This document provides a section by section summary of proposed legislation called the American Data Privacy and Protection Act. Some key points:
- It would establish definitions for terms like "covered entity", "covered data", and "sensitive covered data". Covered entities would include companies that collect or process personal data.
- It outlines various individual rights for access, correction, deletion and data portability of personal data. Covered entities would need to provide transparency into their data practices and privacy policies.
- It establishes duties for covered entities around data minimization, security, and "privacy by design". It restricts certain uses of sensitive data and requires consent for things like targeted advertising.
- It addresses issues like third
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...Dr. Oliver Massmann
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...Dr. Oliver Massmann
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING
With the submission of SriKrishna Committee report on data protection, the final countdown for India’s own Data Protection Regime has finally begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of Data Protection Bill 2018- To protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Asia Counsel Vietnam summarises the long awaited Decree 13 on data protection. We provide useful steps to get prepared and comply with the new provisions which will take effect on 1 July 2023.
Discussing about privacy related issues in the areas of Financial Data, Health Information and Children’s Personal Data with identifying regulations in USA and EU. Also it focus on Fair Information Practices.
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
How GDPR works : companies will be expected to be
fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
The Data Protection Act 2019, was enacted on November 8th, 2019, ushering a new era of accountability and responsibility with regard to processing of personal data and information. Naturally, there has been a resurrection of the chatter around data protection in increasingly data-driven social and economic settings. The question on everyone’s mind being what does this mean for me?
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
With the submission of SriKrishna Committee report on data protection, the final countdown for India’s own Data Protection Regime has finally begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of Data Protection Bill 2018- To protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Asia Counsel Vietnam summarises the long awaited Decree 13 on data protection. We provide useful steps to get prepared and comply with the new provisions which will take effect on 1 July 2023.
Discussing about privacy related issues in the areas of Financial Data, Health Information and Children’s Personal Data with identifying regulations in USA and EU. Also it focus on Fair Information Practices.
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
How GDPR works : companies will be expected to be
fully compliant from 25 May 2018. The regulation
is intended to establish one single set of data
protection rules across Europe
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
The Data Protection Act 2019, was enacted on November 8th, 2019, ushering a new era of accountability and responsibility with regard to processing of personal data and information. Naturally, there has been a resurrection of the chatter around data protection in increasingly data-driven social and economic settings. The question on everyone’s mind being what does this mean for me?
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
Frequently Asked Questions on the judgment of the Court
of Justice of the European Union in Case C-311/18 - Data
Protection Commissioner v Facebook Ireland Ltd and
Maximillian Schrems
A 53-count third-superseding indictment (the “Indictment”) was unsealed today in federal court in Brooklyn charging sports marketing executives Hernan Lopez and Carlos Martinez, formerly of 21st Century Fox, Inc. (“Fox”); Gerard Romy, former co-CEO of Spanish media company Imagina Media Audiovisual SL (“Imagina”); and Uruguayan sports marketing company Full Play Group S.A. (“Full Play”) (collectively, the “New Defendants”) with wire fraud, money laundering and related offenses – including, as to Romy and Full Play, racketeering conspiracy – in connection with the government’s long-running investigation and prosecution of corruption in organized soccer.
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselThomas (Tom) Jasper
Military Commissions Trial Judiciary, Guantanamo Bay, Cuba. Notice of the Chief Defense Counsel's detailing of LtCol Thomas F. Jasper, Jr. USMC, as Detailed Defense Counsel for Abd Al Hadi Al-Iraqi on 6 August 2014 in the case of United States v. Hadi al Iraqi (10026)
DNA Testing in Civil and Criminal Matters.pptxpatrons legal
Get insights into DNA testing and its application in civil and criminal matters. Find out how it contributes to fair and accurate legal proceedings. For more information: https://www.patronslegal.com/criminal-litigation.html
Introducing New Government Regulation on Toll Road.pdfAHRP Law Firm
For nearly two decades, Government Regulation Number 15 of 2005 on Toll Roads ("GR No. 15/2005") has served as the cornerstone of toll road legislation. However, with the emergence of various new developments and legal requirements, the Government has enacted Government Regulation Number 23 of 2024 on Toll Roads to replace GR No. 15/2005. This new regulation introduces several provisions impacting toll business entities and toll road users. Find out more out insights about this topic in our Legal Brief publication.
