TITLE I—AMERICAN PRIVACY RIGHTS

SEC. 101. DEFINITIONS.

In this title:

1. AFFIRMATIVE EXPRESS CONSENT.—

1. IN GENERAL.—The term ‘‘affirmative express consent’’ means an affirmative act by an individual, or if a covered entity has knowledge that such individual is a child, an affirmative act by the parent of a child, or where the covered entity has knowledge such individual is a teen, an affirmative act by the parent or the teen that—

1. clearly communicates the authorization of the individual for an act or practice; and
2. is provided in response to a specific request from a covered entity, or a service provider on behalf of a covered entity,and that meets the requirements of subparagraph (B).

2. REQUEST REQUIREMENTS.—The requirements of this subparagraph with respect to a request made under subparagraph (A), are the following:

1. The request is provided to the individual in a clear and conspicuous standalone disclosure.
2. The request includes a description of each act or practice for which the consent of the individual is sought and—

1. clearly distinguishes between an act or practice that is necessary, proportionate, and limited to fulfill a request of the individual and an act or practice that is for another purpose;
2. clearly states the specific categories of covered data that the covered entity shall collect, process, retain, or transfer to fulfill the act or practice for which the request was made; and
3. is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand each such act or practice.

3. The request clearly explains the applicable rights of the individual related to consent.
4. The request is made in a manner reasonably accessible to and usable by individuals living with disabilities.
5. The request is made available to the individual in eachthe language in which the covered entity provides a product or service for which authorization is sought.
6. The option to refuse consent shall beis at least as prominent as the option to acceptprovide consent, and the option to refuse consent shall taketakes no more than 1 additional step as compared to the same number of steps necessary or fewer as the option to acceptprovide consent.
7. With respect to affirmative express consent sought for the collection, processing, retention, or transfer of biometric information or genetic information, includes in the request for affirmative express consent includes the length of time the covered entity or service provider intends to retain the biometric information or genetic information, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain the biometric information or genetic information.

3. EXPRESS CONSENT REQUIRED.—Affirmative express consent to an act or practice shallmay not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by thean entity.
4. WITHDRAWAL OF AFFIRMATIVE EXPRESS CONSENT.—

1. IN GENERAL.—A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual.
2. REQUIREMENTS.—The means to withdraw affirmative express consent described in clause (i) shall be—

1. clear and conspicuous; and
2. as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.

5. CHILDREN AND TEENS.—If a covered entity has knowledge that—

1. an individual is a child, only a parent of the child may provide affirmative express consent on behalf of the child; or
2. an individual is a teen, a parent or the teen may provide affirmative express consent on behalf of the teen. 

2. BIOMETRIC INFORMATION.—

1. IN GENERAL.—The term ‘‘biometric information’’ means any covered data that is specific toallows or confirms the unique identification or verification of an individual and is generated from the measurement or processing of unique biological, physical, or physiological characteristics that is linked or reasonably linkable to the individual, including—

1. fingerprints;
2. voice prints;
3. iris or retina imagery scans;
4. facial or hand mapping, geometry, or templates; orand
5. gait.

2. EXCLUSION.—The term ‘‘biometric information’’ does not include—

1. a digital or physical photograph;
2. an audio or video recording; or
3. metadata associated with data derived from a digital or physical photograph or an audio or video recording that cannot be used to identify or authenticate an specific individual.

3. CHILD.—The term ‘‘child’’ means an individual under the age of 13.
4. CLEAR AND CONSPICUOUS.—The term “clear and conspicuous” means, with respect to a disclosure, that the disclosure is difficult to miss and easily understandable by ordinary consumers.
5. COARSE GEOLOCATION INFORMATION.—The term ‘‘coarse geolocation information’’ means information that reveals the present physical location of an individual or device identified by a unique persistent identifier at the ZIP code attribution level, except where a geographic area attributed to a ZIP code is equal to or less than the area of a circle with a radius of 1,850 feet or less, at a level greater than a geographic area equal to the area of a circle with a radius of 1,850 feet.
6. COLLECT; COLLECTION.—The terms ‘‘collect’’ and ‘‘collection’’ means, with respect to covered data, to buying, renting, gathering, obtaining, receiveing, accessing, or otherwise acquireing the covered data by any means.
7. COMMISSION.—The term ‘‘Commission’’ means the Federal Trade Commission.
8. COMMON BRANDING.—The term ‘‘common branding’’ means a name, service mark, or trademark that is shared by 2 or more entities.
9. CONNECTED DEVICE.—The term ‘‘connected device’’ means a device that is capable of connecting to the internet over a fixed or wireless connection.

