Sec. 101. Definitions
6,266 words·~28 min read·
/bill/118/hr/8818/ih/section-101A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this title: The term affirmative express consent means an affirmative act by an individual that— clearly communicates the authorization of the individual for an act or practice; and is provided in response to a specific request from a covered entity, or a service provider on behalf of a covered entity, that meets the requirements of subparagraph (B). The requirements of this subparagraph with respect to a request are the following: The request is provided to the individual in a clear and conspicuous standalone disclosure.
The request includes a description of each act or practice for which the consent of the individual is sought and— clearly distinguishes between an act or practice that is necessary, proportionate, and limited to fulfill a request of the individual and an act or practice that is for another purpose; clearly states the specific categories of covered data that the covered entity shall collect, process, retain, or transfer under each such act or practice; and is written in easy-to-understand language and includes a prominent heading that would enable a reasonable individual to identify and understand each such act or practice.
The request clearly explains the applicable rights of the individual related to consent. The request is made in a manner reasonably accessible to and usable by individuals living with disabilities. The request is made available to the individual in the language in which the covered entity provides a product or service for which authorization is sought. The option to refuse consent is at least as prominent as the option to provide consent, and the option to refuse consent takes no more than 1 additional step as compared to the number of steps necessary to provide consent.
With respect to affirmative express consent sought for the collection, processing, retention, or transfer of biometric information or genetic information, the request includes the length of time the covered entity or service provider intends to retain the biometric information or genetic information or, if it is not possible to identify the length of time, the criteria used to determine the length of time the covered entity or service provider intends to retain the biometric information or genetic information.
Affirmative express consent to an act or practice may not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by an entity. A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual. The means to withdraw affirmative express consent described in clause
(i)shall be— clear and conspicuous; and as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent. If a covered entity has knowledge that— an individual is a child, only a parent of the child may provide affirmative express consent on behalf of the child; or an individual is a teen, a parent or the teen may provide affirmative express consent on behalf of the teen. The term biometric information means any covered data that allows or confirms the unique identification or verification of an individual and is generated from the measurement or processing of unique biological, physical, or physiological characteristics, including— fingerprints; voice prints; iris or retina imagery scans; facial or hand mapping, geometry, or templates; and gait. The term biometric information does not include— a digital or physical photograph; an audio or video recording; or data derived from a digital or physical photograph or an audio or video recording that cannot be used to identify or authenticate a specific individual. The term child means an individual under the age of 13. The term clear and conspicuous means, with respect to a disclosure, that the disclosure is difficult to miss and easily understandable by ordinary consumers. The term coarse geolocation information means information that reveals the present physical location of an individual or device identified by a unique persistent identifier at the ZIP Code attribution level (except, if a geographic area attributed to a ZIP Code is equal to or less than the area of a circle with a radius of 1,850 feet or less, at a level greater than a geographic area equal to the area of a circle with a radius of 1,850 feet). The term collect means, with respect to covered data, to buy, rent, gather, obtain, receive, access, or otherwise acquire the covered data by any means. The term Commission means the Federal Trade Commission. The term common branding means a name, service mark, or trademark that is shared by 2 or more entities. The term connected device means a device that is capable of connecting to the internet. The term contextual advertising means displaying or presenting an advertisement that— does not vary based on the identity of the individual recipient; and is based solely on— the content of a webpage or online service; a specific request of the individual for information or feedback; or coarse geolocation information. The term control means, with respect to an entity— ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity; control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or the power to exercise a controlling influence over the management of the entity. The term covered data means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals. The term covered data does not include— de-identified data; employee information; publicly available information; inferences made exclusively from multiple independent sources of publicly available information, if such inferences— do not reveal information about an individual that meets the definition of the term sensitive covered data with respect to the individual; and are not combined with covered data; information in the collection of a library, archive, or museum, if— the collection is— open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum; and composed of lawfully acquired materials with respect to which all licensing conditions are met; and the library, archive, or museum has— a public service