Sec. 202. Transparency
800 words·~4 min read·
/bill/117/hr/8152/ih/section-202·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Each covered entity and service provider shall make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities. The privacy policy required under subsection
(a)shall include, at a minimum, the following: The identity and the contact information of— the covered entity or service provider (including the covered entity’s or service provider’s points of contact, generic electronic mail addresses, and phone numbers of the covered entity, as applicable for privacy and data security inquiries); and any other entity within the same corporate structure as, and under common branding with, the covered entity or service provider to which covered data is transferred by the covered entity. The categories of covered data the covered entity or service provider collects or processes. The processing purposes for each category of covered data the covered entity or service provider collects or processes. Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third party to which the covered entity or service provider transfers covered data, the name of each third-party collecting entity to which the covered entity or service provider transfers covered data, and the purposes for which such data is transferred to such categories of service providers and third parties or third-party collecting entities, except for transfers to governmental entities pursuant to a court order or law that prohibits the covered entity from disclosing such transfer. The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that time frame, the criteria used to determine the length of time the covered entity intends to retain categories of covered data. A prominent description of how an individual can exercise the rights described in this Act. A general description of the covered entity’s or service provider’s data security practices. The effective date of the privacy policy. Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored in or otherwise accessible to the People’s Republic of China, Russia, Iran, or North Korea. The privacy policy required under subsection
(a)shall be made available to the public in each language in which the covered entity or service provider— provides a product or service that is subject to the privacy policy; or carries out activities related to such product or service. The covered entity or service provider shall also provide the disclosures under this section in a manner that is readily accessible to and usable by individuals with disabilities. If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any previously collected covered data and, except as provided in section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transferring of covered data under the changed policy. The covered entity shall take all reasonable measures to provide direct notification regarding material changes to the privacy policy to each affected individual, in each language that the privacy policy is made available, and taking into account available technology and the nature of the relationship. Nothing in this section shall be construed to affect the requirements for covered entities under section 102 or 204. Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years and publish them on its website. It shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the data and nature of each material change over the past 10 years. The descriptions shall be sufficient for a reasonable individual to understand the material effect of each material change. In addition to the privacy policy required under subsection (a), a large data holder must provide a short-form notice of its covered data practices in a manner that is— concise, clear, and conspicuous; readily accessible, based on the way an individual interacts with the large data holder and its products or services and what is reasonably anticipated within the context of the relationship; inclusive of an overview of individual rights and disclosures to reasonably draw attention to data practices that may reasonably be unexpected or that involve sensitive covered data; and no more than 500 words in length. The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice which shall not exceed the content requirements in subsection
(b)and shall include templates and/or models of short-form notices.