The request shall be made available to the public in each language in which the covered entity provides a product or service for which authorization is sought or in which the covered entity carries out any activity related to any product or service for which the covered data of the individual may be collected, processed, or transferred.

(v)

(C) EXPRESS CONSENT REQUIRED.—A covered entity shall not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the covered entity.

(v)

(D) PRETEXTUAL CONSENT PROHIBITED.—A covered entity shall not obtain or attempt to obtain the affirmative express consent of an individual through—

(ii)

(C) NON-APPLICATION TO SERVICE PROVIDERS.—An entity shall not be considered to be a third-party collecting entity for purposes of this Act if the entity is acting as a service provider (as defined in this section).

(a)

In General.—A covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to—

(c)

Guidance.—The Commission shall issue guidance regarding what is reasonably necessary and proportionate to comply with this section. Such guidance shall take into consideration—

(a)

Restricted Data Practices.—Notwithstanding section 101 and unless an exception applies, with respect to covered data, a covered entity shall not—

(a)

Policies, Practices, And Procedures.—A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data to—

(b)

Factors To Consider.—The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with—

(c)

Commission Guidance.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as to what constitutes reasonable policies, practices, and procedures as required by this section. The Commission shall consider unique circumstances applicable to nonprofit organizations and covered entities meeting the requirements of section 209.

(a)

Conditional Service Or Pricing Prohibited.—A covered entity shall not deny or condition or effectively condition the provision of a service or product to an individual based on the individual’s agreement to waive (or refusal to waive) any requirements under this Act or any regulations promulgated under this Act or terminate a service or otherwise refuse to provide a service or product to an individual as a consequence of the individual’s refusal to provide such a waiver.

(b)

Rules Of Construction.—Nothing in subsection (a) shall be construed to—

(a)

In General.—Not later than 90 days after the date of enactment of this Act, the Commission shall publish, on the public website of the Commission, a web page that describes each provision, right, obligation, and requirement of this Act, listed separately for individuals and for covered entities and service providers, and the remedies, exemptions, and protections associated with this Act in plain and concise language and in an easy-to-understand manner.

(b)

Updates.—The Commission shall update the information published under subsection (a) on a quarterly basis as necessitated by any change in law, regulation, guidance, or judicial decisions.

(c)

Accessibility.—The Commission shall publish materials disclosed pursuant to subsection (a) in the ten languages with the most users in the United States, according to the most recent U.S. Census. The Commission shall ensure the website is readily accessible to and usable by individuals with disabilities.

(a)

In General.—Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.

(b)

Content Of Privacy Policy.—The privacy policy required under subsection (a) shall include, at a minimum, the following:

(c)

Languages.—The privacy policy required under subsection (a) shall be made available to the public in each language in which the covered entity or service provider—

(d)

Accessibility.—The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily accessible to and usable by individuals with disabilities.

(1)

AFFIRMATIVE EXPRESS CONSENT.—If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any previously collected covered data and, except as provided in section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transferring of covered data under the changed policy.

(2)

NOTIFICATION.—The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to each affected individual, in each language that the privacy policy is made available, and taking into account available technology and the nature of the relationship.

(3)

CLARIFICATION.—Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204.

(4)

LOG OF MATERIAL CHANGES.—Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years and publish them on its website. It shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the data and nature of each material change over the past 10 years. The descriptions shall be sufficient for a reasonable individual to understand the material effect of each material change.

(2)

RULEMAKING.—The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice which shall not exceed the content requirements in subsection (b) and shall include templates and/or models of short-form notices.

(a)

Access To, And Correction, Deletion, And Portability Of, Covered Data.—Subject to subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—

(b)

Individual Autonomy.—A covered entity shall not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual rights under this section through—

(1)

Subject to subsections (d) and (e)(1) each request shall be completed by any—

(1)

shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and

(2)

(A) the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and

(1)

REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—

(2)

(B) shall not process or transfer such additional information for any other purpose.

(ii)

be impossible or demonstrably impracticable to comply with, and the covered entity shall provide a description to the requestor detailing the inability to comply with the request;

(x)

(B) PARTIAL COMPLIANCE.—In a circumstance that would allow a denial pursuant to paragraph (A), a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so.

(x)

(C) NUMBER OF REQUESTS.—For purposes of this paragraph, the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible.

