I 118TH CONGRESS 1ST SESSION H. R. 3045 To affirm user ownership of their data, prohibit entities from requiring the transfer or monetization of private data in exchange for services, prohibit the collection of third-party contact information without written consent, and for other purposes. IN THE HOUSE OF REPRESENTATIVES MAY 2, 2023 Mr. CLOUD introduced the following bill; which was referred to the Committee on Energy and Commerce A BILL To affirm user ownership of their data, prohibit entities from requiring the transfer or monetization of private data in exchange for services, prohibit the collection of third-party contact information without written consent, and for other purposes. Be it enacted by the Senate and House of Representa- 1 tives of the United States of America in Congress assembled, 2 SECTION 1. SHORT TITLE. 3 This Act may be cited as the ‘‘You Own the Data 4 Act’’ or ‘‘YODA’’. 5 SEC. 2. FINDINGS. 6 Congress finds the following: 7 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 2 •HR 3045 IH (1) Governments exist to protect individual 1 rights to life, liberty, and property. 2 (2) The protection of civil liberties, including 3 the rights to private property and privacy from un- 4 warranted searches and seizures, is one of the hall- 5 marks of a free society. 6 (3) It is appropriate for Congress to enact laws 7 to protect individuals from data collection by third 8 parties. 9 (4) Data is the property of the user, as the user 10 creates the data. 11 (5) A user maintains ownership of the data of 12 such user, even when such data is sold or leased 13 with the consent of such user. 14 (6) Technology should empower the individual 15 and the productivity of the individual. 16 (7) Individuals should have reasonable access to 17 and use of popularly available consumer technologies 18 without abdicating the rights of such individuals to 19 privacy and anonymity. 20 SEC. 3. PROHIBITION ON SHARING USER CONTACTS WITH- 21 OUT WRITTEN CONSENT AND CLARIFYING 22 USER ACCESS TO DATA. 23 (a) PROHIBITION ON ACCESS TO USER CONTACTS.— 24 It shall be unlawful for a covered entity to ask a user to 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 3 •HR 3045 IH share the contacts or information about the contacts of 1 the user unless the user and the contacts of the user con- 2 sent to such use in writing. 3 (b) ACCESS TO, AND CORRECTION, DELETION, AND 4 PORTABILITY OF, COVERED DATA.— 5 (1) IN GENERAL.—Subject to paragraphs (2) 6 and (3), a covered entity shall provide a user, imme- 7 diately or as quickly as possible and in no case later 8 than 90 days after receiving a verified request from 9 the user, with the ability to reasonably— 10 (A) access— 11 (i) if applicable, a list of each third 12 party and service provider to whom the 13 covered entity has transferred or shared 14 the covered data of the user; 15 (ii) the covered data of the user, or an 16 accurate representation of the covered data 17 of the user, including data aggregation 18 that is a readable summary, that is held or 19 has been processed by the covered entity or 20 any service provider of the covered entity; 21 and 22 (iii) if a covered entity transfers cov- 23 ered data, a description of the covered data 24 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 4 •HR 3045 IH that was transferred and the purpose for 1 which the third party requested the data; 2 (B) request that the covered entity— 3 (i) correct material inaccuracies or 4 materially incomplete information with re- 5 spect to the covered data of the user that 6 is maintained by the covered entity; 7 (ii) delete or de-identify covered data 8 of the user that is or has been maintained 9 by the covered entity; 10 (iii) notify any service provider or 11 third party to which the covered entity 12 transferred such covered data of the cor- 13 rected information; and 14 (iv) provide contact information to the 15 user of any service provider or third party 16 that the covered data of the user was 17 transferred to so that the user may make 18 requests described in this subparagraph; 19 and 20 (C) to the extent that is technically fea- 21 sible, provide covered data of the user that is or 22 has been generated and submitted to the cov- 23 ered entity by the user and maintained by the 24 covered entity in a portable, structured, and 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 5 •HR 3045 IH machine-readable format that is not subject to 1 licensing restrictions. 2 (2) FREQUENCY AND COST OF ACCESS.