
Code · BILL · 117th Congress · H.R. 8152 (Reported in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 203

Sec. 203. Individual data ownership and control



(a) In accordance with subsections (b) and (c), a covered entity shall provide an individual, after receiving a verified request from the individual, with the right to—
    (1) access—
        (A) in a human-readable format that a reasonable individual can understand and download from the internet, the covered data (except covered data in a back-up or archival system) of the individual making the request that is collected, processed, or transferred by the covered entity or any service provider of the covered entity within the 24 months preceding the request;
        (B) the categories of any third party, if applicable, and an option for consumers to obtain the names of any such third party, as well as the categories of any service providers to whom the covered entity has transferred for consideration the covered data of the individual, as well as the categories of sources from which the covered data was collected; and
        (C) a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider;
    (2) correct any verifiable substantial inaccuracy or substantially incomplete information with respect to the covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service providers to which the covered entity transferred such covered data of the corrected information;
    (3) delete covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service providers to which the covered entity transferred such covered data of the individual’s deletion request; and
    (4) to the extent technically feasible, export to the individual or directly to another entity the covered data of the individual that is processed by the covered entity, including inferences linked or reasonably linkable to the individual but not including other derived data, without licensing restrictions that limit such transfers in—
        (A) a human-readable format that a reasonable individual can understand and download from the internet; and
        (B) a portable, structured, interoperable, and machine-readable format.

(b) A covered entity may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in subsection (a) through—
    (1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or
    (2) the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to exercise such right.

(c) Subject to subsections (d) and (e), each request under subsection (a) shall be completed by any—
    (1) large data holder within 45 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual;
    (2) covered entity that is not a large data holder or a covered entity meeting the requirements of section 209 within 60 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual; or
    (3) covered entity meeting the requirements of section 209 within 90 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual.
A response period set forth in this subsection may be extended once by 45 additional days when reasonably necessary, considering the complexity and number of the individual’s requests, so long as the covered entity informs the individual of any such extension within the initial 45-day response period, together with the reason for the extension.

(d) A covered entity—
    (1) shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
    (2) with respect to—
        (A) the first 2 times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge; and
        (B) any time beyond the initial 2 times described in subparagraph (A), may allow the individual to exercise such right for a reasonable fee for each request.

(e) A covered entity may not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—
    (1) cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf;
    (2) reasonably believes that the request is made to interfere with a contract between the covered entity and another individual;
    (3) determines that the exercise of the right would require access to or correction of another individual’s sensitive covered data;
    (4) reasonably believes that the exercise of the right would require the covered entity to engage in an unfair or deceptive practice under section 5 of the Federal Trade Commission Act (15 U.S.C. 45); or
    (5) reasonably believes that the request is made to further fraud, support criminal activity, or the exercise of the right presents a data security threat.
If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity—
    (1) may request that the individual making the request to exercise the right provide any additional information necessary for the sole purpose of verifying the identity of the individual; and
    (2) may not process or transfer such additional information for any other purpose.

(f)
    (A) A covered entity may decline, with adequate explanation to the individual, to comply with a request to exercise a right described in subsection (a), in whole or in part, that would—
        (i) require the covered entity to retain any covered data collected for a single, one-time transaction, if such covered data is not processed or transferred by the covered entity for any purpose other than completing such transaction;
        (ii) be demonstrably impracticable or prohibitively costly to comply with, and the covered entity shall provide a description to the requestor detailing the inability to comply with the request;
        (iii) require the covered entity to attempt to re-identify de-identified data;
        (iv) require the covered entity to maintain covered data in an identifiable form or collect, retain, or access any data in order to be capable of associating a verified individual request with covered data of such individual;
        (v) result in the release of trade secrets or other privileged or confidential business information;
        (vi) require the covered entity to correct any covered data that cannot be reasonably verified as being inaccurate or incomplete;
        (vii) interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity, or enforce valid contracts;
        (viii) violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United States;
        (ix) prevent a covered entity from being able to maintain a confidential record of deletion requests, maintained solely for the purpose of preventing covered data of an individual from being recollected after the individual submitted a deletion request and requested that the covered entity no longer collect, process, or transfer such data;
        (x) fall within an exception enumerated in the regulations promulgated by the Commission pursuant to subparagraph (D); or
        (xi) with respect to requests for deletion—
            (I) unreasonably interfere with the provision of products or services by the covered entity to another person it currently serves;
            (II) delete covered data that relates to a public figure and for which the requesting individual has no reasonable expectation of privacy;
            (III) delete covered data reasonably necessary to perform a contract between the covered entity and the individual;
            (IV) delete covered data that the covered entity needs to retain in order to comply with professional ethical obligations;
            (V) delete covered data that the covered entity reasonably believes may be evidence of unlawful activity or an abuse of the covered entity’s products or services; or
            (VI) for private elementary and secondary schools as defined by State law and private institutions of higher education as defined by title I of the Higher Education Act of 1965, delete covered data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution.
    (B) In a circumstance that would allow a denial pursuant to subparagraph (A), a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so.
    (C) For purposes of subparagraph (A)(ii), the receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable.
    (D) The Commission may, by regulation as described in subsection (g), establish additional permissive exceptions necessary to protect the rights of individuals, alleviate undue burdens on covered entities, prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or as otherwise necessary to fulfill the purposes of this section. In establishing such exceptions, the Commission should consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.

A large data holder that is a covered entity shall, for each calendar year in which it was a large data holder, do the following:
    (1) Compile the following metrics for the prior calendar year:
        (A) The number of verified access requests under subsection (a)(1).
        (B) The number of verified deletion requests under subsection (a)(3).
        (C) The number of requests to opt-out of covered data transfers under section 204(b).
        (D) The number of requests to opt-out of targeted advertising under section 204(c).
        (E) The number of requests in each of subparagraphs (A) through (D) that such large data holder (i) complied with in whole or in part and (ii) denied.
        (F) The median or mean number of days within which such large data holder substantively responded to the requests in each of subparagraphs (A) through (D).
    (2) Disclose by July 1 of each applicable calendar year the information compiled in paragraph (1) within such large data holder’s privacy policy required under section 202 or on the publicly accessible website of such large data holder that is accessible from a hyperlink included in the privacy policy.

Not later than 2 years after the date of enactment of this Act, the Commission shall promulgate regulations, pursuant to section 553 of title 5, United States Code, as necessary to establish processes by which covered entities are to comply with the provisions of this section. Such regulations shall take into consideration—
    (1) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity, including whether the covered entity is a large data holder, nonprofit organization, covered entity meeting the requirements of section 209, third party, or third-party collecting entity;
    (2) the sensitivity of covered data collected, processed, or transferred by the covered entity;
    (3) the volume of covered data collected, processed, or transferred by the covered entity;
    (4) the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates; and
    (5) after consulting the National Institute of Standards and Technology, standards for ensuring the deletion of covered data under this Act where appropriate.

A covered entity shall facilitate the ability of individuals to make requests under subsection (a) in any covered language in which the covered entity provides a product or service. The mechanisms by which a covered entity enables individuals to make requests under subsection (a) shall be readily accessible and usable by individuals with disabilities.
Marginalia · a citizen's law index