entity acting as a prospective employer of such job applicant
  (ii) - the business contact information of an employee, including the employee’s name, position or title, business telephone number, business address, or
  (iii) - emergency contact information collected by an employer that relates to an employee of that employer, provided that such information is
  (iv) - information relating to an employee (or a spouse, dependent, other covered family member, or beneficiary of such employee) that is

(9) - COVERED ENTITY.—
  (i) - means any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with
  (ii) - includes any entity or person that controls, is controlled by, or is under common control with another covered entity.

  (i) - a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State,
  (ii) - a person or an entity that is collecting, processing, or transferring covered data on behalf of or a Federal, State,

  (i) - to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and
  (ii) - to not attempt to re-identify the information with any individual or device; and

  (i) - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1
  (ii) - the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to

  (i) - personal email addresses;
  (ii) - personal telephone numbers; or
  (iii) - log-in information of an individual or device to allow the individual or device to log in to an account administered

  (i) - Federal, State, or local government records provided that the covered entity collects, processes, and transfers such information in accordance with
  (ii) - widely distributed media;
  (iii) - a website or online service made available to all members of the public, for free or for a fee, including
  (iv) - a disclosure that has been made to the general public as required by Federal, State, or local law; or
  (v) - a visual observation of an individual’s physical presence in a public place by another person, not including data collected by

  (i) - AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not
  (ii) - OTHER LIMITATIONS.—The term “publicly available information” does not include—

  (i) - A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by
  (ii) - Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition
  (iii) - A financial account number, debit card number, credit card number, or information about income level or bank account balances.
  (iv) - Biometric information.
  (v) - Genetic information.
  (vi) - Precise geolocation information.
  (vii) - An individual’s private communications such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such
  (viii) - Account or device log-in credentials, or security or access codes for an account or device.
  (ix) - Information identifying the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation
  (x) - Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an
  (xi) - A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
  (xii) - Information that reveals the video content or services requested or selected by an individual from a provider of broadcast television
  (xiii) - Information about an individual when the covered entity knows that the individual is under the age of 17.
  (xiv) - Any other covered data collected, processed, or transferred for the purpose of identifying the above data types.

  (i) - the chief consumer protection officer of a State; or
  (ii) - a State consumer protection agency with expertise in data protection.

  (i) - advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or
  (ii) - contextual advertising, which is when an advertisement is displayed based on the content or location in which the advertisement appears
  (iii) - processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.

  (i) - collects, processes, or transfers third-party data; and
  (ii) - is not a service provider with respect to such data; and

  (i) - means a covered entity whose principal source of revenue is derived from processing or transferring the covered data that the
  (ii) - does not include a covered entity in so far as such entity processes employee data collected by and received from

  (i) - more than 50 percent of all revenue of the covered entity; or
  (ii) - obtaining revenue from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not

(a) - In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited
  (1) - provide, or maintain a specific product or service requested by the individual to whom the data pertains;
  (2) - deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the
  (3) - effect a purpose expressly permitted under subsection (b).
(b) - Permissible Purposes.—A covered entity or service provider may collect, process, or transfer covered data for any of the following purposes
  (1) - To initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated
  (2) - With respect to covered data previously collected in accordance with this Act, notwithstanding this exception, to process such data as
  (3) - To authenticate users of a product or service.
  (4) - To prevent, detect, protect against, or respond to a security incident, or fulfill a product or service warranty. For purposes
  (5) - To prevent, detect, protect against or respond to fraud, harassment, or illegal activity. For the purposes of this paragraph, illegal
  (6) - To comply with a legal obligation imposed by Federal, Tribal, Local, or State law, or to establish, exercise, or defend
  (7) - To prevent an individual, or groups of individuals, from suffering harm where the covered entity or service provider believes in
  (8) - To effectuate a product recall pursuant to Federal or State law.
  (9) - (A) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—
    (i) - is in the public interest;
    (ii) - adheres to all relevant laws governing such research; and
    (iii) - adheres to the regulations for human subject research established under part 46 of title 45, Code of Federal Regulations (or
(c) - Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall
  (1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether
  (2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity; and
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.
(d) - Deceptive Marketing Of A Product Or Service.—A covered entity, service provider, or third party is prohibited from engaging in deceptive