mission; and trained staff or volunteers to provide professional services normally associated with libraries, archives, or museums; or on-device data. The term covered entity means any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and— is subject to the Federal Trade Commission Act ( 15 U.S.C. 41 et seq. ); is a common carrier subject to title II of the Communications Act of 1934 ( 47 U.S.C. 201 et seq. ); or is an organization not organized to carry on business for its own profit or that of its members. The term covered entity includes any entity that controls, is controlled by, or is under common control with another covered entity. The term covered entity does not include— a Federal, State, Tribal, or local government entity, such as a body, authority, board, bureau, commission, district, agency, or other political subdivision of the Federal Government or a State, Tribal, or local government; an entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, or local government entity, to the extent that such entity is acting as a service provider to the government entity; a small business; an individual acting at their own direction and in a non-commercial context; the National Center for Missing and Exploited Children; or except with respect to requirements under section 109, a nonprofit organization whose primary mission is to prevent, investigate, or deter fraud, to train anti-fraud professionals, or to educate the public about fraud, including insurance fraud, securities fraud, and financial fraud, to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission. An entity may not be considered to be a covered entity for the purposes of this title, insofar as the entity is acting as a service provider. The term covered high-impact social media company means a covered entity that provides any internet-accessible platform that— generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity; has 300,000,000 or more global monthly active users for not fewer than 3 of the preceding 12 months; and constitutes an online product or service that is primarily used by users to access or share user-generated content. A service or application may not be considered to constitute an online product or service described in subparagraph (A)(iii) solely on the basis of providing any of the following: Email. Career or professional development networking opportunities. Reviews of products, services, events, or destinations. A platform for use in a public or private school under the direction of the school. File collaboration. Cloud storage. Closed video or audio communications services. A wireless messaging service, including such a service provided through short messaging service or multimedia messaging service protocols, that is not a component of, or linked to, a platform of a covered high-impact social media company, if the predominant or exclusive function is direct messaging consisting of the transmission of text, photos, or videos that are sent by electronic means, and if messages are transmitted from the sender to a recipient and are not posted within a platform of a covered high-impact social media company or publicly. The term covered minor means an individual under the age of 17. The term dark patterns means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. The term data broker means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data. For purposes of this paragraph, the term principal source of revenue means, for the prior 12-month period— revenue that constitutes greater than 50 percent of all revenue of the covered entity during such period; or revenue obtained from processing and transferring the covered data of more than 5,000,000 individuals that the covered entity did not collect directly from the individuals linked or linkable to the covered data. The term data broker does not include an entity to the extent that such entity is acting as a service provider. The term de-identified data means information that cannot reasonably be used to infer or derive the identity of an individual, and does not identify and is not linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to an individual, regardless of whether the information is aggregated, if the relevant covered entity or service provider— takes reasonable physical, administrative, and technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual; publicly commits in a clear and conspicuous manner to— process, retain, or transfer the information solely in a de-identified form without any reasonable means for re-identification; and not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual, except as necessary, limited, and proportionate to test the effectiveness of the measures described in clause (i); and contractually obligates any entity that receives the information from the covered entity or service provider to— comply with clauses
(i)and
(ii)with respect to the information; and require that such contractual obligations be included contractually in all subsequent instances in which the information may be received. The term de-identified data includes health information (as defined in section 1171 of the Social Security Act ( 42 U.S.C. 1320d )) that has been de-identified in accordance with section 164.514(b) of title 45, Code of Federal Regulations, except that if such information is subsequently provided to an entity that is not an entity subject to parts 160 and 164 of such title 45, such entity shall comply with clauses
(ii)and
(iii)of subparagraph
