[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8818 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 8818
To provide Americans with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement, and
for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 25, 2024
Mrs. Rodgers of Washington (for herself, Mr. Pallone, Mr. Bilirakis,
and Ms. Schakowsky) introduced the following bill; which was referred
to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To provide Americans with foundational data privacy rights, create
strong oversight mechanisms, and establish meaningful enforcement, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``American Privacy
Rights Act of 2024''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--AMERICAN PRIVACY RIGHTS
Sec. 101. Definitions.
Sec. 102. Data minimization.
Sec. 103. Privacy by design.
Sec. 104. Transparency.
Sec. 105. Individual control over covered data.
Sec. 106. Opt-out rights and universal mechanisms.
Sec. 107. Interference with consumer rights.
Sec. 108. Prohibition on denial of service and waiver of rights.
Sec. 109. Data security and protection of covered data.
Sec. 110. Executive responsibility.
Sec. 111. Service providers and third parties.
Sec. 112. Data brokers.
Sec. 113. Commission-approved compliance guidelines.
Sec. 114. Privacy-enhancing technology pilot program.
Sec. 115. Enforcement by Federal Trade Commission.
Sec. 116. Enforcement by States.
Sec. 117. Enforcement by persons.
Sec. 118. Relation to other laws.
Sec. 119. Children's Online Privacy Protection Act of 1998.
Sec. 120. Data protections for covered minors.
Sec. 121. Termination of FTC rulemaking on commercial surveillance and
data security.
Sec. 122. Severability.
Sec. 123. Innovation rulemakings.
Sec. 124. Effective date.
TITLE II--CHILDREN'S ONLINE PRIVACY PROTECTION ACT 2.0
Sec. 201. Short title.
Sec. 202. Online collection, use, disclosure, and deletion of personal
information of children.
Sec. 203. Study and reports on mobile and online application oversight
and enforcement.
Sec. 204. Severability.
TITLE I--AMERICAN PRIVACY RIGHTS
SEC. 101. DEFINITIONS.
In this title:
(1) Affirmative express consent.--
(A) In general.--The term ``affirmative express
consent'' means an affirmative act by an individual
that--
(i) clearly communicates the authorization
of the individual for an act or practice; and
(ii) is provided in response to a specific
request from a covered entity, or a service
provider on behalf of a covered entity, that
meets the requirements of subparagraph (B).
(B) Request requirements.--The requirements of this
subparagraph with respect to a request are the
following:
(i) The request is provided to the
individual in a clear and conspicuous
standalone disclosure.
(ii) The request includes a description of
each act or practice for which the consent of
the individual is sought and--
(I) clearly distinguishes between
an act or practice that is necessary,
proportionate, and limited to fulfill a
request of the individual and an act or
practice that is for another purpose;
(II) clearly states the specific
categories of covered data that the
covered entity shall collect, process,
retain, or transfer under each such act
or practice; and
(III) is written in easy-to-understand
language and includes a
prominent heading that would enable a
reasonable individual to identify and
understand each such act or practice.
(iii) The request clearly explains the
applicable rights of the individual related to
consent.
(iv) The request is made in a manner
reasonably accessible to and usable by
individuals living with disabilities.
(v) The request is made available to the
individual in the language in which the covered
entity provides a product or service for which
authorization is sought.
(vi) The option to refuse consent is at
least as prominent as the option to provide
consent, and the option to refuse consent takes
no more than 1 additional step as compared to
the number of steps necessary to provide
consent.
(vii) With respect to affirmative express
consent sought for the collection, processing,
retention, or transfer of biometric information
or genetic information, the request includes
the length of time the covered entity or
service provider intends to retain the
biometric information or genetic information
or, if it is not possible to identify the
length of time, the criteria used to determine
the length of time the covered entity or
service provider intends to retain the
biometric information or genetic information.
(C) Express consent required.--Affirmative express
consent to an act or practice may not be inferred from
the inaction of an individual or the continued use by
an individual of a service or product provided by an
entity.
(D) Withdrawal of affirmative express consent.--
(i) In general.--A covered entity shall
provide an individual with a means to withdraw
affirmative express consent previously provided
by the individual.
(ii) Requirements.--The means to withdraw
affirmative express consent described in clause
(i) shall be--
(I) clear and conspicuous; and
(II) as easy for a reasonable
individual to use as the mechanism by
which the individual provided
affirmative express consent.
(E) Children and teens.--If a covered entity has
knowledge that--
(i) an individual is a child, only a parent
of the child may provide affirmative express
consent on behalf of the child; or
(ii) an individual is a teen, a parent or
the teen may provide affirmative express
consent on behalf of the teen.
(2) Biometric information.--
(A) In general.--The term ``biometric information''
means any covered data that allows or confirms the
unique identification or verification of an individual
and is generated from the measurement or processing of
unique biological, physical, or physiological
characteristics, including--
(i) fingerprints;
(ii) voice prints;
(iii) iris or retina imagery scans;
(iv) facial or hand mapping, geometry, or
templates; and
(v) gait.
(B) Exclusion.--The term ``biometric information''
does not include--
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data derived from a digital or
physical photograph or an audio or video
recording that cannot be used to identify or
authenticate a specific individual.
