Sec. 103. Definitions
1,211 words·~6 min read·
/bill/115/s/2187/is/section-103A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Subject to subsection (b), in this title: The term Commission means the Federal Trade Commission. The term covered entity means any person to whom this title applies under section 151. Except as provided in subparagraph (B), the term covered information means only the following: Personally identifiable information. Unique identifier information. Any information that is collected, used, or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual.
The term covered information does not include the following: Personally identifiable information obtained from public records that is not merged with covered information gathered elsewhere. Personally identifiable information that is obtained from a forum— where the individual voluntarily shared the information or authorized the information to be shared; and that— is widely and publicly available and was not made publicly available in bad faith; and contains no restrictions on who can access and view such information.
Personally identifiable information reported in public media. Personally identifiable information dedicated to contacting an individual at the individual's place of work. The term established business relationship means, with respect to a covered entity and a person, a relationship formed with or without the exchange of consideration, involving the establishment of an account by the person with the covered entity for the receipt of products or services offered by the covered entity.
The term personally identifiable information means only the following: Any of the following information about an individual: The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name. The postal address of a physical place of residence of such individual. An e-mail address. A telephone number or mobile device number. A Social Security number or other Government issued identification number issued to such individual.
The account number of a credit card issued to such individual. Unique identifier information that alone can be used to identify a specific individual. Biometric data about such individual, including fingerprints and retina scans. If used, transferred, or stored in connection with one or more of the items of information described in subparagraph (A), any of the following: A date of birth. The number of a certificate of birth or adoption. A place of birth. Unique identifier information that alone cannot be used to identify a specific individual.
Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address. Information about an individual's quantity, technical configuration, type, destination, location, and amount of uses of voice services, regardless of technology used. Any other information concerning an individual that may reasonably be used by the party using, collecting, or storing that information to identify that individual.
The term sensitive personally identifiable information means— personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or information related to— a particular medical condition or a health record; or the religious affiliation of an individual. The term third party means, with respect to a covered entity, a person that— is— not related to the covered entity by common ownership or corporate control; or related to the covered entity by common ownership or corporate control and an ordinary consumer would not understand that the covered entity and the person were related by common ownership or corporate control; is not a service provider used by the covered entity to receive personally identifiable information or sensitive personally identifiable information in performing services or functions on behalf of and under the instruction of the covered entity; and with respect to the collection of covered information of an individual, does not have an established business relationship with the individual and does not identify itself to the individual at the time of such collection in a clear and conspicuous manner that is visible to the individual.
The term third party may include, with respect to a covered entity, a person who operates under a common brand with the covered entity. The term unauthorized use means the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates. Except as provided in subparagraph (C), the term unauthorized use does not include use of covered information relating to an individual by a covered entity or its service provider as follows:
To process and enforce a transaction or deliver a service requested by that individual. To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning, and product or service improvement or forecasting. To prevent or detect fraud or to provide for a physically or virtually secure environment. To investigate a possible crime. That is required by a provision of law or legal process.
To market or advertise to an individual from a covered entity within the context of a covered entity's own Internet website, services, or products if the covered information used for such marketing or advertising was— collected directly by the covered entity; or shared with the covered entity— at the affirmative request of the individual; or by an entity with which the individual has an established business relationship. Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis, and development.
Use that is necessary for internal operations, including the following: Collecting customer satisfaction surveys and conducting customer research to improve customer service information. Information collected by an Internet website about the visits to such website and the click-through rates at such website— to improve website navigation and performance; or to understand and improve the interaction of an individual with the advertising of a covered entity. Use— by a covered entity with which an individual has an established business relationship; which the individual could have reasonably expected, at the time such relationship was established, was related to a service provided pursuant to such relationship; and which does not constitute a material change in use or practice from what could have reasonably been expected.
A use of covered information regarding an individual by a covered entity or its service provider may only be excluded under subparagraph
(B)from the definition of unauthorized use under subparagraph
(A)if the use is reasonable and consistent with the practices and purposes described in the notice given the individual in accordance with section 121(a)(1). The term unique identifier information means a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user identification, a processor serial number, or a device serial number. If the Commission determines that a term defined in any of paragraphs
(3)through
(8)is not reasonably sufficient to protect an individual from unfair or deceptive acts or practices, the Commission may by rule modify such definition as the Commission considers appropriate to protect such individual from an unfair or deceptive act or practice to the extent that the Commission determines will not unreasonably impede interstate commerce.