A BILL
To restore privacy and ensure security to the citizens of the United States and its Territories.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Right to Consumer Privacy Act”.
SECTION 2. DEFINITIONS.
In this Act:
- COMMISSION.—The term “Commission” means the Federal Trade Commission.
- DATA BROKER.—The term “data broker” means a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.
- CREDIT MERCHANT.—The term “credit merchant” means a commercial entity that allows businesses to accept payments in multiple ways, typically debit or credit cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.
- LOYALTY CARD PROGRAM.—The term “loyalty card program” means an incentive plan that allows a retail business to gather data about its customers. Customers are offered product discounts, coupons, points toward merchandise, or some other reward in exchange for their voluntary participation in the program.
- INTERNET SERVICE PROVIDER.—The term “internet service provider” means an organization that provides services for accessing and using the Internet. Internet service providers may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned.
- EDGE PROVIDER.—The term “edge provider” means any individual or entity that provides any content, application, or service over the Internet, and any individual or entity that provides a device used for accessing any content, application, or service over the Internet.
- NON-PUBLIC INFORMATION.—The term “non-public information” means information about an individual that is—
- of a private nature;
- not available to the general public; and
- not obtained from a public record.
- PUBLIC RECORD INFORMATION.—The term “public record information” means information about an individual that has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
SECTION 3. PROHIBITION ON OBTAINING OR SOLICITATION TO OBTAIN PERSONAL INFORMATION BY FALSE PRETENSES.
- IN GENERAL.—It shall be unlawful to retain, obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by making a false, fictitious, or fraudulent statement or representation to any person, including by providing any document to any person, that the person knows or should know—
- to be forged, counterfeit, lost, stolen, or fraudulently obtained; or
- to contain a false, fictitious, or fraudulent statement or representation.
- SOLICITATION.—It shall be unlawful to request a person to obtain personal information, or any other information, relating to any other person if the person making the request knows or should know that the person to whom the request is made will obtain or attempt to obtain that information in the manner described in subsection (1).
- PENALTY.—A person who violates this section shall be subject to the penalties provided under section 1030 of title 18, United States Code (18 U.S.C. 1030), fraud and related activity in connection with computers.
SECTION 4. DATA BROKER REQUIREMENTS CONCERNING ACCURACY OF AND ACCESS TO PERSONAL INFORMATION.
- ACCURACY.—
- IN GENERAL.—Except as provided in paragraph (2), a covered data broker shall establish procedures to ensure, to the maximum extent practicable, the accuracy of—
- the personal information it collects, assembles, or maintains;
- any other information it collects, assembles, or maintains that specifically identifies an individual, unless the information only identifies an individual’s name or address; and
- the source from which the information was obtained.
- EXCEPTION.—A covered data broker may collect or maintain information that may be inaccurate with respect to a particular individual if that information is being collected or maintained solely for the purpose of—
- indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual;
- helping to identify, or to authenticate the identity of, an individual; or
- helping to protect against or investigate fraud or other unlawful conduct.
- Consumer Access.—
- IN GENERAL.—Subject to paragraph (4), a covered data broker shall provide an individual a means to review or remove any personal information, or other information that specifically identifies that individual, that the covered data broker collects, assembles, or maintains on that individual.
- REVIEW REQUIREMENTS.—The means for review or removal under paragraph (1) shall be provided—
- at an individual’s request;
- after verifying the identity of the individual;
- at any time and without limitation;
- at no cost to the individual; and
- in a format that can be readily understood by a consumer, as determined by the Commission.
- PERIOD OF REVIEW.—A covered data broker shall provide an individual the means required under paragraph (1) within such period after receiving a request from such individual as the Commission shall determine, by rule, is appropriate.
- EXCEPTIONS.—The Commission may, by rule, establish such exceptions to paragraph (1) as the Commission considers appropriate, such as for child protection, law enforcement, fraud prevention, or other government purposes.
- LIMITATION ON USE OF VERIFYING INFORMATION.—If a covered data broker collects information from an individual to verify the identity of the individual under paragraph (2)(B) that the data broker did not have before such collection, the data broker may not use such information for any purpose other than for purposes of verifying the identity of the individual under such paragraph.
- Disputed Information.—
- IN GENERAL.—An individual whose personal information is maintained by a covered data broker may request the removal of any or all records, or dispute the accuracy of any information described under subsection (b)(1), by making a request—
- in writing;
- through an electronic communication platform agreeable to the individual; or
- through a secure Web interface.
