[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 189 Introduced in Senate (IS)]
<DOC>
116th CONGRESS
1st Session
S. 189
To protect the privacy of users of social media and other online
platforms.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 17, 2019
Ms. Klobuchar (for herself and Mr. Kennedy) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To protect the privacy of users of social media and other online
platforms.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Social Media Privacy Protection and
Consumer Rights Act of 2019''.
SEC. 2. DEFINITIONS.
In this Act--
(1) the term ``Commission'' means the Federal Trade
Commission;
(2) the term ``covered online platform'' means an online
platform that collects personal data during the online behavior
of a user of the online platform;
(3) the term ``geolocation information'' means, with
respect to an individual, any information that is not the
content of a communication, concerning the location of a
wireless communication device that--
(A) in whole or in part, is generated by or derived
from the operation of that device; and
(B) could be used to determine or infer information
regarding the location of the individual;
(4) the term ``online platform''--
(A) means any public-facing website, web
application, or digital application (including a mobile
application); and
(B) includes a social network, an ad network, a
mobile operating system, a search engine, an email
service, or an internet access service;
(5) the term ``operator'' has the meaning given the term in
section 1302 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6501); and
(6) the term ``personal data'' means individually
identifiable information about an individual collected online,
including--
(A) location information sufficient to identify the
name of a street and a city or town, including a
physical address;
(B) an email address;
(C) a telephone number;
(D) a government identifier, such as a Social
Security number;
(E) geolocation information;
(F) the content of a message;
(G) protected health information, as defined in
section 160.103 of title 45, Code of Federal
Regulations, or any successor regulation; and
(H) nonpublic personal information, as defined in
section 509 of the Gramm-Leach-Bliley Act (15 U.S.C.
6809).
SEC. 3. PRIVACY PROTECTIONS.
(a) Transparency and Terms of Service.--
(1) Disclosure and obtaining initial consent and privacy
preferences.--
(A) In general.--Before a user creates an account
with, or otherwise begins to use, a covered online
platform, the operator of the online platform shall--
(i) inform the user that, unless the user
makes an election under clause (ii)(II),
personal data of the user produced during the
online behavior of the user, whether on the
online platform or otherwise, will be collected
and used by the operator and third parties; and
(ii) provide the user the option to specify
the privacy preferences of the user, including
by--
(I) agreeing to the terms of
service for use of the online platform,
including, except as provided in
subclause (II), the collection and use
of personal data described in clause
(i); and
(II) prohibiting, if the user so
elects, the collection and use of
personal data described in clause (i),
subject to subparagraph (B).
(B) Consequence of prohibition of data
collection.--If the election of a user under
subparagraph (A)(ii)(II) creates inoperability in the
online platform, the operator of the online platform
may deny certain services or completely deny access to
the user.
(C) Form of disclosure.--An operator of a covered
online platform shall provide a user of the online
platform with the terms of service for use of the
online platform, including the collection and use of
personal data described in subparagraph (A)(i), in a
form that--
(i) is--
(I) easily accessible;
(II) of reasonable length; and
(III) clearly distinguishable from
other matters; and
(ii) uses language that is clear, concise,
and well organized, and follows other best
practices appropriate to the subject and
intended audience.
(D) Privacy or security program.--An operator of a
covered online platform shall--
(i) establish and maintain a privacy or
security program for the online platform; and
(ii) publish a description of the privacy
or security program that--
(I) details how the operator will
use the personal data of a user of the
online platform, including requirements
for how the operator will address
privacy risks associated with the
development of new products and
services; and
(II) includes details of the access
that employees and contractors of the
operator have to the personal data of a
user of the online platform, and
internal policies for the use of that
personal data.
(2) New products; changes to privacy or security program.--
An operator of a covered online platform may not introduce a
new product, or implement any material change to the privacy or
security program of the online platform that overrides the
privacy preferences of a user of the online platform, as
specified under paragraph (1)(A)(ii), unless the operator has--
(A) informed the user that the new product or
change will result in the collection and use of
personal data described in paragraph (1)(A)(i), if that
is the case;
(B) provided the user the option under paragraph
(1)(A)(ii); and
(C) obtained affirmative express consent from the
user to the introduction of the new product or the
implementation of the change.
(3) Withdrawal of consent.--An operator of a covered online
platform shall ensure that--
(A) a user of the online platform is able to
withdraw consent to the terms of service for use of the
online platform, including the collection and use of
personal data described in paragraph (1)(A)(i), as
easily as the user is able to give such consent; and
(B) except as otherwise required by law, no person
is able to access the personal data of a user of the
online platform later than 30 days after the date on
which the user closes his or her account or otherwise
terminates his or her use of the online platform.
(b) Right to Access.--An operator of a covered online platform
shall offer a user of the online platform a copy of the personal data
of the user that the operator has processed, free of charge and in an
electronic and easily accessible format, including a list of each
person that received the personal data from the operator for business
purposes, whether through sale or other means.
(c) Violations of Privacy.--
(1) In general.--Not later than 72 hours after an operator
of a covered online platform becomes aware that the personal
data of a user of the online platform has been transmitted in
violation of the privacy or security program of the online
platform, including the privacy preferences specified by the
user under subsection (a)(1)(A)(ii), the operator shall--
(A) notify the user of the transmission;
(B) offer the user the option to elect to prohibit
the operator from collecting and using the personal
data of the user, subject to paragraph (2);
(C) except as provided in paragraph (3), offer the
user the option to have the operator--
(i) erase all personal data of the user
tracked by the operator; and
(ii) cease further dissemination of
personal data of the user tracked by the
operator;
(D) offer the user a copy of the personal data of
the user that the operator has processed, free of
charge and in an electronic and easily accessible
format, including a list of each person that received
the personal data from the operator, whether through
sale or other means; and
(E) offer the user the option to close his or her
account or otherwise terminate his or her use of the
online platform.
