OLL18800 S.L.C.

115TH CONGRESS
2D SESSION

S. ____

To establish duties for online service providers with respect to end user data that such providers collect and use.

IN THE SENATE OF THE UNITED STATES

____________

Mr. SCHATZ (for himself, Ms. HASSAN, Mr. BENNET, Ms. DUCKWORTH, Ms. KLOBUCHAR, Mrs. MURRAY, Mr. BOOKER, Ms. CORTEZ MASTO, Mr. HEINRICH, Mr. MARKEY, Mr. BROWN, Ms. BALDWIN, Mr. JONES, Mr. MANCHIN, and Mr. DURBIN) introduced the following bill; which was read twice and referred to the Committee on ____________

A BILL

To establish duties for online service providers with respect to end user data that such providers collect and use.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the “Data Care Act of 2018”.

SEC. 2. DEFINITIONS.

    In this Act—
        (1) the term “Commission” means the Federal Trade Commission;
        (2) the term “end user” means an individual who engages with an online service provider or logs into or uses services provided by the online service provider over the internet or any other digital network;
        (3) the term “individual identifying data” means any data that is—
            (A) collected over the internet or any other digital network; and
            (B) linked, or reasonably linkable, to—
                (i) a specific end user; or
                (ii) a computing device that is associated with or routinely used by an end user;
        (4) the term “online service provider” means an entity that—
            (A) is engaged in interstate commerce over the internet or any other digital network; and
            (B) in the course of business, collects individual identifying data about end users, including in a manner that is incidental to the business conducted; and
        (5) the term “sensitive data” means any data that includes—
            (A) a social security number;
            (B) personal information (as defined in section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501)) collected from a child (as defined in such section 1302);
            (C) a driver’s license number, passport number, military identification number, or any other similar number issued on a government document used to verify identity;
            (D) a financial account number, credit or debit card number, or any required security code, access code, or password that is necessary to permit access to a financial account of an individual;
            (E) unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation;
            (F) information sufficient to access an account of an individual, such as user name and password or email address and password;
            (G) the first and last name of an individual, or first initial and last name, or other unique identifier in combination with—
                (i) the month, day, and year of birth of the individual;
                (ii) the maiden name of the mother of the individual; or
                (iii) the past or present precise geolocation of the individual;
            (H) information that relates to—
                (i) the past, present, or future physical or mental health or condition of an individual; or
                (ii) the provision of health care to an individual; and
            (I) the nonpublic communications or other nonpublic user-created content of an individual.

SEC. 3. PROVIDER DUTIES.

    (a) IN GENERAL.—An online service provider shall fulfill the duties of care, loyalty, and confidentiality under paragraphs (1), (2), and (3), respectively, of subsection (b).
    (b) DUTIES.—
        (1) DUTY OF CARE.—An online service provider shall—
            (A) reasonably secure individual identifying data from unauthorized access; and
            (B) subject to subsection (c), promptly inform an end user of any breach of the duty described in subparagraph (A) of this paragraph with respect to sensitive data of that end user.
        (2) DUTY OF LOYALTY.—An online service provider may not use individual identifying data, or data derived from individual identifying data, in any way that—
            (A) will benefit the online service provider to the detriment of an end user; and
            (B)(i) will result in reasonably foreseeable and material physical or financial harm to an end user; or
            (ii) would be unexpected and highly offensive to a reasonable end user.
        (3) DUTY OF CONFIDENTIALITY.—An online service provider—
            (A) may not disclose or sell individual identifying data to, or share individual identifying data with, any other person except as consistent with the duties of care and loyalty under paragraphs (1) and (2), respectively;
            (B) may not disclose or sell individual identifying data to, or share individual identifying data with, any other person unless that person enters into a contract with the online service provider that imposes on the person the same duties of care, loyalty, and confidentiality toward the applicable end user as are imposed on the online service provider under this subsection; and
            (C) shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, individual identifying data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (B), including by auditing, on a regular basis, the data security and data information practices of any such person.
    (c) EXPANSION OF DUTY TO INFORM REGARDING BREACHES.—The Commission may promulgate regulations under section 553 of title 5, United States Code, to apply the breach notification requirement under subsection (b)(1)(B) with respect to specific categories of individual identifying data other than sensitive data, as the Commission determines necessary.
    (d) EXCEPTIONS.—
        (1) REGULATIONS.—The Commission may promulgate regulations under section 553 of title 5, United States Code, to exempt categories of online service providers from the requirement under subsection (a).
        (2) CONSIDERATIONS.—In promulgating regulations under paragraph (1), the Commission shall consider, among other factors—
            (A) the privacy risks posed by the use of individual identifying data by an online service provider based on—
                (i) the size of the provider;
                (ii) the complexity of the offerings of the provider;
                (iii) the nature and scope of the activities of the provider; and
                (iv) the sensitivity of the consumer information handled by the provider; and
            (B) the costs and benefits of applying the requirement under subsection (a) to online service providers with particular combinations of characteristics considered under subparagraph (A) of this paragraph.

