Sec. 105. Individual control over covered data
/bill/118/hr/8818/ih/section-105·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
After receiving a verified request from an individual, including a parent acting on behalf of a child of the parent, a covered entity shall provide the individual with the right to—
access— in a format that can be naturally read by a human, the covered data of the individual or child (as applicable) (or an accurate representation of the covered data of the individual or child (as applicable), if the covered data is no longer in the possession of the covered entity or a service provider acting on behalf of the covered entity) that is collected, processed, or retained by the covered entity or any service provider of the covered entity; the name of any third party or service provider to whom the covered entity has transferred the covered data, as well as the categories of sources from which the covered data was collected; and a description of the purpose for which the covered entity transferred any covered data of the individual or child (as applicable) to a third party or service provider;
correct any inaccuracy or incomplete information with respect to the covered data of the individual or child (as applicable) that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, request the covered entity to notify any third party or service provider to which the covered entity transferred such covered data of the corrected information, including so that service providers may provide the assistance required by section 111(a)(1)(C);
delete covered data of the individual or child (as applicable) that is retained by the covered entity and, for covered data that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such covered data of the deletion request, including so that service providers may provide the assistance required by section 111(a)(1)(C);
to the extent technically feasible, have exported covered data of the individual or child (as applicable) that is collected, processed, or retained by the covered entity, without licensing restrictions that unreasonably limit such transfers, in— a format that can be naturally read by a human; and a format that is portable, structured, interoperable, and machine-readable; and
delete any content or information submitted to the covered entity by the individual when a covered minor and, for any such content or information that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such content or information of the deletion request, including so that service providers may provide the assistance required by section 111(a)(1)(C).
A covered entity— shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and with respect to— the first 3 instances that an individual exercises any right described in subsection (a) during any 12-month period, shall allow the individual to exercise such right free of charge; and any instance beyond the first 3 instances described in subparagraph (A), may charge a reasonable fee for each additional request to exercise any such right during such 12-month period.
Subject to subsections (b), (d), and (e), each request under subsection (a) shall be completed— by any covered entity that is a large data holder or data broker, not later than 30 calendar days after receiving such request from an individual, unless it is impossible or demonstrably impracticable to verify the individual; or by a covered entity that is not a large data holder or data broker, not later than 45 calendar days after receiving such request from an individual, unless it is impossible or demonstrably impracticable to verify the individual.
A response period required under paragraph (1) may be extended once, by not more than the applicable time period described in such paragraph, when reasonably necessary, considering the complexity and number of requests from the individual, if the covered entity informs the individual of any such extension, and the reason for the extension, within the initial response period.
A covered entity shall reasonably verify that an individual making a request to exercise a right described in subsection (a) is— the individual whose covered data is the subject of the request; the parent of the child whose covered data (or, with respect to a request under subsection (a)(5), whose content or other information) is the subject of the request; or another individual who is a natural person who is authorized to make such a request on behalf of the individual whose covered data is the subject of the request.
If a covered entity cannot make the verification described in paragraph (1), the covered entity may request that the individual making the request provide any additional information necessary for the sole purpose of making such verification, except that— the request of the covered entity may not be burdensome on the individual; and the covered entity may not process, retain, or transfer such additional information for any other purpose.
A covered entity may not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity— cannot reasonably make the verification described in subsection (d)(1); determines that exercise of the right would require access to, or the correction or deletion of, the sensitive covered data of an individual other than the individual whose covered data is the subject of the request; determines that exercise of the right would require correction or deletion of covered data subject to a warrant, lawfully executed subpoena, or litigation hold notice or equivalent preservation notice in connection with such warrant or subpoena or issued in a matter in which the covered entity is a named party; determines that exercise of the right would violate a Federal, State, Tribal, or local law that is not preempted by this title; determines that exercise of the right would violate the professional ethical obligations of the covered entity; reasonably believes that the request is made to further fraud; except with respect to health information, reasonably believes that the request is made in furtherance of criminal activity; or reasonably believes that complying with the request would threaten data security or network security.
