(a)

Prohibition on access to user contacts

It shall be unlawful for a covered entity to ask a user to share the contacts or information about the contacts of the user unless the user and the contacts of the user consent to such use in writing. (b)

Access to, and correction, deletion, and portability of, covered data

(1)

In general

Subject to paragraphs (2) and (3), a covered entity shall provide a user, immediately or as quickly as possible and in no case later than 90 days after receiving a verified request from the user, with the ability to reasonably— (A)access— (i)if applicable, a list of each third party and service provider to whom the covered entity has transferred or shared the covered data of the user; (ii)the covered data of the user, or an accurate representation of the covered data of the user, including data aggregation that is a readable summary, that is held or has been processed by the covered entity or any service provider of the covered entity; and (iii)if a covered entity transfers covered data, a description of the covered data that was transferred and the purpose for which the third party requested the data; (B)request that the covered entity— (i)correct material inaccuracies or materially incomplete information with respect to the covered data of the user that is maintained by the covered entity; (ii)delete or de-identify covered data of the user that is or has been maintained by the covered entity; (iii)notify any service provider or third party to which the covered entity transferred such covered data of the corrected information; and (iv)provide contact information to the user of any service provider or third party that the covered data of the user was transferred to so that the user may make requests described in this subparagraph; and (C)to the extent that is technically feasible, provide covered data of the user that is or has been generated and submitted to the covered entity by the user and maintained by the covered entity in a portable, structured, and machine-readable format that is not subject to licensing restrictions. (2)

Frequency and cost of access

A covered entity shall— (A)provide a user with the opportunity to exercise the rights described in paragraph (1) not less than twice in any 12-month period; and (B)fulfill the responsibilities described in paragraph (1) free of charge. (3)

Prohibition on retaliation

A covered entity shall provide the same quality of goods or services, at the same price or rate, regardless of whether a user took an action described under paragraph (1). (4)

Retention of data

A covered entity that collects data on a user’s browsing history or biometric data and information shall delete the data within 60 days after the date on which the data was collected. (c)

Data minimization and contextuality

(1)

Collection and use of information

A commercial data operator shall limit the collection and sharing of information by the operator with third parties to what is reasonably necessary to provide a service or conduct an activity that a consumer has requested or is reasonably necessary for fraud prevention. (2)

Retention of information

A commercial data operator that collects the personal information of a consumer shall limit the use and retention of that information to what is reasonably necessary to provide a service or conduct an activity that a consumer has requested or a related operational purpose. Any data collected or retained by a commercial data operator solely for security or fraud prevention may not be used for operational purposes. (3)

Monetization

Monetization of personal information shall not be considered reasonably necessary to provide a service or conduct an activity that a consumer has requested or reasonably necessary for security or fraud prevention. (d)

Consumer choice and control

(1)

Commercial data operator

A commercial data operator shall provide a prominently and conspicuously displayed icon a user may click to opt out of data collection on every unique website, mobile application, or computer application. (2)

Covered entities

Within 2 years after the date of the enactment of this Act, a covered entity shall take reasonable steps, taking account of available technology, to provide users the ability to directly delete the covered data collected by the covered entity. (e)

Default settings

A covered entity may require, through terms of service or otherwise, that a user must consent to the transfer of covered data in order to use the service of the covered entity. (f)

Policies regarding data from minors

A covered entity may not collect, retain, or transfer the covered data of a user to a third party without affirmative consent from the parent or guardian of the user if the user is below the age of 18 years old, where technically feasible. (g)

Prohibition on tracking cookies without user consent

A commercial data operator— (1)unless authorized by the user, may not track cookies, including on mobile applications; and (2)shall provide the same services to users who do not authorize tracking cookies. (h)

Transparency

(1)

Privacy notice

A covered entity shall provide users with a clear, comprehensible, accurate, and continuously available privacy notice that— (A)describes in detail the information collected by the operator, how that information would be used, and whether the information would be sold or shared with any third party; and (B)is 1,000 words or less. (2)

Report on use of information required

If a user allows a commercial data operator to sell the covered data of the user, the commercial data operator shall provide the user with an annual report regarding the types of third parties with whom data has been shared. The report shall include a description of what information has been shared, for what purpose information is shared, and a list of each third party that receives data. (i)

