The Act aims to protect the personal data of all individuals residing in the U.S. and would apply to all businesses under the purview of the Federal Trade Commission as well as non-profits and common carriers. Small businesses are exempt from complying with an individual's right to access and rights to accuracy and correction. To qualify for the exemption, the business must:
Service providers (i.e., businesses that operate under a contract with the business from which they receive personal information) are exempt. However, at the end of the contract or service, the service provider must delete, de-identify, or return the personal data to the business with which it contracted.
The Act broadly defines personal data to mean information that "identifies or is linked or reasonably linkable to a specific person." This would include, but is not limited to, a consumer's real name, postal address, account name, email address, social security number, driver's license number, or passport number.
The Act would provide individuals with the right to:
The Act would require a business that collects personal data to:
Businesses may collect personal data without consent to the extent reasonably necessary and for a permissible purpose. The Act establishes the following permissible purposes: (1) provision of service or performance of a contract; (2) compliance with laws; (3) to prevent immediate danger to the personal safety of any individual (including to effectuate a product recall); (4) to prevent fraud and protect the security of the covered entity’s, service providers’, or individual’s rights, property, services, or information systems; (5) research performed by the covered entity or service provider (at the direction of the covered entity); and (6) the covered entity’s or service provider’s operational purposes.
The Act designates the Federal Trade Commission as the federal agency responsible for administering the Act and grants it rule-making authority. A business that violates the Act would be subject to civil penalties amounting to the number of individuals affected multiplied by an amount not to exceed $42,530. In considering the penalty, the following factors will be taken into account: (1) the degree of harm; (2) the intent of the business; (3) the size and complexity of the business; (4) the controls put in place by the business; (5) whether the business self-reported; and (6) the mitigation efforts of the business.
State Attorneys General may also commence a civil action in federal court on behalf of the residents of their state to the extent they have reason to believe that a business is engaging in an act or practice in violation of the Act that threatens the interests of residents.