Model Legislation Review
Comprehensive framework establishing personal data as individual property with infrastructure-agnostic sovereignty protections
Section 102: Core Definitions
(a) Personal Data (Foundation)
Any information that identifies, relates to, describes, or could reasonably be linked to an individual, including:
- Direct identifiers: name, SSN, driver's license, passport, government ID
- Contact information: address, phone, email, IP address
- Biometric data: as specially defined in Section 102(b)
- Behavioral data: browsing history, search queries, purchase history, app usage, location history
- Financial data: income, transactions, credit history, account numbers
- Health data: medical records, diagnoses, prescriptions, vital signs, genetic information
- Communications: content and metadata of messages, calls, emails
- Environmental data: smart home activity, IoT device data, vehicle telemetry
- Inferred data: profiles, predictions, scores, categories derived from personal data
(b) Biometric Data (Highest Protection)
Special class of personal data consisting of: fingerprints, facial geometry, voice prints, iris/retinal scans, cardiac rhythm, gait patterns, vein patterns, DNA, behavioral biometrics (typing patterns, gestures), and any physiological or behavioral characteristic used for identification.
(c) Personal Data Authority (PDA) (Key Infrastructure)
A registered system, designated by an individual, serving as the sole point of contact for consent queries. Four options:
- Hardware owned and operated by the individual
- Rented server space with encryption keys held solely by individual
- Certified public utility provider
- Certified private provider meeting Title VII standards
Section 104: International Data Transfers
Personal data may not be transferred outside jurisdiction unless:
- Recipient jurisdiction has equivalent protections (certified by Commission)
- Individual grants explicit consent with clear disclosure of reduced protections
- Transfer uses approved binding contractual safeguards
Reciprocity clause: Jurisdictions adopting substantially equivalent laws receive streamlined recognition.
Section 105: Data Broker Prohibition (Complete Ban)
Data broker activities prohibited entirely. Existing brokers must cease operations within 24 months. Violation constitutes Tier 3 violation with maximum penalties.
Section 201: Right to Data Ownership (Foundational)
Personal data is the legal property of the individual. Property rights are:
- Inalienable: cannot be permanently transferred or waived
- Inheritable: pass to designated beneficiary or estate upon death
- Divisible: consent may be granted for specific uses while retaining ownership
Section 202: Right to Access
Within 14 days, covered entities must provide: complete copy of all personal data, source of each element, all parties with whom shared, purposes of use, any inferred data or profiles, and storage duration. Must be in machine-readable, portable format at no cost.
Section 203: Right to Deletion
Entities must delete all personal data within 30 days, direct all processors and third parties to delete, confirm deletion in writing, and purge from backups within 90 days. Limited exceptions for pending legal proceedings and legitimate tax/accounting records.
Section 205: Right to Deny Collection
Absolute right to deny for any reason
Denial of consent cannot result in:
- Denial of essential services (utilities, healthcare, government, banking, employment)
- Discriminatory pricing or terms
- Reduced service quality for non-data-dependent features
- Retaliation of any kind
Section 206: Right to Consent Specificity
Consent must be:
- Specific: defined data types and purposes
- Informed: plain language explanation
- Revocable: withdrawal at any time with immediate effect
- Time-limited: maximum 12 months, renewable
- Unbundled: separate consent for each purpose and category
Prohibited: blanket consent, pre-checked boxes, implied consent, and consent-by-continued-use; all are void.
Section 208: Algorithmic Transparency & Human Review
Right to human review of significant decisions (credit, employment, insurance, housing, benefits, education). Entities using AI/ML must disclose: whether AI processes data, training data sources, logic and weighting factors, and bias audit results. Right to opt out of AI/ML processing.
Section 209: Enhanced Children's Protections
Ages 13-17 may establish independent PDA with parental notification. Harmful categories (location tracking, behavioral profiling) require parental co-consent. Marketing and advertising targeting of minors prohibited regardless of consent.
