American Privacy Rights Act (APRA) Redline

  • Redline based on Punchbowl-circulated version received by PIPC on 6/20/2024. Changes from this draft are in blue (note different color codes in the COPPA 2.0 section). Small changes that do not have an impact (likely or substantive) on the bill may not be included as blue below, but we erred on the side of caution and colored most changes.
  • Black text below struck through is from cuts to the version circulated May 22, 2024 linked here from the version circulated on April 7, 2024 linked here.
  • Want more colors to see which changes were made when to Title I? Check out the fantastic unofficial IAPP redline comparison from the amazing Cobun Zweifel-Keegan here.
    TITLE I—AMERICAN PRIVACY RIGHTS

    SEC. 101. DEFINITIONS. 

    In this title:

    1.  AFFIRMATIVE EXPRESS CONSENT.—
    1. IN GENERAL.—The term ‘‘affirmative express consent’’ means an affirmative act by an individual, or if a covered entity has knowledge that such individual is a child, an affirmative act by the parent of a child, or where the covered entity has knowledge such individual is a teen, an affirmative act by the parent or the teen that—
    1. clearly communicates the authorization of the individual for an act or practice; and
    2. is provided in response to a specific request from a covered entity, or a service provider on behalf of a covered entity, and that meets the requirements of subparagraph (B).
    1. REQUEST REQUIREMENTS.—The requirements of this subparagraph with respect to a request made under subparagraph (A), are the following:
    1. The request is provided to the individual in a clear and conspicuous standalone disclosure.
    2. The request includes a description of each act or practice for which the consent of the individual is sought and—
    1. clearly distinguishes between an act or practice that is necessary, proportionate, and limited to fulfill a request of the individual and an act or practice that is for another purpose;
    2. clearly states the specific categories of covered data that the covered entity shall collect, process, retain, or transfer to fulfill the act or practice for which the request was made; and
    3. is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand each such act or practice.
    1. The request clearly explains the applicable rights of the individual related to consent.
    2. The request is made in a manner reasonably accessible to and usable by individuals living with disabilities.
    3. The request is made available to the individual in eachthe language in which the covered entity provides a product or service for which authorization is sought.
    4. The option to refuse consent shall beis at least as prominent as the option to acceptprovide consent, and the option to refuse consent shall taketakes no more than 1 additional step as compared to the same number of steps necessary or fewer as the option to acceptprovide consent.
    5. With respect to affirmative express consent sought for the collection, processing, retention, or transfer of biometric information or genetic information, includes in the request for affirmative express consent the length of time the covered entity or service provider intends to retain the biometric information or genetic information, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain the biometric information or genetic information.
    1. EXPRESS CONSENT REQUIRED.—Affirmative express consent to an act or practice shallmay not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by thean entity.
    2. WITHDRAWAL OF AFFIRMATIVE EXPRESS CONSENT.—
    1. IN GENERAL.—A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual.
    2. REQUIREMENTS.—The means to withdraw affirmative express consent described in clause (i) shall be—
    1. clear and conspicuous; and
    2. as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.
    1.  BIOMETRIC INFORMATION.—
    1. IN GENERAL.—The term ‘‘biometric information’’ means any covered data that is specific toallows or confirms the unique identification or verification of an individual and is generated from the measurement or processing of unique biological, physical, or physiological characteristics that is linked or reasonably linkable to the individual, including—
    1. fingerprints;
    2. voice prints;
    3. iris or retina imagery scans;
    4. facial or hand mapping, geometry, or templates; orand
    5. gait.
    1. EXCLUSION.—The term ‘‘biometric information’’ does not include—
    1. a digital or physical photograph;
    2. an audio or video recording; or
    3. metadata associated with a digital or physical photograph or an audio or video recording that cannot be used to identify or authenticate an specific individual.
    1.  CHILD.—The term ‘‘child’’ means an individual under the age of 13.
    2.  CLEAR AND CONSPICUOUS.—The term “clear and conspicuous” means, with respect to a disclosure, that the disclosure is difficult to miss and easily understandable by ordinary consumers.
    3.  COARSE GEOLOCATION INFORMATION.—The term ‘‘coarse geolocation information’’ means information that reveals the present physical location of an individual or device identified by a unique persistent identifier at the ZIP code attribution level, except where a geographic area attributed to a ZIP code is equal to or less than the area of a circle with a radius of 1,850 feet or less, at a level greater than a geographic area equal to the area of a circle with a radius of 1,850 feet.
    4.  COLLECT; COLLECTION.—The terms ‘‘collect’’ and ‘‘collection’’ mean, with respect to covered data, buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring the covered data by any means.
    5.  COMMISSION.—The term ‘‘Commission’’ means the Federal Trade Commission.
    6.  COMMON BRANDING.—The term ‘‘common branding’’ means a name, service mark, or trademark that is shared by 2 or more entities.
    7.  CONNECTED DEVICE.—The term ‘‘connected device’’ means a device that is capable of connecting to the internet over a fixed or wireless connection.

    (10) CONSEQUENTIAL DECISION.—The term “consequential decision” means a decision or an offer that determines the eligibility of an individual for, or results in the provision or denial to an individual of, housing, employment, credit opportunities, education enrollment or opportunities, access to places of public accommodation, healthcare, or insurance.

    1.  CONTEXTUAL ADVERTISING.—The term “contextual advertising” means displaying or presenting an online advertisement that—
    1. is not target advertising;
    1. does not vary based on the identity of the individual recipient; and
    2. is based solely on—
    1. the content of a webpage or online service;
    2. advertising or marketing content to an individual in response to a specific request of the individual for information or feedback; or
    3. the presence of an individual within a radius no smaller than 10 miles. coarse geolocation information.
    1.  CONTROL.—The term ‘‘control’’ means, with respect to an entity—
    1. ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;
    2. control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or
    3. the power to exercise a controlling influence over the management of the entity.

    (12) COVERED ALGORITHM.—The term ‘‘covered algorithm’’ means a computational process, including onea process derived from machine learning, statistics, or other data processing or artificial intelligence techniques, natural language processing, or other advanced computational processing techniques, that makes a is used to substantially assist or replace discretionary human decision or facilitates human decision-making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.

    1.   COVERED DATA.—
    1. IN GENERAL.—The term ‘‘covered data’’ means information, including sensitive covered data, that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.
    2. (B) EXCLUSIONS.—The term ‘‘covered data’’ does not include—
    1. de-identified data;
    2. employee information;
    3. publicly available information;
    4. inferences made exclusively from multiple independent sources of publicly available information provided that, if such inferences—
    1. do not reveal information about an individual that meets the definition of the term “sensitive covered data” with respect to anthe individual; and
    2. are not combined with covered data; or
    1. information in the collection of a library, archive, or museum, if 
    1. the collection is 
    1. open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum; and if the library, archive, or museum has—
    2. composed of lawfully acquired materials with respect to which all licensing conditions are met; and
    1. the library, archive, or museum has—
    1. a public service mission; and
    2. trained staff or volunteers to provide professional services normally associated with libraries, archives, or museums; or and 
    1. collections composed of lawfully acquired materials andwith respect to which all licensing conditions for such materials are met.
    1. on-device data.
    1.   COVERED ENTITY.—
    1. IN GENERAL.—The term ‘‘covered entity’’ means any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and—
    1. is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.);
    2. is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.); or
    3. is an organization not organized to carry on business for theirits own profit or that of its members.
    1. INCLUSION.—The term “covered entity” includes any entity that controls, is controlled by, or is under common control with another covered entity.
    2. EXCLUSIONS.—The term “covered entity” does not include—
    1. a Federal, State, Tribal, territorial, or local government entity, such as a body, authority, board, bureau, commission, district, agency, or other political subdivision of the Federal Government or a State, Tribal, territorial, or local government;
    2. an entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity, to the extent that such entity is acting as a service provider to the government entity;
    3. a small business;
    4. an individual acting at their own direction and in a non-commercial context;
    5. the National Center for Missing and Exploited Children; or
    6. except with respect to the obligationsrequirements under section 109, a nonprofit organization whose primary mission is to prevent, investigate, or deter fraud, or to train anti-fraud professionals, or to educate the public about fraud, including insurance fraud, securities fraud, and financial fraud to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission.
    1. NONAPPLICATION TO SERVICE PROVIDERS.—An entity shallmay not be considered to be a ‘‘covered entity’’ for the purposes of this Acttitle, insofar as the entity is acting as a service provider.
    1.   COVERED HIGH-IMPACT SOCIAL MEDIA COMPANY.—
    1. IN GENERAL.—The term ‘‘covered high-impact social media company’’ means a covered entity that provides any internet-accessible platform wherethat—
    1. (A) such covered entity generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity;
    2. (B) such platform has 300,000,000 or more global monthly active users for not fewer than 3 of the preceding 12 months on the platform of such covered entity; and
    3. (C) such platform constitutes an online product or service that is primarily used by individuals users to access or share user-generated content.
    1. TREATMENT OF CERTAIN SERVICES AND APPLICATIONS.—A service or application may not be considered to constitute an online product or service described in subparagraph (A)(iii) solely on the basis of providing any of the following:
    1. Email.
    2. Career or professional development networking opportunities.
    3. Reviews of products, services, events, or destinations.
    4. A platform for use in a public or private school under the direction of the school.
    5. File collaboration.
    6. Cloud storage.
    7. Closed video or audio communications services.
    8. A wireless messaging service, including such a service provided through short messaging service or multimedia messaging service protocols, that is not a component of, or linked to, a platform of a covered high-impact social media company, if the predominant or exclusive function is direct messaging consisting of the transmission of text, photos, or videos that are sent by electronic means, and if messages are transmitted from the sender to a recipient and are not posted within a platform of a covered high-impact social media company or publicly.
    1.  COVERED MINOR.—The term ‘‘covered minor’’ means an individual under the age of 17.
    2.  DARK PATTERNS.—The term “dark patterns” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
    3. DATA BROKER.—
    1. IN GENERAL.—The term ‘‘data broker’’ means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to such the covered data.
    2. PRINCIPAL SOURCE OF REVENUE DEFINED.—For purposes of this paragraph, the term ‘‘principal source of revenue’’ means, with respect to for the preceding prior 12-month period—
    1. revenue that constitutes greater than 50 percent of all revenue of the covered entity during such period; or
    2. revenue obtained from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not collect directly from the individuals linked or linkable to the covered data.
    1. NON-APPLICATION TO SERVICE PROVIDERS.—The term ‘‘data broker’’ does not include an entity to the extent that such entity is acting as a service provider.

    DARK PATTERNS.—The term ‘‘dark patterns’’ means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