ALL EYES ON RAFAH BUT WHY Explain more.pdf46adnanshahzad
All eyes on Rafah: But why?. The Rafah border crossing, a crucial point between Egypt and the Gaza Strip, often finds itself at the center of global attention. As we explore the significance of Rafah, we’ll uncover why all eyes are on Rafah and the complexities surrounding this pivotal region.
INTRODUCTION
What makes Rafah so significant that it captures global attention? The phrase ‘All eyes are on Rafah’ resonates not just with those in the region but with people worldwide who recognize its strategic, humanitarian, and political importance. In this guide, we will delve into the factors that make Rafah a focal point for international interest, examining its historical context, humanitarian challenges, and political dimensions.
In 2020, the Ministry of Home Affairs established a committee led by Prof. (Dr.) Ranbir Singh, former Vice Chancellor of National Law University (NLU), Delhi. This committee was tasked with reviewing the three codes of criminal law. The primary objective of the committee was to propose comprehensive reforms to the country’s criminal laws in a manner that is both principled and effective.
The committee’s focus was on ensuring the safety and security of individuals, communities, and the nation as a whole. Throughout its deliberations, the committee aimed to uphold constitutional values such as justice, dignity, and the intrinsic value of each individual. Their goal was to recommend amendments to the criminal laws that align with these values and priorities.
Subsequently, in February, the committee successfully submitted its recommendations regarding amendments to the criminal law. These recommendations are intended to serve as a foundation for enhancing the current legal framework, promoting safety and security, and upholding the constitutional principles of justice, dignity, and the inherent worth of every individual.
How to Obtain Permanent Residency in the NetherlandsBridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxanvithaav
These slides helps the student of international law to understand what is the nature of international law? and how international law was originated and developed?.
The slides was well structured along with the highlighted points for better understanding .
ASHWINI KUMAR UPADHYAY v/s Union of India.pptxshweeta209
transfer of the P.I.L filed by lawyer Ashwini Kumar Upadhyay in Delhi High Court to Supreme Court.
on the issue of UNIFORM MARRIAGE AGE of men and women.
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxOmGod1
Victims of crime have a range of rights designed to ensure their protection, support, and participation in the justice system. These rights include the right to be treated with dignity and respect, the right to be informed about the progress of their case, and the right to be heard during legal proceedings. Victims are entitled to protection from intimidation and harm, access to support services such as counseling and medical care, and the right to restitution from the offender. Additionally, many jurisdictions provide victims with the right to participate in parole hearings and the right to privacy to protect their personal information from public disclosure. These rights aim to acknowledge the impact of crime on victims and to provide them with the necessary resources and involvement in the judicial process.
Car Accident Injury Do I Have a Case....Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
1. 1
American Data Privacy and Protection Act Draft Legislation
Section by Section Summary
Section 1. Short Title; Table of Contents.
The title of the Act will be the “American Data Privacy and Protection Act.”
Section 2. Definitions.
The Act defines “covered entity” to include any entity that collects, processes, or transfers
covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including
nonprofits, and telecommunications common carriers. “Covered data” is defined as information
identifying, linked, or reasonably linkable to an individual or device linkable to an individual.
This includes derived data and unique identifiers, but does not include de-identified data,
employee data, or publicly available information (each of which is separately defined).
“Sensitive covered data” is also defined and subject to heightened requirements. Any
information related to individuals under 17 is sensitive. Sensitive covered data also includes
government-issued identifiers not required to be displayed in public such as social security and
passport numbers; past, present, and future health, diagnosis, disability, or treatment information;
financial account, debit card, and credit card numbers along with any access code, password, or
credentials; biometric information; genetic information; past or present precise geolocation
information; private communications such as voicemail, email, text or information identifying
parties to communications; any account or device log-in credentials; information revealing race,
ethnicity, national origin, religion, union membership status, sexual orientation, or sexual
behavior that violates an individual’s reasonable expectations on disclosure; information
revealing online activities over time and across third party online services; calendar, address
book, phone, text, photos, audio and video recordings maintained for private use on a device;
photos or videos of naked or undergarment-clad private areas; and information revealing
individuals access to or viewing of TV, cable, or streaming media services.
Any other covered data collected, processed, or transferred for the purpose of identifying
sensitive covered data is also considered sensitive. The FTC is granted rulemaking authority
under the Administrative Procedure Act (APA) to include additional categories of covered data
within the sensitive covered data definition where those categories require similar protection as a
result of new methods for collecting or processing covered data.
