Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 116th Congress · S. 2398 (Introduced in Senate) — To amend the Federal Election Campaign Act of 1971 to ensure privacy with respect to voter information. · Sec. 4

Sec. 4. Voter data privacy

3,028 words·~14 min read·/bill/116/s/2398/is/section-4

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Title III of the Federal Election Campaign Act of 1971 ( 52 U.S.C. 30101 ) is amended by adding at the end the following new subtitle: In this subtitle: The term covered entity means— any candidate, political committee, national committee, connected organization, or political party (as those terms are defined in section 301); any political organization under section 527 of the Internal Revenue Code of 1986; and any person that obtains an individual’s personal information for the purpose of conducting— a public communication as defined in section 301(22), except for purposes of this subtitle such term includes a communication by means of any paid internet or paid digital communication; an electioneering communication as defined in section 304(f)(3); any communication that would be an electioneering communication as defined in such section if such section were applied— by taking into account communications made over the internet; without regard to subparagraph (A)(i)(III) of such section with respect to communications described in subclause
(I)of this clause; and by treating the facilities of any online or digital newspaper, magazine, blog, publication, or periodical in the same manner as the facilities of a broadcasting station for purposes of subparagraph (B)(i) of such section; an independent expenditure as defined in section 301(17); or a generic campaign activity as defined in section 301(21). The term targeting service means any interactive computer service, as defined in section 230(f)(2) of the Communications Act of 1934 ( 42 U.S.C. 230(f)(2) ), that allows a third party to target communications to an individual based on that individual’s personal information. The term individual means a natural person, however identified, including by any unique identifier. Subject to subparagraph (B), the term personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household that includes— identifiers such as internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; characteristics of any protected class under title VII of the Civil Rights Act of 1964 ( 42 U.S.C. 2000e et seq.); commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet or other electronic network activity information, including browsing history, search history, and information regarding consumer’s interaction with an internet website, application, or advertisement; geolocation data; health insurance information; audio, electronic, visual, thermal, olfactory, or similar information; professional or employment-related information; education information; and inferences drawn from any of the information identified in this subparagraph to create a profile regarding an individual reflecting the individual’s preferences, characteristics, psychological traits, psychographic modeling, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. The term personal information does not include the following: Publicly available information. Deidentified information. Aggregate polling information. For purposes of clause (i): The term publicly available information means information obtained from a Federal, State, or local voter registration database that is lawfully made available to the public. The term deidentified information means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual. The term aggregate polling information means information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any known individual, including via a device or other unique identifier. The term biometric information means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information. The term health insurance information means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify a person, or any information in the individual’s application and claims history. The term categories of personal information means the enumerated categories of information described in clauses
(i)through
(xi)of paragraph (4)(A), except as modified pursuant to regulations or guidance of the Commission pursuant to section 359(b). The term verifiable request means a request made by an individual that a covered entity can reasonably verify, pursuant to regulations adopted by the Commission pursuant to section 359, to be the individual about whom the covered entity has collected information. The terms collect or collected mean, with respect to an individual, any personal information that is gathered directly from that individual. The term received means any individual’s personal information that is not collected by a covered entity directly from that individual, including any personal information that is bought, rented, licensed, acquired, or accessed, by a covered entity from any third party. The term obtained means any personal information that is either collected or received. The term processing means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means. The term third party means a person who is not— the person that collects an individual’s personal information directly from that individual; or a person to whom a covered entity discloses an individual’s personal information for processing pursuant to a written contract, provided that the contract prohibits the person receiving the personal information from— selling or transferring the personal information to a third party; or retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the written contract. An individual shall have the right to direct a covered entity that obtains an individual’s personal information to disclose to that individual the categories of personal information and specific pieces of personal information the covered entity has obtained with respect to the individual. A covered entity that receives a verifiable request from an individual to access that individual’s personal information pursuant to subsection (a), shall provide the requested information in accordance with subsection (e). A covered entity shall provide the information specified in subsection
(a)only upon receipt of a verifiable request. A covered entity shall comply with all verifiable requests made pursuant to subsection
