[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8818 Introduced in House (IH)]

118th CONGRESS
2d Session

H. R. 8818

To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

June 25, 2024

Mrs. Rodgers of Washington (for herself, Mr. Pallone, Mr. Bilirakis, and Ms. Schakowsky) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``American Privacy Rights Act of 2024''.
    (b) Table of Contents.--The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

TITLE I--AMERICAN PRIVACY RIGHTS

Sec. 101. Definitions.
Sec. 102. Data minimization.
Sec. 103. Privacy by design.
Sec. 104. Transparency.
Sec. 105. Individual control over covered data.
Sec. 106. Opt-out rights and universal mechanisms.
Sec. 107. Interference with consumer rights.
Sec. 108. Prohibition on denial of service and waiver of rights.
Sec. 109. Data security and protection of covered data.
Sec. 110. Executive responsibility.
Sec. 111. Service providers and third parties.
Sec. 112. Data brokers.
Sec. 113. Commission-approved compliance guidelines.
Sec. 114. Privacy-enhancing technology pilot program.
Sec. 115. Enforcement by Federal Trade Commission.
Sec. 116. Enforcement by States.
Sec. 117. Enforcement by persons.
Sec. 118. Relation to other laws.
Sec. 119. Children's Online Privacy Protection Act of 1998.
Sec. 120. Data protections for covered minors.
Sec. 121. Termination of FTC rulemaking on commercial surveillance and data security.
Sec. 122. Severability.
Sec. 123. Innovation rulemakings.
Sec. 124. Effective date.

TITLE II--CHILDREN'S ONLINE PRIVACY PROTECTION ACT 2.0

Sec. 201. Short title.
Sec. 202. Online collection, use, disclosure, and deletion of personal information of children.
Sec. 203. Study and reports on mobile and online application oversight and enforcement.
Sec. 204. Severability.

TITLE I--AMERICAN PRIVACY RIGHTS

SEC. 101. DEFINITIONS.