(A)for the information to be considered de-identified under this title. The term derived data means covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information. The term device means any electronic equipment capable of collecting, processing, retaining, or transferring covered data that is used by 1 or more individuals, including a connected device or a portable connected device. The term direct mail targeted advertising means advertising or marketing using third-party data through a direct communication with an individual via direct mail. The term disability has the meaning given such term in section 3 of the Americans with Disabilities Act of 1990 ( 42 U.S.C. 12102 ). The term email targeted advertising means advertising or marketing using third-party data through a direct communication with an individual via email. The term employee means an individual who is an employee, director, officer, staff member, paid intern, individual working as an independent contractor (who is not a service provider), volunteer, or unpaid intern of an employer, regardless of whether such individual is paid, unpaid, or engaged on a temporary basis. The term employee information means information, including biometric information or genetic information— about an individual related to the course of employment or application for employment of the individual (including on a contract or temporary basis), if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for purposes necessary for the employment or application of the individual; that is emergency contact information for an individual who is an employee or job applicant of an employer, if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for the purpose of having an emergency contact for such individual on file; or about an individual who is an employee or former employee of an employer, or a relative, dependent, or beneficiary of the employee or former employee, and collected, retained, processed, or transferred for the purpose of administering benefits, including enrollment and disenrollment for benefits, to which the employee, former employee, relative, dependent, or beneficiary is entitled on the basis of the employment of the employee or former employee with the employer, if such information is collected, retained, processed, or transferred by the employer or the service provider of the employer solely for the purpose of administering such benefits. The term entity means an individual, a trust, a partnership, an association, an organization, a company, and a corporation. The term Executive agency has the meaning given such term in section 105 of title 5, United States Code. The term federated nonprofit organization means a network or system of 2 or more entities, described in section 501(c)(3) of the Internal Revenue Code of 1986 and exempt from taxation under section 501(a) of such Code, that share common branding. The term first party — means a consumer-facing covered entity with which a consumer intends and expects to interact; and includes any entities with which the covered entity shares common branding. The term first-party advertising means advertising or marketing by a first party using the first-party data of the first party and not other forms of covered data and carried out— through direct communications with an individual, such as direct mail, email (subject to the CAN-SPAM Act of 2003 ( 15 U.S.C. 7701 et seq. ) and the regulations promulgated under such Act), or text message communications (subject to section 227 of the Communications Act of 1934 ( 47 U.S.C. 227 ) and the regulations promulgated under such section); or entirely— in a physical location operated by the first party; in the case of a first party that is not a covered high-impact social media company, on a website, online service, online application, or mobile application operated by the first party, through display or presentation of an online advertisement that promotes a product or service (whether offered by the first party or not offered by the first party) to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers; or in the case of a first party that is a covered high-impact social media company, on a website, online service, online application, or mobile application operated by the first party, through display or presentation of an online advertisement that promotes a product or service offered by the first party to an individual or device identified by a unique persistent identifier, or group of individuals or devices identified by unique persistent identifiers. The term first-party advertising does not include contextual advertising. The term first-party data means covered data collected directly from an individual by a first party, including based on a visit by the individual to or use by the individual of a physical location, website, online service, online application, or mobile application operated by the first party. The term genetic information means any covered data, regardless of format, that concerns the genetic characteristics of an identified or identifiable individual, including— raw sequence data that results from the sequencing of the complete, or a portion of, extracted deoxyribonucleic acid
(DNA)of an individual; or genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (A). The term health information means information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition, status, or treatment of an individual, including the precise geolocation information of such treatment. The term individual means a natural person residing in the United States. The term knowledge means, with respect to whether an individual is a child, teen, or covered minor, actual knowledge or knowledge fairly implied on the basis of objective circumstances. For purposes of enforcing this title or a regulation promulgated under this title, a determination as to whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child, teen, or covered minor shall rely on competent and reliable evidence, taking into account the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the individual is a child, teen, or covered minor. Nothing in this title, including a determination described in the preceding sentence, may be construed to require a covered entity to— affirmatively collect any covered data with respect to the age of a child, teen, or covered minor that the covered entity is not already collecting in the normal course of business; or implement an age gating or age verification functionality. Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance to provide information, including best practices and examples, for covered entities to use in understanding whether a covered entity has knowledge fairly implied on the basis of objective circumstances that an individual is a child, teen, or covered minor. No guidance issued by the Commission under clause