SEC. 4. ENFORCEMENT.

    (a) ENFORCEMENT BY COMMISSION.—
        (1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of section 3 by an online service provider shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
        (2) POWERS OF COMMISSION.—
            (A) IN GENERAL.—Except as provided in subparagraph (C), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
            (B) PRIVILEGES AND IMMUNITIES.—Except as provided in subparagraph (C), any person who violates section 3 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
            (C) NONPROFIT ORGANIZATIONS AND COMMON CARRIERS.—Notwithstanding section 4 or 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2)) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in subparagraphs (A) and (B) of this paragraph, with respect to—
                (i) organizations not organized to carry on business for their own profit or that of their members; and
                (ii) common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).
        (3) RULEMAKING AUTHORITY.—The Commission shall promulgate regulations under this Act in accordance with section 553 of title 5, United States Code.
    (b) ENFORCEMENT BY STATES.—
        (1) AUTHORIZATION.—Subject to paragraph (3), in any case in which the attorney general of a State has reason to believe that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of an online service provider in a practice that violates section 3, the attorney general of the State may, as parens patriae, bring a civil action against the online service provider on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief, including civil penalties in the amount determined under paragraph (2).
        (2) CIVIL PENALTIES.—An online service provider that is found, in an action brought under paragraph (1), to have knowingly or repeatedly violated section 3 shall, in addition to any other penalty otherwise applicable to a violation of section 3, be liable for a civil penalty equal to the amount calculated by multiplying—
            (A) the greater of—
                (i) the number of days during which the online service provider was not in compliance with that section; or
                (ii) the number of end users who were harmed as a result of the violation, by
            (B) an amount not to exceed the maximum civil penalty for which a person, partnership, or corporation may be liable under section 5(m)(1)(A) of the Federal Trade Commission Act (15 U.S.C. 45(m)(1)(A)) (including any adjustments for inflation).
        (3) RIGHTS OF FEDERAL TRADE COMMISSION.—
            (A) NOTICE TO FEDERAL TRADE COMMISSION.—
                (i) IN GENERAL.—Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action.
                (ii) CONTENTS.—The notification required under clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.
                (iii) EXCEPTION.—If it is not feasible for the attorney general of a State to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
            (B) INTERVENTION BY FEDERAL TRADE COMMISSION.—The Commission may—
                (i) intervene in any civil action brought by the attorney general of a State under paragraph (1); and
                (ii) upon intervening—
                    (I) be heard on all matters arising in the civil action; and
                    (II) file petitions for appeal of a decision in the civil action.
        (4) INVESTIGATORY POWERS.—Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to—
            (A) conduct investigations;
            (B) administer oaths or affirmations; or
            (C) compel the attendance of witnesses or the production of documentary or other evidence.
        (5) PREEMPTIVE ACTION BY FEDERAL TRADE COMMISSION.—If the Commission institutes a civil action or an administrative action with respect to a violation of section 3, the attorney general of a State may not, during the pendency of the action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission based on the same set of facts giving rise to the alleged violation with respect to which the Commission instituted the action.
        (6) VENUE; SERVICE OF PROCESS.—
            (A) VENUE.—Any action brought under paragraph (1) may be brought in—
                (i) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
                (ii) another court of competent jurisdiction.
            (B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—
                (i) is an inhabitant; or
                (ii) may be found.
        (7) ACTIONS BY OTHER STATE OFFICIALS.—
            (A) IN GENERAL.—In addition to civil actions brought by attorneys general under paragraph (1), any other consumer protection officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
            (B) SAVINGS PROVISION.—Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.

SEC. 5. NONENFORCEABILITY OF CERTAIN PROVISIONS WAIVING RIGHTS AND REMEDIES.

    The rights and remedies provided under this Act may not be waived or limited by contract or otherwise.

SEC. 6. RELATION TO OTHER PRIVACY AND SECURITY LAWS.

    Nothing in this Act may be construed to—
        (1) modify, limit, or supersede the operation of any privacy or security provision in any other Federal or State statute or regulation; or
        (2) limit the authority of the Commission under any other provision of law.

SEC. 7. EFFECTIVE DATE.

    (a) IN GENERAL.—This Act shall take effect on the date of enactment of this Act.
    (b) APPLICABILITY.—Section 3 shall apply with respect to an online service provider on and after the date that is 180 days after the date of enactment of this Act.