Sec. 106. Service providers and third parties
/bill/117/s/2499/is/section-106

A research copy. For the controlling text, always check the official state or federal source. Not legal advice.
(a) A service provider—

    (1) shall not process service provider data for any processing purpose that is not performed on behalf of, and at the direction of, the covered entity that transferred the data to the service provider;

    (2) shall not transfer service provider data to a third party for any purpose other than a purpose performed on behalf of, or at the direction of, the covered entity that transferred the data to the service provider;

    (3) at the direction of the covered entity that transferred service provider data to the service provider, shall delete or deidentify such data—

        (A) as soon as practicable after the service provider has completed providing the service or function for which the data was transferred to the service provider; or

        (B) as soon as practicable after the end of the period during which the service provider is to provide services with respect to such data, as agreed to by the service provider and the covered entity that transferred the data;

    (4) is exempt from the requirements of section 103 with respect to service provider data, but shall, to the extent practicable—

        (A) assist the covered entity from which it received the service provider data in fulfilling requests to exercise rights under section 103(a); and

        (B) upon receiving notice from a covered entity of a verified request made under section 103(a)(1) to delete, deidentify, or correct service provider data held by the service provider, delete, deidentify, or correct such data; and

    (5) is exempt from the requirements of sections 104 and 105.

(b) A third party—

    (1) shall not process third party data for a processing purpose inconsistent with the reasonable expectation of the individual to whom such data relates;

    (2) for purposes of paragraph (1), may reasonably rely on representations made by the covered entity that transferred third party data regarding the reasonable expectations of individuals to whom such data relates, provided that the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible; and

    (3) is exempt from the requirements of sections 104 and 105.

(c) In the event that a covered entity enters into a bankruptcy proceeding which would lead to the disclosure of covered data to a third party, the covered entity shall in a reasonable time prior to the disclosure—

    (1) provide notice of the proposed disclosure of covered data, including the name of the third party and its policies and practices with respect to the covered data, to all affected individuals; and

    (2) provide each affected individual with the opportunity to withdraw any previous affirmative express consent related to the covered data of the individual or request the deletion or deidentification of the covered data of the individual.

(d) A covered entity shall exercise reasonable due diligence to ensure compliance with this section before—

    (1) selecting a service provider; or

    (2) deciding to transfer covered data to a third party.

Not later than 2 years after the effective date of this Act, the Commission shall publish guidance regarding compliance with this subsection. Such guidance shall, to the extent practicable, minimize unreasonable burdens on small- and medium-sized covered entities.