(a)within a reasonable period after receiving such a request, but not later than 10 calendar days after receiving such a request. Each request under subsection (a), with respect to the personal information of the requesting individual, shall include the following: The categories of personal information obtained regarding that individual. The specific sources from which the personal information was obtained. The specific third party or third parties to whom the personal information has been transferred or disclosed. The period for which the personal information will be stored by the covered entity. The existence of the right of an individual to request a copy of that individual’s specific pieces of personal information under subsection (f). The existence of the right of an individual to request erasure of that individual’s personal information under section 353. The existence of the right to request prohibition of the transfer of personal information to any third party under section 354. Information regarding the right to lodge a complaint with the Commission under section 309(a) as described in section 356 regarding any potential violation of this subtitle. In addition to the information provided under subsection (e), upon specific, verifiable request an individual shall have the right to access all of that individual’s specific pieces of personal information obtained by a covered entity. A covered entity shall provide information as required under this section to the requesting individual in a concise, and easily accessible form, using clear and plain language. The information required under this subsection may be delivered by mail or electronic mail, or made available via a secured internet website. A covered entity that receives a verifiable request from an individual shall provide information required under this section free of charge. A covered entity shall not be required to provide an individual's personal information to the individual pursuant to this section more than two times in a 12-month period. No third party shall submit a verifiable request to a covered entity on behalf of another individual. No individual may authorize a third party to submit a verifiable request to a covered entity on their behalf. An individual shall have the right to direct a covered entity to delete any of that individual’s personal information obtained by a covered entity. A covered entity that receives a verifiable request to delete an individual's personal information pursuant to subsection (a)— shall immediately cease processing such personal information, and as soon as practicable, permanently delete such information, except as provided under subsections (c), (d), and (e); and shall not, unless the covered entity receives written authorization from the individual, re-collect or otherwise obtain any of the individual's personal information, except as provided under such subsections. The requirement to delete personal information in subsection
(b)does not apply to publicly available information as defined in this subtitle. Notwithstanding subsections
(a)and (b), a covered entity shall maintain such personal information as is necessary to maintain adequate records of a request to delete information under subsection
(a)or to comply with section 352(e)(3) and section 354 of this subtitle. Any personal information retained consistent with this subsection shall not be processed for any other purpose, and shall be reviewable by the Commission. A covered entity shall provide confirmation to the individual requesting deletion of personal information under subsection
(a)not later than 5 days following the deletion of the information. An individual shall have the right to direct a covered entity not to sell or otherwise transfer any of that individual’s personal information obtained by a covered entity to any third party. A covered entity that receives a verifiable request from an individual not to transfer that individual’s personal information pursuant to subsection (a), shall not transfer that personal information directly or indirectly to a third party. A covered entity that seeks to sell or transfer an individual’s personal information to any third party shall provide notice as required under section 355(b)(3). Notwithstanding section 353, a covered entity shall retain sufficient records, including any necessary personal information, to determine whether an individual has directed the covered entity not to transfer that individual’s data to a third party. Any personal information retained pursuant to this section shall not be used for any other purpose, and shall be reviewable by the Commission. It shall be unlawful for any covered entity to knowingly transfer outside of the United States any individual’s personal information, publicly available information, or anonymized information as defined in this subtitle. Any person who violates paragraph
(1)shall be fined under title 18, United States Code, imprisoned not more than 3 years, or both. A covered entity that receives any individual’s personal information from a third party shall inform such individual as to the scope and purpose of receiving such personal information. A covered entity shall provide notice required in subsection
(a)to an individual within a reasonable period after receiving that individual’s personal information, but not later than— except as provided in paragraphs
(2)and (3), 30 days after receiving such information, or if personal information is received in an anonymized format then 30 days after the personal information is connected to an identifiable individual; if the personal information is to be used for a communication or targeted advertisement with an individual, at the time of the first communication with that individual; and if the personal information is to be transferred or sold to a third party, 14 days prior to that transfer or sale. Notice required under subsection
(a)shall include the following: The identity and the contact information of the covered entity. The categories of personal information received. The purposes for which the personal information was received. The period for which the personal information will be retained. The existence of the right to request from the covered entity access to all specific pieces of personal information under section 352(f). The existence of the right of an individual to request erasure of all that individual’s personal information obtained by a covered entity under section 353. The existence of the right of an individual to prohibit the transfer of that individual’s personal information to a third party under section 354. Information regarding the right to lodge a complaint with the Commission under section 309(a) as described in section 357 regarding any violation of this subtitle. Notice required under subsection
