[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 3337 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
1st Session
S. 3337
To establish national data privacy standards in the United States, and
for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 15, 2023
Ms. Cortez Masto introduced the following bill; which was read twice
and referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To establish national data privacy standards in the United States, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Digital Accountability and
Transparency to Advance Privacy Act'' or the ``DATA Privacy Act''.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Collect.--The term ``collect'' means taking any
operation or set of operations to obtain covered data,
including by automated means, including purchasing, leasing,
assembling, recording, gathering, acquiring, or procuring.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Covered data.--The term ``covered data''--
(A) means any information that is--
(i) collected, processed, stored, or
disclosed by a covered entity;
(ii) collected over the internet or other
digital network; and
(iii)(I) linked to an individual or device
associated with an individual; or
(II) practicably linkable to an individual
or device associated with an individual,
including by combination with separate
information, by the covered entity or any
potential recipient of the data; and
(B) does not include data that is--
(i) collected, processed, stored, or
disclosed solely for the purpose of employment
of an individual; or
(ii) lawfully made available to the public
from Federal, State, or local government
records.
(4) Covered entity.--The term ``covered entity''--
(A) means any entity that collects, processes,
stores, or discloses covered data; and
(B) does not include any entity that collects,
processes, stores, or discloses covered data relating
to fewer than 50,000 individuals and devices during any
12-month period.
(5) Disclose.--The term ``disclose'' means taking any
action with respect to covered data, including by automated
means, to sell, share, provide, or otherwise transfer covered
data to another entity, person, or the general public.
(6) Privacy enhancing technology.--The term ``privacy
enhancing technology'' means any--
(A) software solution, technical processes, or
other technological means of enhancing the privacy and
confidentiality of an individual's covered data in data
or sets of data; or
(B) de-identification, anonymization, or
pseudonymization technologies or techniques, filtering
tools, anti-tracking technology, differential privacy
tools, synthetic data generation tools, cryptographic
techniques (such as secure multi-party computation and
homomorphic encryption), or systems for federated
learning.
(7) Privacy risk.--The term ``privacy risk'' means
potential harm to an individual resulting from the collection,
processing, storage, or disclosure of covered data, including--
(A) direct or indirect financial loss;
(B) stigmatization or reputational harm;
(C) anxiety, embarrassment, fear, and other severe
emotional trauma;
(D) loss of economic opportunity; or
(E) physical harm.
(8) Process.--The term ``process'' means any operation or
set of operations that is performed on covered data or on sets
of covered data, including by automated means, including
organizing, combining, adapting, altering, using, or
transforming.
(9) Protected characteristic.--The term ``protected
characteristic'' means an individual's race, sex, gender,
sexual orientation, nationality, religious belief, age, or
disability status.
(10) Pseudonymous data.--The term ``pseudonymous data''
means covered data that may only be linked to the identity of
an individual or the identity of a device associated with an
individual if combined with separate information.
(11) Reasonable interest.--The term ``reasonable interest''
means--
(A) a compelling business, operational,
administrative, legal, or educational justification for
the collection, processing, storage, or disclosure of
covered data exists; and
(B) the interest does not subject the individual
linked to the covered data to an unreasonable privacy
risk.
(12) Sensitive data.--The term ``sensitive data'' means any
covered data relating to--
(A) the health, biologic, physiologic, biometric,
sexual life, or genetic information of an individual;
or
(B) the precise geolocation information of a device
associated with an individual.
(13) Store.--The term ``store'' means any operation or set
of operations to continue possession of covered data, including
by automated means.
(14) Third party service provider.--The term ``third party
service provider'' means any covered entity that collects,
processes, stores, or discloses covered data at the direction
of, and for the sole benefit of, another covered entity under a
contract.
(b) Modified Definition by Rulemaking.--If the Commission
determines that a term defined in paragraph (10) or (12) is not
sufficient to protect an individual's data privacy, the Commission may
promulgate regulations under section 553 of title 5, United States
Code, to modify the definition as the Commission considers appropriate.
SEC. 3. REQUIRED PRIVACY NOTICE.
(a) Privacy Notice.--Each covered entity shall post in an
accessible location a notice that is concise, in context, in easily
understandable language, accurate, clear, timely, updated, uses
visualizations where appropriate, conspicuous, and free of charge
regarding the covered entity's privacy practices.
(b) Contents of Notice.--The notice required by subsection (a)
shall include--
(1) a description of the covered data that the entity
collects, processes, stores, and discloses, including the
sources that provided the covered data if the covered entity
did not collect the covered data from the individual;
(2) the purposes for and means by which the entity
collects, processes, and stores the covered data;
(3) the persons and entities to whom, and purposes for
which, the covered entity discloses the covered data; and
(4) a conspicuous, clear, and understandable means for
individuals to access the methods necessary to exercise their
rights under sections 4 and 5.
SEC. 4. REQUIRED DATA PRACTICES.