(f)

Regulations.—Within two years of the date of enactment of this Act, the Commission may promulgate regulations, pursuant to section 553 of title 5, United States Code (5 U.S.C. 553), as necessary to establish processes by which covered entities are to comply with the provisions of this section. Such regulations shall take into consideration—

(g)

Accessibility.—A covered entity shall facilitate the ability for individuals to make requests under this section in any of the ten languages with the most users in the United States, according to the most recent U.S. Census, if the covered entity provides service in such language. The mechanisms by which a covered entity enables individuals to make requests under this section shall be readily accessible and usable by with disabilities.

(a)

Withdrawal Of Consent.—A covered entity shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw any affirmative express consent previously provided by the individual that is as easy to execute by a reasonable individual as the means to provide consent, with respect to the processing or transfer of the covered data of the individual.

(1)

(A) shall not transfer the covered data of an individual to a third party if the individual objects to the transfer; and

(1)

(B) shall allow an individual to object to such transfer through an opt-out mechanism, as described in section 210, if applicable.

(c)

Right To Opt Out Of Targeted Advertising.—A covered entity that engages in targeted advertising shall—

(d)

(a)

Prohibition On Targeted Advertising To Children And Minors.—A covered entity shall not engage in targeted advertising to any individual under the age of 17 if the covered entity knows that the individual is under the age of 17.

(b)

Data Transfer Requirements Related To Minors.—A covered entity shall not transfer the covered data of an individual to a third party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity knows that the individual under the age of 17.

(c)

Knowledge.—The knowledge requirement in subsections (a) and (b), shall not be construed to require the affirmative collection or processing of any data with respect to the age of an individual or a proxy thereof, or to require that a covered entity implement an age gating regime. Rather, the determination of whether an individual is under 17 shall be based on the covered data collected directly from an individual or a proxy thereof that the covered entity would otherwise collect in the normal course of business.

(2)

DIRECTOR.—The Division shall be headed by a Director, who shall be appointed by the Chair of the Commission.

(3)

DUTIES.—The Division shall be responsible for assisting the Commission in addressing, as it relates to this Act—

(4)

STAFF.—The Director of the Division shall hire adequate staff to carry out the duties described in paragraph (3), including by hiring individuals who are experts in data protection, digital advertising, data analytics, and youth development.

(5)

REPORTS.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that includes—

(6)

PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (5), the Commission shall publish the report on its website.

(1)

IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and biennially thereafter, the Inspector General of the Commission shall submit to the Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1307 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503), which shall include—

(2)

PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall publish the report on the website of the Commission.

(a)

Notice.—Each third-party collecting entity shall place a clear and conspicuous notice on the website or mobile application of the third-party collecting entity (if the third-party collecting entity maintains such a website or mobile application) that—

(1)

notifies individuals that the entity is a third-party collecting entity using specific language that the Commission shall develop through rulemaking under section 553 of title 5, United States Code; and

(1)

IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which a covered entity acted as a third-party collecting entity and processed covered data pertaining to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual, such covered entity shall register with the Commission in accordance with this subsection.

(2)

REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a third-party collecting entity shall do the following:

(3)

THIRD-PARTY COLLECTING ENTITY REGISTRY.—The Commission shall establish and maintain on a website a searchable, publicly available, central registry of third-party collecting entities that are registered with the Commission under this subsection that includes the following:

(ii)

ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as such covered entity is acting as a service provider. Each third-party collecting entity that receives such a request from an individual shall delete all the covered data of the individual not later than 30 days after the request is received by the third-party collecting entity.

(c)

Penalties.—A third-party collecting entity that fails to register or provide the notice as required under this section shall be liable for—

(2)

EXCEPTIONS.—This subsection shall not apply to—

(1)

IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.

(2)

ANNUAL REPORT.—Not later than 3 years after the date of enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report that includes a summary of—

(1)

(B) IMPACT ASSESSMENT SCOPE.—The impact assessment required under subparagraph (A) shall provide the following:

(2)

ALGORITHM DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of enactment of this Act, a covered entity or service provider that knowingly develops an algorithm, solely or in part, to collect, process, or transfer covered data or publicly available information shall prior to deploying the algorithm in interstate commerce evaluate the design, structure, and inputs of the algorithm, including any training data used to develop the algorithm, to reduce the risk of the potential harms identified under paragraph (1)(B).