    1.   DE-IDENTIFIED DATA.—
    1. IN GENERAL.—The term ‘‘de-identified data’’ means information that cannot reasonably be used to infer or derive the identity of an individual, and does not identify and is not linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to such an individual, regardless of whether the information is aggregated, provided that if the relevant covered entity or service provider—
    1. takes reasonable physical, administrative, orand technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;
    2. publicly commits in a clear and conspicuous manner to—
    1. process, retain, or transfer the information solely in a de-identified form without any reasonable means for re-identification; and
    2. not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and, except as necessary, limited, and proportionate to test the effectiveness of the measures described in clause (i); and
    1. contractually obligates any entity that receives the information from the covered entity or service provider to—
    1. comply with all of the provisions of this paragraph clauses (i) and (ii) with respect to the information; and
    2. require that such contractual obligations be included contractually in all subsequent instances for in which the data information may be received; or 
    1. HEALTH INFORMATION.—The term “de-identified data” includes health information (as defined in section 2621171 of the Health Insurance Portability and Accountability Act of 1996 Social Security Act (42 U.S.C. 1320d)) that has been de-identified in accordance with section 164.514(b) of title 45, Code of Federal Regulations, provided except that if such information is subsequently provided to an entity that is not an entity subject to parts 160 and 164 of such title 45, such entity must shall comply with clauses (ii) and (iii) of subparagraph (A) for the information to be considered de-identified under this Act title.
    1.  DERIVED DATA.—The term ‘‘derived data’’ means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about an individual or an individual’s device.
    2.  DEVICE.—The term ‘‘device’’ means any electronic equipment capable of collecting, processing, retaining, or transferring covered data that is used by 1 or more individuals, including a connected device or a portable connected device.
    3.  DIRECT MAIL TARGETED ADVERTISING.—The term ‘‘direct mail targeted advertising’’ means advertising or marketing using third-party data through a direct communication with an individual via direct mail.
    4.  DISABILITY.—The term ‘‘disability’’ has the meaning given to such term in the Americans with Disabilities Act (42 U.S.C. 12102).
    5.  EMAIL TARGETED ADVERTISING.—The term ‘‘email targeted advertising’’ means advertising or marketing using third-party data through a direct communication with an individual via email.
    6.  EMPLOYEE.—The term ‘‘employee’’ means an individual who is an employee, director, officer, staff member, paid intern, or individual working as an independent contractor (that who is not a service provider), volunteer, or unpaid intern of an employer, regardless of whether such individual is paid, unpaid, or employed engaged on a temporary basis.
    7.  EMPLOYEE INFORMATION.—The term ‘‘employee information’’ means covered data, biometric information, including biometric information or genetic information that is collected by a covered entity (or a service provider acting on behalf of a covered entity)
    1. about an individual in the course of employment or application for employment (including on a contract or temporary basis), provided that if such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for purposes necessary for the employment or application of the individual;
    2. that is emergency contact information for an individual who is an employee or job applicant of the covered entity, provided that employer, if such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for the purpose of having an emergency contact for such individual on file; or
    3. about an individual (or a relative of an individual) who is an employee or former employee of the covered entity  employer, or the relative, dependent or beneficiary of the employee or former employee, for the purpose of administering benefits, including enrollment and disenrollment for benefits, to which such individual, or relative, dependent, or beneficiary is entitled on the basis of the employment of the individual with the covered entity employer, if provided that such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for the purpose of administering such benefits.
    1.  ENTITY.—The term ‘‘entity’’ means an individual, a trust, a partnership, an association, an organization, a company, and a or corporation.
    2.  EXECUTIVE AGENCY.—The term ‘‘executive agency’’ has the meaning given such term in section 105 of title 5, United States Code.
    3.  FEDERATED NONPROFIT ORGANIZATION.—The term ‘‘federated nonprofit organization’’ means a network or system of 2 or more entities, described in section 501(c)(3) of the Internal Revenue Code of 1986 and exempt from taxation under section 501(a) of such Code, that share common branding.
    4.  FIRST PARTY.—The term ‘‘first party’’ means a consumer-facing covered entity with which the consumer intends and expects to interact, and includes any entities with which the covered entity shares common branding.
    5.   FIRST-PARTY ADVERTISING.—
    1. IN GENERAL.—The term ‘‘first-party advertising’’ means advertising or marketing facilitated by a first party using that first party’s first-party data and not other forms of covered data—
    1. through direct communications with an individual, such as direct mail, email (subject to 15 U.S.C. 103 and all regulations promulgated thereunder), or text message communications (subject to 47 U.S.C. 227 and all regulations promulgated thereunder): or, or advertising or marketing facilitated by a first party, such as in a physical location operated by the first party; or
    2. entirely within the following first party contexts—
    1. in a physical location operated by the first party;
    2. displaying or presenting an advertisement of a product or service to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers,  on a website, online service, online application, or mobile application operated by a first party (other than a covered high-impact social media company) based solely on first-party data,  to display or present an online advertisement that promotes a product or service (whether offered by the first party or not offered by the first party) to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers; or
    3. on a website, online service, online application, or mobile application operated by a first party that is a covered high-impact social media company to display or present an online advertisement that promotes a product or service offered by the first party that is a covered high-impact social media company to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers.
    1. EXCLUSION.—The term ‘‘first-party advertising’’ does not include contextual advertising.
    1.  FIRST-PARTY DATA.—The term ‘‘first-party data’’ means covered data collected directly from an individual by a first party, including based on a visit by the individual to or use by the individual of a website, a physical location, a website, or an online service, online application, or mobile application operated by the first party.
    2.  GENETIC INFORMATION.—The term ‘‘genetic information’’ means any covered data, regardless of its format, that concerns an identified or the genetic characteristics of an identified or identifiable individual’s genetic characteristics individual, including—
    1. raw sequence data that results from the sequencing of the complete, or a portion of the extracted deoxyribonucleic acid (DNA) of an individual; or
    2. genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (A).
    1.  HEALTH INFORMATION.—The term ‘‘health information’’ means information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition health status, or treatment of an individual, including the precise geolocation information of such treatment.
    2.  INDIVIDUAL.—The term ‘‘individual’’ means a natural person residing in the United States.
    3.   KNOWLEDGE.—
    1. IN GENERAL.—The term ‘‘knowledge’’ with respect to knowledge that an individual is a child, teen, or covered minor means actual knowledge or knowledge fairly implied on the basis of objective circumstances.
    2. RULE OF CONSTRUCTION.—For purposes of enforcing this title or a regulation promulgated under this title, a determination as to whether a covered entity has knowledge fairly implied on the basis of objective circumstances that a individual is a child or teen shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the individual is a child or teen. Nothing in this title, including a determination described in the preceding sentence, shall be construed to require a covered entity to—
    1. affirmatively collect any covered data with respect to the age of a child or teen that an covered entity is not already collecting in the normal course of business; or
    2. implement an age gating or age verification functionality.
    1. COMMISSION GUIDANCE.—
    1. IN GENERAL.—Within 180 days of enactment, the Commission shall issue guidance to provide information, including best practices and examples for covered entities to understand the Commission’s determination of whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child or teen.
    2. LIMITATION.—No guidance issued by the Commission with respect to this title shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. Any enforcement action brought pursuant to this title, by the Commission or State attorney general, as applicable, shall allege a specific violation of a provision of this title and may not base an enforcement action on, or as applicable execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title.
    1.   LARGE DATA HOLDER.—
    1. IN GENERAL.—The term ‘‘large data holder’’ means a covered entity or service provider that, in the most recent calendar year, had an annual gross revenue of not less than $250,000,000 and, subject to subparagraph (B), collected, processed, retained, or transferred—
    1. the covered data of—
    1. more than 5,000,000 individuals;
    2. more than 15,000,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; and or
    3. more than 35,000,000 connected devices that identify or are linked or reasonable linkable to 1 or more individuals; or
    1. the sensitive covered data of—
    1. more than 200,000 individuals;
    2. more than 300,000 portable connected devices that identify or are linked or reasonable linkable to 1 or more individuals; and
    3. more than 700,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals.
    1. EXCLUSIONS.—For purposes of subparagraph (A), a covered entity or service provider shall may not be considered a large data holder solely on account the basis of collecting, processing, retaining, or transferring to a service provider—
    1. personal mailing or email addresses;
    2. personal telephone numbers;
    3. log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity; or
    4. in the case of a covered entity that is a seller of goods or services (other than an entity that facilitates payment, such as a bank, credit card processor, mobile payment system, or payment platform), credit, debit, or mobile payment information strictly necessary and used to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for such goods or services.
    1. DEFINITION OF ANNUAL GROSS REVENUE.—For the purposes of subparagraph (A), the term ‘‘annual gross revenue’’, with respect to a covered entity or service provider—
    1. means the gross receipts the covered entity or service provider received, in whatever form from all sources, without subtracting any costs or expenses; and
    2. includes contributions, gifts, grants, dues or other assessments, income from investments, and proceeds from the sale of real or personal property.
    1.  MARKET RESEARCH.—The term ‘‘market research’’ means the collection, processing, retention, or transfer of covered data, with affirmative express consent, as reasonably necessary and, proportionate, and limited to measure and analyze the market or market trends of products, services, advertising, or ideas, whereif the covered data is not—
    1. integrated into any product or service;
    2. otherwise used to contact any individual or device of an individual; or
    3. used for targeted advertising or to otherwise market to any individual or device of an individual.
    1.  MATERIAL CHANGE.—The term ‘‘material change’’ means, with respect to treatment of covered data, a change by an entity that would likely affect an individual’s the decision of an individual to engage with and provide covered data to the entity, including providing affirmative express consent for, or opt out of, the entity’s collection, processing, retention, or transfer of covered data pertaining to such individual.
    2.  MOBILE APPLICATION.—The term ‘‘mobile application’’—
    1. means a software program that runs on the operating system of—
    1. a cellular telephone;
    2. a tablet computer; or
    3. a similar portable computing device that transmits data over a wireless connection; and
    1. includes a service or application offered via a connected device.
    1.   ON-DEVICE DATA.—
    1. IN GENERAL.—The term ‘‘on-device data’’ means covered data collected, retained, and processed solely on an individual’s device. stored under the sole control of an individual, including on the an individual’s device of an individual, and only to the extent such data is not processed or transferred by a covered entity or service provider.
    2. LIMITATION.—Data collected, retained, and processed solely on an individual’s device shall be considered ‘‘on-device data’’ only if—
    1. such data is not transferred by a covered entity or service provider;
    2. the covered entity clearly and conspicuously provides the device owner with controls that allow the owner to access, correct, delete, and export such data consistent with the rights provided with respect to covered data pursuant to section 105;
    3. the covered entity provides easy to understand instructions on how the device owner can access such controls; and
    4. the covered entity establishes, implements, and maintains reasonable data security practices, consistent with section 109, to protect—
    1. the confidentiality, integrity, and availability of the on-device data; and
    2. on device data against unauthorized access.
    1.  ONLINE ACTIVITY PROFILE.—The term ‘‘online activity profile’’ means covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third party websites, online services, online applications, or mobile applications that do not share common branding, that is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual.
    2.  ONLINE APPLICATION.—The term ‘‘online application’’—
    1. means an internet-connected software program; and
    2. includes a service or application offered via a connected device.
    1.  PARENT.—The term ‘‘parent’’ means a legal guardian.
    2.  PORTABLE CONNECTED DEVICE.—The term ‘‘portable connected device’’ means a portable device that is capable of connecting to the internet over a wireless connection, including a smartphone, tablet computer, laptop computer, smartwatch, or similar portable device.
    3.   PRECISE GEOLOCATION INFORMATION.—
    1. IN GENERAL.—The term ‘‘precise geolocation information’’ means information that reveals the past or present physical location of an individual or device with sufficient precision to identify (A) street-level location information of such individual or device; or the location of such individual or device within a range geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet or less.
    2. EXCLUSIONS.—The term “precise geolocation information” does not include information derived solely from—
    1. a digital or physical photograph: or
    2. an audio or visual recording.; or
    3. metadata associated with a digital or physical photograph or an audio recording that cannot be linked to an individual.
    1.  PROCESS.—The term ‘‘process’’ means, with respect to covered data, any operation or set of operations performed on covered data, including analyzing, organizing, structuring, using, modifying, or otherwise handling the covered data.
    2.  PUBLICLY AVAILABLE INFORMATION.—
    1. IN GENERAL.—The term ‘‘publicly available information’’ means any information that a covered entity has a reasonable basis to believe has been lawfully made available to the general public from by—
    1. Federal, State, or local government records provided that, if the covered entity collects, processes, retains, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;
    2. widely distributed media;
    3. a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log-in to the website or online service; or
    4. a disclosure to the general public that is required to be made by Federal, State, or local law.
    1. CLARIFICATIONS; LIMITATIONS.—
    1. AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not available to all members of the public if the individual to whom the information pertains has restricted the information to a specific audience or maintained a default setting that restricts the information to a specific audience.
    2. BUSINESS CONTACT INFORMATION.—The term ‘‘publicly available information’’ includes the business contact information of an employee individual acting in a business or professional context that is made available on a website or online service made available to all members of the public on a website or online service, including the individual’s employee’s name, position or title, business telephone number, business email address, or business address of the employee.
    3. OTHER LIMITATIONS.—The term ‘‘publicly available information’’ does not include any of the following:
    1. any obscene visual depiction (as defined for purposes of such term is used in section 1460 of title 18, United States Code);
    2. derived data from publicly available information that reveals information about an individual that meets the definition of the term “sensitive covered data”;.
    3. biometric information;. 
    4. genetic information., unless made available by the individual to whom the information pertains by a means described in clause (ii) or (iii) of subparagraph (A);
    5. covered data that has been combined is created through the combination of covered data with publicly available information.; or
    6. intimate images, authentic or computer-generated by a computer or by artificial intelligence, known to be nonconsensual.; or
    7. sensitive covered data made available by a data broker.
    1.  RETAIN.—The term ‘‘retain’’ means, with respect to covered data, to store, maintain, save, or otherwise keep such data, regardless of format.
    2.  SENSITIVE COVERED DATA.—
    1. IN GENERAL.—The term ‘‘sensitive covered data’’ means the following forms of covered data:
    1. A government-issued identifier, such as including a social security number, passport number, or driver’s license number, that is not required by law to be displayed in public.
    2. Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
    3. Genetic information.
    4. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card., except that the last four digits of an account number, debit card number, or credit card number may not be considered sensitive covered data.
    5. Biometric information.
    6. Precise geolocation information.
    7. An individual’s the private communications of an individual (, such as voicemails, or other voice or video communications, emails, texts, direct messages, or mail,) or information identifying the parties to such communications, information contained in telephone bills, voice communications, and any information that pertains to the transmission of private voice or video communications, including numbers called, numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the covered entity is an intended recipient of the communication.
    8. Unencrypted or unredacted account or device log-in credentials.
    9. Information revealing the sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation of the individual regarding disclosure of such information.
    10. Calendar information, address book information, phone, or text, or electronic logs, photographs, audio recordings, or videos intended for private use.
    11. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
    12. Information revealing the extent or content of any individual’s the access, viewing, or other use by an individual of any video programming described(as defined in section 713(bh)(2) of the Communications Act of 1934 (47 U.S.C. 613(h)(2))), including programming provided by a provider of broadcast television service, cable service, satellite service, or streaming media service, but only with regard to the transfer of such information to a third party (excluding any such data information used solely for transfers for independent video measurement).
    13. Information collected by a covered entity that is not a provider of a service described in clause (xii) that reveals the video content requested or selected by an individual (excluding any such data information used solely for transfers for independent video measurement).
    14. Information revealing an individual’s the race, ethnicity, national origin, religion, or sex of an individual in a manner inconsistent with the individual’s reasonable expectation of the individual regarding disclosure of such information.
    15. An online activity profile. Information revealing an individual’s the online activities of an individual over time and across websites or online services that do not share common branding are unaffiliated or over time on any website or online service operated by a covered high-impact social media company.
    16. Information about an individual who is a covered minor.
    17. Information that reveals the status of an individual as a member of the Armed Forces.
    18. Neural data.
    19. any other covered data collected, processed, retained, or transferred for the purpose of identifying the data types of information described in clauses (i) through (xviii).
    20. any other covered data, except for expanding the categories described in clause (ii), that the Commission determines to be sensitive covered data through a rulemaking pursuant to section 553 of title 5, United States Code.
    1. THIRD PARTY.—For the purposes of subparagraph (A)(xii), the term ‘‘third party’’ does not include an entity that—
    1. is related by common ownership or corporate control to the provider of broadcast television service, cable service, satellite service, or streaming media service; and
    2. provides video programming as described in such subparagraph (A)(xii).
    1.  SERVICE PROVIDER.—
    1. IN GENERAL.—The term ‘‘service provider’’ means an entity that collects, processes, retains, or transfers covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of, 
    1. a covered entity or another service provider; or
    2. a Federal, State, Tribal, territorial, or local government entity.
    1. RULE OF CONSTRUCTION.—
    1. IN GENERAL.—An entity is a ‘‘covered entity’’ and not a ‘‘service provider’’ with respect to a specific collecting, processing, retaining, or transferring of covered data, if the entity, jointly or with others, determines the purposes and means of the specific collecting, processing, retaining, or transferring of data.
    2. INSTRUCTIONS.—A person that is not limited in its collecting, processing, retention, or transferring of covered data pursuant to the instructions of a covered entity, another service provider, or a Federal, State, Tribal, territorial, or local government entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific processing of such data. If a service provider begins, alone, or jointly with others determining the purposes and means of collecting, processing, retaining, or transferring covered data, it is a covered entity with respect to such data. A service provider that continues to adhere to the instructions of a covered entity with respect to processing covered data remains a service provider.
    3. CONTEXT REQUIRED.—Whether an entity is a ‘‘covered entity’’ or a ‘‘service provider’’ depends on the facts surrounding, and the context in which, the data is collected, processed, retained, or transferred.
    1.   SMALL BUSINESS.—
    1. IN GENERAL.—The term ‘‘small business’’ means an entity (including any affiliate of the entity)—
    1. Whosethat has average annual gross revenues for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence, if such period is less than 3 calendar years) did that do not exceeding $40,000,000 dollars, indexed to the Producer Price Index reported by the Bureau of Labor Statistics the size standard in millions of dollars specified in section 121.201 of title 13, Code of Federal Regulations, relating to NAICS Code 518210 (Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services), including any updates to such size standard;
    2. that, on average, for the period described in clause (i), did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return or warranty policy; and
    3. that did not, during the period described in clause (i), transfer covered data to a third party in exchange for revenue or anything of value, except for purposes of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product or facilitating web analytics that are not used to create an online activity profile track the online activity of an individual over time and across websites or online services that do not share common branding or for targeted advertising purposes.
    1. NONPROFIT REVENUE.—For purposes of subparagraph (A)(i), the term ‘‘revenue’’, as it such term relates to any entity that is not organized to carry on business for its own profit or that of their its members, means the gross receipts the entity received in whatever form from all sources without subtracting any costs or expenses, and includes contributions, gifts, non-Federal grants (except for grants from the Federal Government), dues or other assessments, income from investments, or proceeds from the sale of real or personal property.
    1.  STATE.—The term ‘‘State’’ means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands of the United States, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.
    2.  SUBSTANTIAL PRIVACY HARM.—The term ‘‘substantial privacy harm’’ means—
    1. any alleged financial harm of not less than $10,000; or
    2. any alleged physical or mental harm to an individual that involves—
    1.  treatment by a licensed, credentialed, or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health, or addiction care; or
    2. physical injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.
    1.  TARGETED ADVERTISING.—The term ‘‘targeted advertising’’—
    1. means displaying or presenting an advertisement to an individual or to a device identified by a unique persistent identifier (or to a group of individuals or devices identified by unique persistent identifiers), if the online advertisement that is selected based, in whole or in part, on known or predicted preferences, or interested associated with the individual or a device identified by a unique persistent identifier; covered data collected or inferred from the online activities of the individual over time and across websites or online services that do not share common branding, or over time on any website or online service operated by a covered high-impact social media company (but not based on a profile created about the individual), to predict the preferences of the individual or interests associated with the individual or a device identified by a unique persistent identifier; and
    2. does not includes—
    1. (i) an online advertisement for a third-party product or service by a covered high-impact social media company that is not a product or service offered by the covered high-impact social media company based on first-party data; and  advertising or marketing content to an individual in response to the individual’s specific request for information or feedback;
    2. An online advertisement for a product or service based on the previous interaction of an individual or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding or affiliation with the website or online service displaying or presenting the advertisement.; and
    3. excludes contextual advertising and first-party advertising.
    4. first-party advertising based on an individual’s visit to or use of a website or online service that offers a product or service that is related to the subject of the advertisement;
    5. contextual advertising when an advertisement is displayed online based on the content of the webpage or online service on which the advertisement appears; or
    6. processing covered data solely for measuring or reporting advertising, marketing, or media performance, reach, or frequency, including by independent entities.
    1.  TEEN.—The term ‘‘teen’’ means an individual over the age of 12 and under the age of 17.
    2.  THIRD PARTY.—The term ‘‘third party’’—
    1. means any entity that—
    1. receives covered data from another entity that is not the individual to whom the data pertains; and
    2. is not a service provider with respect to such data; and
    1. does not include an entity that collects covered data from another entity if the 2 entities are—
    1. related by common ownership or corporate control and share common branding.; or
    2. nonprofit entities that are part of the same federated nonprofit organization.
    1.  THIRD-PARTY DATA.—The term ‘‘third party data’’ means covered data that has been transferred to a third party.
    2.  TRANSFER.—The term ‘‘transfer’’ means, with respect to covered data, to disclose, release, share, disseminate, make available, sell, rent, or license the covered data, (orally, in writing, electronically, or by any other means) for consideration of any kind or for a commercial purpose.
    3.  UNIQUE PERSISTENT IDENTIFIER.—
    1. IN GENERAL.—The term ‘‘unique persistent identifier’’ means a technologically created identifier to the extent that such identifier is reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, including a device identifiers, an Internet Protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer numbers, unique pseudonyms, or user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to 1 or more individuals or devices; and 
    2. EXCLUSION.—The term “unique persistent identifier” does not include an identifier assigned by a covered entity for the specific sole purpose of giving effect to an individual’s the exercise of affirmative express consent by an individual or opt-out of the collection by an individual with respect to the collecting, processing, retaining, or and transfer of covered data or otherwise limiting the collection collecting, processing, retaining, or transfer of such information covered data.
    1.  WIDELY DISTRIBUTED MEDIA.—
    1. IN GENERAL.—The term ‘‘widely distributed media’’ means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis; and 
    2. EXCLUSION.—The term “widely distributed media” does not include an obscene visual depiction (as defined such term is used in section 1460 of title 18, United States Code).

    SEC. 102. DATA MINIMIZATION.

    1. IN GENERAL.—ASubject to subsections (b) and (c), a covered entity may, or a service provider acting on behalf of a covered entity, shall not collect, process, retain, or transfer covered data of an individual or direct a service provider to collect, process, retain, or transfer covered data of an individual beyond what is necessary, proportionate, and limited—
    1. (1) beyond what is necessary, proportionate, and limited to provide or maintain—
    1. a specific product or service requested by the individual to whom the data pertains, including any associated routine administrative, operational, or account-servicing activity such as billing, shipping, delivery, storage, or accounting; or
    2. a communication, that is not an advertisement, by the covered entity to the individual reasonably anticipated within the context of the relationship; or
    1. for a purpose other than those expressly permitted under subsection (d).
    1. ADDITIONAL PROTECTIONS FOR SENSITIVE COVERED DATA.—Subject to subsection (a), and unless for a purpose expressly permitted under by paragraph (2), (3), (4), (5), (6), (8), (9), (11), (12), or (13) of  (1) IN GENERAL.—Except as expressly provided under subsection (d), a covered entity may, or a service provider acting on behalf of a covered entity, shall not transfer sensitive covered data to a third party or direct a service provider to transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains.
    1. (2) WITHDRAWAL OF AFFIRMATIVE EXPRESS CONSENT.—
    1. (A) IN GENERAL.—A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual with respect to the transfer of the sensitive covered data of the individual.
    2. (B) REQUIREMENTS.—The means to withdraw affirmative express consent described in subparagraph (A) shall be—
    1. (i) clear and conspicuous; and
    2. (ii) as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.
    1. ADDITIONAL PROTECTIONS FOR BIOMETRIC INFORMATION AND GENETIC INFORMATION.—
    1. IN GENERAL. COLLECTIONASubject to subsection (a), a covered entity may, or a service provider acting on behalf of a covered entity, shall not collect or, process, or retain biometric information or genetic information or direct a service provider to collect or process biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains., unless such collection, processing, or retention is essential for a purpose expressly permitted under by paragraph (1), (2), (3), (4), or paragraphs (9), (10), (11), (12), or through (13) of subsection (d) and if such collection or processing is necessary, proportionate, and limited for such purpose.
    2. PROCESSING.—Subject to subsection (a), a covered entity may not process biometric information or genetic information or direct a service provider to process biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted by paragraph (2), (3), or (4) of subsection (d).
    3. RETENTION.—Subject to subsection (a), a covered entity, or service provider acting on behalf of a covered entity, shall may not retain biometric or genetic information or direct a service provider to retain biometric information or genetic information beyond the point for at which a the purpose for which that an individual provided affirmative express consent under paragraph (1) has been satisfied or within beyond the date that is 3 years after the date of the individual’s last interaction of the individual with the covered entity or service provider, whichever occurs first, unless such retention is essential necessary, proportionate, and limited for a purpose expressly permitted under paragraphs (1), (2), (3), or through (4), or paragraphs (9), (10), (11), (12), or through (13) of subsection (d).
    4. TRANSFER.—
    1. AFFIRMATIVE EXPRESS CONSENT REQUIRED.—Subject to subsection (a), a covered entity, or service provider acting on behalf of a covered entity, shall may not transfer biometric information or genetic information to a third party or direct a service provider to transfer biometric information or genetic information to a third party without the affirmative express consent of the individual to whom such information pertains, unless such transfer is essential for a purpose expressly permitted under by paragraphs (2), (3), or (4), (8), (9), (11), or (12) of subsection (d).
    2. NO TRANSFER FOR PAYMENT OR OTHER VALUABLE CONSIDERATION.—A covered entity may not transfer biometric information or genetic information to a third party, or direct a service provider to transfer biometric information or genetic information to a third party for payment or other valuable consideration (regardless of the purpose of the transfer, including a purpose described in subparagraph (A)).
    1. (4) WITHDRAWAL OF AFFIRMATIVE EXPRESS CONSENT.—
    1. (A) IN GENERAL.—A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual with respect to the biometric information or genetic information of the individual.
    2. (B) REQUIREMENTS.—The means to withdraw affirmative express consent described in subparagraph (A) shall be—
    1. (i) clear and conspicuous; and
    2. (ii) as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.
    1. (d) PERMITTED PURPOSES.—Subject to the requirements in subsections (b) and (c), a covered entity, or service provider acting on behalf of a covered entity, may collect, process, retain, or transfer or direct a service provider to collect, process, retain, or transfer covered data for the following purposes, provided that if the covered entity or service provider can demonstrate that the collection, processing, retention, or transferring is necessary, proportionate, and limited to such purpose:
    1. To protect data security (as described in section 109), protect against spam, or protect and maintain networks and systems, including through diagnostics, debugging, and repairs.
    2. To comply with a legal obligation imposed by a Federal, State, local, or Tribal, or local law that is not preempted by this Act title.
    3. To investigate, establish, prepare for, exercise, or defend cognizable legal claims on its own behalf of the covered entity or service provider.
    4. To transfer covered data to a Federal, State, local, or Tribal, or local law enforcement agency pursuant to a lawful warrant, administrative subpoena, or other form of lawful process.
    5. To effectuate a product recall pursuant to state or a Federal or State law, or to fulfill a warranty.
    6. To conduct market research.
    7. With respect to covered data previously collected in accordance with this Act title, to process such the covered data into such that the covered data becomes de-identified data, including in order to—
    1. develop or enhance a product or service of the covered entity or service provider; or
    2. conduct internal research or analytics to improve a product or service of the covered entity or service provider.; or
    (C) conduct a public or peer-reviewed scientific, historical, or statistical research project that—
    1. is in the public interest; and
    2. adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects.
    1. conduct research to improve the effectiveness and safety of health care products and treatments and medical devices;
    2. enable the effective delivery and administration of healthcare products and treatments to patients, in compliance with Federal Regulations; or
    3. to monitor the safety and efficacy of products and services administered to patients, in compliance with Federal Regulations.
    1. To transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction, with respect to which when the third party assumes control, in whole or in part, of the assets of the covered entity’s assets, but only if the covered entity, in a reasonable time prior to such transfer, provides each affected individual with—
    1. a notice describing such transfer, including the name of any the entity or entities receiving the individual’s covered data of the individual and the privacy policies of such entity ( of such entity or entities as described in section 104); and
    2. a reasonable opportunity to—
    1. withdraw any previously provided given consent in accordance with the requirements of affirmative express consent under this Act title related to the individual’s covered data of the individual; and
    2. request the deletion of the individual’s covered data of the individual, as described in section 105.
    1. With respect to a covered entity or service provider that is a telecommunications carrier or a provider of a mobile service, interconnected VoIP service, or non-interconnected VoIP service (as such terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153)), to provide call location information (asin a manner described in subparagraphs (A) and or (C) of section 222(d)(4) of such Act (47 U.S.C. 222(d)(4)(A) and (C))).
    2. To prevent, detect, protect against, investigate, or respond to fraud or harassment, excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    3. To prevent, detect, protect against, or respond to an ongoing or imminent security incident relating to network security or physical security, including an intrusion or trespass, medical alert, fire alarm or request for a fire response, or access control.
    4. To prevent, detect, protect against, or respond to an imminent or ongoing public safety incident (such as a mass casualty event, natural disaster, or national security incident), excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    5. Except with respect to health information, to prevent, detect, protect against, investigate, or respond to criminal activity or harassment, excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    6. Except with respect to sensitive covered data and only with respect to covered data previously collected in accordance with this Act title, to process or transfer such data as necessary, proportionate, and limited to provide first-party advertising or contextual advertising, or to measure and report on marketing performance or media performance by the covered entity for individuals, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the processing or transfer of covered data for first-party advertising to a covered minor, as prohibited pursuant to section 120.
    7. Except with respect to sensitive covered data (other than covered data collected over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company), and only with respect to covered data previously collected in accordance with this Act title, for an individual who has not opted out of targeted advertising pursuant to section 106, to processing or transferring covered data to process or to transfer such data to provide targeted advertising, direct mail targeted advertising, or email targeted advertising (subject to 15 U.S.C. 103 and all regulations promulgated thereunder), or to measure and report on marketing performance or media performance, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the collection, processing, retention, or transfer of information described in section 101(41)(A)(xvi) for targeted advertising processing or transfer of covered data for targeted advertising to an individual who has opted out of targeted advertising pursuant to section 106, or to a covered minor as prohibited pursuant to section 120..
    8. To conduct a public or peer-reviewed scientific, historical, or statistical research project that—
    1. is in the public interest;
    2. adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects, if applicable; and
    3. limits transfers to third parties of sensitive covered data only to the extent that affirmative express consent has been received from the affected individuals. those transfers necessary, proportionate, and limited to carry out the research; and
    4.  prohibits the transfer of covered data to a data broker.
    1. Conduct medical research in compliance with 45 CFR part 46 or 21 CFR parts 6, 50 and 56
    1. GUIDANCE.—The Commission shall issue guidance regarding what is reasonably necessary, and proportionate, and limited to comply with this section.
    2. JOURNALISM.—Nothing in this Act shall title may be construed to limit or diminish First Amendment freedoms guaranteed under the Constitution journalism, including the gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or investigating news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public.

    SEC. 103. PRIVACY BY DESIGN.

