
Code · BILL · 117th Congress · H.R. 8152 (Reported in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 202

Sec. 202. Transparency


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Each covered entity shall make publicly available, in a clear, conspicuous, not misleading, and easy-to-read and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the data collection, processing, and transfer activities of the covered entity.

A covered entity or service provider shall have a privacy policy that includes, at a minimum, the following:

The identity and the contact information of— the covered entity or service provider to which the privacy policy applies (including the covered entity’s or service provider’s points of contact and generic electronic mail addresses, as applicable for privacy and data security inquiries); and any other entity within the same corporate structure as the covered entity or service provider to which covered data is transferred by the covered entity.

The categories of covered data the covered entity or service provider collects or processes.

The processing purposes for each category of covered data the covered entity or service provider collects or processes.

Whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third party to which the covered entity or service provider transfers covered data, the name of each third-party collecting entity to which the covered entity or service provider transfers covered data, and the purposes for which such data is transferred to such categories of service providers and third parties or third-party collecting entities, except for a transfer to a governmental entity pursuant to a court order or law that prohibits the covered entity or service provider from disclosing such transfer, except for transfers to governmental entities pursuant to a court order or law that prohibits the covered entity from disclosing the transfer.

The length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that timeframe, the criteria used to determine the length of time the covered entity or service provider intends to retain categories of covered data.

A prominent description of how an individual can exercise the rights described in this Act.

A general description of the covered entity’s or service provider’s data security practices.

The effective date of the privacy policy.

Whether or not any covered data collected by the covered entity or service provider is transferred to, processed in, stored in, or otherwise accessible to the People’s Republic of China, Russia, Iran, or North Korea.

The privacy policy required under subsection (a) shall be made available to the public in each covered language in which the covered entity or service provider— provides a product or service that is subject to the privacy policy; or carries out activities related to such product or service.

The covered entity or service provider shall also provide the disclosures under this section in a manner that is reasonably accessible to and usable by individuals with disabilities.

If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before implementing the material change with respect to any prospectively collected covered data and, except as provided in paragraphs (1) through (15) of section 101(b), provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transfer of previously collected covered data under the changed policy.

The covered entity shall take all reasonable electronic measures to provide direct notification regarding material changes to the privacy policy to each affected individual, in each covered language in which the privacy policy is made available, and taking into account available technology and the nature of the relationship.

Nothing in this section may be construed to affect the requirements for covered entities under section 102 or 204.

Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years beginning after the date of enactment of this Act and publish them on its website. Such large data holder shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the date and nature of each material change to its privacy policy over the past 10 years. The descriptions shall be sufficient for a reasonable individual to understand the material effect of each material change. The obligations in this paragraph shall not apply to any previous versions of a large data holder’s privacy policy, or any material changes to such policy, that precede the date of enactment of this Act.

In addition to the privacy policy required under subsection (a), a large data holder that is a covered entity shall provide a short-form notice of its covered data practices in a manner that is— concise, clear, conspicuous, and not misleading; readily accessible to the individual, based on what is reasonably anticipated within the context of the relationship between the individual and the large data holder; inclusive of an overview of individual rights and disclosures to reasonably draw attention to data practices that may reasonably be unexpected to a reasonable person or that involve sensitive covered data; and no more than 500 words in length.

The Commission shall issue a rule pursuant to section 553 of title 5, United States Code, establishing the minimum data disclosures necessary for the short-form notice required under paragraph (1), which shall not exceed the content requirements in subsection (b) and shall include templates or models of short-form notices.