II
117TH CONGRESS
1ST SESSION
S. 1444
To amend the Federal Trade Commission Act to establish requirements and
responsibilities for entities that use, store, or share personal information,
to protect personal information, and for other purposes.
IN THE SENATE OF THE UNITED STATES
APRIL 29, 2021
Mr. WYDEN introduced the following bill; which was read twice and referred
to the Committee on Finance
A BILL
To amend the Federal Trade Commission Act to establish
requirements and responsibilities for entities that use,
store, or share personal information, to protect personal
information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Mind Your Own Business Act of 2021’’.
SEC. 2. DEFINITIONS.
In this Act:
VerDate Sep 11 2014
02:22 Jun 03, 2021
Jkt 019200
PO 00000
Frm 00001
Fmt 6652
Sfmt 6201
E:\BILLS\S1444.IS
S1444
pbinns on DSKJLVW7X2PROD with BILLS
•S 1444 IS
(1) AUTOMATED DECISION SYSTEM.—The term ‘‘automated decision system’’ means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers.
(2) AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT.—The term ‘‘automated decision system impact assessment’’ means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes, at a minimum—
(A) a detailed description of the automated decision system, its design, its training, data, and its purpose;
(B) an assessment of the relative benefits and costs of the automated decision system in light of its purpose, taking into account relevant factors, including—
(i) data minimization practices;
(ii) the duration for which personal information and the results of the automated decision system are stored;
(iii) what information about the automated decision system is available to consumers;
(iv) the extent to which consumers have access to the results of the automated decision system and may correct or object to its results; and
(v) the recipients of the results of the automated decision system;
(C) an assessment of the risks posed by the automated decision system to the privacy or security of personal information of consumers and the risks that the automated decision system may result in or contribute to inaccurate, unfair, biased, or discriminatory decisions impacting consumers; and
(D) the measures the covered entity will employ to minimize the risks described in subparagraph (C), including technological and physical safeguards.
(3) COMMISSION.—The term ‘‘Commission’’ means Federal Trade Commission.
(4) CONSUMER.—The term ‘‘consumer’’ means an individual.
(5) COVERED ENTITY.—The term ‘‘covered entity’’—
(A) means any person, partnership, or corporation over which the Commission has jurisdiction under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)) that—
(i) had greater than $50,000,000 in average annual gross receipts for the 3-taxable-year period preceding the most recent fiscal year, as determined in accordance with paragraphs (2) and (3) of section 448(c) of the Internal Revenue Code of 1986;
(ii) possesses or controls personal information on more than—
(I) 1,000,000 consumers; or
(II) 1,000,000 consumer devices;
(iii) is substantially owned, operated, or controlled by a person, partnership, or corporation that meets the requirements under clauses (i) or (ii); or
(iv) is a data broker or other commercial entity that, as a substantial part of their business, collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.
(6) DATA PROTECTION IMPACT ASSESSMENT.—The term ‘‘data protection impact assessment’’ means a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes.
(7) EXECUTIVE CAPACITY.—The term ‘‘executive capacity’’ means an assignment within an organization in which the employee primarily—
(A) directs the management of the organization or a major component or function of the organization;
(B) establishes the goals and policies of the organization, component, or function;
(C) exercises wide latitude in discretionary decision-making; and
(D) receives only general supervision or direction from higher level executives, the board of directors, or stockholders of the organization.
(8) HIGH-RISK AUTOMATED DECISION SYSTEM.—The term ‘‘high-risk automated decision system’’ means an automated decision system that—
(A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the automated decision system, poses a significant risk—
(i) to the privacy or security of personal information of consumers; or
(ii) of resulting in or contributing to inaccurate, unfair, biased, or discriminatory decisions impacting consumers;
(B) makes decisions, or facilitates human decision making, based on systematic and extensive evaluations of consumers, including attempts to analyze or predict sensitive aspects of their lives, such as their work performance, economic situation, health, personal preferences, interests, behavior, location, or movements, that—
(i) alter legal rights of consumers; or
(ii) otherwise significantly impact consumers;
(C) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;
(D) systematically monitors a large, publicly accessible physical place; or
(E) meets any other criteria established by the Commission in regulations issued under section 7(b)(1).
