Sec. 404. Relationship to Federal and State laws
/bill/117/hr/8152/ih/section-404
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Nothing in this Act or a regulation promulgated under this Act shall be construed to limit—
- the authority of the Commission, or any other Executive agency, under any other provision of law;
- any requirement for a common carrier subject to section 64.2011 of title 47, Code of Federal Regulations, regarding information security breaches; or
- any other provision of Federal law unless specifically authorized by this Act.

A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this title, except for section 208, with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.

A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), and is in compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208 with respect to data subject to the requirements of such regulations, part, title, or Act. Not later than 1 year after the date of enactment of this Act, the Commission shall issue guidance describing the implementation of this paragraph.

No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.

Paragraph (1) shall not be construed to preempt, displace, or supplant the following State laws, rules, regulations, or requirements:
- Consumer protection laws of general applicability such as laws regulating deceptive, unfair, or unconscionable practices.
- Civil rights laws.
- Laws that govern the privacy rights or other protections of employees, employee information, students, or student information.
- Laws that address notification requirements in the event of a data breach.
- Contract or tort law.
- Criminal laws governing fraud, theft, including identity theft, unauthorized access to information or electronic devices, or unauthorized use of information, malicious behavior, or similar provisions, or laws of criminal procedure.
- Criminal or civil laws regarding cyberstalking, cyberbullying, nonconsensual pornography, or sexual harassment.
- Public safety or sector specific laws unrelated to privacy or security.
- Laws that address public records, criminal justice information systems, arrest records, mug shots, conviction records, or non-conviction records.
- Laws that address banking records, financial records, tax records, Social Security numbers, credit cards, credit reporting and investigations, credit repair, credit clinics, or check-cashing services.
- Laws that solely address facial recognition or facial recognition technologies, electronic surveillance, wiretapping, or telephone monitoring.
- The Biometric Information Privacy Act (740 ICLS 14 et seq.) and the Genetic Information Privacy Act (410 ILCS et seq.).
- Laws to address unsolicited email messages, telephone solicitation, or caller ID.
- Laws that address health information, medical information, medical records, HIV status, or HIV testing.
- Laws that address the confidentiality of library records.
- Section 1798.150 of the California Civil Code (as amended on November 3, 2020, by initiative Proposition 24, section 16).

Notwithstanding any other provision of law, sections 222, 338(i), and 631 of the Communications Act of 1934, as amended (47 U.S.C. 222, 338(i), and 551), and any regulation promulgated by the Federal Communications Commission under such sections, shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.

Nothing in this Act, nor any amendment, standard, rule, requirement, assessment, law, or regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any Federal or State common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law, except that the fact of a violation of this Act shall not be pleaded as an element of any such cause of action.