    1.  IN GENERAL.—Each covered entity, and service provider, and third party shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity,  or service provider, or third party in the collection, processing, retention, and transferring of covered data.
    2. REQUIREMENTS.—The policies, practices, and procedures required by subsection (a) shall—
    1. identify, assess, and mitigate privacy risks related to covered minors (including, if applicable, in a manner that considers the developmental needs of different age ranges of covered minors), , people living with disabilities, and individuals over the age of 65;
    2. mitigate privacy risks related to the products and services of the covered entity,  or service provider, or third party including in the design, development, and implementation of such products and services, taking into account the role of the covered entity,  or service provider, or third party and the information available to the covered entity,  or service provider, or third party; and
    3. implement reasonable internal training and safeguards to promote compliance with this title and to mitigate privacy risks, taking into account the role of the covered entity,  or service provider, or third party and the information available to the covered entity,  or service provider, or third party.
    1. FACTORS TO CONSIDER.—The policies, practices, and procedures established by a covered entity,  or service provider, or third party under subsection (a) shall align with, as applicable—
    1. the nature, scope, and complexity of the activities engaged in by the covered entity,  or service provider, or third party, including whether the covered entity,  or service provider, or third party is a large data holder, nonprofit organization, or data broker, taking into account the role of the covered entity,  or service provider, or third party and the information available to the covered entity,  or service provider, or third party;
    2. the sensitivity of the covered data collected, processed, retained, or transferred by the covered entity,  or service provider, or third party;
    3. the volume of covered data collected, processed, retained, or transferred by the covered entity,  or service provider, or third party;
    4. the number of individuals and devices to which the covered data collected, processed, retained, or transferred by the covered entity,  or service provider, or third party relates;
    5. state-of-the-art administrative, technological, and organizational measures that, by default, serve the purpose of protecting the privacy and security of covered data as required by this title; and
    6. the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data involved.
    1. COMMISSION GUIDANCE.—Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance with respect to what constitutes reasonable policies, practices, and procedures as required by subsection (a). In issuing such guidance, the Commission shall consider unique circumstances applicable to nonprofit organizations, service providers, third parties, and data brokers.

    SEC. 104. TRANSPARENCY.

    1. IN GENERAL.—Each covered entity and service provider shall make publicly available, in a clear, and conspicuous, not misleading, and easy-to-read, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the covered entity or service provider’s data collection, processing, retention, and transfer activities of the covered entity or service provider.
    2. CONTENT OF PRIVACY POLICY.—The privacy policy required under subsection (a) shall include, at a minimum, the following:
    1. The identity and the contact information of—
    1. the covered entity or service provider to which the privacy policy applies, (including the a point of contact and a monitored email address, or other monitored online contact mechanism, as applicable, for specific to data privacy and data security inquiries); and
    2. any affiliate within the same corporate structure as the covered entity or service provider, to which the covered entity or service provider may transfer data that—
    1. is not under common branding with the covered entity or service provider; or
    2. has different contact information than the covered entity or service provider.
    1. With respect to the collection, processing, and retaining of covered data—
    1. the categories of covered data the covered entity or service provider collects, processes, or retains; and
    2. the processing purposes for each such category of covered data.
    1. Whether the covered entity or service provider transfers covered data and, if so—
    1. each category of service provider or third party to which the covered entity or service provider transfers covered data;
    2. the name of each data broker to which the covered entity or service provider transfers covered data; and
    3. the purposes for which such data is transferred.
    1. The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that time frame the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain categories each category of covered data.
    2. A prominent description of how an individual can may exercise the rights described in sections 5 and 6, as applicable, of the individual under this title.
    3. A description of how a covered entity treats data collected from covered minors differently than it treats data collected from other individuals, when the covered entity has knowledge that it has collected data from covered minors.
    4. A general description of the data security practices of the covered entity or service provider.
    5. The effective date of the privacy policy.
    6. Whether any covered data collected by the covered entity or service provider is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary (as determined by the Secretary of Commerce and specified in part section 7.4 of title 15, Code of Federal Regulations, or any successor regulation).
    1. LANGUAGES.—TheA privacy policy required under subsection (a) shall be made available to the public in each language in which the covered entity or service provider— the ten most used languages in which a covered entity provides products or services, or carries out activities related to such product or service, or if the entity provides products or services in less than 10 languages, is provided in the number of languages in which the covered entity provides a product or service, or carries out activities related to such product or service.
    1. provides a product or service that is subject to the privacy policy; or
    2. carries out activities related to such product or service. 
    1. ACCESSIBILITY.—TheA covered entity or service provider shall provide the disclosures required under this section in a manner that is reasonably accessible to and usable by individuals living with disabilities.
    2. MATERIAL CHANGES.—
    1. NOTICE AND OPT OUT.—A covered entity that makes a material change to its the privacy policy or practices with respect to previously collected covered data of the covered entity shall—
    1. provide to each affected individual, in a clear and conspicuous manner—
    1. advance notice of such material change; and
    2. a means to opt out of the collection, retention processing or transfer of any such previously collected covered data related to of such individual pursuant to such material change; and
    1. with respect to the covered data of any individual who opts out using the means described in subparagraph (A)(ii), discontinue the collection, processing, retention, or transfer of such previously collected covered data, except if covered data, unless such processing or transfer is strictly necessary, proportionate, and limited to provide or maintain a product or service specifically requested by the individual.
    1. DIRECT NOTIFICATION.—TheA covered entity shall take all reasonable electronic measures to provide direct notification, whereif possible, to each affected individual regarding material changes to the privacy policy of the entity, and such notification shall be provided in each language in which the privacy policy is made available, taking into account available technology and the nature of the relationship between the entity and the individual.
    2. CLARIFICATION.—Except as provided in paragraph (1)(B), nothing in this subsection shall may be construed to affect the requirements for covered entities under sections 102, 105, and 1063, 5, or 6.
    1. TRANSPARENCY REQUIREMENTS FOR LARGE DATA HOLDERS.—
    1. RETENTION OF PRIVACY POLICIES; LOG OF MATERIAL CHANGES.—
    1. IN GENERAL.—Beginning not later than 90 days after on the date of the enactment of this Act, each large data holder shall—
    1. retain and publish on the website of the large data holder a copy of each previous version of its the privacy policy (as described in of the large data holder required under subsection (d)a) for not less than 10 years; and
    2. make publicly available on its the website,of the large data holder, in a clear, and conspicuous, and readily accessible manner, a log that describes the date and nature of each material change to its the privacy policy of the large data holder during such the preceding 10-year period in a manner that is sufficient for a reasonable individual to understand the effect of each material change.
    1. EXCLUSION.—This paragraph does not apply to material changes to previous versions of the privacy policy of a large data holder that precede the date of the enactment of this Act.
    1. SHORT-FORM NOTICE TO CONSUMERS.—
    1. IN GENERAL.—In addition to the privacy policy required under subsection (a), a large data holder shall provide a short-form notice of its the covered data practices of the large data holder in a manner that—
    1. is concise;, clear, and conspicuous and not misleading;
    2. is clear and conspicuous
    3. is readily accessible to the an individual, based on the manner in which the way an individual interacts with the large data holder and its the products or services of the large data holder and what is reasonably anticipated within the context of the relationship between the individual and the large data holder;
    4. includes an overview of individual rights and disclosures to reasonably draw attention to data practices that may be unexpected or that involve sensitive covered data; and
    5. is not more than 500 words in length in the English language or not more than 550 words in length if in a language other than English.
    1. GUIDANCE.—Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance establishing the minimum data disclosures necessary for the short-form notice described in this paragraph and shall include templates or models for such notice.

    SEC. 105. INDIVIDUAL CONTROL OVER COVERED DATA.

    1. ACCESS TO, AND CORRECTION, DELETION, AND PORTABILITY OF, COVERED DATA.—Subject to subsections (b), (d), and (e), aAfter receiving a verified request from an individual,  including from a parent acting on behalf of a child, a covered entity shall provide the individual with the right to—
    1. access—
    1. in a format that can be naturally read by a human, the covered data of the individual (or an accurate representation of the covered data of the individual or of the child, in the case of parental access, if the covered data is no longer in the possession of the covered entity or a service provider acting on behalf of the covered entity) that is collected, processed, or retained by the covered entity or any service provider of the covered entity;
    2. the name of any third party or service provider to whom the covered entity has transferred the covered data of the individual, as well as the categories of sources from which the covered data was collected; and
    3. a description of the purpose for which the covered entity transferred the any covered data of the individual or of the child, in the case of parental access, to a third party or service provider;
    1. correct any inaccuracy or incomplete information with respect to the covered data of the individual or of the child, in the case of parental request, that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, request the covered entity to notify any third party or service provider to which the covered entity transferred such covered data of the corrected information so that service providers may provide the assistance required by section 111(a)(1)(C);
    2. delete covered data of the individual or of the child, in the case of parental request, that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such covered data of the individual’s deletion request of the individual or of the child, so that service providers may provide the assistance required by section 111(a)(1)(C) ; and
    3. to the extent technically feasible, export covered data (except for derived data if the export of such derived data would result in the release of trade secrets or other proprietary or confidential data) of the individual or of the child, in the case of parental request, that is collected, processed, or retained by the covered entity without licensing restrictions that unreasonably limit such transfers, in—
    1. a format that can be naturally read by a human; and
    2. a format that is portable, structured, interoperable, and machine-readable format; and
    1.  if the individual is a covered minor, delete covered data collected from the covered minor or content or information submitted by the covered minor to a covered entity.
    1. FREQUENCY AND COST.—A covered entity—
    1. shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
    2. with respect to—
    1. the first 3 times instances that an individual exercises any right described in subsection (a) during any 12-month period, shall allow the individual to exercise such right free of charge; and
    2. any time instance beyond the initial first 3 times instances described in subparagraph (A), may charge a reasonable fee for each additional request to exercise any such right during such 12-month period.
    1. TIMING.—
    1. IN GENERAL.—Subject to subsections (b), (d), and (e), each request under subsection (a) shall be completed—
    1. by any covered entity that is a large data holder or data broker, not later than 30 shall comply with a verified request from an individual to exercise a right described in subsection (a) not later than 15 calendar days after receiving of such request from an individual, unless it is impossible or demonstrably impracticable to verify such the individual; andor
    2. by a covered entity that is not a large data holder shall comply with a verified or data broker, not later than 45 calendar days of such request from an individual, unless it is impossible or demonstrably impracticable to verify the to exercise a right described in subsection (a) not later than 30 calendar days after receiving such request, unless it is impossible or demonstrably impracticable to verify such individual.
    1. EXTENSION.—The response period required under paragraph (1) may be extended once by not more than the applicable time period described in such paragraph when reasonably necessary, considering the complexity and number of the individual’s requests, provided that from the individual, if the covered entity informs the individual of any such extension within the initial response period, together with and the reason for the extension.
    1. VERIFICATION.—
    1. IN GENERAL.—A covered entity shall reasonably verify that any individual requesting making a request to exercise a right described in subsection (a) is—
    1. the individual whose covered data is the subject of the request; or
    2. the parent of a child whose covered data, or with respect to paragraph (5) content or other information, is the subject of the request; or
    3. another individual, that is not an entity, on behalf of an individual. authorized to make such a request on the individual’s behalf of the individual whose covered data is the subject of the request.
    1. ADDITIONAL INFORMATION.—If a covered entity cannot make the verification described in paragraph (1), the covered entity—
    1. may request that the individual making suchthe request provide any additional information necessary for the sole purpose of verifying the identity of the individual, and in the case of a parent, that the person making the request is the parent of the child whose information is at issue, except that the request of the covered entity may not be burdensome on the individual; and
    2. Shall may not process, retain, or transfer such additional information for any other purpose.
    1. EXCEPTIONS.—
    1. REQUIRED EXCEPTIONS.—A covered entity shallmay not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—
    1. cannot reasonably verify that the individual making such request is the individual whose covered data is the subject of the request, or the parent of a child whose covered data is the subject of the request, or another individual person authorized to make such a request on the individual’s behalf of the individual whose covered data, or with respect to paragraph (5) content or other information, is the subject of the request;
    2. determines that exercise of the right would require access to another individual’s, or the correction or deletion of, the sensitive covered data of an individual other than the individual whose covered data is the subject of the request;
    3. determines that exercise of the right would require the correction or deletion of covered data subject to a warrant, lawfully executed subpoena, or litigation or equivalent preservation notice, or hold notice in connection with such warrant or subpoena or issued in a matter in which the covered entity is a named party;
    4. determines that exercise of the right would violate a Federal, State, local, or Tribal, or local law that is not preempted by this Act title;
    5. determines that exercise of the right would violate the covered entity’s professional ethical obligations of the covered entity;
    6. reasonably believes that the request is made in furtherance of to further fraud;
    7. except with respect to health information, reasonably believes that the request is made in furtherance of criminal activity; or
    8. reasonably believes that complying with the request would threaten data security or network security.
    1. PERMISSIVE EXCEPTIONS.—(A) IN GENERAL.—A covered entity may decline, with adequate explanation provided to the individual making the request, to comply with a request to exercise a right described in subsection (a), in whole or in part, if such compliance that would—
    1. be demonstrably impossible impracticable due to technology or technological limitations or prohibitive cost, and such adequate explanation includes if the covered entity provides a detailed description to the individual regarding the inability to comply with the request due to technologicaly limitations or prohibitive cost;
    2. delete covered data reasonably necessary to perform a contract between the covered entity and the individual;
    3. with respect to a right described in paragraph (1) or (4) of subsection (a), require the covered entity to release trade secrets or other privileged, proprietary, or confidential business information;
    4. prevent a covered entity from being able to maintain a confidential record of opt out requests pursuant to section 6 this title, that is maintained solely for the purpose of preventing the covered data of an individual from being recollected, processed, retained, or transferred after the individual submitted submits an opt out request; or
    5. with respect to a deletion requests, require a private elementary or secondary school (as defined by State law) or a private institution of higher education (as defined by section 101 in title I of the Higher Education Act of 1965 (20 U.S.C. 1001 et seq.)) to delete covered data that, if the deletion would unreasonably interfere with the provision of education services by, or the ordinary operation of, the school or institution.
    6. delete covered data that relates to a public figure regarding a matter of legitimate public interest and for which the requesting individual has no reasonable expectation of privacy; or
    7. delete covered data that the covered entity reasonably believes may be evidence of an abuse of the covered entity’s products or services, including violations of terms of service.
    8. PARTIAL COMPLIANCE.—In the event a covered entity makes a permissive exception under subparagraph (A), the covered entity shall partially comply with the remainder of the applicable request if partial compliance is possible and not unduly burdensome.
    9. NUMBER OF REQUESTS.—For purposes of subparagraph (A)(i), the receipt of a large number of verified requests, on its own, shall not be considered to render compliance with a request demonstrably impossible.
    1. RULE OF CONSTRUCTION.—This section shall may not be construed to require a covered entity or service provider acting on behalf of a covered entity to—
    1. retain covered data collected for a single, 1-time transaction, if such covered data is not processed or transferred by the covered entity or service provider for any purpose other than completing such transaction;
    2. re-identify or attempt to re-identify de-identified data; or
    3. collect or retain any data in order to be capable of associating a verified individual’s request with the covered data that is the subject of the request.
    1. PARTIAL COMPLIANCE.—In the event a covered entity declines a request under paragraph (2), the covered entity shall partially comply with the remainder of the request if partial compliance is possible and not unduly burdensome.
    2. NUMBER OF REQUESTS.—For purposes of paragraph (2)(A), the receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable.
    3. ADDITIONAL EXCEPTIONS.—
    1. IN GENERAL.—The Commission may promulgate regulations, in accordance with section 553 of title 5, United States Code, to establish additional permissive exceptions to subsection (a) necessary to protect the rights of individuals, to alleviate undue burdens on covered entities, to prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or as otherwise necessary to fulfill the purposes of this section.
    2. CONSIDERATIONS.—In establishing suchany exceptions under subparagraph (A), the Commission shall consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.
    3. CLARIFICATION.—A covered entity may not decline to comply with an individual’s a request roof an individual to exercise a right under this section for any purpose pursuant to an exception the Commission identifies pursuant to establishes under this paragraph.
    1. ON-DEVICE DATA EXEMPTIONEXCEPTION.—A covered entity may decline to comply with a request to exercise a right described in paragraph (1), (2), or (3) of subsection (a), in whole or in part, if—
    1. the covered data is exclusively on-device data; and
    2. the individual can exercise any such right using clear and conspicuous on-device controls.
    1. LARGE DATA HOLDER METRICS REPORTING.— With respect to each calendar year for which an entity is considered a large data holder, such entity shall comply with the following reporting requirements:
    1. REQUIRED METRICS.—Compile the following metrics information for the priorsuch calendar year:
    1. The number of verified access requests under subsection (a)(1).
    2. The number of verified deletion requests under subsection (a)(3).
    3. The number of verified deletion requests under subsection (a)(5).
    4. The number of verified requests to opt-out of covered data transfers under section 106(a)(1).
    5. The number of verified requests to opt-out of targeted advertising under section 106(a)(2).
    6. For each category of requests described in subparagraphs (A), (B), (C), or through (D E), the number of such requests that the large data holder complied with in whole or in part.
    7. For each category of requests described in subparagraphs (A), (B), (C), or through (D E), the average number of days within which such the large data holder substantively responded to the requests.
    1. PUBLIC DISCLOSURE.—Disclose by, not later than July 1 of each applicable calendar year, the information compiled under paragraph (1) for the previous calendar year—
    1. in such the privacy policy of the large data holder’s privacy policy; or
    2. on the a publicly accessible available website of the such large data holder that is accessible from a hyperlink included in the privacy policy.
    1. GUIDANCE.—Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance to clarify or explain the provisions of this section and establish processes practices by which a covered entity may verify a request to exercise a right described in subsection (a).
    2. ACCESSIBILITY.—
    1. LANGUAGE.—A covered entity shall facilitate the ability of individuals to make requests under to exercise rights described in subsection (a) in any language in which the covered entity provides a product or service.
    2. INDIVIDUALS LIVING WITH DISABILITIES.—The mechanisms by which a covered entity enables individuals to make requests under a request to exercise a right described in subsection (a) shall be readily accessible and usable by individuals living with disabilities.

    SEC. 106. OPT-OUT RIGHTS AND UNIVERSAL MECHANISM CENTRALIZED .

    1. IN GENERAL.—Beginning on the effective date described in section 24, aA covered entity shall provide to individuals an individual the following opt-out rights with respect to the covered data of the individual:
    1. RIGHT TO OPT OUT OF COVERED DATA TRANSFERS TO THIRD PARTIES.—A covered entity shall
    1. shall provide an individual with a clear and conspicuous means to opt out of the transfer of the individual’s covered data of the individual to a third party;
    2. upon establishment of the opt-out mechanism described in subsection (b), shall allow an individual to make an opt-out designation pursuant to subparagraph (A) through the opt-out mechanism;
    3. shall abide by an opt-out with respect to the transfer of the individual’s designation made pursuant to subparagraph (A) and communicate such designation to all relevant service providers and third parties; and
    4. Except as provided in section 112(c)(3), need not allow an individual to opt out of a transfer of covered data through an opt-out mechanism as made pursuant to a permissible purpose described in subsection (b)paragraph (1), (2), (3), (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), or (14) of section 102(d).; and
    5. abide by any such opt-out designation made by an individual and communicate such designation to all relevant service providers.
    1. RIGHT TO OPT OUT OF TARGETED ADVERTISING.—A covered entity that engages in targeted advertising shall—
    1. provide an individual with a clear and conspicuous means to opt out of the processing and transfer of covered data of the individual in furtherance of targeted advertising;
    2. upon establishment of the opt-out mechanism described in subsection (b), allow an individual to make an opt-out designation with respect to targeted advertising through an the opt-out mechanism as described in subsection (b); and
    3. abide by any such opt-out designation made by an individual and communicate such designation to all relevant service providers and third parties.
    1. CENTRALIZED UNIVERSAL CONSENT AND OPT-OUT MECHANISM.—
    1. IN GENERAL.—Not later than 2 years after the date of the enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, promulgate regulations, in accordance with section 553 of title 5, United States Code, to establish requirements and technical specifications for a privacy protective, centralized one or more opt out mechanisms (including global privacy signals such as browser or device privacy settings and registries of identifiers) for individuals to exercise the opt-out rights established under this title, through a single interface that—
    1. ensures that the opt-out preference signal—
    1. is user friendly, clearly described, and easy to use by a reasonable individual;
    2. does not require that the an individual provide additional information beyond what is reasonably necessary to indicate such preference;
    3. clearly represents an individual’s the preference of an individual and is free of defaults constraining or presupposing such preference;
    4. is provided in any language the ten most used languages in which the a covered entity provides products or services subject to the opt out, or if the entity provides products or services in less than 10 languages, is provided in the number of languages in which the covered entity provides a product or service; and
    5. is provided in a manner that is reasonably accessible to and usable by individuals living with disabilities.; and
    6. does not conflict with other commonly-used privacy settings or tools that an individual may employ;
    1. provides a mechanism for the an individual to selectively opt out of the covered entity’s collection, processing, retention, or transfer of covered data by a covered entity, without affecting the individual’s preferences of the individual with respect to other entities or disabling the opt-out preference signal globally;
    2. states that, in the case of a page or setting view that the individual accesses to set the opt-out preference signal, the individual should see up to 2 choices, corresponding to the rights established under subsection (a); and
    3. ensures that the opt-out preference signal applies neutrally and that the opt-out preference signal will be registered and set only by the individual and not by a third party or another individual, that is not an entity, on behalf of the individual..
    1. EFFECT OF DESIGNATIONS.—A covered entity shall abide by any designation made by an individual through any mechanism that meets the requirements and technical specifications promulgated under paragraph (1).

    SEC. 107. INTERFERENCE WITH CONSUMER RIGHTS.

    1. DARK PATTERNS PROHIBITED.—
    1. IN GENERAL.—A covered entity shall may not use dark patterns to—
    1. divert an individual’s the attention of an individual from any notice required under this Act title;
    2. impair an individual’s the ability of an individual to exercise any right under this Act title; or
    3. obtain, infer, or facilitate an individual’s the consent of an individual for any action that requires an individual’s consent under this Act title.
    1. CLARIFICATION.—Any agreement by an individual that is obtained, inferred, or facilitated through dark patterns shall does not constitute consent for any purpose under this title.
    1. INDIVIDUAL AUTONOMY.—A covered entity may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in this Act title through the use of any false, fictitious, fraudulent, or materially misleading statement or representation.