“Biometric information” and “genetic information” are each specifically defined.
“Third-party collecting entities” (commonly referred to as data brokers or information brokers),
“service providers”, and “third parties” are all defined subsets of covered entities. “Large Data
Holders” are covered entities with gross revenues above $250 million [and / that] collected,
processed, or transferred covered data of over 5 million individuals/devices or the sensitive
covered data of 100,000 individuals/devices in the most recent calendar year.
“Collecting” means acquiring covered data by any means. “Processing” means any operation or
set of operations performed on covered data. “Transferring” means to disclose, make available,
or license covered data by any means or in any way. Together these terms dictate the actions of
covered entities and individuals with respect to covered data.
2. 2
“Targeted advertising” means displaying to an individual or unique identifier an online
advertisement that is selected based on knowns and assumptions derived from covered data
collected. It does not include responses to an individual’s specific request; first-party advertising
based on individual’s visit to or use of a service that offers a product or service that is the subject
of the advertisement; contextual advertising when an advertisement is displayed based on the
content of a webpage or online service; or processing of data solely used for measuring or
reporting advertising metrics.
Other key definitions include affirmative express consent and algorithm.
Title I – Duty of Loyalty
Section 101. Data Minimization.
The Act imposes a baseline duty on all covered entities not to unnecessarily collect or use
covered data in the first instance, regardless of any consent or transparency requirements.
Specifically, covered entities are prohibited from collecting, processing, or transferring covered
data beyond what is reasonably necessary, proportionate, and limited to provide specific products
and services requested by individuals, communicate with individuals in a manner they
reasonably anticipate given the context of their relationship with the covered entity, or for a
purpose expressly permitted by the Act.
The FTC must issue guidance to help establish what is “reasonably necessary, proportionate, and
limited” to comply with this section.
Section 102. Loyalty Duties.
To prevent harmful uses of particular sensitive data and ensure covered entities are protecting
individual privacy, covered entities are prohibited from and significantly restricted in engaging
in certain data practices regarding specific types of covered data except for very limited
circumstances. This includes responding to a warrant or meeting heightened conditions for
obtaining express affirmative consent of the individual when collecting, processing, or
transferring biometric information, genetic information, aggregated internet browsing and search
history, physical activity information, and transferring precise geolocation information to third
parties. Social Security numbers, password information, and nonconsensual intimate images are
subject to further restrictions.
Section 103. Privacy by Design.
Covered entities have a duty to implement reasonable policies, practices, and procedures for
collecting, processing, and transferring covered data. These should correspond to the entity’s
size, complexity, activities related to covered data, the types and amount of covered data the
entity engages with, and the cost of implementation compared to the risks posed. Privacy by
design must also take into account the particular privacy risks related to individuals under age
17. The FTC must issue guidance on reasonable policies, practices, and procedures within one
year of enactment.
Section 104. Loyalty to Individuals with Respect to Pricing.
Covered entities may not condition or effectively condition the provision or termination of
services or products to individuals by having individuals waive any privacy rights in the Act.
3. 3
This prohibition does not prevent covered entities from differentiating the price of or levels of
services based on an individual providing financial information necessarily collected and used
for payment when an individual specifically requests a product. Covered entities are also not
prevented from offering loyalty programs that provide discounts in exchange for continued
business, provided they otherwise comply with the Act.
Title II – Consumer Data Rights
Section 201. Consumer Awareness.
Within 90 days of enactment, the FTC must publish a public web page describing all provisions
of the Act in plain language, listed separately to help advise individuals and covered entities of
their rights and obligations under the Act. The web page must be updated for changes in law.
Section 202. Transparency.
Covered entities must provide individuals with privacy policies detailing their data collection,
processing, transfer, and security activities in a readily available and understandable manner.
Such policies must include contact information, the affiliates of the covered entity that it
transfers covered data to, and the purposes for each category of covered data the covered entity
collects, processes, and transfers. Covered entities must specify the third-party collecting entities
to whom they transfer covered data and for what purposes.
Privacy policies must also state how individuals may exercise their rights under the Act and how
long the entity intends to retain covered data. Privacy policies must be provided in all languages
in which covered entities conduct business related to the covered data. Any material changes to
a privacy policy require covered entities to notify individuals and provide an opportunity to
withdraw consent before further processing the covered data of those individuals. Covered
entities must specify whether any covered data they handle is made available to China, Russia,
Iran, or North Korea.