A covered entity may decline, in whole or in part, to comply with a request to exercise a right described in subsection (a), with adequate explanation to the individual making the request, if compliance with the request would— be demonstrably impracticable due to technological limitations or prohibitive cost, and if the covered entity provides a detailed description to the individual regarding the inability to comply with the request due to technological limitations or prohibitive cost; delete covered data necessary to perform a contract between the covered entity and the individual; with respect to a right described in paragraph (1) or (4) of subsection (a), require the covered entity to release trade secrets or other privileged, proprietary, or confidential business information; prevent a covered entity from being able to maintain a confidential record of opt-out requests pursuant to this title that is maintained solely for the purpose of preventing covered data of an individual from being collected, processed, retained, or transferred after the individual submits an opt-out request; with respect to a deletion request, require a private elementary or secondary school (as determined under State law) or a private institution of higher education (as defined in title I of the Higher Education Act of 1965 (20 U.S.C. 1001 et seq.)) to delete covered data, if the deletion would unreasonably interfere with the provision of education services by, or the ordinary operation of, the school or institution; delete covered data that relates to a public figure regarding a matter of legitimate public interest and for which the requesting individual has no reasonable expectation of privacy; or delete covered data that the covered entity reasonably believes may be evidence of an abuse of the products or services of the covered entity, including a violation of terms of service.
This section may not be construed to require a covered entity or service provider acting on behalf of a covered entity to— retain covered data collected for a 1-time transaction, if such covered data is not processed or transferred by the covered entity for any purpose other than completing such transaction; re-identify, or attempt to re-identify, de-identified data; or collect or retain any data in order to be capable of associating a request with the covered data that is the subject of the request.
In the event a covered entity declines a request under paragraph (2), the covered entity shall comply with the remainder of the request if partial compliance is possible and not unduly burdensome.
For purposes of paragraph (2)(A), the receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable.
The Commission may promulgate regulations, in accordance with section 553 of title 5, United States Code, to establish additional permissive exceptions to subsection (a) necessary to protect the rights of individuals, to alleviate undue burdens on covered entities, to prevent unjust or unreasonable outcomes from the exercise of access, correction, deletion, or portability rights, or to otherwise fulfill the purposes of this section.
In establishing any exceptions under subparagraph (A), the Commission shall consider any relevant changes in technology, means for protecting privacy and other rights, and beneficial uses of covered data by covered entities.
A covered entity may decline to comply with a request of an individual to exercise a right under this section pursuant to an exception the Commission establishes under this paragraph.
With respect to each calendar year for which an entity is a large data holder, such entity shall comply with the following requirements:
Compile the following information for such calendar year:
The number of verified access requests under subsection (a)(1).
The number of verified deletion requests under subsection (a)(3).
The number of verified deletion requests under subsection (a)(5).
The number of verified requests to opt out of covered data transfers under section 106(a)(1).
The number of verified requests to opt out of targeted advertising under section 106(a)(2).
For each category of request described in subparagraphs (A) through (E), the number of such requests that the large data holder complied with in whole or in part.
For each category of request described in subparagraphs (A) through (E), the average number of days within which the large data holder substantively responded to the requests.
Not later than July 1 of each calendar year, disclose the information compiled under paragraph (1) for the previous calendar year— in the privacy policy of the large data holder; or on a publicly available website of the large data holder that is accessible from a hyperlink included in the privacy policy.
Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance to clarify or explain the provisions of this section and establish practices by which a covered entity may verify a request to exercise a right described in subsection (a).
A covered entity shall facilitate the ability of individuals to make requests to exercise rights described in subsection (a) in any language in which the covered entity provides a product or service.
The mechanisms by which a covered entity enables individuals to make a request to exercise a right described in subsection (a) shall be readily accessible and usable by individuals living with disabilities.