Sec. 2. Definitions
2,084 words·~9 min read·
/bill/117/s/2499/is/section-2·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this Act: The term affirmative express consent means, upon being presented with a clear and conspicuous description of an act or practice for which consent is sought, an affirmative act by the individual clearly communicating the individual’s authorization for the act or practice. The term algorithm means a computational process derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that processes covered data for the purpose of making a decision or facilitating human decision-making.
The term collection means buying, renting, gathering, obtaining, receiving, or accessing any covered data of an individual by any means. The term Commission means the Federal Trade Commission. The term common branding means a shared name, servicemark, or trademark. The term covered data means information that identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual. For purposes of subparagraph (A), information held by a covered entity is linked or reasonably linkable to an individual or a device if, as a practical matter, it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity to identify such individual or such device.
Such term does not include— aggregated data; de-identified data; employee data; or publicly available information. For purposes of subparagraph (C), the term aggregated data means information that relates to a group or category of individuals or devices that does not identify and is not linked or reasonably linkable to any individual or device. For purposes of subparagraph (C), the term de-identified data means information held by a covered entity that— does not identify, and is not linked or reasonably linkable to, an individual or device; does not contain any persistent identifier or other information that could readily be used to reidentify the individual to whom, or the device to which, the identifier or information pertains; is subject to a public commitment by the covered entity— to refrain from attempting to use such information to identify any individual or device; and to adopt technical and organizational measures to ensure that such information is not linked to any individual or device; and is not disclosed by the covered entity to any other party unless the disclosure is subject to a contractually or other legally binding requirement that— the recipient of the information shall not use the information to identify any individual or device; and all onward disclosures of the information shall be subject to the requirement described in subclause (I).
For purposes of subparagraph (C), the term employee data means— information relating to an individual collected by a covered entity in the course of the individual acting as a job applicant to, or employee (regardless of whether such employee is paid or unpaid, or employed on a temporary basis), owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor of, the entity, provided that such information is collected, processed, or transferred by the covered entity solely for purposes related to the individual’s status as a current or former job applicant to, or an employee, owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor of, that covered entity; business contact information of an individual, including the individual's name, position or title, business telephone number, business address, business email address, qualifications, and other similar information, that is provided to a covered entity by an individual who is acting in a professional capacity, provided that such information is collected, processed, or transferred solely for purposes related to such individual's professional activities; emergency contact information collected by a covered entity that relates to an individual who is acting in a role described in clause
(i)with respect to the covered entity, provided that such information is collected, processed, or transferred solely for the purpose of having an emergency contact on file for the individual; or information relating to an individual (or a relative or beneficiary of such individual) that is necessary for the covered entity to collect, process, or transfer for the purpose of administering benefits to which such individual (or relative or beneficiary of such individual) is entitled on the basis of the individual acting in a role described in clause
(i)with respect to the entity, provided that such information is collected, processed, or transferred solely for the purpose of administering such benefits. For the purposes of subparagraph (C), the term publicly available information means any information that a covered entity has a reasonable basis to believe— has been lawfully made available to the general public from Federal, State, or local government records; is widely available to the general public, including information from— a telephone book or online directory; television, internet, or radio content or programming; or the news media or a website that is lawfully available to the general public on an unrestricted basis (for purposes of this subclause a website is not restricted solely because there is a fee or log-in requirement associated with accessing the website); or is a disclosure to the general public that is required to be made by Federal, State, or local law. Such term does not include an obscene visual depiction (as defined for purposes of section 1460 of title 18, United States Code). The term covered entity means any person that— is subject to the Federal Trade Commission Act ( 15 U.S.C. 41 et seq. ) or is— a common carrier described in section 5(a)(2) of such Act ( 15 U.S.C. 45(a)(2) ); or an organization not organized to carry on business for their own profit or that of their members; collects, processes, or transfers covered data; and determines the purposes and means of such collection, processing, or transfer. The term data broker means a covered entity whose principal source of revenue is derived from processing or transferring the covered data of individuals with whom the entity does not have a direct relationship on behalf of third parties for such third parties' use. Such term does not include a service provider. The term delete means to