
Code · BILL · 116th Congress · H.R. 5703 (Introduced in House) — To amend the Children’s Online Privacy Protection Act of 1998 to update and expand the coverage of such Act, and for... · Sec. 3

Sec. 3. Unfair or deceptive acts or practices


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 1303 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6502) is amended— in the section heading, by striking and inserting collection and use of personal information from and about children on the internet; processing of covered information from and about young consumers or children by amending subsection (a) to read as follows: It is unlawful for a covered entity that has actual or constructive knowledge that such covered entity is processing covered information about a young consumer or child to process such information in a manner that violates the regulations prescribed under subsection (b).; by amending subsection (b) to read as follows: Not later than 1 year after the date of enactment of the Protecting the Information of our Vulnerable Children and Youth Act, the Commission shall, under section 553 of title 5, United States Code, revise regulations issued under this Act prior to such date of enactment and issue additional regulations as necessary that implement the requirements and prohibitions set forth in paragraphs
(1) through (7). The Commission shall have the authority to revise such regulations every 7 years or as it determines necessary due to changes in or emerging technology. Such regulations shall require a covered entity to develop and make publicly available at all times and in a machine-readable format, a privacy policy, in a manner that is clear, easily understood, and written in plain and concise language, that includes— the categories of covered information that the covered entity processes about young consumers and children; how and under what circumstances covered information is collected directly from a young consumer or child; the categories and the sources of any covered information processed by a covered entity that is not collected directly from a young consumer or child; a description of the purposes for which the covered entity processes covered information, including— a description of whether and how the covered entity customizes products or services, or adjusts the prices of products or services for young consumers or children or based in any part on processing of covered information; a description of whether and how the covered entity, or the covered entity’s affiliates or service providers, de-identifies information, including the methods used to de-identify such information; and a description of whether and how the covered entity, or the covered entity’s affiliates or service providers, generates or uses any consumer score to make decisions concerning a young consumer or child, and the source or sources of any such consumer score; a description of how long and the circumstances under which the covered entity retains covered information; a description of all of the purposes for which the covered entity discloses covered information with service providers and, on a biennial basis, the categories of service providers; a description of whether and for what purposes the covered entity discloses information to third parties; whether a covered entity sells
or otherwise shares covered information with data brokers or processes covered information for targeted advertising; whether a covered entity collects covered information about young consumers or children over time and across different websites or mobile applications when a young consumer or child uses the covered entity’s website or mobile application; how a young consumer or a parent of a child can exercise their rights to access, correct, and delete such young consumer’s or child’s covered information as set forth under paragraph (5); how a young consumer or a parent of a child can grant, withhold, or withdraw the consent required under paragraph (2), including how to modify consent for the processing of covered information, and the consequences of withholding, withdrawing, or modifying such consent; the effective date of the notice; and how the covered entity will communicate material changes of the privacy policy to the young consumer or the parent of a child. Such regulations shall require a covered entity that has actual or constructive knowledge that such covered entity is processing covered information about a young consumer or child— to provide clear and concise notice to a young consumer or the parent of a child of the items of covered information about such young consumer or child, respectively, that is processed by such covered entity and how such covered entity processes such covered information and obtain verifiable consent for such processing; and if such covered entity determines, including through constructive knowledge, that such covered entity has not obtained verifiable consent for the processing of covered information about a young consumer or child, to, not later than 48 hours after such determination— obtain verifiable consent; or delete all covered information about such young consumer or child. 
Such regulations shall provide that verifiable consent under this paragraph is not required in the case of— online contact information collected from a young consumer or child that— is used only to respond directly on a one-time basis to a specific request from the young consumer or child; is not used to re-contact the young consumer or child; and is not retained by the covered entity after responding as described in subclause (I); a request for the name or online contact information of a young consumer or the parent of a child that is used for the sole purpose of obtaining verifiable consent or providing notice under subparagraph (A)(i) and where such information is not retained by the covered entity if verifiable consent is not obtained within 48 hours; or the processing of such information by the covered entity is necessary— to respond to judicial process; or to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety. Such regulations shall further provide a young consumer or the parent of a child, as applicable, a mechanism to withdraw his or her consent at any time in a manner that is as easy as the mechanism to give consent. Such withdrawal of consent shall not be construed to affect the lawfulness of any processing based on verifiable consent before such withdrawal. Such regulations shall prohibit a covered entity from refusing to provide a service, or discontinuing a service provided, to a young consumer or child, if the young consumer or parent of the child, as applicable, refuses to consent, or withdraws consent, to the processing of any covered information not essential to the covered entity to provide such service. 