(i)confers any rights on any person, State, or locality, or operates to bind the Commission or any person, State, or locality to the approach recommended in such guidance. Any enforcement action brought pursuant to this title by the Commission, or by the attorney general of a State, the chief consumer protection officer of a State, or an officer or office of a State authorized to enforce privacy or data security laws applicable to covered entities or service providers, shall allege a specific violation of a provision of this title, and the Commission or the attorney general, chief consumer protection officer, or other authorized officer or office of the State, as applicable, may not base an enforcement action on, or as applicable execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title. The term large data holder means a covered entity or service provider that, in the most recent calendar year, had an annual gross revenue of not less than $250,000,000 and, subject to subparagraph (B), collected, processed, retained, or transferred— the covered data of— more than 5,000,000 individuals; more than 15,000,000 portable connected devices that identify or are linked or reasonably linkable to 1 or more individuals; or more than 35,000,000 connected devices that identify or are linked or reasonable linkable to 1 or more individuals; or the sensitive covered data of— more than 200,000 individuals; more than 300,000 portable connected devices that identify or are linked or reasonable linkable to 1 or more individuals; or more than 700,000 connected devices that identify or are linked or reasonably linkable to 1 or more individuals. For the purposes of subparagraph (A), a covered entity or service provider may not be considered a large data holder solely on the basis of collecting, processing, retaining, or transferring to a service provider— personal mailing or email addresses; personal telephone numbers; log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity; or in the case of a covered entity that is a seller of goods or services (other than an entity that facilitates payment, such as a bank, credit card processor, mobile payment system, or payment platform), credit, debit, or mobile payment information necessary and used to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for such goods or services. For the purposes of subparagraph (A), the term annual gross revenue , with respect to a covered entity or service provider— means the gross receipts the covered entity or service provider received, in whatever form from all sources, without subtracting any costs or expenses; and includes contributions, gifts, grants, dues or other assessments, income from investments, and proceeds from the sale of real or personal property. The term market research means the collection, processing, retention, or transfer of covered data, with affirmative express consent, that is necessary, proportionate, and limited to measure and analyze the market or market trends of products, services, advertising, or ideas, if the covered data is not— integrated into any product or service; otherwise used to contact any individual or device of an individual; or used for targeted advertising or to otherwise market to any individual or device of an individual. The term material change means, with respect to treatment of covered data, a change by an entity that would likely affect the decision of an individual to engage with and provide covered data to the entity, including providing affirmative express consent for, or opting out of, the collection, processing, retention, or transfer of covered data pertaining to such individual. The term mobile application — means a software program that runs on the operating system of— a cellular telephone; a tablet computer; or a similar portable computing device that transmits data over a wireless connection; and includes a service or application offered via a connected device. The term on-device data means data collected, retained, and processed solely on the device of an individual. Data collected, retained, and processed solely on the device of an individual may be considered on-device data only if— such data is not transferred by a covered entity or service provider; the relevant covered entity clearly and conspicuously provides the device owner with controls that allow the owner to access, correct, delete, and export such data consistent with the rights provided with respect to covered data pursuant to section 105; the relevant covered entity provides easy-to-understand instructions on how the device owner can access such controls; and the relevant covered entity establishes, implements, and maintains reasonable data security practices, consistent with section 109, to protect— the confidentiality, integrity, and availability of the on-device data; and on device data against unauthorized access. The term online activity profile means covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third-party websites, online services, online applications, or mobile applications that do not share common branding and that is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual. The term online application — means an internet-connected software program; and includes a service or application offered via a connected device. The term parent means a legal guardian. The term portable connected device means a portable device that is capable of connecting to the internet over a wireless connection, including a smartphone, tablet computer, laptop computer, smartwatch, or similar portable device. The term precise geolocation information means information that reveals the past or present physical location of an individual or device with sufficient precision to identify the location of such individual or device within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet or less. The term precise geolocation information does not include information derived solely from— a digital or physical photograph; an audio or visual recording; or metadata associated with a digital or physical photograph or an audio or visual recording that cannot be linked to an individual. The term process means, with respect to covered data, any operation or set of operations performed on the covered data, including analyzing, organizing, structuring, using, modifying, or otherwise handling the covered data. The term publicly available information means any information that a covered entity has a reasonable basis to believe has been lawfully made available to the general public by— Federal, State, or local government records, if the covered entity collects, processes, retains, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity; widely distributed media; a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log in to the website or online service; or a disclosure to the general public that is required to be made by Federal, State, or local law. For purposes of this paragraph, information from a website or online service is not available to all members of the public if the individual to whom the information pertains has restricted the information to a specific audience or maintained a default setting that restricts the information to a specific audience. The term publicly available information includes business contact information of an individual acting in a business or professional context that is made available on a website or online service made available to all members of the public, including the name, position or title, business telephone number, business email address, or business address of the individual. The term publicly available information does not include— any obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); derived data from publicly available information that reveals information about an individual that meets the definition of the term sensitive covered data ; biometric information; genetic information, unless made publicly available by the individual to whom the information pertains by a means described in clause
(ii)or
(iii)of subparagraph (A); covered data that is created through the combination of covered data with publicly available information; intimate images, authentic or computer-generated, known to be nonconsensual; or sensitive covered data made available by a data broker. The term retain means, with respect to covered data, to store, maintain, save, or otherwise keep such data, regardless of format. The term sensitive covered data means the following forms of covered data: A government-issued identifier, including a Social Security number, passport number, or driver’s license number, that is not required by law to be displayed in public. Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or health condition, status, or treatment of an individual. Genetic information. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card, except that the last four digits of an account number, debit card number, or credit card number may not be considered sensitive covered data. Biometric information. Precise geolocation information. The private communications of an individual (such as voicemails, or other voice or video communications, emails, texts, direct messages, or mail) or information identifying the parties to such communications, information contained in telephone bills, and any information that pertains to the transmission of private voice or video communications, including numbers called, numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the relevant covered entity or service provider is an intended recipient of the communication. Unencrypted or unredacted account or device log-in credentials. Information revealing the sexual behavior of an individual in a manner inconsistent with the reasonable expectation of the individual regarding disclosure of such information. Calendar information, address book information, phone, text, or electronic logs, photographs, audio recordings, or videos intended for private use. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual. Information revealing the extent or content of the access, viewing, or other use by an individual of any video programming (as defined in section 713(h)(2) of the Communications Act of 1934 ( 47 U.S.C. 613(h)(2) )), including programming provided by a provider of broadcast television service, cable service, satellite service, or streaming media service, but only with regard to the transfer of such information to a third party (excluding any such information used solely for transfers for independent video measurement). Information collected by a covered entity that is not a provider of a service described in clause
(xii)that reveals the video content requested or selected by an individual (excluding any such information used solely for transfers for independent video measurement). Information revealing the race, ethnicity, national origin, religion, or sex of an individual in a manner inconsistent with the reasonable expectation of the individual regarding disclosure of such information. An online activity profile. Information about a covered minor. Information that reveals the status of an individual as a member of the Armed Forces. Neural data. Any other covered data collected, processed, retained, or transferred for the purpose of identifying a type of information described in any of clauses
