Sec. 102. Data minimization
/bill/118/hr/8818/ih/section-102
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
(a) A covered entity may not collect, process, retain, or transfer covered data of an individual or direct a service provider to collect, process, retain, or transfer covered data of an individual beyond what is necessary, proportionate, and limited—
    (1) to provide or maintain—
        (A) a specific product or service requested by the individual to whom the data pertains, including any associated routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, or accounting; or
        (B) a communication, that is not an advertisement, by the covered entity to the individual reasonably anticipated within the context of the relationship; or
    (2) for a purpose expressly permitted under subsection (d).

(b) Subject to subsection (a), a covered entity may not transfer sensitive covered data to a third party or direct a service provider to transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains, unless for a purpose permitted by paragraph (2), (3), (4), (5), (6), (8), (9), (11), (12), or (13) of subsection (d).

(c)(1) Subject to subsection (a), a covered entity may not collect biometric information or genetic information or direct a service provider to collect biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains.
    (2) Subject to subsection (a), a covered entity may not process biometric information or genetic information or direct a service provider to process biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted by paragraph (2), (3), or (4) of subsection (d).
    (3) Subject to subsection (a), a covered entity may not retain biometric information or direct a service provider to retain biometric information beyond the point at which the purpose for which an individual provided affirmative express consent under paragraph (1) has been satisfied or beyond the date that is 3 years after the date of the last interaction of the individual with the covered entity or service provider, whichever occurs first, unless for a purpose permitted under paragraph (2), (3), or (4) of subsection (d).
    (4)(A) Subject to subsection (a), a covered entity may not transfer biometric information or genetic information to a third party or direct a service provider to transfer biometric information or genetic information to a third party without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted by paragraph (2), (3), or (4) of subsection (d).
        (B) A covered entity may not transfer biometric information or genetic information to a third party, or direct a service provider to transfer biometric information or genetic information to a third party, for payment or other valuable consideration (regardless of the purpose of the transfer, including a purpose described in subparagraph (A)).

(d) Subject to the requirements in subsections (b) and (c), a covered entity may collect, process, retain, or transfer or direct a service provider to collect, process, retain, or transfer covered data for the following purposes, if the covered entity or service provider can demonstrate that the collection, processing, retention, or transfer is necessary, proportionate, and limited to such purpose:
    (1) To protect data security as described in section 109, protect against spam, or protect and maintain networks and systems, including through diagnostics, debugging, and repairs.
    (2) To comply with a legal obligation imposed by a Federal, State, Tribal, or local law that is not preempted by this title.
    (3) To investigate, establish, prepare for, exercise, or defend cognizable legal claims of the covered entity or service provider.
    (4) To transfer covered data to a Federal, State, Tribal, or local law enforcement agency pursuant to a lawful warrant, administrative subpoena, or other form of lawful process.
    (5) To effectuate a product recall pursuant to Federal or State law, or to fulfill a warranty.
    (6) To conduct market research.
    (7) With respect to covered data previously collected in accordance with this title, to process the covered data such that the covered data becomes de-identified data, including in order to—
        (A) develop or enhance a product or service of the covered entity or service provider;
        (B) conduct research or analytics to improve a product or service of the covered entity or service provider;
        (C) conduct research to investigate, establish, or improve the effectiveness or safety of medical products, including drugs, biologics, and medical devices;
        (D) enable the effective delivery and administration of health care products and treatments to patients, in compliance with Federal regulations; or
        (E) monitor the safety and efficacy of health care products and services administered to patients, in compliance with Federal regulations.
    (8) To transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction, with respect to which the third party assumes control, in whole or in part, of the assets of the covered entity, but only if the covered entity, in a reasonable time prior to such transfer, provides each affected individual with—
        (A) a notice describing such transfer, including the name of the entity or entities receiving the covered data of the individual and the privacy policies of such entity or entities as described in section 104; and
        (B) a reasonable opportunity to—
            (i) withdraw any previously provided consent in accordance with the requirements of affirmative express consent under this title related to the covered data of the individual; and
            (ii) request the deletion of the covered data of the individual, as described in section 105.
    (9) With respect to a covered entity or service provider that is a telecommunications carrier or a provider of a mobile service, interconnected VoIP service, or non-interconnected VoIP service (as such terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153)), to provide call location information in a manner described in subparagraph (A) or (C) of section 222(d)(4) of such Act (47 U.S.C. 222(d)(4)).
    (10) To prevent, detect, protect against, investigate, or respond to fraud, excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    (11) To prevent, detect, protect against, investigate, or respond to an ongoing or imminent security incident relating to network security or physical security, including an intrusion or trespass, medical alert or request for a medical response, fire alarm or request for a fire response, or access control.
    (12) To prevent, detect, protect against, investigate, or respond to an imminent or ongoing public safety incident (such as a mass casualty event, natural disaster, or national security incident), excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    (13) Except with respect to health information, to prevent, detect, protect against, investigate, or respond to criminal activity or harassment, excluding the transfer of covered data for payment or other valuable consideration to a government entity.
    (14) Except with respect to sensitive covered data, and only with respect to covered data previously collected in accordance with this title, to process or transfer such data to provide first-party advertising or contextual advertising or to measure and report on marketing performance or media performance by the covered entity, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the processing or transfer of covered data for first-party advertising to a covered minor as prohibited by section 120.
    (15) Except with respect to sensitive covered data, and only with respect to covered data previously collected in accordance with this title, to process or transfer such data to provide targeted advertising, direct mail targeted advertising, or email targeted advertising (subject to the CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.) and the regulations promulgated under such Act) or to measure and report on marketing performance or media performance, including processing or transferring covered data for measurement and reporting of frequency, attribution, and performance, including by independent entities, except that this paragraph does not permit the processing or transfer of covered data for targeted advertising to an individual who has opted out of targeted advertising pursuant to section 106 or to a covered minor as prohibited by section 120.
    (16) To conduct a public or peer-reviewed scientific, historical, or statistical research project that—
        (A) is in the public interest;
        (B) adheres to all relevant laws and regulations governing such research, including regulations for the protection of human subjects, if applicable;
        (C) limits transfers to third parties of sensitive covered data to only those transfers necessary, proportionate, and limited to carry out the research; and
        (D) prohibits the transfer of covered data to a data broker.
    (17) To conduct medical research in compliance with part 46 of title 45, Code of Federal Regulations, or parts 50 and 56 of title 21, Code of Federal Regulations.

(e) Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance regarding what is necessary, proportionate, and limited to comply with this section.

(f) Nothing in this title may be construed to limit or diminish journalism, including gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or investigating news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public.