    SEC. 108. PROHIBITION ON DENIAL OF SERVICE AND WAIVER OF RIGHTS.

    1. RETALIATION THROUGH SERVICE OR PRICING PROHIBITED.—A covered entity may not retaliate against an individual for exercising any of the rights guaranteed by the Act title, or any regulations promulgated under this Act title, including by denying products goods or services, charging different prices or rates for products goods or services, or providing a different level of quality of products or services.
    2. RULES OF CONSTRUCTION.—
    1. BONA FIDE LOYALTY PROGRAMS.—
    1. IN GENERAL.—Nothing in subsection (a) may be construed to prohibit a covered entity from offering—
    1. a different price, rate, level, quality, or selection of products goods or services to an individual, including offering products goods or services for no fee, if the offering is in connection with an individual’s the voluntary participation of the individual in a bona fide loyalty program, provided that and if—
    1. the individual provided affirmative express consent to participate in such bona fide loyalty program;
    2. the covered entity provides an individual with means to withdraw abides by the affirmative express consent previously provided exercise by the individual of any in the manner set forth in right provided by subsection (b) or (c) of section 102(b), section 105, or section 1063(b)(2); and
    3. the sale of covered data is not a condition of participation in the bona fide loyalty program abides by an individual’s exercise of any right described in sections 3(b)(2), 5, or 6; and
    4. the individual provides affirmative express consent for the transfer of any data collected in connection with; and or
    1. different prices, rates, levels, qualities, or selection of goods or services, or functionalities with respect to a product or service based on an individual’s the decision of an individual to terminate membership in a bona fide loyalty program or to exercise a right under section 105(a)(3) that deletes to delete covered data that is strictly necessary for participation in the bona fide loyalty program.
    1. BONA FIDE LOYALTY PROGRAM DEFINED.—For purposes of this paragraph section, the term ‘‘bona fide loyalty program’’ includes rewards, premium features, discounts, or and club card programs offered by a covered entity that is not a covered high-impact social media company or data broker.
    1. MARKET RESEARCH.—Nothing in subsection (a) may be construed to prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research.
    2. DECLINING A PRODUCT OR SERVICE.— Nothing in subsection (a) may be construed to prohibit a covered entity from declining to provide a product or service insofar as or a bona fide loyalty program, if the collection, processing, retention, or transfer affected by the relevant individual exercising a right guaranteed by this title of covered data is strictly necessary, proportionate, and limited to providing for the function of such product or service.

    SEC. 109. DATA SECURITY AND PROTECTION OF COVERED DATA.

    1. ESTABLISHMENT OF DATA SECURITY PRACTICES.—
    1. IN GENERAL.—A Each covered entity and or service provider shall establish, implement, and maintain reasonable data security practices to protect—
    1. the confidentiality, integrity, and accessibility availability of covered data; and
    2. covered data against unauthorized access.
    1. CONSIDERATIONS.—The data security practices required under paragraph (1) shall be appropriate to—
    1. the size and complexity of the covered entity or service provider;
    2. the nature and scope of the covered entity’s or the service provider’s relevant collecting, processing, retaining, or transferring of covered data, taking into account such covered entity’s or service provider’s changing business operations with respect to covered data;
    3. the volume, nature, and sensitivity of the covered data at issue; and
    4. the state-of-the-art (and limitations thereof) in administrative, technical, and physical safeguards for protecting such covered data.
    1. SPECIFIC REQUIREMENTS.—The data security practices required under subsection (a) shall include, for each respective entity’s own system, at a minimum, the following practices:
    1. ASSESS VULNERABILITIES.—Routinely identifying and assessing any reasonably foreseeable internal or external risk to, and or vulnerability in, each system maintained by the covered entity or service provider that collects, processes, retains, or transfers covered data, including unauthorized access to or corruption of such covered data, human vulnerabilities, access rights, and the use of service providers. Such activities shall include developing a plan to receive for receiving and considering unsolicited reports of vulnerability by any entity or individual, and, if such report is reasonably credible, performing a reasonable and timely investigation of such report and take taking appropriate action necessary to protect covered data against such the vulnerability.
    2. PREVENTATIVE AND CORRECTIVE ACTION.—
    1. IN GENERAL.—Taking preventative and corrective action to mitigate any reasonably foreseeable internal or external risk to, or vulnerability of, to covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability and the covered entity’s or service provider’s role of the covered entity or service provider in collecting, processing, retaining, or transferring the data, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.
    2. EVALUATION OF PREVENTATIVE AND CORRECTIVE ACTION.—Evaluating and making reasonable adjustments to the action described in subparagraph (A) in light of any material changes in state-of-the-art technology, internal or external threats to covered data, and the covered entity’s or service provider’s changing business operations with respect to covered data.
    1. INFORMATION RETENTION AND DISPOSAL.—Disposing of covered data (either by or at the direction of a the covered entity) that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, retained, or transferred, unless an individual has provided affirmative express consent to such retention a permitted purpose under section 102 applies, except that retention and disposal of biometric information shall be governed by section 102(c)(3). Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.
    2. RETENTION SCHEDULE.—Developing, maintaining, and adhering to a retention schedule for covered data disposal consistent with the practices and procedures required in paragraph (3).
    3. TRAINING.—Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.
    4. INCIDENT RESPONSE.—Implementing procedures to detect, respond to, and recover from data security incidents, including breaches of data security.
    1. REGULATIONS.—The Commission may, in consultation with the Secretary of Commerce, promulgate in accordance with section 553 of title 5, United States Code, technology-neutral, process-based regulations to carry out this section.

    SEC. 110. EXECUTIVE RESPONSIBILITY.

    1. DESIGNATION OF PRIVACY AND DATA SECURITY OFFICERS.—
    1. DESIGNATION.—IN GENERAL.—A covered entity or service provider (eExcept for an entity that is a large data holder, a covered entity or service provider) shall designate 1 or more qualified employees to serve as privacy or and data security officers.
    2. REQUIREMENTS FOR OFFICERS.—An employee who is designated by a covered entity or service provider as a privacy or and data security officer shall, at a minimum—
    1. implement a data privacy program and a data security program to safeguard the privacy and security of covered data in compliance with the requirements of this Act title; and
    2. facilitate the covered entity’s or service provider’s ongoing compliance of the covered entity or service provider with this Act title.
    1. REQUIREMENTS FOR LARGE DATA HOLDERS.—
    1. DESIGNATION.—A covered entity or service provider that is a large data holder shall designate 1 qualified employee to serve as privacy officer and 1 qualified employee to serve as a data security officer.
    2. ANNUAL CERTIFICATION.—
    1. IN GENERAL.—Beginning on the date that is 1 year after the date of the enactment of this Act, the chief executive officer of a large data holder (or, if the large data holder does not have a chief executive officer, the highest ranking officer of the large data holder) and each privacy officer and data security officer of such large data holder designated under subparagraph (A1), shall annually certify to the Commission, in a manner specified by the Commission, that the large data holder implements and maintains—
    1. internal controls reasonably designed, implemented, maintained, and monitored to comply with this Act title; and
    2. internal reporting structures (as described in subparagraph (C3)) to ensure that such certifying officers are involved in, and responsible for, decisions that impact compliance by the large data holder with this Act title.
    1. REQUIREMENTS.—A certification submitted under clause (i) subparagraph (A) shall be based on a review of the effectiveness of a large data holder’s the internal controls and reporting structures of the large data holder that is conducted by the certifying officers not more than 90 days before the submission of the certification.
    1. INTERNAL REPORTING STRUCTURE REQUIREMENTS.—At least 1 of the officers designated described in subparagraph (A under paragraph (1) shall, either directly or through a supervised designee—
    1. establish processes practices to periodically review and update, as necessary, the privacy and security policies, practices, and procedures of the large data holder, as necessary;
    2. conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder comply with this Act title and, upon request, make such audits available to the Commission;
    3. develop a program to educate and train employees about the requirements of this Act title;
    4. maintain updated, accurate, clear, and understandable records of all material significant privacy and data security practices of the large data holder; and
    5. serve as the point of contact between the large data holder and enforcement authorities.
    1. PRIVACY IMPACT ASSESSMENTS.—
    1. IN GENERAL.—Not later than 1 year after the date of the enactment of this Act or 1 year after the date that on which an entity first meets the definition of the term “large data holder”, whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the entity’s covered data collection, processing, retention, and transfer practices of the entity against the potential adverse consequences of such practices to individual privacy.
    2. ASSESSMENT REQUIREMENTS.—A privacy impact assessment required under clause (i) subparagraph (A) shall be—
    1. reasonable and appropriate in scope given—
    1. the nature and volume of the covered data collected, processed, retained, or transferred by the large data holder; and
    2. the potential risks posed to the privacy of individuals by the collection, processing, retention, and transfer of covered data by the large data holder;
    1. documented in written form and maintained by the large data holder, unless rendered out of date by a subsequent assessment conducted under clause (i); and  for as long as the relevant privacy policy is required to be retained under section 104(f)(1); and
    2. approved by the privacy officer of the large data holder.
    1. ADDITIONAL FACTORS TO INCLUDE IN ASSESSMENT.—In assessing the privacy risks for purposes of an assessment conducted under subparagraph (A), including significant risks of harm to the privacy of an individual or security of covered data, the large data holder shall include reviews of the means by which emerging technologies, including blockchain and, distributed ledger technologies, and other emerging technologies, including privacy enhancing technologies, and other emerging technologies are used to secure covered data.

    SEC. 111. SERVICE PROVIDERS AND THIRD PARTIES.

    1. SERVICE PROVIDERS.—
    1. IN GENERAL.—A service provider that collects, processes, retains, or transfers covered data on behalf of or at the direction of a covered entity or another service provider
    1. shall adhere to the instructions of a the covered entity and only collect, process, retain, or transfer service provider covered data only to the extent necessary, proportionate, and limited to provide a service requested by the covered entity, as set out in the contract required under described in paragraph (2);
    2. may not collect, process, retain, or transfer covered data if the service provider has actual knowledge that a the covered entity violated this Act title with respect to such data;
    3. shall assist a the covered entity in fulfilling the covered entity’s obligations of the covered entity to respond to consumer rights requests pursuant to sections 5, 6, and 14 this title by
    1. providing appropriate technical and organizational measures support, taking into account the nature of the processing and the information reasonably available to the service provider, for the covered entity to comply with such request for covered data; or
    2. fulfilling a request by a covered entity to execute a consumer rights request that the covered entity has determined should be compiled with, by either—
    1. complying with the request pursuant to the covered entity’s instructions; or
    2. providing written verification to the covered entity that it does not hold data related to the request, that complying with the request would be inconsistent with its legal obligations, or that the request falls within an exception pursuant to this title
    1. shall, upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the service provider’s compliance of the service provider with the requirements of this Act title;
    2. shall delete or return, as directed by the covered entity, all covered data as soon as practicable after the contractually agreed upon end of the provision of services, unless the service provider’s retention by the service provider of the covered data is required by law;
    3. may engage another service provider for purposes of processing or retaining covered data on behalf of a the covered entity only after exercising reasonable due diligence care in selecting such other service provider as required by subsection (d), providing such the covered entity with written notice of the engagement, and pursuant to a written contract that requires such other service provider to satisfy the requirements of this Act title with respect to covered data; and
    4. shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data the service provider processes consistent with section 9; and
    1. shall—
    1. allow and cooperate with reasonable assessments by the covered entity at least once annually; or
    2. arrange for a qualified and independent assessor to conduct an assessment of the service provider’s policies and technical and organizational measures of the service provider in support of the obligations under this Act title at least once annually, using an appropriate and accepted control standard or framework and assessment procedure for such assessments and report the results of such assessment to the covered entity.
    1. CONTRACT REQUIREMENTS.—An entity may only operate as a service provider pursuant to any contract between a covered entity and a service provider. Such contract
    1. shall govern the service provider’s data processing procedures of the service provider with respect to any collection, processing, retention, or transfer performed on behalf of the covered entity;
    2. shall clearly set forth—
    1. instructions for collecting, processing, retaining, or transferring data;
    2. the nature and purpose of the collection, processing, retention, or transfer;
    3. the type of data subject to collection, processing, retention, or transfer;
    4. the duration of the processing or retention; and
    5. the rights and obligations of both parties;
    1. shall may not relieve a the covered entity or service provider of any obligation under this Act title; and
    2. shall prohibit—
    1. the collection, processing, retention, or transfer of covered data in a manner that does not comply with the requirements of paragraph (1); and
    2. combining service provider covered data that the service provider receives from or on behalf of 1 covered entity with covered data which that the service provider receives from or on behalf of another entity or collects from the interaction of the service provider with an individual, provided that unless such combining is not necessary to effectuate a purpose described in section 1023(d), other than paragraph (7), (14), (15), or (16) of such section, and is otherwise permitted under the contract required by this subsection.
    1. THIRD PARTIES.—
    1. IN GENERAL.—A third party— shall  may not process, retain, or transfer third- party data for a purpose other than—
    1. in the case of sensitive covered data, the a purpose for which an individual gave affirmative express consent for the transfer of the individual’s sensitive covered data pursuant to subsection (b) or (c) of section 102; or
    2. in the case of sensitive covered data that does not require affirmative express consent pursuant to subsection (b) of section 102, a purpose for which the covered entity or service provider made a disclosure pursuant to section 104; or
    3. in the case of covered data that is not sensitive covered data, a purpose for which the covered entity or service provider made a disclosure pursuant to section 4;102 or 104.
    1. CONTRACT REQUIREMENTS.—Before transferring covered data for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred the third-party data regarding the expectations of to a reasonable person based on disclosures by to a third party, a covered entity shall enter into a contract with the covered entity about third party that—
    1. Identifies the treatment of purposes for which covered such data, provided that the  is being transferred consistent with paragraph (1);
    2. specifies that the third party conducts reasonable due diligence on may only use the representations of the covered entity and finds those representations to be credible data for such purposes; and 
    3. shall be exempt from the requirements of section 3(b) with respect to third-party data, but shall otherwise have the same responsibilities and obligations as a covered entity with respect to such covered data under transferred, requires the third party to comply with all other applicable provisions of, and regulations promulgated under, this Act title;
    4. requires the third party to notify the covered entity or service provider if the third party makes a determination that the third party can no longer meet the obligations of the third party under this title; and  
    5. grants the covered entity the right, upon notice (including under subparagraph (D)), to take reasonable and appropriate steps to stop and remediate unauthorized use of covered data by the third party.
    1. RULES OF CONSTRUCTION.—
    1. SUCCESSIVE ACTOR VIOLATIONS.—
    1. IN GENERAL.—With respect to a violation of this Act title by a service provider or third party regarding covered data received by the service provider or third party from a covered entity or another service provider, the covered entity or service provider that transferred such covered data to the service provider or third party shall may not be considered to be in violation of this Act title if the covered entity or service provider transferred the covered data to the service provider or third party in compliance with the requirements of this Act title and, at the time of transferring such covered data, the covered entity or service provider did not have actual knowledge, or reason to believe, that the service provider or third party intended to violate this Act title.
    2. KNOWLEDGE OF VIOLATION.—An A covered entity or service provider that transfers covered data to a service provider or third party and has actual knowledge, or reason to believe, that such service provider or third party is violating, or is about to violate, the requirements of this Act title shall immediately cease the transfer of covered data to such service provider or third party.
    1. PRIOR ACTOR VIOLATIONS.—An entity that collects, processes, retains, or transfers covered data in compliance with the requirements of this Act title shall may not be considered to be in violation of this Act title as a result of a violation by an entity from which it receives, or on whose behalf it collects, processes, retains, or transfers, covered data.
    1. DUE DILIGENCE REASONABLE CARE.—
    1. SERVICE PROVIDER SELECTION.—A covered entity or service provider shall exercise reasonable due diligence care in selecting a service provider.
    2. TRANSFER TO THIRD PARTY.—A covered entity or service provider shall exercise reasonable due diligence care in deciding to transfer covered data to a third party.
    3. GUIDANCE.—Not later than 2 years after the date of the enactment of this Act, the Commission shall publish guidance regarding compliance with this subsection.
    1. RULE OF CONSTRUCTION.—Solely for purposes of this section, the requirements under this section for service providers to contract with, assist, and follow the instructions of covered entities shall also apply to any entity that collects, processes, retains, or transfers covered data for the purpose of performing services on behalf of, or at the direction of, government entity, as though such government entity were a covered entity.

    SEC. 112. DATA BROKERS.

    1. NOTICE.—A data broker shall—
    1. establish and maintain a publicly accessible available website; and
    2. place a clear, and conspicuous, and not misleading, and readily accessible notice on such publicly accessible available website and any mobile application of the data broker that—
    1. states that the entity is a data broker, using specific language that the Commission shall develop through guidance not later than 180 days after the date of the enactment of this Act;
    2. states that an individual has a right to may exercise the rights a right described in sections 105 and or 106, and including includes a link or other tool to allow an individual to exercise such rights;
    3. includes a link to the website established under described in subsection (c)(3); and 
    4. is reasonably accessible to and usable by individuals living with disabilities; and
    5. is provided in any language in which the data broker provides products or services.
    1. PROHIBITED PRACTICES.—A data broker is prohibited from may not—
    1. advertising advertise or marketing the access to, or the transfer of, covered data for the purposes of—
    1. stalking or harassing another individual; or
    2. engaging in fraud, identity theft, or unfair or deceptive acts or practices; or
    1. misrepresenting the business practices of the data broker.
    1. DATA BROKER REGISTRATION.—
    1. IN GENERAL.—Not later than January 31 of each calendar year that follows a calendar year during which an entity acted as a data broker with respect to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual, such entity shall register with the Commission in accordance with this subsection.
    2. REGISTRATION REQUIREMENTS.—In registering with the Commission as required under paragraph (1), a data broker shall do the following:
    1. Pay to the Commission a registration fee of $100.
    2. Provide the Commission with the following information:
    1. The legal name and primary valid physical postal address, email address, and internet addresses of the data broker.
    2. A description of the categories of covered data the data broker collects, processes, retains, and or transfers.
    3. The contact information of the data broker, including the name of a contact person, a human-monitored telephone number, a human-monitored e-mail address, a website, and a physical mailing address.
    4. A link to a website through which an individual may easily exercise the rights described in subsection (a)(2)(B)sections 105 and 106.
    1. DATA BROKER REGISTRY.—
    1. ESTABLISHMENT.—The Commission shall establish and maintain on a publicly available website a searchable registry list of data brokers that are registered with the Commission under this subsection.
    2. REQUIREMENTS.—The registry established under subparagraph (A) shall—
    1. allow members of the public to search for and identify data brokers;
    2. include the information required under paragraph (2)(B) for each data broker; and 
    3. includes a mechanism by which an individual including a parent acting on behalf of a child, may submit a request to all registered data brokers that are not consumer reporting agencies (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))), and to the extent such third-party collecting entities are not acting as consumer reporting agencies (as so defined), a ‘‘Do Not Collect’’ directive such request that any results in registered data broker shall ensure that the data brokers no longer collects collecting covered data related to such individual without the affirmative express consent of such individual, except insofar as the data broker is acting as a service provider;
    4. include a mechanism by which an individual, including a parent acting on behalf of a child, may submit to all registered data brokers a “Delete My Data” request that results in registered data brokers deleting all covered data related to such individual that the data broker did not collect directly from such individual or when acting as a service provider.
    1. AFFORDABILITY.— A data broker may not charge an individual a fee to exercise a right under this paragraph.
    1. DO NOT COLLECT AND DELETE MY DATA REQUESTS.—
    1. COMPLIANCE.—Subject to subparagraph (B), each data broker that receives a request from an individual using the mechanism established under paragraph (3)(B)(iii) or (3)(B)(iv), and not a third party on behalf of the individual, shall comply with such request not later than 30 days after the date on which the request is received by the data broker receiving such request.
    2.  EXCEPTION.—A data broker may decline to fulfill a request from an individual if where
    1. the data broker has actual knowledge that the individual has been convicted of a crime related to the abduction or sexual exploitation of a child; and
    2. the data collected by the data broker is necessary—
    1. to carry out a national or State-run sex offender registry; or
    2. for the National Center for Missing and Exploited Children.
    3. for the Congressionally designated entity that serves as the nonprofit national resource center and clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public regarding issues related to missing and exploited children.
    1. PENALTIES.—
    1. IN GENERAL.—Subject to paragraph (2), a data broker that violates this section shall be liable for civil penalties as set forth in subsections (l) and (m) of section 5 of the Federal Trade Commission Act, (15 U.S.C. 45(l), (m)).
    2. EXCEPTIONS.—A data broker that—
    1. fails to register with the Commission as required by subsection (c) shall be liable for—
    1. a civil penalty of $100 for each day the data broker fails to register, not to exceed a total of $10,000 for any year; and
    2. an amount equal to the registration fee due under subsection (c)(2)(A) for each year that the data broker failed to register as required under subsection (c)(1); or
    1. fails to provide notice as required by subsection (a) shall be liable for a civil penalty of $100 for each day the data broker fails to provide such notice, not to exceed a total of $10,000 for any year.
    1. RULE OF CONSTRUCTION.—Except as set forth in paragraph (2), nothing in this subsection shall be construed as altering, limiting, or affecting any enforcement authority or remedy provided under this Act.

    SEC. 113. CIVIL RIGHTS AND ALGORITHMS.