Subject to the exceptions provided in subparagraph (B), such regulations shall prohibit a covered entity from keeping, retaining, or otherwise storing covered information for longer than is reasonably necessary for the purposes for which the covered information is processed. Further retention of covered information shall not be considered to be incompatible with the purposes of processing described in subparagraph
(A) if such processing is necessary and done solely for the purposes of— compliance with laws, regulations, or other legal obligations; preventing risks to the health or safety of a child or young adults or groups of children or young adults; or repairing errors that impair existing functionality. Such regulations shall prohibit a covered entity from disclosing covered information to a third party unless the covered entity has a written agreement with such third party that— specifies all of the purposes for which the third party may process the covered information for which the covered entity has verifiable consent; prohibits the third party from processing covered information for any purpose other than the purposes specified under clause (i); and requires the third party to provide at least the same privacy and security protections as the covered entity; or Such regulations shall require a covered entity— to perform reasonable due diligence in selecting any third party to enter into an agreement under subparagraph
(A) and to exercise reasonable oversight over all such third parties to assure compliance with the requirements of this Act; and if the covered entity has actual or constructive knowledge that a third party has violated the agreement described in subparagraph
(A) to— to the extent practicable, promptly take steps to ensure compliance with such agreement; and promptly report to the Commission that such a violation occurred. Such regulations shall require a covered entity, upon request of a young consumer or the parent of a child and after proper identification of such young consumer or parent, to promptly provide to such young consumer or parent, as applicable— access to all covered information pertaining to such young consumer or child including a description of— each type of covered information processed by the covered entity pertaining to the young consumer or child, as applicable; each purpose for which the covered entity processes each category of covered information pertaining to the young consumer or child, as applicable; the names of each third party to which the covered entity disclosed the covered information; each source other than the young consumer or child, as applicable, from which the covered entity obtained covered information pertaining to that young consumer or child, as applicable; how long the covered information will be retained or stored by the covered entity and, if not known, the criteria the covered entity uses to determine how long the covered information will be retained or stored by the covered entity; and with respect to any consumer score of the young consumer or child, as applicable, processed by the covered entity, of— how such consumer score is used by the covered entity to make decisions with respect to that young consumer or child, as applicable; and the source that created the consumer score if not created by the covered entity; and a simple and reasonable mechanism by which a young consumer or parent of a child may request access to the information described under clause (i), as applicable.
Such regulations shall require a covered entity, subject to the exceptions established under subparagraph (D)— to establish a simple and reasonable mechanism by which a young consumer or parent of a child with respect to whom the covered entity processes covered information may request the covered entity to delete any covered information (or any component thereof); and to delete such covered information not later than 45 days after receiving such request. Such regulations shall require a covered entity, subject to the exceptions established under subparagraph (D)— to provide each young consumer or parent of a child with respect to whom the covered entity processes covered information, as applicable, a simple and reasonable mechanism by which that young consumer or parent may submit a request to the entity— to dispute the accuracy or completeness of that covered information, or part or component thereof; and to request that such covered information, or part or component thereof, be corrected for accuracy or completeness; and not later than 45 days after receiving a request under clause (i)— to determine whether the covered information disputed or requested to be corrected is inaccurate or incomplete; and to correct the accuracy or completeness of any covered information determined by the covered entity to be inaccurate or incomplete. Such regulations shall permit a covered entity to deny a request made under subparagraphs (A), (B), or
(C) if— the covered entity is unable to verify the identity of the young consumer or parent of a child making the request after making a reasonable effort to verify the identity of such young consumer or parent; or with respect to the request made, the covered entity determines that— the entity is limited from doing so by law, legally recognized privilege, or other legal obligation; or fulfilling the request would create a legitimate risk to the privacy, security, or safety of someone other than the young consumer or child, as applicable; or with respect to a request to correct covered information made under subparagraph
(C) or a request to delete covered information made under subparagraph (D), the covered entity determines that the retention of the covered information is necessary to— complete the transaction with the young consumer or child, as applicable, for which the covered information was collected; provide a product or service affirmatively requested by the young consumer or parent of a child, as applicable; perform a contract with the young consumer or a parent of a child, as applicable, including a contract for billing, financial reporting, or accounting; to keep a record of the covered information for law enforcement purposes; or identify and repair errors that impair the functionality of the Internet website or online service; or the covered information is used in public or peer-reviewed scientific, medical, or statistical research in the public interest that adheres to commonly accepted ethical standards or laws, with informed consent consistent with section 50.20 of title 21, Code of Federal Regulations, provided that the research must already be in progress at the time of request to access, correct, or delete is made under subparagraphs (A), (B), or (C). Such regulations shall prohibit a covered entity from refusing to provide a service, or discontinuing a service provided, to a young consumer or child, if the young consumer or parent of the child, as applicable, exercises any of the rights set forth in regulations under this paragraph.
