
Code · BILL · 119th Congress · H.R. 8413 (Introduced in House) — To establish a national framework for consumer privacy rights and the protection of personal data, and for other purp... · Sec. 8

Sec. 8. Codes of conduct


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A controller or processor (or a group of controllers or processors) may submit to the Secretary an application for approval of a code of conduct that meets or exceeds the requirements of the controller or processor (or the group of controllers or processors) under this Act. An application submitted under paragraph (1) shall include the following: A description of the specific requirements of this Act to which the code of conduct proposed in the application will apply. A description of how the code of conduct will meet or exceed such requirements. A description of the entities the code of conduct is designed to cover. A list of the controllers or processors, to the extent known at the time of application, that intend to comply with the code of conduct. A description of the independent organization that will administer the code of conduct with respect to controllers or processors, including an explanation of how the independent organization is governed. A description of how the entities described in subparagraph (C) will be assessed for compliance with the code of conduct by the independent organization described in subparagraph (E). A description of how the independent organization will refer to the Commission or to a State attorney general any controller or processor that does not— meet the requirements of this Act; or meet or exceed the requirements of the Act in accordance with the certification publicly disclosed by the controller or processor under subsection (c).

Not later than 90 days after the date on which the Secretary receives an application submitted under paragraph (1), the Secretary shall publish the application and provide an opportunity for public comment on the code of conduct proposed in the application. The Secretary, in consultation with the Commission, shall approve an application submitted under paragraph (1), including the independent organization that will administer the code of conduct, if the controller or processor (or the group of controllers or processors) that submits the application demonstrates that the code of conduct proposed in the application meets the following criteria: Meets or exceeds the relevant requirements of this Act. Provides for regular review and validation by the independent organization to ensure that the controller or processor (or the group of controllers or processors) that complies with the code of conduct continues to meet or exceed the relevant requirements of this Act. Includes referral to the Commission for enforcement or referral to the appropriate State attorney general for enforcement. Not later than 1 year after the date on which the Secretary receives an application submitted under paragraph (1), the Secretary shall issue a public determination approving or denying the application and providing the reasons for such approval or denial.

If an independent organization that administers a code of conduct approved under subparagraph (A) makes significant updates to the code of conduct— the independent organization shall submit to the Secretary an application for approval of the significant updates made to the code of conduct; and not later than 90 days after the date on which the Secretary receives an application for an updated code of conduct submitted under subclause (I), the Secretary shall publish the proposed updated code of conduct and provide an opportunity for public comment. Not later than 180 days after the date on which the Secretary receives an application for an updated code of conduct submitted under clause (i)(I), the Secretary, considering the approval criteria described in subparagraph (A)(ii), shall issue a public determination approving or denying the application and providing the reasons for such approval or denial.

If the Secretary has clear and convincing evidence that a code of conduct approved under subsection (a)(3) no longer meets the relevant requirements of this Act or that compliance with the code of conduct is insufficiently assessed by the independent organization that administers the code of conduct, the Secretary shall notify the relevant controller or processor (or the relevant group of controllers or processors) and the independent organization of a potential withdrawal of approval by the Secretary and of the opportunity to cure any alleged deficiency under paragraph (2). Not later than 180 days after the date on which a controller or processor (or a group of controllers or processors) receives the notice described in paragraph (1), the controller or processor (or the group of controllers or processors) and the relevant independent organization may— create a proposed cure to any alleged deficiency of the code of conduct or the enforcement of the code of conduct; and submit each such proposed cure to the Secretary.
If the Secretary determines within 60 days that a proposed cure submitted under subparagraph (A)(ii) eliminates an alleged deficiency of the code of conduct or the assessment of compliance with the code of conduct, the Secretary may not withdraw the approval of such code of conduct on the basis of such deficiency. If the Secretary determines that a proposed cure submitted under subparagraph (A)(ii) does not eliminate an alleged deficiency of the code of conduct or the assessment of compliance with the code of the conduct, the Secretary may withdraw approval of such code of conduct on the basis of such deficiency. Not later than 10 days after the date on which the Secretary makes a determination under subparagraph (A), the Secretary shall notify the relevant controller or processor (or the relevant group of controllers or processors) and the independent organization of the relevant withdrawal of approval described in subparagraph (A). A withdrawal of approval described in subparagraph (A) shall take effect on the date that is 30 days after the date on which the Secretary provides the notification required by subparagraph (B). Not later than 30 days after the date on which the Secretary provides notification required by subparagraph (B), the Secretary shall publish on a publicly available website a notice about the relevant withdrawal of approval described in subparagraph (A).

A controller or processor that participates in a code of conduct approved under subsection (a)(3) shall certify on a publicly available website that the controller or processor is in compliance with the code of conduct, including by listing the independent organization that administers the code of conduct.

A controller or processor that complies with a relevant code of conduct approved under subsection (a)(3) (or a relevant certification described in subsection (f)) shall be entitled to a rebuttable presumption that the controller or processor is in compliance with the relevant requirements of this Act to which the code of conduct (or certification) applies.

Not later than 2 years after the date of the enactment of this Act, the Secretary shall publish codes of conduct for businesses that otherwise would be persons to whom this Act applies but that do not meet the applicability requirements described in section 13(a)(2). In carrying out paragraph (1), the Secretary shall— follow the same procedures described in subsections (a) and (b); and solicit independent organizations to administer the codes of conduct. A code of conduct published under paragraph (1) shall meet the following requirements: Be consistent with the requirements of this Act. Be cost-effective for any participant in the code of conduct. Be appropriate to the risks, size, and limitations of any such participant. Participation in a code of conduct published under paragraph (1) shall be voluntary. A participant in a code of conduct published under paragraph (1) shall publicly self-certify that the participant is in compliance with the code of conduct, including by listing the independent organization that administers the code of conduct.

A certification by a controller pursuant to the Global Cross Border Privacy Rules System, or any successor system, or a certification by a processor pursuant to the Global Cross Border Privacy Rules System Privacy Recognition for Processors, or any successor system, shall be treated as participation in a code of conduct approved under subsection (a)(3).