SECURE Data Act

This Act may be cited as the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act or the SECURE Data Act.

The table of contents for the Act is as follows:

A consumer has the following privacy rights with respect to a controller:

(1) To confirm whether a controller is processing the personal data of the consumer and have access to a copy of such data, unless the confirmation and access would require the controller to reveal a trade secret.

(2) To correct any inaccuracy in the personal data of the consumer, taking into account the nature of the personal data and the purpose of processing the personal data.

(3) To delete personal data provided by or obtained about the consumer.

(4) If the data is available in a digital format and to the extent technically feasible, to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance.

(5) To opt out of the processing of the personal data for the following purposes:

(A) Targeted advertising.

(B) The sale of personal data.

(C) Reliance on profiling to make a decision that has a legal or similarly significant effect on the consumer.

Except as provided in paragraphs (2) and (3), a controller may not process the sensitive data of a consumer without obtaining the consent of the consumer before processing.

Notwithstanding paragraph (1), a controller shall process the sensitive data of a child in accordance with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq).

Notwithstanding paragraph (1), a controller may not process the sensitive data of a teen without obtaining the verifiable consent of a parent of the teen.

A controller shall comply with any consumer privacy right described in subsection (a) once a consumer submits a request that specifies each consumer privacy right the consumer requests to exercise and the controller authenticates the consumer.

With respect to a consumer privacy right described in subsection (a) for a child or teen, only a parent of the child or teen may exercise such consumer privacy right on behalf of the child or teen.

Except as provided in paragraph (2), without undue delay and not later than 45 days after the date on which a consumer submits a request under subsection (c), a controller—

(A) shall respond to the consumer and comply with each privacy right requested; or

(B) shall provide a notice to the consumer that—

(i) the controller declines to take action;

(ii) includes a justification for such inaction; and

(iii) includes instructions on how the consumer can appeal the decision of such inaction.

The controller may extend the period described in paragraph (1)(A) an additional 45 days when reasonably necessary, taking into consideration the complexity and number of requests submitted by the consumer, if the controller informs the consumer of the extension during such period with the reason for such extension.

For each consumer privacy right described in subsection (a), a consumer may submit to each controller 2 requests under subsection (c) related to such consumer privacy right in a year free of charge.

If a consumer submits more than 2 such requests or submits a request that is technically infeasible or manifestly unfounded, the controller may—

(i) charge the consumer a reasonable fee to cover the administrative costs of complying with the request if the controller has notified the consumer of such fee and the consumer has consented to pay such fee; or

(ii) decline to act on the request.

The controller shall demonstrate, document, and provide to the Commission or a State attorney general, upon request, any technically infeasible or manifestly unfounded nature of any such request.

If a controller is unable to authenticate a consumer who submits a request under subsection (c), the controller is not required to comply with such request and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the request.

A controller that obtains personal data about a consumer from a source other than the consumer is considered to be in compliance with the request of a consumer under subsection (c) to delete that personal data under subsection (a)(3) by—

(A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data of the consumer remains deleted from the records of the controller and not using the retained data for any other purpose under this Act; or

(B) opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this Act.

With respect to a request of a consumer under subsection (c) for a child, a controller shall be deemed to be in compliance with such subsection if the controller responds to an equivalent consumer privacy right exercised by a parent under the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq).

A controller shall establish a process for a consumer to appeal a determination by the controller to not take action under subsection (d)(1)(B).

The appeal process established pursuant to paragraph (1) shall be conspicuously available and similar to the process for a request submitted under subsection (c).

Not later than 60 days after the date on which an appeal is received by a controller, the controller—

(A) shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of each reason for a decision; and

(B) if the appeal is denied, shall provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Commission or a State attorney general to submit a complaint.

A controller shall establish and describe in a privacy notice one or more secure and reliable means for a consumer to submit a request to exercise consumer privacy rights described under subsection (a).

In establishing the means pursuant to paragraph (1), a controller shall take into account the ways in which a consumer normally interacts with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the consumer making the request.