(10) CONSEQUENTIAL DECISION.—The term “consequential decision” means a decision or an offer that determines the eligibility of an individual for, or results in the provision or denial to an individual of, housing, employment, credit opportunities, education enrollment or opportunities, access to places of public accommodation, healthcare, or insurance.

10. CONTEXTUAL ADVERTISING.—The term “contextual advertising” means displaying or presenting an online advertisement that—

1. is not target advertising;

1. does not vary based on the identity of the individual recipient; and
2. is based solely on—

1. the content of a webpage or online service;
2. advertising or marketing content to an individual in response to a specific request of the individual for information or feedback; or
3. the presence of an individual within a radius no smaller than 10 miles. coarse geolocation information.

11. CONTROL.—The term ‘‘control’’ means, with respect to an entity—

1. ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;
2. control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or
3. the power to exercise a controlling influence over the management of the entity.

(12) COVERED ALGORITHM.—The term ‘‘covered algorithm’’ means a computational process, including onea process derived from machine learning, statistics, or other data processing or artificial intelligence techniques, natural language processing, or other advanced computational processing techniques, that makes a is used to substantially assist or replace discretionary human decision or facilitates human decision-making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.

12. COVERED DATA.—

1. IN GENERAL.—The term ‘‘covered data’’ means information, including sensitive covered data, that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.
2. (B) EXCLUSIONS.—The term ‘‘covered data’’ does not include—

1. de-identified data;
2. employee information;
3. publicly available information;
4. inferences made exclusively from multiple independent sources of publicly available information provided that, if such inferences—

1. do not reveal information about an individual that meets the definition of the term “sensitive covered data” with respect to anthe individual; and
2. are not combined with covered data; or

5. information in the collection of a library, archive, or museum, if— 

1. the collection is— 

27. open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum; and if the library, archive, or museum has—
28. composed of lawfully acquired materials with respect to which all licensing conditions are met; and

2. the library, archive, or museum has—

27. a public service mission; and
28. trained staff or volunteers to provide professional services normally associated with libraries, archives, or museums; or and 

3. collections composed of lawfully acquired materials andwith respect to which all licensing conditions for such materials are met.

6. on-device data

13. COVERED ENTITY.—

1. IN GENERAL.—The term ‘‘covered entity’’ means any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and—

1. is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.);
2. is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.); or
3. is an organization not organized to carry on business for theirits own profit or that of its members.

2. INCLUSION.—The term “covered entity” includes any entity that controls, is controlled by, or is under common control with another covered entity.
3. EXCLUSIONS.—The term “covered entity” does not include—

1. a Federal, State, Tribal, territorial, or local government entity, such as a body, authority, board, bureau, commission, district, agency, or other political subdivision of the Federal Government or a State, Tribal, territorial, or local government;
2. an entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity, to the extent that such entity is acting as a service provider to the government entity;
3. a small business;
4. an individual acting at their own direction and in a non-commercial context;
5. the National Center for Missing and Exploited Children; or
6. except with respect to the obligationsrequirements under section 109, a nonprofit organization whose primary mission is to prevent, investigate, or deter fraud, or to train anti-fraud professionals, or to educate the public about fraud, including insurance fraud, securities fraud, and financial fraud to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission.

4. NONAPPLICATION TO SERVICE PROVIDERS.—An entity shallmay not be considered to be a ‘‘covered entity’’ for the purposes of this Acttitle, insofar as the entity is acting as a service provider.

14. COVERED HIGH-IMPACT SOCIAL MEDIA COMPANY.—

1. IN GENERAL.—The term ‘‘covered high-impact social media company’’ means a covered entity that provides any internet-accessible platform wherethat—

1. (A) such covered entity generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity;
2. (B) such platform has 300,000,000 or more global monthly active users for not fewer than 3 of the preceding 12 months on the platform of such covered entity; and
3. (C) such platform constitutes an online product or service that is primarily used by individuals users to access or share user-generated content.