(3)

(B) EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER.—To the extent possible, a covered entity and a service provider shall utilize an external, independent auditor or researcher to conduct an impact assessment under paragraph (1) or an evaluation under paragraph (2).

(i)

(I) shall, not later than 30 days after completing an impact assessment or evaluation, submit the impact assessment and evaluation conducted under paragraphs (1) and (2) to the Commission;

(i)

(II) shall, upon request, make such impact assessment and evaluation available to Congress; and

(ii)

(D) ENFORCEMENT.—The Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than enforcing this Act, including the study and report provisions in paragraph 6 of this section. This provision shall not preclude the Commission from providing this information to Congress in response to a subpoena or official Congressional request.

(4)

GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, or their respective designees, publish guidance regarding compliance with this section.

(5)

RULEMAKING AND EXEMPTION.—The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations as necessary to establish processes by which a large data holder—

(5)

(A) shall submit an impact assessment to the Commission under paragraph (3)(C)(i)(I); and

(6)

(A) STUDY.—The Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall conduct a study, to review any impact assessment or evaluation submitted under this paragraph. Such study shall include an examination of—

(i)

INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the Secretary of Commerce or the Secretary’s designee, shall submit to Congress a report containing the results of the study conducted under subsection (a), together with recommendations for such legislation and administrative action as the Commission determines appropriate.

(ii)

ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines necessary thereafter, the Commission shall submit to Congress an updated version of such report.

(1)

IN GENERAL.—A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.

(2)

CONSIDERATIONS.—The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—

(b)

Specific Requirements.—The data security practices required under subsection (a) shall include, at a minimum, the following practices:

(1)

ASSESS VULNERABILITIES.—Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by any entity or individual.

(4)

INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.

(d)

Applicability Of Other Information Security Laws.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), and is in compliance with the information security requirements of such Act as determined by the enforcement authority in such Act, shall be deemed to be in compliance with the requirements of this section with respect to any data covered by such information security requirements.

(1)

Any covered entity or service provider that can establish that it met the requirements described in paragraph (2) for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) shall—

(4)

JOURNALISM.—Nothing in this Act shall be construed to limit or diminish First Amendment freedoms to gather and publish information guaranteed under the Constitution.

(a)

In General.—Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—

(b)

Requirements.—A certification submitted under subsection (a) shall be based on a review of the effectiveness of a large data holder’s internal controls and reporting structures that is conducted by the certifying officers not more than 90 days before the submission of the certification.

(1)

IN GENERAL.—A covered entity and a service provider shall designate—

(2)

REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer shall, at a minimum—

(3)

ADDITIONAL REQUIREMENTS FOR LARGE DATA HOLDERS.—A large data holder shall designate at least 1 of the officers described in paragraph (1) of this subsection to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—

(1)

IN GENERAL.—Not later than 1 year after the date of enactment of this Act or 1 year after the date that a covered entity or service provider first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.

(2)

ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under paragraph (1) shall be—

(1)

shall only collect, process, and transfer service provider data to the extent strictly necessary and proportionate to provide a service requested by the covered entity. This paragraph shall not require a service provider to collect or process covered data if the service provider would not otherwise do so;

(2)

shall not collect, process, or transfer service provider data if the service provider has actual knowledge that the covered entity violated this Act with respect to such data;

(3)

shall assist a covered entity in fulfilling the covered entity’s obligation to respond to individual rights requests pursuant to section 203, by appropriate technical and organizational measures, taking into account the nature of the processing and the information reasonably available to the service provider;

(5)

shall upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance with the obligations in this Act, which may include making available a report of an independent assessment arranged by the service provider on terms agreed to by the parties and making the report required under section 207(c)(2) as applicable;

(6)

shall, at the covered entity’s direction, delete or return all covered data to the covered entity as requested at the end of the provision of services, unless retention of the covered data is required by law;

(7)

shall not transfer service provider data to any person with the exception of another service provider without the affirmative express consent, obtained by the covered entity with the direct relationship to the individual that is directing the services or functions of the service provider with respect to the service provider data, of the individual to whom the service provider data is linked or reasonably linkable;

(8)

shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data it processes consistent with section 208; and

(9)

shall be exempt from the requirements of section 202(d) with respect to service provider data but shall provide direct notification regarding material changes to its privacy policy to each covered entity with which it provides services or functions as a service provider, in each language that the privacy policy is made available. Compliance with this provision does not alleviate any obligations the service provider has to the covered entity to which it provides services or functions as a service provider.

