
Code · BILL · 116th Congress · S. 2968 (Introduced in Senate) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 2

Sec. 2. Definitions


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this Act:

The term affirmative express consent means an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request that meets the requirements of subparagraph (B). The requirements of this subparagraph with respect to a request from a covered entity to an individual are the following: The request is provided to the individual in a standalone disclosure. The request includes a description of each act or practice for which the individual’s consent is sought and— clearly distinguishes between an act or practice which is necessary to fulfill a request of the individual and an act or practice which is for another purpose; and is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice. The request clearly explains the individual’s applicable rights related to consent. An entity shall not infer that an individual has provided affirmative express consent to an act or practice from the inaction of the individual or the individual’s continued use of a service or product provided by the entity.

The term algorithmic decision-making means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques that makes a decision or facilitates human decision-making with respect to covered data.

The term biometric information means any covered data generated from the measurement or specific technological processing of an individual’s biological, physical, or physiological characteristics, including— fingerprints; voice prints; iris or retina scans; facial scans or templates; deoxyribonucleic acid (DNA) information; and gait. Such term does not include writing samples, written signatures, photographs, voice recordings, demographic data, or physical characteristics such as height, weight, hair color, or eye color, provided that such data is not used for the purpose of identifying an individual’s unique biological, physical, or physiological characteristics.

The terms collect and collection mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means, including by passively or actively observing the individual’s behavior.

The term common branding means a shared name, servicemark, or trademark.

The term control means, with respect to an entity— ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity; control in any manner over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or the power to exercise a controlling influence over the management of the entity.

The term Commission means the Federal Trade Commission.

The term covered data means information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data. Such term does not include— de-identified data; employee data; and public records.

The term covered entity means any entity or person that— is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); and processes or transfers covered data. Such term includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with a covered entity. Such term does not include a small business.

The term de-identified data means information that cannot reasonably be used to infer information about, or otherwise be linked to, an individual, a household, or a device used by an individual or household, provided that the entity— takes reasonable measures to ensure that the information cannot be reidentified, or associated with, an individual, a household, or a device used by an individual or household; publicly commits in a conspicuous manner— to process and transfer the information in a de-identified form; and not to attempt to reidentify or associate the information with any individual, household, or device used by an individual or household; and contractually obligates any person or entity that receives the information from the covered entity to comply with all of the provisions of this paragraph.

The term derived data means covered data that is created by the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data about an individual, household, or device used by an individual or household.

The term employee data means— covered data that is collected by a covered entity or the covered entity’s service provider about an individual in the course of the individual’s employment or application for employment (including on a contract or temporary basis) provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for purposes necessary for the individual’s employment or application for employment; covered data that is collected by a covered entity or the covered entity’s service provider that is emergency contact information for an individual who is an employee, contractor, or job applicant of the covered entity provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for the purpose of having an emergency contact for such individual on file; and covered data that is collected by a covered entity or the covered entity’s service provider about an individual (or a relative of an individual) who is an employee or former employee of the covered entity for the purpose of administering benefits to which such individual or relative is entitled on the basis of the individual’s employment with the covered entity, provided that such data is retained or processed by the covered entity or the covered entity’s service provider solely for the purpose of administering such benefits.

The term Executive agency has the meaning given such term in section 105 of title 5, United States Code.

The term individual means a natural person residing in the United States, however identified, including by any unique identifier.

The term large data holder means a covered entity that, in the most recent calendar year— processed or transferred the covered data of more than 5,000,000 individuals, devices used by individuals or households, or households; or processed or transferred the sensitive covered data of more than 100,000 individuals, devices used by individuals or households, or households.

The term process means any operation or set of operations performed on covered data including collection, analysis, organization, structuring, retaining, using, or otherwise handling covered data.

The term processing purpose means an adequately specific and granular reason for which a covered entity processes covered data that clearly describes the processing activity.

The term publicly available information means— information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from widely distributed media; and information that is directly and voluntarily disclosed to the general public by the individual to whom the information relates. Such term does not include— information derived from publicly available information; biometric information; or nonpublicly available information that has been combined with publicly available information.

The term public records means information that is lawfully made available from Federal, State, or local government records provided that the covered entity processes and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity.

The term sensitive covered data means the following forms of covered data: A government-issued identifier, such as a Social Security number, passport number, or driver’s license number. Any information that describes or reveals the past, present, or future physical health, mental health, disability, or diagnosis of an individual. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account. Biometric information. Precise geolocation information that reveals the past or present actual physical location of an individual or device. The content or metadata of an individual’s private communications or the identity of the parties to such communications unless the covered entity is an intended recipient of the communication. An email address, telephone number, or account log-in credentials. Information revealing an individual’s race, ethnicity, national origin, religion, or union membership in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information. Information revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information. Information revealing online activities over time and across third party websites or online services. Calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual. Any other covered data processed or transferred for the purpose of identifying the above data types. Any other covered data that the Commission determines to be sensitive covered data through a rulemaking pursuant to section 553 of title 5, United States Code.

The term service provider means a covered entity that processes or transfers covered data in the course of performing a service or function on behalf of, and at the direction of, another covered entity, but only to the extent that such processing or transferral— relates to the performance of such service or function; or is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims. Such term does not include a covered entity that processes or transfers the covered data outside of the direct relationship between the service provider and the covered entity.

The term service provider data means covered data that is collected by or has been transferred to a service provider by a covered entity for the purpose of allowing the service provider to perform a service or function on behalf of, and at the direction of, such covered entity.

The term small business means an entity that can establish that, with respect to the 3 preceding calendar years (or for the period during which the entity has been in existence if, as of such date, such period is less than 3 years) the entity does not— maintain annual average gross revenue in excess of $25,000,000; annually process the covered data of an average of 100,000 or more individuals, households, or devices used by individuals or households; and derive 50 percent or more of its annual revenue from transferring individuals’ covered data. For purposes of subparagraph (A), the annual average gross revenue, data processing volume, and percentage of annual revenue of an entity shall include the revenue and processing activities of any person that controls, is controlled by, is under common control with, or shares common branding with such entity.

The term third party — means any person or entity that— processes or transfers third party data; and is not a service provider with respect to such data; and does not include a person or entity that collects covered data from another entity if the two entities are related by common ownership or corporate control and share common branding.

The term third party data means covered data that is transferred to a third party by a covered entity.

The term transfer means to disclose, release, share, disseminate, make available, sell, license, or otherwise communicate covered data by any means to a service provider or third party— in exchange for consideration; or for a commercial purpose.

The term unique identifier means an identifier that is reasonably linkable to an individual, household, or device used by an individual or household, including a device identifier, an Internet Protocol address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer number, unique pseudonym, or user alias, telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular individual, a household, or a device.

The term widely distributed media means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis, but does not include an obscene visual depiction as defined in section 1460 of title 18, United States Code.