2. TREATMENT OF CERTAIN SERVICES AND APPLICATIONS.—A service or application may not be considered to constitute an online product or service described in subparagraph (A)(iii) solely on the basis of providing any of the following:

1. Email.
2. Career        or professional development networking opportunities.
3. Reviews of products, services, events, or destinations.
4. A platform for use in a public or private school under the direction of the school.
5. File collaboration.
6. Cloud storage.
7. Closed video or audio communications services.
8. A wireless messaging service, including such a service provided through short messaging service or multimedia messaging service protocols, that is not a component of, or linked to, a platform of a covered high-impact social media company, if the predominant or exclusive function is direct messaging consisting of the transmission of text, photos, or videos that are sent by electronic means, and if messages are transmitted from the sender to a recipient and are not posted within a platform of a covered high-impact social media company or publicly.

15. COVERED MINOR.—The term ‘‘covered minor’’ means an individual under the age of 17.
16. DARK PATTERNS.—The term “dark patterns” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
17. DATA BROKER.—

1. IN GENERAL.—The term ‘‘data broker’’ means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to suchthe covered data.
2. PRINCIPAL SOURCE OF REVENUE DEFINED.—For purposes of this paragraph, the term ‘‘principal source of revenue’’ means, with respect to for the precedingprior 12-month period—

1. revenue that constitutes greater than 50 percent of all revenue of the covered entity during such period; or
2. revenue obtained from processing or transferring the covered data of more than 5,000,000 individuals that the covered entity did not collect directly from the individuals linked or linkable to the covered data.

3. NON-APPLICATION TO SERVICE PROVIDERS.—The term ‘‘data broker’’ does not include an entity to the extent that such entity is acting as a service provider.

DARK PATTERNS.—The term ‘‘dark patterns’’ means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

18. DE-IDENTIFIED DATA.—

1. IN GENERAL.—The term ‘‘de-identified data’’ means—  information that cannot reasonably be used to infer or derive the identity of an individual, and does not identify and is not linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to such an individual, regardless of whether the information is aggregated, provided that if the relevant covered entity or service provider—

1. takes reasonable physical, administrative, orand technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;
2. publicly commits in a clear and conspicuous manner to—

1. process, retain, or transfer the information solely in a de-identified form without any reasonable means for re-identification; and
2. not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and, except as necessary, limited, and proportionate to test the effectiveness of the measures described in clause (i); and

3. contractually obligates any entity that receives the information from the covered entity or service provider to—

1. comply with all of the provisions of this paragraph clauses (i) and (ii) with respect to the information; and
2. require that such contractual obligations be included contractually in all subsequent instances for in which the data information may be received; or 

2. HEALTH INFORMATION.—The term “de-identified data” includes health information (as defined in section 2621171 of the Health Insurance Portability and Accountability Act of 1996 Social Security Act (42 U.S.C. 1320d)) that has been de-identified in accordance with section 164.514(b) of title 45, Code of Federal Regulations, provided except that if such information is subsequently provided to an entity that is not an entity subject to parts 160 and 164 of such title 45, such entity must shall comply with clauses (ii) and (iii) of subparagraph (A) for the information to be considered de-identified under this Act title.

19. DERIVED DATA.—The term ‘‘derived data’’ means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data 25 about an individual or an individual’s device.
20. DEVICE.—The term ‘‘device’’ means any electronic equipment capable of collecting, processing, retaining, or transferring covered data that is used by 1 or more individuals, including a connected device or a portable connected device.
21. DIRECT MAIL TARGETED ADVERTISING.— The term ‘‘direct mail targeted advertising’’ means advertising or marketing using third-party data through a direct communication with an individual via direct mail.
22. DISABILITY.—The term ‘‘disability’’ has the meaning given to such term in the Americans with Disabilities Act (42 U.S.C. 12102).
23. EMAIL TARGETED ADVERTISING.—The term ‘‘email targeted advertising’’ means advertising or marketing using third-party data through a direct communication with an individual via email.
24. EMPLOYEE.—The term ‘‘employee’’ means an individual who is an employee, director, officer, staff member, paid intern, or individual working as an independent contractor (that who is not a service provider), volunteer, or unpaid intern of an employer, regardless of whether such individual is paid, unpaid, or employed engaged on a temporary basis.
25. EMPLOYEE INFORMATION.—The term ‘‘employee information’’ means covered data, biometric information, including biometric information or genetic information that is collected by a covered entity (or a service provider acting on behalf of a covered entity)—