Finally, large data holders must provide short-form notices of their covered data practices
pursuant to minimum requirements established in FTC regulations under the APA.
Section 203. Individual Data Ownership and Control.
Individuals have the right to access, correct, delete, and portability of, covered data that pertains
to them. The right to access includes obtaining covered data in a human-readable and
downloadable format that individuals may understand without expertise, the names of any other
entities their data was transferred to, the categories of sources used to collect any covered data,
and the purposes for transferring the data. The rights to correct and delete covered data also
require covered entities to notify other entities to whom covered data was transferred of the
corrected information or desire to have the covered data deleted.
To the extent technologically feasible, individuals also have the right to export their covered data
in a portable format. Covered entities are not required to comply with individual requests under
this section where they are unable to verify the identity of the individual making the request.
These individual rights are subject to covered entities rights to limited permissive exceptions for
covered data use, such as complying with law enforcement or judicial proceedings. The timing
4. 4
for covered entities to respond to such requests depends on whether covered entities are large
data holders or meet the requirements of small and mid-sized entities.
The FTC is authorized to promulgate APA regulations as necessary to establish processes for
compliance with this section, taking into consideration various characteristics of different
covered entities and their activities with respect to covered data.
Section 204. Right to Consent and Object.
Sensitive covered data may not be collected, processed, or transferred to a third party without the
express affirmative consent of the individual to whom it pertains. Individuals must be provided
the means to provide and withdraw consent by the same clear, conspicuous, and easy to use
means. Individuals may opt out of the transfer of any covered data to a third party.
Covered entities engaged in targeted advertising must provide individuals with clear and
conspicuous means to opt out prior to any targeted advertising and at all times afterwards.
Section 205. Data Protections for Children and Minors.
Covered entities are subject to additional requirements for covered data with respect to
individuals under age 17. Targeted advertising is expressly prohibited [if covered entities have
actual knowledge that an individual is under 17]/[to any individual under 17]. Covered entities
may not transfer the covered data of individuals between 13 and 17 years old to third parties
without express affirmative consent [where the covered entity has actual knowledge the
individual is between 13 and 17].
This section establishes a Youth Privacy and Marketing Division at the FTC, which shall be
responsible for addressing privacy and marketing concerns with respect to children and minors.
The division must submit annual reports to Congress and hire staff that includes experts in youth
development, data protection, digital advertising, and data analytics.
This section also requires the FTC Inspector General to submit a report to Congress every two
years analyzing the fairness and effectiveness of the safe harbor provisions in the Children’s
Online Privacy Protection Act of 1998 (COPPA). These reports must be published on the FTC
web site.
Notably, there are several other important provisions with heightened or specific call-outs to
children and minors throughout the legislation.
Section 206. Third-party collecting entities.
Third-party collecting entities must place a clear and conspicuous notice on their web site and/or
mobile application informing individuals they are a third-party collecting entity using language
specified by FTC regulations. The FTC must promulgate regulations under the APA that require
third-party collecting entities to allow for auditing of any access to or disclosure of covered data
related to individuals that is processed by the third-party collecting entity.
Third-party collecting entities that process covered data of more than 5,000 individuals must
annually register with the FTC. Registration includes paying a $100 fee, providing information
about the third-party collecting entity’s activities, providing contact information, and creating a
5. 5
link to a website where individuals may exercise their audit rights under this section. Third-party
collecting entities face civil fines for failing to register or provide the notice required by this
section.
Finally, the FTC must establish and maintain an online, public, searchable registry of registered
third-party collecting entities that allows individuals to look up information on third-party
collecting entities, links to and contact information of the third-party collecting entities, and a
link and mechanism by which individuals may submit a single request to all registered third-
party collecting entities to have all covered data about them deleted within 30 days.
Section 207. Civil Rights and Algorithms.
Covered entities may not collect, process, or transfer covered data in a manner that discriminates
on the basis of race, color, religion, national origin, gender, sexual orientation, or disability. This
does not prevent covered entities from diversifying an applicant, participant, or customer pool.
As applicable, the FTC is required to transmit any information it obtains regarding potential
discriminatory uses of covered data to federal executive agencies with authority to initiate
proceedings related to such a violation. The FTC must submit annual reports to Congress on the
information it sends to these agencies under this section and how that information relates to
federal civil rights laws.