(i)through (xviii). For the purposes of subparagraph (A)(xii), the term third party does not include an entity that— is related by common ownership or corporate control to the provider of broadcast television service or streaming media service; and provides video programming as described in such subparagraph. The term service provider means an entity that collects, processes, retains, or transfers covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of— a covered entity or another service provider; or a Federal, State, Tribal, or local government entity. An entity is a covered entity and not a service provider with respect to a specific collecting, processing, retaining, or transferring of covered data, if the entity, alone or jointly with others, determines the purposes and means of the specific collecting, processing, retaining, or transferring of data. An entity that is not limited in its collecting, processing, retaining, or transferring of covered data pursuant to the instructions of a covered entity, another service provider, or a Federal, State, Tribal, or local government entity, or that fails to adhere to such instructions, is a covered entity and not a service provider with respect to a specific collecting, processing, retaining, or transferring of such data. If a service provider begins, alone or jointly with others, determining the purposes and means of collecting, processing, retaining, or transferring covered data, the entity is a covered entity with respect to such data. Whether an entity is a covered entity or a service provider depends on the facts surrounding how, and the context in which, data is collected, processed, retained, or transferred. The term small business means an entity (including any affiliate of the entity)— that has average annual gross revenues for the period of the 3 preceding calendar years (or for the period during which the entity has been in existence, if such period is less than 3 calendar years) not exceeding $40,000,000, indexed to the Producer Price Index reported by the Bureau of Labor Statistics; that, on average for the period described in clause (i), did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product; and that did not, during the period described in clause (i), transfer covered data to a third party in exchange for revenue or anything of value, except for purposes of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product or facilitating web analytics that are not used to create an online activity profile. For purposes of subparagraph (A)(i), the term revenue , as such term relates to any entity that is not organized to carry on business for its own profit or that of its members, means the gross receipts the entity received, in whatever form from all sources, without subtracting any costs or expenses, and includes contributions, gifts, grants (except for grants from the Federal Government), dues or other assessments, income from investments, or proceeds from the sale of real or personal property. The term State means each of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands of the United States, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands. The term substantial privacy harm means— any alleged financial harm of not less than $10,000; or any alleged physical or mental harm to an individual that involves— treatment by a licensed, credentialed, or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health, or addiction care; or physical injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability. The term targeted advertising — means displaying or presenting an online advertisement to an individual or to a device identified by a unique persistent identifier (or to a group of individuals or devices identified by unique persistent identifiers), if the advertisement is selected based, in whole or in part, on known or predicted preferences or interests associated with the individual or device; includes— an online advertisement by a covered high-impact social media company for a product or service that is not a product or service offered by the covered high-impact social media company; and an online advertisement for a product or service based on the previous interaction of an individual or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding or affiliation with the website or online service displaying or presenting the advertisement; and excludes contextual advertising and first-party advertising. The term teen means an individual 13 years of age or older, but under the age of 17. The term third party — means any entity that— receives covered data from another entity that is not the individual to whom the data pertains; and is not a service provider with respect to such data; and does not include an entity that collects covered data from another entity if the 2 entities are— related by common ownership or corporate control; or nonprofit entities that are part of the same federated nonprofit organization. The term third-party data means covered data that has been transferred to a third party. The term transfer means, with respect to covered data, to disclose, release, share, disseminate, make available, sell, rent, or license the covered data (orally, in writing, electronically, or by any other means) for consideration of any kind or for a commercial purpose. The term unique persistent identifier means a technologically created identifier to the extent that such identifier is reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including device identifiers, Internet Protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers or similar technology customer numbers, unique pseudonyms, user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to 1 or more individuals or devices. The term unique persistent identifier does not include an identifier assigned by a covered entity for the sole purpose of giving effect to the exercise of affirmative express consent or opt out by an individual with respect to the collecting, processing, retaining, and transfer of covered data or otherwise limiting the collecting, processing, retaining, or transfer of covered data. The term widely distributed media means information that is available to the general public, including information from a telephone book or online directory, a television, internet, or radio program, the news media, or an internet site that is available to the general public on an unrestricted basis. The term widely distributed media does not include an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code).
Connectionstraces to 7
Citation graph
cites case law
Sec. 101
Definitions
Cites 7Cited by 0 across 0 sources