A controller may not require a consumer to create a new account in order to exercise consumer privacy rights described under subsection (a) but may require a consumer to use an existing account.

A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the data is processed as disclosed to the consumer.

Except as otherwise provided in this section, a controller may not process personal data for any purpose that is not reasonably necessary or compatible with the disclosed purpose for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consent of the consumer before any such processing.

A controller may not process personal data in violation of a Federal law that prohibits unlawful discrimination against a consumer.

A controller may not discriminate against a consumer for exercising any consumer right described under section 2, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

Nothing in subsection (d) may be construed—

(1) to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or

(2) to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to the voluntary participation of a consumer in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Beginning on the date of the enactment of this Act, any provision of a contract or agreement of any kind that waives or limits a consumer right described under section 2 shall be deemed contrary to public policy and shall be void and unenforceable.

Before processing the personal data of a consumer, a controller shall provide that consumer with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

(1) Each category of personal data processed by the controller.

(2) Each purpose for processing personal data.

(3) How a consumer may exercise a consumer right described under section 2, including how a consumer may appeal the decision of a controller under section 2(d).

(4) Each category of personal data the controller shares with any other controller or any governmental entity.

(5) Each category of other controllers or any governmental entity, if any, with whom the controller shares personal data.

(6) Whether any personal data processed by the controller is transferred to, processed in, stored in, or sold to a covered nation.

If a controller sells personal data of a consumer, the controller shall clearly and conspicuously disclose—

(1) such activity before any collection or sale of personal data; and

(2) the manner in which a consumer may exercise the right to opt out of the sale of such personal data under section 2(a)(5).

If a controller processes personal data of a consumer for targeted advertising, the controller shall clearly and conspicuously disclose—

(1) such activity before any collection or use of personal data; and

(2) the manner in which a consumer may exercise the right to opt out of such processing under section 2(a)(5).

A controller that relies on profiling to make a decision that has a legal or similarly significant effect on a consumer shall clearly and conspicuously disclose to such consumer before any such decision is made that—

(A) the decision will be made using automated means; and

(B) the manner in which a consumer may exercise the right to opt out of such profiling.

For purposes of paragraph (1) and section 2(a)(5), a controller relies on profiling to make a decision that has a legal or similarly significant effect on a consumer if such decision is made with no human review, involvement, oversight, or intervention.

A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and that are appropriate to the volume, sensitivity, and nature of such personal data.

A controller has a rebuttable presumption to an alleged violation of this section if—

(1) the controller complies with a relevant code of conduct approved under section 8(a)(3) (or a relevant certification described in section 8(f)); or

(2) the controller has established, implemented, and maintained—

(A) data security practices appropriate to the state-of-the-art in administrative, technical, and physical data security practices for the protection of the confidentiality, integrity, and accessibility of personal data, including such a practice demonstrated by adherence to a widely accepted technical specification or through a third-party attestation; and

(B) a comprehensive data security program that reasonably conforms to a relevant Federal or widely accepted international risk management framework for identifying and protecting against data security risks, and for detecting, responding to, and recovering from data security events.

A data broker shall post on a publicly available website or mobile application a conspicuous notice that—

(1) states that the entity maintaining the website or application is a data broker;

(2) is clear, not misleading, and readily accessible by the public; and

(3) informs a consumer how to exercise any consumer right described under section 2.

Not later than 12 months after the date of the enactment of this Act, and annually thereafter, a data broker shall register with the Commission by filing a registration statement and paying a reasonable registration fee set by the Commission that includes the following information:

(1) The legal name of the data broker.

(2) A contact person and the primary physical address, email address, telephone number, and website address for the data broker.

(3) A description of each category of personal data sold by the data broker.

(4) A statement of whether the data broker implements a purchaser credentialing process.

(5) A description of any incident of unauthorized access to personal data that the data broker has reported to a Federal or State governmental entity pursuant to an applicable law, rule, or regulation during the year before the year in which the registration is filed, and if known, the total number of consumers affected by each previously reported incident of such unauthorized access.