1. about an individual in the course of employment or application for employment (including on a contract or temporary basis), provided that if such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for purposes necessary for the employment or application of the individual;
2. that is emergency contact information for an individual who is an employee or job applicant of the covered entity, provided that employer, if such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for the purpose of having an emergency contact for such individual on file; or
3. about an individual (or a relative of an individual) who is an employee or former employee of the an covered entity  employer, or the relative, dependent or beneficiary of the employee or former employee, and collected, retained, processed, or transferred for the purpose of administering benefits, including enrollment and disenrollment for benefits, to which such individual the employee, former employee, or relative, dependent, or beneficiary is entitled on the basis of the employment of the individual employee or former employee with the covered entity employer, if provided that such data information is collected, retained, or processed, or transferred by the covered entity employer or the service provider of the employer solely for the purpose of administering such benefits.

26. ENTITY.—The term ‘‘entity’’ means an individual, a trust, a partnership, an association, an organization, a company, and a or corporation.
27. EXECUTIVE AGENCY.—The term ‘‘executive agency’’ has the meaning given such term in section 105 of title 5, United States Code.
28. FEDERATED NONPROFIT ORGANIZATION.—The term ‘‘federated nonprofit organization’’ means a network or system of 2 or more entities, described in section 501(c)(3) of the Internal Revenue Code of 1986 and exempt from taxation under section 501(a) of such Code, that share common branding.
29.  FIRST PARTY.—The term ‘‘first party’’— 

1. means a consumer-facing covered entity with which the consumer intends and expects to interact, and
2. includes any entities with which the covered entity shares common branding.

30. FIRST-PARTY ADVERTISING.—

1. IN GENERAL.—The term ‘‘first-party advertising’’ means—advertising or marketing facilitated by a first party using that first party’s the first-party data of the first party and not other forms of covered data and carried out—

1. through direct communications with an individual, such as direct mail, email (subject to 15 U.S.C. 103 and all regulations promulgated thereunder the CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.) and the regulations promulgated under such Act), or text message communications (subject to section 227 of the Communications Act of 1934 (47 U.S.C. 227) and all the regulations promulgated thereunder under such section): or, or advertising or marketing facilitated by a first party, such as in a physical location operated by the first party; or
2. entirely within the following first party contexts—

1. in a physical location operated by the first party;
2. displaying or presenting an advertisement of a product or service to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers,  in the case of a first party that is not a covered high-impact social media company, on a website, online service, online application, or mobile application operated by a the first party (other than a covered high-impact social media company) based solely on first-party data,  to through display or presentation of an online advertisement that promotes a product or service (whether offered by the first party or not offered by the first party) to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers; or
3. in the case of a first party that is a covered high-impact social media company, on a website, online service, online application, or mobile application operated by a the first party, that is a covered high-impact social media company to through display or presentation of an online advertisement that promotes a product or service offered by the first party that is a covered high-impact social media company to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers.

2. EXCLUSION.—The term ‘‘first-party advertising’’ does not include contextual advertising.

31. FIRST-PARTY DATA.—The term ‘‘first-party data’’ means covered data collected directly from an individual by a first party, including based on a visit by the individual to or use by the individual of a website, a physical location, a website, or an online service, online application, or mobile application operated by the first party.
32. GENETIC INFORMATION.—The term ‘‘genetic information’’ means any covered data, regardless of its format, that concerns an identified or the genetic characteristics of an identified or identifiable individual’s genetic characteristics individual, including—

1. raw sequence data that results from the sequencing of the complete, or a portion of the extracted deoxyribonucleic acid (DNA) of an individual; or
2. genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (A).

33. HEALTH INFORMATION.—The term ‘‘health information’’ means information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition health status, or treatment of an individual, including the precise geolocation information of such treatment.
34. INDIVIDUAL.—The term ‘‘individual’’ means a natural person residing in the United States.
35. KNOWLEDGE.—

1. IN GENERAL.—The term ‘‘knowledge” means, with respect to knowledge that whether an individual is a child, teen, or covered minor means actual knowledge or knowledge fairly implied on the basis of objective circumstances.
2. RULE OF CONSTRUCTION.—For purposes of enforcing this title or a regulation promulgated under this title, a determination as to whether a covered entity has knowledge fairly implied on the basis of objective circumstances that a individual is a child, or teen, or covered minor shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the individual is a child, teen, or covered minor. Nothing in this title, including a determination described in the preceding sentence, shall be construed to require a covered entity to—

1. affirmatively collect any covered data with respect to the age of a child, or teen, or covered minor that an the covered entity is not already collecting in the normal course of business; or
2. implement an age gating or age verification functionality.

