
Code · BILL · 117th Congress · H.R. 8152 (Introduced in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 103

Sec. 103. Privacy by design


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data to—

- consider Federal laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers;
- identify, assess, and mitigate privacy risks related to individuals under the age of 17, if applicable;
- mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including their design, development, and implementation; and
- implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers or covered data the service provider collects, processes, or transfers on behalf of the covered entity and mitigate privacy risks, including substantial privacy risks.

The policies, practices, and procedures established by a covered entity and a service provider under subsection (a), shall correspond with—

- the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entities meeting the requirements of section 209, third party, or third-party collecting entity;
- the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider;
- the volume of covered data collected, processed, or transferred by the covered entity or service provider;
- the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or service provider relates; and
- the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.

Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance as to what constitutes reasonable policies, practices, and procedures as required by this section. The Commission shall consider unique circumstances applicable to nonprofit organizations and covered entities meeting the requirements of section 209.