(a) - Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—
  (1) - collect, process, or transfer a social security number, except when necessary to facilitate extensions of credit, authentication, the payment and
  (2) - collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a
  (3) - transfer an individual’s sensitive covered data to a third party, unless—
  (4) - collect, process, or transfer an individual’s aggregated internet search or browsing history, except with the affirmative express consent of the

(a) - Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures
  (1) - consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;
  (2) - identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;
  (3) - mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service
  (4) - implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable
(b) - Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall
  (1) - the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged
  (2) - the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity or service provider;
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or
  (5) - the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.
(c) - Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as

(a) - Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service
(b) - Rules Of Construction.—Nothing in subsection (a) shall be construed to—
  (1) - prohibit the relation of the price of a service or the level of service provided to an individual to the
  (2) - prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration,
  (3) - require a covered entity to provide a loyalty program that would require the covered entity to collect, process, or transfer
  (4) - prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;
  (5) - prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based

(a) - In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the
(b) - Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in
(c) - Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the

(a) - In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible
(b) - Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:
  (1) - The identity and the contact information of—
  (2) - The categories of covered data the covered entity or service provider collects or processes.
  (3) - The processing purposes for each category of covered data the covered entity or service provider collects or processes.
  (4) - Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third
  (5) - The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive
  (6) - A prominent description of how an individual can exercise the rights described in this Act.
  (7) - A general description of the covered entity’s or service provider’s data security practices.
  (8) - The effective date of the privacy policy.
  (9) - Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored
(c) - Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the
  (1) - provides a product or service that is subject to the privacy policy; or
  (2) - carries out activities related to such product or service.
(d) - Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily
(e) - Material Changes.—
  (1) - AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall
  (2) - NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to
  (3) - CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.
  (4) - LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least
(f) - Short-Form Notice To Consumers By Large Data Holders.—
  (1) - IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice
  (2) - RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data

(a) - Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide
  (1) - access—
  (2) - correct any verifiably material inaccuracy or materially incomplete information with respect to the covered data of the individual that is
  (3) - delete covered data of the individual that is processed by the covered entity and instruct the covered entity to notify
  (4) - to the extent technically feasible, export covered data to the individual or directly to another entity, except for derived data,
(b) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of
  (1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing
(c) - Timing.—
  (1) - Subject to subsections (d) and (e)(1) each request shall be completed by any—
  (2) - A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering
(d) - Frequency And Cost Of Access.—A covered entity—
  (1) - shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
  (2) - with respect to—
(e) - Verification And Exceptions.—
  (1) - REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or
  (2) - ADDITIONAL INFORMATION.—If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is
  (3) - PERMISSIVE EXCEPTIONS.—
    (i) - require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is
    (ii) - be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing
    (iii) - require the covered entity to attempt to re-identify de-identified data;
    (iv) - result in the release of trade secrets, or other privileged, or confidential business information;
    (v) - require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;
    (vi) - interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity,
    (vii) - violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United
    (viii) - prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose
    (ix) - fall within an exception enumerated in the regulations promulgated by the Commission pursuant to paragraph (D); or
    (x) - with respect to requests for deletion—
(f) - Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553
  (1) - the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether
  (2) - the sensitivity of covered data collected, processed, or transferred by the covered entity;
  (3) - the volume of covered data collected, processed, or transferred by the covered entity; and
  (4) - the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.
(g) - Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten

(a) - Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative
(b) - Right To Opt Out Of Covered Data Transfers.—
  (1) - IN GENERAL.—A covered entity—
  (2) - EXCEPTION.—An individual may not opt out of the collection, processing, and transfer of covered data made pursuant to the exceptions
(c) - Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—
  (1) - prior to engaging in such targeted advertising and at all times thereafter, provide an individual with a clear and conspicuous
  (2) - abide by such opt-out designations by an individual; and
  (3) - allow an individual to prohibit such targeted advertising through an opt-out mechanism, as described in section 210, if applicable.
(d) - Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of
  (1) - through the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
  (2) - the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing

(a) - Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under
(b) - Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third
(c) - Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of
(d) - Youth Privacy And Marketing Division.—
  (1) - ESTABLISHMENT.—There is established within the Commission a division to be known as the “Youth Privacy and Marketing Division” (in this
  (2) - DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.
  (3) - DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—
  (4) - STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by
  (5) - REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit
  (6) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall
(e) - Report By The Inspector General.—
  (1) - IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General
    (i) - operating fairly and effectively; and
    (ii) - effectively protecting the interests of children and minors; and
  (2) - PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall

(a) - Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party
  (1) - notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking
  (2) - includes a link to the website established under subsection (b)(3).
(b) - Third-Party Collecting Entity Registration.—
  (1) - IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity
  (2) - REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:
    (i) - The legal name and primary physical, email, and internet addresses of the third-party collecting entity.
    (ii) - A description of the categories of data the third-party collecting entity processes and transfers.
    (iii) - The contact information of the third-party collecting entity, including a contact person, telephone number, an e-mail address, a website, and
    (iv) - Link to a website through which an individual may easily exercise the rights provided under this subsection.
  (3) - THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party
    (i) - delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly
    (ii) - ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent
(c) - Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable
  (1) - a civil penalty of $50 for each day it fails to register or provide notice as required under this subsection,
  (2) - an amount equal to the registration fees due under paragraph (2) of subsection (b) for each year that it failed

(a) - Civil Rights Protections.—
  (1) - IN GENERAL.—A covered entity or a service provider may not collect, process, or transfer covered data in a manner that
  (2) - EXCEPTIONS.—This subsection shall not apply to—
    (i) - a covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful discrimination; or
    (ii) - diversifying an applicant, participant, or customer pool; or
(b) - FTC Enforcement Assistance.—
  (1) - IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered
  (2) - ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall
  (3) - TECHNICAL ASSISTANCE.—In transmitting information under paragraph (1), the Commission may consult and coordinate with, and provide technical and investigative assistance,
  (4) - COOPERATION WITH OTHER AGENCIES.—The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Federal
(c) - Algorithm Impact And Evaluation.—
  (1) - ALGORITHM IMPACT ASSESSMENT.—
    (i) - A detailed description of the design process and methodologies of the algorithm.
    (ii) - A statement of the purpose, proposed uses, and foreseeable capabilities outside of the articulated proposed use of the algorithm.
    (iii) - A detailed description of the data used by the algorithm, including the specific categories of data that will be processed
    (iv) - A description of the outputs produced by the algorithm.
    (v) - An assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, including reasons for the
    (vi) - A detailed description of steps the large data holder has taken or will take to mitigate potential harms to individuals,
  (2) - ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this
  (3) - OTHER CONSIDERATIONS.—
    (i) - IN GENERAL.—A covered entity and a service provider—
    (ii) - TRADE SECRETS.—Covered entities and service providers must make all submissions under this section to the Commission in unredacted form, but
  (4) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the
  (5) - RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as
  (6) - STUDY AND REPORT.—
    (i) - best practices for the assessment and evaluation of algorithms; and
    (ii) - methods to reduce the risk of harm to individuals that may be related to the use of algorithms.

    (i) - INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the
    (ii) - ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines

(a) - Establishment Of Data Security Practices.—
  (1) - IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices
  (2) - CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—
(b) - Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:
  (1) - ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained
  (2) - PREVENTIVE AND CORRECTIVE ACTION.—Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data
  (3) - EVALUATION OF PREVENTIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of
  (4) - INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary
  (5) - TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.
  (6) - DESIGNATION.—Designating an officer, employee, or employees to maintain and implement such practices.
  (7) - INCIDENT RESPONSE.—Implementing procedures to detect, respond to, or recover from security incidents or breaches.
(c) - Regulations.—The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes
(d) - Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act

(a) - In General.—
  (1) - Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the
  (2) - EXEMPTION REQUIREMENTS.—The requirements of this paragraph are, with respect to a covered entity or a service provider and a period,
  (3) - DEFINITION.—For purposes of this section, the term “revenue” as it relates to any covered entity that is not organized to
  (4) - JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed

(a) - In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder
  (1) - internal controls reasonably designed to comply with this Act; and
  (2) - reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s
(b) - Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s
(c) - Designation Of Privacy And Data Security Officer.—
  (1) - IN GENERAL.—A covered entity and a service provider shall designate—
  (2) - REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or
  (3) - ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph
(d) - Large Data Holder Privacy Impact Assessments.—
  (1) - IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date
  (2) - ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—
    (i) - the nature of the covered data collected, processed, and transferred by the large data holder;
    (ii) - the volume of the covered data collected, processed, and transferred by the large data holder; and
    (iii) - the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the
  (3) - ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks, including substantial privacy risks, the large data holder may include

(a) - Service Providers.—A service provider—
  (1) - shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service
  (2) - shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity
  (3) - shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section
  (4) - may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after
  (5) - shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the
  (6) - shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the
  (7) - shall not transfer service provider data to any person with the exception of another service provider without the affirmative express
  (8) - shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality
  (9) - shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification
(b) - Contracts Between Covered Entities And Service Providers.—A person or entity may act as a service provider pursuant to a written
  (1) - governs the service provider’s data processing procedures with respect to processing or transfer performed on behalf of the covered entity
  (2) - clearly sets forth—
  (3) - does not relieve a covered entity or a service provider of an obligation under this Act; and
  (4) - prohibits—
(c) - Relationship Between Covered Entities And Service Providers.—
  (1) - Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of
  (2) - A covered entity or service provider that transfers covered data to a service provider, in compliance with the requirements of
  (3) - A covered entity or service provider that receives covered data in compliance with the requirements of this Act is not
(d) - Third Parties.—A third party—
  (1) - shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing
  (2) - for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data,
  (3) - shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same
(e) - Additional Obligations On Covered Entities.—
  (1) - IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—
  (2) - GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance

(a) - In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations
(b) - Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method
  (1) - establish guidelines for compliance with this Act;
  (2) - meet or exceed the requirements of this Act; and
  (3) - be made publicly available to any individual whose covered data is collected, processed, or transferred using such technology, product, service,
(c) - Approval Process.—
  (1) - IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by
  (2) - EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a
(d) - Right To Appeal.—Final action by the Commission on a request for approval, amendment, or repeal of a technical compliance program,
(e) - Effect On Enforcement.—
  (1) - IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State
  (2) - COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to
  (3) - RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek
(a) - Application For Compliance Guideline Approval.—
  (1) - IN GENERAL.—A covered entity that is not a third-party collecting entity and meets the requirements of section 209, or a
  (2) - APPLICATION REQUIREMENTS.—Such application shall include—
  (3) - COMMISSION REVIEW.—
    (i) - PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish
    (ii) - APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—
    (iii) - TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving
    (i) - IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission,
    (ii) - TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission
(b) - Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of
(c) - Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section
(a) - Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce
(b) - Requirements.—Each report under subsection (a) shall include the following:
  (1) - A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section
  (2) - A description of the common sources of digital content forgeries in the United States and commercial sources of digital content
  (3) - An assessment of the uses, applications, and harms of digital content forgeries.
  (4) - An analysis of the methods and standards available to identify digital content forgeries as well as a description of the
  (5) - A description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any
  (6) - Any other information determined appropriate by the Secretary of Commerce or the Secretary’s designee.
(a) - New Bureau.—
  (1) - IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in
  (2) - MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority
  (3) - TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of
(b) - Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of
(c) - Enforcement By The Federal Trade Commission.—
  (1) - UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated
  (2) - POWERS OF THE COMMISSION.—
  (3) - LIMITING CERTAIN ACTIONS UNRELATED TO THIS ACT.—If the Commission brings a civil action under this Act alleging that an act
  (4) - COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall
  (5) - DATA PRIVACY AND SECURITY VICTIMS RELIEF FUND.—
    (i) - AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be
    (ii) - OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief
(a) - Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe
  (1) - enjoin that act or practice;
  (2) - enforce compliance with this Act or the regulation;
  (3) - obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or
  (4) - reasonable attorneys’ fees and other litigation costs reasonably incurred.
(b) - Rights Of The Commission.—
  (1) - IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in
  (2) - NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the
(c) - Actions By The Commission.—In any case in which a civil action is instituted by or on behalf of the Commission
(d) - Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy
(e) - Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting,
  (1) - bring an action or other regulatory proceeding arising solely under the laws in effect in that State; or
  (2) - exercise the powers conferred on the attorney general or State Privacy Authority by the laws of the State, including the
(a) - Enforcement By Individuals.—
  (1) - IN GENERAL.—Beginning 4 years after the date on which this Act takes effect, any individual who suffers an injury that
  (2) - RELIEF.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—
  (3) - RIGHTS OF THE COMMISSION AND STATE ATTORNEYS GENERAL.—
    (i) - be heard on all matters arising in such action; and
    (ii) - file petitions for appeal of a decision in such action.
    (i) - Prior to the date that is 60 days after either a State attorney general or the Commission has received the
    (ii) - After the Commission or attorney general of a State made the determination to independently seek civil actions against such entity
  (4) - FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau
  (5) - REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions
(b) - Pre-Dispute Arbitration Agreements And Pre-Dispute Joint-Action Waivers Related To Individuals Under The Age Of 18.—
  (1) - ARBITRATION.—Except as provided in section 303(d), and notwithstanding any other provision of law, no agreement for pre-dispute arbitration with respect
  (2) - JOINT-ACTION WAIVERS.—Notwithstanding any other provision of law, no agreement for pre-dispute joint-action waiver with respect to an individual under the
  (3) - DEFINITIONS.—For purposes of this subsection:
(c) - Right To Cure.—
  (1) - NOTICE.—Subject to paragraph (3), any action under this section may be brought by an individual if, prior to initiating such
  (2) - EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed
(d) - Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the
(e) - Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b),
(a) - Federal Law Preservation.—
  (1) - IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—
  (2) - APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15
  (3) - APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act
(b) - Preemption Of State Laws.—
  (1) - IN GENERAL.—No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation,
  (2) - STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or
  (3) - NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631
(c) - Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule,
(I) clearly states the specific categories of covered data that the covered entity shall collect, process, and transfer for each act or practice;
The request shall be made in a manner readily accessible to and usable by individuals with disabilities.
The request shall be made available to the public in each language in which the covered entity provides a product or service for which authorization is sought or in which the covered entity carries out any activity related to any product or service for which the covered data of the individual may be collected, processed, or transferred.
(C) EXPRESS CONSENT REQUIRED.—A covered entity shall not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the covered entity.
(D) PRETEXTUAL CONSENT PROHIBITED.—A covered entity shall not obtain or attempt to obtain the affirmative express consent of an individual through—
(C) NON-APPLICATION TO SERVICE PROVIDERS.—An entity shall not be considered to be a third-party collecting entity for purposes of this Act if the entity is acting as a service provider (as defined in this section).
In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to—
Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall take into consideration—
Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—
Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data to—
Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with—
Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as to what constitutes reasonable policies, practices, and procedures as required by this section. The Commission shall consider unique circumstances applicable to nonprofit organizations and covered entities meeting the requirements of section 209.
Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service or product to an individual based on the individual’s agreement to waive (or refusal to waive) any requirements under this Act or any regulations promulgated under this Act or terminate a service or otherwise refuse to provide a service or product to an individual as a consequence of the individual’s refusal to provide such a waiver.
Rules Of Construction.—Nothing in subsection (a) shall be construed to—
In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the public website of the Commission, a web page that describes each provision, right, obligation, and requirement of this Act, listed separately for individuals and for covered entities and service providers, and the remedies, exemptions, and protections associated with this Act in plain and concise language and in an easy-to-understand manner.
Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in law, regulation, guidance, or judicial decisions.
Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the United States, according to the most recent U.S. Census. The Commission shall ensure the website is readily accessible to and usable by individuals with disabilities.
In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.
Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:
Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the covered entity or service provider—
Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily accessible to and usable by individuals with disabilities.
AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any previously collected covered data and, except as provided in section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transferring of covered data under the changed policy.
NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to each affected individual, in each language that the privacy policy is made available, and taking into account available technology and the nature of the relationship.
CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.
LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years and publish them on its website. It shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the date and nature of each material change over the past 10 years. The descriptions shall be sufficient for a reasonable individual to understand the material effect of each material change.
RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice which shall not exceed the content requirements in subsection (b) and shall include templates and/or models of short-form notices.
Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—
Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—
Subject to subsections (d) and (e)(1) each request shall be completed by any—
shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
(A) the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and
REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—
(B) shall not process or transfer such additional information for any other purpose.
be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing the inability to comply with the request;
(B) PARTIAL COMPLIANCE.—In a circumstance that would allow a denial pursuant to paragraph (A), a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so.
(C) NUMBER OF REQUESTS.—For purposes of this paragraph, the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible.
Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553 of title 5, United States Code (5 U.S.C. 553), as necessary to establish processes by which covered entities are to comply with the provisions of this section. Such regulations shall take into consideration—
Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten languages with the most users in the United States, according to the most recent U.S. Census, if the covered entity provides service in such language. The mechanisms by which a covered entity enables individuals to make requests under this section shall be readily accessible and usable by individuals with disabilities.
Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative express consent previously provided by the individual that is as easy to execute by a reasonable individual as the means to provide consent, with respect to the processing or transfer of the covered data of the individual.
(A) shall not transfer the covered data of an individual to a third party if the individual objects to the transfer; and
(B) shall allow an individual to object to such transfer through an opt-out mechanism, as described in section 210, if applicable.
Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—
Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—
Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under the age of 17 if the covered entity knows that the individual is under the age of 17.
Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity knows that the individual is under the age of 17.
Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of any data with respect to the age of an individual or a proxy thereof, or to require that a covered entity implement an age gating regime. Rather, the determination of whether an individual is under 17 shall be based on the covered data collected directly from an individual or a proxy thereof that the covered entity would otherwise collect in the normal course of business.
DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.
DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—
STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by hiring individuals who are experts in data protection, digital advertising, data analytics, and youth development.
REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that includes—
PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall publish the report on its website.
IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General of the Commission shall submit to the Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1307 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503), which shall include—
PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall publish the report on the website of the Commission.
Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party collecting entity (if the third-party collecting entity maintains such a website or mobile application) that—
notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking under section 553 of title 5, United States Code; and
IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity acted as a third-party collecting entity and processed covered data pertaining to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual, such covered entity shall register with the Commission in accordance with this subsection.
REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:
THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party collecting entities that are registered with the Commission under this subsection that includes the following:
ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as such covered entity is acting as a service provider. Each third-party collecting entity that receives such a request from an individual shall delete all the covered data of the individual not later than 30 days after the request is received by the third-party collecting entity.
Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable for—
EXCEPTIONS.—This subsection shall not apply to—
IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.
ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report that includes a summary of—
(B) IMPACT ASSESSMENT SCOPE.—The impact assessment required under subparagraph (A) shall provide the following:
ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this Act, a covered entity or service provider that knowingly develops an algorithm, solely or in part, to collect, process, or transfer covered data or publicly available information shall prior to deploying the algorithm in interstate commerce evaluate the design, structure, and inputs of the algorithm, including any training data used to develop the algorithm, to reduce the risk of the potential harms identified under paragraph (1)(B).
(B) EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER.—To the extent possible, a covered entity and a service provider shall utilize an external, independent auditor or researcher to conduct an impact assessment under paragraph (1) or an evaluation under paragraph (2).
