Below are selected key excerpts and definitions from the House floor version of H.R. 8152, the American Data Privacy and Protection Act, a bill adopted in committee July 20, 2022. This language is taken from a full-text comparison with an earlier version of the bill, prepared by the Future of Privacy Forum and the International Association of Privacy Professionals. The comparison may be found HERE. The bill as approved 53-52 by the House Energy and Commerce Committee may be found HERE.
RIGHT TO OPT OUT OF TARGETED ADVERTISING
(1) A covered entity or service provider that directly delivers a targeted advertisement shall—
(A) prior to engaging in targeted advertising to an individual or device and at all times thereafter, provide such individual with a clear and conspicuous means to opt out of targeted advertising;
(B) abide by any opt-out designation by an individual with respect to targeted advertising and notify the covered entity that directed the service provider to deliver the targeted advertisement of the opt-out decision; and
(C) allow an individual to make an opt-out designation with respect to targeted advertising through an opt-out mechanism, as described in section 210.
(2) A covered entity or service provider that receives an opt-out notification pursuant to paragraph (1)(B) or this paragraph shall abide by such opt-out designations by an individual and notify any other person that directed the covered entity or service provider to serve, deliver, or otherwise handle the advertisement of the opt-out decision.
TARGETED ADVERTISING.—The term “targeted advertising”—
(A) means presenting to an individual or device identified by a unique identifier, or groups of individuals or devices identified by unique identifiers, an online advertisement that is selected based on known or predicted preferences, characteristics, or interests associated with the individual or a device identified by a unique identifier; and
(B) does not include—
(i) advertising or marketing to an individual or an individual’s device in response to the individual’s specific request for information or feedback;
(ii) contextual advertising, which is when an advertisement is displayed based on the content in which the advertisement appears and does not vary based on who is viewing the advertisement; or
(iii) processing covered data solely for measuring or reporting advertising or content, performance, reach, or frequency, including independent measurement.
“Any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and is subject to the Federal Trade Commission Act [or] is a common carrier subject to the Communications Act of 1934 . . . an entity shall not be considered to be a covered entity for purposes of this Act insofar as the entity is acting as a service provider (as defined in paragraph 29).”
“[M]eans information that does not identify and is not linked or reasonably linkable to an individual or an individual’s device, regardless of whether the information is aggregated, and if the covered entity takes reasonable technical, administrative, and physical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual . . . .”
“[C]overed data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about an individual or an individual’s device.”
SENSITIVE COVERED DATA
The term “sensitive covered data” means the following forms of covered data:
(i) A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by law to be displayed in public.
(ii) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
(iii) A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual, except that the last four digits of a debit or credit card number shall not be deemed sensitive covered data.
(iv) Biometric information.
(v) Genetic information.
(vi) Precise geolocation information.
(vii) An individual’s private communications, such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such communications, voice communications, video communications, and any information that pertains to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call, unless the covered entity or a service provider acting on behalf of the covered entity is the sender or an intended recipient of the communication. Communications are not private for purposes of this clause if such communications are made from or to a device provided by an employer to an employee insofar as such employer provides conspicuous notice that such employer may access such communications.
(viii) Account or device log-in credentials, or security or access codes for an account or device.
(ix) Information identifying the sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the collection, processing, or transfer of such information.
(x) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location. Such information is not sensitive for purposes of this paragraph if such information is sent from or to a device provided by an employer to an employee insofar as such employer provides conspicuous notice that it may access such information.
(xi) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
(xii) Information revealing the video content requested or selected by an individual collected by a covered entity that is not a provider of a service described in section 102(4). This clause does not include covered data used solely for transfers for independent video measurement.
(xiii) Information about an individual when the covered entity or service provider has knowledge that the individual is a covered minor.
(xiv) An individual’s race, color, ethnicity, religion, or union membership.
(xv) Information identifying an individual’s online activities over time and across third party websites or online services.
(xvi) Any other covered data collected, processed, or transferred for the purpose of identifying the types of covered data listed in clauses (i) through (xv).
The term “service provider” means a person or entity that collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity, or a Federal, State, Tribal, territorial, or local government entity; and receives covered data from or on behalf of a covered entity or a Federal, State, Tribal, territorial, or local government entity.
