S. 189: Social Media Privacy Protection and Consumer Rights Act of 2019

The text of the bill below is as of Jan 17, 2019 (Introduced).


II

116th CONGRESS

1st Session

S. 189

IN THE SENATE OF THE UNITED STATES

January 17, 2019

(for herself and Mr. Kennedy) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To protect the privacy of users of social media and other online platforms.

1.

Short title

This Act may be cited as the Social Media Privacy Protection and Consumer Rights Act of 2019.

2.

Definitions

In this Act—

(1)

the term Commission means the Federal Trade Commission;

(2)

the term covered online platform means an online platform that collects personal data during the online behavior of a user of the online platform;

(3)

the term geolocation information means, with respect to an individual, any information that is not the content of a communication, concerning the location of a wireless communication device that—

(A)

in whole or in part, is generated by or derived from the operation of that device; and

(B)

could be used to determine or infer information regarding the location of the individual;

(4)

the term online platform

(A)

means any public-facing website, web application, or digital application (including a mobile application); and

(B)

includes a social network, an ad network, a mobile operating system, a search engine, an email service, or an internet access service;

(5)

the term operator has the meaning given the term in section 1302 of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501); and

(6)

the term personal data means individually identifiable information about an individual collected online, including—

(A)

location information sufficient to identify the name of a street and a city or town, including a physical address;

(B)

an email address;

(C)

a telephone number;

(D)

a government identifier, such as a Social Security number;

(E)

geolocation information;

(F)

the content of a message;

(G)

protected health information, as defined in section 160.103 of title 45, Code of Federal Regulations, or any successor regulation; and

(H)

nonpublic personal information, as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809).

3.

Privacy protections

(a)

Transparency and terms of service

(1)

Disclosure and obtaining initial consent and privacy preferences

(A)

In general

Before a user creates an account with, or otherwise begins to use, a covered online platform, the operator of the online platform shall—

(i)

inform the user that, unless the user makes an election under clause (ii)(II), personal data of the user produced during the online behavior of the user, whether on the online platform or otherwise, will be collected and used by the operator and third parties; and

(ii)

provide the user the option to specify the privacy preferences of the user, including by—

(I)

agreeing to the terms of service for use of the online platform, including, except as provided in subclause (II), the collection and use of personal data described in clause (i); and

(II)

prohibiting, if the user so elects, the collection and use of personal data described in clause (i), subject to subparagraph (B).

(B)

Consequence of prohibition of data collection

If the election of a user under subparagraph (A)(ii)(II) creates inoperability in the online platform, the operator of the online platform may deny certain services or completely deny access to the user.

(C)

Form of disclosure

An operator of a covered online platform shall provide a user of the online platform with the terms of service for use of the online platform, including the collection and use of personal data described in subparagraph (A)(i), in a form that—

(i)

is—

(I)

easily accessible;

(II)

of reasonable length; and

(III)

clearly distinguishable from other matters; and

(ii)

uses language that is clear, concise, and well organized, and follows other best practices appropriate to the subject and intended audience.

(D)

Privacy or security program

An operator of a covered online platform shall—

(i)

establish and maintain a privacy or security program for the online platform; and

(ii)

publish a description of the privacy or security program that—

(I)

details how the operator will use the personal data of a user of the online platform, including requirements for how the operator will address privacy risks associated with the development of new products and services; and

(II)

includes details of the access that employees and contractors of the operator have to the personal data of a user of the online platform, and internal policies for the use of that personal data.

(2)

New products; changes to privacy or security program

An operator of a covered online platform may not introduce a new product, or implement any material change to the privacy or security program of the online platform that overrides the privacy preferences of a user of the online platform, as specified under paragraph (1)(A)(ii), unless the operator has—

(A)

informed the user that the new product or change will result in the collection and use of personal data described in paragraph (1)(A)(i), if that is the case;

(B)

provided the user the option under paragraph (1)(A)(ii); and

(C)

obtained affirmative express consent from the user to the introduction of the new product or the implementation of the change.

(3)

Withdrawal of consent

An operator of a covered online platform shall ensure that—

(A)

a user of the online platform is able to withdraw consent to the terms of service for use of the online platform, including the collection and use of personal data described in paragraph (1)(A)(i), as easily as the user is able to give such consent; and

(B)

except as otherwise required by law, no person is able to access the personal data of a user of the online platform later than 30 days after the date on which the user closes his or her account or otherwise terminates his or her use of the online platform.