—A cov- 3 ered entity shall— 4 (A) provide a user with the opportunity to 5 exercise the rights described in paragraph (1) 6 not less than twice in any 12-month period; and 7 (B) fulfill the responsibilities described in 8 paragraph (1) free of charge. 9 (3) PROHIBITION ON RETALIATION.—A covered 10 entity shall provide the same quality of goods or 11 services, at the same price or rate, regardless of 12 whether a user took an action described under para- 13 graph (1). 14 (4) RETENTION OF DATA.—A covered entity 15 that collects data on a user’s browsing history or bi- 16 ometric data and information shall delete the data 17 within 60 days after the date on which the data was 18 collected. 19 (c) DATA MINIMIZATION AND CONTEXTUALITY.— 20 (1) COLLECTION AND USE OF INFORMATION.— 21 A commercial data operator shall limit the collection 22 and sharing of information by the operator with 23 third parties to what is reasonably necessary to pro- 24 vide a service or conduct an activity that a consumer 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 6 •HR 3045 IH has requested or is reasonably necessary for fraud 1 prevention. 2 (2) RETENTION OF INFORMATION.—A commer- 3 cial data operator that collects the personal informa- 4 tion of a consumer shall limit the use and retention 5 of that information to what is reasonably necessary 6 to provide a service or conduct an activity that a 7 consumer has requested or a related operational pur- 8 pose. Any data collected or retained by a commercial 9 data operator solely for security or fraud prevention 10 may not be used for operational purposes. 11 (3) MONETIZATION.—Monetization of personal 12 information shall not be considered reasonably nec- 13 essary to provide a service or conduct an activity 14 that a consumer has requested or reasonably nec- 15 essary for security or fraud prevention. 16 (d) CONSUMER CHOICE AND CONTROL.— 17 (1) COMMERCIAL DATA OPERATOR.—A com- 18 mercial data operator shall provide a prominently 19 and conspicuously displayed icon a user may click to 20 opt out of data collection on every unique website, 21 mobile application, or computer application. 22 (2) COVERED ENTITIES.—Within 2 years after 23 the date of the enactment of this Act, a covered enti- 24 ty shall take reasonable steps, taking account of 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 7 •HR 3045 IH available technology, to provide users the ability to 1 directly delete the covered data collected by the cov- 2 ered entity. 3 (e) DEFAULT SETTINGS.—A covered entity may re- 4 quire, through terms of service or otherwise, that a user 5 must consent to the transfer of covered data in order to 6 use the service of the covered entity. 7 (f) POLICIES REGARDING DATA FROM MINORS.—A 8 covered entity may not collect, retain, or transfer the cov- 9 ered data of a user to a third party without affirmative 10 consent from the parent or guardian of the user if the 11 user is below the age of 18 years old, where technically 12 feasible. 13 (g) PROHIBITION ON TRACKING COOKIES WITHOUT 14 USER CONSENT.—A commercial data operator— 15 (1) unless authorized by the user, may not 16 track cookies, including on mobile applications; and 17 (2) shall provide the same services to users who 18 do not authorize tracking cookies. 19 (h) TRANSPARENCY.— 20 (1) PRIVACY NOTICE.—A covered entity shall 21 provide users with a clear, comprehensible, accurate, 22 and continuously available privacy notice that— 23 (A) describes in detail the information col- 24 lected by the operator, how that information 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 8 •HR 3045 IH would be used, and whether the information 1 would be sold or shared with any third party; 2 and 3 (B) is 1,000 words or less. 4 (2) REPORT ON USE OF INFORMATION RE- 5 QUIRED.—If a user allows a commercial data oper- 6 ator to sell the covered data of the user, the com- 7 mercial data operator shall provide the user with an 8 annual report regarding the types of third parties 9 with whom data has been shared. The report shall 10 include a description of what information has been 11 shared, for what purpose information is shared, and 12 a list of each third party that receives data. 13 (i) DATA SECURITY AND BREACH NOTIFICATION.— 14 A covered entity shall notify each user in a timely manner 15 of any data breach with respect to the information of the 16 user and provide any remedy to compensate the user for 17 the breach of their information, including a credit protec- 18 tion service, fraud alert, and credit monitoring through 19 credit reporting agencies. 20 (j) ENFORCEMENT.— 21 (1) ENFORCEMENT BY THE FEDERAL TRADE 22 COMMISSION.— 23 (A) UNFAIR OR DECEPTIVE ACTS OR PRAC- 24 TICES.