Sec. 7. Definitions
/bill/117/hr/1816/ih/section-7
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this Act the following definitions apply:

The term call detail record — means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; does not include— the contents (as defined in section (8) of title 18, United States Code) of any communication; the name, address, or financial information of a subscriber or customer; cell site location or global positioning system information; or business customers.

The term clear and prominent means in any communication medium, the required disclosure is— of a type, size, and location sufficiently noticeable for an ordinary consumer to read and comprehend the communication; provided in a manner such that an ordinary consumer is able to read and comprehend the communication; is presented in an understandable language and syntax; includes nothing contrary to, inconsistent with, or that mitigates any statement contained within the disclosure or within any document linked to or referenced therein; and includes an option that is compliant with applicable obligations of the controller under title III of the Americans with Disabilities Act of 1990 (42 U.S.C. 12181 et seq.).

The term collection means buying, renting, gathering, obtaining, receiving, or accessing any sensitive data of an individual by any means.

The term Commission means the Federal Trade Commission.

The term controller means a person that, on its own or jointly with other entities, determines the purposes and means of processing sensitive personal information.

The term de-identified data means information held that— does not identify, and is not linked or reasonably linkable to, and individual or device; does not contain a persistent identifier or other information that could readily be used to de-identify the individual to whom, or the device to which, the identifier or information pertains; is subject to a public commitment by the entity; to refrain from attempting to use such information to identify any individual or device; to adopt technical and organizational measures to ensure that such information is not linked to any individual or device; and is not disclosed by the covered entity to any other party unless the disclosure is subject to a contractually or other legally binding requirement.

The term employee data means— information relating to an individual collected in the course of the individual acting as a job applicant to, or employee (regardless of whether such employee is paid of unpaid, or employed on a temporary basis), owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor; business contact information of an individual, including the individual’s name, position or title, business telephone number, business address, business email address, qualifications, and other similar information that is provided by an individual who is acting in a professional capacity, provided that such information is collected, processed, or transferred solely for purposes related to such individuals’ professional activities; or emergency contact information collected by a covered entity that relates to an individual who is acting in a role described in subparagraph (A).

The term processor means a person that processes data on behalf of a controller or another processor according to and for the purposes set forth in the documented instructions. If a person processes data on its own behalf or for its own purposes, then that person is not a processor with respect to that data but is instead a controller. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the controller’s documented instructions and the context in which personal data is to be processed. A processor shall only remain a processor to the extent that it continues to process data for the sole purposes set forth in the documented instructions of the controller and adheres to those instructions and the limitations in the controller’s privacy policy as communicated to the processor with respect to a specific processing of personal information.

The term sensitive personal information means information relating to an identified or identifiable individual that is— financial account numbers; health information; genetic data; any information pertaining to children under 13 years of age; Social Security numbers; unique government-issued identifiers; authentication credentials for a financial account, such as a username and password; precise geolocation information; content of a personal wire communication, oral communication, or electronic communication such as e-mail or direct messaging with respect to any entity that is not the intended recipient of the communication; call detail records for calls conducted in a personal and not a business capacity; biometric information; sexual orientation, gender identity, or intersex status; citizenship or immigration status; mental or physical health diagnosis; religious beliefs; or web browsing history, application usage history, and the functional equivalent of either that is data described in this subparagraph that is not aggregated data.

The term sensitive personal information does not include— de-identified information (or the measurement, analysis or process utilized to transforming personal data so that it is not directly relatable to an identified or identifiable consumer); information related to employment, including any employee data; personal information reflecting a written or verbal communication or a transaction between a controller and the user, where the user is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the controller occur solely within the context of the controller conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency; or publicly available information.

The term State means each State of the United States, the District of Columbia, and each commonwealth, territory, or possession of the United States.

The term third party means an individual or entity that uses or receives sensitive personal information obtained by or on behalf of a controller, other than— a service provider of a controller to whom the controller discloses the consumer’s sensitive personal information for an operational purpose subject to section 3(a)(1)(B) of this Act; and any entity that uses sensitive personal information only as reasonably necessary— to comply with applicable law, regulation, or legal process; to enforce the terms of use of a controller; to detect, prevent, or mitigate fraud or security vulnerabilities; or does not determine the purposes and means of processing sensitive personal information.

The term transfer means to disclose, release, share, disseminate, make available, or license in writing, electronically or by any other means, for consideration of any kind for a commercial purpose.