(b)

Right to access

An operator of a covered online platform shall offer a user of the online platform a copy of the personal data of the user that the operator has processed, free of charge and in an electronic and easily accessible format, including a list of each person that received the personal data from the operator for business purposes, whether through sale or other means.

(c)

Violations of privacy

(1)

In general

Not later than 72 hours after an operator of a covered online platform becomes aware that the personal data of a user of the online platform has been transmitted in violation of the privacy or security program of the online platform, including the privacy preferences specified by the user under subsection (a)(1)(A)(ii), the operator shall—

(A)

notify the user of the transmission;

(B)

offer the user the option to elect to prohibit the operator from collecting and using the personal data of the user, subject to paragraph (2);

(C)

except as provided in paragraph (3), offer the user the option to have the operator—

(i)

erase all personal data of the user tracked by the operator; and

(ii)

cease further dissemination of personal data of the user tracked by the operator;

(D)

offer the user a copy of the personal data of the user that the operator has processed, free of charge and in an electronic and easily accessible format, including a list of each person that received the personal data from the operator, whether through sale or other means; and

(E)

offer the user the option to close his or her account or otherwise terminate his or her use of the online platform.

(2)

Consequence of prohibition of data collection

If the election of a user under paragraph (1)(B) creates inoperability in the online platform, the operator of the online platform may deny certain services or completely deny access to the user.

(3)

Public safety exception

If the operator of a covered online platform, in good faith, believes that an emergency involving danger of death or serious physical injury to any individual requires disclosure without delay of specific personal data of a user of the online platform that relates to the emergency, the operator shall—

(A)

retain the specific personal data; and

(B)

notify the proper authorities.

(d)

Compliance

Not less frequently than once every 2 years, the operator of a covered online platform shall audit the privacy or security program of the online platform.

(e)

Safe harbor

Subsections (a), (b), and (c) shall not apply with respect to the development of privacy-enhancing technology by an operator of an online platform.

4.

Enforcement

(a)

Enforcement by Commission

(1)

Unfair or deceptive acts or practices

A violation of section 3 shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(2)

Powers of Commission

(A)

In general

Except as provided in subparagraph (C), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

(B)

Privileges and immunities

Except as provided in subparagraph (C), any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(C)

Common carriers and nonprofit organizations

Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in subparagraphs (A) and (B) of this paragraph, with respect to—

(i)

common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto; and

(ii)

organizations not organized to carry on business for their own profit or that of their members.

(D)

Authority preserved

Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

(b)

Enforcement by States

(1)

Authorization

Subject to paragraph (2), in any case in which the attorney general of a State has reason to believe, based on a legitimate consumer complaint, that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of any person subject to section 3 in a practice that violates that section, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.

(2)

Rights of Federal Trade Commission

(A)

Notice to Federal Trade Commission

(i)

In general

Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action against a person described in subsection (a)(1).

(ii)

Contents

The notification required by clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.

(iii)

Exception

If it is not feasible for the attorney general of a State to provide the notification required by clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.

(B)

Intervention by Federal Trade Commission

The Commission may—

(i)

intervene in any civil action brought by the attorney general of a State under paragraph (1) against a person described in subsection (a)(1); and

(ii)

upon intervening—

(I)

be heard on all matters arising in the civil action; and

(II)

file petitions for appeal of a decision in the civil action.

(3)

Investigatory powers

Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.

(4)

Action by Federal Trade Commission

If the Federal Trade Commission institutes a civil action or an administrative action with respect to a violation of section 3, the attorney general of a State may not, during the pendency of the action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted such action.

(5)

Venue; service of process

(A)

Venue

Any action brought under paragraph (1) may be brought in—

(i)

the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or

(ii)

another court of competent jurisdiction.

(B)

Service of process

In an action brought under paragraph (1), process may be served in any district in which the defendant—

(i)

is an inhabitant; or

(ii)

may be found.

(6)

Actions by other State officials

(A)

In general

In addition to civil actions brought by attorneys general under paragraph (1), any other consumer protection officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.

(B)

Savings provision

Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.

5.

Effective date

(a)

In general

This Act shall take effect 180 days after the date of enactment of this Act.

(b)

Applicability to existing users of online platforms

An individual who becomes a user of a covered online platform before the effective date under subsection (a) shall be treated as if he or she had become a user of the online platform on that effective date.

(c)

No retroactive applicability

This Act shall not apply to any conduct that occurred before the effective date under subsection (a).