Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 116th Congress · S. 2968 (Introduced in Senate) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 203

Sec. 203. Service providers and third parties

456 words·~2 min read·/bill/116/s/2968/is/section-203

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A service provider— shall not process service provider data for any processing purpose other than one performed on behalf of, and at the direction of, the covered entity that transferred such data to the service provider, except that a service provider may process data to comply with a legal obligation or the establishment, exercise, or defense of legal claims; shall not transfer service provider data to a third party without the affirmative express consent, obtained by, or on behalf of, the covered entity, of the individual to whom the service provider data is linked or reasonably linkable; shall delete or de-identify service provider data after the agreed upon end of the provision of services; is exempt from the requirements of sections 102(a), 103, 104, and 105(a) with respect to service provider data, but shall, to the extent practicable— assist the covered entity from which it received the service provider data in fulfilling requests made by individuals under such sections; and shall delete, de-identify, or correct (as applicable), any service provider data that is subject to a verified request from an individual described in section 103 or 104; and is exempt from the requirements of section 106 with respect to service provider data, but shall have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.
A third party— shall not process third party data for a purpose that is inconsistent with the expectations of a reasonable individual; may reasonably rely on representations made by the covered entity that transferred third party data regarding the expectation of a reasonable individual, provided the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible; and upon receipt of any third party data, is exempt from the requirements of section 105(c) with respect to such data, but shall have the same responsibilities and obligations as a covered entity with respect to such data under all other provisions of this Act.
A covered entity shall— exercise reasonable due diligence in selecting a service provider and conduct reasonable oversight of its service providers to ensure compliance with the applicable requirements of this section; and exercise reasonable due diligence in deciding to transfer covered data to a third party, and conduct oversight of third parties to which it transfers data to ensure compliance with the applicable requirements of this subsection. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance for covered entities regarding compliance with this subsection.
The Commission shall have authority under section 553 of title 5, United States Code, to promulgate regulations necessary to carry out the provisions of this section.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.