(6) A link to the privacy policy published in accordance with section 3(g).

(7) A link to a website published by the data broker that informs a consumer how to exercise any consumer right described under section 2.

Not later than 18 months after the date of the enactment of this Act, the Commission shall establish and maintain on a publicly available website of the Commission a searchable, central registry of data brokers registered under subsection (b) that includes the following:

(1) A search feature that allows a person searching the registry to identify a data broker.

(2) For each data broker, a link to the privacy policy published in accordance with section 3(g).

(3) For each data broker, a link to a website published by the data broker that informs a consumer how to exercise any consumer right described under section 2.

A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the requirements of this Act, including by taking into account the nature of processing and the information available to the processor—

(1) by appropriate administrative and technical measures, insofar as reasonably practicable, to fulfill the requirements of the controller to respond to an assertion of any consumer right described under section 2; and

(2) by assisting the controller in meeting the requirements of the controller under section 4.

A contract between a controller and a processor shall govern the data processing procedures of the processor with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of personal data subject to processing, the duration of processing, and the rights and obligations of both parties.

At a minimum, the contract between a controller and processor shall include requirements that the processor does the following:

(1) Ensures that each person processing personal data is subject to a duty of confidentiality with respect to the data.

(2) At the direction of the controller, deletes or returns all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

(3) Upon the reasonable request of the controller, makes available to the controller all information in the possession of the processor necessary to demonstrate compliance by the processor with the requirements of this Act.

(4) Either—

(A) allows and cooperates with reasonable assessments by the controller or a designated assessor by the controller; or

(B) the processor—

(i) arranges for a qualified and independent assessor to conduct an assessment of the policies and administrative and technical measures of such processor that meet the requirements of this Act using an appropriate and accepted control standard or framework and assessment procedure for such assessment; and

(ii) provides a report of the assessment to the controller upon request.

(5) If a processor engages a subcontractor, include in any subcontract a requirement that the subcontractor meet the obligations of the processor with respect to the personal data.

Nothing in this section may be construed to relieve a controller or processor from any liability imposed on the controller or processor by virtue of a role in a processing.

The determination about whether a person is acting as a controller or processor with respect to a specific processing of personal data is a fact-based determination that depends upon the context in which personal data is to be processed.

If a processor, alone or jointly with others, begins determining the purpose and means of processing personal data, such processor is a controller with respect to a specific processing of such personal data.

A processor that follows the instructions of a controller with respect to a specific processing of personal data remains a processor.

A controller in possession of deidentified data shall—

(1) take reasonable measures to ensure the data cannot be associated with an individual;

(2) publicly commit to maintain and use deidentified data without attempting to re-identify the data; and

(3) contractually obligate any recipient of the deidentified data to comply with each requirement of this Act.

A controller that discloses deidentified or pseudonymous data shall exercise reasonable oversight to monitor compliance with any contractual commitment to which the deidentified or pseudonymous data is subject and shall take appropriate steps to address any breach of such contractual commitment.

An assertion of any consumer right described under section 2 does not apply to pseudonymous data for a case in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate administrative and technical measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Nothing in this Act may be construed to require a controller or processor to—

(1) re-identify deidentified data or pseudonymous data; or

(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating a consumer request with personal data.

Nothing in this Act may be construed to require a controller or processor to comply with an assertion of any consumer right described under section 2 if—

(1) the controller is not reasonably capable of associating the request with the personal data or it would be unduly burdensome for the controller to associate the request with the personal data;

(2) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and

(3) the controller does not sell the personal data to another controller or otherwise voluntarily disclose the personal data to any entity other than a processor, except as otherwise permitted in this section.

A controller or processor (or a group of controllers or processors) may submit to the Secretary an application for approval of a code of conduct that meets or exceeds the requirements of the controller or processor (or the group of controllers or processors) under this Act.

An application submitted under paragraph (1) shall include the following:

(A) A description of the specific requirements of this Act to which the code of conduct proposed in the application will apply.

