
US Data Care Act 2023 (As Introduced To Congress)

This bill proposes to establish duties for online service providers regarding the collection and use of end user data. It would require providers to reasonably secure user data from unauthorized access and inform users of any breaches involving sensitive data. It would also prohibit providers from using user data in ways that benefit the provider over the user or could harm the user. Providers could not disclose or sell user data unless contractual protections are in place. The Federal Trade Commission would be allowed to further define these duties and exempt some providers or data types through rulemaking.

LYN23143 XV8 S.L.C.

S. ____
118TH CONGRESS
1ST SESSION

To establish duties for online service providers with respect to end user data that such providers collect and use.

IN THE SENATE OF THE UNITED STATES

__________
Mr. SCHATZ (for himself, Ms. CORTEZ MASTO, Mr. MERKLEY, Ms. WARREN, Mr. BENNET, Mr. MURPHY, Ms. HIRONO, Ms. KLOBUCHAR, Ms. BALDWIN, Mr. KING, Ms. HASSAN, Mr. SANDERS, Mr. MARKEY, Mr. BOOKER, Ms. DUCKWORTH, Ms. SMITH, Mr. LUJÁN, and Mr. HEINRICH) introduced the following bill; which was read twice and referred to the Committee on __________

A BILL
To establish duties for online service providers with respect to end user data that such providers collect and use.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Data Care Act of 2023”.

SEC. 2. DEFINITIONS.

In this Act:
(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.
(2) END USER.—The term “end user” means an individual who engages with an online service provider or logs into or uses services provided by the online service provider over the internet or any other digital network.
(3) INDIVIDUAL IDENTIFYING DATA.—The term “individual identifying data” means any data that is—
(A) collected over the internet or any other digital network; and
(B) linked, or reasonably linkable, to—
(i) a specific end user; or
(ii) a computing device that is associated with or routinely used by an end user.
(4) ONLINE SERVICE PROVIDER.—The term “online service provider” means an entity that—
(A) is engaged in interstate commerce over the internet or any other digital network; and
(B) in the course of business, collects individual identifying data about end users, including in a manner that is incidental to the business conducted.
(5) SENSITIVE DATA.—The term “sensitive data” means any data that includes—
(A) a social security number;
(B) personal information (as defined in section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501)) collected from a child (as defined in such section 1302);
(C) a driver’s license number, passport number, military identification number, or any other similar number issued on a government document used to verify identity;
(D) a financial account number, credit or debit card number, or any required security code, access code, or password that is necessary to permit access to a financial account of an individual;
(E) unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation;
(F) information sufficient to access an account of an individual, such as user name and password or email address and password;
(G) the first and last name of an individual, or first initial and last name, or other unique identifier in combination with—
(i) the month, day, and year of birth of the individual;
(ii) the maiden name of the mother of the individual; or
(iii) the past or present precise geolocation of the individual;
(H) information that relates to—
(i) the past, present, or future physical or mental health or condition of an individual; or
(ii) the provision of health care to an individual; and
(I) the nonpublic communications or other nonpublic user-created content of an individual.

SEC. 3. PROVIDER DUTIES.

(a) IN GENERAL.—An online service provider shall fulfill the duties of care, loyalty, and confidentiality under paragraphs (1), (2), and (3), respectively, of subsection (b).
(b) DUTIES.—
(1) DUTY OF CARE.—An online service provider shall—
(A) reasonably secure individual identifying data from unauthorized access; and
(B) subject to subsection (d), promptly inform an end user of any breach of the duty described in subparagraph (A) of this paragraph with respect to sensitive data of that end user.
(2) DUTY OF LOYALTY.—An online service provider may not use individual identifying data, or data derived from individual identifying data, in any way that—
(A) will benefit the online service provider to the detriment of an end user; and
(B)(i) will result in reasonably foreseeable and material physical or financial harm to an end user; or
(ii) would be unexpected and highly offensive to a reasonable end user.
(3) DUTY OF CONFIDENTIALITY.—An online service provider—
(A) may not disclose or sell individual identifying data to, or share individual identifying data with, any other person except as consistent with the duties of care and loyalty under paragraphs (1) and (2), respectively;
(B) may not disclose or sell individual identifying data to, or share individual identifying data with, any other person unless that person enters into a contract with the online service provider that imposes on the person the same duties of care, loyalty, and confidentiality toward the applicable end user as are imposed on the online service provider under this subsection; and
(C) shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, individual identifying data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (B), including by auditing, on a regular basis, the data security and data information practices of any such person.
(c) APPLICATION OF DUTIES TO THIRD PARTIES.—If an online service provider transfers or otherwise provides access to individual identifying data to another person, the requirements of paragraphs (1), (2), and (3) of subsection (b) shall apply to such person with respect to such data in the same manner that such requirements apply to the online service provider.
(d) EXPANSION OF DUTY TO INFORM REGARDING BREACHES.—The Commission may promulgate regulations under section 553 of title 5, United States Code, to apply the breach notification requirement under subsection (b)(1)(B) with respect to specific categories of individual identifying data other than sensitive data, as the Commission determines necessary.
(e) EXCEPTIONS.—
(1) REGULATIONS.—The Commission may promulgate regulations under section 553 of title 5, United States Code, to exempt categories of online service providers or persons described in subsection (c) from the requirement under subsection (a) or subsection (c) (as applicable).
(2) CONSIDERATIONS.—In promulgating regulations under paragraph (1), the Commission shall consider, among other factors—
(A) the privacy risks posed by the use of individual identifying data by an online service provider or person described in subsection (c) based on—
(i) the size of the provider or person;
(ii) the complexity of the offerings of the provider;
(iii) the nature and scope of the activities of the provider or person; and
(iv) the sensitivity of the consumer information handled by the provider or person; and
(B) the costs and benefits of applying the requirement under subsection (a) or subsection (c) (as applicable) to online service providers or persons with particular combinations of characteristics considered under subparagraph (A) of this paragraph.

