Summary
Creates rules that give people control over their personal information online, letting them see, fix, and delete data companies have collected about them.
What problem does this solve?
Companies often collect and sell people's personal data without their full understanding or clear permission. This law gives individuals ownership of their data and sets strict rules on how companies can collect, use, and share it.
What does this bill do?
Establishes user data ownership
Declares that data is the property of the user who creates it, and the user keeps ownership even if the data is sold or leased with their permission.
Reference
Text:
Section:
Sec. 3(b)
Header:
Access to, and correction, deletion, and portability of, covered data
Grants rights to access, correct, and delete data
Requires companies to let users see the data collected about them, correct any mistakes, and delete it upon request within 90 days.
Allows individuals to sue companies
Gives any person the right to file a lawsuit against a large company for violating these data rules, with potential awards of $100 to $750 per violation.
Requires parental consent for minors' data
Prohibits companies from collecting, keeping, or sharing data of users under 18 years old without clear permission from a parent or guardian.
Limits data collection
Restricts companies to collecting and sharing only the information that is reasonably needed to provide a service the user has requested.
Bans tracking cookies without consent
Forbids companies from using tracking cookies on websites or mobile apps unless the user gives permission. Companies must provide the same service even if a user says no.
Sets data retention limits
Requires companies that collect a user's browsing history or biometric data (like face scans) to delete that data within 60 days.
Mandates simple privacy notices
Requires companies to provide a clear and easy-to-understand privacy notice that is 1,000 words or less.
Requires data breach notifications
Forces companies to promptly tell users about any data breach involving their information and provide help, such as credit monitoring services.
Prohibits retaliation against users
Forbids companies from providing worse service or higher prices to users who choose to exercise their data privacy rights under this law.
Who does this affect?
- Internet users
- Online companies and data brokers
- Advertisers
What is the real world impact?
•
Empowers individuals with data rights
Gives people the power to control their personal information by letting them access, correct, and delete data held by large online companies. This shifts the balance of power from corporations to consumers.
•
Restricts common business practices
Limits how companies can collect and sell user data, which is a major source of income for many tech companies. This could force changes to business models that rely on monetizing personal information.
•
Increases legal risk for companies
Creates new ways for companies to be sued. The Federal Trade Commission, state attorneys general, and even individuals can now take legal action against companies that violate these data rules, potentially leading to large fines.
When does this start?
Most rules would start right away, but companies have two years to create tools for users to directly delete their data.
User data deletion tools
Within 2 years of the law passing, companies must provide users with a way to directly delete their data.
Data access requests
Companies must respond to user requests for their data no later than 90 days after receiving the request.