(B) A description of how the code of conduct will meet or exceed such requirements.

(C) A description of the entities the code of conduct is designed to cover.

(D) A list of the controllers or processors, to the extent known at the time of application, that intend to comply with the code of conduct.

(E) A description of the independent organization that will administer the code of conduct with respect to controllers or processors, including an explanation of how the independent organization is governed.

(F) A description of how the entities described in subparagraph (C) will be assessed for compliance with the code of conduct by the independent organization described in subparagraph (E).

(G) A description of how the independent organization will refer to the Commission or to a State attorney general any controller or processor that does not—

(i) meet the requirements of this Act; or

(ii) meet or exceed the requirements of the Act in accordance with the certification publicly disclosed by the controller or processor under subsection (c).

Not later than 90 days after the date on which the Secretary receives an application submitted under paragraph (1), the Secretary shall publish the application and provide an opportunity for public comment on the code of conduct proposed in the application.

The Secretary, in consultation with the Commission, shall approve an application submitted under paragraph (1), including the independent organization that will administer the code of conduct, if the controller or processor (or the group of controllers or processors) that submits the application demonstrates that the code of conduct proposed in the application meets the following criteria:

(I) Meets or exceeds the relevant requirements of this Act.

(II) Provides for regular review and validation by the independent organization to ensure that the controller or processor (or the group of controllers or processors) that complies with the code of conduct continues to meet or exceed the relevant requirements of this Act.

(III) Includes referral to the Commission for enforcement or referral to the appropriate State attorney general for enforcement.

Not later than 1 year after the date on which the Secretary receives an application submitted under paragraph (1), the Secretary shall issue a public determination approving or denying the application and providing the reasons for such approval or denial.

If an independent organization that administers a code of conduct approved under subparagraph (A) makes significant updates to the code of conduct—

(I) the independent organization shall submit to the Secretary an application for approval of the significant updates made to the code of conduct; and

(II) not later than 90 days after the date on which the Secretary receives an application for an updated code of conduct submitted under subclause (I), the Secretary shall publish the proposed updated code of conduct and provide an opportunity for public comment.

Not later than 180 days after the date on which the Secretary receives an application for an updated code of conduct submitted under clause (i)(I), the Secretary, considering the approval criteria described in subparagraph (A)(ii), shall issue a public determination approving or denying the application and providing the reasons for such approval or denial.

If the Secretary has clear and convincing evidence that a code of conduct approved under subsection (a)(3) no longer meets the relevant requirements of this Act or that compliance with the code of conduct is insufficiently assessed by the independent organization that administers the code of conduct, the Secretary shall notify the relevant controller or processor (or the relevant group of controllers or processors) and the independent organization of a potential withdrawal of approval by the Secretary and of the opportunity to cure any alleged deficiency under paragraph (2).

Not later than 180 days after the date on which a controller or processor (or a group of controllers or processors) receives the notice described in paragraph (1), the controller or processor (or the group of controllers or processors) and the relevant independent organization may—

(i) create a proposed cure to any alleged deficiency of the code of conduct or the enforcement of the code of conduct; and

(ii) submit each such proposed cure to the Secretary.

If the Secretary determines within 60 days that a proposed cure submitted under subparagraph (A)(ii) eliminates an alleged deficiency of the code of conduct or the assessment of compliance with the code of conduct, the Secretary may not withdraw the approval of such code of conduct on the basis of such deficiency.

If the Secretary determines that a proposed cure submitted under subparagraph (A)(ii) does not eliminate an alleged deficiency of the code of conduct or the assessment of compliance with the code of the conduct, the Secretary may withdraw approval of such code of conduct on the basis of such deficiency.

Not later than 10 days after the date on which the Secretary makes a determination under subparagraph (A), the Secretary shall notify the relevant controller or processor (or the relevant group of controllers or processors) and the independent organization of the relevant withdrawal of approval described in subparagraph (A).

