Sec. 103. Privacy by design
Source: /bill/118/hr/8818/ih/section-103
(a) Each covered entity and service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, retention, and transferring of covered data.

(b) The policies, practices, and procedures required by subsection (a) shall—
    (1) identify, assess, and mitigate privacy risks related to covered minors (including, if applicable, in a manner that considers the developmental needs of different age ranges of covered minors), individuals living with disabilities, and individuals over the age of 65;
    (2) mitigate privacy risks related to the products and services of the covered entity or service provider, including in the design, development, and implementation of such products and services, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider; and
    (3) implement reasonable internal training and safeguards to promote compliance with this title and to mitigate privacy risks, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider.

(c) The policies, practices, and procedures established by a covered entity or service provider under subsection (a) shall align with, as applicable—
    (1) the nature, scope, and complexity of the activities engaged in by the covered entity or service provider, including whether the covered entity or service provider is a large data holder, nonprofit organization, or data broker, taking into account the role of the covered entity or service provider and the information available to the covered entity or service provider;
    (2) the sensitivity of the covered data collected, processed, retained, or transferred by the covered entity or service provider;
    (3) the volume of covered data collected, processed, retained, or transferred by the covered entity or service provider;
    (4) the number of individuals and devices to which the covered data collected, processed, retained, or transferred by the covered entity or service provider relates;
    (5) state-of-the-art administrative, technological, and organizational measures that, by default, serve the purpose of protecting the privacy and security of covered data as required by this title; and
    (6) the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data involved.

(d) Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance with respect to what constitutes reasonable policies, practices, and procedures as required by subsection (a). In issuing such guidance, the Commission shall consider unique circumstances applicable to nonprofit organizations, service providers, and data brokers.