- CORRECTION REQUIREMENTS.—A covered data broker, after verifying the identity of an individual making a request under paragraph (1) to correct information, and unless there are reasonable grounds to believe the request is frivolous or irrelevant, shall—
- with regard to public record information—
- inform the individual of the source of the information and, if reasonably available, where to direct the individual’s request for correction;
- if the individual provides proof that the public record has been corrected or that the covered data broker was reporting the information incorrectly, correct the inaccuracy in the covered data broker’s records; or
- remove the information from its database at the direction of the individual;
- with regard to non-public information—
- note the information that is disputed, including the individual’s written request;
- if the information can be independently verified, use the procedures established under subsection (a) to independently verify the information; and
- if the covered data broker was reporting the information incorrectly, correct the inaccuracy in the covered data broker’s records; or
- remove the information at the request of the individual.
- PERIOD OF CORRECTION.—In a case in which a covered data broker is subject to a requirement under paragraph (2) due to a request made by an individual under paragraph (1), such covered data broker shall take such action as may be required to satisfy such requirement within such period as the Commission shall determine, by rule, is appropriate.
- NOTICE.—
- IN GENERAL.—A covered data broker shall maintain an Internet website and place a clear and conspicuous notice on that Internet website instructing an individual how—
- to review or remove information under subsection (b)(1), at the individual’s direction; and
- to express a preference under subsection (e)(2).
- MODEL FORM.—A covered data broker shall ensure that the notice the covered data broker places under paragraph (1) conforms to such model form as the Commission shall promulgate for purposes of this subsection.
- Certain Marketing Information.—
- IN GENERAL.—A covered data broker may not use, share, or sell any information for marketing purposes that is subject to an expressed preference under paragraph (2).
- EXPRESSION OF PREFERENCES.—A covered data broker that maintains any information described under subsection (a) and that uses, shares, or sells that information for marketing purposes shall provide each individual whose information the covered data broker maintains with a reasonable means of expressing a preference not to have that individual’s information used for those purposes.
- AUDITING OF ACCESS.—
- IN GENERAL.—Subject to paragraph (2), each covered data broker shall establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the covered data broker.
- EXCEPTIONS.—The Commission may establish, by rule, such exceptions to paragraph (1) as the Commission considers appropriate to further or protect law enforcement or national security activities.
- Persons Regulated By The Fair Credit Reporting Act.—A covered data broker shall be considered to be in compliance with this section with respect to information that is subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if the covered data broker is in compliance with sections 609, 610, and 611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).
SECTION 5. CREDIT MERCHANT REQUIREMENTS CONCERNING TRANSPARENCY IN TRANSACTIONS.
- IN GENERAL.—A covered credit merchant shall notify consumers when transaction details are being recorded or stored, or transferred to a data broker (section 4)—
- by a sticker affixed to the transaction terminal, plainly visible, stating that the transaction details will be disclosed to third parties and providing a website URL or phone number; or
- by a sign or decal placed in a conspicuous place at the entrance or door of the business notifying consumers that credit or debit transaction details will be disclosed to third parties.
- NOTIFICATION.—The notification provided by website or phone shall identify—
- each data broker (section 4) receiving the data and how to contact that data broker; and
- any other entity that is not a data broker (section 4) receiving the data, including its contact information—
- (i) company or individual name;
- (ii) legal mailing address;
- (iii) phone number; and
- (iv) email address, if available.
- UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act shall be treated as an unfair or deceptive act or practice in or affecting commerce for purposes of section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).
- POWERS OF COMMISSION.—Except as provided in subsection (a)(2) of this section—
- (i) the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act; and
- (ii) any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
- Persons Regulated By The Fair Credit Reporting Act.—A covered credit merchant shall be considered to be in compliance with this section with respect to information that is subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if the covered credit merchant is in compliance with sections 609, 610, and 611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).
SECTION 7. INTERNET SERVICE PROVIDER TRANSPARENCY.
- IN GENERAL.—A provider of a covered service shall provide the users of the service with notice of the privacy policies of the provider with respect to the service. Such notice shall be clear and conspicuous.
- The notice shall identify any data broker (section 4) to which the provider discloses user information.
- AVAILABILITY TO PROSPECTIVE USERS.—The notice required under this section shall be made available to prospective users—
- (i) at the point of sale of, subscription to, or establishment of an account for the covered service, prior to such sale, subscription, or establishment, whether such point of sale, subscription, or establishment is in person, online, over the telephone, or through another means; or
- (ii) if there is no such sale, subscription, or establishment, before the user uses the service.