3. COMMISSION GUIDANCE.—

1. IN GENERAL.—Within Not later than 180 days of after the date of the enactment of this Act, the Commission shall issue guidance to provide information, including best practices and examples for covered entities to use in understanding the Commission’s determination of whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child, or teen, or covered minor.
2. LIMITATION.—No guidance issued by the Commission with respect to this title shall  under clause (i) confers any rights on any person, State, or locality, nor shall or operates to bind the Commission or any person, State, or locality to the approach recommended in such guidance. Any enforcement action brought pursuant to this title, by the Commission or State by the attorney general of a state, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers, as applicable, shall allege a specific violation of a provision of this title and the Commission or the attorney general, chief consumer protection officer, or other authorized officer or office of the State, as applicable, may not base an enforcement action on, or as applicable execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title.

36. LARGE DATA HOLDER.—

1. IN GENERAL.—The term ‘‘large data holder’’ means a covered entity or service provider that, in the most recent calendar year, had an annual gross revenue of not less than $250,000,000 and, subject to subparagraph (B), collected, processed, retained, or transferred—

1. the covered data of—

1. more than 5,000,000 individuals;
2. more than 15,000,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; and or
3. more than 35,000,000 connected devices that identify or are linked or reasonable linkable to 1 or more individuals; or

2. the sensitive covered data of—

1. more than 200,000 individuals;
2. more than 300,000 portable connected devices that identify or are linked or reasonable linkable to 1 or more individuals; and
3. more than 700,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals.

2. EXCLUSIONS.—For purposes of subparagraph (A), a covered entity or service provider shall may not be considered a large data holder solely on account the basis of collecting, processing, retaining, or transferring to a service provider—

1. personal mailing or email addresses;
2. personal telephone numbers;
3. log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity; or
4. in the case of a covered entity that is a seller of goods or services (other than an entity that facilitates payment, such as a bank, credit card processor, mobile payment system, or payment platform), credit, debit, or mobile payment information strictly necessary and used to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for such goods or services.

3. DEFINITION OF ANNUAL GROSS REVENUE.—For the purposes of subparagraph (A), the term ‘‘annual gross revenue’’, with respect to a covered entity or service provider—

1. means the gross receipts the covered entity or service provider received, in whatever form from all sources, without subtracting any costs or expenses; and
2. includes contributions, gifts, grants, dues or other assessments, income from investments, and proceeds from the sale of real or personal property.

37. MARKET RESEARCH.—The term ‘‘market research’’ means the collection, processing, retention, or transfer of covered data, with affirmative express consent, as reasonably that is necessary and, proportionate, and limited to measure and analyze the market or market trends of products, services, advertising, or ideas, whereif the covered data is not—

1. integrated into any product or service;
2. otherwise used to contact any individual or device of an individual; or
3. used for targeted advertising or to otherwise market to any individual or device of an individual.

38. MATERIAL CHANGE.—The term ‘‘material change’’ means, with respect to treatment of covered data, a change by an entity that would likely affect 25 an individual’s the decision of an individual to engage with and provide covered data to the entity, including providing affirmative express consent for, or opting out of, the entity’s collection, processing, retention, or transfer of covered data pertaining to such individual.
39. MOBILE APPLICATION.—The term ‘‘mobile application’’—

1. means a software program that runs on the operating system of—

1. a cellular telephone;
2. a tablet computer; or
3. a similar portable computing device that transmits data over a wireless connection; and

2. includes a service or application offered via a connected device.

