II
116TH CONGRESS
2D SESSION
S. 3456
To protect the privacy of consumers.
IN THE SENATE OF THE UNITED STATES
MARCH 12, 2020
Mr. MORAN introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
A BILL
To protect the privacy of consumers.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE.—This Act may be cited as the ‘‘Consumer Data Privacy and Security Act of 2020’’.
(b) TABLE OF CONTENTS.—The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Collection and processing of personal data.
Sec. 4. Right to know.
Sec. 5. Individual control.
Sec. 6. Security.
Sec. 7. Accountability.
Sec. 8. Rules relating to service providers.
Sec. 9. Enforcement.
Sec. 10. Relation to other laws.
VerDate Sep 11 2014
01:12 Mar 23, 2020
Jkt 099200
PO 00000
Frm 00001
Fmt 6652
Sfmt 6211
E:\BILLS\S3456.IS
S3456
kjohnson on DSK79L0C42PROD with BILLS
Sec. 11. Commission resources.
Sec. 12. Guidance and reporting.
Sec. 13. Severability.
Sec. 14. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) BIOMETRIC INFORMATION.—The term ‘‘biometric information’’ means information, resulting from specific technical processing related to the physical, biological, physiological, genetic, or behavioral characteristics of an individual, that identifies the individual.
(2) COLLECTION.—The term ‘‘collection’’ means acquiring personal data by any means, including by receiving, purchasing, or leasing the data or by observing or interacting with the individual to whom the data relates.
(3) COMMISSION.—The term ‘‘Commission’’ means the Federal Trade Commission.
(4) COVERED ENTITY.—
(A) IN GENERAL.—The term ‘‘covered entity’’ means any entity that—
(i) alone, or jointly with others, determines the purpose and means of collecting or processing personal data; and
(ii) is—
(I) a person over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2));
(II) a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto; or
(III) a nonprofit organization, including any organization that is not organized to carry on business for its own profit or that of its members.
(B) LIMITATION.—An entity shall not be considered to be a covered entity with respect to personal data to the extent that the entity is a service provider with respect to such data.
(5) DE-IDENTIFY.—The term ‘‘de-identify’’ means, with respect to personal data held by a covered entity or service provider, that the covered entity or service provider—
(A) alters, anonymizes, or aggregates the data so that there is a reasonable basis for expecting that the data could not be linked (including by the entity or service provider) as a practical matter to a specific individual;
(B) publicly commits to refrain from attempting to re-identify the data with a specific individual, and adopts controls to prevent such identification; and
(C) causes the data to be covered by a contractual or other legally enforceable prohibition on each entity to which the covered entity or service provider discloses the data from attempting to use the data to identify a specific individual and requires the same of all onward disclosures.
(6) DELETE.—The term ‘‘delete’’ means to remove or destroy information such that the information is not able to be retrieved in the ordinary course of business.
(7) INDIVIDUAL.—The term ‘‘individual’’ means a natural person residing in the United States.
(8) MATERIAL CHANGE.—The term ‘‘material change’’ means a change to a policy or practice of a covered entity or service provider that—
(A) relates to the collection or processing of personal data by the covered entity or service provider;
(B) is likely to affect the conduct or decision of a reasonable individual with respect to any personal data of the individual that is subject to such policy or practice; and
(C) in the case of a service provider, is made at the direction of the covered entity on whose behalf the service provider is performing a service or function.
(9) PERSONAL DATA.—
(A) IN GENERAL.—The term ‘‘personal data’’ means information that identifies or is linked or reasonably linkable to a specific individual.
(B) LINKED OR REASONABLY LINKABLE.—
(i) IN GENERAL.—For purposes of subparagraph (A), information held by a covered entity or service provider is linked or reasonably linkable to a specific individual if it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity or service provider to identify the individual.
(ii) APPLICATION TO DEVICE-LEVEL IDENTIFIERS.—A persistent identifier that is used to identify a specific individual over time and across services and platforms, including a customer number held in a cookie, a static Internet Protocol (IP) address, a processor or device serial number, or another unique device identifier, shall be considered information that is linked or reasonably linkable to the individual for purposes of subparagraph (A).
(C) EXCLUSION.—The term ‘‘personal data’’ does not include—
(i) de-identified data;
(ii) data that has been rendered unreadable or indecipherable;
(iii) information about employees or employment status collected or used by an employer pursuant to an employer-employee relationship, including information related to prospective employees and relevant application materials;
(iv) publicly available information;
(v) data that has undergone pseudonymization; or
(vi) employee data.
(D) EMPLOYEE DATA.—For purposes of subparagraph (C), the term ‘‘employee data’’ means information collected by a covered entity or the service provider of a covered entity that is—
(i) contact information for an individual or the individual’s emergency contact that is collected in the course of the individual’s employment or application for employment (including on a contract or temporary basis) with the covered entity, provided that such information is retained or processed by the covered entity or service provider solely for purposes related to the individual’s employment or application for employment with the covered entity; or
(ii) information about an individual who is an employee or former employee of the covered entity (or a relative of such an individual) that is necessary to administer benefits to which such individual or relative is entitled on the basis of the individual’s employment with the covered entity, provided that such data is retained or processed by the covered entity or service provider solely for the purpose of administering such benefits.
(10) PSEUDONYMIZATION.—The term ‘‘pseudonymization’’ means the processing of personal data so that the personal data can no longer be attributed or reasonably linked to a specific individual without the use of additional information, provided that such additional information—
(A) is kept separately; and
(B) is subject to technical and organizational measures to ensure that the personal data is not attributed to a specific individual.
(11) PRIVACY OFFICER.—The term ‘‘privacy officer’’ means an individual designated by a covered entity or service provider under section 7(b)(1) to be the privacy officer of the covered entity.
(12) PROCESSING.—The term ‘‘processing’’ means any operation or set of operations performed on personal data, including the analysis, organization, structuring, retaining, using, disclosing, transmitting, sharing, transferring, selling, licensing, or otherwise handling of personal data.
(13) PUBLICLY AVAILABLE INFORMATION.—
(A) IN GENERAL.—The term ‘‘publicly available information’’ means any information that a covered entity or service provider has a reasonable basis to believe is lawfully made available to the general public from—
(i) a Federal, State, or local government record;
(ii) widely distributed media; or
(iii) a disclosure to the general public that is made voluntarily by an individual, or required to be made by a Federal, State, or local law.
(B) REASONABLE BASIS TO BELIEVE.—For purposes of subparagraph (A), reasonable bases for believing that information is lawfully made available to the general public shall include a written determination by a covered entity or service provider that the information is of a type that is lawfully made available to the general public.
(14) SENSITIVE PERSONAL DATA.—The term ‘‘sensitive personal data’’ means personal data that is—
(A) a unique, government-issued identifier, such as a social security number, passport number, driver’s license number, or taxpayer identification number;
(B) a user name or email address in combination with a password or security question and answer that would permit access to an online account;
(C) biometric information of an individual;
(D) the content of a wire communication, oral communication, or electronic communication, as those terms are defined in section 2510 of title 18, United States Code, to which the individual is a party, unless the covered entity is the intended recipient of the communication;
(E) information that relates to—
(i) the past, present, or future diagnosed physical or mental health or condition of an individual;
(ii) the provision of health care to an individual; or
(iii) the past, present, or future payment for the provision of health care to an individual;
(F) a financial account number, debit card number, credit card number, if combined with an access code, password, or credentials that provide access to such an account;
(G) the race or ethnicity of the individual;
(H) the religious beliefs or affiliation of the individual;
(I) the sexual orientation of the individual;
(J) the precise geolocation of an individual that is technically derived and that is capable of determining with reasonable specificity the past or present actual physical location of the individual more precisely than a zip code, street, or town or city level; or
(K) such other specific categories of personal data as the Commission may define by rule issued in accordance with section 553 of title 5, United States Code, the collection or processing of which could lead to reasonably foreseeable harm to an individual.
(15) SERVICE PROVIDER.—The term ‘‘service provider’’ means an entity that collects or processes personal data on behalf of, and at the direction of, a covered entity to which the service provider is unaffiliated, but only—
(A) with respect to the personal data collected or processed on the behalf of, and at the direction of, such covered entity; and
(B) to the extent that the collection or processing—
(i) is on the behalf of, and at the direction of, such covered entity; or
(ii) is permitted under section 3(c).
(16) SMALL BUSINESS.—The term ‘‘small business’’ means any covered entity or service provider that—
(A) for the most recent 6-month period—
(i) employs not more than 500 employees; and
(ii) maintains less than $50,000,000 in average gross receipts for the previous 3 years; and
(B) collects or processes on an annual basis—
(i) the personal data of fewer than 1,000,000 individuals; or
(ii) the sensitive personal data of fewer than 100,000 individuals.
(17) THIRD PARTY.—
(A) IN GENERAL.—The term ‘‘third party’’ means a covered entity that receives third party personal data from an unaffiliated covered entity, but only with respect to such third party personal data.
(B) THIRD PARTY PERSONAL DATA.—For purposes of subparagraph (A), the term ‘‘third party personal data’’ means personal data that a covered entity discloses to another unaffiliated covered entity and such disclosure—
(i) is not directed by the individual to whom the personal data relates; and
(ii) is not necessary to complete a transaction or fulfill a request made by the individual to whom such data relates.
(18) UNAFFILIATED.—The term ‘‘unaffiliated’’ means, with
[Text truncated for display. Full text available on Congress.gov.]