(2) Consequence of prohibition of data collection.--If the
election of a user under paragraph (1)(B) creates inoperability
in the online platform, the operator of the online platform may
deny certain services or completely deny access to the user.
(3) Public safety exception.--If the operator of a covered
online platform, in good faith, believes that an emergency
involving danger of death or serious physical injury to any
individual requires disclosure without delay of specific
personal data of a user of the online platform that relates to
the emergency, the operator shall--
(A) retain the specific personal data; and
(B) notify the proper authorities.
(d) Compliance.--Not less frequently than once every 2 years, the
operator of a covered online platform shall audit the privacy or
security program of the online platform.
(e) Safe Harbor.--Subsections (a), (b), and (c) shall not apply
with respect to the development of privacy-enhancing technology by an
operator of an online platform.
SEC. 4. ENFORCEMENT.
(a) Enforcement by Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 3 shall be treated as a violation of a rule defining an
unfair or deceptive act or practice prescribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(2) Powers of commission.--
(A) In general.--Except as provided in subparagraph
(C), the Commission shall enforce this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Except as provided
in subparagraph (C), any person who violates this Act
shall be subject to the penalties and entitled to the
privileges and immunities provided in the Federal Trade
Commission Act (15 U.S.C. 41 et seq.).
(C) Common carriers and nonprofit organizations.--
Notwithstanding section 4, 5(a)(2), or 6 of the Federal
Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or
any jurisdictional limitation of the Commission, the
Commission shall also enforce this Act, in the same
manner provided in subparagraphs (A) and (B) of this
paragraph, with respect to--
(i) common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et
seq.) and Acts amendatory thereof and
supplementary thereto; and
(ii) organizations not organized to carry
on business for their own profit or that of
their members.
(D) Authority preserved.--Nothing in this Act shall
be construed to limit the authority of the Commission
under any other provision of law.
(b) Enforcement by States.--
(1) Authorization.--Subject to paragraph (2), in any case
in which the attorney general of a State has reason to believe,
based on a legitimate consumer complaint, that an interest of
the residents of the State has been or is threatened or
adversely affected by the engagement of any person subject to
section 3 in a practice that violates that section, the
attorney general of the State may, as parens patriae, bring a
civil action on behalf of the residents of the State in an
appropriate district court of the United States to obtain
appropriate relief.
(2) Rights of federal trade commission.--
(A) Notice to federal trade commission.--
(i) In general.--Except as provided in
clause (iii), the attorney general of a State
shall notify the Commission in writing that the
attorney general intends to bring a civil
action under paragraph (1) before initiating
the civil action against a person described in
subsection (a)(1).
(ii) Contents.--The notification required
by clause (i) with respect to a civil action
shall include a copy of the complaint to be
filed to initiate the civil action.
(iii) Exception.--If it is not feasible for
the attorney general of a State to provide the
notification required by clause (i) before
initiating a civil action under paragraph (1),
the attorney general shall notify the
Commission immediately upon instituting the
civil action.
(B) Intervention by federal trade commission.--The
Commission may--
(i) intervene in any civil action brought
by the attorney general of a State under
paragraph (1) against a person described in
subsection (a)(1); and
(ii) upon intervening--
(I) be heard on all matters arising
in the civil action; and
(II) file petitions for appeal of a
decision in the civil action.
(3) Investigatory powers.--Nothing in this subsection may
be construed to prevent the attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of the State to conduct investigations, to administer
oaths or affirmations, or to compel the attendance of witnesses
or the production of documentary or other evidence.
(4) Action by federal trade commission.--If the Federal
Trade Commission institutes a civil action or an administrative
action with respect to a violation of section 3, the attorney
general of a State may not, during the pendency of the action,
bring a civil action under paragraph (1) against any defendant
named in the complaint of the Commission for the violation with
respect to which the Commission instituted such action.
(5) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in--
(i) the district court of the United States
that meets applicable requirements relating to
venue under section 1391 of title 28, United
States Code; or
(ii) another court of competent
jurisdiction.
(B) Service of process.--In an action brought under
paragraph (1), process may be served in any district in
which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(6) Actions by other state officials.--
(A) In general.--In addition to civil actions
brought by attorneys general under paragraph (1), any
other consumer protection officer of a State who is
authorized by the State to do so may bring a civil
action under paragraph (1), subject to the same
requirements and limitations that apply under this
subsection to civil actions brought by attorneys
general.
(B) Savings provision.--Nothing in this subsection
may be construed to prohibit an authorized official of
a State from initiating or continuing any proceeding in
a court of the State for a violation of any civil or
criminal law of the State.
SEC. 5. EFFECTIVE DATE.
(a) In General.--This Act shall take effect 180 days after the date
of enactment of this Act.
(b) Applicability to Existing Users of Online Platforms.--An
individual who becomes a user of a covered online platform before the
effective date under subsection (a) shall be treated as if he or she
had become a user of the online platform on that effective date.
(c) No Retroactive Applicability.--This Act shall not apply to any
conduct that occurred before the effective date under subsection (a).
<all>
Social Media Privacy Protection and Consumer Rights Act of 2019
#189 | S Congress #116
Policy Area: Commerce
Last Action: Read twice and referred to the Committee on Commerce, Science, and Transportation. (1/17/2019)
Bill Text Source: Congress.gov