—A violation of this section shall be 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 9 •HR 3045 IH treated as a violation of a regulation under sec- 1 tion 18(a)(1)(B) of the Federal Trade Commis- 2 sion Act (15 U.S.C. 57a(a)(1)(B)) regarding 3 unfair or deceptive acts or practices. 4 (B) POWERS OF COMMISSION.—The Com- 5 mission shall enforce this section in the same 6 manner, by the same means, and with the same 7 jurisdiction, powers, and duties as though all 8 applicable terms and provisions of the Federal 9 Trade Commission Act (15 U.S.C. 41 et seq.) 10 were incorporated into and made a part of this 11 Act. Any person who violates this section shall 12 be subject to the penalties and entitled to the 13 privileges and immunities provided in the Fed- 14 eral Trade Commission Act. 15 (2) EFFECT ON OTHER LAWS.—Nothing in this 16 section shall be construed in any way to limit the 17 authority of the Commission under any other provi- 18 sion of law or to limit the application of any Federal 19 or State law. 20 (3) ENFORCEMENT BY STATE ATTORNEYS GEN- 21 ERAL.— 22 (A) IN GENERAL.—If the chief law en- 23 forcement officer of a State, or an official or 24 agency designated by a State, has reason to be- 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 10 •HR 3045 IH lieve that any person has violated or is violating 1 this section, the attorney general, official, or 2 agency of the State, in addition to any author- 3 ity it may have to bring an action in State 4 court under its consumer protection law, may 5 bring a civil action in any appropriate United 6 States district court or in any other court of 7 competent jurisdiction, including a State court, 8 to— 9 (i) enjoin further such violation by 10 such person; 11 (ii) enforce compliance with this sec- 12 tion; 13 (iii) obtain civil penalties; and 14 (iv) obtain damages, restitution, or 15 other compensation on behalf of residents 16 of the State. 17 (B) NOTICE AND INTERVENTION BY THE 18 FEDERAL TRADE COMMISSION.—The attorney 19 general of a State shall provide prior written 20 notice of any action under subparagraph (A) to 21 the Commission and provide the Commission 22 with a copy of the complaint in the action, ex- 23 cept in any case in which such prior notice is 24 not feasible, in which case the attorney general 25 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00010 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 11 •HR 3045 IH shall serve such notice immediately upon insti- 1 tuting such action. The Commission shall have 2 the right— 3 (i) to intervene in the action; 4 (ii) upon so intervening, to be heard 5 on all matters arising therein; and 6 (iii) to file petitions for appeal. 7 (C) LIMITATION ON STATE ACTION WHILE 8 FEDERAL ACTION IS PENDING.—If the Commis- 9 sion has instituted a civil action for violation of 10 this section, no State attorney general, or offi- 11 cial or agency of a State, may bring an action 12 under this paragraph during the pendency of 13 that action against any defendant named in the 14 complaint of the Commission for any violation 15 of this section alleged in the complaint. 16 (4) PRIVATE RIGHT OF ACTION.— 17 (A) IN GENERAL.—Any individual alleging 18 a violation of this section or a regulation pro- 19 mulgated under this section may bring a civil 20 action in any Federal or State court of com- 21 petent jurisdiction against a covered entity that 22 has global annual gross revenues of at least 23 $50,000,000. 24 VerDate Sep 11 2014 23:19 May 17, 2023 Jkt 039200 PO 00000 Frm 00011 Fmt 6652 Sfmt 6201 E:\BILLS\H3045.IH H3045 pbinns on DSKJLVW7X2PROD with $$_JOB 12 •HR 3045 IH (B) RELIEF.—In a civil action brought 1 under subparagraph (A) in which the plaintiff 2 prevails, the court may award— 3 (i) $100 to $750 per violation; 4 (ii) reasonable attorney’s fees and liti- 5 gation costs; and 6 (iii) any other relief, including equi- 7 table or declaratory relief, that the court 8 determines appropriate. 9 (k) DEFINITIONS.—In this section: 10 (1) COMMERCIAL DATA OPERATOR.—The term 11 ‘‘commercial data operator’’ means an entity acting 12 in its capacity as a consumer online services provider 13 or data broker that— 14 (A) generates a material amount of rev- 15 enue from the use, collection, processing, sale, 16 or sharing of data generated by a user; and 17 (B) has more than 100,000,000 unique 18 monthly visitors or users in the United States 19 for a majority of months during the previous 1- 20 year period. 21 (2) COMMISSION.—The term ‘‘Commission’’ 22 means the Federal Trade Commission. 23 [Text truncated for display. Full text available on Congress.gov.]