A withdrawal of approval described in subparagraph (A) shall take effect on the date that is 30 days after the date on which the Secretary provides the notification required by subparagraph (B).

Not later than 30 days after the date on which the Secretary provides notification required by subparagraph (B), the Secretary shall publish on a publicly available website a notice about the relevant withdrawal of approval described in subparagraph (A).

A controller or processor that participates in a code of conduct approved under subsection (a)(3) shall certify on a publicly available website that the controller or processor is in compliance with the code of conduct, including by listing the independent organization that administers the code of conduct.

A controller or processor that complies with a relevant code of conduct approved under subsection (a)(3) (or a relevant certification described in subsection (f)) shall be entitled to a rebuttable presumption that the controller or processor is in compliance with the relevant requirements of this Act to which the code of conduct (or certification) applies.

Not later than 2 years after the date of the enactment of this Act, the Secretary shall publish codes of conduct for businesses that otherwise would be persons to whom this Act applies but that do not meet the applicability requirements described in section 13(a)(2).

In carrying out paragraph (1), the Secretary shall—

(A) follow the same procedures described in subsections (a) and (b); and

(B) solicit independent organizations to administer the codes of conduct.

A code of conduct published under paragraph (1) shall meet the following requirements:

(A) Be consistent with the requirements of this Act.

(B) Be cost-effective for any participant in the code of conduct.

(C) Be appropriate to the risks, size, and limitations of any such participant.

Participation in a code of conduct published under paragraph (1) shall be voluntary.

A participant in a code of conduct published under paragraph (1) shall publicly self-certify that the participant is in compliance with the code of conduct, including by listing the independent organization that administers the code of conduct.

A certification by a controller pursuant to the Global Cross Border Privacy Rules System, or any successor system, or a certification by a processor pursuant to the Global Cross Border Privacy Rules System Privacy Recognition for Processors, or any successor system, shall be treated as participation in a code of conduct approved under subsection (a)(3).

The Secretary shall serve as the principal advisor to the President on policy relating to the international flow of personal data and the protection of personal data in international commerce.

The Secretary shall take any action necessary and appropriate to support the international flow of personal data and the protection of personal data in international commerce, including the following:

(1) Assessing the laws, regulations, requirements, frameworks, and practices (and the implementation thereof) of foreign governments for—

(A) alignment with the consumer rights and protections of personal data described in this Act;

(B) any impact on consumers and businesses in the United States, including with respect to economic competitiveness, innovation, and data security; and

(C) any impact on the economic and security interests of the United States.

(2) Developing policy and recommendations relating to—

(A) identifying the benefits of the international flow of personal data to consumers and businesses, including economic competitiveness, innovation, and data security;

(B) addressing any negative impact on consumers and businesses in the United States of laws, regulations, requirements, frameworks, and practices (and the implementation thereof) of foreign governments that limit or restrict the international flow of personal data;

(C) promoting the protection of personal data in a manner that maintains the international flow of personal data in international commerce; and

(D) mitigating the risk posed by covered nations to the international flow of personal data and the protection of personal data in international commerce.

(3) Establishing, maintaining, and promoting frameworks, certifications, principles, and partnerships to facilitate the international flow of personal data for commercial purposes and the protection of personal data in international commerce.

(4) Coordinating with any relevant agency as needed.

The Secretary, as the Secretary determines appropriate, may enter into an agreement with a foreign government, international forum, or foreign political or economic union to promote the international flow of personal data and the protection of personal data in international commerce.

Any agreement entered into pursuant to paragraph (1)—

(A) may not have provisions that conflict with the protections for personal data described in this Act;

(B) shall be consistent with the economic and security interests of the United States; and

(C) not later than 60 days after the date on which the agreement is entered into, shall be submitted to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate.

Nothing in this section may be construed to alter the authority of any agency with rulemaking and enforcement authority under subtitle A of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).