40. ON-DEVICE DATA.—

1. IN GENERAL.—The term ‘‘on-device data’’ means covered data collected, retained, and processed solely on the device of an individual.an individual’s device. stored under the sole control of an individual, including on the an individual’s device of an individual, and only to the extent such data is not processed or transferred by a covered entity or service provider.
2. LIMITATION.—Data collected, retained, and processed solely on the device of an individual may an individual’s device shall be considered ‘‘on-device data’’ only if—

1. such data is not transferred by a covered entity or service provider;
2. the relevant covered entity clearly and conspicuously provides the device owner with controls that allow the owner to access, correct, delete, and export such data consistent with the rights provided with respect to covered data pursuant to section 105;
3. the relevant covered entity provides easy-to-understand instructions on how the device owner can access such controls; and
4. the relevant covered entity establishes, implements, and maintains reasonable data security practices, consistent with section 109, to protect—

1. the confidentiality, integrity, and availability of the on-device data; and
2. on device data against unauthorized access.

41. ONLINE ACTIVITY PROFILE.—The term ‘‘online activity profile’’ means covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third party websites, online services, online applications, or mobile applications that do not share common branding, and that is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual.
42. ONLINE APPLICATION.—The term ‘‘online application’’—

1. means an internet-connected software program; and
2. includes a service or application offered via a connected device.

43. PARENT.—The term ‘‘parent’’ means a legal guardian.
44. PORTABLE CONNECTED DEVICE.—The term ‘‘portable connected device’’ means a portable device that is capable of connecting to the internet over a wireless connection, including a smartphone, tablet computer, laptop computer, smartwatch, or similar portable device.
45. PRECISE GEOLOCATION INFORMATION.—

1. IN GENERAL.—The term ‘‘precise geolocation information’’ means information that reveals the past or present physical location of an individual or device with sufficient precision to identify (A) street-level location information of such individual or device; or the location of such individual or device within a range geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet or less.
2. EXCLUSIONS.—The term “precise geolocation information” does not include information derived solely from—

1. a digital or physical photograph; or
2. an audio or visual recording.; or
3. metadata associated with a digital or physical photograph or an audio or visual recording that cannot be linked to an individual.

46. PROCESS.—The term ‘‘process’’ means, with respect to covered data, any operation or set of operations performed on the covered data, including analyzing, organizing, structuring, using, modifying, or otherwise handling the covered data.
47. PUBLICLY AVAILABLE INFORMATION.—

1. IN GENERAL.—The term ‘‘publicly available information’’ means any information that a covered entity has a reasonable basis to believe has been lawfully made available to the general public from by—

1. Federal, State, or local government records provided that, if the covered entity collects, processes, retains, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;
2. widely distributed media;
3. a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log -in to the website or online service; or
4. a disclosure to the general public that is required to be made by Federal, State, or local law.

2. CLARIFICATIONS; LIMITATIONS.—

1. AVAILABLE TO ALL MEMBERS OF THE PUBLIC.—For purposes of this paragraph, information from a website or online service is not available to all members of the public if the individual to whom the information pertains has restricted the information to a specific audience or maintained a default setting that restricts the information to a specific audience.
2. BUSINESS CONTACT INFORMATION.—The term ‘‘publicly available information’’ includes the business contact information of an employee individual acting in a business or professional context that is made available on a website or online service made available to all members of the public on a website or online service, including the individual’s employee’s name, position or title, business teletelephone number, business email address, or business address of the individualemployee.
3. OTHER LIMITATIONS.—The term ‘‘publicly available information’’ does not include– any of the following:

1. any obscene visual depiction (as defined for purposes of such term is used in section 1460 of title 18, United States Code);
2. derived data from publicly available information that reveals information about an individual that meets the definition of the term “sensitive covered data”;.
3. biometric information;. 
4. genetic information., unless made publicly available by the individual to whom the information pertains by a means described in clause (ii) or (iii) of subparagraph (A);
5. covered data that has been combined is created through the combination of covered data with publicly available information.; or
6. intimate images, authentic or computer-generated by a computer or by artificial intelligence, known to be nonconsensual.; or
7. sensitive covered data made available by a data broker.