(a) Regulations.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate regulations
under section 553 of title 5, United States Code, that require covered
entities to implement, practice, and maintain certain data procedures
and processes that meet the following requirements:
(1) Minimum data processing requirements.--Except as
provided in subsection (b), require covered entities to meet
all of the following requirements regarding the means by and
purposes for which covered data is collected, processed,
stored, and disclosed:
(A) Reasonable.--
(i) In general.--Except as provided in
paragraph (3), covered data collection,
processing, storage, and disclosure practices
must meet a reasonable interest of the covered
entity, including--
(I) business, educational, and
administrative operations that are
relevant and appropriate to the context
of the relationship between the covered
entity and the individual linked to the
covered data;
(II) relevant and appropriate
product and service development and
enhancement;
(III) preventing and detecting
abuse, fraud, and other criminal
activity;
(IV) reasonable communications and
marketing practices that follow best
practices, rules, and ethical
standards;
(V) engaging in scientific,
medical, or statistical research that
follows commonly accepted ethical
standards; or
(VI) any other purpose for which
the Commission considers to be
reasonable.
(ii) Considerations.--In promulgating
regulations in accordance with this
subparagraph, the Commission shall consider--
(I) the role of impact assessments
in determining the privacy risk for
high risk processing;
(II) the sensitivity of the covered
data; and
(III) the impact of such
regulations on small business.
(B) Equitable.--
(i) In general.--Covered data collection,
processing, storage, and disclosure practices
may not be for purposes that result in
discrimination against a protected
characteristic, including--
(I) discriminatory targeted
advertising practices;
(II) price, service, or employment
opportunity discrimination; or
(III) any other practice the
Commission considers likely to result
in discrimination against a protected
characteristic.
(ii) Considerations.--In promulgating
regulations in accordance with this
subparagraph, the Commission shall consider--
(I) established civil rights laws,
common law, and existing relevant
consent decrees;
(II) the existing economic models
and technology available in the digital
advertising system;
(III) the role of algorithms and
impact assessments; and
(IV) the impact of such regulations
on small businesses.
(C) Forthright.--
(i) In general.--Covered data collection,
processing, storage, and disclosure practices
may not be accomplished with means or for
purposes that are deceptive, including--
(I) the use of inconspicuous
recording or tracking devices and
methods;
(II) the disclosure of covered data
that a reasonable individual believes
to be the content of a private
communication with another party or
parties;
(III) notices, interfaces, or other
representations likely to mislead
consumers; or
(IV) any other practice that the
Commission considers likely to mislead
individuals regarding the purposes for
and means by which covered data is
collected, processed, stored, or
disclosed.
(ii) Considerations.--In promulgating
regulations in accordance with this
subparagraph, the Commission shall consider--
(I) existing relevant consent
decrees;
(II) the reasonable expectations of
consumers;
(III) research on deceptive
practices;
(IV) the role of deceptive user
interfaces; and
(V) the impact of such regulations
on small businesses.
(2) Requirements for opt-out consent.--Except as provided
in subsection (b), require covered entities to provide
individuals with conspicuous access to a method that is in
easily understandable language, concise, accurate, clear, to
opt-out of any collection, processing, storage, or disclosure
of covered data linked to the individual.
(3) Requirements for affirmative consent.--Except as
provided in subsection (b), require covered entities to provide
individuals with a notice that is concise, in easily
understandable language, accurate, clear, timely, and
conspicuous to express affirmative, opt in consent--
(A) before the covered entity collects or discloses
sensitive data linked to the individual; or
(B) before the covered entity collects, processes,
stores, or discloses data for purposes which are
outside the context of the relationship of the covered
entity with the individual linked to the data,
including--
(i) the use of covered data beyond what is
necessary to provide, improve, or market a good
or service that the individual requests;
(ii) the processing or disclosure of
covered data differs in material ways from the
purposes described in the privacy policy that
was in effect when the data was collected;
(iii) any other purpose that the Commission
considers outside of context.
(4) Data minimization requirements.--Except as provided in
subsection (b), require covered entities to--
(A) take reasonable measures to limit the
collection, processing, storage, and disclosure of
covered data to the amount that is necessary to carry
out the purposes for which the data is collected; and
(B) store covered data only as long as is
reasonably necessary to carry out the purposes for
which the data was collected.
(b) Exemptions.--Subsection (a) shall not apply if the limitations
on the collection, processing, storage, or disclosure of covered data
would--
(1) inhibit detection or prevention of a security risk or
incident;
(2) risk the health, safety, or property of the covered
entity or individual; or
(3) prevent compliance with an applicable law (including
regulations) or legal process.
SEC. 5. INDIVIDUAL CONTROL OVER DATA USE.
(a) Regulations.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate regulations
under section 553 of title 5, United States Code, to require covered
entities to provide conspicuous, understandable, clear, and free of
charge method to--
(1) upon the request of an individual, provide the
individual with access to, or an accurate representation of,
covered data linked to the individual or the individual's
device stored by the covered entity;
(2) upon the request of an individual, provide the
individual with a means to dispute and resolve the accuracy or
completeness of the covered data linked to the individual or
the individual's device stored by the entity;
(3) upon the request of an individual, delete any covered
data that the covered entity stores linked to the individual or
the individual's device; and
(4) when technically feasible, upon the request of an
individual, allow the individual to transmit or transfer
covered data linked to the individual or the individual's
device that is maintained by the entity to the individual in a
format that is standardized and interoperable.
(b) Pseudonymous Data.--If the covered data that an individual has
requested processed under subsection (a) is pseudonymous data, a
covered entity may decline the request if processing the request is not
technically feasible.
(c) Timeliness of Requests.--In fulfilling any requests made by the
individual under subsection (a) the covered entity shall act in as
timely a manner as is reasonably possible.
(d) Access to Same Servi