    1. CIVIL RIGHTS PROTECTIONS.—
    1. IN GENERAL.—A covered entity or a service provider may not collect, process, retain, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.
    2. EXCEPTIONS.—This subsection shall does not apply to—
    1. the collection, processing, retention, or transfer of covered data for the purpose of—
    1. a covered entity’s or a service provider’s self-testing by a covered entity or service provider to prevent or mitigate unlawful discrimination; or 
    2. diversifying expanding an applicant, participant, or customer pool; or
    3. solely determining participation of an individual in market research; or
    1. any private club or group other establishment not open to the public, as described in section 201(e) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(e)). ; or
    2. advertising, marketing, or soliciting economic opportunities or benefits to underrepresented populations or members of protected classes as described in paragraph (1).
    1. FTC ENFORCEMENT ASSISTANCE.—
    1. IN GENERAL.—Whenever the Commission obtains information that a covered entity or service provider may have collected, processed, retained, or transferred covered data in violation of ~~this subsection~~ subsection (a), the Commission shall transmit such information as allowable under Federal law to any Executive agency with authority to initiate enforcement actions or proceedings relating to such violation.
    2. ANNUAL REPORT.—Not later than 3 years after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report that includes a summary of—
    1. the types of information the Commission transmitted to Executive agencies under ~~paragraph (1)~~ subparagraph (A) during the previous 1-year period; and
    2. how such information relates to Federal civil rights laws.
    1. TECHNICAL ASSISTANCE.—In transmitting information to an Executive agency under ~~paragraph (1)~~ subparagraph (A), the Commission may consult and coordinate with, and provide technical and investigative assistance to, as appropriate, such Executive agency.
    2. COOPERATION WITH OTHER AGENCIES.— The Commission may implement this subsection by executing agreements or memoranda of understanding with the appropriate Executive agencies.
    1. COVERED ALGORITHM ~~IMPACT~~ ASSESSMENT AND EVALUATION.—
    1. COVERED ALGORITHM IMPACT ASSESSMENT.—
    1. IMPACT ASSESSMENT.—Notwithstanding any other provision of law, not later than 2 years after the date of the enactment of this Act, and annually thereafter, as well as upon deployment, a large data holder that uses a covered algorithm ~~in a manner that poses~~ to make a consequential ~~risk of a harm identified under subparagraph (B)(vi) to an individual or group of individuals and uses such covered algorithm~~ decision, solely or in part, to collect, process, or transfer covered data shall conduct, or shall engage a certified independent auditor to conduct, an impact assessment of such algorithm in accordance with subparagraph (B).
    2. (B) IMPACT ASSESSMENT SCOPE.—~~An~~ The impact assessment required under subparagraph (A) shall ~~provide~~ include the following:
    (i) A detailed description of the design process and methodologies of the covered algorithm.
    1. A statement of the purpose and proposed uses ~~of~~ for which the covered algorithm is deployed, and the extent to which the use of the covered algorithm is consistent with or varies from the developer’s description of the intended purpose.
    2. A detailed description of the data used by the covered algorithm, including the specific categories of data that ~~will be~~ are processed as inputs by the covered algorithm being deployed, and an explanation of how ~~the~~ any data used ~~to~~ is representative, proportional, and appropriate to ~~train the model that~~ deployment of the covered algorithm ~~relies on~~, if applicable.
    3. A description of the outputs produced by the covered algorithm.
    4. An assessment of the necessity and proportionality of the covered algorithm in relation to its stated purpose~~.~~, including benefits and limitations.
    5. If applicable, an overview of the type of data the large data holder used to retrain the covered algorithm.
    6. If applicable, metrics for evaluating the covered algorithm’s performance and known limitations.
    7. If applicable, transparency measures, including information identifying to individuals when a covered algorithm is in use.
    8. If applicable, post-deployment monitoring and user safeguards, including a description of the oversight process in place to address issues as they arise.
    9. The potential for use of the covered algorithm to cause a harm, including harm to an individual or group of individuals on the basis of protected characteristics, whether an individual is a covered minor, or an individual’s political party registration, and ~~A~~ a detailed description of steps the large data holder has taken or will take to mitigate potential harms from the covered algorithm to an individual or group of individuals, including related to—
    1. covered minors;
    2. making or facilitating advertising for, or determining access to, or restrictions on the use of housing, education, employment, healthcare, insurance, or credit opportunities;
    3. determining access to, or restrictions on the use of, any place of public accommodation, particularly as such harms relate to the protected characteristics of individuals, including race, color, religion, national origin, sex, or disability;
    4. disparate impact on the basis of individuals’ race, color, religion, national origin, sex, or disability status; or
    5. disparate impact on the basis of individuals’ political party registration status.
    1. REPORT.—A certified independent auditor engaged under subparagraph (A) shall submit a report of its findings and recommendations to the large data holder.
    1. ALGORITHM DESIGN EVALUATION.—
    1. DESIGN EVALUATION.—Notwithstanding any other provision of law, not later than 2 years after the date of the enactment of this Act, a covered entity or service provider that knowingly develops a covered algorithm designed, wholly or in part, to make a consequential decision shall, prior to deploying the covered algorithm in interstate commerce, conduct, or engage a certified independent auditor to conduct, ~~evaluate the~~ a design~~, structure, and inputs~~ evaluation of the covered algorithm, including any training data used to develop the covered algorithm in accordance with subparagraph (B), to reduce the risk of the potential harms identified under paragraph (1)(B)(vi).
    2. DESIGN EVALUATION SCOPE.—The design evaluation required under subparagraph (A) shall provide the following:
    1. The purpose of the covered algorithm, the intended use cases, and the benefits and limitations of the covered algorithm.
    2. The covered algorithm’s methodology.
    3. The inputs the covered algorithm is intended to use and the outputs the intended algorithm is designed to produce.
    4. An overview of how the covered algorithm was trained and tested, including—
    1. the types of data used to train the covered algorithm and how the data was collected and processed; and
    2. measures used to test performance of the covered algorithm.
    1. The potential for use of the covered algorithm to cause harm, including harm to an individual or group of individuals on the basis of protected characteristics, whether an individual is a covered minor, or an individual’s political party registration, and a detailed description of steps the covered entity or service provider has taken or will take to mitigate potential harms from the covered algorithm to an individual or group of individuals.
    1. REPORT.—A certified independent auditor engaged under subparagraph (A) shall submit a report of its findings and recommendations to the covered entity or service provider.
    2. COMPLIANCE ASSISTANCE.—A covered entity or service provider that develops a covered algorithm shall provide a large data holder that is subject to paragraph (1) with the technical capability to access or otherwise make available to such large data holder the information reasonably necessary for the large data holder to comply with its requirement to conduct an impact assessment under this title, including documentation regarding a covered algorithm’s capabilities, known limitations, and guidelines for intended use. Nothing in this title shall require the disclosure of trade secrets or other information.
    1. OTHER CONSIDERATIONS.—
    1. FOCUS.—In complying with paragraphs (1) and (2), a covered entity and a service provider may focus the impact assessment or evaluation on any covered algorithm, or portions of a covered algorithm, that will be put to use and may reasonably contribute to the risk of the potential harms identified under paragraph (1)(B)(vi).

    1. AVAILABILITY.—
    1. LARGE DATA HOLDERS.—A large data holder that does not engage a certified independent auditor for an impact assessment [under paragraph (1) shall submit each impact assessment] of the large data holder under paragraph (1) to the National Telecommunications and Information Administration not later than 30 days after completing the impact assessment.
    2. COVERED ENTITIES.—A covered entity that does not engage a certified independent auditor for a design evaluation under paragraph (2) shall submit each design evaluation of the covered entity under paragraph (2) to the National Telecommunications and Information Administration not later than 30 days after completing the design evaluation.
    3. ENGAGED AUDITORS.—A covered entity, service provider, or large data holder that engages a certified independent auditor for an impact assessment or design evaluation under paragraph (1) or (2) shall—
    1. certify to the National Telecommunications and Information Administration, not later than 30 days after the covered entity or service provider receives each certified independent auditor’s report of findings and recommendations, that the covered entity or service provider has completed the impact assessment or design evaluation; and
    2. retain the certified independent auditor’s report of findings and recommendations for at least 5 years.
    1. OTHER AVAILABILITY.—A covered entity, service provider, or large data holder that conducts an impact assessment or design evaluation under this subsection—
    1. shall, upon request, make such impact assessment or evaluation available to Congress; and
    2. may make a summary of such impact assessment or evaluation publicly available in a place that is easily accessible to individuals.
    1. ~~IN GENERAL.—A covered entity and a service provider—~~
    1. ~~shall, not later than 30 days after completing an impact assessment or evaluation under paragraph (1) or (2), submit the impact assessment or evaluation to the Commission;~~
    2. ~~shall, upon request, make such impact assessment and evaluation available to Congress; and~~
    3. ~~may make a summary of such impact assessment and evaluation publicly available in a place that is easily accessible to individuals.~~
    1. TRADE SECRETS.—A covered entity or service provider may redact and segregate any trade secret (as defined in section 1839 of title 18, United States Code) or other confidential or proprietary information from public disclosure under this ~~subsection.~~ subparagraph, and the Commission shall abide by its obligations under section 6(f) of the Federal Trade Commission Act (15 U.S.C. 46(f)) with respect to such information.

    1. LIMITATION ON ENFORCEMENT.—
    1. IN GENERAL.—Subject to clause (ii), the Commission may not use any information obtained solely and exclusively through a covered entity or a service provider’s disclosure of information to the Commission in compliance with this section for any purpose other than to carry out the provisions of this Act, including the study and report described in paragraph (6).
    2. EXCEPTIONS.—
    1. PROVISION TO CONGRESS.— The limitation described in clause (i) does not preclude the Commission from providing such information to Congress in response to a subpoena.
    2. CONSENT ORDERS.—The limitation described in clause (i) does not preclude the Commission from enforcing a consent order entered into with the applicable covered entity or service provider.
    1. GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, ~~shall~~ publish guidance regarding compliance with this section.
    2. RULEMAKING AND EXEMPTION.—The Secretary of Commerce Commission may promulgate regulations, in accordance with section 553 of title 5, United States Code, as necessary to establish a process processes by which an entity shall submit an impact assessment or design evaluation conducted under paragraph (1) or (2), or a certification of an impact assessment or design evaluation conducted under paragraph (1) or (2) by a certified independent auditor, to the National Telecommunications and Information Administration. 
    1. large data holder shall submit an impact assessment to the Commission under paragraph (3)(B)(i)(I); and
    2. large data holder, covered entity, or service provider may exclude from this subsection any covered algorithm that presents low or minimal risk of the potential harms identified under paragraph (1)(B)(vi) to an individual or group of individuals.
    1. CERTIFIED INDEPENDENT AUDITOR DEFINED.—For the purposes of this section, the term ‘‘certified independent auditor’’—
    1. means a person that conducts a design evaluation or impact assessment of a covered algorithm in a manner that exercises objective and impartial judgment on all issues within the scope of such evaluation or assessment; and
    2. does not include a person if such person—
    1. is or was involved in using, developing, offering, licensing, or deploying the covered algorithm;
    2. at any point during the design evaluation or impact assessment, has or had an employment relationship with a covered entity or service provider that uses, offers, or licenses the covered algorithm; or
    3. at any point during the design evaluation or impact assessment, has or had a direct financial interest or a material indirect financial interest in a covered entity or service provider that uses, offers, or licenses the covered algorithm.

    1. STUDY AND REPORT.—
    1. STUDY.—The Commission, in consultation with the Secretary of Commerce, shall conduct a study to review any impact assessment or evaluation submitted under this subsection. Such study shall include an examination of—
    1. best practices for the assessment and evaluation of covered algorithms; and
    2. methods to reduce the risk of harm to individuals that may be related to the use of covered algorithms.
    1. REPORT.—
    1. INITIAL REPORT.—Not later than 3 years after the date of enactment of this Act, the Commission, in consultation with the Secretary of Commerce, shall submit to Congress a report containing the results of the study conducted under subparagraph (A), together with recommendations for such legislation and administrative action as the Commission determines appropriate.
    2. ADDITIONAL REPORTS.—Not later than 3 years after submission of the initial report under clause (i), and as the Commission determines necessary thereafter, the Commission shall submit to Congress an updated version of such report.

    SEC. 14. CONSEQUENTIAL DECISION OPT OUT.

    1. (a) IN GENERAL.—Beginning not later than 90 days after the date on which the guidance required by subsection (c) is issued, a covered entity that uses a covered algorithm to make or facilitate a consequential decision shall—
    1. (1) provide—
    1. (A) notice to any individual subject to such use of the covered algorithm; and
    2. (B) an opportunity for the individual to opt out of such use of the covered algorithm and to instead have such consequential decision made by a human; and
    1. (2) abide by any opt-out designation made by an individual under paragraph (1)(B), unless allowing the individual to opt out would be demonstrably impracticable due to technological limitations or would be prohibitively costly, and the covered entity shall provide to the individual a detailed description regarding the inability to comply with the request due to technology or cost.
    1. (b) NOTICE.—The notice required under subsection (a)(1)(A) shall—
    1. be clear and conspicuous and not misleading;
    2. provide meaningful information about how the covered algorithm makes or facilitates a consequential decision, including the range of potential outcomes;
    3. be provided in each language in which the covered entity—
    1. provides a product or service subject to the use of ~~the~~ such covered algorithm; or
    2. carries out activities related to such product or service; and
    1. be reasonably accessible to and usable by individuals living with disabilities.
    1. (c) GUIDANCE.—Not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Secretary of Commerce, ~~shall~~ publish guidance regarding compliance with this section.
    2. (d) CONSEQUENTIAL DECISION DEFINED.—For the purposes of this section, the term ‘‘consequential decision’’ means a determination or an offer, including through advertisement, that uses covered data and relates to—
    1. (1) an individual’s or a class of individuals’ access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities; or
    2. (2) access to, or restrictions on the use of, any place of public accommodation.

    SEC. 113. COMMISSION APPROVED COMPLIANCE GUIDELINES.

    1. APPLICATION FOR COMPLIANCE GUIDELINE APPROVAL.—
    1. (1) IN GENERAL.—A covered entity or service provider that is not a data broker and is not a large data holder, or a group of such covered entities, may apply to the Commission for approval of 1 or more sets of compliance guidelines governing the collection, processing, retention, ~~or~~ and transfer of covered data by the covered entity or covered entities.
    2. APPLICATION REQUIREMENTS.—An application under paragraph (1) shall include—
    1. a description of how the proposed compliance guidelines will meet or exceed the requirements of this ~~title~~ Act;
    2. a description of the entities or activities the proposed set of compliance guidelines are designed to cover;
    3. a list of the covered entities, to the extent known at the time of application, that intend to adhere to the proposed compliance guidelines;
    4. a description of an independent organization, which shall not be associated with any of the ~~intended adhering~~ participating covered entities, that will administer the ~~proposed~~ compliance guidelines; and
    5. a description of how such intended adhering entities will be assessed for adherence to ~~the proposed~~ such compliance guidelines by the independent organization described in subparagraph (D).
    1. COMMISSION REVIEW.—
    1. INITIAL APPROVAL.—
    1. PUBLIC COMMENT PERIOD.—Not later than 90 days after receipt of an application regarding proposed guidelines submitted pursuant to paragraph (1), the Commission shall publish the application and provide an opportunity for public comment on ~~such proposed guidelines~~ the compliance guidelines proposed in such application.
    2. APPROVAL CRITERIA.—The Commission shall approve an application regarding proposed guidelines submitted ~~pursuant to~~ under paragraph (1), including the independent organization ~~that will~~ the application proposed to administer the guidelines proposed in such application, if the applicant demonstrates that the proposed guidelines—
    1. meet or exceed requirements of this title;
    2. provide for regular review and validation by an independent organization to ensure that the covered entity or covered entities adhering to the guidelines continue to meet or exceed the requirements of this title; and
    3. include a means of enforcement if a covered entity does not meet or exceed the requirements in the guidelines, which may include referral to the Commission for enforcement consistent with section 115 or referral to the appropriate State attorney general for enforcement consistent with section 116.
    1. TIMELINE.—Not later than 1 year after the date on which the Commission receives ~~receiving~~ an application regarding proposed guidelines pursuant to paragraph (1), the Commission shall issue a determination approving or denying the application, including the relevant independent organization the application proposed to administer the compliance guidelines proposed in such application, and ~~providing the reasons for approving or denying the application~~ an explanation for such approval or denial.
    1. APPROVAL OF MODIFICATIONS.—
    1. IN GENERAL.—If the independent organization administering a set of compliance guidelines approved under subparagraph (A) makes any ~~material~~ significant changes to the guidelines previously approved by the Commission, the independent organization shall submit the updated compliance guidelines to the Commission for approval. As soon as feasible, the Commission shall publish the updated compliance guidelines and provide an opportunity for public comment.
    2. TIMELINE.—The Commission shall approve or deny any ~~material~~ significant change to guidelines submitted under clause (i) not later than 180 days year after the date on which the Commission receives the submission for approval. ~~Not later than 1 year after receiving the updated compliance guidelines under clause (i), the Commission shall issue a determination approving or denying the material change to such guidelines.~~
    1. WITHDRAWAL OF APPROVAL.—
    1. (1) IN GENERAL.—If at any time the Commission determines that compliance guidelines previously approved under this section no longer meet the requirements of this title or a regulation promulgated under this Act, or that compliance with ~~any such~~ the approved guidelines is insufficiently enforced by the independent organization administering the guidelines, the Commission shall notify the relevant covered entity or group of covered entities and the independent organization of ~~the Commission’s~~ determination of the Commission to withdraw approval of the guidelines, including the basis for the determination.
    2. OPPORTUNITY TO CURE.—
    1. IN GENERAL.—Not later than 180 days after ~~receipt of a~~ receiving notice from the Commission under paragraph (1), the covered entity or group of covered entities and the independent organization may cure any alleged deficiency with the compliance guidelines or the enforcement of the guidelines thereof and submit each proposed cure to the Commission.
    2. EFFECT ON WITHDRAWAL OF APPROVAL.—If the Commission determines that the proposed cures ~~proposed under~~ described in subparagraph (A) eliminate alleged deficiencies in the compliance guidelines, then the Commission may not withdraw the approval of such guidelines on the basis of such ~~deficiencies~~ determination.
    1. CERTIFICATION.—A covered entity with compliance guidelines approved by the Commission under this section shall—
    1. (1) publicly self-certify that the covered entity is in compliance with ~~the~~ such compliance guidelines; and
    2. as part of the self-certification under paragraph (1), indicate the independent organization responsible for assessing compliance with ~~the~~ such compliance guidelines.
    1. REBUTTABLE PRESUMPTION OF COMPLIANCE.— A covered entity ~~that is eligible to participate in~~ with compliance guidelines approved by the Commission under this section~~, participates in the guidelines, and that is in compliance with the guidelines~~ shall be entitled to a rebuttable presumption that the covered entity is in compliance with the relevant provisions of this title ~~to which the~~ if such covered entity is in compliance with such guidelines ~~apply~~.

    SEC. 114. PRIVACY-ENHANCING TECHNOLOGY PILOT PROGRAM.

    1. PRIVACY-ENHANCING TECHNOLOGY DEFINED.— In this section, the term ‘‘privacy-enhancing technology’’—
    1. means any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of information without ~~substantially reducing~~ risking the privacy and security of the information; and
    2.  includes technologies with functionality similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation.
    1. ~~ESTABLISHMENT~~ (a) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall establish and carry out a pilot program to encourage private sector use of privacy-enhancing technologies for the purposes of protecting covered data ~~to comply~~ in compliance with section 109.
    2. PURPOSES.—Under the pilot program established under subsection (b), the Commission shall—
    1. develop and implement a petition process for covered entities to request to be a part of the pilot program; and
    2. build an auditing system that leverages privacy-enhancing technologies to support the enforcement actions of the Commission.
    1. PETITION PROCESS.—A covered entity wishing to be accepted into the pilot program established under subsection (b) shall demonstrate to the Commission that the privacy-enhancing technologies to be used under the pilot program by the covered entity will establish data security practices that meet or exceed all or some of the requirements in section 109. If the covered entity demonstrates the privacy-enhancing technologies meet or exceed the requirements in section 109, the Commission may accept the covered entity to be a part of the pilot program. If the Commission does not accept a covered entity to be a part of the pilot program, the Commission shall provide an adequate response to the covered entity detailing why such entity was not admitted to the pilot program. The covered entity that was not admitted to the pilot program may subsequently revise its petition and amend any deficiencies indicated by the Commission in its response to the covered entity.
    2. REQUIREMENTS.—In carrying out the pilot program established under subsection (b), the Commission shall—
    1. receive input from private, public, and academic stakeholders; and
    2. develop ongoing public and private sector engagement, in consultation with the Secretary of Commerce, to disseminate voluntary, consensus-based resources to increase the integration of privacy-enhancing technologies in data collection, sharing, and analytics by the public and private sectors.
    1. CONCLUSION OF PILOT PROGRAM.—The Commission shall terminate the pilot program established under subsection (b) not later than 10 years after the commencement of the program.