(3) Child.--The term ``child'' means an individual under
the age of 13.
(4) Clear and conspicuous.--The term ``clear and
conspicuous'' means, with respect to a disclosure, that the
disclosure is difficult to miss and easily understandable by
ordinary consumers.
(5) Coarse geolocation information.--The term ``coarse
geolocation information'' means information that reveals the
present physical location of an individual or device identified
by a unique persistent identifier at the ZIP Code attribution
level (except, if a geographic area attributed to a ZIP Code is
equal to or less than the area of a circle with a radius of
1,850 feet or less, at a level greater than a geographic area
equal to the area of a circle with a radius of 1,850 feet).
(6) Collect.--The term ``collect'' means, with respect to
covered data, to buy, rent, gather, obtain, receive, access, or
otherwise acquire the covered data by any means.
(7) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(8) Common branding.--The term ``common branding'' means a
name, service mark, or trademark that is shared by 2 or more
entities.
(9) Connected device.--The term ``connected device'' means
a device that is capable of connecting to the internet.
(10) Contextual advertising.--The term ``contextual
advertising'' means displaying or presenting an advertisement
that--
(A) does not vary based on the identity of the
individual recipient; and
(B) is based solely on--
(i) the content of a webpage or online
service;
(ii) a specific request of the individual
for information or feedback; or
(iii) coarse geolocation information.
(11) Control.--The term ``control'' means, with respect to
an entity--
(A) ownership of, or the power to vote, more than
50 percent of the outstanding shares of any class of
voting security of the entity;
(B) control over the election of a majority of the
directors of the entity (or of individuals exercising
similar functions); or
(C) the power to exercise a controlling influence
over the management of the entity.
(12) Covered data.--
(A) In general.--The term ``covered data'' means
information that identifies or is linked or reasonably
linkable, alone or in combination with other
information, to an individual or a device that
identifies or is linked or reasonably linkable to 1 or
more individuals.
(B) Exclusions.--The term ``covered data'' does not
include--
(i) de-identified data;
(ii) employee information;
(iii) publicly available information;
(iv) inferences made exclusively from
multiple independent sources of publicly
available information, if such inferences--
(I) do not reveal information about
an individual that meets the definition
of the term ``sensitive covered data''
with respect to the individual; and
(II) are not combined with covered
data;
(v) information in the collection of a
library, archive, or museum, if--
(I) the collection is--
(aa) open to the public or
routinely made available to
researchers who are not
affiliated with the library,
archive, or museum; and
(bb) composed of lawfully
acquired materials with respect
to which all licensing
conditions are met; and
(II) the library, archive, or
museum has--
(aa) a public service
mission; and
(bb) trained staff or
volunteers to provide
professional services normally
associated with libraries,
archives, or museums; or
(vi) on-device data.
(13) Covered entity.--
(A) In general.--The term ``covered entity'' means
any entity that, alone or jointly with others,
determines the purposes and means of collecting,
processing, retaining, or transferring covered data
and--
(i) is subject to the Federal Trade
Commission Act (15 U.S.C. 41 et seq.);
(ii) is a common carrier subject to title
II of the Communications Act of 1934 (47 U.S.C.
201 et seq.); or
(iii) is an organization not organized to
carry on business for its own profit or that of
its members.
(B) Inclusion.--The term ``covered entity''
includes any entity that controls, is controlled by, or
is under common control with another covered entity.
(C) Exclusions.--The term ``covered entity'' does
not include--
(i) a Federal, State, Tribal, or local
government entity, such as a body, authority,
board, bureau, commission, district, agency, or
other political subdivision of the Federal
Government or a State, Tribal, or local
government;
(ii) an entity that is collecting,
processing, retaining, or transferring covered
data on behalf of a Federal, State, Tribal, or
local government entity, to the extent that
such entity is acting as a service provider to
the government entity;
(iii) a small business;
(iv) an individual acting at their own
direction and in a non-commercial context;
(v) the National Center for Missing and
Exploited Children; or
(vi) except with respect to requirements
under section 109, a nonprofit organization
whose primary mission is to prevent,
investigate, or deter fraud, to train
anti-fraud professionals, or to educate the public
about fraud, including insurance fraud,
securities fraud, and financial fraud, to the
extent the organization collects, processes,
retains, or transfers covered data in
furtherance of such primary mission.
(D) Nonapplication to service providers.--An entity
may not be considered to be a ``covered entity'' for
the purposes of this title, insofar as the entity is
acting as a service provider.
(14) Covered high-impact social media company.--
(A) In general.--The term ``covered high-impact
social media company'' means a covered entity that
provides any internet-accessible platform that--
(i) generates $3,000,000,000 or more in
global annual revenue, including the revenue
generated by any affiliate of such covered
entity;
(ii) has 300,000,000 or more global monthly
active users for not fewer than 3 of the
preceding 12 months; and
(iii) constitutes an online product or
service that is primarily used by users to
access or share user-generated content.
(B) Treatment of certain services and
applications.--A service or application may not be
considered to constitute an online product or service
described in subparagraph (A)(iii) solely on the basis
of providing any of the following:
(i) Email.
(ii) Career or professional development
networking opportunities.
(iii) Reviews of products, services,
events, or destinations.
(iv) A platform for use in a public or