“A bill to establish duties for online service providers with respect to end user data that such providers collect and use.”
No CRS summary available for this bill.
This section establishes definitions for terms used in the Act, including (1) "Commission" as the Federal Trade Commission; (2) "end user" as an individual who engages with an online service provider or uses its services over the internet or any other digital network; (3) "individual identifying data" as data collected over the internet or a digital network that is linked, or reasonably linkable, to a specific end user or an associated computing device; (4) "online service provider" as an entity engaged in interstate commerce over the internet or a digital network that collects such data in the course of business, including incidentally; and (5) "sensitive data" as specified categories of data (e.g., Social Security numbers, biometric data, health information), including personal information collected from a child, as defined in the Children's Online Privacy Protection Act of 1998 (COPPA).
This section establishes duties of care, loyalty, and confidentiality for online service providers with respect to individual identifying data of end users. The duties require providers (1) to reasonably secure such data from unauthorized access and, subject to regulations, promptly notify end users of breaches involving their sensitive data; (2) to refrain from using such data (or data derived from it) in ways that benefit the provider to the end user's detriment by causing reasonably foreseeable material physical or financial harm or by being unexpected and highly offensive to a reasonable end user; and (3) to limit disclosures, sales, or sharing of such data to circumstances consistent with the other duties, including by contractually imposing the same duties on recipients and regularly auditing their compliance. The duties also apply to third parties receiving such data from providers. This section further authorizes the Commission to promulgate regulations under the Administrative Procedure Act (5 U.S.C. 553)—(1) to expand breach notifications beyond sensitive data for specified categories and (2) to exempt certain providers or third parties, considering factors such as privacy risks (based on provider size, complexity, activities, and data sensitivity) and costs and benefits.
This section authorizes the Federal Trade Commission (FTC) to enforce violations of section 3—which prohibits specified acts or practices by online service providers and related persons—as if they were unfair or deceptive acts or practices under the FTC Act (15 U.S.C. 41 et seq.), using the same powers, jurisdiction, duties, penalties, privileges, and immunities. Notwithstanding limitations in FTC Act sections 4 and 5(a)(2) (15 U.S.C. 44, 45(a)(2))—which exclude entities organized not for profit and common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) from the definition of "corporation" and from FTC jurisdiction—the FTC must enforce this Act against such entities in the same manner. (Thus, the provision expands FTC enforcement authority beyond its standard jurisdictional limits.) The FTC must promulgate regulations under this Act using notice-and-comment procedures under 5 U.S.C. 553. This section further authorizes state attorneys general (or other designated state consumer protection officers) to bring parens patriae civil actions in federal or state court on behalf of state residents against violators for appropriate relief, including civil penalties equal to the greater of (1) the number of days of noncompliance or (2) the number of harmed end users, multiplied by the maximum daily penalty under FTC Act section 5(m)(1)(A) (15 U.S.C. 45(m)(1)(A)), as adjusted for inflation. State attorneys general must generally notify the FTC before suing (with limited exceptions), and the FTC may intervene; however, states may not sue based on the same facts if the FTC has already instituted an action. The provision preserves state investigatory powers, specifies venue and service-of-process rules, and clarifies that state actions are in addition to FTC enforcement.
This section provides that nothing in the Act modifies, limits, or supersedes any privacy or security provision in any other federal or state statute or regulation, or limits the authority of the Commission under any other provision of law.
This section establishes the effective date of the Act as the date of enactment and provides that section 3 applies to online service providers and persons described in section 3(c) on and after 180 days after the date of enactment.