    (b) COVERED ENTITY PARTICIPATION.—

    1. (1) APPLICATION PROCESS.—A covered entity seeking to participate in the pilot program established under subsection (a) shall submit to the Commission, in such time, form, and manner as the Commission may require, an application that demonstrates the ability of the covered entity to use privacy-enhancing technology to establish data security practices that meet or exceed the requirements of section 9.
    2. (2) LIMITATIONS ON LIABILITY.—Any covered entity selected by the Commission to participate in the pilot program shall—
    1. (A) with respect to any action under section 17 or 18 for a violation of section 9, be deemed to be in compliance with section 9 with respect to any covered data subject to the privacy-enhancing technology; and
    2. (B) for any action under section 19 alleging a data breach due to a violation of section 9, be entitled to a rebuttable presumption that such covered entity is in compliance with the relevant requirements under section 9 with respect to any covered data subject to the privacy-enhancing technology.
    1. (3) AUDIT OF COVERED ENTITIES.—
    1. (A) IN GENERAL.—The Commission shall, on an ongoing basis, audit each covered entity participating in the pilot program to determine whether the covered entity is maintaining the use and implementation of privacy-enhancing technology to secure covered data.
    2. (B) REMOVAL.—
    1. (i) IN GENERAL.—If at any time the Commission determines that a covered entity participating in the pilot program is no longer maintaining the use and implementation of privacy-enhancing technology, the Commission shall—
    1. (I) notify the covered entity of such determination; and
    2. (II) subject to clause (ii), remove such covered entity from participation in the pilot program, including the limitations on liability described in paragraph (2) that are afforded to participants.
    1. (ii) OPPORTUNITY TO CURE.—Not later than 180 days after receiving notice from the Commission under clause (i), a covered entity may cure any alleged deficiency with its use and implementation of privacy-enhancing technology and submit to the Commission such proposed cure. If the Commission determines that such cure eliminates the alleged deficiency, then the Commission may not remove the covered entity from participation in the pilot program.

    (c) COORDINATION.—In carrying out the pilot program under subsection (a), the Commission shall—

    1. (1) solicit input from private, public, and academic stakeholders; and
    2. (2) in consultation with the Secretary of Commerce, develop ongoing public and private sector engagement to disseminate voluntary, consensus-based resources to increase the integration of privacy-enhancing technology in data collection, sharing, and analytics by the public and private sectors.
    1. ~~STUDY REQUIRED~~ (d) GAO STUDY AND REPORT.—
    1. ~~IN GENERAL.—The Comptroller General of the United States shall conduct a study—~~ (1) STUDY.—Not later than 3 years after the date of enactment of this Act, the Comptroller General of the United States (in this subsection referred to as the ‘‘Comptroller General’’) shall conduct a study to—
    1. ~~to~~ assess the progress of the pilot program established under subsection (b);
    2. ~~to determine the effectiveness of using privacy-enhancing technologies at the Commission to support oversight of the data security practices of covered entities; and~~ evaluate the Commission’s use of privacy-enhancing technology to support oversight of covered entities’ data security practices; and
    3. ~~to~~ develop recommendations to improve and advance privacy-enhancing technologies, including by improving communication and coordination between covered entities and the Commission to increase use and implementation of privacy-enhancing technologies by such entities and the Commission.
    1. INITIAL BRIEFING.—Not later than ~~3 years~~ 1 year after the date of the enactment of this Act, the Comptroller General shall brief the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on the initial results of the study conducted under paragraph (1).
    2. FINAL REPORT.—Not later than 240 days after the date on which the initial briefing required by paragraph (2) is conducted, the Comptroller General shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a final report ~~setting forth~~ describing the results of the study conducted under paragraph (1), including the recommendations developed under subparagraph (C) of such paragraph.
    1. AUDIT OF COVERED ENTITIES.—The Commission shall, on an ongoing basis, audit covered entities who have been accepted to be part of the pilot program established under subsection (b) to determine whether such a covered entity is maintaining the use and implementation of privacy-enhancing technologies to secure covered data.
    2. WITHDRAWAL FROM THE PILOT PROGRAM.—If at any time the Commission determines that a covered entity accepted to be a part of the pilot program established under subsection (b) is no longer maintaining the use of privacy-enhancing technologies, the Commission shall notify the covered entity of the determination of the Commission to withdraw approval for the covered entity to be a part of the pilot program and the basis for doing so. Not later than 180 days after the date on which a covered entity receives such notice, the covered entity may cure any alleged deficiency with the use of privacy-enhancing technologies and submit each proposed cure to the Commission. If the Commission determines that such cures eliminate alleged deficiencies with the use of privacy-enhancing technologies, the Commission may not withdraw the approval of the covered entity to be a part of the pilot program on the basis of such deficiencies.
    3. LIMITATIONS ON LIABILITY.—Any covered entity that petitions, and is accepted, to be part of the pilot program established under subsection (b), and actively implements and maintains the use of privacy-enhancing technologies, and is deemed to be in compliance with the program shall—
    1. for any action under section 115 or 116 for a violation of section 109, be deemed to be in compliance with section 109 with respect to covered data subject to the privacy-enhancing technologies; and
    2. for any action under section 117 for a violation of section 109, be entitled to a rebuttable presumption that such entity is in compliance with section 109 with respect to the covered data subject to the privacy-enhancing technologies.
    1. (e) SUNSET.—The Commission shall terminate the pilot program established under subsection (a) not later than 10 years after the date on which the pilot program is established.
    2. (f) PRIVACY-ENHANCING TECHNOLOGY DEFINED.— The term ‘‘privacy-enhancing technology’’—
    1. (1) means any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of the information without risking the privacy and security of the information; and
    2. (2) includes other technologies with functionality similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation.

    SEC. 115. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    1. NEW BUREAU.—
    1. IN GENERAL.—Subject to the availability of appropriations, the Commission shall establish, within the Commission, a new bureau comparable in structure, size, organization, and authority to the existing bureaus within the Commission related to consumer protection and competition.
    2. MISSION.—The mission of the bureau established under this subsection shall be to assist the Commission in exercising the authority of the Commission under this title and related authorities.
    3. STAFF.—In staffing the bureau, the Commission shall ensure it allocates full time employees or full time employee equivalents including attorneys, economists, investigators, technologists, and mental health professionals with experience in the well-being of children and teens. For the purposes of this paragraph, the term ‘‘technologists’’ means individuals with training and expertise including the state of the art information technology, network or data security, hardware or software development, privacy-enhancing technologies, cryptography, computer science, data science, advertising-technology, web tracking, machine learning and other related fields and applications.
    4. TIMELINE.—The bureau shall be established under this subsection shall be established, staffed, and fully operational not later than 180 days 1 year after the date of enactment of this Act.
    1. ENFORCEMENT BY COMMISSION.—
    1. UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this title or a regulation promulgated under this title shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
    2. POWERS OF THE COMMISSION.—
    1. IN GENERAL.—Except as provided in paragraph (3) and (4) or otherwise provided in this title, the Commission shall enforce this title and the regulations promulgated under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
    2. PRIVILEGES AND IMMUNITIES.—Any entity that violates this title or a regulation promulgated under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
    1. COMMON CARRIERS AND NONPROFITS.— Notwithstanding section (4), (5)(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this title, and the regulations promulgated under this title, in the same manner provided in paragraphs (1) and (2) of this subsection with respect to—
    1. common carriers subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.)–231) as currently enacted or subsequently amended; and
    2. organizations not organized to carry on business for their own profit or that of their members.
    1. PENALTY OFFSET FOR STATE OR INDIVIDUAL ACTIONS.—Any amount that a court orders an entity to pay in an action under this subsection shall be offset by any amount a court has ordered the entity to pay in an action brought against the entity for the same violation under section 116 or 117.
    2. PRIVACY AND SECURITY VICTIMS RELIEF FUND.—
    1. ESTABLISHMENT OF VICTIMS RELIEF FUND.—There is established in the Treasury of the United States a separate fund to be known as the ‘‘Privacy and Security Victims Relief Fund’’ (in this paragraph referred to as the ‘‘Victims Relief Fund’’).
    2. DEPOSITS.—The Commission or the Attorney General of the United States, as applicable, shall deposit into the Victims Relief Fund the amount of any civil penalty obtained in any civil action the Commission, or the Attorney General on behalf of the Commission, commences to enforce this title or a regulation promulgated under this title.
    1. (i) DEPOSITS FROM THE COMMISSION.—The Commission shall deposit into the Victims Relief Fund the amount of any civil penalty obtained against any entity in any judicial or administrative action the Commission commences to enforce this Act or a regulation promulgated under this Act.
    2. (ii) DEPOSITS FROM THE ATTORNEY GENERAL OF THE UNITED STATES.—The Attorney General of the United States shall deposit into the Victims Relief Fund the amount of any civil penalty obtained against any entity in any judicial or administrative action the Attorney General commences on behalf of the Commission to enforce this Act or a regulation promulgated under this Act.
    1. USE OF FUND AMOUNTS.—
    1. AVAILABILITY TO THE COMMISSION.—Notwithstanding section 3302 of title 31, United States Code, amounts in the Victims Relief Fund shall be available to the Commission, without fiscal year limitation, to provide redress, damages, payments or compensation, or other monetary relief to persons affected by an act or practice for which civil penalties, other monetary relief, or any other forms of relief (including injunctive relief) have been ordered in a civil action or administrative proceeding the Commission commences, or in any civil action the Attorney General of the United States commences on behalf of the Commission, to enforce this title or a regulation promulgated under this title. obtained under this Act. 
    2. (ii) OTHER PERMISSIBLE USES.—To the extent that individuals cannot be located or such redress, payments or compensation, or other monetary relief are otherwise not practicable, the Commission may use amounts in the Victims Relief Fund such funds for the purpose of—
    1. consumer or business education relating to data privacy orand data security; or
    2. engaging in technological research that the Commission considers necessary to implement this title, including promoting privacy-enhancing technologies that promote compliance with this title.enforce this Act.
    1. CALCULATION.—Any amount that the Commission provides to a person as redress, payments or compensation, or other monetary relief under subparagraph (C) with respect to a violation by an entity shall be offset by any amount the person received from an action brought against the entity for the same violation under section 116 or 117.
    1. (i) PENALTY OFFSET FOR STATE OR INDIVIDUAL ACTIONS.—Any amount that a court orders an entity to pay under this subsection shall be offset by any amount the person received from an action brought against the entity for the same violation under section 18 or 19.
    2. (ii) RELIEF OFFSET FOR STATE OR INDIVIDUAL ACTIONS.—Any amount that the Commission provides to a person as redress, payments or compensation, or other monetary relief under subparagraph (C) shall be offset by any amount the person received from an action brought against the entity for the same violation under section 18 or 19.
    1. RULE OF CONSTRUCTION.—Amounts collected and deposited in the Victims Relief Fund may shall not be construed to be Government funds or appropriated monies and may shall not be subject to apportionment for the purpose of chapter 15 of title 31, United States Code, or under any other authority.
    1. REPORT.—
    1. IN GENERAL.—Not later than 4 years after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a report describingon investigations conducted during the prior year with respect to conducted for alleged violations of this title, including—
    1. the number of such investigations the Commission has commenced;
    2. the number of such investigations the Commission has closed with no official agency action;
    3. the disposition of such investigations, if such investigations have concluded and resulted in official agency action; and
    4. for each investigation that was closed with no official agency action, the industry sectors of the covered entities subject to each investigation.
    1. PRIVACY PROTECTIONS.—A report required under paragraph (1) may shall not include the identity of any person who is the subject of an investigation or any other information that identifies such a person.
    2. ANNUAL PLAN.—Not later than 540 days after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to Congress a plan for the next calendar year describing the projected activities of the Commission under this title, including— each of the following:
    1. the policy priorities of the Commission and any changes to the previous policy priorities of the Commission.
    2. any rulemaking proceedings projected to be commenced, including any such proceedings to amend or repeal a rule.
    3. any plans to develop, update, or withdraw guidelines or guidance required under this title.
    4. any plans to restructure the Commission; and or establish, alter, or terminate working groups. 
    5. projected dates and timelines, or changes to projected dates and timelines, associated with any of the requirements under this title.

    SEC. 116. ENFORCEMENT BY STATES.

    1. (a) CIVIL ACTION.—
    1. (1) IN GENERAL.—In any case in which the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers has reason to believe that an interest of the residents of the State has been or is adversely affected by the engagement of any entity in an act or practice that violates this title or a regulation promulgated under this title, the attorney general, chief consumer protection officer, or other authorized officer or office of the State may bring a civil action in the name of the State, or as parens patriae on behalf of the residents of the State, in an appropriate Federal district court of the United States to—
    1. enjoin such act or practice;
    2. enforce compliance with this title or the regulations promulgated under this title;
    3. obtain civil penalties;
    4. obtain damages, restitution, or other compensation on behalf of the residents of the State;
    5. obtain reasonable attorney’s fees and other litigation costs reasonably incurred; or
    6. obtain such other relief as the court may consider to be appropriate.
    1. (2) LIMITATION.—In any case with respect to which where the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers brings an action under paragraph (1), no other officer of the same State may institute a civil action under paragraph (1) against the same defendant for the same violation of this title or a regulation promulgated under this title.
    1. (b) RIGHTS OF THE COMMISSION.—
    1. (1) IN GENERAL.—Except ifwhere not feasible, a State officer shall notify the Commission in writing prior to initiating a civil action under subsection (a). Such notice shall include a copy of the complaint to be filed to initiate such action. Upon receiving such notice, the Commission may intervene in such action and, upon intervening—
    1. be heard on all matters arising in such action; and
    2. file petitions for appeal of a decision in such action.
    1. (2) NOTIFICATION TIMELINE.—IfWhere it is not feasible for a State officer to provide the notification required by paragraph (1) before initiating a civil action under subsection (a), the State officer shall notify the Commission immediately after initiating the civil action.
    1. (c) ACTIONS BY THE COMMISSION.—In any case in which a civil action is instituted by or on behalf of the Commission for a violation of this title or a regulation promulgated under this title, no attorney general of a State, chief consumer protection officer of a State, or officer or office of a State authorized to enforce privacy or data security laws may, during the pendency of such action, institute a civil action against any defendant named in the complaint in the action instituted by or on behalf of the Commission for a violation of this title or a regulation promulgated under this title that is alleged in such complaint.
    2. (d) INVESTIGATORY POWERS.—Nothing in this section mayshall be construed to prevent the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers from exercising the powers conferred on such officer or office to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
    3. (e) VENUE; SERVICE OF PROCESS.—
    1. (1) VENUE.—Any action brought under subsection (a) may be brought in the Federal district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
    2. (2) SERVICE OF PROCESS.—In an action brought under subsection (a), process may be served in any Federal district in which the defendant—
    1. is an inhabitant; or
    2. may be found.
    1. GAO STUDY.—Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study of the practice of State attorneys general hiring, or otherwise contracting with, outside firms to assist in the enforcement of this title, which shall include the study ofshall include
    1. the frequency with which each State attorney general hires or contracts with outside firms to assist in such enforcement effortsof such hires;
    2. the contingency fees, hourly rates, and other costs of hiring or contracting with outside firms;
    3. the types of matters for which outside firms are hired or contracted with for;
    4. the bid and selection process for such outside firms law firm work and selection process, including reviews of conflicts of interest;
    5. the practices State attorneys general set in place to protect sensitive information that would become accessible by outside firms while the outside firms are assisting in such enforcement efforts;
    6. the percentage of monetary recovery that is returned to victims and the percentage of such recovery that is retained by the outsidelaw firms; and
    7. the market average for the hourly rate of hired or contracted attorneys in the market.
    1. (h) PRESERVATION OF STATE POWERS.—Except as provided in subsections (a)(2) and (c), no provision of this section shall be construed as altering, limiting, or affecting the authority of a State attorney general, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce laws applicable to covered entities or service providers to—
    1. (1) bring an action or other regulatory proceeding arising solely under the laws in effect in such State; or
    2. (2) exercise the powers conferred on the attorney general, the chief consumer protection officer, or officer or office by the laws of such State, including the ability to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
    1. (g) CALCULATION.—Any amount that a court orders an entity to pay to a person under this section in an action brought under subsection (a) shall be offset by any amount the person received from an action brought against the entity for the same violation under section 117 or 119.

    SEC. 117. ENFORCEMENT BY PERSONS INDIVIDUALS

    1. CIVIL ACTION(a) ENFORCEMENT BY INDIVIDUALS.—
    1. (1) IN GENERAL.—Subject to subsections (b) and (c), a personan individual may bring a civil action against an entity for a violation of subsections (b) or (c) of section 102, subsections (a) or (e) of section 104, section 105, subsection (a) or (b)(2) of section 106, section 107, section 108, section 109 to the extent such claim alleges a data breach arising from a violation of subsection (a) of such section, subsection (d) of section 111, subsection (c)(4) of section 112, subsection (a) of section 113, section 114, or a regulation promulgated thereunder, in an appropriate Federal district court of the United States.
    2. (2) RELIEF.—
    1. (A) IN GENERAL.—In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—
    1. an amount equal to the sum of any actual damages;
    2. injunctive relief, including an order that the entity retrieve any covered data transferred in violation of this title;
    3. declaratory relief; and
    4. reasonable attorney fees and litigation costs.
    1. (B) BIOMETRIC AND GENETIC INFORMATION.—In a civil action brought under paragraph (1) for a violation of this title with respect to section 102(c) where the conduct underlying the violation occurred primarily and substantially in Illinois, in which the plaintiff prevails, if the conduct underlying the violation occurred primarily and substantially in Illinois, the court may award the plaintiff—
    1. For a violation involving biometric information, the same relief as set forth in section 20 of the Biometric Information Privacy Act (740 ILCS 14/20), as such statute read on January 1, 2024; or
    2. For a violation involving genetic information, the same relief as set forth in section 40 of the Genetic Information Privacy Act (410 ILCS 513/40), as such statute read on January 1, 2024.
    1. (C) DATA SECURITY.—
    1. (i) IN GENERAL.—In a civil action brought under paragraph (1) for a violation of this title alleging unauthorized access of covered information as a result of a violation of section 109(a), (as defined in clause (ii)) in which the plaintiff prevails, the court may award a plaintiff who is a resident of California the same relief as set forth in section 1798.150 of the California Civil Code, as such statute read on January 1, 2024.
    2. (ii) COVERED INFORMATION DEFINED.—For purposes of this subparagraph, the term ‘‘covered information’’ means—
    1. an individual’s username, email address, or telephone number of an individual in combination with a password or security question or answer that would permit access to an account held by the individual that contains or provides access to sensitive covered data.; or 
    2. an individual’s The first name or first initial of an individual and the last name of the individual’s last name in combination with 1 or more of the following categories of sensitive covered data, ifwhen either the name or the sensitive covered data are not encrypted or redacted:
    1. (aa) A government-issued identifier as described in section 101(41)(A)(i).
    2. A financial account number described in section 101(41)(A)(iv).
    3. (bb) Any sensitive covered data described in section 2(34)(A)(iv).
    4. (cc) Health information, but only to the extent that such information reveals the individual’s history of medical treatment or diagnosis by a health care professional of the individual.
    5. (dd) Biometric information.
    6. (ee) Genetic information.
    1. (D) LIMITATIONS ON DUAL ACTIONS.— Any amount that a court orders an entity to pay to a person under subparagraph (A)(i), (B), or (C) shall be offset by any amount the person received from an action brought against the entity for the same violation under section 117 or 118.
    1. (b) OPPORTUNITY TO CURE IN ACTIONS FOR INJUNCTIVE RELIEF.—
    1. (1) NOTICE.—Subject to paragraph (3), an action for injunctive relief may be brought by a person under this section only if, prior to initiating such action against an entity for injunctive relief, the individual provides to the entity 30 days written notice identifying the specific provisions of this title the person alleges have been or are being violated.
    2. (2) EFFECT OF CURE.—In the event a cure is possible, if, within the 30 days the entity cures the noticed violation and provides the person with an express written statement that the violation has been cured and that no further such violations shall occur, an action for injunctive relief mayshall not be permitted with respect to the noticed violation.
    3. INJUNCTIVE RELIEF FOR A SUBSTANTIAL PRIVACY HARM.—Notice is not required under paragraph (1) prior to bringingfiling an action for injunctive relief for a violation of this Act that resulted in a substantial privacy harm.
    1. (c) NOTICE OF ACTIONS SEEKING ACTUAL DAMAGES.—
    1. (1) NOTICE.—Subject to paragraph (2), an action under this section for actual damages may be brought by a person only if, prior to initiating such action against an entity, the person provides to the entity 30 days written notice identifying the specific provisions of this title the person alleges have been or are being violated.
    2. NO NOTICE REQUIRED FOR A SUBSTANTIAL PRIVACY HARM.—Notice is not required under paragraph (1) prior to bringing filing an action for actual damages for a violation of this title that resulted in a substantial privacy harm, if such action includes a claim for a preliminary injunction or temporary restraining order.
    1. (d) PRE-DISPUTE ARBITRATION AGREEMENTS.—
    1. (1) IN GENERAL.—Notwithstanding any other provision of law, at the election of the person alleging a violation of this title, no pre-dispute arbitration agreement shall be valid or enforceable with respect to—
    1. (A) a claim alleging a violation involving an individual under the age of 18; or
    2. (B) a claim alleging a violation that resulted in a substantial privacy harm.
    1. (2) DETERMINATION OF APPLICABILITY.—Any issue as to whether this subsection applies to a dispute shall be determined under Federal law. The applicability of this section to an agreement to arbitrate and the validity and enforceability of an agreement to which this section applies shall be determined by a Federal court, rather than an arbitrator, irrespective of whether the party resisting arbitration challenges the arbitration agreement specifically or in conjunction with other terms of the contract containing the agreement, and irrespective of whether the agreement purports to delegate the determination to an arbitrator.
    2. (3) PREDISPUTE ARBITRATION AGREEMENT DEFINED.—For purposes of this subsection, the term ‘‘predispute arbitration agreement’’ means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement.
    1. (e) COMBINED NOTICES.—A person may combine the notices required by subsections (b)(1) and (c)(1) into a single notice, if the single notice complies with the requirements of each such subsection.

