MHoC Bill Archive

B1002 Internet Privacy Bill

ThreeCommasClub

No issues were flagged with this Bill, and it has been marked as successfully archived.
**A BILL TO**

Ensure that personal data collected by online services are handled with accountability and transparency.

*"BE IT ENACTED by the Queen’s Most Excellent Majesty, by and with the advice and consent of the Lords, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—"*

**Section 1: Definitions**

(1) A covered entity is defined as any online service, including but not limited to sites and apps, that has more than 5 million pounds in revenue.

(2) Covered data is defined as any personal data collected from users by a covered entity.

(3) Third-party is defined as any entity outside of the original data collector that receives, stores or processes covered data.

(4) Opt-in is defined as allowing the user to take affirmative action to offer their consent for data collection, such as a checkmark box.

(5) The authority refers to the Information Commissioner's Office (ICO).

**Section 2: Data Gathering Policies**

(1) Within one year of this Act receiving royal assent, all covered entities must:

(a) Provide clear notice of all data gathering practices in a clear and concise manner to users.

(b) Provide all users with a clear affirmative opt-in notice prior to any information gathering.

(c) Provide clear notice of the entity’s privacy practices in a clear and conspicuous manner.

(2) All covered entities must provide a full report upon request to the user consisting at least of:

(a) All covered data that has been collected by the entity on the user.

(b) Why their data was collected and how their covered data was used.

(c) A history of all third parties that purchased or otherwise had access to the user’s collected covered data.

(d) An option to delete the user’s account and/or covered data permanently from the entity’s storage.

(e) If any of the above data is not known or available to the covered entity, they do not have to provide it, and shall notify users that they cannot provide the data.

(3) A covered entity shall not discriminate against a user because of any action the user took under their rights as described in Section 2, subsection 2, including but not limited to:

(a) Denying goods or services to the individual.

(b) Charging, or advertising, different prices or rates for goods or services.

(c) Providing different quality of goods or services.

(4) In the event that the user deletes data that is necessary to running a service under subsection 2, the covered entity will not be in breach of this Act if it denies a service to the user.

**Section 3: Privacy Breaches**

(1) In the case of a breach where a covered entity has their covered data hacked or improperly accessed, they must:

(a) At the earliest possible time, notify all users who had their data improperly accessed.

(b) Inform users of what covered data was compromised and the circumstances, with at least the following information:

(i) Who accessed their covered data.

(ii) When the data was compromised and how many times it was accessed.

(iii) How the data was able to be compromised.

(iv) What action(s) the entity will be taking to better protect their covered data, if any at all.

(c) If the information required by paragraph (b) is not known by the covered entity, they are exempt from being mandated to provide it.

**Section 4: Enforcement**

(1) The authority shall be responsible for enforcing this Act and ensuring covered entities are upholding their responsibility to provide clear notice as outlined in Section 2.

(2) The authority shall set up an online hotline for receiving complaints about covered entities in violation of this Act.

(a) Within 90 days of a complaint being received, an investigation must have begun.

(b) Within 90 days, the complainant shall receive a written response on the state of the investigation back from the authority.

(c) The authority shall have the power to fine entities found in violation of this Act in accordance with the scope of their offense, with fines for a single offense not exceeding one million pounds.

**Section 5: Extent, commencement, and short title**

(1) This Act shall extend to England and Wales.

(2) This Act shall come into force 180 days after receiving Royal Assent.

(3) This Act may be cited as the Internet Privacy Act of 2020.