IN THE SENATE OF THE UNITED STATES
February 27, 2019
Ms. Cortez Masto introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To provide for digital accountability and transparency.
This Act may be cited as the
Digital Accountability and Transparency to Advance Privacy Act or the
DATA Privacy Act.
In this Act:
The term collect means taking any operation or set of operations to obtain covered data, including by automated means, including purchasing, leasing, assembling, recording, gathering, acquiring, or procuring.
The term Commission means the Federal Trade Commission.
The term covered data—
means any information that is—
collected, processed, stored, or disclosed by a covered entity;
collected over the internet or other digital network; and
linked to an individual or device associated with an individual; or
practicably linkable to an individual or device associated with an individual, including by combination with separate information, by the covered entity or any potential recipient of the data; and
does not include data that is—
collected, processed, stored, or disclosed solely for the purpose of employment of an individual; and
lawfully made available to the public from Federal, State, or local government records.
The term covered entity—
means any entity that collects, processes, stores, or discloses covered data; and
does not include any entity that collects, processes, stores, or discloses covered data relating to fewer than 3,000 individuals and devices during any 12-month period.
The term disclose means taking any action with respect to covered data, including by automated means, to sell, share, provide, or otherwise transfer covered data to another entity, person, or the general public.
The term privacy risk means potential harm to an individual resulting from the collection, processing, storage, or disclosure of covered data, including—
direct or indirect financial loss;
stigmatization or reputational harm;
anxiety, embarrassment, fear, and other severe emotional trauma;
loss of economic opportunity; or
The term process means any operation or set of operations that is performed on covered data or on sets of covered data, including by automated means, including organizing, combining, adapting, altering, using, or transforming.
The term protected characteristic means an individual’s race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.
The term pseudonymous data means covered data that may only be linked to the identity of an individual or the identity of a device associated with an individual if combined with separate information.
The term reasonable interest means—
a compelling business, operational, administrative, legal, or educational justification for the collection, processing, storage, or disclosure of covered data exists;
the use of covered data is within the context of the relationship between the covered entity and the individual linked to the covered data; and
the interest does not subject the individual to an unreasonable privacy risk.
The term sensitive data means any covered data relating to—
the health, biologic, physiologic, biometric, sexual life, or genetic information of an individual; or
the precise geolocation information of a device associated with an individual.
The term store means any operation or set of operations to continue possession of covered data, including by automated means.
Third party service provider
The term third party service provider means any covered entity that collects, processes, stores, or discloses covered data at the direction of, and for the sole benefit of, another covered entity under a contract.
Modified definition by rulemaking
If the Commission determines that a term defined in paragraph (9) or (11) is not sufficient to protect an individual’s data privacy, the Commission may promulgate regulations under section 553 of title 5, United States Code, to modify the definition as the Commission considers appropriate.
Required privacy notice
Each covered entity shall post in an accessible location a notice that is concise, in context, in easily understandable language, accurate, clear, timely, updated, uses visualizations where appropriate, conspicuous, and free of charge regarding the covered entity’s privacy practices.
Contents of notice
The notice required by subsection (a) shall include—
a description of the covered data that the entity collects, processes, stores, and discloses, including the sources that provided the covered data if the covered entity did not collect the covered data;
the purposes for and means by which the entity collects, processes, and stores the covered data;
the persons and entities to whom, and purposes for which, the covered entity discloses the covered data; and
a conspicuous, clear, and understandable means for individuals to access the methods necessary to exercise their rights under sections 4 and 5.
Required data practices
Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, that require covered entities to implement, practice, and maintain certain data procedures and processes that meet the following requirements:
Minimum data processing requirements
Except as provided in subsection (b), require covered entities to meet all of the following requirements regarding the means by and purposes for which covered data is collected, processed, stored, and disclosed:
Except as provided in paragraph (3), covered data collection, processing, storage, and disclosure practices must meet a reasonable interest of the covered entity, including—
business, educational, and administrative operations that are relevant and appropriate to the context of the relationship between the covered entity and the individual linked to the covered data;
relevant and appropriate product and service development and enhancement;
preventing and detecting abuse, fraud, and other criminal activity;
reasonable communications and marketing practices that follow best practices, rules, and ethical standards;
engaging in scientific, medical, or statistical research that follows commonly accepted ethical standards; or
any other purpose that the Commission considers to be reasonable.