48. RETAIN.—The term ‘‘retain’’ means, with respect to covered data, to store, maintain, save, or otherwise keep such data, regardless of format.
49. SENSITIVE COVERED DATA.—

1. IN GENERAL.—The term ‘‘sensitive covered data’’ means the following forms of covered data:

1. A government-issued identifier, such as including a sSocial sSecurity number, passport number, or driver’s license number, that is not required by law to be displayed in public.
2. Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition, status, or treatment of an individual.
3. Genetic Information.
4. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card., except that the last four digits of an account number, debit card number, or credit card number may not be considered sensitive covered data.
5. Biometric information.
6. Precise geolocation information.
7. An individual’s tThe private communications of an individual (, such as voicemails, or other voice or video communications, emails, texts, direct messages, or mail,) or information identifying the parties to such communications, information contained in telephone bills, voice communications, and any information that pertains to the transmission of private voice or video communications, including numbers called, numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the relevant covered entity or service provider is an intended recipient of the communication.
8. Unencrypted or unredacted account or device log-in credentials.
9. Information revealing the sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation of the individual regarding disclosure of such information.
10. Calendar information, address book information, phone, or text, or electronic logs, photographs, audio recordings, or videos intended for private use.
11. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
12. Information revealing the extent or content of any individual’s the access, viewing, or other use by an individual of any video programming described(as defined in section 713(bh)(2) of the Communications Act of 1934 (47 U.S.C. 613(h)(2))), including programming provided by a provider of broadcast television service, cable service, satellite service, or streaming media service, but only with regard to the transfer of such information to a third party (excluding any such data information used solely for transfers for independent video measurement).
13. Information collected by a covered entity that is not a provider of a service described in clause (xii) that reveals the video content requested or selected by an individual (excluding any such data information used solely for transfers for independent video measurement).
14. Information revealing an individual’s the race, ethnicity, national origin, religion, or sex of an individual in a manner inconsistent with the individual’s reasonable expectation of the individual regarding disclosure of such information.
15. An online activity profile. Information revealing an individual’s the online activities of an individual over time and across websites or online services that do not share common branding are unaffiliated or over time on any website or online service operated by a covered high-impact social media company.
16. Information about an individual who is a covered minor.
17. Information that reveals the status of an individual as a member of the Armed Forces.
18. Neural data.
19. aAny other covered data collected, processed, retained, or transferred for the purpose of identifying the dataa types of information described in any of clauses (i) through (xviii).
20. any other covered data, except for expanding the categories described in clause (ii), that the Commission determines to be sensitive covered data through a rulemaking pursuant to section 553 of title 5, United States Code.

2. THIRD PARTY.—For the purposes of subparagraph (A)(xii), the term ‘‘third party’’ does not include an entity that—

1. is related by common ownership or corporate control to the provider of broadcast television service, cable service, satellite service, or streaming media service; and
2. provides video programming as described in such subparagraph (A)(xii).

50. SERVICE PROVIDER.—

1. IN GENERAL.—The term ‘‘service provider’’ means an entity that collects, processes, retains, or transfers covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of—,

1. a covered entity or another service provider; or
2. a Federal, State, Tribal, territorial, or local government entity.

2. RULE OF CONSTRUCTION.—

1. IN GENERAL.—An entity is a ‘‘covered entity’’ and not a ‘‘service provider’’ with respect to a specific collecting, processing, retaining, or transferring of covered data, if the entity, alone or jointly or with others, determines the purposes and means of the specific collecting, processing, retaining, or transferring of data.
2. INSTRUCTIONS.—An entity person that is not limited in its collecting, processing, retaining retention, or transferring of covered data pursuant to the instructions of a covered entity, another service provider, or a Federal, State, Tribal, territorial, or local government entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific collecting, processing, retaining, or transferring of such data. If a service provider begins, alone, or jointly with others, determining the purposes and means of collecting, processing, retaining, or transferring covered data, the entity it is a covered entity with respect to such data. A service provider that continues to adhere to the instructions of a covered entity with respect to processing covered data remains a service provider.
3. CONTEXT REQUIRED.—Whether an entity is a ‘‘covered entity’’ or a ‘‘service provider’’ depends on the facts surrounding how, and the context in which, the data is collected, processed, retained, or transferred.

51. SMALL BUSINESS.—

1. IN GENERAL.—The term ‘‘small business’’ means an entity (including any affiliate of the entity)—

1. Whosethat has average annual gross revenues for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence, if such period is less than 3 calendar years) did that do not exceeding $40,000,000 dollars, indexed to the Producer Price Index reported by the Bureau of Labor Statistics the size standard in millions of dollars specified in section 121.201 of title 13, Code of Federal Regulations, relating to NAICS Code 518210 (Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services), including any updates to such size standard;
2. that, on average, for the period described in clause (i), did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return or warranty policy; and
3. that did not, during the period described in clause (i), transfer covered data to a third party in exchange for revenue or anything of value, except for purposes of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product or facilitating web analytics that are not used to create an online activity profile. track the online activity of an individual over time and across websites or online services that do not share common branding or for targeted advertising purposes.