Not later than 3 years after the date of the enactment of this Act, the Secretary shall publish on a publicly available website a report that—

(1) is developed through a process of public consultation;

(2) reviews commercially available technologies, including a web browser setting or extension or a global setting on an electronic device, that allow a consumer to opt out of the processing of the personal data of the consumer by a controller;

(3) considers the feasibility of a universal opt-out mechanism in a manner that makes use of commercially available technologies and accounts for beneficial uses of personal data; and

(4) limits such review and consideration in accordance with the scope of this Act.

The commercially available technologies reviewed pursuant to the study required by subsection (a) shall meet the following requirements:

(1) Shall require a consumer to make an affirmative, freely given, and unambiguous choice to indicate the intent of the consumer to opt out of any processing of the personal data of the consumer by a controller.

(2) Shall be consumer-friendly and easy to use by the average consumer.

(3) May not unduly burden lawful data processing by a controller or processor, including with respect to beneficial uses of personal data.

Nothing in this Act may be construed to restrict the ability of a controller or processor to do any of the following:

(1) Cooperate with a law enforcement agency with respect to conduct or activity that the controller or processor reasonably and in good faith believes may violate a Federal, State, or local law, rule, or regulation.

(2) Investigate, establish, exercise, prepare for, or defend a legal claim.

(3) Provide a product or service specifically requested by a consumer or a parent of a consumer (if the consumer is a child or teen).

(4) Perform a contract to which a consumer or a parent of a consumer (if the consumer is a child or teen) is a party, including by fulfilling the terms of a written warranty.

(5) Take immediate steps to protect an interest that is essential to the life or physical safety of a consumer or of another individual.

(6) Prevent, detect, protect against, or respond to a security incident, including a data security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any other similar illegal activity.

(7) Preserve the integrity or security of systems.

(8) Investigate, report, or prosecute a person responsible for any such security incident.

(9) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to any applicable Federal or State ethics or privacy law and is approved, monitored, and governed by an institutional review board (or similar independent oversight entity) that considers the following:

(A) If the deletion of the personal data of a consumer is likely to provide substantial benefits that do not exclusively accrue to the controller.

(B) If the controller has implemented reasonable safeguards to mitigate privacy and data security risks to a consumer associated with research, including any risks associated with re-identification of the personal data of the consumer.

(C) If the expected benefits of the research outweigh such privacy and data security risks.

Nothing in this Act may be construed to restrict the ability of a controller or processor to collect, use, or retain the personal data of a consumer to do any of the following:

(1) Conduct internal research to develop, improve, or repair a product, service, or technology.

(2) Effectuate a product recall.

(3) Identify and repair any technical error that impairs the functionality of a product, service, or technology.

(4) Perform an internal operation that—

(A) is reasonably aligned with the expectations of a consumer;

(B) is reasonably anticipated based on the relationship of a consumer with the controller; or

(C) is otherwise compatible with processing data to—

(i) provide a product or service specifically requested by a consumer or a parent of a consumer (if the consumer is a child or teen); or

(ii) perform a contract to which a consumer or a parent of a consumer (if the consumer is a child or teen) is a party.

Nothing in this Act may be construed to prevent a controller or processor from providing the personal data of a consumer to a person covered by an evidentiary privilege under Federal or State law as part of a privileged communication.

A controller or processor that discloses the personal data of a consumer to another controller or processor in compliance with the requirements of this Act does not violate this Act if the controller or processor that receives and processes such personal data violates this Act if, at the time of disclosing the personal data, the disclosing controller or processor did not have knowledge that the receiving controller or processor intended to commit such a violation.

Nothing in this Act may be construed as a requirement imposed on a controller or processor that adversely affects the privacy or any other right or freedom of any person, including the right to freedom of speech under the Constitution of the United States, or that applies to the processing of personal data by a person in the course of a purely personal or household activity.

A violation of this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

Except as provided in paragraphs (3) and (4), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any jurisdictional limitation of the Federal Trade Commission, the Federal Trade Commission shall also enforce this Act, in the same manner provided in paragraphs (1) and (2), with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).

Notwithstanding paragraphs (1), (2), and (3), the Commission may not enforce any violation of section 3(c) of this Act.