[A]ny person or entity, including a covered entity, that collects, processes, or transfers covered data that the person or entity did not collect directly from the individual linked or linkable to such covered data; and is not a service provider with respect to such data; and does not include a person or entity that collects covered data from another entity if the two entities are related by common ownership or corporate control, but only if a reasonable consumer’s reasonable expectation would be that such entities share information.
[C]overed data that has been transferred to a third party by a covered entity.
[T]o disclose, release, share, disseminate, make available, or license, rent, or share covered data orally, in writing, electronically, or by any other means.
UNIQUE PERSISTENT IDENTIFIER
The term “unique identifier” means an identifier to the extent that such identifier is reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals, including a device identifier, Internet Protocol address, cookie, beacon, pixel tag, mobile ad identifier, or similar technology, customer number, unique pseudonym, user alias, telephone numbers, or other form of persistent or probabilistic identifier that is linked or reasonably linkable to an individual or device; and does not include an identifier assigned by a covered entity for the specific purpose of giving effect to an individual’s exercise of affirmative express consent or opt-outs of the collection, processing, and transfer of covered data pursuant to section 204 or otherwise limiting the collection, processing, or transfer of such information.
SEC. 104. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.
RETALIATION THROUGH SERVICE OR PRICING PROHIBITED
A covered entity may not retaliate against an individual for exercising any of the rights guaranteed by the Act, or any regulations promulgated under this Act, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
RULES OF CONSTRUCTION. — Nothing in subsection (a) shall be construed to—
(1) prohibit the relation of the price of a service or the level of service provided to an individual to the provision, by the individual, of financial information that is necessarily collected and processed only for the purpose of initiating, rendering, billing for, or collecting payment for a service or product requested by the individual;
(2) prohibit a covered entity from offering a different rate, level, quality or selection of goods or services to an individual, including offering goods or services for no fee, if the offering is in connection with an individual’s voluntary participation in a bona fide loyalty program;
(3) require a covered entity to provide a bona fide loyalty program that would require the covered entity to collect, process, or transfer covered data that the covered entity otherwise would not collect, process, or transfer;
(4) prohibit a covered entity from offering a financial incentive or other consideration to an individual for participation in market research;
(5) prohibit a covered entity from offering different types of pricing or functionalities with respect to a product or service based on an individual’s exercise of a right in section 203(a)(3); or
(6) prohibit a covered entity from declining to provide a product or service insofar as the collection and processing of covered data is strictly necessary for such product or service.
(c) BONA FIDE LOYALTY PROGRAM DEFINED.—For purposes of this section, the term ‘‘bona fide loyalty program’’ includes rewards, premium features, discount or club card programs.
SEC. 303. TECHNICAL COMPLIANCE PROGRAMS.
(a) IN GENERAL.—Not later than three years after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to establish a process for the proposal and approval of technical compliance programs under this section specific to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data.
(b) SCOPE OF PROGRAMS.—The technical compliance programs established under this section shall, with respect to a technology, product, service, or method used by a covered entity to collect, process, or transfer covered data (1) establish publicly available guidelines for compliance with this Act; and (2) meet or exceed the requirements of this Act.
Any request for approval, amendment, or repeal of a technical compliance program may be submitted to the Commission by any person, including a covered entity, a representative of a covered entity, an association of covered entities, or a public interest group or organization. Within 90 days after the request is made, the Commission shall publish the request and provide an opportunity for public comment on the proposal.
(2) EXPEDITED RESPONSE TO REQUESTS.— Beginning 1 year after the date of enactment of this Act, the Commission shall act upon a request for the proposal and approval of a technical compliance program not later than one year after the filing of the request, and shall set forth publicly in writing the conclusions of the Commission with regard to such request.
Prior to commencing an investigation or enforcement action against any covered entity under this Act, the Commission and State attorney general shall consider the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program. If such enforcement action described in section 403 is commenced, the covered entity’s history of compliance with any technical compliance program approved under this section and any action taken by the covered entity to remedy noncompliance with such program shall be taken into consideration when determining liability or a penalty.