(9) HIGH-RISK INFORMATION SYSTEM.—The term ‘‘high-risk information system’’ means an information system that—
(A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers;
(B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;
(C) systematically monitors a large, publicly accessible physical place; or
(D) meets any other criteria established by the Commission in regulations issued under section 7(b)(1).
(10) INFORMATION SYSTEM.—The term ‘‘information system’’—
(A) means a process, automated or not, that involves personal information, such as the collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, sharing, disclosure, dissemination, combination, restriction, erasure, or destruction of personal information; and
(B) does not include automated decision systems.
(11) JOURNALISM.—The term ‘‘journalism’’ means the gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or publishing of news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public.
(12) PERSONAL INFORMATION.—The term ‘‘personal information’’ means any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.
(13) SHARE.—The term ‘‘share’’—
(A) means the actions of a person, partnership, or corporation transferring information to another person, partnership, or corporation; and
(B) includes actions to knowingly—
(i) share, exchange, transfer, sell, lease, rent, provide, disclose, or otherwise permit access to information;
(ii) enable or facilitate the collection of personal information by a third party; or
(iii) use personal information substantially at the direction of or substantially for the benefit of a third party.
(14) STORE.—The term ‘‘store’’—
(A) means the actions of a person, partnership, or corporation to retain information; and
(B) includes actions to store, collect, assemble, possess, control, or maintain information.
(15) THIRD PARTY.—The term ‘‘third party’’ means any person, partnership, or corporation that is not—
(A) the person, partnership, or corporation, whether a covered entity or not, that is sharing the personal information;
(B) solely performing an outsourced function of the person, partnership, or corporation sharing the personal information if—
(i) the person, partnership, or corporation is contractually or legally prohibited from using, storing, or sharing the personal information after the conclusion of the outsourced function; and
(ii) the person, partnership, or corporation is complying with regulations promulgated under subparagraphs (A) and (B) of section 7(b)(1), regardless of whether the person, partnership, or corporation is a covered entity; or
(C) a person, partnership, or corporation for whom the consumer gave opt-in consent for the covered entity to disclose the personal information of the consumer.
(16) USE.—The term ‘‘use’’ means the actions of a person, partnership, or corporation in using information, including actions to use, process, or access information.
SEC. 3. NONECONOMIC INJURY.
The first sentence of section 5(n) of the Federal Trade Commission Act (15 U.S.C. 45(n)) is amended by inserting ‘‘, including those involving noneconomic impacts and those creating a significant risk of unjustified exposure of personal information,’’ after ‘‘cause substantial injury’’.
SEC. 4. CIVIL PENALTY AUTHORITY.
Section 5 of the Federal Trade Commission Act (15 U.S.C. 45) is amended—
(1) in subsection (b)—
(A) in the fifth sentence, by inserting ‘‘, and it may, in its discretion depending on the nature and severity of the violation, include in the cease and desist order an assessment of a civil penalty, which shall be not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year’’ before the period at the end;
(2) in subsection (l)—
(A) in the first sentence, by striking ‘‘of not more than $10,000 for each violation’’ and inserting ‘‘, which shall be not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year’’; and
(3) in subsection (m)(1)—
(A) in subparagraph (A), in the second sentence, by striking ‘‘of not more than $10,000 for each violation’’ and inserting ‘‘, which shall be not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year’’; and
(B) in subparagraph (B), in the matter following paragraph (2), by striking ‘‘of not more than $10,000 for each violation’’ and inserting ‘‘, which shall be not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year’’.
SEC. 5. ANNUAL DATA PROTECTION REPORTS.
(a) REPORTS.—
(1) IN GENERAL.—Each covered entity that has not less than $1,000,000,000 per year in revenue and stores, shares, or uses person
[Text truncated for display. Full text available on Congress.gov.]