Data security and breach notification

A covered entity shall notify each user in a timely manner of any data breach with respect to the information of the user and provide any remedy to compensate the user for the breach of their information, including a credit protection service, fraud alert, and credit monitoring through credit reporting agencies. (j)

Enforcement

(1)

Enforcement by the Federal Trade Commission

(A)

Unfair or deceptive acts or practices

A violation of this section shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. (B)

Powers of Commission

The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this section shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act. (2)

Effect on other laws

Nothing in this section shall be construed in any way to limit the authority of the Commission under any other provision of law or to limit the application of any Federal or State law. (3)

Enforcement by State attorneys general

(A)

In general

If the chief law enforcement officer of a State, or an official or agency designated by a State, has reason to believe that any person has violated or is violating this section, the attorney general, official, or agency of the State, in addition to any authority it may have to bring an action in State court under its consumer protection law, may bring a civil action in any appropriate United States district court or in any other court of competent jurisdiction, including a State court, to— (i)enjoin further such violation by such person; (ii)enforce compliance with this section; (iii)obtain civil penalties; and (iv)obtain damages, restitution, or other compensation on behalf of residents of the State. (B)

Notice and intervention by the Federal Trade Commission

The attorney general of a State shall provide prior written notice of any action under subparagraph (A) to the Commission and provide the Commission with a copy of the complaint in the action, except in any case in which such prior notice is not feasible, in which case the attorney general shall serve such notice immediately upon instituting such action. The Commission shall have the right— (i)to intervene in the action; (ii)upon so intervening, to be heard on all matters arising therein; and (iii)to file petitions for appeal. (C)

Limitation on State action while Federal action is pending

If the Commission has instituted a civil action for violation of this section, no State attorney general, or official or agency of a State, may bring an action under this paragraph during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this section alleged in the complaint. (4)

Private right of action

(A)

In general

Any individual alleging a violation of this section or a regulation promulgated under this section may bring a civil action in any Federal or State court of competent jurisdiction against a covered entity that has global annual gross revenues of at least $50,000,000. (B)

Relief

In a civil action brought under subparagraph (A) in which the plaintiff prevails, the court may award— (i)$100 to $750 per violation; (ii)reasonable attorney’s fees and litigation costs; and (iii)any other relief, including equitable or declaratory relief, that the court determines appropriate. (k)

Definitions

In this section: (1)

Commercial data operator

The term commercial data operator means an entity acting in its capacity as a consumer online services provider or data broker that— (A)generates a material amount of revenue from the use, collection, processing, sale, or sharing of data generated by a user; and (B)has more than 100,000,000 unique monthly visitors or users in the United States for a majority of months during the previous 1-year period. (2)

Commission

The term Commission means the Federal Trade Commission. (3)

Consent

The term consent means an affirmative act by an individual that clearly communicates the informed authorization of the individual for an act or practice. (4)

Core function

The term core function does not mean targeted advertising or marketing. (5)

Covered data

The term covered data means individually, identifiable information about a user collected online, including any of the following: (A)Location information that would identify the physical address of an individual. (B)Telephone number. (C)Email address. (D)Social security number or other unique, government-issued identifiers. (E)Nonpublic personal information (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)). (F)Content of a personal wire communication, oral communication, or electronic communication such as email or direct messaging with respect to any entity that is not the intended recipient of the communication. (G)Call detail records. (H)Web browsing history, application usage history, and the functional equivalent of either that is not aggregated data. (I)Biometric data and information, such as facial and voice recognition data. (6)

Covered entity

The term covered entity means a commercial data broker or large online operator that collects covered data from a user through an online platform. (7)

Data broker

The term data broker means a covered entity whose principal source of revenue is derived from processing or transferring the covered data of individuals with whom the entity does not have a direct relationship on behalf of a third party for use by the third party. (8)

De-identify

The term de-identify means to separate information from the user or IP address the information is associated with. (9)

Delete

The term delete means to remove or destroy information so that the information is not maintained in human or machine-readable form and cannot be retrieved or used in such form in the normal course of business. (10)

Large online operator

The term large online operator means any person that— (A)provides an online service; and (B)has more than 100,000,000 authenticated users of an online service in any 30-day period. (11)

Monetization

The term monetization means the process of collecting, using, and storing data solely for economic benefit. (12)

User

The term user means an individual residing in the United States who uses a website that collects data and information from the user.

H.R. 8652 — YODA