(I) shall, not later than 30 days after completing an impact assessment or evaluation, submit the impact assessment and evaluation conducted under paragraphs (1) and (2) to the Commission;
(II) shall, upon request, make such impact assessment and evaluation available to Congress; and
(D) ENFORCEMENT.—The Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than enforcing this Act, including the study and report provisions in paragraph 6 of this section. This provision shall not preclude the Commission from providing this information to Congress in response to a subpoena or official Congressional request.
GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, or their respective designees, publish guidance regarding compliance with this section.
RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as necessary to establish processes by which a large data holder—
(A) shall submit an impact assessment to the Commission under paragraph (3)(C)(i)(I); and
(A) STUDY.—The Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall conduct a study, to review any impact assessment or evaluation submitted under this paragraph. Such study shall include an examination of—
INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall submit to Congress a report containing the results of the study conducted under subsection (a), together with recommendations for such legislation and administrative action as the Commission determines appropriate.
ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines necessary thereafter, the Commission shall submit to Congress an updated version of such report.
IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.
CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—
Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:
ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by any entity or individual.
INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.
Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), and is in compliance with the information security requirements of such Act as determined by the enforcement authority in such Act, shall be deemed to be in compliance with the requirements of this section with respect to any data covered by such information security requirements.
Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) shall—
JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed under the Constitution.
In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—
Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s internal controls and reporting structures that is conducted by the certifying officers not more than 90 days before the submission of the certification.
IN GENERAL.—A covered entity and a service provider shall designate—
REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer shall, at a minimum—
ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph (1) of this subsection to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—
IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date that a covered entity or service provider first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.
ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—
shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service requested by the covered entity. This paragraph shall not require a service provider to collect or process covered data if the service provider would not otherwise do so;
shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity violated this Act with respect to such data;
shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section 203, by appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider;
shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance with the obligations in this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the parties and making the report required under section 207(c)(2) as applicable;
shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the end of the provision of services, unless retention of the covered data is required by law;
shall not transfer service provider data to any person with the exception of another service provider without the affirmative express consent, obtained by the covered entity with the direct relationship to the individual that is directing the services or functions of the service provider with respect to the service provider data, of the individual to whom the service provider data is linked or reasonably linkable;
shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data it processes consistent with section 208; and
shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification regarding material changes to its privacy policy to each covered entity with which it provides services or functions as a service provider, in each language that the privacy policy is made available. Compliance with this provision does not alleviate any obligations the service provider has to the covered entity to which it provides services or functions as a service provider.
shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing purpose for which the individual gave affirmative express consent and, in the case of non-sensitive data, the processing purpose for which the covered entity made a disclosure pursuant to section 204(b)(4);
shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.
IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—
GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection, taking into consideration the burdens on small- and medium-sized covered entities.
In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section specific to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data.
Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method used by a covered entity to collect, process, or transfer covered data—
IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by any person, including a covered entity, a representative of a covered entity, an association of covered entities, or a public interest group or organization. Within 90 days, the Commission shall publish the request and provide an opportunity for public comment on the proposal.
EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a request for the proposal and approval of a technical compliance program not later than 180 days after the filing of the request, and shall set forth publicly in writing its conclusions with regard to such request.
IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State attorney general shall consider the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program. If such enforcement action described in Sec. 403 is commenced, the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program shall be taken into consideration when determining liability or a penalty. The covered entity’s history of compliance with any technical compliance program shall not affect any burden of proof or the weight given to evidence in an enforcement or judicial proceeding.
COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to commence an investigation or enforcement action against any covered entity under this Act or any other Act.
RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek discovery of any non-public Commission deliberations or activities or impose any pleading requirement on the Commission should it bring an enforcement action of any kind.
APPLICATION REQUIREMENTS.—Such application shall include—
PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish the proposal and provide an opportunity for public comment on such compliance guidelines.
APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—
TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving or denying the application and providing its reasons for approving or denying such application.
IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission, the independent organization must submit the updated guidelines to the Commission for approval. As soon as feasible, the Commission shall publish the updated guidelines and provide an opportunity for public comment.
TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission for approval.
Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of this Act or a regulation promulgated under this Act or that compliance with the approved guidelines is insufficiently enforced by the independent organization administering the guidelines, the Commission shall notify the covered entities or group of such entities and the independent organization of its determination to withdraw approval of such guidelines and the basis for doing so. Upon receipt of such notice, the covered entity or group of such entities and the independent organization may cure any alleged deficiency with the guidelines or the enforcement of such guidelines within 180 days and submit the proposed cure or cures to the Commission. If the Commission determines that such cures eliminate the alleged deficiency in the guidelines, then the Commission may not withdraw approval of such guidelines on the basis of such determination.
Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section shall be deemed in compliance with the relevant provisions of this Act if it is in compliance with such guidelines.
Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce or the Secretary’s designee shall publish a report regarding digital content forgeries.
Requirements.—Each report under subsection (a) shall include the following:
A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section shall not supersede any other provision of law or be construed to limit the authority of any Executive agency related to digital content forgeries.
IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in structure, size, organization, and authority to the existing Bureaus within the Commission related to consumer protection and competition.
MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority under this Act and related authorities.
TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of this Act.
Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of Business Mentorship to provide guidance and education to covered entities regarding compliance with this Act. Covered entities may request advice from the Commission or this office with respect to a course of action which the covered entity proposes to pursue and which may relate to the requirements of this Act.
UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(A) IN GENERAL.—Except as provided in paragraphs (3), (4), and (5), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
(B) PRIVILEGES AND IMMUNITIES.—Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall enforce this Act and the regulations promulgated under this Act, in the same manner provided in subsections (1), (2), (3), and (5) of this subsection, with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts amendatory thereof and supplementary thereto; and organizations not organized to carry on business for their own profit or that of their members.
(B) DEPOSITS.—The amount of any civil penalty obtained against any covered entity or service provider or any other relief ordered to provide redress, payments or compensation, or other monetary relief to individuals that cannot be located or the payment of which would otherwise not be practicable in any judicial or administrative action to enforce this Act or a regulation promulgated under this Act shall be deposited into the Victims Relief Fund.
AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payments or compensation, or other monetary relief to individuals affected by an act or practice for which relief has been obtained under this Act.
Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe that an interest of the residents of that State has been, may be, or is adversely affected by the engagement of any covered entity or service provider in an act or practice that has violated this Act or a regulation promulgated under this Act, the attorney general of the State, or State Privacy Authority, may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State. Any such action shall be brought exclusively in an appropriate Federal district court of the United States to—
IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action as of right pursuant to the Federal Rules of Civil Procedure.
NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the notification required by paragraph (1) before initiating a civil action under subsection (a), the attorney general of a State or State Privacy Authority shall notify the Commission immediately after initiating the civil action.
Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy Authority from exercising the powers conferred on the attorney general or State Privacy Authority to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting, or affecting the authority of a State attorney general or State Privacy Authority to—
(A) IN GENERAL.—Prior to an individual bringing a civil action under paragraph (1), such individual must first notify the Commission and the attorney general of the State of the individual’s residence in writing outlining their desire to commence a civil action. Upon receiving such notice, the Commission and State attorney general shall make a determination, not later than 60 days after receiving such notice, as to whether they will independently seek to intervene in such action, and upon intervening—
(B) BAD FAITH.—Any written communication requesting a monetary payment that is sent to a covered entity shall be considered to have been sent in bad faith and shall be unlawful as defined in this Act, if the written communication was sent:
FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau of Economics shall conduct an annual study to determine the economic impacts in the United States of demand letters and the scope of the rights of an individual to bring forth civil actions against covered entities. Such study shall include, but not be limited to, the following:
REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions under this subsection, and annually thereafter, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report that contains the results of the study conducted under paragraph (4).
EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed violation and provides the individual an express written statement that the violation has been cured and that no further violations shall occur, an action for injunctive relief may be reasonably dismissed.
Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the provisions of this Act and requesting a monetary payment, such correspondence shall include the following language: “Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter” followed by a hyperlink to the web page of the Commission required under section 201. If such correspondence does not include such language and hyperlink, the individual or joint class of individuals shall forfeit their rights under this section.
Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b), 206(c)(3)(D), 207(a), 208(a), or 302 for which relief described in subsection (a)(2) may be granted.
IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—
APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 208, with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.
APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208 with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.
STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:
NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631 of the Communications Act of 1934, as amended (47 U.S.C. 222, 338(i), and 551), and any regulation promulgated by the Federal Communications Commission under such sections, shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.
Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule, requirement, assessment, law, or regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law, except that the fact of a violation of this Act shall not be pleaded as an element of any such cause of action.
In General.—Nothing in this Act shall be construed to relieve or change any obligations that a covered entity or another person may have under the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).
Updated Regulations.—Not later than 180 days after the enactment of this Act, the Commission shall amend its rules issued pursuant to the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to make reference to the additional requirements placed on covered entities under this Act, in addition to those already enacted under the Children’s Online Privacy Protection Act of 1998 that may already apply to some of such covered entities.