This section also requires large data holders that use algorithms to assess their algorithms
annually and submit annual algorithmic impact assessments to the FTC. These assessments must
describe steps the entity has taken or will take to mitigate potential harms from algorithms,
including any harms specifically related to individuals under 17. These assessments must also
seek to mitigate algorithmic harms related to advertising for housing, education, employment,
healthcare, insurance, or credit, access to or restrictions on places of public accommodation, and
any disparate impact on the basis of an individual’s race, color, religion, national origin, gender,
sexual orientation, or disability status.
Algorithmic evaluations must occur at the design phase of an algorithm, including any training
data that is used to develop the algorithm. To the extent possible, entities must also
meaningfully consult with independent auditors when conducting their assessments.
The FTC must publish guidance regarding compliance with this section. The FTC is also
granted rulemaking authority under the APA to promulgate regulations establishing processes for
submitting algorithmic assessments and excluding any algorithms it deems to present minimal
risks to individuals.
Finally, the FTC must, in consultation with the Department of Commerce (DOC), conduct a
study using its section 6(b) authority to review the algorithmic impact assessments received
under this section. Within three years of enactment, the FTC and DOC must submit a report to
Congress containing the results of the study. An additional report is required three years after
the initial submission as well as whenever the FTC deems it necessary.
Section 208. Data Security and Protection of Covered Data.
6. 6
Covered entities must implement and maintain data security practices and procedures that protect
and secure covered data against unauthorized use and acquisition. In determining whether such
protections are reasonable, the FTC must consider the entity’s size, complexity, activities related
to covered data, the types and amount of covered data the entity engages with, the current state
of the art in protecting covered data, and the cost of available tools.
This section provides specific requirements covered entities must meet to assess vulnerabilities,
take preventive and corrective action, evaluate their systems, and for the retention and disposal
of covered data. Covered entities must provide training to all employees with access to covered
data and designate an officer or employee to maintain and implement their data security
practices. Entities regulated by and in compliance with the data security requirements in the
Gramm-Leach Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA)
will be deemed in compliance with this section.
The FTC may promulgate regulations under the APA to establish processes for compliance with
this section.
Section 209. General Exceptions.
Notwithstanding other provisions in the Act, covered entities may generally collect, process, or
transfer covered data for specific purposes where it is reasonably necessary, proportionate, and
limited to the specific purpose. Such exceptions include completing transactions, processing
covered data already collected to perform system maintenance, diagnostics, or internal research,
addressing security incidents, guarding against illegal activity and fraud, complying with legal
obligations, preventing death or serious physical injury, effectuating product recalls, and
conducting research in the public interest that meets specific requirements for human subjects
research.
The section also provides exemptions for certain small and medium-sized covered entities.
Those entities that for the prior three years earned gross annual revenues of $41 million or less,
did not collect or process the covered data of 100,000 individuals in a year (except for processing
payments and promptly deleting covered data for requested products/services), and did not
derive more than half their revenue from transferring covered data are exempt from the data
portability requirements. These covered entities may choose to delete, rather than correct, an
individual’s covered data upon receiving a verified request in section 203 and are fully excluded
from the data security requirements in section 208(a) except for data retention obligations as well
as and section 301(c)’s requirement to designate a privacy and data security officer.
Section 210. Unified Opt-Out Mechanisms.
The FTC must conduct a study to determine the feasibility of created centralized opt-out
mechanisms to ease individuals exercise of their rights to opt-out of covered data transfers in
section 204(c), targeted advertising in section 204(d), and the single request to all registered
third-party collecting entities to have all covered data about them deleted in section 206(c)(3)(D).
If the FTC finds that a centralized mechanism for any or all of the rights would be feasible, it
must promulgate APA regulations establishing such mechanisms for covered entities to allow
individuals to make these designations.
7. 7
Title III – Corporate Accountability
Section 301. Executive Responsibility.
The CEOs (or equivalent) and privacy officers at large data holders must annually certify that
their company maintains reasonable internal controls and reporting structures for compliance
with the Act. This certification must be based on a review conducted by the certifying officers
within 90 days of submission.
All covered entities must designate one or more privacy and data security officers who must
implement privacy and data security programs and ensure ongoing compliance with the Act.
Large data holders must also designate at least one of these officers as the privacy protection
officer to report directly to the entity’s highest official. That officer is responsible for
establishing processes, conducting regular comprehensive audits, developing training and
education programs for employees, maintaining records, and serving as the point of contact with
enforcement authorities as related to the privacy and security requirements of the Act.