    SEC. 118. RELATION TO OTHER LAWS.

    1. (a) PREEMPTION OF STATE LAWS.—
    1. CONGRESSIONAL INTENT.—The purposes of this section are to—
    1. establish a uniform national data privacy and data security standard in the United States to prevent administrative costs and burdens from being placed on interstate commerce; and
    2. expressly preempt the laws of a State or political subdivision of a State thereof, as provided in this subsection.
    1. PREEMPTION.—Except as provided in paragraph (3), no State or political subdivision of a State may adopt, maintain, enforce, impose, or continue in effect any law, regulation, rule, requirement, prohibition, standard, or other provision covered by the provisions of this title or a rule, regulation, or requirement promulgated under this title.
    2. STATE LAW PRESERVATION.—Paragraph (2) may shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:
    1. Consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices.
    2. Civil rights laws.
    3. Provisions of laws that address the privacy rights or other protections of employees or employee information.
    4. Provisions of laws that address the privacy rights or other protections of students or student information.
    5. Provision of laws, insofar as such provisions address notification requirements in the event of a data breach.
    6. Contract or tort law.
    7. Criminal laws unrelated to data privacy or data security. 
    8. Criminal or civil laws regarding—
    1. blackmail;
    2. stalking (including cyberstalking);
    3. cyberbullying;
    4. intimate images (whether authentic or computer-generated) known to be nonconsensual;
    5. child abuse;
    6. child sexual abuse material;
    7. child abduction or attempted child abduction;
    8. child trafficking; or
    9. sexual harassment.
    1. Public safety or sector-specific laws unrelated to data privacy or data security, but only to the extent provided that such laws do not directly conflict with the provisions of this title.
    2. Provisions of laws that address public records, criminal justice information systems, arrest records, mug shots, conviction records, or non-conviction records.
    3. Provisions of laws that address banking records, financial records, tax records, Social Security numbers, credit cards, identity theft, credit reporting and investigations, credit repair, credit clinics, or check-cashing services.
    4. Provisions of laws that address electronic surveillance, wiretapping, or telephone monitoring.
    5. Provisions of laws that address unsolicited email messages, telephone solicitation, or caller identification.
    6. Provisions of laws that protect the privacy of health information, healthcare information, medical information, medical records, HIV status, or HIV testing.
    7. Provisions of laws that address the confidentiality of library records.
    8. Provisions of laws that address the use of encryption as a means of providing data security.
    1. PREEMPTION LIMITATIONS.—Notwithstanding paragraph (2), the provisions of this title shall preempt any State law, rule, or regulation that provides protections for children or teens only to the extent that such State law, rule, or regulation conflicts with a provision of this title. Nothing in this title shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens than the provisions of this title.
    1. (b) FEDERAL LAW PRESERVATION.—
    1. IN GENERAL.—Nothing in this title or a regulation promulgated under this title may be construed to limit—
    1. the authority of the Commission, or any other Executive agency, under any other provision of law;
    2. any requirement for a common carrier subject to section 64.2011 of title 47, Code of Federal Regulations (or any successor regulation), regarding information security breaches; or
    3. any other provision of Federal law, except as otherwise provided in this Act.
    1. ANTITRUST SAVINGS CLAUSE.—
    1. ANTITRUST LAWS DEFINED.— For purposes of this paragraph, the term ‘‘antitrust laws’’—
    1. has the meaning given such term in subsection (a) of the first section of the Clayton Act (15 U.S.C. 12(a)); and
    2. includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45), to the extent such section applies to unfair methods of competition.
    1. FULL APPLICATION OF THE ANTITRUST LAWSRULE OF CONSTRUCTION.—Nothing in this title, or the regulation promulgated under this title may be construed to modify, impair, supersede the operation of, or preclude the application of the antitrust laws.
    1. APPLICATION OF OTHER FEDERAL PRIVACY REQUIREMENTS.—
    1. IN GENERAL.—To the extent a covered entity or service provider is required to comply with any of the laws and regulations described in subparagraph (B), such covered entity or service provider is not subject to this title with respect to the activities governed by shall not be subject to this title, and is in compliance with the data privacy requirements of such laws and regulations shall be deemed to be in compliance with the related provisions of this Act (except with respect to section 9), solely and exclusively with respect to any data subject to the requirements of such laws and regulations.
    2. LAWS AND REGULATIONS DESCRIBED.—The laws and regulations described in this subparagraph includeare the following:
    1. Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
    2. Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.).
    3. Subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.).
    4. The regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
    5. The requirements regarding the confidentiality of substance use disorder information under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2) or any regulation promulgated under such section.
    6. The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
    7. Section 444 of the General Education Provisions Act of 1974 (commonly known as the ‘‘Family Educational Rights and Privacy Act’’) (20 U.S.C. 1232g) and part 99 of title 34, Code of Federal Regulations (or any successor regulation), to the extent a covered entity or service provider is an educational agency or institution (as defined in such section or section 99.3 of title 34, Code of Federal Regulations (or any successor regulation)).
    8. The regulations related to the protection of human subjects under part 46 of title 45, Code of Federal Regulations.
    9. Regulations and agreements related to information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
    10. The federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.).
    11. The Federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.).
    12. The Driver’s Privacy Protection Act.
    1. (C) IMPLEMENTATION GUIDANCE.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance with respect to the implementation of this paragraph.
    1. APPLICATION OF OTHER FEDERAL DATA SECURITY REQUIREMENTS.—
    1. IN GENERAL.—To the extent that a covered entity or service provider is required to comply with any of the laws and regulations described in subparagraph (B) such covered entity or service provider is not subject to this title with respect to the activities governed by the and is in compliance with the information security requirements of such laws and regulations shall be deemed to be in compliance with section 109 of this title, solely and exclusively with respect to any data subject to the requirements of such laws and regulations.
    2. LAWS AND REGULATIONS DESCRIBED.—The laws and regulations described in this subparagraph are the following:
    1. Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
    2. Subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.).
    3. Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.).
    4. The regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
    5. The requirements regarding the confidentiality of substance use disorder information under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2) or any regulation promulgated under such section.
    6. The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
    7. Section 444 of the General Education Provisions Act (commonly known as the ‘‘Family Educational Rights and Privacy Act of 1974’’) (20 U.S.C. 1232g) and part 99 of title 34, Code of Federal Regulations (or any successor regulation), to the extent a covered entity or service provider is an educational agency or institution (as defined in such section or section 99.3 of title 34, Code of Federal Regulations (or any successor regulation)).
    8. The regulations related to the protection of human subjects under part 46 of title 45, Code of Federal Regulations.
    9. Regulations and agreements related to information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
    10. The Federal Health Care Quality Improvement Act of 1986 (42 U.S.C. 11101 et seq.).
    11. The Federal Patient Safety and Quality Improvement Act (42 U.S.C. 299b-21 et seq.).
    12. The Drivers Privacy Protection Act.
    1. IMPLEMENTATION GUIDANCE.—Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance with respect to the implementation of this paragraph.
    1. (c) PRESERVATION OF COMMON LAW OR STATUTORY CAUSES OF ACTION FOR CIVIL RELIEF.—Nothing in this title, nor any amendment, standard, rule, requirement, assessment, law, or regulation promulgated under this title, may shall be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of an individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law, except that the fact of a violation of this title or a regulation promulgated under this title may not be pleaded as an element of any violation of such law.
    2. (d) NON-APPLICATION OF CERTAIN PROVISIONS OF THE COMMUNICATIONS ACT OF 1934 AS IT RELATES TO FCC PRIVACY AND DATA SECURITY LAWS AND REGULATIONS TO CERTAIN COVERED ENTITIES.—
    1. (1) IN GENERAL.—Except as provided in paragraph (2), sections 201, 202, 222, 338(i), and 631 of Notwithstanding any other provision of law and except as provided in paragraph (2), the Communications Act of 1934 (47 U.S.C. 151 et seq.), as amended, and section 706 of the Telecommunications Act of 1996, as amended (47 U.S.C. 201, 202, 222, 338(i), 551, 1302), and all Acts amendatory thereof or supplementary thereto and any regulations or orders promulgated by the Federal Communications Commission under such sectionAct, does not apply to any covered entity or service provider with respect to the collection, processing, retention, transfer, or security of covered data or its equivalent, to the extent that those provisions of the Communications Act or any regulations or orders adopted pursuant to those provisions of the Communications Act would otherwise govern the collection, processing, retention, transfer, or security of covered data or its equivalent in order to protect consumer privacy or the security of such data and instead shall be to the extent that such collection, processing, retention, transfer, or security of covered data is governed by the requirements of this Act.
    2. (2) EXCEPTIONS.—Paragraph (1) does not preclude the application of any of the following to a covered entity or service provider with respect to the collection, processing, retention, transfer, or security of covered data: supersede any authority of the Federal Communications Commission with respect to the following:
    1. Any emergency services, as defined in section 7 of the Wireless Communications and Public Safety Act of 1999 (47 U.S.C. 615b).
    2. Proceedings to implement section 227 of the Communications Act (47 U.S.C. 227) or the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019 (Public Law 116–105; 133 Stat. 3274), or any other authority used by the Federal Communications Commission to prevent or reduce unwanted telephone calls or text messages.
    3. An enforcement action alleging or finding a violation of a provision of the Communications Act specified in paragraph (1), where such action was adopted by the Federal Communications Commission prior to the date of the enactment of this Act.
    4. Subsection (a) of section 222 of the Communications Act to the extent it imposes a duty on every telecommunications carrier to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers and equipment manufacturers.
    5. Subsections (b), (d), and (g) of section 222 of the Communications Act of 1934 (47 U.S.C. 222).
    6. Section 64.2011 of title 47, Code of Federal Regulations (or any successor regulation).
    7. Mitigation measures and actions taken pursuant to Executive Order 13913 (85 Fed. Reg. 19643; relating to the establishment of the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector).
    8. Any obligation under an international treaty related to the exchange of traffic implemented and enforced by the Federal Communications Commission.

    SEC. 119. CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.

    Nothing in this Act may be construed to relieve or change any obligation that a covered entity or other person may have under the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).

    SEC. 120. DATA PROTECTIONS FOR COVERED MINORS.

    1. PROHIBITION ON FIRST-PARTY AND TARGETED ADVERTISING TO COVERED MINORS.—A covered entity or service provider acting on behalf of a covered entity may not engage in targeted advertising or first-party advertising to an individual if the covered entity has knowledge that the individual is a covered minor, except that a covered entity or service provider may present or display to a covered minor age-appropriate advertisements intended for an audience of covered minors, so long as the covered entity or service provider acting on behalf of a covered entity does not use any covered data other than whether the individual that receives the advertisement is a covered minor or the device that receives the advertisement is linked or reasonably linkable to one or more individuals, at least one of whom is a covered minor.
    2. DATA TRANSFER REQUIREMENTS RELATED TO CHILDREN AND TEENS.—
    1. IN GENERAL.—Notwithstanding section 102(b), a covered entity or an entity acting as a service provider may not transfer or direct a service provider to transfer the covered data of a covered minor to a third party if the covered entity—
    1. has knowledge that the individual is a covered minor; and
    2. has not obtained affirmative express consent unless the transfer is necessary, proportionate, and limited to a purpose expressly permitted by paragraph (2), (3), (4), (8), (9), (11), (12), or (13) of section 102(d).
    1. EXCEPTION.—A covered entity or service provider may collect, process, retain, or transfer covered data of an individual that the covered entity or service provider knows is under the age of 18 solely in order to submit information relating to child victimization to law enforcement or to the nonprofit, national resource center and clearinghouse congressionally designated to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.
    1. IN GENERAL.—The Commission may conduct a rulemaking pursuant to section 553 of title 5, United States Code, to establish processes for parents and teens to exercise the rights provided to them in this title with respect to covered entities and data brokers. Any such rulemaking should take into account the specific needs of parents, children, and teens and should consider how best to harmonize the processes provided for under this title with the processes and guidance provided for under title II and by the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) and any rulemakings undertaken by the Commission thereunder. It should also consider options for reducing undue burdens on parents, children, teens, covered entities, and data brokers.

    SEC. 121. TERMINATION OF FTC RULEMAKING ON COMMERCIAL SURVEILLANCE AND DATA SECURITY.

    Beginning on the date of enactment of this Act, the Commission’s Trade Regulation Rule on Commercial Surveillance and Data Security proposed rulemaking proposed in the advance notice of proposed rulemaking titled “Trade Regulation Rule on Commercial Surveillance and Data Security’’ and published on August 22, 2022 (87 Fed. Reg. 51273), shall be terminated.

    SEC. 122. SEVERABILITY.

    If any provision of this title, or the application thereof to any person or circumstance, is held invalid, the remainder of this title, and the application of such provision to other persons not similarly situated or to other circumstances, may shall not be affected by the invalidation.

    SEC. 123. INNOVATION RULEMAKINGS.

    The Commission may conduct a rulemaking pursuant to section 553 of title 5, United States Code—

    1. to include other covered data in the definition of the term ‘‘sensitive covered data’’, except that the Commission may not expand the category of information described in section 101(49)(A)(ii); and
    2. to include in the list of permitted purposes in section 102(d) other permitted purposes for collecting, processing, retaining, or transferring covered data.

    SEC. 124. EFFECTIVE DATE.

    Unless otherwise specified in this title, this title shall take effect on the date that is 180 days after the date of the enactment of this Act.

    TITLE II—CHILDREN’S ONLINE PRIVACY PROTECTION ACT 2.0

    SEC. 201. SHORT TITLE.

    This title may be cited as the ‘‘Children’s Online Privacy Protection Act 2.0’’.


    Purple text = existing law

    Blue text = how text from COPPA 2.0 2/15/2024 fits into existing law

    Pink text = COPPA 2.0 insertions from the FAA reauthorization amendment

    Red text = APRA from 5/22/2024

    Green text = APRA from 6/20/2024


    SEC. 202. ONLINE COLLECTION, USE, DISCLOSURE, AND DELETION OF PERSONAL INFORMATION OF CHILDREN AND TEENS.

    (a) SHORT TITLE.—This Act may be cited as the ‘‘Children and Teens’ Online Privacy Protection Act’’.

    (b) TABLE OF CONTENTS.—The table of contents for this Act is as follows:

    Sec. 1. Short title; table of contents.

    Sec. 2. Online collection, use, disclosure, and deletion of personal information of children and teens.

    Sec. 3. Study and reports of mobile and online application oversight and enforcement.

    Sec. 4. GAO study.

    Sec. 5. Severability.

    SEC. 1302. DEFINITIONS.

    In this chapter:

    (1) Child

    The term "child" means an individual under the age of 13.

    (2) Operator.—The term "operator"—

    (A) means any person—

    (i) who, for commercial purposes, in interstate or foreign commerce operates or provides a website on the internet, an online service, an online application, or a mobile application; and

    (ii) who—

    (I) collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, or application;

    (II) allows another person to collect personal information directly from users of that website, service, or application (in which case, the operator is deemed to have collected the information); or

    (III) allows users of that website, service, or application to publicly disclose personal information (in which case, the operator is deemed to have collected the information); and

    (B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

    (3) Commission

    The term "Commission" means the Federal Trade Commission.

    (4) Disclosure

    The term "disclosure" means, with respect to personal information—

    (A) the release of personal information collected from a child or teen by an operator for any purpose, except where the personal information is provided to a person other than an operator who—

    (i) provides support for the internal operations of the website, online service, online application, or mobile application (as defined in paragraph (8)(C)) of the operator, excluding any activity relating to targeted individual-specific advertising or first-party advertising (as such terms are defined in section 101 of the American Privacy Rights Act of 2024) to children or teens; and

    (ii) does not disclose or use that personal information for any other purpose; and

    (B) making personal information collected from a child or teen by a website, online service, online application, or mobile application directed to children or with actual knowledge or knowledge fairly implied on the basis of objective circumstances that such information was collected from a child or teen, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through—

    (i) a home page of a website;

    (ii) a pen pal service;

    (iii) an electronic mail service;

    (iv) a message board; or

    (v) a chat room.

    (5) Federal agency

    The term "Federal agency" means an agency, as that term is defined in section 551(1) of title 5.

    (6) Internet

    The term "Internet" means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

    (7) Parent

    The term "parent" includes a legal guardian.

    (8) Personal information

    (A) IN GENERAL—The term "personal information" means individually identifiable information about an individual collected online, including—

    (i) a first and last name;

    (ii) a home or other physical address including street name and name of a city or town;

    (iii) an e-mail address;

    (iv) a telephone number;

    (v) a Social Security number;

    (vi) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or 

    (vii) a persistent identifier that can be used to recognize a specific child or teen over time and across different websites, online services, online applications, or mobile applications, including but not limited to a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier, but excluding an identifier that is used by an operator solely for providing support for the internal operations of the website, online service, online application, or mobile application;

    (viii) a photograph, video, or audio file where such file contains a specific child’s or teen’s image or voice;

    (ix) geolocation information;

    (x) information generated from the measurement or technological processing of an individual’s biological, physical, or physiological characteristics that is used to identify an individual, including—

    (I) fingerprints;

    (II) voice prints;

    (III) iris or retina imagery scans;

    (IV) facial templates;

    (V) deoxyribonucleic acid (DNA) information; or

    (VI) gait; or

    (xi) information linked or reasonably linkable to a child or teen or the parents of that child or teen (including any unique identifier) that an operator collects online from the child or teen and combines with an identifier described in this subparagraph.

    (B) EXCLUSION.— The term ‘personal information’ doesshall not include an audio file that contains a child’s or teen’s voice so long as the operator—

    (i) does not request information via voice that would otherwise be considered personal information under this paragraph;

    (ii) provides clear notice of its collection and use of the audio file and its deletion policy in its privacy policy;

    (iii) only uses the voice within the audio file solely as a replacement for written words, to perform a task, or engage with a website, online service, online application, or mobile application, such as to perform a search or fulfill a verbal instruction or request; and

    (iv) only maintains the audio file long enough to complete the stated purpose and then immediately deletes the audio file and does not make any other use of the audio file prior to deletion.

    (C) SUPPORT FOR THE INTERNAL OPERATIONS OF A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, OR MOBILE APPLICATION.—

    (i) IN GENERAL.—For purposes of subparagraph (A)(vii), the term ‘support for the internal operations of a website, online service, online application, or mobile application’ means those activities necessary to—

    (I) maintain or analyze the functioning of the website, online service, online application, or mobile application;

    (II) perform network communications;

    (III) authenticate users of, or personalize the content on, the website, online service, online application, or mobile application;

    (IV) serve contextual advertising, provided that any persistent identifier is only used as necessary for technical purposes to serve the contextual advertisement, or cap the frequency of advertising;

    (IV) cap the frequency of advertising;

    (V) protect the security or integrity of the user, website, online service, online application, or mobile application;

    (VI) ensure legal or regulatory compliance, or

    (VII) fulfill a request of a child or teen as permitted by subparagraphs (A) through (C) of section 1303(b)(2).

    (ii) CONDITION.—Except as specifically permitted under clause (i), information collected for the activities listed in clause (i) cannot be used or disclosed to contact a specific individual, including through targeted individual-specific advertising or first-party advertising (as such terms are defined in section 101 of the American Privacy Rights Act of 2024) to children or teens, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website or online service, or for any other purpose.

    (9) VERIFIABLE CONSENT.—The term ‘verifiable consent’ means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that, in the case of a child, a parent of the child, or, in the case of a teen, the teen

    (A) receives direct notice of the personal information collection, use, and disclosure practices of the operator; and

    (B) before the personal information of the child or teen is collected, freely and unambiguously authorizes—

    (i) the collection, use, and disclosure, as applicable, of that personal information; and

    (ii) any subsequent use of that personal information.

    (10) WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, OR MOBILE APPLICATION DIRECTED TO CHILDREN

    (A) In general—The term "website, online service, online application, or mobile application directed to children" means—

    (i) a website, online service, online application, or mobile application that is targeted to children; or

    (ii) that portion of a website, online service, online application, or mobile application that is targeted to children.

    (B) Limitation—A website, online service, online application, or mobile application, or a portion of a website, online service, online application, or mobile application, shall not be deemed directed to children solely for referring or linking to a website, online service, online application, or mobile application directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

    (C) RULE OF CONSTRUCTION.—In considering whether a website, online service, online application, or mobile application, or portion thereof, is directed to children, the Commission shall apply a totality of circumstances test and shallwill also consider competent and reliable empirical evidence regarding audience composition and evidence regarding the intended audience of the website, online service, online application, or mobile application.

    (11) Person

    The term "person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

    (12) Online contact information

    The term "online contact information" means an e-mail address or another substantially similar identifier that permits direct contact with a person online.

    (13) CONNECTED DEVICE—The term ‘connected device’ has the meaning given such term in section 101 of the American Privacy Rights Act of 2024means a device that is capable of connecting to the internet, directly or indirectly, or to another connected device.

    (14) ONLINE APPLICATION.—The term ‘online application’ has the meaning given such term in section 101 of the American Privacy Rights Act of 2024.

    (A) means an internet-connected software program; and

    (B) includes a service or application offered via a connected device. 

    (15) MOBILE APPLICATION.—The term ‘mobile application’ has the meaning given such term in section 101 of the American Privacy Rights Act of 2024. 

    (A) means a software program that runs on the operating system of—

    (i) a cellular telephone;

    (ii) a tablet computer; or

    (iii) a similar portable computing device that transmits data over a wireless connection; and

    (B) includes a service or application offered via a connected device.

