Sec. 2. Definitions

2,066 words·~9 min read·/bill/117/s/2134/is/section-2

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this Act: The term Agency means the Data Protection Agency established under section 3. The term anonymized data means information— that does not identify an individual; and with respect to which there is no reasonable basis to believe that the information can be used on its own or in combination with other reasonably available information to identify an individual. The term automated decision system means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision, or facilitates human decision making.

The term biometric information — means information regarding the physiological or biological characteristics of an individual that may be used, singly or in combination with each other or with other identifying data, to establish the identity of an individual; includes— genetic data; imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted; keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information; and any mathematical code, profile, or algorithmic model derived from information regarding the physiological or biological characteristics of an individual; does not include information captured from a patient in a health care setting for a medical purpose or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 ( Public Law 104–191 ); and does not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

The term collect — means buying, renting, gathering, obtaining, receiving, or accessing any personal data by any means; and includes— receiving personal data from an individual or device; and creating, deriving, or inferring personal data by analyzing data about an individual or about groups of individuals similar to the individual. The term data aggregator — means any person that collects, uses, or shares, in or affecting interstate commerce, an amount of personal data that is not de minimis, as well as entities related to that person by common ownership or corporate control; and does not include an individual who collects, uses, or shares personal data solely for non-commercial reasons.

The term device means any physical object that— is capable of connecting to the internet or other communication network; or has computer processing capabilities that can collect, send, receive, or store data. The term Director means the Director of the Data Protection Agency. The term electronic data means any information that is in an electronic or digital format or any electronic or digital reference that contains information about an individual or device. The term Federal privacy law means the provisions of this Act, any other rule or order prescribed by the Agency under this Act, and the following laws (including any amendments made to such laws):

Title V of the Gramm-Leach-Bliley Act ( Public Law 106–102 ; 113 Stat. 1338). The Fair Credit Reporting Act ( 15 U.S.C. 1681 et seq. ). The Telemarketing and Consumer Fraud and Abuse Prevention Act ( 15 U.S.C. 6101 et seq. ). The Fair and Accurate Credit Transactions Act of 2003 ( Public Law 108–159 ; 117 Stat. 1952). The CAN-SPAM Act of 2003 ( 15 U.S.C. 7701 et seq. ). Sections 222, 227, 338(l), 631, and 705 of the Communications Act of 1934 ( 47 U.S.C. 222 , 227, 338(l), 551, 705).

The Children’s Online Privacy Protection Act of 1998 ( 15 U.S.C. 6501 et seq. ). The Right to Financial Privacy Act of 1978 ( 12 U.S.C. 3401 et seq. ). The Identity Theft Assumption and Deterrence Act of 1998 ( Public Law 105–318 ; 117 Stat. 3007). The General Education Provisions Act ( 20 U.S.C. 1221 et seq. ) (commonly known as the Family Educational Rights and Privacy Act of 1974 ). Section 552a of title 5, United States Code. The E-Government Act of 2002 ( Public Law 107–347 ; 116 Stat. 2899).

The Computer Security Act of 1987 ( 40 U.S.C. 1441 note). The Employee Polygraph Protection Act of 1988 ( 29 U.S.C. 2001 et seq. ). The Communications Assistance for Law Enforcement Act ( Public Law 103–414 ; 108 Stat. 4279). Sections 1028A, 1030, 1801, 2710, and 2721 and chapter 119, of title 18, United States Code. The Genetic Information Nondiscrimination Act of 2008 ( Public Law 110–233 ; 122 Stat. 881). The Taxpayer Browsing Protection Act ( Public Law 105–35 ; 111 Stat. 1104).

The Privacy Protection Act of 1980 ( 42 U.S.C. 2000aa et seq. ). The Cable Communications Policy Act of 1984 ( Public Law 98–549 ; 98 Stat. 2779). The Do-Not-Call Implementation Act ( Public Law 108–10 ; 117 Stat. 557). The Wireless Communications and Public Safety Act of 1999 ( Public Law 106–81 ; 113 Stat. 1286). Title XXX of the Public Health Service Act ( 42 U.S.C. 300jj et seq. ). The term high-risk data practice means an action by a data aggregator that involves— the use of an automated decision system; the processing of data in a manner that involves an individual’s protected class, familial status, lawful source of income, financial status such as the individual’s income or assets), veteran status, criminal convictions or arrests, citizenship, past, present, or future physical or mental health or condition, psychological states, or any other factor used as a proxy for identifying any of these characteristics; a systematic processing of publicly accessible data on a large scale; processing involving the use of new technologies, or combinations of technologies, that causes or materially contributes to privacy harm; decisions about an individual’s access to a product, service, opportunity, or benefit which is based to any extent on automated decision system processing; any profiling of individuals on a large scale; any processing of biometric information for the purpose of uniquely identifying an individual, with the exception of one-to-one biometric authentication; combining, comparing, or matching personal data obtained from multiple sources; processing which involves an individual’s precise geolocation; the processing of personal data of children and teens under 17 or other vulnerable individuals such as the elderly, people with disabilities, and other groups known to be susceptible for exploitation for marketing purposes, profiling, or automated processing; or consumer scoring or other business practices that pertain to the eligibility of an individual, and related terms, rights, benefits, and privileges, for employment (including hiring, firing, promotion, demotion, and compensation), credit, insurance, housing, education, professional certification, or the provision of health care and related services.

