Sec. 3. Collection and processing of personal data
/bill/116/s/3456/is/section-3
(a)
  (1) Except as provided in paragraphs (2) and (3), a covered entity shall not collect or process personal data of an individual unless—
    (A) the individual has consented explicitly or implicitly to such collection or processing for a specific purpose, in accordance with subsection (b); or
    (B) the covered entity collects or processes the personal data in accordance with a permissible purpose described in subsection (c).
  (2) A covered entity that is a third party with respect to the personal data of an individual may collect or process such personal data without directly obtaining the individual's consent as required under paragraph (1)(A) if—
    (A) the covered entity from whom the third party received the personal data of the individual involved—
      (i) has provided the individual with notice of—
        (I) the fact that the covered entity would disclose the individual's personal data to the third party; and
        (II) the purposes for which the third party will collect or process the personal data of the individual; and
      (ii) the individual has consented to such disclosure and such collection or processing of the individual's personal data; or
    (B) the third party collects or processes the personal data in accordance with a permissible purpose described in subsection (c).
  (3)
    (A) A covered entity that is a third party with respect to the personal data of an individual shall obtain the consent of such individual in accordance with subsection (b) before collecting or processing such personal data if the specific purpose for such collection or processing—
      (i) is not a purpose described in paragraph (1), (2), (4), or (6) of subsection (c); and
      (ii) is different from, or in addition to, the purpose for any collection or processing to which the individual previously consented in accordance with subsection (b).
    (B) For purposes of subparagraph (A), a covered entity that is a third party with respect to the personal data of an individual may reasonably rely on representations made by the covered entity from whom the third party received such data regarding the notice provided to, and the consent obtained from, such individual, provided that the third party has determined, after exercising reasonable due diligence, that the covered entity is credible.
  (4) A service provider may provide notice to, and obtain consent from, an individual in accordance with subsection (b) on behalf of a covered entity.

(b)
  (1)
    (A) Except as provided in subparagraph (B), an individual shall be deemed to have consented to a request to collect or process the individual's personal data if the individual fails to decline the request after being provided with the notice described in paragraph (2) and a reasonable amount of time to respond to the request.
    (B)
      (i) The express affirmative consent of an individual is required to collect or process the personal data of the individual if the collection or processing—
        (I) involves sensitive personal data of the individual; or
        (II) involves the disclosure of personal data to a third party for a purpose that is not described in subsection (c).
      (ii) For purposes of clause (i), the express affirmative consent of an individual to a request to collect or process the personal data of the individual—
        (I) shall be clearly, prominently, and unmistakably stated;
        (II) shall be provided in response to a request that includes the notice described in paragraph (2); and
        (III) cannot be inferred from inaction.
  (2)
    (A) In requesting the consent of an individual to collect or process the individual's personal data, a covered entity shall provide the individual with notice, in a concise, meaningful, timely, prominent, and easy-to-understand format, that includes—
      (i) the types of personal data collected and processed;
      (ii) a description of the purposes for which the covered entity seeks to collect or process that individual's personal data; and
      (iii) the information described in subparagraph (B).
    (B) The notice provided by a covered entity under subparagraph (A) shall include—
      (i) information on how the individual may access the privacy policy of the covered entity described in section 4(a);
      (ii) information on how the individual may exercise the rights provided for under this Act; and
      (iii) notice of whether the collection or processing by the covered entity—
        (I) includes the disclosure of personal data to third parties; or
        (II) involves sensitive personal data.
    (C) If consent is obtained in the context of a notice that also concerns matters other than the collection or processing of personal data, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters.
  (3)
    (A) A covered entity shall provide an individual with the means to withdraw previously given consent to collect or process the personal data of the individual—
      (i) at any time and place that is reasonably practicable; and
      (ii) in a manner that is as accessible as reasonably practicable.
    (B) A withdrawal made under subparagraph (A)—
      (i) shall take effect without undue delay;
      (ii) shall remain in effect until the individual revokes or limits that denial or withdrawal; and
      (iii) shall not apply to any collection or processing of personal data that occurred before the date on which the withdrawal is made.

(c) A covered entity or service provider may collect or process the personal data of an individual without consent to the extent that such collection or processing is reasonably necessary and limited to the following purposes (except that a covered entity that is a third party with respect to personal data may not collect or process such data without consent for the purposes described in paragraphs (3), (5), and (6)):
  (1) To—
    (A) provide a service, perform a contract, or conduct a transaction that the individual has initiated; or
    (B) take steps in furtherance of the request initiated by the individual prior to providing the service or entering into a contract or transaction.
  (2) To comply with a Federal, State, or local law or another applicable legal requirement, including a subpoena, summons, or other properly executed compulsory process, or to exercise or defend a legal claim, as specifically authorized by law.
  (3) To prevent imminent danger to the personal safety of any individual, including by effectuating a product recall pursuant to Federal or State law.
  (4) To protect the rights, property, services, or information systems of the covered entity or service provider, or any individual, including to investigate a possible crime or to protect against security threats, abuse, malicious conduct, deception, fraud, theft, unauthorized transactions, or any other unlawful activity.
  (5) In the case of a covered entity only, to conduct research that—
    (A) is performed for the primary purpose of advancing a broadly recognized public interest;
    (B) is performed by the covered entity (or by a service provider at the direction of the covered entity) and is not disclosed to any third party;
    (C) is broadly compatible with the purposes for which the data was originally collected or processed; and
    (D) adheres to all applicable ethics and privacy laws.
  (6) To—
    (A) perform internal operations or analytics for a product or service offered by the covered entity or service provider, such as billing, shipping, internal systems maintenance, diagnostics, inventory management, financial reporting or accounting, serving an internet website, or network management;
    (B) use on a short-term, transient basis, provided that the personal data—
      (i) is not disclosed to a third party; and
      (ii) is not used to build a persistent profile of the individual;
    (C) in the case of a covered entity only, market or advertise a service or product to an individual if the personal data used for the marketing or advertising was collected directly from the individual by the covered entity or by a service provider on behalf of the covered entity;
    (D) improve a product, service, or activity used, requested, or authorized by the individual, including analytics, forecasting, the repair of errors that impair existing intended functionality, actions to verify or maintain quality or safety of the product, service, or activity, or the ongoing provision of customer service and support by the covered entity or service provider; or
    (E) other additional specific categories of operational purposes that the Commission may define by rule, issued in accordance with section 553 of title 5, United States Code.

(d) A covered entity shall delete or de-identify sensitive personal data, and shall direct its service providers to delete or de-identify sensitive personal data, after the data is no longer reasonably necessary to accomplish the intended purposes permitted by this section, unless such deletion or de-identification is impossible or demonstrably impracticable.

(e) If a covered entity or service provider commences a case under title 11 of the United States Code, and the case or any proceeding under the case is expected to lead to the disclosure of the personal data of any individual, the covered entity or service provider shall, in a reasonable amount of time before the disclosure, provide each individual whose personal data is subject to the disclosure with—
  (1) a notice of the proposed disclosure, including—
    (A) the name of each third party to which the personal data will be disclosed; and
    (B) a description of the policies and practices relating to personal data of each such third party; and
  (2) the opportunity to—
    (A) deny consent, or withdraw previously given consent, to the disclosure of the personal data; or
    (B) request that the covered entity or service provider delete or de-identify the personal data.