Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 119th Congress · H.R. 8413 (Introduced in House) — To establish a national framework for consumer privacy rights and the protection of personal data, and for other purp... · Sec. 2

Sec. 2. Consumer privacy rights

1,037 words·~5 min read·/bill/119/hr/8413/ih/section-2·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A consumer has the following privacy rights with respect to a controller: To confirm whether a controller is processing the personal data of the consumer and have access to a copy of such data, unless the confirmation and access would require the controller to reveal a trade secret. To correct any inaccuracy in the personal data of the consumer, taking into account the nature of the personal data and the purpose of processing the personal data. To delete personal data provided by or obtained about the consumer.
If the data is available in a digital format and to the extent technically feasible, to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance. To opt out of the processing of the personal data for the following purposes: Targeted advertising. The sale of personal data. Reliance on profiling to make a decision that has a legal or similarly significant effect on the consumer.
Except as provided in paragraphs
(2)and (3), a controller may not process the sensitive data of a consumer without obtaining the consent of the consumer before processing. Notwithstanding paragraph (1), a controller shall process the sensitive data of a child in accordance with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq). Notwithstanding paragraph (1), a controller may not process the sensitive data of a teen without obtaining the verifiable consent of a parent of the teen. A controller shall comply with any consumer privacy right described in subsection
(a)once a consumer submits a request that specifies each consumer privacy right the consumer requests to exercise and the controller authenticates the consumer. With respect to a consumer privacy right described in subsection
(a)for a child or teen, only a parent of the child or teen may exercise such consumer privacy right on behalf of the child or teen. Except as provided in paragraph (2), without undue delay and not later than 45 days after the date on which a consumer submits a request under subsection (c), a controller— shall respond to the consumer and comply with each privacy right requested; or shall provide a notice to the consumer that— the controller declines to take action; includes a justification for such inaction; and includes instructions on how the consumer can appeal the decision of such inaction. The controller may extend the period described in paragraph (1)(A) an additional 45 days when reasonably necessary, taking into consideration the complexity and number of requests submitted by the consumer, if the controller informs the consumer of the extension during such period with the reason for such extension. For each consumer privacy right described in subsection (a), a consumer may submit to each controller 2 requests under subsection
(c)related to such consumer privacy right in a year free of charge. If a consumer submits more than 2 such requests or submits a request that is technically infeasible or manifestly unfounded, the controller may— charge the consumer a reasonable fee to cover the administrative costs of complying with the request if the controller has notified the consumer of such fee and the consumer has consented to pay such fee; or decline to act on the request. The controller shall demonstrate, document, and provide to the Commission or a State attorney general, upon request, any technically infeasible or manifestly unfounded nature of any such request. If a controller is unable to authenticate a consumer who submits a request under subsection (c), the controller is not required to comply with such request and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the request. A controller that obtains personal data about a consumer from a source other than the consumer is considered to be in compliance with the request of a consumer under subsection
(c)to delete that personal data under subsection (a)(3) by— retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data of the consumer remains deleted from the records of the controller and not using the retained data for any other purpose under this Act; or opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this Act. With respect to a request of a consumer under subsection
(c)for a child, a controller shall be deemed to be in compliance with such subsection if the controller responds to an equivalent consumer privacy right exercised by a parent under the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq). A controller shall establish a process for a consumer to appeal a determination by the controller to not take action under subsection (d)(1)(B). The appeal process established pursuant to paragraph
(1)shall be conspicuously available and similar to the process for a request submitted under subsection (c). Not later than 60 days after the date on which an appeal is received by a controller, the controller— shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of each reason for a decision; and if the appeal is denied, shall provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Commission or a State attorney general to submit a complaint. A controller shall establish and describe in a privacy notice one or more secure and reliable means for a consumer to submit a request to exercise consumer privacy rights described under subsection (a). In establishing the means pursuant to paragraph (1), a controller shall take into account the ways in which a consumer normally interacts with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the consumer making the request. A controller may not require a consumer to create a new account in order to exercise consumer privacy rights described under subsection
(a)but may require a consumer to use an existing account.
Connectionstraces to 1
Traces to 1 document
Citation graph
cites case law
Sec. 2
Consumer privacy rights
U.S.C.§ 6501
Cites 1Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.