SEC. 4. ENFORCEMENT.

(a) ENFORCEMENT BY COMMISSION.—
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of section 3 by an online service provider or a person described in section 3(c) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) POWERS OF COMMISSION.—
(A) IN GENERAL.—Except as provided in subparagraph (C), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
(B) PRIVILEGES AND IMMUNITIES.—Except as provided in subparagraph (C), any person who violates section 3 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(C) NONPROFIT ORGANIZATIONS AND COMMON CARRIERS.—Notwithstanding section 4 or 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2)) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in subparagraphs (A) and (B) of this paragraph, with respect to—
(i) organizations not organized to carry on business for their own profit or that of their members; and
(ii) common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).
(3) RULEMAKING AUTHORITY.—The Commission shall promulgate regulations under this Act in accordance with section 553 of title 5, United States Code.
(b) ENFORCEMENT BY STATES.—
(1) AUTHORIZATION.—Subject to paragraph (3), in any case in which the attorney general of a State has reason to believe that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of an online service provider or a person described in section 3(c) in a practice that violates section 3, the attorney general of the State may, as parens patriae, bring a civil action against the online service provider or person on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief, including civil penalties in the amount determined under paragraph (2).
(2) CIVIL PENALTIES.—An online service provider or person described in section 3(c) that is found, in an action brought under paragraph (1), to have knowingly or repeatedly violated section 3 shall, in addition to any other penalty otherwise applicable to a violation of section 3, be liable for a civil penalty equal to the amount calculated by multiplying—
(A) the greater of—
(i) the number of days during which the online service provider or person was not in compliance with that section; or
(ii) the number of end users who were harmed as a result of the violation, by
(B) an amount not to exceed the maximum civil penalty for which a person, partnership, or corporation may be liable under section 5(m)(1)(A) of the Federal Trade Commission Act (15 U.S.C. 45(m)(1)(A)) (including any adjustments for inflation).
(3) RIGHTS OF FEDERAL TRADE COMMISSION.—
(A) NOTICE TO FEDERAL TRADE COMMISSION.—
(i) IN GENERAL.—Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action.
(ii) CONTENTS.—The notification required under clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.
(iii) EXCEPTION.—If it is not feasible for the attorney general of a State to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
(B) INTERVENTION BY FEDERAL TRADE COMMISSION.—The Commission may—
(i) intervene in any civil action brought by the attorney general of a State under paragraph (1); and
(ii) upon intervening—
(I) be heard on all matters arising in the civil action; and
(II) file petitions for appeal of a decision in the civil action.
(4) INVESTIGATORY POWERS.—Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to—
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the production of documentary or other evidence.
(5) PREEMPTIVE ACTION BY FEDERAL TRADE COMMISSION.—If the Commission institutes a civil action or an administrative action with respect to a violation of section 3, the attorney general of a State may not, during the pendency of the action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission based on the same set of facts giving rise to the alleged violation with respect to which the Commission instituted the action.
(6) VENUE; SERVICE OF PROCESS.—
(A) VENUE.—Any action brought under paragraph (1) may be brought in—
(i) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
(ii) another court of competent jurisdiction.
(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—
(i) is an inhabitant; or
(ii) may be found.
(7) ACTIONS BY OTHER STATE OFFICIALS.—
(A) IN GENERAL.—In addition to civil actions brought by attorneys general under paragraph (1), any other consumer protection officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
(B) SAVINGS PROVISION.—Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.

SEC. 5. NONENFORCEABILITY OF CERTAIN PROVISIONS WAIVING RIGHTS AND REMEDIES.

The rights and remedies provided under this Act may not be waived or limited by contract or otherwise.

SEC. 6. RELATION TO OTHER PRIVACY AND SECURITY LAWS.

Nothing in this Act may be construed to—
(1) modify, limit, or supersede the operation of any privacy or security provision in any other Federal or State statute or regulation; or
(2) limit the authority of the Commission under any other provision of law.

SEC. 7. EFFECTIVE DATE.

(a) IN GENERAL.—This Act shall take effect on the date of enactment of this Act.
(b) APPLICABILITY.—Section 3 shall apply with respect to an online service provider or person described in section 3(c) on and after the date that is 180 days after the date of enactment of this Act.