(1)

shall not process third-party data for a processing purpose other than, in the case of sensitive covered data, the processing purpose for which the individual gave affirmative express consent and, in the case of non-sensitive data, the processing purpose for which the covered entity made a disclosure pursuant to section 204(b)(4);

(3)

shall be exempt from the requirements of section 204 with respect to third-party data, but shall otherwise have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.

(1)

IN GENERAL.—A covered entity or service provider shall exercise reasonable due diligence in—

(2)

GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection, taking into consideration the burdens on small- and medium-sized covered entities.

(a)

In General.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section specific to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data.

(b)

Scope Of Programs.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method used by a covered entity to collect, process, or transfer covered data—

(1)

IN GENERAL.—Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by any person, including a covered entity, a representative of a covered entity, an association of covered entities, or a public interest group or organization. Within 90 days, the Commission shall publish the request and provide an opportunity for public comment on the proposal.

(2)

EXPEDITED RESPONSE TO REQUESTS.—Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a request for the proposal and approval of a technical compliance program not later than 180 days after the filing of the request, and shall set forth publicly in writing its conclusions with regard to such request.

(1)

IN GENERAL.—Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State attorney general shall consider the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program. If such enforcement action described in Sec. 403 is commenced, the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program shall be taken into consideration when determining liability or a penalty. The covered entity’s history of compliance with any technical compliance program shall not affect any burden of proof or the weight given to evidence in an enforcement or judicial proceeding.

(2)

COMMISSION AUTHORITY.—Approval of a technical compliance program shall not limit the authority of the Commission, including the Commission’s authority to commence an investigation or enforcement action against any covered entity under this Act or any other Act.

(3)

RULE OF CONSTRUCTION.—Nothing in this subsection shall provide any individual, class of individuals, or person with any right to seek discovery of any non-public Commission deliberations or activities or impose any pleading requirement on the Commission should it bring an enforcement action of any kind.

(2)

APPLICATION REQUIREMENTS.—Such application shall include—

(i)

PUBLIC COMMENT PERIOD.—Within 90 days after the receipt of proposed guidelines submitted pursuant to paragraph (2), the Commission shall publish the proposal and provide an opportunity for public comment on such compliance guidelines.

(ii)

APPROVAL.—The Commission shall approve an application regarding proposed guidelines under paragraph (2) if the applicant demonstrates that the compliance guidelines—

(iii)

TIMELINE.—Within 1 year of receiving an application regarding proposed guidelines under paragraph (2), the Commission shall issue a determination approving or denying the application and providing its reasons for approving or denying such application.

(i)

IN GENERAL.—If the independent organization administering a set of guidelines makes material changes to guidelines previously approved by the Commission, the independent organization must submit the updated guidelines to the Commission for approval. As soon as feasible, the Commission shall publish the updated guidelines and provide an opportunity for public comment.

(ii)

TIMELINE.—The Commission shall approve or deny any material change to the guidelines within 180 days after receipt of the submission for approval.

(b)

Withdrawal Of Approval.—If at any time the Commission determines that the guidelines previously approved no longer meet the requirements of this Act or a regulation promulgated under this Act or that compliance with the approved guidelines is insufficiently enforced by the independent organization administering the guidelines, the Commission shall notify the covered entities or group of such entities and the independent organization of its determination to withdraw approval of such guidelines and the basis for doing so. Upon receipt of such notice, the covered entity or group of such entities and the independent organization may cure any alleged deficiency with the guidelines or the enforcement of such guidelines within 180 days and submit the proposed cure or cures to the Commission. If the Commission determines that such cures eliminate the alleged deficiency in the guidelines, then the Commission may not withdraw approval of such guidelines on the basis of such determination.

(c)

Deemed Compliance.—A covered entity that is eligible to participate under subsection (a)(1), and participates, in guidelines approved under this section shall be deemed in compliance with the relevant provisions of this Act if it is in compliance with such guidelines.

(a)

Reports.—Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary of Commerce or the Secretary’s designee shall publish a report regarding digital content forgeries.