Such regulations shall prohibit a covered entity from— processing any covered information in a manner that is inconsistent with what a reasonable young consumer or parent of a child would expect in the context of a particular transaction or the young consumer’s or parent’s relationship with such covered entity or seeking to obtain verifiable consent for such processing; providing targeting advertisements or engaging in other marketing to a specific child, based on that child’s covered information or behavior, or based on the covered information or behavior of children who are similar to that child in gender, income level, age, race, or ethnicity; and conditioning the participation of a child in a game, sweepstakes, or other contest on consenting to the processing of more covered information than is necessary for such child to participate. Nothing in subparagraph
(A) shall prohibit a covered entity from processing covered information if necessary solely for purposes of— detecting and preventing security incidents; preventing imminent danger to the personal safety of an individual or group of individuals; identifying and repairing errors that impair the functionality of the Internet website or online service; or complying with any Federal, State, or local law, rule, regulation, or other legal obligation, including civil, criminal, or regulatory inquiries, investigations, subpoenas, disclosures of information required by a court order or other properly executed compulsory process. Such regulations shall prohibit a covered entity that de-identifies information, and any third party with which the covered entity discloses such de-identified information, from re-identifying, or attempting to re-identify, any information that the covered entity has de-identified. Such regulations shall also require a covered entity to contractually prohibit any third party with which the covered entity discloses such de-identified information from re-identifying or attempting to re-identify such information. Such regulations shall require a covered entity to establish and implement reasonable security policies, practices, and procedures for the treatment and protection of covered information, taking into consideration— the size, nature, scope, and complexity of the activities engaged in by such covered entity; the sensitivity of any covered information at issue; the state of the art in administrative, technical, and physical safeguards for protecting such information; and the cost of implementing such policies, practices, and procedures. Such regulations shall require the policies, practices, and procedures established pursuant to regulations issued under subparagraph
(A) to include the following: A written security policy with respect to the processing of such covered information. The identification of an officer or other individual as the point of contact with responsibility for the management of information security. A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such covered entity that contains such covered information, including regular monitoring for a breach of security of such system or systems. A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by clause (iii), which may include— implementing any changes to the security practices, architecture, installation, or implementation of network or operating software; and regular testing or otherwise monitoring the effectiveness of the safeguards. A process for determining if the covered information is no longer needed and deleting such covered information by shredding, permanently erasing, or otherwise modifying the covered information contained in such data to make such covered information permanently unreadable or indecipherable. A process for overseeing persons who have access to covered information, including through Internet-connected devices, by— taking reasonable steps to select and retain persons that are capable of maintaining appropriate safeguards for the covered information or Internet-connected devices at issue; and requiring all such persons to implement and maintain such security measures. A process for employee training and supervision for implementation of the policies, practices, and procedures required by this subsection. A written plan or protocol for internal and public response in the event of a breach of security.
Such regulations shall require a covered entity, not less frequently than every 12 months, to monitor, evaluate, and adjust, as appropriate, the policies, practices, and procedures of such covered entity in light of any relevant changes in— technology; internal or external threats and vulnerabilities to covered information; and the changing business arrangements of the covered entity. Such regulations shall require a covered entity to submit the policies, practices, and procedures of the covered entity to the Commission in conjunction with a notification of a breach of security required by any Federal or State statute or regulation or upon request of the Commission.; and in subsection (c)— by inserting subsection (a)(2) or after violation of; and by striking under subsection (a) and inserting under subsection (b).