If the Commission receives information alleging that a controller is in violation of section 3(c), the Commission shall transmit such information, as allowable under Federal law, to any agency with authority to initiate an enforcement action or proceeding relating to the alleged violation described in the information.

In any case in which the attorney general of a State has reason to believe that an interest of the residents of such State has been or is threatened or adversely affected by an act or practice in violation of this Act, the attorney general, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—

(A) enjoin such act or practice;

(B) enforce compliance with this Act;

(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commission a written notice of such action and a copy of the complaint for such action. If the attorney general determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general shall provide written notice of the action and a copy of the complaint to the Commission immediately upon the filing of the action.

On receiving notice under paragraph (2) of an action under this subsection, the Commission shall have the right—

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

If the Commission or the Attorney General of the United States has instituted a civil action for violation of this Act (referred to in this subparagraph as the Federal action), no State attorney general may bring an action under this subsection during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation of this Act alleged in such complaint.

For purposes of bringing a civil action under this subsection, nothing in this Act may be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of such State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.

Neither the Commission nor a State attorney general may initiate any action for a violation of this Act until—

(A) the Commission or the attorney general has provided written notice to a controller or processor alleged to be in violation of this Act of the alleged violation that identifies the specific provision of this Act alleged to have been violated; and

(B) not fewer than 45 days have passed since the date on which such written notice has been provided.

There shall be no violation of this Act with respect to an allegation made under paragraph (1)(A) if, during the period of time described in paragraph (1)(B), the controller or processor alleged to be in violation of this Act cures the alleged violation of this Act and provides the Commission or the State attorney general with a written statement that such violation has been cured and that no such further violation shall occur.

The Commission or the State attorney general may initiate an action pursuant to subsection (a) or (b) (as the case may be) to remedy an allegation made under paragraph (1)(A) if the controller or processor alleged to be in violation of this Act—

(A) fails to cure the alleged violation pursuant to paragraph (2); or

(B) after curing the alleged violation pursuant to paragraph (2), continues to violate this Act.

This Act shall apply to any person that is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.) and—

(1) with respect to the business of the person—

(A) conducts business in the United States or offers for use or sale to a resident of the United States a product or service; or

(B) processes or engages in the sale of personal data of a resident of the United States; and

(2) with respect to personal data and annual gross revenue in the course of such business—

(A) collects and processes personal data of more than 200,000 consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and has an annual gross revenue of $25,000,000 or more (as adjusted on January 1 each year by the percentage increase (if any), during the preceding 12-month period, in the Consumer Price Index for All Urban Consumers published by the Bureau of Labor Statistics); or

(B) collects and processes personal data of 100,000 or more consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and derives 25 percent or more of the annual gross revenue of the person from the sale of such personal data.

This Act does not apply to the following:

(1) A Federal, State, or local governmental entity.

(2) An entity that collects, processes, retains, or transfers personal data on behalf of such Federal or State governmental entity, to the extent that such entity is acting as a processor to the governmental entity.

(3) A financial institution subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).

(4) A covered entity or business associate subject to parts 160 and 164 of title 45, Code of Federal Regulations.

(5) A nonprofit organization.

(6) A nonprofit organization with the primary mission of preventing, investigating, or deterring fraud, training anti-fraud professionals, or educating the public about fraud, including insurance fraud, securities fraud, and financial fraud.

(7) An institution of higher education.

(8) The National Center for Missing and Exploited Children.

(9) An entity created by a Federal or State statute to pay for claims arising from the liquidation of an insurance company.

(10) A futures association registered pursuant to section 17 of the Commodity Exchange Act (7 U.S.C. 21).

(11) A national securities association registered pursuant to section 15A of the Securities Exchange Act of 1934 (15 U.S.C. 78o–3).

(12) Data processed or maintained—

(A) by an individual applying to, employed by, or acting as an agent or independent contractor of a controller or processor for such application, employment, or action;

(B) for inclusion in the emergency contact information relating an individual; or

(C) that is necessary for the administration of benefits for an individual.

(13) The following information:

(A) Health information protected under and collected or used for public health activities and purposes in accordance with HIPAA.

(B) Health records.

(C) Records relating to the identity, diagnosis, prognosis, or treatment of a patient under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2).

(D) Data, information, or identifiable private information (as such term is defined in section 46.102 of title 45, Code of Federal Regulations) obtained pursuant to any of the following:

(i) Part 46 of title 45, Code of Federal Regulations.

(ii) The Guideline for Good Clinical Practice E6(R3) issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use.

(iii) Part 50 or part 56 of title 21, Code of Federal Regulations.

(E) Information reported pursuant to the Health Care Quality Improvement Act of 1986 (42 U.S.C. 11101 et seq.).

(F) Identifiable patient safety work product and nonidentifiable patient safety work product (as such terms are defined in section 921 of the Public Health Service Act (42 U.S.C. 299b–21)) protected under Part C of title IX of the Public Health Service Act (42 U.S.C. 299b–21 et seq.).

(G) Information derived from any of the health care related information listed in this paragraph that is de-identified in accordance with section 164.514(e) of title 45, Code of Federal Regulations.

(H) Information that is included in a limited data set in accordance with the standards and specifications under section 164.514(e) of title 45, Code of Federal Regulations.

(I) Personal data that—

(i) may impact the creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of a consumer; and

(ii) is collected or disclosed by a consumer reporting agency (as such term is defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) or a furnisher, to the extent that the consumer reporting agency or furnisher is engaged in activities subject to the Fair Credit Reporting Act.

(J) Personal information (as such term is defined in section 2725 of title 18, United States Code) collected, processed, sold, or disclosed under section 2721 of title 18, United States Code.

(K) Personally identifiable information and personally identifiable data regulated in accordance with section 444 of the General Education Provisions Act (commonly known as the Family Educational Rights and Privacy Act of 1974) (20 U.S.C. 1232g).

(L) Personal data collected, processed, sold, or disclosed as a result of an activity authorized under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.).

(M) Nonpublic personal information (as such term is defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)).

(N) Any information that originates from, is intermingled with, or is treated in the same manner as information described in subparagraphs (A) through (M) that is maintained by the following:

(i) A covered entity or business associate.

(ii) A program or a qualified service organization (as such terms are defined in section 2.11 of title 42, Code of Federal Regulations).

Nothing in this Act may be construed to relieve or change an obligation that a controller or processor may have under any of the following:

(1) The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq).

(2) Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).

(3) Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.).

(4) Subtitle D of the HITECH Act (42 U.S.C. 17921 et seq.).

(5) Any regulations promulgated under section 264(c) of HIPAA (42 U.S.C. 1320d–2 note).

(6) The requirements regarding the confidentiality of substance use disorder information under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2) or any regulation promulgated under such section.

(7) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(8) Section 444 of the General Education Provisions Act (commonly known as the Family Educational Rights and Privacy Act of 1974) (20 U.S.C. 1232g) and part 99 of title 34, Code of Federal Regulations (or any successor regulation), to the extent a controller or processor is an educational agency or institution (as such term is defined in 99.3 of such title (or any successor regulation)).

(9) The regulations related to the protection of human subjects under part 46 of title 45, Code of Federal Regulations.

(10) The Health Care Quality Improvement Act of 1986 (42 U.S.C. 11101 et seq.).

(11) Part C of title IX of the Public Health Service Act (42 U.S.C. 299b–21 et seq.).

(12) Chapter 123 of title 18, United States Code.

Except as provided in paragraph (2), the Communications Act of 1934 (47 U.S.C. 151 et seq.), and any regulation promulgated by the Federal Communications Commission pursuant to such Act, shall not apply to a controller or processor with respect to the collection, use, processing, transferring, or security of personal data.

Paragraph (1) does not apply to the extent a regulation or order pertains solely to emergency services.

Section 2710 of title 18, United States Code, is repealed.