Covered data collection, processing, storage, and disclosure practices may not be for purposes that result in discrimination against a protected characteristic, including—
discriminatory targeted advertising practices;
price, service, or employment opportunity discrimination; or
any other practice the Commission considers likely to result in unfair discrimination against a protected characteristic.
Covered data collection, processing, storage, and disclosure practices may not be accomplished with means or for purposes that are deceptive, including—
the use of inconspicuous recording or tracking devices and methods;
the disclosure of covered data that a reasonable individual believes to be the content of a private communication with another party or parties;
notices, interfaces, or other representations likely to mislead consumers; or
any other practice that the Commission considers likely to mislead individuals regarding the purposes for and means by which covered data is collected, processed, stored, or disclosed.
Requirements for opt-out consent
Except as provided in subsection (b), require covered entities to provide individuals with conspicuous access to a method, in easily understandable language that is concise, accurate, and clear, to opt out of any collection, processing, storage, or disclosure of covered data linked to the individual.
Requirements for affirmative consent
Except as provided in subsection (b), require covered entities to provide individuals with a notice that is concise, in easily understandable language, accurate, clear, timely, and conspicuous to express affirmative, opt-in consent—
before the covered entity collects or discloses sensitive data linked to the individual; or
before the covered entity collects, processes, stores, or discloses data for purposes which are outside the context of the relationship of the covered entity with the individual linked to the data, including—
the use of covered data beyond what is necessary to provide, improve, or market a good or service that the individual requests;
any other purpose that the Commission considers outside of context.
Data minimization requirements
Except as provided in subsection (b), require covered entities to—
take reasonable measures to limit the collection, processing, storage, and disclosure of covered data to the amount that is necessary to carry out the purposes for which the data is collected; and
store covered data only as long as is reasonably necessary to carry out the purposes for which the data was collected.
Subsection (a) shall not apply if the limitations on the collection, processing, storage, or disclosure of covered data would—
inhibit detection or prevention of a security risk or incident;
risk the health, safety, or property of the covered entity or individual; or
prevent compliance with an applicable law (including regulations) or legal process.
Individual control over data use
Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require covered entities to provide a conspicuous, understandable, clear, and free of charge method to—
upon the request of an individual, provide the individual with access to, or an accurate representation of, covered data linked to the individual or the individual’s device stored by the covered entity;
upon the request of an individual, provide the individual with a means to dispute and resolve the accuracy or completeness of the covered data linked to the individual or the individual’s device stored by the entity;
upon the request of an individual, delete any covered data that the covered entity stores linked to the individual or the individual’s device; and
when technically feasible, upon the request of an individual, allow the individual to transmit or transfer covered data linked to the individual or the individual’s device that is maintained by the entity to the individual in a format that is standardized and interoperable.
If the covered data that an individual has requested be processed under subsection (a) is pseudonymous data, a covered entity may decline the request if processing the request is not technically feasible.
Timeliness of requests
In fulfilling any requests made by the individual under subsection (a) the covered entity shall act in as timely a manner as is reasonably possible.
Access to same service
A covered entity shall not discriminate against an individual because of any action the individual took under their rights described in subsection (a), including—
denying goods or services to the individual;
charging, or advertising, different prices or rates for goods or services; or
providing different quality of goods or services.
The Commission shall allow a covered entity, by contract, to provide relevant obligations to the individual under subsection (a) on behalf of a third party service provider that collects, processes, stores, or discloses covered data only on behalf of the covered entity.
Information security standards
Required data security practices
Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require covered entities to establish and implement policies and procedures regarding information security practices for the treatment and protection of covered data taking into consideration—
the level of identifiability of the covered data and the associated privacy risk;
the sensitivity of the covered data collected, processed, and stored and the associated privacy risk;
the currently available and widely accepted technological, administrative, and physical means to protect personal data under the control of the covered entity;
the cost associated with implementing, maintaining, and regularly reviewing the safeguards; and
the impact of these requirements on small and medium-sized businesses.