Large data holders must also conduct privacy impact assessments weighing the benefits of its
covered data practices against the potential consequences to individual privacy on a biennial
basis and have them approved by the privacy protection officer.
In assessing the privacy risks, the large data holder may include reviews of the means by which
technologies, including blockchain and distributed ledger technologies and other emerging
technologies, are used to secure personal information.
Section 302. Service Providers and Third Parties.
Service providers and third parties each have responsibilities related to covered data. In so far as
a covered entity acts as a service provider, it may only collect or process covered data for the
purposes directed by the covered entity it got the data from and may not transfer such data to
another entity without express affirmative consent of the individual to whom it pertains. Service
providers generally have the same responsibilities as other covered entities under the Act, with
the exception that, given their non-consumer facing role, they are only required to assist the
covered entities they process covered data for from fulfilling requests by individuals to exercise
their rights under sections 203 and 204 of the Act.
Third parties cannot process covered data beyond the expectations of a reasonable individual.
Such entities are generally subject to the same responsibilities as other covered entities under the
Act, except for the rights to consent and object under Section 204 with respect to data collected
in their capacity as third parties.
Covered entities must conduct reasonable due diligence in selecting service providers and
deciding to transfer covered data to third parties. The FTC must issue guidance to help covered
entities comply with this section, including to help alleviate potentially unreasonable compliance
burdens on small entities.
Section 303. Technical Compliance Programs.
Within 120 days of enactment, the FTC must promulgate regulations under the APA to establish
processes for covered entities to submit technical compliance programs for approval. Such
8. 8
programs are to be specific to particular technologies, products, services, or methods regarding
covered data. Such programs will establish compliance guidelines and be publicly available to
individuals whose data is processed by participating entities.
The FTC, state attorneys general, and courts in private litigation must consider a covered entity’s
history of compliance with any approved program when bringing or hearing an enforcement
action against that entity.
Section 304. Commission Approved Compliance Guidelines.
Non-third-party collecting entities that meet the small and medium-sized covered entities criteria
in section 209(c) are eligible to participate in FTC approved compliance guidelines for handling
covered data. Applications for approval must include how the guidelines will meet or exceed the
Act’s requirements, the entities or activities the guidelines intend to cover, any covered entities
known at the time of submission who want to participate, and a description of how entities will
be independently assessed for compliance. Compliance with any approved guidelines must be
assessed by an independent organization not associated with any covered entity participant and
that organization must be identified in the application for approval.
The FTC has 180 days from receipt to approve a submission. Material changes to the guidelines
must also be submitted for approval, which the FTC must respond to in 90 days. The FTC may
withdraw approval at any time by notifying the participating covered entities its basis for doing
so, beginning a 90-day timeline to cure the deficiency in the guidelines and submit the proposed
cure to the FTC for approval.
An entity eligible to participate in approved guidelines will be deemed in compliance with the
Act if in compliance with the guidelines, but will remain subject to enforcement if alleged to not
be in compliance with the Act.
Section 306. Digital Content Forgeries.
Within a year after enactment and annually after that DOC must publish a report on digital
content forgeries. The report will define, describe, and assess digital content forgeries, including
the methods to identify and take counter-measures against them.
Title IV – Enforcement, Applicability, and Miscellaneous
Section 401. Enforcement by the Federal Trade Commission.
The FTC must establish a new bureau to carry out its authority under the Act that is comparable
to the current Bureaus of Consumer Protection and Competition. That bureau must be fully
operational within a year of enactment and include an office of business mentorship to assist
covered entities with compliance.
Violations of the Act will be treated as violations of a rule defining an unfair or deceptive act or
practice under the FTC Act, meaning it may obtain civil penalties for initial and subsequent
violations, among other relief. The FTC may generally enforce the Act akin to any other
violation under the FTC Act, but it may not bring an action under section 5(b) of that Act to stop
the same conduct that it brings an enforcement against under this Act.
9. 9
This section establishes a relief fund for victims of entities violating the Act. Any relief the FTC
or the Department of Justice obtains enforcing the Act that cannot be provided directly to harmed
individuals will be deposited there and be available to the FTC, without fiscal year limitation, to
provide relief to individuals harmed by violations under the Act. To the extent money in the
fund cannot be used to compensate harmed individuals, the FTC may use funds for the office of
business mentorship or to engage in technological research.
Section 402. Enforcement by State Attorneys General.
