Sec. 4. Fair Information Practices Principles
824 words·~4 min read·
/bill/116/hr/3900/ih/section-4A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Fair Information Practices Principles described in this section are the following: Except as provided in paragraph (3), personal information should be collected from a child or minor only when collection of the personal information is— consistent with the context of a particular transaction or service or the relationship of the child or minor with the operator, including collection necessary to fulfill a transaction or provide a service requested by the child or minor; or required or specifically authorized by law. The personal information of a child or minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill the purposes described in subparagraphs
(A)through
(D)of paragraph (3). The purposes for which personal information is collected should be specified to the parent of a child or to a minor not later than at the time of the collection of the information. The subsequent use or disclosure of the information should be limited to— fulfillment of the transaction or service requested by the child or minor; support for the internal operations of the website, service, or application, as described in section 312.2 of title 16, Code of Federal Regulations, excluding any activity relating to targeted marketing directed to children, minors, or a device of a child or minor; compliance with legal process or other purposes expressly authorized under specific legal authority; or other purposes— that are specified in a notice to the child or minor; and to which the child or minor has consented under paragraph
(7)before the information is used or disclosed for such other purposes. The personal information of a child or minor should not be retained for longer than is necessary to fulfill a transaction or provide a service requested by the child or minor or such other purposes specified in subparagraphs
(A)through
(D)of paragraph (3). The operator should implement a reasonable and appropriate data disposal policy based on the nature and sensitivity of personal information described in subparagraph (A). The personal information of a child or minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure. The operator should maintain a general policy of openness about developments, practices, and policies with respect to the personal information of a child or minor. The operator should provide to each parent of a child, or to each minor, using the website, online service, online application, or mobile application of the operator with a clear and prominent means— to identify and contact the operator, by, at a minimum, disclosing, clearly and prominently, the identity of the operator and— in the case of an operator who is an individual, the address of the principal residence of the operator and an email address and telephone number for the operator; or in the case of any other operator, the address of the principal place of business of the operator and an email address and telephone number for the operator; to determine whether the operator possesses any personal information of the child or minor, the nature of any such information, and the purposes for which the information was collected and is being retained; to obtain any personal information of the child or minor that is in the possession of the operator from the operator, or from a person specified by the operator, within a reasonable time after making a request, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the child or minor; to challenge the accuracy of personal information of the child or minor that is in the possession of the operator; to determine if the child or minor has established the inaccuracy of personal information in a challenge under clause
(iv)in order to have such information erased, corrected, completed, or otherwise amended; and to determine the method by which the operator obtains data relevant to the child or minor. Nothing in this paragraph shall be construed to permit an operator to erase or otherwise modify personal information requested by a law enforcement agency pursuant to legal authority. The operator should— obtain consent from a parent of a child or from a minor before using or disclosing the personal information of the child or minor for any purpose other than the purposes described in subparagraphs
(A)through
(C)of paragraph (3); and obtain affirmative express consent from a parent of a child or from a minor before using or disclosing previously collected personal information of the child or minor for purposes that constitute a material change in practice from the original purposes specified to the child or minor under paragraph (3). The personal information of a child or minor shall not be used to direct content to the child or minor, or a group of individuals similar to the child or minor, on the basis of race, socioeconomic factors, or any proxy thereof.