In promulgating the regulations required under this section, the Commission shall consider a covered entity that is in compliance with existing information security laws that the Commission determines are sufficiently rigorous to be in compliance with this section with respect to particular types of covered data, to the extent those types of covered data are covered by such law, including the following:
Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
The Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931).
The Health Insurance Portability and Accountability Act of 1996 Security Rule (45 CFR 160.103 and part 164).
Any other existing law requiring a covered entity to implement and maintain information security practices and procedures that the Commission determines to be sufficiently rigorous.
Privacy protection officers
Appointment of a privacy protection officer
Each covered entity with annual revenue in excess of $25,000,000 the prior year shall designate at least 1 appropriately qualified employee as a privacy protection officer who shall—
educate employees about compliance requirements;
train employees involved in data processing;
conduct regular, comprehensive audits to ensure compliance and make records of the audits available to enforcement authorities upon request;
maintain updated, clear, and understandable records of all data security practices undertaken by the covered entity;
serve as the point of contact between the covered entity and enforcement authorities; and
advocate for policies and practices within the covered entity that promote individual privacy.
The privacy protection officer shall not be dismissed or otherwise penalized by the covered entity for performing any of the tasks assigned to the person under this section.
Research into privacy enhancing technology
Section 4(a) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)) is amended—
by striking the subsection heading and inserting the following:
Network security and information privacy research grants
in paragraph (1), by striking subparagraph (D) and inserting the following:
privacy and confidentiality, including—
anti-spying and anti-tracking tools; and
any other technology that the Director determines will enhance individual privacy;
Enforcement by the Commission
Except as otherwise provided, this Act and the regulations prescribed under this Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Unfair or deceptive acts or practices
A violation of this Act or a regulation prescribed under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Actions by the Commission
Subject to paragraph (4), the Commission shall prevent any person from violating this Act or a regulation prescribed under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act or such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), and 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in paragraphs (1), (2), and (3) with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto.
Enforcement by State attorneys general
In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates this Act or a regulation prescribed under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—
enjoin that practice;
enforce compliance with this Act or such regulation;
obtain damages, restitution, or other compensation on behalf of residents of the State;
impose a civil penalty in an amount that is not greater than the product of the number of individuals whose information was affected by a violation and $40,000; or
obtain such other relief as the court may consider to be appropriate.
Adjustment for inflation
Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in subparagraph (A)(iv) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Commission—
written notice of that action; and
a copy of the complaint for that action.
Clause (i) shall not apply with respect to the filing of an action by an attorney general of a State under this paragraph if the attorney general determines that it is not feasible to provide the notice described in that clause before the filing of the action.
In an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
Rights of the Commission
Intervention by the Commission
The Commission may intervene in any civil action brought by the attorney general of a State under subsection (b) and upon intervening—
be heard on all matters arising in the civil action; and
file petitions for appeal of a decision in the civil action.
Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Action by the Commission
If the Commission institutes a civil action for violation of this title or a regulation promulgated under this title, no attorney general of a State may bring a civil action under subsection (b) against any defendant named in the complaint of the Commission for violation of this Act or a regulation promulgated under this Act that is alleged in the complaint.
Venue and service of process
Any action brought under subsection (b) may be brought in—
the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
another court of competent jurisdiction.
Service of process
In an action brought under subsection (b), process may be served in any district in which the defendant—
is an inhabitant; or
may be found.
Action of other State officials
In addition to civil actions brought by attorneys general under subsection (b), any other officer of a State who is authorized by the State to do so may bring a civil action under subsection (b), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.
Preservation of authority
Nothing in this Act shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.
Additional enforcement resources
Notwithstanding any other provision of law, the Commission may, without regard to the civil service laws (including regulations), appoint not more than 300 additional personnel for the purposes of enforcing privacy and data security laws and regulations.
Authorization of appropriations
There is authorized to be appropriated to the Commission such sums as may be necessary to carry out this section.