(a)shall be provided in a concise and easily accessible form, using clear and plain language. Notice required under subsection
(a)shall be provided at no cost to any individual with respect to whom a covered entity has received personal information. A covered entity shall not receive additional categories of personal information, process personal information for an additional purpose, or transfer personal information to an additional third party without providing such persons notice consistent with this section. An individual shall have the right to prohibit a targeting service from using that individual's personal information to deliver targeted communications to that individual— on behalf of a covered entity; and on behalf of all covered entities. A targeting service that receives a verifiable request pursuant to paragraph
(1)or
(2)of subsection (a)— shall immediately cease providing access, use, or processing of that individual’s personal information to any or all covered entities with respect to which such request is made, including for use in delivering targeted communications to that individual based on that individual’s personal information; and shall not provide any future access, use, or processing of that individual’s personal information to any or all covered entities with respect to which such request is made, including for use in delivering targeted communications to that individual based on their personal information without express written permission from that individual. A covered entity shall provide notice to a targeting service of the covered entity's status as a covered entity under this subtitle, prior to accessing, using, or processing any individual’s personal information provided by the targeting service. A targeting service shall provide notice to any individual whose personal information is accessed, used, or processed, including for use in delivering a targeted communication based on that individual’s personal information, by a covered entity. Notice required under paragraph (1)(B) shall include— the identity and the contact information for the targeting service; the identity and the contact information of the covered entity; the categories of personal information accessed, used, or otherwise made available to a covered entity, including any personal information used to target an advertisement or other information to that individual on behalf of a covered entity; and information on the right of an individual to prohibit a covered entity or all covered entities from using a targeting service to deliver advertisements or other information to that individual based on that individual’s personal information under this section. Notice required under paragraph (1)(B) shall be provided by a targeting service at the time of each targeted communication with an individual by the targeting service on behalf of a covered entity that is based on the individual’s personal information. Notice required under paragraph (1)(B) shall be provided in a concise and easily accessible form, using clear and plain language. A targeting service shall provide confirmation of an individual’s verifiable request to prohibit targeted communications from a covered entity or all covered entities based on that individual’s personal information not later than 3 days following receipt of a verifiable request from that individual pursuant to subsection (a). A targeting service shall maintain adequate records of any individual’s request under subsection
(a)and, if applicable, any written permission provided under subsection (b)(2) to ensure such individuals do not receive targeted communications from a covered entity unless such written permission is provided. A covered entity shall maintain records of all notices provided to a targeting service as required under subsection (c)(1)(A). All records required under this subsection shall be reviewable by the Commission. Nothing in this section shall be interpreted— to prohibit a covered entity from using a targeting service to deliver information to an individual that is not based on that individual’s personal information; or to prohibit a targeting service from using an individual’s personal information to deliver targeted communications to that individual on behalf of a third party that is not a covered entity. An individual who believes a violation of this subtitle has occurred may file a complaint with the Commission pursuant to section 309(a). Any person who knowingly and willfully commits a violation of any provision of this subtitle shall be fined under this title or imprisoned not more than 3 years, or both. Not later than 180 days after the date of enactment of this subtitle, the Commission shall conduct a rulemaking to implement the requirements of this subtitle, including to provide guidance on the definition of a verifiable request , which will ensure individuals can exercise their rights under this subtitle in a secure manner. The Commission shall produce and update as needed guidance and regulations relating to adding categories of personal information for purposes of this subtitle in addition to those described in section 351(4)(A), in order to address changes in technology, data practices of covered entities, and privacy concerns. . If any provision of this Act or amendment made by this Act, or the application of a provision or amendment to any person or circumstance, is held to be unconstitutional, the remainder of this Act and amendments made by this Act, and the application of the provisions and amendment to any person or circumstance, shall not be affected by the holding. The amendments made by this Act shall apply with respect to personal information obtained, stored, or processed on or after 360 days after the date of enactment of this Act, and shall take effect without regard to whether or not the Federal Election Commission has promulgated regulations to carry out such amendments.
Connectionstraces to 3
Citation graph
cites case law
Sec. 4
Voter data privacy
U.S.C.§ 30101
U.S.C.§ 230
U.S.C.§ 2000e
Cites 3Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.