- PERSISTENT AVAILABILITY.—The notice required under this section shall be made persistently available.
- MATERIAL CHANGES.—A provider of a covered service shall provide users with advance notice of any material change to the privacy policies of the provider. The notice required by this subsection shall be clear and conspicuous.
- APPROVAL BASED ON SENSITIVITY OF INFORMATION.—
- OPT-IN APPROVAL REQUIRED FOR SENSITIVE USER INFORMATION.—Except as provided in subsection (2), a provider of a covered service shall obtain opt-in approval from a user to use, disclose, or permit access to the sensitive user information of the user.
- OPT-OUT APPROVAL REQUIRED FOR NON-SENSITIVE USER INFORMATION.—Except as provided in subsection (2)—
- a provider of a covered service shall obtain opt-out approval from a user to use, disclose, or permit access to any of the non-sensitive user information of the user; or
- if the provider so chooses, the provider may comply with the requirement of paragraph (1) by obtaining opt-in approval from the user to use, disclose, or permit access to any such non-sensitive user information.
- LIMITATIONS AND EXCEPTIONS.—A provider of a covered service may use, disclose, or permit access to user information without user approval for the following purposes:
- In providing the covered service from which such information is derived, or in providing services necessary to, or used in, the provision of such service.
- To initiate, render, bill, and collect for the covered service.
- To protect the rights or property of the provider, or to protect users of the covered service and other service providers from fraudulent, abusive, or unlawful use of the service.
- To provide location information or non-sensitive user information—
- (i) to a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the request of the user for emergency services;
- (ii) to inform the legal guardian of the user, or members of the immediate family of the user, of the location of the user in an emergency situation that involves the risk of death or serious physical harm; or
- (iii) to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
- As otherwise required or authorized by law.
- MECHANISM FOR EXERCISING USER APPROVAL.—
- (i) IN GENERAL.—A provider of a covered service shall make available a simple, easy-to-use mechanism for users to grant, deny, or withdraw opt-in approval or opt-out approval at any time.
- (ii) FORM AND MANNER.—The mechanism required by paragraph (1) shall be—
- clear and conspicuous; and
- made available—
- at no additional cost to the user; and
- in a language other than English, if the provider transacts business with the user in such other language.
- EFFECT OF APPROVAL.—The grant, denial, or withdrawal of opt-in approval or opt-out approval by a user shall—
- (i) be given effect promptly; and
- (ii) remain in effect until the user revokes or limits such grant, denial, or withdrawal of approval.
- SERVICE OFFERS CONDITIONED ON WAIVERS OF PRIVACY RIGHTS.—A provider of a covered service may not—
- condition, or effectively condition, provision of such service on agreement by a user to waive privacy rights guaranteed by law or regulation, including this Act; or
- terminate such service or otherwise refuse to provide such service as a direct or indirect consequence of the refusal of a user to waive any such privacy rights.
- ENFORCEMENT BY FEDERAL TRADE COMMISSION.
- GENERAL APPLICATION.—The requirements of this Act apply, according to their terms, to—
- (i) those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
- (ii) providers of broadband internet access service, notwithstanding the exception in such section for common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).
- UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act shall be treated as an unfair or deceptive act or practice in or affecting commerce for purposes of section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).
- POWERS OF COMMISSION.—Except as provided in subsection (a)(2) of this section—
- (i) the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act; and
- (ii) any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
SECTION 8. LOYALTY AND CLUB CARDS.
- IN GENERAL.—Any company with more than 10,000 employees that offers a loyalty or club card to its consumers shall—
- remove data from a customer’s file after two years of inactivity;
- list the data brokers to which it sells data in its customer privacy statements;
- disclose publicly, and in a conspicuous place on its website, that it is selling information;
- disclose what data is being sold to data brokers; and
- adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, without waiver.
- ENFORCEMENT BY FEDERAL TRADE COMMISSION.
- GENERAL APPLICATION.—The requirements of this Act apply, according to their terms, to—
- those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
- providers of broadband internet access service, notwithstanding the exception in such section for common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).
- UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act shall be treated as an unfair or deceptive act or practice in or affecting commerce for purposes of section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).
- POWERS OF COMMISSION.—Except as provided in subsection (a)(2) of this section—
- the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act; and
- any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.