Prohibits collecting, processing, maintaining, or disclosing personal information for behavioral personalization without consent. Requires annual consent renewals. Mandates non-personalized versions if consent is denied. Allows service denial if non-personalization is infeasible. Exempts small businesses.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding legislative statute from the United States Congress with mandatory obligations, enforcement mechanisms, and legal penalties for non-compliance.
The document has good coverage of approximately 3-4 subdomains, with strong focus on privacy compromise (2.1), loss of human agency and autonomy (5.2), and fraud/manipulation (4.3). Coverage is concentrated in privacy, human-computer interaction, and malicious actor domains related to behavioral personalization and data processing.
This legislation applies broadly across all sectors that collect and process personal information for behavioral personalization. The most heavily impacted sectors are Information (social media, data processing, telecommunications), Finance and Insurance (personalized financial services), Professional and Technical Services (marketing, IT consulting), and Health Care (personalized health services). The cross-sector applicability reflects the ubiquitous nature of behavioral personalization technologies.
The document primarily addresses the 'Deploy' and 'Operate and Monitor' stages of the AI lifecycle, focusing on how behavioral personalization systems must be deployed with consent mechanisms and monitored through annual consent renewals. It also implicitly covers the 'Build and Use Model' stage through restrictions on how personal information can be used to create and improve algorithms.
The document explicitly mentions algorithms and models designed for behavioral personalization but does not use specific AI terminology like 'AI systems', 'frontier AI', 'general purpose AI', or 'foundation models'. It focuses on behavioral personalization mechanisms regardless of the underlying technology type.
United States Congress
The document header explicitly identifies the United States Congress as the authority that created this legislative instrument.
No specific enforcement agency or body is named in this section. As a federal statute, enforcement would typically fall to federal regulatory agencies, but they are not specified in Section 106.
No specific monitoring body or oversight mechanism is identified in this section. Monitoring responsibilities would likely be specified in other sections of the broader Online Privacy Act of 2023.
covered entity; small businesses (exempted)
The document repeatedly references 'covered entity' as the regulated party that must comply with requirements regarding behavioral personalization. Small businesses are explicitly exempted from these requirements.
3 subdomains (2 Good, 1 Minimal)