(b)

Requirements.—Each report under subsection (a) shall include the following:

(1)

A definition of digital content forgeries along with accompanying explanatory materials, except that the definition developed pursuant to this section shall not supersede any other provision of law or be construed to limit the authority of any Executive agency related to digital content forgeries.

(1)

IN GENERAL.—The Commission shall establish within the Commission a new bureau, the Bureau of Privacy, which shall be comparable in structure, size, organization, and authority to the existing Bureaus within the Commission related to consumer protection and competition.

(2)

MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the Commission’s authority under this Act and related authorities.

(3)

TIMELINE.—The bureau shall be established, staffed, and fully operational not later than 1 year after the date of enactment of this Act.

(b)

Office Of Business Mentorship.—The Director of the Bureau established under subsection (a) shall establish within the Bureau an Office of Business Mentorship to provide guidance and education to covered entities regarding compliance with this Act. Covered entities may request advice from the Commission or this office with respect to a course of action which the covered entity proposes to pursue and which may relate to the requirements of this Act.

(1)

UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2)

(A) IN GENERAL.—Except as provided in paragraphs (3), (4), and (5), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

(2)

(B) PRIVILEGES AND IMMUNITIES.—Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(4)

COMMON CARRIERS AND NONPROFITS.—Notwithstanding any jurisdictional limitation of the Commission with respect to consumer protection or privacy, the Commission shall enforce this Act and the regulations promulgated under this Act, in the same manner provided in subsections (1), (2), (3), and (5) of this subsection, with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and All Acts amendatory thereof and supplementary thereto; and organizations not organized to carry on business for their own profit or that of their members.

(5)

(B) DEPOSITS.—The amount of any civil penalty obtained against any covered entity or service provider or any other relief ordered to provide redress, payments or compensation, or other monetary relief to individuals that cannot be located or the payment of which would otherwise not be practicable in any judicial or administrative action to enforce this Act or a regulation promulgated under this Act shall be deposited into the Victims Relief Fund.

(i)

AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, payments or compensation, or other monetary relief to individuals affected by an act or practice for which relief has been obtained under this Act.

(a)

Civil Action.—In any case in which the attorney general of a State or State Privacy Authority has reason to believe that an interest of the residents of that State has been, may be, or is adversely affected by the engagement of any a covered entity or service provider in an act or practice that has violated this Act or a regulation promulgated under this Act, the attorney general of the State, or State Privacy Authority, may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State. Any such action shall be brought exclusively in an appropriate Federal district court of the United States to—

(1)

IN GENERAL.—Except where not feasible, the attorney general of a State or State Privacy Authority shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action as of right pursuant to the Federal Rules of Civil Procedure.

(2)

NOTIFICATION TIMELINE.—Where it is not feasible for the attorney general of a State or State Privacy Authority to provide the notification required by paragraph (1) before initiating a civil action under subsection (a), the attorney general of a State or State Privacy Authority shall notify the Commission immediately after initiating the civil action.

(d)

Rule Of Construction.—Nothing in this section shall be construed to prevent the attorney general of a State or State Privacy Authority from exercising the powers conferred on the attorney general or State Privacy Authority to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.

(e)

Preservation Of State Powers.—Except as provided in subsection (c), no provision of this section shall be construed as altering, limiting, or affecting the authority of a State attorney general or State Privacy Authority to—

(3)

(A) IN GENERAL.—Prior to an individual bringing a civil action under paragraph (1), such individual must first notify the Commission and the attorney general of the State of the individuals residence in writing outlining their desire to commence a civil action. Upon receiving such notice, the Commission and State attorney general shall make a determination, not later than 60 days after receiving such notice, as to whether they will independently seek to intervene in such action, and upon intervening—

(ii)

(B) BAD FAITH.—Any written communication requesting a monetary payment that is sent to a covered entity shall be considered to have been sent in bad faith and shall be unlawful as defined in this Act, if the written communication was sent:

(4)

FTC STUDY.—Beginning on the date that is 5 years after the date of enactment of this Act, the Commission’s Bureau of Economics shall conduct an annual study to determine the economic impacts in the United States of demand letters and the scope of the rights of an individual to bring forth civil actions against covered entities. Such study shall include, but not be limited to include the following:

(5)

REPORT TO CONGRESS.—Not later than 1 year after the first day on which individuals are able to bring civil actions under this subsection, and annually thereafter, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report that contains the results of the study conducted under paragraph (4).