State Attorneys General and chief consumer protection enforcement officers may bring cases in
federal court for injunctive relief, to obtain damages, penalties, restitution, or other
compensation, and to obtain reasonable attorney’s fees and other litigation costs. The FTC
retains the right to intervene upon receiving required notice from state enforcement officers and
no state enforcement may occur once the FTC or its deputy has initiated an enforcement action
regarding that conduct. States retain all of their existing investigatory and administrative powers
and rights to bring enforcement actions arising solely under existing state law.
Section 403. Enforcement by Individuals.
Starting four years after the date the Act takes effect, persons or classes of persons may generally
bring a civil action in federal court seeking compensatory damages, injunctive relief, declaratory
relief, and reasonable attorney’s fees and litigation costs. This right applies to claims alleging
violations of specified prohibited uses of covered data, the individual rights in sections 102, 104,
202, 203, 204, protections for children and minors against targeted advertising and the unlawful
transfer of covered data in section 205(a)-(b), rights exercisable against registered third-party
collecting entities in section 206, civil rights violations under section 207, data security
protections under section 208, and rights exercisable against service providers and third parties
under section 302.
Individuals must notify the FTC and the attorney general of their state of residence of their intent
to bring such an action; those agencies then have 60 days to determine if they wish to bring suit.
Demands for monetary payments sent to covered entities prior to the end of this period or after
one of the agencies has opted to bring an action will be considered to be made in bad faith. All
demand letters must provide a statement and link to the FTC web site established by section 201
of the Act that describes a covered entity’s rights under the Act.
The FTC’s Bureau of Economics must conduct annual studies beginning five years after
enactment regarding the impact of demand letters under the act and report these findings to
Congress.
Covered entities may not enforce pre-dispute arbitration agreements or joint action waivers with
respect to minors. Pre-dispute joint action waivers for arbitration or administrative proceedings
are precluded in all cases. When individuals seek injunctive relief against covered entities or any
relief against small and medium sized covered entities meeting the criteria in section 209, those
entities have a limited right to cure the alleged deficiency. Covered entities must be provided 45
days written notice identifying specific provisions the entity allegedly violated. When a cure is
achieved, demands for injunctive relief may be reasonably dismissed.
Section 404. Relationship to Federal and State Laws.
10. 10
Existing federal law and the authority of federal agencies is generally not limited except where
specified in the Act. Covered entities subject to and in compliance with the related data privacy
and security requirements of certain specified federal laws shall be held to be in compliance with
the related laws of the Act solely and exclusively to the extent that covered data is subject to the
requirements in the other laws. The FTC must issue guidance for implementation of these
provisions. [In so far as covered entities are providers of broadband internet access service,
satellite carriers, or cable operators] no law or regulation of the FCC shall apply to that entity
with respect to the collecting, processing, or transferring covered data under the Act.
State laws covered by the provisions of the Act are preempted, subject to a list of specified state
laws to be preserved. That list includes generally applicable consumer protection laws; civil
rights laws; employee and student privacy protections; data breach notification laws; contract
and tort law; criminal laws regarding fraud, theft, identity theft, unauthorized access to electronic
devices, and unauthorized use of personal information; laws on cyberstalking, cyberbullying,
nonconsensual pornography, and sexual harassment; unrelated public sector and safety laws;
laws addressing public records and criminal justice information; laws addressing bank, financial,
and tax records, Social Security numbers, credit cards, credit reporting, credit repair, credit
clinics, and check-cashing services; facial recognition, electronic surveillance, wiretapping, and
telephone monitoring laws; the Illinois Biometric and Genetic Information Privacy Acts; laws
addressing unsolicited email and phone calls; laws addressing medical information, records, and
HIV status or testing; the confidentiality of library records; and Section 1798.150 of the
California Civil Code, as amended. State common law rights or remedies and statutes creating
remedies for civil relief are not preempted or displaced by the Act, but violations of the Act shall
not be pleaded as an element of any such cause of action.
Section 405. Severability.
If any provision of the Act is held invalid, the remainder of the Act will remain valid to the
furthest extent possible.
Section 406. COPPA.
The Act does not relieve or change existing obligations under COPPA. Within 180 days of
enactment, the FTC must amend its existing COPPA rules to reference additional requirements
to covered entities under this Act.
Section 407. Authorization of Appropriations.
The Act authorizes the FTC to be appropriated the sums necessary to carry out the Act.
Section 408. Effective Date.
[Except as otherwise provided,] the Act will take effect [180] days after the date of enactment.