
Code · BILL · 117th Congress · S. 2499 (Introduced in Senate) — To establish data privacy and data security protections for consumers in the United States. · Sec. 107

Sec. 107. Privacy impact assessments


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than 1 year after the date of enactment of this Act (or, if later, not later than 1 year after a covered entity first meets the definition of a large data holder (as defined in section 2)), each covered entity that is a large data holder shall conduct a privacy impact assessment of each of its processing activities involving covered data that present a heightened risk of harm to individuals, and each such assessment shall weigh the benefits of the covered entity's covered data collection, processing, and transfer practices against the potential adverse consequences to individual privacy of such practices.
A privacy impact assessment required under paragraph (1)— shall be reasonable and appropriate in scope given— the nature of the covered data collected, processed, or transferred by the covered entity; the volume of the covered data collected, processed, or transferred by the covered entity; the size of the covered entity; and the potential risks posed to the privacy of individuals by the collection, processing, or transfer of covered data by the covered entity; shall be documented in written form and maintained by the covered entity unless rendered out of date by a subsequent assessment conducted under subsection (b); and shall be approved by the data privacy officer of the covered entity.
A covered entity that is a large data holder shall, not less frequently than once every 2 years after the covered entity conducted the privacy impact assessment required under subsection (a), conduct a privacy impact assessment of the collection, processing, and transfer of covered data by the covered entity to assess the extent to which— the ongoing practices of the covered entity are consistent with the covered entity's published privacy policies; any customizable privacy settings included in a service or product offered by the covered entity are adequately accessible to individuals who use the service or product and are effective in meeting the privacy preferences of such individuals; the practices and privacy settings described in subparagraphs (A) and (B), respectively— meet the expectations of a reasonable individual; and provide an individual with adequate control over the individual's covered data; the covered entity could enhance the privacy and security of covered data through technical or operational safeguards such as encryption, deidentification, and other privacy-enhancing technologies; and the processing of covered data is compatible with the stated purposes for which it was collected.
The data privacy officer of a covered entity shall approve the findings of an assessment conducted by the covered entity under this subsection.