    In this title:
        (1) Affirmative express consent.--
            (A) In general.--The term ``affirmative express consent'' means an affirmative act by an individual that--
                (i) clearly communicates the authorization of the individual for an act or practice; and
                (ii) is provided in response to a specific request from a covered entity, or a service provider on behalf of a covered entity, that meets the requirements of subparagraph (B).
            (B) Request requirements.--The requirements of this subparagraph with respect to a request are the following:
                (i) The request is provided to the individual in a clear and conspicuous standalone disclosure.
                (ii) The request includes a description of each act or practice for which the consent of the individual is sought and--
                    (I) clearly distinguishes between an act or practice that is necessary, proportionate, and limited to fulfill a request of the individual and an act or practice that is for another purpose;
                    (II) clearly states the specific categories of covered data that the covered entity shall collect, process, retain, or transfer under each such act or practice; and
                    (III) is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand each such act or practice.
                (iii) The request clearly explains the applicable rights of the individual related to consent.
                (iv) The request is made in a manner reasonably accessible to and usable by individuals living with disabilities.
                (v) The request is made available to the individual in the language in which the covered entity provides a product or service for which authorization is sought.
                (vi) The option to refuse consent is at least as prominent as the option to provide consent, and the option to refuse consent takes no more than 1 additional step as compared to the number of steps necessary to provide consent.
                (vii) With respect to affirmative express consent sought for the collection, processing, retention, or transfer of biometric information or genetic information, the request includes the length of time the covered entity or service provider intends to retain the biometric information or genetic information or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain the biometric information or genetic information.
            (C) Express consent required.--Affirmative express consent to an act or practice may not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by an entity.
            (D) Withdrawal of affirmative express consent.--
                (i) In general.--A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual.
                (ii) Requirements.--The means to withdraw affirmative express consent described in clause (i) shall be--
                    (I) clear and conspicuous; and
                    (II) as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.
            (E) Children and teens.--If a covered entity has knowledge that--
                (i) an individual is a child, only a parent of the child may provide affirmative express consent on behalf of the child; or
                (ii) an individual is a teen, a parent or the teen may provide affirmative express consent on behalf of the teen.
        (2) Biometric information.--
            (A) In general.--The term ``biometric information'' means any covered data that allows or confirms the unique identification or verification of an individual and is generated from the measurement or processing of unique biological, physical, or physiological characteristics, including--
                (i) fingerprints;
                (ii) voice prints;
                (iii) iris or retina imagery scans;
                (iv) facial or hand mapping, geometry, or templates; and
                (v) gait.
            (B) Exclusion.--The term ``biometric information'' does not include--
                (i) a digital or physical photograph;
                (ii) an audio or video recording; or
                (iii) data derived from a digital or physical photograph or an audio or video recording that cannot be used to identify or authenticate a specific individual.
        (3) Child.--The term ``child'' means an individual under the age of 13.
        (4) Clear and conspicuous.--The term ``clear and conspicuous'' means, with respect to a disclosure, that the disclosure is difficult to miss and easily understandable by ordinary consumers.
        (5) Coarse geolocation information.--The term ``coarse geolocation information'' means information that reveals the present physical location of an individual or device identified by a unique persistent identifier at the ZIP Code attribution level (except, if a geographic area attributed to a ZIP Code is equal to or less than the area of a circle with a radius of 1,850 feet or less, at a level greater than a geographic area equal to the area of a circle with a radius of 1,850 feet).
        (6) Collect.--The term ``collect'' means, with respect to covered data, to buy, rent, gather, obtain, receive, access, or otherwise acquire the covered data by any means.
        (7) Commission.--The term ``Commission'' means the Federal Trade Commission.
        (8) Common branding.--The term ``common branding'' means a name, service mark, or trademark that is shared by 2 or more entities.
        (9) Connected device.--The term ``connected device'' means a device that is capable of connecting to the internet.
        (10) Contextual advertising.--The term ``contextual advertising'' means displaying or presenting an advertisement that--
            (A) does not vary based on the identity of the individual recipient; and
            (B) is based solely on--
                (i) the content of a webpage or online service;
                (ii) a specific request of the individual for information or feedback; or
                (iii) coarse geolocation information.
        (11) Control.--The term ``control'' means, with respect to an entity--
            (A) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;
            (B) control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or
            (C) the power to exercise a controlling influence over the management of the entity.
        (12) Covered data.--
            (A) In general.--The term ``covered data'' means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.
            (B) Exclusions.--The term ``covered data'' does not include--
                (i) de-identified data;
                (ii) employee information;
                (iii) publicly available information;
                (iv) inferences made exclusively from multiple independent sources of publicly available information, if such inferences--
                    (I) do not reveal information about an individual that meets the definition of the term ``sensitive covered data'' with respect to the individual; and
                    (II) are not combined with covered data;
                (v) information in the collection of a library, archive, or museum, if--
                    (I) the collection is--
                        (aa) open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum; and
                        (bb) composed of lawfully acquired materials with respect to which all licensing conditions are met; and
                    (II) the library, archive, or museum has--
                        (aa) a public service mission; and
                        (bb) trained staff or volunteers to provide professional services normally associated with libraries, archives, or museums; or
                (vi) on-device data.
        (13) Covered entity.--
            (A) In general.--The term ``covered entity'' means any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and--
                (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.);
                (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.); or
                (iii) is an organization not organized to carry on business for its own profit or that of its members.
            (B) Inclusion.--The term ``covered entity'' includes any entity that controls, is controlled by, or is under common control with another covered entity.
            (C) Exclusions.--The term ``covered entity'' does not include--
                (i) a Federal, State, Tribal, or local government entity, such as a body, authority, board, bureau, commission, district, agency, or other political subdivision of the Federal Government or a State, Tribal, or local government;
                (ii) an entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, or local government entity, to the extent that such entity is acting as a service provider to the government entity;
                (iii) a small business;
                (iv) an individual acting at their own direction and in a non-commercial context;
                (v) the National Center for Missing and Exploited Children; or
                (vi) except with respect to requirements under section 109, a nonprofit organization whose primary mission is to prevent, investigate, or deter fraud, to train anti-fraud professionals, or to educate the public about fraud, including insurance fraud, securities fraud, and financial fraud, to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission.
            (D) Nonapplication to service providers.--An entity may not be considered to be a ``covered entity'' for the purposes of this title, insofar as the entity is acting as a service provider.
        (14) Covered high-impact social media company.--
            (A) In general.--The term ``covered high-impact social media company'' means a covered entity that provides any internet-accessible platform that--
                (i) generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity;
                (ii) has 300,000,000 or more global monthly active users for not fewer than 3 of the preceding 12 months; and
                (iii) constitutes an online product or service that is primarily used by users to access or share user-generated content.
            (B) Treatment of certain services and applications.--A service or application may not be considered to constitute an online product or service described in subparagraph (A)(iii) solely on the basis of providing any of the following:
                (i) Email.
                (ii) Career or professional development networking opportunities.
                (iii) Reviews of products, services, events, or destinations.
                (iv) A platform for use in a public or