The term high-risk data practice impact evaluation means a study conducted after deployment of a high-risk data practice that includes, at a minimum— an evaluation of a high-risk data practice’s accuracy, disparate impacts on the basis of protected class, and privacy harms; an evaluation of the effectiveness of measures taken to minimize risks as outlined in any prior high-risk data practice risk assessments; and recommended measures to further minimize risks to accuracy, disparate impacts on the basis of protected class, and privacy harms.

The term high-risk data practice risk assessment means a study evaluating a high-risk data practice and the high-risk data practice’s development process, including the design and training data of the high-risk data practice, if applicable, for likelihood and severity of risks to accuracy, bias, discrimination, and privacy harms that includes, at a minimum— a detailed description of the high-risk data practice, including— its design and methodologies; training data characteristics; data; and purpose; an assessment of the relative benefits and costs of the high-risk data practice in light of its purpose, potential unintended consequences, and taking into account relevant factors, including— data minimization practices; the duration and methods for which personal data and the results of the high-risk data practice are stored; what information about the high-risk data practice is available to individuals; the extent to which individuals have access to the results of the high-risk data practice and may correct or object to its results; and the recipients of the results of the high-risk data practice; an assessment of the risks of privacy harm posed by the high-risk data practice and the risks that the high-risk data practice may result in or contribute to inaccurate, biased, or discriminatory decisions impacting individuals or groups of individuals; and the decision to accept, reject, or mitigate and minimize risks and the measures a data aggregator will employ including to minimize the risks described in subparagraph(C), including technological and physical safeguards.

The term individual means a natural person. The term person means an individual, a local, State, or Federal governmental entity, a partnership, a company, a corporation, an association (incorporated or unincorporated), a trust, an estate, a cooperative organization, another entity, or any other organization or group of such entities acting in concert. The term personal data means electronic data that, alone or in combination with other data— identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device; or could be used to determine that an individual or household is part of a protected class.

The term precise geolocation means any data that is derived from a device and that is used or intended to be used to locate an individual within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet. The term privacy harm means an adverse consequence, or a potential adverse consequence, to an individual, a group of individuals, or society caused, in whole or in part, by the collection, processing, or sharing of personal data, including— direct or indirect financial loss or economic harm, including financial loss or economic harm arising from fraudulent activities or data security breaches; physical harm, harassment, or a threat to an individual or property; psychological harm, including anxiety, embarrassment, fear, other trauma, stigmatization, reputational harm, or the revealing or exposing of an individual, or a characteristic of an individual, in an unexpected way; an adverse outcome or decision, including relating to the eligibility of an individual for the rights, benefits, or privileges in credit and insurance (including the denial of an application or obtaining less favorable terms), housing, education, professional certification, employment (including hiring, firing, promotion, demotion, and compensation), or the provision of health care and related services; discrimination, including both differential treatment on the basis of a protected class and disparate impact on a protected class; the chilling of free expression or action of an individual, or society generally, due to perceived or actual pervasive and excessive collection, processing, or sharing of personal data; the use of information technology to covertly influence an individual’s decision-making, by targeting and exploiting decision-making vulnerabilities; and any other adverse consequence, or potential adverse consequence, prohibited by or defined by Federal privacy laws; provisions of Federal civil rights laws related to the processing of personal information; provisions of Federal consumer protection laws related to the processing of personal information; the First Amendment; and other constitutional rights protecting privacy.

The term process means to perform an operation or set of operations on personal data, either manually or by automated means, including collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, sorting, classifying, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying. The term profile means the use of an automated decision system to process data (including personal data and other data) to derive, infer, predict or evaluate information about an individual or group, such as the processing of data to analyze or predict an individual’s identity, attributes, interests or behavior.

The term protected class means the actual or perceived race, color, ethnicity, national origin, religion, sex, gender, gender identity or expression, sexual orientation, familial status, biometric information, genetic information, or disability of an individual or a group of individuals. The term service provider means a data aggregator that collects, uses, or shares personal data only on behalf of another data aggregator in order to carry out a permissible purpose, and only to the extent of such activity.

The term share means disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal data.

Connectionstraces to 11

Traces to 11 documents

U.S. Code