(2)

EFFECT OF CURE.—In the event a cure is possible, if within the 45 days the covered entity cures the noticed violation and provides the individual an express written statement that the violation has been cured and that no further violations shall occur, an action for injunctive relief may be reasonably dismissed.

(d)

Demand Letter.—If an individual or a class of individuals sends correspondence to a covered entity alleging a violation of the provisions of this Act and requesting a monetary payment, such correspondence shall include the following language: “Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter” followed by a hyperlink to the web page of the Commission required under section 201. If such correspondence does not include such language and hyperlink, the individual or joint class of individuals shall forfeit their rights under this section.

(e)

Applicability.—This section shall only apply to any claim alleging a violation of section 102, 104, 202, 203, 204, 205(a), 205(b), 206(c)(3)(D), 207(a), 208(a), or 302 for which relief described in subsection (a)(2) may be granted.

(1)

IN GENERAL.—Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—

(2)

APPLICABILITY OF OTHER PRIVACY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 208, with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.

(3)

APPLICABILITY OF OTHER DATA SECURITY REQUIREMENTS.—A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208 with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.

(2)

STATE LAW PRESERVATION.—Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:

(3)

NONAPPLICATION OF FCC PRIVACY LAWS AND REGULATIONS TO COVERED ENTITIES.—Notwithstanding any other provision of law, sections 222, 338(i), and 631 of the Communications Act of 1934, as amended (47 U.S.C. 222, 338(i), and 551), and any regulation promulgated by the Federal Communications Commission under such sections, shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.

(c)

Preservation Of Common Law Or Statutory Causes Of Action For Civil Relief.—Nothing in this Act, nor any amendment, standard, rule, requirement, assessment, law, or regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law, except that the fact of a violation of this Act shall not be pleaded as an element of any such cause of action.

(a)

In General.—Nothing in this Act shall be construed to relieve or change any obligations that a covered entity or another person may have under the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).

(b)

Updated Regulations.—Not later than 180 days after the enactment of this Act, the Commission shall amend its rules issued pursuant to the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to make reference to the additional requirements placed on covered entities under this Act, in addition to those already enacted under the Children’s Online Privacy Protection Act of 1998 that may already apply to some of such covered entities.

SEC. 1.TABLE OF CONTENTS

SEC. 2.DEFINITIONS.

SEC. 101.DATA MINIMIZATION.

SEC. 102.LOYALTY DUTIES.

SEC. 103.PRIVACY BY DESIGN.

SEC. 104.LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.

SEC. 201.CONSUMER AWARENESS.

SEC. 202.TRANSPARENCY.

SEC. 203.INDIVIDUAL DATA OWNERSHIP AND CONTROL.

SEC. 204.RIGHT TO CONSENT AND OBJECT.

SEC. 205.DATA PROTECTIONS FOR CHILDREN AND MINORS.

SEC. 206.THIRD-PARTY COLLECTING ENTITIES.

SEC. 207.CIVIL RIGHTS AND ALGORITHMS.

SEC. 208.DATA SECURITY AND PROTECTION OF COVERED DATA.

SEC. 209.SMALL BUSINESS PROTECTIONS.

SEC. 210.UNIFIED OPT-OUT MECHANISMS.

SEC. 301.EXECUTIVE RESPONSIBILITY.

SEC. 302.SERVICE PROVIDERS AND THIRD PARTIES.

SEC. 303.TECHNICAL COMPLIANCE PROGRAMS.

SEC. 304.COMMISSION APPROVED COMPLIANCE GUIDELINES.

SEC. 305.DIGITAL CONTENT FORGERIES.

SEC. 401.ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

SEC. 402.ENFORCEMENT BY STATE ATTORNEYS GENERAL.

SEC. 403.ENFORCEMENT BY INDIVIDUALS.

SEC. 404.RELATIONSHIP TO FEDERAL AND STATE LAWS.

SEC. 405.SEVERABILITY.

SEC. 406.COPPA.

SEC. 407.AUTHORIZATION OF APPROPRIATIONS.

SEC. 408.EFFECTIVE DATE.

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities