(a) Short title.—This Act may be cited as the “Online Privacy Act of 2019”.

(b) Table of contents.—The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Prohibition on waivers.
Sec. 4. Effective date.
Sec. 5. Journalism protection.
Sec. 6. Small business compliance ramp.
Sec. 7. Criminal prohibition on disclosing personal information.
Sec. 8. Limitation on disclosing nonredacted government records.

In this Act:

(1) AGENCY.—The term “Agency” means the United States Digital Privacy Agency established by section 301.

(2) BEHAVIORAL PERSONALIZATION.—

(A) IN GENERAL.—The term “behavioral personalization” means the processing of an individual’s personal information, using an algorithm, model, or other means built using that individual’s personal information collected over a period of time, or an aggregate of the personal information of one or more similarly situated individuals and designed to—

(i) alter, influence, guide, or predict an individual’s behavior;

(ii) tailor or personalize a product or service; or

(iii) filter, sort, limit, promote, display or otherwise differentiate between specific content or categories of content that would otherwise be accessible to the individual.

(B) EXCLUSIONS.—The term “behavioral personalization” does not include the use of historical personal information to merely prevent the display of or provide additional information about previously accessed content.

(3) COLLECT.—The term “collect” includes, with respect to personal information or contents of communication, obtaining such information in any manner, except when solely transmitting, routing, providing intermediate storage for, or providing connections for personal information through a system or network.

(4) CONTENTS.—The term “contents”, when used with respect to communication, has the meaning given such term in section 2510 of title 18, United States Code.

(5) COVERED ENTITY.—

(A) IN GENERAL.—The term “covered entity” means a person who—

(i) intentionally collects, processes, or maintains personal information; and

(ii) sends or receives such personal information over the internet or a similar communications network.

(B) EXCLUSION.—The term “covered entity” does not include a natural person, except to the extent such person is engaged in a commercial activity that is more than de minimis.

(6) DATA BREACH.—The term “data breach” means unauthorized access to or acquisition of personal information or contents of communications maintained by such covered entity.

(7) DATA SHARING ABUSE.—The term “data sharing abuse” means processing, by a third party, of personal information or contents of communications disclosed by a covered entity to the third party, for any purpose other than—

(A) a purpose specified by the covered entity to the third party at the time of disclosure; or

(B) a purpose to which the individual to whom the information relates has consented.

(8) DE-Identified.—

(A) IN GENERAL.—The term “de-identified” means information that cannot reasonably identify, relate to, describe, reference, be capable of being associated with, or be linked, directly or indirectly, to a particular individual or device, provided that a business that uses de-identified information—

(i) has de-identified the personal information using best practices for the types of data the information contains;

(ii) has implemented technical safeguards that prohibit re-identification of the individual with whom the information was linked;

(iii) has implemented business processes that specifically prohibit re-identification of the information;

(iv) has implemented business processes to prevent inadvertent release of de-identified information; and

(v) makes no attempt to re-identify the information.

(B) The Director may determine that a methodology of de-identifying personal information is insufficient for the purposes of this definition.

(9) DIRECTOR.—The term “Director” means the Director of the Agency.

(10) DISCLOSE.—The term “disclose” means, with respect to personal information or contents of communication, to sell, release, transfer, share, disseminate, make available, or otherwise cause to be communicated such information to a third party.

(11) INDIVIDUAL.—The term “individual” means a natural person residing in the United States.

(12) MAINTAIN.—The term “maintain” means, with respect to personal information or contents of communication, to store, secure, or otherwise cause the retaining of such information, or taking actions necessary for such purposes.

(13) PERSONAL INFORMATION.—

(A) IN GENERAL.—The term “personal information” means any information maintained by a covered entity that is linked or reasonably linkable to a specific individual or a specific device, including de-identified personal information and the means to behavioral personalization created for or linked to a specific individual.

(B) EXCLUSIONS.—The term “personal information” does not include—

(i) publicly available information related to an individual; or

(ii) information derived or inferred from personal information, if the derived or inferred information is not linked or reasonably linkable to a specific individual.

(14) PRIVACY HARM.—The term “privacy harm” means adverse consequences or potential adverse consequences to an individual or society arising from the collection, processing, maintenance, or disclosure of personal information, including—

(A) direct or indirect financial loss or economic harm;

(B) physical harm;

(C) psychological harm, including anxiety, embarrassment, fear, and other demonstrable mental trauma;

(D) adverse outcomes or decisions with respect to the eligibility of an individual for rights, benefits, or privileges in employment (including hiring, firing, promotion, demotion, and compensation), credit and insurance (including denial of an application or obtaining less favorable terms), housing, education, professional certification, or the provision of health care and related services;

(E) stigmatization or reputational harm;

(F) price discrimination;

(G) other adverse consequences that affect the private life of an individual, including private family matters and actions and communications within the home of such individual or a similar physical, online, or digital location where such individual has a reasonable expectation that personal information will not be collected, processed, or retained;

(H) chilling of free expression or action of an individual, group of individuals, or society generally, due to perceived or actual pervasive and excessive collection, processing, disclosure, or maintenance of personal information by a covered entity;

(I) impairing the autonomy of an individual, group of individuals, or society generally; and

(J) other adverse consequences or potential adverse consequences, consistent with the provisions of this Act, as determined by the Director.

(15) PRIVACY PRESERVING COMPUTING.—

(A) IN GENERAL.—The term “privacy preserving computing” means—

(i) the collecting, processing, disclosing, or maintaining of personal information that has been encrypted or otherwise rendered unintelligible using a means that cannot be reversed by a covered entity, or a covered entity’s service provider, such that—

(I) if such personal information could be rendered intelligible through cooperation or sharing of cryptographic secrets by multiple persons, the covered entity has both technical safeguards and business processes to prevent such cooperation or sharing;

(II) if such personal information is rendered intelligible within a hardware processing unit or other means of performing operations on the information, there are technical safeguards that, during the normal course of operation—

(aa) prevent rendering personal information intelligible anywhere but within the hardware processing unit or other means of performing operations; and

(bb) make the exporting or otherwise observing of such intelligible information, or the cryptographic secret used to protect such information, impossible; and

(III) if the result of such processing of the personal information is also personal information, such result must be unintelligible to the covered entity or service provider and protected by privacy preserving computing.

(B) INSUFFICIENT METHODOLOGIES.—The Director may determine that a methodology of privacy preserving computing is insufficient for the purposes of this definition.

(16) PROCESS.—The term “process” means to perform or cause to be performed any operation or set of operations on personal information or contents of communication, whether or not by automated means.

(17) PROTECTED CLASS.—The term “protected class” means the actual or perceived race, color, ethnicity, national origin, religion, sex (including sexual orientation and gender identity), familial status, or disability of an individual or group of individuals.

(18) PUBLICLY AVAILABLE INFORMATION.—The term “publicly available information” means—

(A) information that is lawfully made available from Federal, State, or local government records;

(B) information about a public individual or official that is made publicly accessible, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible;

(C) information made publicly accessible by the individual to whom it pertains, without restrictions on accessibility other than the general authorization to access the services used to make the information accessible, and that such individual has the ability to delete or change without relying on a request under section 102 or 103 of this Act; and

(D) does not include—

(i) biometric information collected by a covered entity relating to an individual without the individual’s knowledge;

(ii) information used for a purpose that is not compatible with the purpose for which the information is maintained and made available in government records;

(iii) information obtained from government records for the purpose of selling such information; or

(iv) information used to contact or locate a private individual either physically or electronically.

(19) REASONABLE MECHANISM.—The term “reasonable mechanism” means, in the case of a mechanism for individuals to exercise a right under title I or interact with a covered entity under title II, that such mechanism—

(A) is equivalent in availability and ease of use to that of other mechanisms for communicating or interacting with the covered entity; and

(B) includes an online means of exercising such right or engaging in such interaction, if such individuals communicate or interact with such covered entity through an online medium or if such covered entity provides information processing services through a public or widely available application programming interface (or similar mechanism).

(20) SELL AND SALE.—

(A) IN GENERAL.—The terms “sell” and “sale” means the disclosure of personal information for monetary consideration by a covered entity to a third party for the purposes of processing, maintaining or disclosing such personal information at the third party’s discretion.

(B) EXCLUSIONS.—The terms “sell” and “sale” do not include—

(i) the disclosure of personal data to a third party with which the individual has a direct relationship for purposes of providing a product or service requested by the individual or otherwise in a manner that is consistent with an individual’s reasonable expectations considering the context in which the individual provided the personal information to the covered entity;

(ii) the disclosure or transfer of personal information to a subsidiary or an affiliate of the covered entity; or

(iii) the disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the covered entity’s assets, unless such assets are limited to personal information unless personal information makes up the majority of the value of such assets.

(21) SERVICE PROVIDER.—

(A) IN GENERAL.—The term “service provider” means a covered entity who—

(i) processes, discloses, or maintains personal information, where such person does not process, disclose, or maintain the personal information other than in accordance with the directions and on behalf of another covered entity;

(ii) does not directly collect personal information from or control the mechanism for collecting personal information from an individual;

(iii) does not earn revenue from processing, maintaining, or disclosing personal information disclosed to the service provider by a covered entity except by providing contracted services to another covered entity;

(iv) does not disclose personal information to another covered entity unless it was provided by that covered entity or resulted from maintaining or processing performed on personal information exclusively provide by that covered entity;

(v) does not offer services that allow another covered entity to target specific individuals using personal information not provided by that covered entity;

(vi) assists a covered entity on behalf of which it processes personal information to comply with title I, with respect to personal information processed or maintained by the service provider on behalf of the covered entity, including providing tools for such covered entities requirements under title I if requested; and

(vii) does not link the personal information provided by another covered entity to personal information from any other source.

(B) Any such person, and the personal information they disclose, process, or maintain, shall be treated as a service provider under this Act only to the extent that such person complies with the requirements under (A).

(22) SIGNIFICANT PRIVACY HARM.—The term “significant privacy harm” means adverse consequences to an individual arising from the collection, processing, maintenance, or disclosure of personal information, limited to subparagraph (A), (B), or (D) of paragraph (14).

(23) SMALL BUSINESS.—The term “small business” means a covered entity that—

(A) does not earn revenue from the sale of personal information;

(B) earns less than half of annual revenues from the processing of personal information for targeted or personalized advertising;

(C) has not, at any time during the preceding 6-month period, maintained personal information of 250,000 or more individuals;

(D) has fewer than 200 employees; and

(E) received less than $25,000,000 in gross revenue in the preceding 12-month period.

(24) STATE.—The term “State” means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.

(25) THIRD PARTY.—The term “third party” means, with respect to a covered entity, a person—

(A) to whom such covered entity disclosed personal information; and

(B) is not—

(i) such covered entity;

(ii) a subsidiary or corporate affiliate of such covered entity; or

(iii) a service provider of such covered entity.

(a) In general.—The provisions under this Act may not be waived. Any agreement purporting to waive compliance with or modify any provision of this Act shall be void as contrary to public policy.

(b) Prohibition on predispute arbitration agreements.—No predispute arbitration agreement shall be valid or enforceable with respect to any claims under this Act.

(a) In general.—This Act shall apply beginning on the date that is 1 year after the date of the enactment of this Act.

(b) Authority To promulgate regulations and take certain other actions.—Nothing in subsection (a) affects the authority to take an action expressly required by a provision of this Act to be taken before the effective date described in such subsection.

(a) In general.—Covered entities engaged in journalism shall not be subject to the obligations imposed under this Act to the extent that those obligations directly infringe on the journalism rather than the business practices of the covered entity, so long as, the covered entity has technical safeguards and business processes that prevent the collection, processing, maintaining, or disclosure of such personal information for business practices other than journalism.

(b) Journalism.—The term “journalism” includes the collecting, maintaining, processing, and disclosing of personal information about a public individual or official, or that otherwise concerns matters of public interest, for dissemination to the public.

Upon losing its status as a small business, a covered entity shall have nine months to comply with provisions of this Act that a small business is exempt from complying with.

Chapter 41 of title 18, United States Code, is amended by adding at the end the following:

shall be fined under this title or imprisoned not more than 5 years, or both.”.

(a) In general.—A Federal or State government entity may not use a channel of interstate commerce to disclose the personal information of an individual in a government record without an agreement prohibiting the recipient of such information from selling the information without the express consent of the individual for each disclosure.

(b) Exception.—Notwithstanding subsection (a), nothing in this section shall prohibit the disclosure of personal information using a channel of interstate commerce to another government entity without consent of the individual.

(a) In general.—A covered entity shall make available a reasonable mechanism by which an individual may access—

(1) the categories of personal information and contents of communications of such individual that is maintained by such covered entity, including, in the case of personal information that such covered entity did not collect from such individual, how and from whom such covered entity obtained such personal information;

(2) a list of the third parties, subsidiaries, and corporate affiliates, to which such covered entity has disclosed and from which such covered entity has, at any time on or after the effective date specified in section 4(a), obtained the personal information of such individual;

(3) a concise and clear description of the business or commercial purposes of such covered entity—

(A) for collecting, processing, or maintaining the personal information of such individual; and

(B) for disclosing to a third party the personal information of such individual; and

(4) a list of automated decision-making processes that an individual has a right to request human review of under section 105 with a concise and clear description of the implications and intended effects of such process.

(b) Exception for publicly accessibly information.—A covered entity that makes available information required in subsection (a) shall be considered in compliance with such requirements if the covered entity provides an individual instructions on how to access a public posting of such information, including in a privacy policy, if the instructions are easy and do not require payment.

(c) Small businesses excluded.—Subsection (a)(3) does not apply to a small business.

(a) Dispute by individual.—A covered entity shall make available a reasonable mechanism by which an individual may dispute the accuracy or completeness of personal information linked to such individual that is maintained by such covered entity if such information is processed in any way, by such covered entity, a third party of such covered entity, or a service provider of such covered entity that may increase reasonably foreseeable significant privacy harms.

(b) Correction by covered entity.—A covered entity receiving a dispute under subsection (a) shall—

(1) correct or complete (as the case may be) the disputed information and notify such individual that the correction or completion has been made; or

(2) notify such individual that—

(A) the disputed information is correct or complete;

(B) such covered entity lacks sufficient information to correct or complete the disputed information; or

(C) such covered entity is denying the request for correction or completion in reliance on an exemption or exception provided by section 109(g) (with the notification containing an identification of the specific exemption or exception relied upon).

(c) Small businesses excluded.—This section does not apply to a small business.

(a) Request by individual.—A covered entity shall make available a reasonable mechanism by which an individual may request the deletion of personal information and contents of communications of such individual maintained by such covered entity, including any such information that such covered entity acquired from a third party or inferred from other information maintained by such covered entity.

(b) Deletion by covered entity.—A covered entity receiving a request for deletion under subsection (a) shall—

(1) delete such information and notify such individual that such information has been deleted; or

(2) notify such individual that such covered entity is denying the request for deletion in reliance on an exemption or exception provided by section 109(g) (with the notification containing an identification of the specific exemption or exception relied upon).

(a) Determination of portable categories.—

(1) ANNUAL DETERMINATION.—Not less frequently than once per year, the Director shall—

(A) establish categories of products and services offered by covered entities, based on similarities in the products and services;

(B) determine which categories established under subparagraph (A) are portable categories; and

(C) publish in the Federal Register a list of portable categories determined under subparagraph (B).

(2) OPPORTUNITY FOR PUBLIC COMMENT.—Before publishing the final list under paragraph (1)(C), the Director shall—

(A) publish a draft of such list in the Federal Register; and

(B) provide for an opportunity for public comment on such draft list.

(b) Exercise of right.—

(1) IN GENERAL.—A covered entity that offers a product or service in a portable category shall make available to an individual whose personal information or contents of communications such entity maintains a reasonable mechanism by which such individual may—

(A) download, in a format that is structured, commonly used, and machine-readable—

(i) any personal information of such individual that such individual has provided to such covered entity, with the option to download such information by category that is accessible under section 101 of this Act; and

(ii) any contents of communications; and

(B) using a real-time application programming interface, or similar mechanism, transmit all personal information and contents of communications of or related to such individual (whether or not provided to such covered entity by such individual) from such covered entity to another covered entity in accordance with subsection (c).

(2) REQUIREMENTS FOR APPLICATION PROGRAMMING INTERFACE.—The application programming interface, or similar mechanism, required by paragraph (1)(B) shall—

(A) be publicly documented;

(B) allow the option of data to be obtained by category that is accessible under section 101;

(C) include a publicly available, fully functional test version for development purposes; and

(D) be of similar quality to mechanisms used internally by the covered entity.

(c) Requirements for access to Application programming interface.—

(1) ACCESS.—A covered entity shall provide access to the application programming interface or similar mechanism required by subsection (b)(1)(B) upon the request of another covered entity if the requesting covered entity has self-certified, using the procedures established by the Director under paragraph (3)(A), that such requesting covered entity—

(A) is a covered entity;

(B) can have personal information disclosed to it under section 205 of this Act;

(C) is, at the time of the self-certification, in compliance with all requirements of this Act (including provisions a small business is otherwise exempt from complying with);

(D) will continue to comply with all requirements of this Act; and

(E) will only use such application programming interface or similar mechanism at the express request of an individual.

(2) DENIAL OF ACCESS.—

(A) IN GENERAL.—A covered entity may deny access to the application programming interface or similar mechanism required by subsection (b)(1)(B) if such covered entity has an objective, reasonable belief that the requesting covered entity has failed to meet the requirements for self-certification under paragraph (1).

(B) REVIEW.—In accordance with the procedures established under paragraph (3)(B), a covered entity the request of which is denied under subparagraph (A) may petition the Director for review of the denial. If the Director finds that such denial is unreasonable, the Director may impose a penalty, to be established in such procedures, on the covered entity that denied the request.

(3) CERTIFICATION AND REVIEW PROCEDURES.—The Director shall establish—

(A) procedures for a covered entity to self-certify under paragraph (1); and

(B) procedures for the review of petitions under paragraph (2)(B), including penalties for unreasonable denials.

(d) Small businesses excluded.—This section does not apply to a small business.

(e) Definitions.—In this section:

(1) PORTABLE CATEGORY.—The term “portable category” means a category of products and services established by the Director under subsection (a)(1)(A)—

(A) for which the sum obtained by adding the number of users or estimated users of each product or service in such category is greater than 10,000,000; and

(B) that—

(i) has an estimated Herfindahl-Hirschman Index of 2,000 or greater;

(ii) the total number of covered entities offering products and services in such category is 3 or less; or

(iii) the Director otherwise determines that a category would benefit from encouraging increased competition.

(2) USERS.—The term “users” means, with respect to a product or service, the monthly active users, subscribers, or customers (or a reasonable proxy or substitute therefor determined by the Director) of such product or service.

For any decision by a covered entity based solely on automated processing of personal information of an individual, if such processing increases reasonably foreseeable significant privacy harms for such individual, such covered entity shall—

(1) inform such individual of what personal information is or may be used for such decision;

(2) make available a reasonable mechanism by which such individual may request human review of such decision; and

(3) if such individual requests such a review, conduct such review within a reasonable amount of time after such request.

(a) In general.—A covered entity shall not collect, process, maintain, or disclose an individual’s personal information to:

(1) create, improve upon, or maintain;

(2) process with; or

(3) otherwise link an individual with;

an algorithm, model, or other means designed for behavioral personalization, without the affirmative express consent of that individual.

(b) Consent.—A covered entity must obtain express affirmative consent from an individual before it may provide a behaviorally personalized version of a product or service. Where consent is denied, a covered entity must provide the product or service without behavioral personalization.

(c) Exceptions to providing product or service.—

(1) Where the offering of a substantially similar product or service without behavioral personalization is infeasible, a covered entity shall provide, to the greatest extent feasible, a core aspect or part of the product or service that can be offered without behavioral personalization.

(2) Where no core aspect or part of the product or service can function in a substantially similar function without behavioral personalization, a covered entity may deny providing an individual use of such product or service if such individual does not consent to behavioral personalization as required in subsection (a).

(d) Exception to behavioral processing.—Notwithstanding subsections (a) and (b), a covered entity may create or process using behavioral personalization algorithms, models, or other mechanisms for the purpose of increasing the usability of the product or service provided by a covered entity that—

(1) are built using aggregated personal information that is representative of all the personal information the covered entity maintains; and

(2) have an output that is both uniform across the individuals that use the product or service and independent of a specific individual’s inherent or behavioral characteristics.

(e) Usability.—The term “usability” as used in subsection (d) does not include optimizations or other alterations to the product or service that are made with the primary purpose of increasing the amount of time an individual engages with or uses the product or service, unless such increase benefits the individual

(f) Small businesses excluded.—This section does not apply to a small business.

A covered entity that collects personal information of an individual with whom such covered entity does not have an existing relationship (as of the time of the collection), if such personal information includes contact information, shall notify such individual within 30 days, in writing if possible and at no charge to the individual, that such covered entity has collected the personal information of such individual.

(a) Limitation on maintenance of personal information.—A covered entity shall not maintain personal information for more time than expressly consented to by an individual whose personal information is being maintained.

(b) Consent.—A covered entity must obtain express affirmative consent from an individual before maintaining the personal information of such individual for any duration. Such consent may be obtained for categories of personal information and shall give an individual options to affirmatively choose granting a covered entity consent for various durations, at least including—

(1) for no longer than needed to complete the specific request or transaction (including a reasonable estimate of such duration by the covered entity);

(2) until consent is revoked; and

(3) one or more additional durations based on reasonable expectations and norms for the maintenance of the category of personal information being maintained.

(c) Exception for implied consent.—Where the long-term maintenance of personal information is, on its face, obvious and a core feature of the product or service at the request of the individual, and the personal information is maintained only to provide such product or service, subsections (a) and (b) shall not apply.

(a) Exemptions for personal information for particular purposes.—

(1) IN GENERAL.—This title does not apply with respect to personal information that is collected, processed, maintained, or disclosed for any of the following purposes (or a combination of such purposes), where a covered entity has technical safeguards and business processes that limit the collection, processing, maintaining, or disclosure of such personal information to the following purposes:

(A) Detecting, responding to, or preventing security incidents or threats.

(B) Protecting against malicious, deceptive, fraudulent, or illegal activity.

(C) Complying with specific law enforcement requests or court orders.

(D) Protecting a legally recognized privilege or other legal right.

(E) Protecting public safety.

(F) Collection, processing, or maintenance by an employer pursuant to an employer-employee relationship of records about employees or employment status, except—

(i) where the information would not be reasonably expected to be collected in the context of an employee’s regular duties; or

(ii) was disclosed to the employer by a third party.

(G) Preventing prospective abuses of a service by an individual whose account has been previously terminated.

(H) Routing a communication through a communications network or resolving the location of a host or client on a communications network.

(I) Providing transparency in advertising or origination of user generated content.

(2) REIDENTIFICATION.—Where compliance with this title would require the reidentification of de-identified personal information, and the covered entity does not already maintain the information necessary for such reidentification, the covered entity shall be exempt from such compliance, except for with section 106.

(3) DISCLOSURE.—A covered entity relying on an exemption under paragraph (1) with respect to personal information shall disclose in the privacy policy maintained by such entity under section 213—

(A) the reason for which such information is collected, processed, maintained, or disclosed; and

(B) a description of the rights provided by this title that are not available with respect to such personal information by reason of such exemption.

(b) Exceptions for particular requests.—

(1) IN GENERAL.—A covered entity may deny the request of an individual under this title if—

(A) such covered entity cannot confirm the identity of such individual;

(B) such covered entity determines that granting the request of such individual would create a legitimate risk to the privacy, security, safety, or other rights of another individual;

(C) such covered entity determines that granting the request of such individual would create a legitimate risk to free expression; or

(D) the personal information requested to be corrected under section 102 or deleted under section 103—

(i) is necessary to the completion of a transaction initiated before such request was made or the performance of a contract entered into before such request was made;

(ii) was collected specifically for the completion of such transaction or the performance of such contract; and

(iii) would undermine the integrity of a legally significant transaction.

(2) LIMITATIONS ON REQUESTS FOR ADDITIONAL INFORMATION TO CONFIRM IDENTITY.—A covered entity may not deny a request of an individual under paragraph (1)(A) on the basis of the refusal of such individual to provide additional personal information to such covered entity to confirm the identity of such individual—

(A) if the identity of such individual can reasonably be confirmed using personal information of such individual that such covered entity (as of the time of the request) already maintains; or

(B) if such individual has an existing relationship (as of the time of the request) with such covered entity, such individual has confirmed the identity of such individual to such covered entity in the same manner as for other transactions of a similar sensitivity.

(c) Exemption for service providers.—This title does not apply to a service provider.

(d) Exemption for privacy preserving computing.—Except for sections 101, 105, 106, and 109, this title does not apply to personal information secured using privacy preserving computing.

(e) Timeline for complying with a request.—Without undue delay but not longer than 30 days after the request, a covered that receives a request under this title must—

(1) comply with such request; or

(2) inform such individual of the reason for denying such request, as allowed under subsections (a) or (b) of this section.

(f) Fees prohibited.—

(1) IN GENERAL.—Except as provided in paragraph (2), a covered entity may not charge a fee to an individual for a request made under this title.

(2) UNFOUNDED OR EXCESSIVE REQUESTS.—If a request under this title is unfounded or excessive, a covered entity may charge a reasonable fee that reflects the estimated administrative costs of complying with such request.

(3) AGENCY NOTICE.—If a covered entity plans to charge fee under paragraph (2), it must notify the Agency at least 7 days before charging such fee.

(4) AGENCY REVIEW.—The Director may reject any fee that a covered entity plans to charge for a request made under this title if the Agency finds—

(A) such fee to be unreasonable relative to reasonable administrative costs of complying with a request under this title; or

(B) such request is not unfounded or excessive.

(g) Rules of construction.—Nothing in this title shall be construed to require a covered entity to—

(1) take an action that would convert information that is not personal information into personal information;

(2) collect or maintain personal information or contents of communication that the covered entity would otherwise not maintain; or

(3) maintain personal information or contents of communication longer than the covered entity would otherwise maintain such personal information.

(h) Regulations.—The Director shall promulgate regulations to implement this section.

(a) Articulated basis.—A covered entity shall have a reasonable, articulated basis for the collection, processing, disclosure, and maintenance of personal information that takes into account the reasonable business needs of the covered entity and minimum amount of personal information necessary for providing the service, balanced with the intrusion on the privacy of, potential privacy harms to, and reasonable expectations of individuals to whom the personal information relates.

(b) Minimization of collection, processing, disclosure, and maintenance.—

(1) COLLECTION.—A covered entity may not collect more personal information than is reasonably needed to provide a product or service that an individual has requested.

(2) PROCESSING.—A covered entity may not process personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.

(3) DISCLOSURE.—A covered entity may not disclose personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.

(4) MAINTENANCE.—A covered entity may not maintain personal information once such information is no longer needed for the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.

(c) Ancillary collection, processing, disclosure, and maintenance.—Notwithstanding subsection (b), a covered entity may engage in collection, processing, disclosure, or maintenance of personal information beyond limitations under subsection (b) only if such covered entity complies with this subsection.

(1) NO NOTICE OR CONSENT REQUIRED.—A covered entity may engage in collection, processing, or maintenance of personal information without additional notice or consent if the purpose for such collection, processing, or maintenance is substantially similar to the type of personal information and purpose for which such personal information was originally collected and such ancillary collection, processing, or maintenance will not result in additional or increased privacy harms.

(2) NOTICE REQUIRED.—A covered entity shall provide notice of ancillary collection, processing, disclosure or maintenance of personal information in the case of one, but not more than one, of the following:

(A) Such ancillary collection, processing, disclosure, or maintenance may result in additional or increased privacy harms (but not increased significant privacy harms), and is substantially similar to the purpose for which such personal information was originally collected.

(B) The purpose for such ancillary collection, processing, disclosure, or maintenance is not substantially similar to the purpose for which such personal information was originally collected, but will not result in additional or increased privacy harms.

(C) Such ancillary collection, processing, disclosure, or maintenance may result in additional or increased privacy harms (but not increased significant privacy harms) and the purpose is not substantially similar to the purpose for which such personal information was originally collected, so long as, the personal information is secured using privacy preserving computing.

(3) NOTICE AND CONSENT REQUIRED.—For scenarios not covered under paragraph (1) or (2), and notwithstanding section 212(b)(2) and (3), a covered entity shall provide notice of and obtain consent for ancillary collection, processing, disclosure or maintenance of personal information.

(d) Substitution.—In cases in which personal information can be replaced with artificial personal information, personal information that has been de-identified, or the random personal information of a one or more individuals without substantially reducing the utility of the data or requiring an unreasonable amount of effort, such a replacement shall take place.

(a) Minimization.—A covered entity shall restrict access to personal information and contents of communications by the employees or contractors of such covered entity based on an articulated balance between the potential for privacy harm, reasonable expectations of individuals to whom the personal information relates, and reasonable business needs.

(b) Records of access.—

(1) IN GENERAL.—A covered entity shall maintain records identifying each instance in which an employee or a contractor of such covered entity accesses personal information or contents of communications if disclosure of, or a data breach or data sharing abuse involving, such personal information or contents may foreseeably result in increased privacy harms.

(2) INFORMATION REQUIRED.—The records required by paragraph (1) shall include the following:

(A) A unique identifier for the employee or contractor accessing personal information or contents of communications.

(B) The date and time of access.

(C) The fields of information accessed.

(D) The individuals whose personal information was accessed or the contents of whose communications were accessed.

(3) SMALL BUSINESSES EXCLUDED.—This subsection does not apply to a small business.

A covered entity may not collect or maintain personal information using a channel of interstate commerce unless such covered entity is in compliance with all requirements of this Act.

(a) Consent for disclosure required.—

(1) IN GENERAL.—A covered entity may not intentionally disclose personal information unless the covered entity obtains consent of the individual whose personal information is being disclosed for each category of third party to which such personal information will be disclosed. Such covered entity must also provide such individual with notice of—

(A) each category of third party;

(B) the personal information to be disclosed; and

(C) a concise and clear description of the business or commercial purpose for such disclosure.

(2) ADDITIONAL REQUIREMENTS FOR SALE OF PERSONAL INFORMATION.—

(A) IN GENERAL.—A covered entity may not intentionally sell personal information unless the covered entity—

(i) obtains the consent required by paragraph (1) for each individual disclosure of such person information; and

(ii) and provides the individual to whom such personal information relates with the identity of the specific third party to which such personal information will be disclosed.

(B) DISCLOSURE SERVICES.—Subparagraph (A) shall not apply to a covered entity in a case in which an individual is directing the covered entity to disclose the personal information of such individual for the sole purpose of procuring goods or services, or offers for goods or services, for such individual, if there is a reasonable mechanism for the individual to withdraw consent.

(3) REQUIREMENT TO INCLUDE ORIGINAL PURPOSE OF COLLECTION.—A covered entity may not intentionally disclose personal information without including the purpose for which the personal information was originally collected.

(4) EXCEPTION FOR PRIVACY PRESERVING COMPUTING.—Notwithstanding paragraph (1), consent is not required for a disclosure (not including sale) of personal information secured using privacy preserving computing.

(5) EXCEPTION FOR DE-IDENTIFIED PERSONAL INFORMATION.—Notwithstanding paragraph (1), consent is not required for a disclosure (not including sale) of de-identified personal information where the disclosed personal information is limited to the narrowest possible scope likely to yield the intended benefit and contractual obligations are in place that prohibit—

(A) re-identification of the disclosed personal information; and

(B) the processing of additional personal information in combination with the disclosed personal information that would allow for the reidentification of the disclosed personal information.

(b) Disclosure for advertising or marketing purposes.—

(1) IN GENERAL.—A covered entity may not intentionally disclose for advertising or marketing purposes a unique identifier or any other personal information that would allow the disclosure of such information to be linked to past or future disclosures of information relating to the same individual or device.

(2) TREATMENT OF CERTAIN TYPES OF INFORMATION.—A disclosure for advertising or marketing purposes may not be treated as violating subparagraph (1) by reason of including any or all of the following:

(A) Internet Protocol addresses truncated to no more than the first 24 bits for Internet Protocol version 4 and the first 48 bits for Internet Protocol version 6, or for a successor protocol truncated to limit the precision of the identifier to a network address of the internet access provider.

(B) Geolocation information truncated to allow no more than the equivalent of two decimal degrees of precision at the equator or prime meridian, or an equivalent precision in another geolocation standard.

(C) A general description of a device, browser, or operating system, or any combination thereof.

(D) An identifier that is unique for each disclosure.

(a) Prohibition.—A covered entity may not intentionally disclose personal information to any entity that—

(1) is not subject to the jurisdiction of the United States; or

(2) is not in compliance with all requirements of this Act.

(b) Exception.—Notwithstanding subsection (a), a covered entity may disclose personal information where that personal information is limited to an identifier created primarily for the purpose of sending or receiving electronic communications and the sole purpose of the disclosure is to send or receive an electronic communication at the request of the individual whose personal information is being disclosed.

(c) Disclosure safe harbors.—Notwithstanding subsection (a), a covered entity may disclose personal information to another covered entity (the receiving covered entity) that is not subject to the jurisdiction of the United States if either—

(1) the receiving covered entity has entered into an agreement, as described in subsection (e), with the Agency, and—

(A) the covered entity has a reasonable belief that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act;

(B) a contract between the covered entity and receiving covered entity requires that the receiving covered entity complies with this Act, and the covered entity has reason to believe the receiving covered entity is compliant with this Act; and

(C) a contract between the covered entity and the receiving covered entity prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract; or

(2) the covered entity has—

(A) entered into an agreement with the receiving covered entity that—

(i) requires the receiving covered entity to comply with this Act;

(ii) prohibits the receiving covered entity from using the disclosed personal information for any purpose other than provided in the contract;

(iii) requires the receiving covered entity to indemnify the covered entity against violations of this Act committed by the receiving covered entity for any amount the covered entity is unable to pay of a judgment for such violation;

(iv) grants the covered entity the authority to audit, including physical access to electronic devices and data, the receiving covered entity’s compliance with this Act and the contract; and

(v) requires the receiving covered entity to assist the covered entity in responding to and complying with any court orders, Agency orders, or the exercising of an individual’s rights under this Act;

(B) actual knowledge that the receiving covered entity is in compliance with this Act and not using personal information contrary to their agreement;

(C) actual knowledge that the receiving covered entity is sufficiently solvent to compensate victims or pay fines for violations of this Act;

(D) an auditing and compliance program to ensure the receiving covered entity’s continued compliance with this Act and contract terms;

(E) filed with the Agency the terms of said contract, proof of its actual knowledge of the receiving covered entity’s compliance with this Act and contract terms, and documents detailing its auditing and compliance program for approval and publication by the Agency; and

(F) the covered entity has entered into an agreement with the Agency where it agrees to accept, respond to, or comply with a court order, agency order, or request by an individual regarding actions taken by the receiving covered entity with respect to the data it has disclosed.

(d) For the purposes of subsection (c)(2), the covered entity shall be jointly liable for a violation of this Act by the receiving covered entity regarding the data the covered entity disclosed, except where the covered entity was the first to notify the Agency of the violation, in which case, it shall be severally liable. Where the covered entity should reasonably have known of a violation of this Act by the receiving covered entity and fails to disclose the violation to the Agency, each day of continuance of the failure to report such violation shall be treated as a separate violation.

(e) Agency agreements.—Upon the request of a covered entity not subject to the jurisdiction of the United States, the Agency shall enter into an agreement with the covered entity that includes, but is not limited to, the following conditions:

(1) The principle place of business for the covered entity must be in a country that allows for the domestication of a United States court decision for civil fines payable to a government entity and injunctive relief. Where a foreign court refuses to enforce a United States court decision under this Act, the agreement, and all other agreements with covered entities with a principle place of business in the same jurisdiction, shall be void.

(2) The covered entity agrees to comply with this Act.

(3) The covered entity agrees to be subject to this Act with choice of venue being a United States court.

(4) The covered entity agrees to comply with Agency investigative requests or orders, and United States court orders or decisions under this Act.

(5) The covered entity consents to United States Federal court personal jurisdiction for the sole purpose of enforcing this Act.

(6) Where enforcement of the decision requires the use of a foreign court, the covered entity agrees to pay reasonable attorney fees necessary to enforce the judgment.

(7) A default judgment, failure to comply with Agency investigative requests or orders, or failure to comply with United States court orders or decisions shall result in the immediate termination of the agreement.

(f) Rule of construction against data localization.—Nothing in this section shall be construed to require the localization of processing or maintaining personal information by a covered entity to within the United State, or limit internal disclosure of personal information within a covered entity or to subsidiary or corporate affiliate of such covered entity, regardless of the country in which the covered entity will process, disclose, or maintain that personal information.

(a) In general.—Except as required under title I, a covered entity shall not use personal information collected from an individual, acquired from a third party, or acquired from a publicly available information to reidentify an individual from de-identified information.

(b) Third-Party prohibition.—A covered entity that discloses de-identified information to a third party shall prohibit such third party from reidentifying an individual using such de-identified information.

(c) Exception.—Subsection (a) shall not apply to qualified research entities, as determined by the Director, conducting research not for commercial purposes.

(a) In general.—A covered entity may not collect, process, maintain, or disclose the contents of any communication, regardless of whether the sender or intended recipient of the communication is an individual, other person, or an electronic device, for any purpose other than—

(1) transmission or display of the communication to any intended recipient or the original sender, or maintenance of such communications for such purposes;

(2) detecting, responding to, or preventing security incidents or threats;

(3) providing services to assist in the drafting or creation of the content of a communication;

(4) processing expressly requested by the sender or intended recipient, if the sender or intended recipient can terminate such processing using a reasonable mechanism;

(5) a disclosure otherwise required by law;

(6) the filtering of a communication where primary purpose of the communication is the commercial advertisement or promotion of a commercial product or service; or

(7) detecting or enforcing an abuse or violation of the service’s terms of service that would result in either a temporary or permanent ban from using the service.

(b) Intended recipient.—A covered entity is not considered an intended recipient of a communication, or any communication used in the creation of the content of said communication, where—

(1) at least one intended recipient is a natural person other than an employee or contractor of the covered entity;

(2) at least one intended recipient is a person other than the covered entity; or

(3) a purpose of the covered entity’s service is to maintain, at the direction of the sender, the content of said communication for more than a transitory period.

(c) Sender.—The sender of a communication is the person for whom the communication, and its content, is disclosed at the direction of and on behalf of.

(1) Where the sender is a natural person, they shall be the sender of the entire content of the communication, regardless of the original author of any portion of the content.

(2) Otherwise, a sender shall be the sender of only the content it was an original author of, or content it received as an intended recipient.

(d) Exception for publicly available communications.—Subsection (a) shall not apply where the contents of communication that are made publicly accessible by the sender without restrictions on accessibility other than the general authorization to access the services used to make the information accessible.

(e) Encryption protection.—A covered entity shall not—

(1) prohibit or prevent a person from encrypting or otherwise rendering unintelligible the content of a communication using a means that prevents the covered entity from being able to decrypt or otherwise render intelligible said content; and

(2) require or cause a person to disclose or circumvent the means described in paragraph (1) to the covered entity that would allow it to render the content intelligible.

(f) Service providers safe harbor.—A service provider shall not be held liable for a violation of this section if such service provider is acting at the direction of and on behalf of a covered entity and has a reasonable belief that the covered entity’s directions are in compliance with this section.

(a) Discrimination in economic opportunities.—A covered entity shall not process personal information or contents of communication for advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for employment, finance, healthcare, credit, insurance, housing, or education opportunities in a manner that discriminates against or otherwise makes opportunities unavailable on the basis of an individual’s protected class status.

(b) Public accommodations.—A covered entity shall not process personal information in a manner that segregates, discriminates in, or otherwise makes unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation on the basis of a person’s or a group’s protected class status.

(c) The Director shall promulgate regulations to implement this section.

(a) In general.—A covered entity may not collect, process, maintain, or disclose genetic information for any purpose other than—

(1) providing medical treatment or testing to the individual whose genetic information is being collected, processed, maintained, or disclosed;

(2) research and services related to medical, historical, or population uses of genetic information, if, in the case of disclosure of genetic information—

(A) such genetic information is only disclosed to qualified research entities, as determined by the Director;

(B) additional personal information disclosed with such genetic information is limited to the narrowest possible scope likely to yield the intended benefit; and

(C) the covered entity limits, through contractual obligations, additional types of personal information that can be processed with the disclosed genetic information and personal information.

(3) a purpose specified by the Director by regulation, taking into account the potential privacy harms and potential benefits of such collection, processing, maintenance, or disclosure; or

(4) to comply with a Federal criminal investigation request or order.

(b) Genetic information defined.—In this section, the term “genetic information” has the meaning given such term in section 201 of the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C. 2000ff).

(c) Service providers safe harbor.—A service provider shall not be held liable for a violation of this section if such service provider is acting at the direction of and on behalf of a covered entity and has a reasonable belief that is the covered entity’s directions are in compliance with this section.

(a) Minimum threshold.—The Director shall establish a minimum threshold that a covered entity must meet for the percentage of individuals who read and understand a notice or consent process or privacy policy required by this Act. In establishing such minimum thresholds, the Director shall take into account expectations of individuals, potential privacy harms, and individuals’ awareness of privacy harms.

(b) Consent revocation.—A covered entity shall make available a reasonable mechanism by which an individual may revoke consent for any consent given under this Act.

(c) Safe harbor.—

(1) APPROVAL PROCEDURES.—The Director shall develop procedures for analyzing and approving data submitted by a covered entity to establish that a notice and consent process or privacy policy of such covered entity meets the threshold established under subsection (a).

(2) PRESUMPTION.—If a covered entity submits testing data to and receives an approval from the Director under paragraph (1) establishing that a notice or consent process or privacy policy of such covered entity meets the threshold established under subsection (a), such notice or consent process or privacy policy shall be presumed to have met such threshold. Such presumption may be rebutted by clear and convincing evidence.

(3) PUBLIC AVAILABILITY OF APPROVED PROCESSES AND POLICIES AND ASSOCIATED TESTING DATA.—The Director shall make publicly available online the notice and consent processes and privacy policies and associated testing data that the Director approves under paragraph (1).

(4) SMALL BUSINESS ADOPTION OF NOTICE OR CONSENT PROCESS OF ANOTHER COVERED ENTITY.—

(A) IN GENERAL.—If a small business adopts a notice or consent process of another covered entity that collects, processes, maintains, or discloses personal information in substantially the same way as such small business, if the process of such other covered entity has been approved under paragraph (1), the process of such small business shall receive the presumption under paragraph (2).

(B) ABILITY TO FREELY USE APPROVED PROCESS.—A covered entity whose notice or consent process is approved under paragraph (1) shall permit a small business to freely use such process, or a derivative thereof, as described in subparagraph (A).

(C) NO PUBLISHED PROCESS.—In the case of a small business for which there is no approved notice or consent process published under paragraph (3) of a covered entity that collects, processes, maintains, or discloses personal information in substantially the same way as such small business, any requirement under this title for a notice or consent process to be objectively shown to meet the threshold established by the Director under subsection (a) shall not apply to such small business. Nothing in the preceding sentence exempts a small business from the requirement to use such notice or consent process or that such process be concise and clear.

(D) INAPPLICABILITY TO PRIVACY POLICY.—Paragraph (4) does not apply with respect to a privacy policy.

(5) MINOR CHANGES.—A covered entity may make minor changes in a notice or consent process or privacy policy approved under paragraph (1) and retain the presumption under paragraph (2) for such process or policy without retesting or resubmission of testing data to the Director.

In providing notice, obtaining consent, or maintaining a privacy policy as required by this title, a covered entity may not intentionally take any action that substantially impairs, obscures, or subverts the ability of an individual to—

(1) understand the contents of such notice or such privacy policy;

(2) understand the process for granting such consent;

(3) make a decision regarding whether to grant or withdraw such consent; or

(4) act on any such decision.

(a) Notice.—A covered entity shall provide an individual with notice of the personal information such covered entity collects, processes, maintains, and discloses through a process that is concise and clear and can be objectively shown to meet the threshold established by the Director under section 210(a).

(b) Consent.—

(1) EXPRESS CONSENT REQUIRED.—Except as provided in paragraphs (2) and (3), a covered entity may not collect from an individual personal information that creates or increases the risk of foreseeable privacy harms, or process or maintain any such personal information collected from an individual, unless such entity obtains the express consent of such individual to the collection, processing, or maintenance (or any combination thereof) of such information through a process that is concise and clear and can be objectively shown to meet the threshold established by the Director under section 210(a).

(2) EXCEPTION FOR IMPLIED CONSENT.—Notwithstanding paragraph (1), express consent is not required for collection, processing, or maintenance of personal information if the collection, processing, or maintenance is, on its face, obvious and necessary to provide a service at the request of the individual and the personal information is collected, processed, or maintained only for such request. Nothing in this paragraph shall be construed to exempt the covered entity from the requirement of subsection (a) to provide notice to such individual with respect to such collection, processing, or maintenance.

(3) EXEMPTION FOR PRIVACY PRESERVING COMPUTING.—Notwithstanding paragraph (1), except with regard to consent for purposes of section 106, express consent is not required for collection, processing, or maintenance of personal information secured using privacy preserving computing. Nothing in this paragraph shall be construed to exempt the covered entity from the requirement of subsection (a) to provide notice to such individual with respect to such collection, processing, or maintenance.

(c) Service providers excluded.—This section does not apply to a service provider if such service provider has a reasonable belief that a covered entity for which it processes, maintains, or discloses personal information is in compliance with this section.

(a) Policy required.—A covered entity shall maintain a privacy policy relating to the practices of such entity regarding the collection, processing, maintenance, and disclosure of personal information.

(b) Contents.—The privacy policy required by subsection (a) shall contain the following:

(1) A general description of the practices of the covered entity regarding the collection, processing, maintenance, and disclosure of personal information.

(2) A description of how individuals may exercise the rights provided by title I.

(3) A clear and concise summary of the following:

(A) The categories of personal information collected or otherwise obtained by the covered entity.

(B) The business or commercial purposes of the covered entity for collecting, processing, maintaining, or disclosing personal information.

(C) The categories and a list of third parties to which the covered entity discloses personal information.

(4) A description of the personal information that the covered entity maintains that the covered entity does not collect from individuals and how the covered entity obtains such personal information.

(5) A list of the third parties to which the covered entity has disclosed personal information.

(6) A list of the third parties from which the covered entity has obtained personal information at any time on or after the effective date specified in section 4(a).

(7) The articulated basis for the collection, processing, disclosure and maintenance of personal information, as required under section 201(a).

(c) Exemption for personal information for particular purposes.—The privacy policy required by subsection (a) is not required to contain information relating to personal information that is collected, processed, maintained, or disclosed exclusively for any of the purposes described in paragraph (1) of section 109(a) (or a combination of such purposes), except as provided in paragraph (2) of such section.

(d) Availability of privacy policy.—

(1) FORM AND MANNER.—The privacy policy required by subsection (a) shall be—

(A) clear and in plain language; and

(B) made publicly available in a prominent location on an ongoing basis.

(2) TIMING.—The privacy policy required by subsection (a) shall be made available as required by paragraph (1) before any collection of personal information by the covered entity that occurs after the effective date specified in section 4(a).

(e) Small businesses excluded.—Subsections (b)(7) and (d) do not apply to a small business.

(f) Service providers excluded.—This section does not apply to a service provider if such service provider has a reasonable belief that a covered entity for which it processes, maintains, or discloses personal information is in compliance with this section.

(a) In general.—A covered entity shall establish and implement reasonable information security policies, practices, and procedures for the protection of personal information collected, processed, maintained, or disclosed by such covered entity, taking into consideration—

(1) the nature, scope, and complexity of the activities engaged in by such covered entity;

(2) the sensitivity of any personal information at issue;

(3) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

(4) the cost of implementing such administrative, technical, and physical safeguards.

(b) Point of contact.—A covered entity shall identify an officer or other individual as the point of contact with responsibility for the management of information security.

(c) Specific policies, practices, and procedures.—The policies, practices, and procedures required by subsection (a) shall include the following:

(1) A written security policy with respect to the collection, processing, maintenance, and disclosure of personal information. Such policy shall be made publicly available in a prominent location on an ongoing basis, except that the publicly available version is not required to contain information that would compromise a purpose described in paragraph (1) of section 109(a).

(2) A process for identifying and assessing reasonably foreseeable security vulnerabilities in the system or systems used by such covered entity that contain personal information, which shall include regular monitoring for vulnerabilities or data breaches involving such system or systems.

(3) A process for taking action designed to mitigate against vulnerabilities identified in the process required by paragraph (2), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software, or for regularly testing or otherwise monitoring the effectiveness of the existing safeguards.

(4) A process for determining if personal information is no longer needed and disposing of personal information by shredding, permanently erasing, or otherwise modifying the medium on which such personal information is maintained to make such personal information permanently unreadable or indecipherable.

(5) A process for overseeing persons who have access to personal information, including through network-connected devices.

(6) A process for employee training and supervision for implementation of the policies, practices, and procedures required by this section.

(7) A written plan or protocol for internal and public response in the event of a data breach or data sharing abuse.

(d) Regulations.—The Director, in consultation with the National Institute of Standards and Technology, shall promulgate regulations to implement this section.

(e) Small businesses assistance.—The Director, in consultation with the National Institute of Standards and Technology, the Small Business Association, and small businesses, shall develop policy templates, toolkits, tip sheets, configuration guidelines for commonly used hardware and software, interactive tools, and other materials to assist small businesses with complying with this section.

(a) Notification of agency.—

(1) IN GENERAL.—In the case of a data breach or data sharing abuse with respect to personal information maintained by a covered entity, such covered entity shall, without undue delay and, if feasible, not later than 72 hours after becoming aware of such data breach or data sharing abuse, notify the Director of such data breach or data sharing abuse, unless such data breach or data sharing abuse is unlikely to create or increase foreseeable privacy harms.

(2) REASONS FOR DELAY.—If the notification required by paragraph (1) is made more than 72 hours after the covered entity becomes aware of the data breach or data sharing abuse, such notification shall be accompanied by a statement of the reasons for the delay.

(b) Notification of other covered entity.—In the case of a data breach or data sharing abuse with respect to personal information maintained by a covered entity that such covered entity obtained from another covered entity, the covered entity experiencing such data breach or data sharing abuse shall, without undue delay and, if feasible, not later than 72 hours after becoming aware of such data breach or data sharing abuse, notify such other covered entity of such data breach or data sharing abuse, unless such data breach or data sharing abuse is unlikely to create or increase foreseeable privacy harms. A covered entity receiving notice under this subsection of a data breach or data sharing abuse shall notify any other covered entity from which the covered entity receiving notice obtained personal information involved in such data breach or data sharing abuse, in the same manner as required under the preceding sentence for the covered entity experiencing such data breach or data sharing abuse.

(c) Notification of individuals.—

(1) IN GENERAL.—In the case of a data breach or data sharing abuse with respect to personal information maintained by a covered entity (or a data breach or data sharing abuse about which a covered entity is notified under subsection (b)), if such covered entity has a relationship with an individual whose personal information was involved or potentially involved in such data breach or data sharing abuse, such covered entity shall notify such individual of such data breach or data sharing abuse not later than 14 days after becoming aware of such data breach or data sharing abuse (or, in the case of a data breach or data sharing abuse about which a covered entity is notified under subsection (b), not later than 14 days after being so notified), if such data breach or data sharing abuse creates or increases foreseeable privacy harms.

(2) MEDIUM OF NOTIFICATION.—A covered entity shall notify an individual as required by paragraph (1) through—

(A) the same medium through which such individual routinely interacts with such covered entity; and

(B) one additional medium of notification, if such covered entity has the personal information necessary to make a notification through such an additional medium without causing excessive financial burden for such covered entity.

(d) Rule of construction.—This section shall not apply to a covered entity if a person uses personal information obtained from a data breach or data sharing abuse not involving such covered entity.

(a) Agency established.—There is established an independent agency in the executive branch to be known as the “United States Digital Privacy Agency”, which shall implement and enforce this Act.

(b) Director and deputy director.—

(1) IN GENERAL.—There is established the position of the Director, who shall serve as the head of the Agency.

(2) APPOINTMENT.—Subject to paragraph (3), the Director shall be appointed by the President, by and with the advice and consent of the Senate.

(3) QUALIFICATION.—The President shall nominate the Director from among individuals who are citizens of the United States.

(4) DEPUTY DIRECTOR.—There is established the position of Deputy Director, who shall—

(A) be appointed by the Director; and

(B) serve as acting Director in the absence or unavailability of the Director.

(c) Term.—

(1) IN GENERAL.—The Director shall serve for a term of 5 years.

(2) EXPIRATION OF TERM.—An individual may serve as Director after the expiration of the term for which appointed, until a successor has been appointed and qualified.

(3) REMOVAL FOR CAUSE.—The President may remove the Director for inefficiency, neglect of duty, or malfeasance in office.

(d) Service restriction.—No Director or Deputy Director may hold any office, position, or employment in any covered entity during the period of service of such person as Director or Deputy Director.

(e) Offices.—The Director shall establish a principal office and field offices of the Agency in locations that have high levels of activity by covered entities, as determined by the Director.

(f) Compensation.—

(1) IN GENERAL.—The Director shall be compensated at the rate prescribed for level II of the Executive Schedule under section 5313 of title 5, United States Code.

(2) CONFORMING AMENDMENT.—Section 5313 of title 5, United States Code, is amended by inserting after the item relating to “Federal Transit Administrator.” the following new item: “Director of the United States Digital Privacy Agency.”.

(a) Powers of the agency.—The Director is authorized to establish the general policies of the Agency with respect to all executive and administrative functions, including—

(1) the establishment of rules for conducting the general business of the Agency, in a manner not inconsistent with this Act;

(2) to bind the Agency and enter into contracts;

(3) directing the establishment and maintenance of divisions or other offices within the Agency, in order to carry out the responsibilities of the Agency under this Act, and to satisfy the requirements of other applicable law;

(4) to coordinate and oversee the operation of all administrative, enforcement, and research activities of the Agency;

(5) to adopt and use a seal;

(6) to determine the character of and the necessity for the obligations and expenditures of the Agency;

(7) the appointment and supervision of personnel employed by the Agency;

(8) the distribution of business among personnel appointed and supervised by the Director and among administrative units of the Agency;

(9) the use and expenditure of funds;

(10) implementing this Act through rules, orders, guidance, interpretations, statements of policy, investigations, and enforcement actions; and

(11) performing such other functions as may be authorized or required by law.

(b) Delegation of authority.—The Director may delegate to any duly authorized employee, representative, or agent any power vested in the Director or the Agency by law, except that the Director may not delegate the power to appoint the Deputy Director under section 301(b)(4)(A).

(c) Autonomy of agency regarding recommendations and testimony.—No officer or agency of the United States shall have any authority to require the Director or any other officer of the Agency to submit legislative recommendations, or testimony or comments on legislation, to any officer or agency of the United States for approval, comments, or review prior to the submission of such recommendations, testimony, or comments to the Congress, if such recommendations, testimony, or comments to the Congress include a statement indicating that the views expressed therein are those of the Director or such officer, and do not necessarily reflect the views of the President.

The Director may prescribe rules and issue orders and guidance, as may be necessary or appropriate to enable the Agency to administer and carry out the purposes and objectives of this Act, and to prevent evasions thereof.

(a) Appointment.—

(1) IN GENERAL.—The Director may fix the number of, and appoint and direct, all employees of the Agency, in accordance with the applicable provisions of title 5, United States Code.

(2) EMPLOYEES OF THE AGENCY.—The Director is authorized to employ technologists, designers, attorneys, investigators, economists, and other employees as the Director considers necessary to conduct the business of the Agency.

(b) Agency ombudsman.—

(1) ESTABLISHMENT REQUIRED.—The Director shall appoint an ombudsman.

(2) DUTIES OF OMBUDSMAN.—The ombudsman appointed in accordance with paragraph (1) shall—

(A) act as a liaison between the Agency and any affected person with respect to any problem that such person may have in dealing with the Agency, resulting from the regulatory activities of the Agency; and

(B) assure that safeguards exist to encourage complainants to come forward and preserve confidentiality.

(a) In general.—The Director shall establish a unit within the Agency the functions of which shall include establishing a single, toll-free telephone number, a website, and a database or utilizing an existing database to facilitate the centralized collection of, monitoring of, and response to complaints of individuals regarding the privacy or security of personal information. The Director shall coordinate with other Federal agencies with jurisdiction over the privacy or security of personal information to route complaints to such agencies, where appropriate.

(b) Routing complaints to states.—To the extent practicable, State agencies may receive appropriate complaints from the systems established under subsection (a), if—

(1) the State agency system has the functional capacity to receive calls or electronic reports routed by the Agency systems;

(2) the State agency has satisfied any conditions of participation in the system that the Agency may establish, including treatment of personal information and sharing of information on complaint resolution or related compliance procedures and resources; and

(3) participation by the State agency includes measures necessary to provide for protection of personal information that conform to the standards for protection of the confidentiality of personal information and for data integrity and security that apply to Federal agencies.

(c) Data sharing required.—To facilitate inclusion in the reports required by section 310 of the matters regarding complaints of individuals required by subsection (b)(4) of such section to be included in such reports, investigation and enforcement activities, and monitoring of the privacy and security of personal information, the Agency shall share information about complaints of individuals with Federal and State agencies that have jurisdiction over the privacy or security of personal information and State attorneys general, subject to the standards applicable to Federal agencies for protection of the confidentiality of personal information and for data security and integrity. Other Federal agencies that have jurisdiction over the privacy or security of personal information shall share data relating to complaints of individuals regarding the privacy or security of personal information with the Agency, subject to the standards applicable to Federal agencies for protection of confidentiality of personal information and for data security and integrity.

(a) Establishment required.—The Director shall establish a User Advisory Board to advise and consult with the Agency in the exercise of its functions under this Act, and to provide information on emerging practices relating to the treatment of personal information by covered entities, including regional trends, concerns, and other relevant information.

(b) Membership.—In appointing the members of the User Advisory Board, the Director shall seek to assemble experts in consumer protection, privacy, civil rights, and ethics, and seek representation of the interests of individuals who use products or services provided by covered entities, without regard to party affiliation.

(c) Meetings.—The User Advisory Board shall meet from time to time at the call of the Director, but, at a minimum, shall meet at least twice in each year.

(d) Compensation and travel expenses.—Members of the User Advisory Board who are not full-time employees of the United States shall—

(1) be entitled to receive compensation at a rate fixed by the Director while attending meetings of the User Advisory Board, including travel time; and

(2) receive travel expenses, including per diem in lieu of subsistence, in accordance with applicable provisions under subchapter I of chapter 57 of title 5, United States Code.

(a) Establishment required.—The Director shall establish an Academic and Research Advisory Board to advise and consult with the Agency in the exercise of its functions under this Act, and to provide information on emerging practices relating to the treatment of personal information by covered entities, including regional trends, concerns, and other relevant information.

(b) Membership.—In appointing the members of the Academic and Research Advisory Board, the Director shall seek to assemble individuals with academic and research expertise in privacy, cybersecurity, computer science, innovation, economics, law, and public policy, without regard to party affiliation.

(c) Meetings.—The Academic and Research Advisory Board shall meet from time to time at the call of the Director, but, at a minimum, shall meet at least twice in each year.

(d) Compensation and travel expenses.—Members of the Academic and Research Advisory Board who are not full-time employees of the United States shall—

(1) be entitled to receive compensation at a rate fixed by the Director while attending meetings of the Academic and Research Advisory Board, including travel time; and

(2) receive travel expenses, including per diem in lieu of subsistence, in accordance with applicable provisions under subchapter I of chapter 57 of title 5, United States Code.

(a) Establishment required.—The Director shall establish a Small Business and Investor Advisory Board to advise and consult with the Agency in the exercise of its functions under this Act, and to provide information on emerging practices relating to the treatment of personal information by covered entities, including regional trends, concerns, and other relevant information.

(b) Membership.—In appointing the members of the Small Business and Investor Advisory Board, the Director shall seek to assemble representatives of small businesses and investors in small businesses, without regard to party affiliation.

(c) Meetings.—The Small Business and Investor Advisory Board shall meet from time to time at the call of the Director, but, at a minimum, shall meet at least twice in each year.

(d) Compensation and travel expenses.—Members of the Small Business and Investor Advisory Board who are not full-time employees of the United States shall—

(1) be entitled to receive compensation at a rate fixed by the Director while attending meetings of the Small Business and Investor Advisory Board, including travel time; and

(2) receive travel expenses, including per diem in lieu of subsistence, in accordance with applicable provisions under subchapter I of chapter 57 of title 5, United States Code.

The Director shall consult with Federal and State agencies that have jurisdiction over the privacy or security of personal information, State attorneys general, international and intergovernmental bodies that conduct activities relating to the privacy or security of personal information, and agencies of other countries that are similar to the Agency, as appropriate, to promote consistent regulatory treatment of the activities of covered entities relating to the privacy or security of personal information.

(a) Reports required.—Not later than 6 months after the date of the enactment of this Act, and every 6 months thereafter, the Director shall submit a report to the President and to the Committee on Energy and Commerce, the Committee on the Judiciary, and the Committee on Appropriations of the House of Representatives and the Committee on Commerce, Science, and Transportation, the Committee on the Judiciary, and the Committee on Appropriations of the Senate, and shall publish such report on the website of the Agency.

(b) Contents.—Each report required by subsection (a) shall include—

(1) a discussion of the significant problems faced by individuals with respect to the privacy or security of personal information;

(2) a justification of the budget request of the Agency for the preceding year, unless a justification for such year was included in the preceding report submitted under such subsection;

(3) a list of the significant rules and orders adopted by the Agency, as well as other significant initiatives conducted by the Agency, during the preceding 6-month period and the plan of the Agency for rules, orders, or other initiatives to be undertaken during the upcoming 6-month period;

(4) an analysis of complaints about the privacy or security of personal information that the Agency has received and collected in the database described in section 305(a) during the preceding 6-month period;

(5) a list, with a brief statement of the issues, of the public enforcement actions to which the Agency was a party during the preceding 6-month period; and

(6) an assessment of significant actions by State attorneys general or State agencies relating to this Act or the rules prescribed under this Act during the preceding 6-month period.

The Director shall establish an Open-Source Machine Learning Training Data Program and make grants through the program to support the development of open-source, voluntarily disclosed, personal information data sets to be used for the training or development of machine learning and artificial intelligence algorithms. The Director shall promulgate regulations to implement the Program and to consider any such data sets are in compliance with this Act balancing any intrusion on the privacy of, potential privacy harms to, and reasonable expectations of individuals to whom the personal information relates.

The Director shall order an annual independent audit of the operations and budget of the Agency.

Section 12 of the Inspector General Act of 1978 (5 U.S.C. App.) is amended—

(1) in paragraph (1), by inserting the “Director of the Digital Privacy Agency;” after “the President of the Export-Import Bank;”; and

(2) in paragraph (2), by inserting “the Digital Privacy Agency,” after “the Export-Import Bank,”.

There are authorized to be appropriated to the Director to carry out this Act $550,000,000 for each of the fiscal years 2020, 2021, 2022, 2023, and 2024.

In this title:

(1) AGENCY INVESTIGATOR.—The term “Agency investigator” means any attorney or investigator employed by the Agency who is charged with the duty of enforcing or carrying into effect any provision of this Act or a rule or order prescribed under this Act.

(2) ATTORNEY GENERAL.—The term “attorney general” means, with respect to a State, the attorney general or chief law enforcement officer of the State, or another official or agency designated by the State to bring civil actions on behalf of the State or the residents of the State.

(3) CUSTODIAN.—The term “custodian” means the custodian or any deputy custodian designated by the Agency.

(4) DOCUMENTARY MATERIAL.—The term “documentary material” includes the original or any copy of any book, document, record, report, memorandum, paper, communication, tabulation, chart, logs, electronic files, or other data or data compilations stored in any medium.

(5) VIOLATION.—The term “violation” means any act or omission that, if proved, would constitute a violation of any provision of this Act or a rule or order prescribed under this Act.

(6) NON-PUBLIC INFORMATION.—The term “non-public information” means information that has not been disclosed in a criminal, civil, or administrative proceeding, in a government investigation, report, or audit, or by the news media or other public source of information, and that was not obtained in violation of the law.

(a) Joint investigations.—The Agency or, where appropriate, an Agency investigator, may conduct investigations and make requests for information, as authorized under this Act, on a joint basis with another agency (as defined in section 551 of title 5, United States Code).

(b) Subpoenas.—

(1) IN GENERAL.—The Agency or an Agency investigator may issue subpoenas for the attendance and testimony of witnesses and the production of relevant papers, books, documents, or other material in connection with hearings under this Act.

(2) FAILURE TO OBEY.—In the case of contumacy or refusal to obey a subpoena issued pursuant to this subsection and served upon any person, the district court of the United States for any district in which such person is found, resides, or transacts business, upon application by the Agency or an Agency investigator and after notice to such person, may issue an order requiring such person to appear and give testimony or to appear and produce documents or other material.

(3) CONTEMPT.—Any failure to obey an order of the court under paragraph (2) may be punished by the court as a contempt thereof.

(c) Demands.—

(1) IN GENERAL.—Whenever the Agency has reason to believe that any person may be in possession, custody, or control of any documentary material or tangible things, or may have any information, relevant to a violation, the Agency may, before the institution of any proceedings under this Act, issue in writing, and cause to be served upon such person, a civil investigative demand requiring such person to—

(A) produce such documentary material for inspection and copying or reproduction in the form or medium requested by the Agency;

(B) submit such tangible things;

(C) file written reports or answers to questions;

(D) give oral testimony concerning documentary material, tangible things, or other information; or

(E) furnish any combination of such material, answers, or testimony.

(2) REQUIREMENTS.—Each civil investigative demand shall state the nature of the conduct constituting the alleged violation which is under investigation and the provision of law applicable to such violation.

(3) PRODUCTION OF DOCUMENTS.—Each civil investigative demand for the production of documentary material shall—

(A) describe each class of documentary material to be produced under the demand with such definiteness and certainty as to permit such material to be fairly identified;

(B) prescribe a return date or dates which will provide a reasonable period of time within which the material so demanded may be assembled and made available for inspection and copying or reproduction; and

(C) identify the custodian to whom such material shall be made available.

(4) PRODUCTION OF THINGS.—Each civil investigative demand for the submission of tangible things shall—

(A) describe each class of tangible things to be submitted under the demand with such definiteness and certainty as to permit such things to be fairly identified;

(B) prescribe a return date or dates which will provide a reasonable period of time within which the things so demanded may be assembled and submitted; and

(C) identify the custodian to whom such things shall be submitted.

(5) DEMAND FOR WRITTEN REPORTS OR ANSWERS.—Each civil investigative demand for written reports or answers to questions shall—

(A) propound with definiteness and certainty the reports to be produced or the questions to be answered;

(B) prescribe a date or dates at which time written reports or answers to questions shall be submitted; and

(C) identify the custodian to whom such reports or answers shall be submitted.

(6) ORAL TESTIMONY.—Each civil investigative demand for the giving of oral testimony shall—

(A) prescribe a date, time, and place at which oral testimony shall be commenced; and

(B) identify an Agency investigator who shall conduct the investigation and the custodian to whom the transcript of such investigation shall be submitted.

(7) SERVICE.—Any civil investigative demand issued, and any enforcement petition filed, under this section may be served—

(A) by any Agency investigator at any place within the territorial jurisdiction of any court of the United States; and

(B) upon any person who is not found within the territorial jurisdiction of any court of the United States—

(i) in such manner as the Federal Rules of Civil Procedure prescribe for service in a foreign nation; and

(ii) to the extent that the courts of the United States have authority to assert jurisdiction over such person, consistent with due process, the United States District Court for the District of Columbia shall have the same jurisdiction to take any action respecting compliance with this section by such person that such district court would have if such person were personally within the jurisdiction of such district court.

(8) METHOD OF SERVICE.—Service of any civil investigative demand or any enforcement petition filed under this section may be made upon a person by—

(A) delivering a duly executed copy of such demand or petition to the individual or to any partner, executive officer, managing agent, or general agent of such person, or to any agent of such person authorized by appointment or by law to receive service of process on behalf of such person;

(B) delivering a duly executed copy of such demand or petition to the principal office or place of business of the person to be served; or

(C) depositing a duly executed copy in the United States mails, by registered or certified mail, return receipt requested, duly addressed to such person at the principal office or place of business of such person.

(9) PROOF OF SERVICE.—

(A) IN GENERAL.—A verified return by the individual serving any civil investigative demand or any enforcement petition filed under this section setting forth the manner of such service shall be proof of such service.

(B) RETURN RECEIPTS.—In the case of service by registered or certified mail, such return shall be accompanied by the return post office receipt of delivery of such demand or enforcement petition.

(10) PRODUCTION OF DOCUMENTARY MATERIAL.—The production of documentary material in response to a civil investigative demand shall be made under a sworn certificate, in such form as the demand designates, by the person, if a natural person, to whom the demand is directed or, if not a natural person, by any person having knowledge of the facts and circumstances relating to such production, to the effect that all of the documentary material required by the demand and in the possession, custody, or control of the person to whom the demand is directed has been produced and made available to the custodian.

(11) SUBMISSION OF TANGIBLE THINGS.—The submission of tangible things in response to a civil investigative demand shall be made under a sworn certificate, in such form as the demand designates, by the person to whom the demand is directed or, if not a natural person, by any person having knowledge of the facts and circumstances relating to such production, to the effect that all of the tangible things required by the demand and in the possession, custody, or control of the person to whom the demand is directed have been submitted to the custodian.

(12) SEPARATE ANSWERS.—Each reporting requirement or question in a civil investigative demand shall be answered separately and fully in writing under oath, unless it is objected to, in which event the reasons for the objection shall be stated in lieu of an answer, and it shall be submitted under a sworn certificate, in such form as the demand designates, by the person, if a natural person, to whom the demand is directed or, if not a natural person, by any person responsible for answering each reporting requirement or question, to the effect that all information required by the demand and in the possession, custody, control, or knowledge of the person to whom the demand is directed has been submitted.

(13) TESTIMONY.—

(A) IN GENERAL.—

(i) OATH AND RECORDATION.—The examination of any person pursuant to a demand for oral testimony served under this subsection shall be taken before an officer authorized to administer oaths and affirmations by the laws of the United States or of the place at which the examination is held. The officer before whom oral testimony is to be taken shall put the witness on oath or affirmation and shall personally, or by any individual acting under the direction of and in the presence of the officer, record the testimony of the witness.

(ii) TRANSCRIPTION.—The testimony shall be taken stenographically and transcribed.

(B) PARTIES PRESENT.—Any Agency investigator before whom oral testimony is to be taken shall exclude from the place where the testimony is to be taken all other persons, except the person giving the testimony, the attorney for that person, the officer before whom the testimony is to be taken, an investigator or representative of an agency with which the Agency is engaged in a joint investigation, and any stenographer taking such testimony.

(C) LOCATION.—The oral testimony of any person taken pursuant to a civil investigative demand shall be taken in the judicial district of the United States in which such person resides, is found, or transacts business, or in such other place as may be agreed upon by the Agency investigator before whom the oral testimony of such person is to be taken and such person.

(D) ATTORNEY REPRESENTATION.—

(i) IN GENERAL.—Any person compelled to appear under a civil investigative demand for oral testimony pursuant to this subsection may be accompanied, represented, and advised by an attorney.

(ii) AUTHORITY.—The attorney may advise a person described in clause (i), in confidence, either upon the request of such person or upon the initiative of the attorney, with respect to any question asked of such person.

(iii) OBJECTIONS.—A person described in clause (i), or the attorney for that person, may object on the record to any question, in whole or in part, and such person shall briefly state for the record the reason for the objection. An objection may properly be made, received, and entered upon the record when it is claimed that such person is entitled to refuse to answer the question on grounds of any constitutional or other legal right or privilege, including the privilege against self-incrimination, but such person shall not otherwise object to or refuse to answer any question, and such person or attorney shall not otherwise interrupt the oral examination.

(iv) REFUSAL TO ANSWER.—If a person described in clause (i) refuses to answer any question—

(I) the Agency may petition the district court of the United States pursuant to this section for an order compelling such person to answer such question; and

(II) if the refusal is on grounds of the privilege against self-incrimination, the testimony of such person may be compelled in accordance with the provisions of section 6004 of title 18, United States Code.

(E) TRANSCRIPTS.—For purposes of this subsection—

(i) after the testimony of any witness is fully transcribed, the Agency investigator shall afford the witness (who may be accompanied by an attorney) a reasonable opportunity to examine the transcript;

(ii) the transcript shall be read to or by the witness, unless such examination and reading are waived by the witness;

(iii) any changes in form or substance which the witness desires to make shall be entered and identified upon the transcript by the Agency investigator, with a statement of the reasons given by the witness for making such changes;

(iv) the transcript shall be signed by the witness, unless the witness in writing waives the signing, is ill, cannot be found, or refuses to sign; and

(v) if the transcript is not signed by the witness during the 30-day period following the date on which the witness is first afforded a reasonable opportunity to examine the transcript, the Agency investigator shall sign the transcript and state on the record the fact of the waiver, illness, absence of the witness, or the refusal to sign, together with any reasons given for the failure to sign.

(F) CERTIFICATION BY INVESTIGATOR.—The Agency investigator shall certify on the transcript that the witness was duly sworn by him or her and that the transcript is a true record of the testimony given by the witness, and the Agency investigator shall promptly deliver the transcript or send it by registered or certified mail to the custodian.

(G) COPY OF TRANSCRIPT.—The Agency investigator shall furnish a copy of the transcript (upon payment of reasonable charges for the transcript) to the witness only, except that the Agency may for good cause limit such witness to inspection of the official transcript of his testimony.

(H) WITNESS FEES.—Any witness appearing for the taking of oral testimony pursuant to a civil investigative demand shall be entitled to the same fees and mileage which are paid to witnesses in the district courts of the United States.

(d) Confidential treatment of demand material.—

(1) IN GENERAL.—Documentary materials and tangible things received as a result of a civil investigative demand shall be subject to requirements and procedures regarding confidentiality, in accordance with rules established by the Agency.

(2) DISCLOSURE TO CONGRESS.—No rule established by the Agency regarding the confidentiality of materials submitted to, or otherwise obtained by, the Agency shall be intended to prevent disclosure to either House of Congress or to an appropriate committee of the Congress, except that the Agency is permitted to adopt rules allowing prior notice to any party that owns or otherwise provided the material to the Agency and had designated such material as confidential.

(e) Petition for enforcement.—

(1) IN GENERAL.—Whenever any person fails to comply with any civil investigative demand duly served upon him under this section, or whenever satisfactory copying or reproduction of material requested pursuant to the demand cannot be accomplished and such person refuses to surrender such material, the Agency, through such officers or attorneys as it may designate, may file, in the district court of the United States for any judicial district in which such person resides, is found, or transacts business, and serve upon such person, a petition for an order of such court for the enforcement of this section.

(2) SERVICE OF PROCESS.—All process of any court to which application may be made as provided in this subsection may be served in any judicial district.

(f) Petition for order modifying or setting aside demand.—

(1) IN GENERAL.—Not later than 20 days after the service of any civil investigative demand upon any person under subsection (c), or at any time before the return date specified in the demand, whichever period is shorter, or within such period exceeding 20 days after service or in excess of such return date as may be prescribed in writing, subsequent to service, by any Agency investigator named in the demand, such person may file with the Agency a petition for an order by the Agency modifying or setting aside the demand.

(2) COMPLIANCE DURING PENDENCY.—The time permitted for compliance with the demand in whole or in part, as determined proper and ordered by the Agency, shall not run during the pendency of a petition under paragraph (1) at the Agency, except that such person shall comply with any portions of the demand not sought to be modified or set aside.

(3) SPECIFIC GROUNDS.—A petition under paragraph (1) shall specify each ground upon which the petitioner relies in seeking relief, and may be based upon any failure of the demand to comply with the provisions of this section, or upon any constitutional or other legal right or privilege of such person.

(g) Custodial control.—At any time during which any custodian is in custody or control of any documentary material, tangible things, reports, answers to questions, or transcripts of oral testimony given by any person in compliance with any civil investigative demand, such person may file, in the district court of the United States for the judicial district within which the office of such custodian is situated, and serve upon such custodian, a petition for an order of such court requiring the performance by such custodian of any duty imposed upon him by this section or rule promulgated by the Agency.

(h) Jurisdiction of court.—

(1) IN GENERAL.—Whenever any petition is filed in any district court of the United States under this section, such court shall have jurisdiction to hear and determine the matter so presented, and to enter such order or orders as may be required to carry out the provisions of this section.

(2) APPEAL.—Any final order entered as described in paragraph (1) shall be subject to appeal pursuant to section 1291 of title 28, United States Code.

(a) In general.—The Agency is authorized to conduct hearings and adjudication proceedings with respect to any person in the manner prescribed by chapter 5 of title 5, United States Code, in order to ensure or enforce compliance with this Act and the rules prescribed under this Act.

(b) Special rules for cease-and-Desist proceedings.—

(1) ORDERS AUTHORIZED.—

(A) IN GENERAL.—If, in the opinion of the Agency, a person is engaging or has engaged in an act or omission that violates any provision of this Act or a rule or order prescribed under this Act, the Agency may issue and serve upon the person a notice of charges in respect thereof.

(B) CONTENT OF NOTICE.—The notice under subparagraph (A) shall contain a statement of the facts constituting the alleged violation, and shall fix a time and place at which a hearing will be held to determine whether an order to cease and desist should issue against the person, such hearing to be held not earlier than 30 days nor later than 60 days after the date of service of such notice, unless an earlier or a later date is set by the Agency, at the request of any person so served.

(C) CONSENT.—Unless a person served under subparagraph (B) appears at the hearing personally or by a duly authorized representative, the person shall be deemed to have consented to the issuance of the cease-and-desist order.

(D) PROCEDURE.—In the event of consent under subparagraph (C), or if, upon the record made at any such hearing, the Agency finds that any violation specified in the notice of charges has been established, the Agency may issue and serve upon the person an order to cease and desist from the violation. Such order may, by provisions which may be mandatory or otherwise, require the person to cease and desist from the subject act or omission, and to take affirmative action to correct the conditions resulting from any such violation.

(2) EFFECTIVENESS OF ORDER.—A cease-and-desist order shall become effective at the expiration of 30 days after the date of service of the order under paragraph (1)(D) (except in the case of a cease-and-desist order issued upon consent, which shall become effective at the time specified therein), and shall remain effective and enforceable as provided therein, except to such extent as the order is stayed, modified, terminated, or set aside by action of the Agency or a reviewing court.

(3) DECISION AND APPEAL.—Any hearing provided for in this subsection shall be held in the Federal judicial district or in the territory in which the residence or principal office or place of business of the person is located unless the person consents to another place, and shall be conducted in accordance with the provisions of chapter 5 of title 5, United States Code. After such hearing, and not later than 90 days after the Agency has notified each party to the proceeding that the case has been submitted to the Agency for final decision, the Agency shall render its decision (which shall include findings of fact upon which its decision is predicated) and shall issue and serve upon each such party an order or orders consistent with the provisions of this section. Judicial review of any such order shall be exclusively as provided in this subsection. Unless a petition for review is timely filed in a court of appeals of the United States, as provided in paragraph (4), and thereafter until the record in the proceeding has been filed as provided in paragraph (4), the Agency may at any time, upon such notice and in such manner as the Agency shall determine proper, modify, terminate, or set aside any such order. Upon filing of the record as provided, the Agency may modify, terminate, or set aside any such order with permission of the court.

(4) APPEAL TO COURT OF APPEALS.—Any party to any proceeding under this subsection may obtain a review of any order served pursuant to this subsection (other than an order issued with the consent of the party) by filing in the court of appeals of the United States for the circuit in which the residence or principal office or place of business of the party is located, or in the United States Court of Appeals for the District of Columbia Circuit, within 30 days after the date of service of such order, a written petition praying that the order of the Agency be modified, terminated, or set aside. A copy of such petition shall be forthwith transmitted by the clerk of the court to the Agency, and thereupon the Agency shall file in the court the record in the proceeding, as provided in section 2112 of title 28, United States Code. Upon the filing of such petition, such court shall have jurisdiction, which upon the filing of the record shall, except as provided in the last sentence of paragraph (3), be exclusive, to affirm, modify, terminate, or set aside, in whole or in part, the order of the Agency. Review of such proceedings shall be had as provided in chapter 7 of title 5, United States Code. The judgment and decree of the court shall be final, except that the same shall be subject to review by the Supreme Court of the United States, upon certiorari, as provided in section 1254 of title 28, United States Code.

(5) NO STAY.—The commencement of proceedings for judicial review under paragraph (4) shall not, unless specifically ordered by the court, operate as a stay of any order issued by the Agency.

(c) Special rules for temporary cease-and-Desist proceedings.—

(1) IN GENERAL.—Whenever the Agency determines that the violation specified in the notice of charges served upon a person pursuant to subsection (b), or the continuation thereof, is likely to cause the person to be insolvent or otherwise prejudice the interests of individuals before the completion of the proceedings conducted pursuant to subsection (b), the Agency may issue a temporary order requiring the person to cease and desist from any such violation and to take affirmative action to prevent or remedy such insolvency or other condition pending completion of such proceedings. Such order may include any requirement authorized under this title. Such order shall become effective upon service upon the person and, unless set aside, limited, or suspended by a court in proceedings authorized by paragraph (2), shall remain effective and enforceable pending the completion of the administrative proceedings pursuant to such notice and until such time as the Agency shall dismiss the charges specified in such notice, or if a cease-and-desist order is issued against the person, until the effective date of such order.

(2) APPEAL.—Not later than 10 days after a person has been served with a temporary cease-and-desist order, the person may apply to the United States district court for the judicial district in which the residence or principal office or place of business of the person is located, or the United States District Court for the District of Columbia, for an injunction setting aside, limiting, or suspending the enforcement, operation, or effectiveness of such order pending the completion of the administrative proceedings pursuant to the notice of charges served upon the person under subsection (b), and such court shall have jurisdiction to issue such injunction.

(d) Special rules for enforcement of orders.—

(1) IN GENERAL.—The Agency may in its discretion apply to the United States district court within the jurisdiction of which the residence or principal office or place of business of a person is located, for the enforcement of any effective and outstanding order issued under this section against such person, and such court shall have jurisdiction and power to order and require compliance with such order.

(2) EXCEPTION.—Except as otherwise provided in this section, no court shall have jurisdiction to affect by injunction or otherwise the issuance or enforcement of any order or to review, modify, suspend, terminate, or set aside any such order.

(e) Rules.—The Agency shall prescribe rules establishing such procedures as may be necessary to carry out this section.

(a) In general.—If a person violates any provision of this Act or a rule or order prescribed under this Act, the Agency may commence a civil action against such person to impose a civil penalty or to seek all appropriate legal and equitable relief, including a permanent or temporary injunction.

(b) Representation.—Except as provided in subsection (e), the Agency may act in its own name and through its own attorneys in any action, suit, or other court proceeding to which the Agency is a party.

(c) Compromise of actions.—The Agency may compromise or settle any action, suit, or other court proceeding to which the Agency is a party if such compromise is approved by the court.

(d) Notice to the attorney general.—

(1) IN GENERAL.—When commencing a civil action under subsection (a), the Agency shall notify the Attorney General.

(2) NOTICE AND COORDINATION.—

(A) NOTICE OF OTHER ACTIONS.—In addition to any notice required under paragraph (1), the Agency shall notify the Attorney General concerning any action, suit, or other court proceeding to which the Agency is a party.

(B) COORDINATION.—In order to avoid conflicts and promote consistency regarding litigation of matters under Federal law, the Attorney General and the Agency shall consult regarding the coordination of investigations and proceedings, including by negotiating an agreement for coordination by not later than 180 days after the effective date specified in section 4(a). The agreement under this subparagraph shall include provisions to ensure that parallel investigations and proceedings involving this Act and the rules prescribed under this Act are conducted in a manner that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws.

(C) RULE OF CONSTRUCTION.—Nothing in this paragraph shall be construed to limit the authority of the Agency under this Act, including the authority to interpret this Act.

(e) Appearance before the supreme court.—The Agency may represent itself in its own name before the Supreme Court of the United States, if the Agency makes a written request to the Attorney General within the 10-day period which begins on the date of entry of the judgment which would permit any party to file a petition for writ of certiorari, and the Attorney General concurs with such request or fails to take action within 60 days of the request of the Agency.

(f) Forum.—Any civil action brought under subsection (a) may be brought in an appropriate district court of the United States or an appropriate State court.

(g) Time for bringing action.—Except as otherwise permitted by law or equity, no action may be brought under subsection (a) more than 3 years after the date of discovery of the violation to which the action relates.

(a) Coordination.—With respect to covered entities and service providers, to the extent that Federal law authorizes the Agency and another Federal agency to enforce privacy laws, the other Federal agency shall coordinate with the Agency to promote consistent enforcement of this Act and other Federal privacy laws.

(b) Referral.—Any Federal agency authorized to enforce a Federal privacy law described in section 501 may recommend in writing to the Agency that the Agency initiate an enforcement proceeding, as the Agency is authorized by that Federal law or by this Act.

(c) Coordination with the federal trade commission.—

(1) IN GENERAL.—The Agency and the Federal Trade Commission shall negotiate an agreement for coordinating with respect to enforcement actions by each agency regarding the provision of a product or service offered by any covered entity. The agreement shall include procedures for notice to the other agency, where feasible, prior to initiating a civil action to enforce any Federal law regarding the privacy of individuals or security of personal information.

(2) CIVIL ACTIONS.—Whenever a civil action has been filed by, or on behalf of, the Agency or the Federal Trade Commission for any violation of any provision of Federal law described in paragraph (1), or any regulation prescribed under such provision of law—

(A) the other agency may not, during the pendency of that action, institute a civil action under such provision of law against any defendant named in the complaint in such pending action for any violation alleged in the complaint; and

(B) the Agency or the Federal Trade Commission may intervene as a party in any such action brought by the other agency, and, upon intervening—

(i) be heard on all matters arising in such enforcement action; and

(ii) file petitions for appeal in such actions.

(3) AGREEMENT TERMS.—The terms of any agreement negotiated under paragraph (1) may modify or supersede the provisions of paragraph (2).

(4) DEADLINE.—The agencies shall reach the agreement required under paragraph (1) not later than 6 months after the designated transfer date.

(a) Civil action.—In any case in which the attorney general of a State has reason to believe that an interest of the residents of such State has been or is adversely affected by any person who violates any provision of this Act or a rule or order prescribed under this Act, the attorney general of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate State court or an appropriate district court of the United States—

(1) to enjoin further violation of such provision by the defendant;

(2) to compel compliance with such provision; or

(3) to obtain relief under section 408.

(b) Rights of agency.—Before initiating a civil action under subsection (a), the attorney general of a State shall notify the Agency in writing of such civil action. Upon receiving notice with respect to a civil action, the Agency may—

(1) intervene in such action; and

(2) upon intervening—

(A) be heard on all matters arising in such civil action; and

(B) file petitions for appeal of a decision in such action.

(c) Preemptive action by agency.—If the Agency institutes a civil action for violation of any provision of this Act or a rule or order prescribed under this Act, no attorney general of a State may bring a civil action against any defendant named in the complaint of the Agency for a violation of such provision that is alleged in such complaint.

(a) Injunctive relief.—A person who is aggrieved by a violation of this Act may bring a civil action for declaratory or injunctive relief in any court of competent jurisdiction in any State or in an appropriate district court.

(b) Civil action for damages.—Except for claims under rule 23 of the Federal Rules of Civil Procedure or a similar judicial procedure authorizing an action to be brought by 1 or more representatives, a person who is aggrieved by a violation of this Act may bring a civil action for damages in any court of competent jurisdiction in any State or in an appropriate district court.

(c) Nonprofit collective representation.—An individual shall have the right to appoint a nonprofit body, organization, or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in this Act on his or her behalf.

(1) A nonprofit may represent a class of aggrieved individuals.

(2) A prevailing nonprofit shall receive reasonable compensation for expenses, including attorneys fees.

(3) Individuals shall receive an equally divided share of the total damages.

(d) State Appointment.—A State may provide that any body, organization or association referred to in subsection (c), independently of an individual’s appointment, has the right to lodge, in that State, a complaint with the Agency and to exercise the rights referred to in this Act if it considers that the rights of an individual under this Act have been infringed.

(a) Civil actions and adjudication proceedings.—

(1) JURISDICTION.—In any civil action or any adjudication proceeding brought by the Agency or the attorney general of a State, under any provision of this Act or a rule or order prescribed under this Act, the court or the Agency (as the case may be) shall have jurisdiction to grant any appropriate legal or equitable relief with respect to a violation of such provision.

(2) RELIEF.—Relief under this section may include—

(A) rescission or reformation of contracts;

(B) refund of moneys;

(C) restitution;

(D) disgorgement or compensation for unjust enrichment;

(E) payment of damages or other monetary relief;

(F) public notification regarding the violation, including the costs of notification;

(G) limits on the activities or functions of the person; and

(H) civil money penalties, as provided in subsection (c).

(3) NO EXEMPLARY OR PUNITIVE DAMAGES.—Nothing in this subsection shall be construed as authorizing the imposition of exemplary or punitive damages.

(b) Recovery of costs.—In any civil action brought by the Agency or the attorney general of a State under any provision of this Act or a rule or order prescribed under this Act, the Agency or attorney general may recover its costs in connection with prosecuting such action if the Agency or attorney general is the prevailing party in the action.

(c) Civil money penalty in court and adjudication proceedings.—

(1) IN GENERAL.—Any person who violates, through any act or omission, any provision of this Act or a rule or order prescribed under this Act shall forfeit and pay a civil penalty under this subsection.

(2) PENALTY AMOUNT.—

(A) IN GENERAL.—The amount of a civil penalty under this subsection may not exceed, for each violation, the product of—

(i) the maximum civil penalty for which a person, partnership, or corporation may be liable under section 5(m)(1)(A) of the Federal Trade Commission Act (15 U.S.C. 45(m)(1)(A)) for a violation of a rule under such Act respecting unfair or deceptive acts or practices, as adjusted under the Federal Civil Penalties Inflation Adjustment Act of 1990 (28 U.S.C. 2461 note); and

(ii) the number of individuals the personal information of which is affected by the violation.

(B) CONTINUING VIOLATIONS.—In the case of a violation through continuing failure to comply with a provision of this Act or a rule or order prescribed under this Act, each day of continuance of such failure shall be treated as a separate violation for purposes of subparagraph (A).

(3) MITIGATING FACTORS.—In determining the amount of any penalty assessed under paragraph (2), the court or the Agency shall take into account the appropriateness of the penalty with respect to—

(A) the size of financial resources and good faith of the person charged;

(B) the gravity of the violation;

(C) the severity of the privacy harms (including both actual and potential harms) to individuals;

(D) any disparate impact of the privacy harms (including both actual and potential harms) on protected classes;

(E) the history of previous violations; and

(F) such other matters as justice may require.

(4) AUTHORITY TO MODIFY OR REMIT PENALTY.—The Agency or attorney general of a State may compromise, modify, or remit any penalty which may be assessed or has already been assessed under paragraph (2). The amount of such penalty, when finally determined, shall be exclusive of any sums owed by the person to the United States in connection with the costs of the proceeding, and may be deducted from any sums owing by the United States to the person charged.

(5) NOTICE AND HEARING.—No civil penalty may be assessed under this subsection with respect to a violation of any provision of this Act or a rule or order prescribed under this Act, unless—

(A) the Agency or attorney general of a State gives notice and an opportunity for a hearing to the person accused of the violation; or

(B) the appropriate court has ordered such assessment and entered judgment in favor of the Agency or attorney general of a State.

If the Agency obtains evidence that any person, domestic or foreign, has engaged in conduct that may constitute a violation of Federal criminal law, the Agency shall transmit such evidence to the Attorney General of the United States, who may institute criminal proceedings under appropriate law. Nothing in this section affects any other authority of the Agency to disclose information.

(a) In general.—Any person who becomes aware, based on non-public information, that a covered entity has violated this Act may file a civil action for civil penalties, if prior to filing such action, the person files with the Director a written request for the Director to commence the action. The request shall include a clear and concise statement of the grounds for believing a cause of action exists. The person shall make the non-public information available to the Director upon request:

(1) If the Director files suit within 90 days from receipt of the written request to commence the action, no other action may be brought unless the action brought by the Director is dismissed without prejudice.

(2) If the Director does not file suit within 90 days from receipt of the written request to commence the action, the person requesting the action may proceed to file a civil action.

(3) The time period within which a civil action shall be commenced shall be tolled from the date of receipt by the Director of the written request to either the date that the civil action is dismissed without prejudice, or for 150 days, whichever is later, but only for a civil action brought by the person who requested the Director to commence the action.

(b) Allocation of civil penalties.—If a judgment is entered against the defendant or defendants in an action brought pursuant to this section, or the matter is settled, amounts received as civil penalties or pursuant to a settlement of the action shall be allocated as follows:

(1) If the action was brought by the Director upon a request made by a person pursuant to (a), the person who made the request shall be entitled to 15 percent of the civil penalties.

(2) If the action was brought by the person who made the request pursuant to (a), that person shall receive an amount the court determines is reasonable for collecting the civil penalties on behalf of the government. The amount shall be not less than 25 percent and not more than 50 percent of the proceeds of the action and shall be paid out of the proceeds.

Nothing in this Act shall be construed to—

(1) modify, limit, or supersede the operation of any privacy or security provision in—

(A) section 552a of title 5, United States Code (commonly known as the “Privacy Act of 1974”);

(B) the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.);

(C) the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(D) the Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.);

(E) the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.);

(F) title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.);

(G) chapter 119, 123, or 206 of title 18, United States Code;

(H) section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly referred to as the “Family Educational Rights and Privacy Act of 1974”);

(I) section 445 of the General Education Provisions Act (20 U.S.C. 1232h);

(J) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.);

(K) the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), as those regulations relate to—

(i) a person described in section 1172(a) of the Social Security Act (42 U.S.C. 1320d–1(a)); or

(ii) transactions referred to in section 1173(a)(1) of the Social Security Act (42 U.S.C. 1320d–2(a)(1));

(L) the Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et seq.);

(M) section 222, 227, 338, or 631 of the Communications Act of 1934 (47 U.S.C. 222, 227, 338, or 551);

(N) the E-Government Act of 2002 (44 U.S.C. 101 et seq.);

(O) the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.);

(P) Federal Information Security Management Act of 2002 (44 U.S.C. 3541 et seq.);

(Q) the Currency and Foreign Transactions Reporting Act of 1970, as amended (commonly known as the Bank Secrecy Act) (12 U.S.C. 1829b and 1951–1959, 31 U.S.C. 5311–5314 and 5316–5332), including the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, title III of Public Law 107–56, as amended;

(R) the National Security Act of 1947 (50 U.S.C. 3001 et seq.);

(S) the Foreign Intelligence Surveillance Act of 1978, as amended (50 U.S.C. 1801 et seq.);

(T) the Civil Rights Act of 1964 (Public Law 88–352, 78 Stat. 241);

(U) the Americans with Disabilities Act (42 U.S.C. 12101 et seq.);

(V) the Fair Housing Act (42 U.S.C. 3601 et seq.);

(W) the Dodd-Frank Wall Street Reform and Consumer Protection Act (Public Law 111–203, 124 Stat. 1376–2223);

(X) the Equal Credit Opportunity Act (15 U.S.C. 1691 et seq.);

(Y) the Age Discrimination in Employment Act (29 U.S.C. 621 et seq.);

(Z) the Genetic Information Nondiscrimination Act (Public Law 110–233, 122 Stat. 881); or

(AA) any other privacy or security provision of Federal law; or

(2) limit the authority of the Federal Communications Commission to promulgate regulations and enforce any privacy law not in contradiction with this Act.

If any provision of this Act, or the application thereof, is held unconstitutional or otherwise invalid, the validity of the remainder of the Act and the application of such provision shall not be affected thereby.