    (16) PRECISE GEOLOCATION INFORMATION.—The term ‘precise geolocation information’ has the meaning given such term in section 101 of the American Privacy Rights Act of 2024means information sufficient to identify a street name and name of a city or town.

    (17) TEEN.—The term ‘teen’ means an individual who has attained age 13 and is under the age of 17.

    (18) INDIVIDUAL-SPECIFIC ADVERTISING TO CHILDREN OR TEENS.—

    (A) IN GENERAL.—The term ‘individual specific advertising to children or teens’ means advertising or any other effort to market a product or service that is directed to a specific child or teen or a connected device that is linked or reasonably linkable to a child or teen based on—

    (i) the personal information from—

    (I) the child or teen; or

    (II) a group of children or teens who are similar in sex, age, household income level, race, or ethnicity to the specific child or teen to whom the product or service is marketed;

    (ii) profiling of a child or teen or group of children or teens; or

    (iii) a unique identifier of the connected device.

    (B) EXCLUSIONS.—The term ‘individual specific advertising to children or teens’ shall not include—

    (i) advertising or marketing to an individual or the device of an individual in response to the individual’s specific request for information or feedback, such as a child’s or teen’s current search query;

    (ii) contextual advertising, such as when an advertisement is displayed based on the content of the website, online service, online application, mobile application, or connected device in which the advertisement appears and does not vary based on personal information related to the viewer; or

    (iii) processing personal information solely for measuring or reporting advertising or content performance, reach, or frequency, including independent measurement.

    (C) RULE OF CONSTRUCTION.—Nothing in subparagraph (A) shall be construed to prohibit an operator with actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is under the age of 17 from delivering advertising or marketing that is age-appropriate and intended for a child or teen audience, so long as the operator does not use any personal information other than whether the user is under the age of 17.

    (17) EDUCATIONAL AGENCY OR INSTITUTION.—The term ‘educational agency or institution’ means a State educational agency or local educational agency as defined under Federal law, as well as an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined under State law.

    Section 1303. Regulation of unfair and deceptive acts and practices in connection with collection and use of personal information from and about children on the Internet ONLINE COLLECTION, USE, AND DISCLOSURE, AND DELETION OF PERSONAL INFORMATION OF CHILDREN AND TEENS.

    (a) Acts prohibited

    (1) IN GENERAL.—It is unlawful for an operator of a website, online service, online application, or mobile application directed to children or for any operator of a website, online service, online application, or mobile application with actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child—or for any operator of a website, online service, online application, or mobile application with actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child or teen—

    (A) to collect personal information from a child or teen in a manner that violates the American Privacy Rights Act of 2024 or the regulations prescribed under subsection (b);

    (B) except as provided in subparagraphs (B) and (C) of section 1302(18), to collect, use, disclose to third parties, or maintain personal information of a child or teen for purposes of individual-specific advertising to children or teens (or to allow another person to collect, use, disclose, or maintain such information for such purpose);

    (C) to collect the personal information of a child or teen except when the collection of the personal information is—

    (i) consistent with the context of a particular transaction or service or the relationship of the child or teen with the operator, including collection necessary to fulfill a transaction or provide a product or service requested by the child or teen; or

    (ii) required or specifically authorized by Federal or State law; or

    (B) to store or transfer the personal information of a child or teen outside of the United States unless

    (i) the operator provides direct notice to the parent of the child, in the case of a child, or to the teen, in the case of a teen, that the child’s or teen’s personal information is being stored or transferred outside of the United States; and or

    (ii) with respect to transfer, the operator meets the requirements of section 102(b) of the American Privacy Rights Act of 2024.

    (E) to retain the personal information of a child or teen for longer than is reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required or specifically authorized by Federal or State law.

    (2) Disclosure to parent or teen protected

    Notwithstanding paragraph (1)(A), neither an operator of such a website or online service nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii)(iv) to the parent of a child or under subsection (b)(1)(C)(iv) to a teen.

    (2) PARENT OR TEEN.—Notwithstanding paragraph (1)(A), neither an operator nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iv) to the parent of a child

    (b) Regulations

    (1) In general.—Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that—

    (A) require the ‘operator of a website, online service, online application, or mobile application directed to children or that has actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child or teen

    (i) to provide clear and conspicuous notice on the website of what information is collected from children or teens by the operator, how the operator uses such information, the operator's disclosure practices for such information;, the rights and opportunities available to the parent of the child or teen under subparagraphs (B) and (C), and the procedures or mechanisms the operator uses to ensure that personal information is not collected from children or teens except in accordance with the regulations promulgated under this paragraph;

    (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children or teens; and

    (iii) to obtain verifiable consent from a parent of a child or from a teen before using or disclosing personal information of the child or teen for any purpose that is a material change from the original purposes and disclosure practices specified to the parent of the child or the teen under clause (i);

    (B) require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that operator, upon proper identification of that parent, to such parent—

    (i) a description of the specific types of personal information collected from the child by that operator and the method by which the operator obtained the personal information, and the purposes for which the operator collects, uses, discloses, and retains the personal information;

    (ii) the opportunity at any time to delete personal information collected from the child or content or information submitted by the child to a website, online service, online application, or mobile application and to refuse to permit the operator's further use or maintenance in retrievable form, or future online collection, of personal information from that child;

    (iii) the opportunity to challenge the accuracy of the personal information and, if the parent of the child establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected;

    (iv) notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child, if such information is available to the operator at the time the parent makes the request;

    (C) require the operator to provide, upon the request of a teen under this subparagraph who has provided personal information to the operator, upon proper identification of that teen—

    (i) a description of the specific types of personal information collected from the teen by the operator, the method by which the operator obtained the personal information, and the purposes for which the operator collects, uses, discloses, and retains the personal information;

    (ii) the opportunity at any time to delete personal information collected from the teen or content or information submitted by the teen to a website, online service, online application, or mobile application and to refuse to permit the operator’s further use or maintenance in retrievable form, or online collection, of personal information from the teen;

    (iii) the opportunity to challenge the accuracy of the personal information and, if the teen establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected; and

    (iv) a means that is reasonable under the circumstances for the teen to obtain any personal information collected from the teen, if such information is available to the operator at the time the teen makes the request;

    (B) prohibit conditioning a child's  or teen’s participation in a game, the offering of a prize, or another activity on the child  or teen disclosing more personal information than is reasonably necessary, proportionate, and limited to participate in such activity;

    (C) require the operator to establish, implement, and maintain reasonable procedures security practices to protect the confidentiality, security, integrity, and accessibility of personal information collected from children. of children or teens collected by the operator, and to protect such personal information against unauthorized access.

    (2) When consent not required.—The regulations shall provide that verifiable parental consent under paragraph (1)(A)(ii) is not required in the case of—

    (A) online contact information collected from a child  or teen that is used only to respond directly on a one-time basis to a specific request from the child or teen and is not used to recontact the child  or teen or to contact another child  or teen and is not maintained in retrievable form by the operator;

    (B) a request for the name or online contact information of a parent or child or teen that is used for the sole purpose of obtaining verifiable parental consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if verifiable parental consent is not obtained after a reasonable time;

    (C) online contact information collected from a child  or teen that is used only to respond more than once directly to a specific request from the child  or teen and is not used to recontact the child  or teen beyond the scope of that request—

    (i) if, before any additional response after the initial response to the child  or teen, the operator uses reasonable efforts to provide a parent  or teen, as applicable, notice of the online contact information collected from the child  or teen, the purposes for which it is to be used, and an opportunity for the parent or teen, as applicable, to request that the operator make no further use of the information and that it not be maintained in retrievable form; or

    (ii) without notice to the parent  or teen, as applicable, in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child  or teen of access to information and services, and risks to the security and privacy of the child  or teen, in regulations promulgated under this subsection;

    (D) the name of the child  or teen and online contact information (to the extent reasonably necessary, proportionate, and limited to protect the safety of a child  or teen participant on the site)—

    (i) used only for the purpose of protecting such safety;

    (ii) not used to recontact the child or for any other purpose; and

    (iii) not disclosed on the site, if the operator uses reasonable efforts to provide a parent  or teen, as applicable, notice of the name and online contact information collected from the child or teen, the purposes for which it is to be used, and an opportunity for the parent  or teen, as applicable, to request that the operator make no further use of the information and that it not be maintained in retrievable form; or

    (E) the collection, use, or dissemination of such information by the operator of such a website or online service necessary—

    (i) to protect the security or integrity of its website;

    (ii) to take precautions against liability;

    (iii) to respond to judicial process; or

    (iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

    (3) APPLICATION TO OPERATORS ACTING UNDER AGREEMENTS WITH EDUCATIONAL AGENCIES OR INSTITUTIONS.—The regulations may provide that verifiable consent under paragraph (1)(A)(ii) is not required for an operator that is acting under a written agreement with an educational agency or institution (as defined in section 444 of the General Education Provisions Act (commonly known as the ‘Family Educational Rights and Privacy Act of 1974’) (20 U.S.C. 1232g(a)(3)) that, at a minimum, requires the—

    (A) operator to—

    (i) limit its collection, use, and disclosure of the personal information from a child or teen to solely educational purposes and for no other commercial purposes;

    (ii) provide the educational agency or institution with a notice of the specific types of personal information the operator will collect from the child or teen, the method by which the operator will obtain the personal information, and the purposes for which the operator will collect, use, disclose, and retain the personal information;

    (iii) provide the educational agency or institution with a link to the operator’s online notice of information practices as required under paragraph (1)(A)(i)subsection (b)(1)(A)(i); and

    (iv) provide the educational agency or institution, upon request, with a means to review the personal information collected from a child or teen, to prevent further use or maintenance or future collection of personal information from a child or teen, and to delete personal information collected from a child or teen or content or information submitted by a child or teen to the operator’s website, online service, online application, or mobile application;

    (B) representative of the educational agency or institution to acknowledge and agree that they have authority to authorize the collection, use, and disclosure of personal information from children or teens on behalf of the educational agency or institution, along with such authorization, their name, and title at the educational agency or institution; and

    (C) educational agency or institution to—

    (i) provide on its website a notice that identifies the operator with which it has entered into a written agreement under this paragraphsubsection and provides a link to the operator’s online notice of information practices as required under paragraph (1)(A)(i);

    (ii) provide the operator’s notice regarding its information practices, as required under subparagraph (A)(ii), upon request, to a parent, in the case of a child, or a parent or teen, in the case of a teen; and

    (iii) upon the request of a parent, in the case of a child, or a parent or teen, in the case of a teen, request the operator provide a means to review the personal information from the child or teen and provide the parent, in the case of a child, or parent or teen, in the case of the teen, a means to review the personal information.

    (4) TERMINATION OF SERVICE.—The regulations shall permit the operator of a website, online service, online application, or mobile application directed to children to terminate service provided to a child whose parent has requested to delete covered data of the child pursuant to section 105 of the American Privacy Rights Act of 2024. refused, or a teen who has refused, under the regulations prescribed under paragraphs (1)(B)(ii) and (1)(C)(ii), to permit the operator’s further use or maintenance in retrievable form, or future online collection of, personal information from that child or teen.

    (5) CONTINUATION OF SERVICE.—The regulations shall prohibit an operator from discontinuing service provided to a child or teen on the basis of a request by the parent of the child or by the teen, under the regulations prescribed under subparagraph (B) or (C) of paragraph (1), respectively, to delete personal information collected from the child or teen, to the extent that the operator is capable of providing such service without such information.

    (6) RULE OF CONSTRUCTION.—A request made pursuant to subparagraph (B) or (C) of paragraph (1) to delete or correct personal information of a child or teen shall not be construed—

    (A) to limit the authority of a law enforcement agency to obtain any content or information from an operator pursuant to a lawfully executed warrant or an order of a court of competent jurisdiction;

    (B) to require an operator or third party delete or correct information that—

    (i) any other provision of Federal or State law requires the operator or third party to maintain; or

    (ii) was submitted to the website, online service, online application, or mobile application of the operator by any person other than the user who is attempting to erase or otherwise eliminate the content or information, including content or information submitted by the user that was republished or resubmitted by another person; or

    (C) to prohibit an operator from—

    (i) retaining a record of the deletion request and the minimum information necessary for the purposes of ensuring compliance with a request made pursuant to subparagraph (B) or (C);

    (ii) preventing, detecting, protecting against, or responding to security incidents, identity theft, or fraud, or reporting those responsible for such actions;

    (iii) protecting the integrity or security of a website, online service, online application or mobile application; or

    (iv) ensuring that the child’s or teen’s information remains deleted.

    (6) COMMON VERIFIABLE CONSENT MECHANISM.—

    (A) IN GENERAL.—

    (i) FEASIBILITY OF MECHANISM.—The Commission shall assess the feasibility, with notice and public comment, of allowing operators the option to use a common verifiable consent mechanism that fully meets the requirements of this title.

    (ii) REQUIREMENTS.—The feasibility assessment described in clause (i) shall consider whether a single operator could use a common verifiable consent mechanism to obtain verifiable consent, as required under this title, from a parent of a child or from a teen on behalf of multiple, listed operators that provide a joint or related service.

    (B) REPORT.—Not later than 1 year after the date of enactment of this paragraph, the Commission shall submit a report to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives with the findings of the assessment required by subparagraph (A).

    (C) REGULATIONS.—If the Commission finds that the use of a common verifiable consent mechanism is feasible and would meet the requirements of this title, the Commission shall issue regulations to permit the use of a common verifiable consent mechanism in accordance with the findings outlined in such report.

    (c) Enforcement.—Subject to sections 6503 and 6505 of this title, a violation of subparagraph (B), (C), (D), or (E) of subsection (a)(1), or of a regulation prescribed under subsection (b), shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 57a(a)(1)(B) of this title.

    (d) Inconsistent State law.—No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.

    (d) RELATIONSHIP TO STATE LAW.—The provisions of this title shall preempt any State law, rule, or regulation only to the extent that such State law, rule, or regulation conflicts with a provision of this title. Nothing in this title shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens than the provisions of this title.

    SEC. 1304. Safe harbors

    (a) Guidelines.—An operator may satisfy the requirements of regulations issued under section 6502(b) of this title by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).

    (b) Incentives

    (1) Self-regulatory incentives.—In prescribing regulations under section 6502 of this title, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children and teens under the regulatory requirements described in subsection (b) of that section.

    (2) Deemed compliance.—Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 6502 of this title if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 6502 of this title.

    (3) Expedited response to requests.—The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.

    (c) Appeals.—Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5.

    (d) PUBLICATION.—

    (1) IN GENERAL.—Subject to the restrictions described in paragraph (2), the Commission shall publish on the internet website of the Commission any report or documentation required by regulation to be submitted to the Commission to carry out this section.

    (2) RESTRICTIONS ON PUBLICATION.—The restrictions described in section 6(f) and section 21 of the Federal Trade Commission Act (15 U.S.C. 46(f), 57b–2) applicable to the disclosure of information obtained by the Commission shall apply in same manner to the disclosure under this subsection of information obtained by the Commission from a report or documentation described in paragraph (1).

    SEC. 1305. ACTIONS BY STATES

    (a) In general

    (1) Civil actions.—In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates section 1303(a)(1) or any regulation of the Commission prescribed under section 6502(b) of this title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—

    (A) enjoin that practice;

    (B) enforce compliance with section 1303(a)(1) or the regulation;

    (C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

    (D) obtain such other relief as the court may consider to be appropriate.

    (2) Notice

    (A) In general.—Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission—

    (i) written notice of that action; and

    (ii) a copy of the complaint for that action.

    (B) Exemption

    (i) In general.—Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.

    (ii) Notification.—In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

    (b) Intervention

    (1) In general.—On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

    (2) Effect of intervention.—If the Commission intervenes in an action under subsection (a), it shall have the right—

    (A) to be heard with respect to any matter that arises in that action; and

    (B) to file a petition for appeal.

    (3) Amicus curiae.—Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.

    (c) Construction.—For purposes of bringing any civil action under subsection (a), nothing in this chapter shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

    (1) conduct investigations;

    (2) administer oaths or affirmations; or

    (3) compel the attendance of witnesses or the production of documentary and other evidence.

    (d) Actions by Commission.—In any case in which an action is instituted by or on behalf of the Commission for violation of section 1303(a)(1) or any regulation prescribed under section 6502 of this title, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of section 1303(a)(1) or that regulation.

    (e) Venue; service of process

    (1) Venue.—Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28.

    (2) Service of process.—In an action brought under subsection (a), process may be served in any district in which the defendant—

    (A) is an inhabitant; or

    (B) may be found.

    SEC. 1306. ADMINISTRATION AND APPLICABILITY.—

    (a) In general.—Except as otherwise provided, this chapter shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

    (b) Provisions.—Compliance with the requirements imposed under this chapter shall be enforced under—

    (1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the appropriate Federal banking agency, with respect to any insured depository institution (as those terms are defined in section 3 of that Act (12 U.S.C. 1813);

    (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

    (3) part A of subtitle VII of title 49 by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

    (4) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et. seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

    (5) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

    (c) Exercise of certain powers.—For the purpose of the exercise by any agency referred to in subsection (a) of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this chapter shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (a), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this chapter, any other authority conferred on it by law.

    (d) Actions by Commission.—The Commission shall prevent any person from violating section 1303(a)(1) or a rule of the Commission under section 6502 of this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this chapter. Any entity that violates section 1303(a)(1) or a rule of the Commission under section 1303 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this chapter.

    (e) Effect on other laws.—Nothing contained in this chapter shall be construed to limit the authority of the Commission under any other provisions of law.

    (f) DETERMINATION OF WHETHER AN OPERATOR HAS KNOWLEDGE FAIRLY IMPLIED ON THE BASIS OF OBJECTIVE CIRCUMSTANCES.—

    (1) RULE OF CONSTRUCTION.—For purposes of enforcing this title or a regulation promulgated under this title, in making a determination as to whether an operator has knowledge fairly implied on the basis of objective circumstances that a specific user is a child or teen, the Commission or State attorneys general shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the user is a child or teen. Nothing in this title, including a determination described in the preceding sentence, shall be construed to require an operator to—

    (A) affirmatively collect any personal information with respect to the age of a child or teen that an operator is not already collecting in the normal course of business; or

    (B) implement an age gating or age verification functionality.

    (2) COMMISSION GUIDANCE.—

    (A) IN GENERAL.—Not later thanWithin 180 days after the date of the enactment of this subsection, the Commission shall issue guidance to provide information, including best practices and examples for operators to understand the Commission’s determination of whether an operator has knowledge fairly implied on the basis of objective circumstances that a user is a child or teen.

    (B) LIMITATION.—No guidance issued by the Commission with respect to this title shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. In any enforcement action brought pursuant to this title, the Commission or State attorney general, as applicable, shall allege a specific violation of a provision of this title. The Commission or State attorney general, as applicable, may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title.

    (g) ADDITIONAL REQUIREMENT.—Any regulations issued under this title shall include a description and analysis of the impact of proposed and final Rules on small entities per the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq.).

    Sec. 203. STUDY AND REPORTS OF MOBILE AND ONLINE APPLICATION OVERSIGHT AND ENFORCEMENT.

    (a) OVERSIGHT REPORT.—Not later than 3 years after the date of enactment of this Act, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the processes of platforms that offer mobile and online applications for ensuring that, of those applications that are websites, online services, online applications, or mobile applications directed to children, the applications operate in accordance with—

    (1) this title, the amendments made by this title, and rules promulgated under this title; and

    (2) rules promulgated by the Commission under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a) relating to unfair or deceptive acts or practices in marketing.

    (b) ENFORCEMENT REPORT.—Not later than 1 year after the date of the enactment of this Act, and each year thereafter, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that addresses, at a minimum—

    (1) the number of actions brought by the Commission during the reporting year to enforce the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501) (referred to in this subsection as the ‘‘Act’’) and the outcome of each such action;

    (2) the total number of investigations or inquiries into potential violations of the Act; during the reporting year;

    (3) the total number of open investigations or inquiries into potential violations of the Act as of the time the report is submitted;

    (4) the number and nature of complaints received by the Commission relating to an allegation of a violation of the Act during the reporting year; and

    (5) policy or legislative recommendations to strengthen online protections for children and teens.

    (c) REPORT BY THE INSPECTOR GENERAL.—

    (1) IN GENERAL.—Not later than 2 years after the date of the enactment of this Act, the Inspector General of the Federal Trade Commission shall submit to the Federal Trade Commission and to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report regarding the safe harbor provisions in section 1304 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503), which shall include—

    (A) an analysis of whether the safe harbor provisions are—

    (i) operating fairly and effectively; and

    (ii) effectively protecting the interests of children and minors; and

    (B) any proposal or recommendation for policy changes that would improve the effectiveness of the safe harbor provisions.

    (2) PUBLICATION.—Not later than 10 days after the date on which a report is submitted under paragraph (1), the Commission shall publish the report on the website of the Commission.

    SEC. 4. GAO STUDY.

    (a) STUDY.—The Comptroller General of the United States (in this section referred to as the ‘‘Comptroller General’’) shall conduct a study on the privacy of teens who use financial technology products. Such study shall—

    (1) identify the type of financial technology products that teens are using;

    (2) identify the potential risks to teens’ privacy from using such financial technology products; and

    (3) determine whether existing laws are sufficient to address such risks to teens’ privacy.

    (b) REPORT.—Not later than 1 year after the date of enactment of this section, the Comptroller General shall submit to Congress a report containing the results of the study conducted under subsection (a), together with recommendations for such legislation and administrative action as the Comptroller General determines appropriate.

    SEC. 204. SEVERABILITY.

    If any provision of this title, or an amendment made by this title, is determined to be unenforceable or invalid, the remaining provisions of this title and the amendments made by this title may shall not be affected.