Sec. 3. Requirements for sensitive personal information
/bill/117/hr/1816/ih/section-3
Not later than 18 months after the date of enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, to require, except as provided in subsection (b), controllers, processors, and third parties to make available to the public involving the collection, transmission, storage, processing, sale, sharing of sensitive personal information, or other use of sensitive personal information from persons operating in or persons located in the United States when the sensitive personal information is collected, transmitted, stored, processed, sold, or shared to meet the following requirements:

Any controller shall provide users whose personal information is collected, transmitted, stored, processed, sold, or otherwise shared with notice, through a privacy and data use policy, of a specific request to collect, transmit, sell, share, or otherwise disclose their sensitive personal information, and shall require that users provide affirmative, express consent to any functionality that involves the sale, sharing, or other disclosure of sensitive personal information, including sharing sensitive personal information with third parties, if the sensitive personal information is to be used by the third party for purposes other than the purposes outlined in the notice.

The documented instruction from a controller to a processor or third party shall adhere to the limits of the consent granted in subparagraph (A), and processors and third parties shall not use or disclose the sensitive personal information for any other purposes or in any way that exceeds the limits of the consent granted in subparagraph (A). Controllers and processors shall not be liable for the failure of another processor or third party to adhere to the limits of an opt-in consent granted under subparagraph (A).

Controllers, processors, and third parties shall publicly maintain an up-to-date, transparent privacy, security, and data use policy that meets general requirements, including that such policy, presented in the context where it applies—
  is concise, intelligible, and uses plain language;
  is clear and conspicuous, consistent with the guidelines of the Federal Trade Commission;
  uses visualizations, where appropriate, to make complex information understandable by the ordinary user; and
  is provided free of charge.
The privacy, security, and data use policy required under paragraph (2) shall include the following:
  Identity and contact information of the entity collecting or processing the sensitive personal information.
  The purpose or use for collecting, storing, processing, selling, sharing, or otherwise using the sensitive personal information.
  Categories of third parties with whom the sensitive personal information will be shared and for what general purposes.
  The process by which individuals may withdraw consent to the collecting, storing, processing, selling, sharing, or other use of the sensitive personal information, including sharing with third parties.
  How a user, controller, or processor can view or obtain the sensitive personal information that they have received or provided to a controller or processor, including whether it can be exported to other web-based platforms.
  The categories of sensitive personal information that are collected by the controller or processor and shared with processors or third parties.
  How sensitive personal information is protected from unauthorized access or acquisition.

For any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information, including sharing with third parties, controllers shall provide users with the ability to opt out at any time. Controllers shall honor an opt-out request from a user under subparagraph (A) to the extent of their role in any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information and shall communicate an opt-out request to the relevant processor or third party with which the controller has shared information regarding that user. Processors or third parties receiving an opt-out pursuant to subparagraphs (A) and (B) shall comply with such opt-out to the extent of their role in any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information. Any controller that communicates an opt-out from a user as required by subparagraph (B) shall not be liable for the failure of a service provider or third party to comply with such opt-out.

Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that requires the processor to process the personal data only on documented instructions from the controller. Processors shall share sensitive personal information with a subcontractor only for purposes of providing services and only after first providing the controller with an opportunity to object. In no event may any contract or documented instructions relieve a controller or a processor from the obligations and liabilities imposed on them by this Act.

Except as provided in subparagraphs (C) and (D), at least once every 2 years, each controller, processor, or third party that has collected, transmitted, stored, processed, sold, shared, or otherwise used sensitive personal information shall—
  obtain a privacy audit from a qualified, objective, independent third party; and
  make publicly available whether or not the privacy audit found the controller, processor, or third party compliant.
Each such audit shall—
  set forth the privacy, security, and data use controls that the controller, processor, or third party has implemented and maintained during the reporting period;
  describe whether such controls are appropriate to the size and complexity of the controller, processor, or third party, the nature and scope of the activities of the controller, processor, or third party, and the nature of the sensitive personal information or behavioral data collected by the controller, processor, or third party;
  certify whether the privacy and security controls operate with sufficient effectiveness to provide reasonable assurance to protect the privacy and security of sensitive personal information or behavioral data, including with respect to data shared with third parties, and that the controls have so operated throughout the reporting period;
  be prepared and completed within 60 days after a substantial change to the controller’s privacy and data use policy described in paragraph (2); and
  be provided—
    to the Federal Trade Commission; and
    to any attorney general of a State, or other authorized State officer, within 10 days of receiving a written request by such attorney general or other authorized State officer, where such officer has presented to the controller, processor, or third party allegations that a violation of this Act or any regulation issued under this Act has been committed by the controller, processor, or third party.

The audit requirements described in this paragraph shall not apply to controllers who collect, store, process, sell, share, or otherwise use sensitive personal information relating to 250,000 or fewer individuals per year. The audit requirements set forth above shall not apply to controllers, processors, or third parties who do not collect, store, process, sell, share, or otherwise use sensitive personal information. The Commission shall promulgate rules regarding the qualifications and requirements of third-party auditors, such as a duty to conduct an independent assessment that does not incentivize the auditor to sell products or services under the guise of a potential violation by the controller when there is not a violation of the Act.

Subsection (a) shall not apply to the processing, transmission, collecting, storing, sharing, or selling of sensitive and non-sensitive personal information for the following purposes:
  Preventing or detecting fraud, identity theft, unauthorized transactions, theft, shoplifting, or criminal activity, including financial crimes and money laundering.
  The use of such information to identify errors that impair functionality or otherwise to enhance or maintain the availability of the services or information systems of the controller for authorized access and use.
  Protecting the vital interests of the consumer or another natural person.
  Responding in good faith to valid legal process or providing information as otherwise required or authorized by law.
  Monitoring or enforcing agreements between the controller, processor, or third party and an individual, including, but not limited to, terms of service, terms of use, user agreements, or agreements concerning monitoring criminal activity.
  Protecting the property, services, or information systems of the controller, processor, or third party against unauthorized access or use.
  Advancing a substantial public interest, including archival purposes, scientific or historical research, and public health, if such processing does not create a significant risk of harm to consumers.
  Uses authorized by the Fair Credit Reporting Act or use by a commercial credit reporting agency.
  Completing the transaction for which the personal information was collected, providing a good or service requested by the consumer that is reasonably anticipated within the context of a business’ ongoing relationship with the consumer, billing or collecting for such good or service, or otherwise performing a contract between the controller and a consumer.
  Complying with other Federal, State, and local law.
  Conducting product recalls and servicing warranties.

The regulations promulgated pursuant to subsection (a) with respect to the requirement to provide opt-in consent shall not apply to the processing, transmission, storage, selling, sharing, or collection of sensitive personal information in which such processing does not deviate from purposes consistent with a controller’s relationship with users as understood by the reasonable user, including, but not limited to—
  carrying out the terms of a contract or service agreement, including elements of a customer loyalty program, with a user;
  accepting and processing a payment from a user;
  completing a transaction with a user, such as through delivering a good or service, even if such delivery is made by a processor or third party;
  marketing goods or services to a user as long as the user is provided with the ability to opt out of such marketing;
  taking steps to continue or extend an existing business relationship with a user, or inviting a new user to participate in a customer promotion, benefit, or loyalty program, as long as the user is provided with the ability to opt out;
  conducting internal research to improve, repair, or develop products, services, or technology; or
  municipal governments.