remove or destroy information such that it is not maintained in human or machine readable form and cannot be retrieved or utilized in such form in the normal course of business. The term Executive agency has the meaning set forth in section 105 of title 5, United States Code. The term individual means a natural person residing in the United States. The term large data holder means a covered entity that in the most recent calendar year— processed or transferred the covered data of more than 8,000,000 individuals; or processed or transferred the sensitive covered data of more than 300,000 individuals or devices that are linked or reasonably linkable to an individual (excluding any instance where the covered entity processes the log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity). The term material means, with respect to an act, practice, or representation of a covered entity (including a representation made by the covered entity in a privacy policy or similar disclosure to individuals), that such act, practice, or representation is likely to affect an individual's decision or conduct regarding a product or service. The term process means any operation or set of operations performed on covered data including analysis, organization, structuring, retaining, using, or otherwise handling covered data. The term processing purpose means a reason for which a covered entity processes covered data. The term research means the scientific analysis of information, including covered data, by a covered entity or those with whom the covered entity is cooperating or others acting at the direction or on behalf of the covered entity, that is conducted for the primary purpose of advancing scientific knowledge and may be for the commercial benefit of the covered entity. The term sensitive covered data means any of the following forms of covered data of an individual: A unique, government-issued identifier, such as a Social Security number, passport number, or driver’s license number, that is not required to be displayed to the public. Any covered data that describes or reveals the diagnosis or treatment of the past, present, or future physical health, mental health, or disability of an individual. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account. Covered data that is biometric information. Precise geolocation information. A persistent identifier. The contents of an individual’s private communications, such as emails, texts, direct messages, or mail, or the identity of the parties subject to such communications, unless the covered entity is the intended recipient of the communication. Account log-in credentials such as a user name or email address, in combination with a password or security question and answer that would permit access to an online account. Covered data revealing an individual’s racial or ethnic origin, or religion in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information. Covered data revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information. Covered data about the online activities of an individual that addresses or reveals a category of covered data described in another clause of this subparagraph. Covered data that is calendar information, address book information, phone or text logs, photos, or videos maintained for private use on an individual’s device. Any covered data collected or processed by a covered entity for the purpose of identifying covered data described in another clause of this subparagraph. Any other category of covered data designated by the Commission pursuant to a rulemaking under section 553 of title 5, United States Code. For purposes of subparagraph (A), the term biometric information — means the physiological or biological characteristics of an individual, including deoxyribonucleic acid, that are used, singly or in combination with each other or with other identifying data, to establish the identity of an individual; and includes— imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted; and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. For purposes of subparagraph (A), the term persistent identifier means a technologically derived identifier that identifies an individual, or is linked or reasonably linkable to an individual over time and across services and platforms, which may include a customer number held in a cookie, a static Internet Protocol address, a processor or device serial number, or another unique device identifier. For purposes of subparagraph (A), the term precise geolocation information means technologically derived information capable of determining the past or present actual physical location of an individual or an individual’s device at a specific point in time to within 1,750 feet. The term service provider means, with respect to a set of covered data, a covered entity that processes or transfers such covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of, a covered entity that— is not related to the covered entity providing the service or function by common ownership or corporate control; and does not share common branding with the covered entity providing the service or function. The term service provider data means covered data that is collected by the service provider on behalf of a covered entity or transferred to the service provider by a covered entity for the purpose of allowing the service provider to perform a service or function on behalf of, and at the direction of, such covered entity. The term third party means, with respect to a set of covered data, a covered entity— that is not a service provider with respect to such covered data; and that received such covered data from another covered entity— that is not related to the covered entity by common ownership or corporate control; and that does not share common branding with the covered entity. The term third party data means, with respect to a third party, covered data that has been transferred to the third party by a covered entity. The term transfer means to disclose, release, share, disseminate, make available, or license in writing, electronically, or by any other means for consideration of any kind or for a commercial purpose.
Connectionstraces to 2
Citation graph
cites case law
Cites 2Cited by 0 across 0 sources