Sec. 5. Individual control
Research copy of /bill/117/s/1494/is/section-5; for the controlling text, check the official federal source.
Each covered entity shall— provide each individual whose personal data is collected or processed by the covered entity with a reasonably accessible, clear and conspicuous, and easy-to-use means to exercise the individual's rights established under this section with respect to such data; if applicable, offer the means required under paragraph (1) through the same means that the individual routinely uses to interact with the covered entity; and make the means required under paragraph (1) available at no additional cost to the individual.

A covered entity shall, in response to a verified request from an individual— confirm whether or not the covered entity has collected or processed the personal data of the individual; and if the covered entity has collected or processed the personal data of the individual, provide, within a reasonable time after receiving the request, the individual with— a copy, or an accurate representation, of the personal data pertaining to the individual collected and processed by the covered entity; and a list of the categories of third parties to which the covered entity has disclosed the personal data of the individual, if applicable. The covered entity shall provide the information described in paragraph (1)(B) in an electronic format unless— the individual requests to receive the information by other means; or providing the information electronically is impossible or demonstrably impracticable. If a covered entity provides an individual with information in an electronic format under subparagraph (A), the covered entity shall, where technically feasible and reasonably practicable, provide the individual with— the ability to export the personal data generated and submitted by the individual in a structured, commonly-used, and machine-readable format; and the ability to transmit such information to another entity without constraints or conditions.

A covered entity shall establish reasonable procedures designed to— ensure that the personal data that the covered entity collects and processes with respect to an individual is accurate and up-to-date; and provide individuals with the ability to submit a verified request to the covered entity to— dispute the accuracy and completeness of such personal data; and request the appropriate correction of such personal data. Each covered entity shall ensure that the ability of an individual to dispute or request that the covered entity correct personal data as described in paragraph (1) is provided in a manner that is appropriate and reasonable based on the benefits and risks of harm to the individual regarding the accuracy of the personal data. A covered entity shall not be required to verify the accuracy of publicly available information if the covered entity has reasonable procedures to ensure that the publicly available information assembled or maintained by the covered entity accurately reflects the information available to the general public.

Except for personal data collected and processed in accordance with a permissible purpose described in section 3(c), upon a verified request from an individual, a covered entity shall, without undue delay, delete or de-identify the personal data of the individual, and shall direct any service providers of the covered entity to delete or de-identify such data. In determining whether a covered entity that is a small business has complied with a verified request under paragraph (1) in a timely fashion, the Commission shall take into account the amount of time that the entity requires to comply with the request considering the technical feasibility, cost, and burden to the entity of complying with the request.

A covered entity— shall comply with a verified request from any individual to exercise each of the rights described in subsections (b), (c), and (d) not less frequently than twice in any 12-month period; and the first 2 times that an individual makes a verified request described in subparagraph (A) in any 12-month period, shall comply with such requests without any charge to the individual. If an individual submits a manifestly unfounded or frivolous request to exercise a right under subsection (b), (c), or (d), or an excessive number of requests under such subsections, the covered entity may— charge a reasonable fee, taking into account the administrative costs of providing the personal data, communication, or taking the action requested by the individual; or refuse to act on the request.

A request to exercise a right described in this section shall only be considered a verified request if the covered entity verifies that the individual making the request is the individual whose personal data is the subject of the request. A covered entity shall make a reasonable effort to verify the identity of any individual who submits a request to exercise a right under this section. If a covered entity cannot verify the identity of the individual submitting a request under this subsection, the covered entity— may request that the individual provide such additional information as is necessary to confirm the identity of the individual; and shall only process additional information provided under clause (i) for the purpose of verifying the identity of the individual.

A covered entity— shall decline to act on a request under this section where, after undertaking a reasonable effort, the entity cannot verify that the individual making the request is the individual whose personal data is the subject of the request; may decline to act on a request under this section where fulfilling the request would— require the covered entity or a service provider of the covered entity to retain any personal data collected for a single, one-time transaction, if such personal data is not processed for additional purposes; be impossible or demonstrably impracticable, or require any steps or measures to re-identify, or otherwise alter or manipulate, information that is de-identified; be contrary to the legitimate interests of the covered entity or a service provider of the covered entity, such as completing a transaction, repairing functionality or errors, or performing a contract between the covered entity and the individual; impair the ability of the covered entity or a service provider of the covered entity to detect or respond to a security incident, provide a secure environment, or protect against malicious, deceptive, fraudulent, or illegal activity; hinder compliance with a legal obligation or legally recognized privilege, such as a requirement to retain certain information, or the establishment, exercise, or defense of legal claims; interfere with research (conducted in accordance with section 3(c)(5)) when the deletion of the personal data is likely to render impossible or seriously impair such research; or create a legitimate risk to the privacy, security, safety, or other rights of the individual, an individual other than the requester, or the covered entity, based on a reasonable individualized determination by the covered entity; and shall not be required to act on a request under this section if the covered entity is unable to fulfill the request because— the covered entity requires the assistance of a service provider to fulfill the request; and the service provider has informed the covered entity that the service provider is unable to assist the covered entity in fulfilling the request for a reason specified in section 8(c)(3)(A)(ii)(IV). If the covered entity declines to act on a request pursuant to paragraph (1), the covered entity shall inform the individual who made the request of the reasons for such declination and any rights the individual may have to appeal the decision of the covered entity.

The requirements under subsections (b) and (c) shall not apply to a covered entity that is a small business.

The Commission shall, after consulting with and soliciting comments from consumer data industry representatives, issue guidance describing nonbinding best practices for covered entities and service providers of different business sizes and types to develop privacy controls as described in this section.