2. NONPROFIT REVENUE.—For purposes of subparagraph (A)(i), the term ‘‘revenue’’, as it such term relates to any entity that is not organized to carry on business for its own profit or that of their its members, means the gross receipts the entity received, in whatever form from all sources, without subtracting any costs or expenses, and includes contributions, gifts, non-Federal grants (except for grants from the Federal Government), dues or other assessments, income from investments, or proceeds from the sale of real or personal property.

52. STATE.—The term ‘‘State’’ means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands of the United States, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.
53. SUBSTANTIAL PRIVACY HARM.—The term ‘‘substantial privacy harm’’ means—

1. any alleged financial harm of not less than $10,000; or
2. any alleged physical or mental harm to an individual that involves—

1.  treatment by a licensed, credentialed, or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health, or addiction care; or
2. physical injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.

54. TARGETED ADVERTISING.—The term ‘‘targeted advertising’’—

1. means displaying or presenting an online advertisement to an individual or to a device identified by a unique persistent identifier (or to a group of individuals or devices identified by unique persistent identifiers), if the online advertisement that is selected based, in whole or in part, on known or predicted preferences, or interested associated with the individual or a device identified by a unique persistent identifier; covered data collected or inferred from the online activities of the individual over time and across websites or online services that do not share common branding, or over time on any website or online service operated by a covered high-impact social media company (but not based on a profile created about the individual), to predict the preferences of the individual or interests associated with the individual or a device identified by a unique persistent identifier; and
2. does not includes—

1. (i) an online advertisement for a third-party product or service by a covered high-impact social media company for a product or service that is not a product or service offered by the covered high-impact social media company based on first-party data; and  advertising or marketing content to an individual in response to the individual’s specific request for information or feedback;
2. An online advertisement for a product or service based on the previous interaction of an individual or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding or affiliation with the website or online service displaying or presenting the advertisement.; and
3. excludes contextual advertising and first-party advertising.
4. first-party advertising based on an individual’s visit to or use of a website or online service that offers a product or service that is related to the subject of the advertisement;
5. contextual advertising when an advertisement is displayed online based on the content of the webpage or online service on which the advertisement appears; or
6. processing covered data solely for measuring or reporting advertising, marketing, or media performance, reach, or frequency, including by independent entities.

55. TEEN.—The term ‘‘teen’’ means an individual over the age of 12 and 13 years of age or older, but under the age of 17.
56. THIRD PARTY.—The term ‘‘third party’’—

1. means any entity that—

1. receives covered data from another entity that is not the individual to whom the data pertains; and
2. is not a service provider with respect to such data; and

2. does not include an entity that collects covered data from another entity if the 2 entities are—

1. related by common ownership or corporate control and share common branding.; or
2. nonprofit entities that are part of the same federated nonprofit organization.

57. THIRD-PARTY DATA.—The term ‘‘third party data’’ means covered data that has been transferred to a third party.
58. TRANSFER.—The term ‘‘transfer’’ means, with respect to covered data, to disclose, release, share, disseminate, make available, sell, rent, or license the covered data, (orally, in writing, electronically, or by any other means) for consideration of any kind or for a commercial purpose.
59. UNIQUE PERSISTENT IDENTIFIER.—

1. IN GENERAL.—The term ‘‘unique persistent identifier’’ means a technologically created identifier to the extent that such identifier is reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including a device identifiers, an Internet Protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer numbers, unique pseudonyms, or user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to 1 or more individuals or devices; and 
2. EXCLUSION.—The term “unique persistent identifier” does not include an identifier assigned by a covered entity for the specific sole purpose of giving effect to an individual’s the exercise of affirmative express consent by an individual or opt-out of the collection by an individual with respect to the collecting, processing, retaining, or and transfer of covered data or otherwise limiting the collection collecting, processing, retaining, or transfer of such information covered data.

60. WIDELY DISTRIBUTED MEDIA.—

1. IN GENERAL.—The term ‘‘widely distributed media’’ means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis.; and 
2. EXCLUSION.—The term “widely distributed media” does not include an obscene visual depiction (as defined such term is used in section 1460 of title 18, United States Code).