Section 301: PDA Establishment (Core Infrastructure)
Every individual has the right to establish a PDA serving as the sole gateway for consent queries. PDA is recognized as the legal representative for all data consent matters. No entity may collect personal data without querying the registered PDA.
Section 303: Four Infrastructure Options
Option 1: Self-Owned Hardware
Hardware owned and physically controlled by individual, meeting security standards, with individual holding all encryption keys.
Option 2: Rented Sovereign Space
Server space leased from certified provider where encryption keys held solely by individual and provider cannot access data.
Option 3: Public Utility PDA
Operated by Commission or authorized public entity, available at no cost, with individual retaining full control of consent settings.
Option 4: Certified Private Provider
Private entity with fiduciary duty to individual, cannot monetize data, subject to audit and decertification.
Section 304: Consent Query Protocol
Commission establishes standardized protocol. All queries must include: legal identity of requester, specific data categories, specific purposes, proposed duration, third parties receiving data, and plain-language summary. Transmitted via encrypted channel with authenticated sender.
Section 306: Default Deny Principle (Critical Safeguard)
If PDA doesn't respond within 72 hours, response is legally deemed DENY. If individual has no registered PDA and cannot be contacted, deemed DENY. No entity may infer consent from silence or unrelated actions.
Section 309: Interoperability Requirements
All approved PDA infrastructure must implement open standards ensuring: communication with any covered entity, migration without data loss, portable consent records, no proprietary lock-in. Commission publishes open-source reference implementation.
Section 401: Special Classification (Highest Sensitivity)
Biometric data is the highest sensitivity category because it is:
- Immutable: cannot be changed if compromised
- Uniquely identifying: links irrevocably to one individual
- Increasingly essential: becoming the universal key to identity
- Irreversibly harmful if compromised
Section 402: Local-Only Storage Mandate (Absolute Requirement)
Biometric data stored ONLY on hardware owned and physically controlled by individual or designated agent under strict fiduciary duty.
Prohibited storage: cloud servers regardless of encryption, centralized databases, third-party processors, any system where encryption keys held by others.
Limited exception: Real-time authentication may transmit encrypted end-to-end, process in volatile memory only, with no retention beyond 30 seconds and immediate cryptographic erasure.
Section 403: Prohibition on Centralized Databases (Complete Ban)
No entity—government or private—may establish, maintain, or operate centralized biometric database of multiple individuals. Prohibited: aggregating templates, searchable repositories, cross-referencing across individuals, building identification systems querying centralized stores.
Existing databases: reported within 90 days, decentralized within 2 years.
Section 405: Consent Requirements
Requires: separate standalone consent, explicit written or recorded verbal consent, 24-hour waiting period, clear disclosure, and annual renewal (no auto-renewal). Revocation triggers immediate cessation and deletion certification within 24 hours.
Section 406: Prohibition on Coerced Collection
Cannot condition employment, housing, essential services, government services, education, or public accommodation on biometric collection. Alternative authentication must always be offered. Coerced consent is void.
Section 407: Breach Provisions
Any biometric breach is classified as Severe, with notification within 24 hours to individuals and the Commission, and public notification within 72 hours. Remediation: lifetime identity protection, compensation for re-enrollment, minimum $10,000 per individual plus actual and punitive damages.
Section 408: Prohibition on Biometric Surveillance
Passive biometric collection without prior consent prohibited, including: facial recognition in public spaces, gait analysis, ambient voice capture, any collection without individual's knowledge. Exception only for individual's own security on their own property or explicit opt-in with full Section 405 consent.
Section 501: Mandatory Query Before Collection
No entity may collect personal data without first querying the PDA and receiving GRANT response. Limited emergency exception for immediate threat to life: collection limited to necessary data, query within 24 hours, deletion within 48 hours if DENY received. National security and law enforcement require judicial process per Section 603.
Section 503: Data Minimization
May collect only: data explicitly granted, reasonably necessary for stated purpose, minimum required. Prohibited: collection beyond scope, "just in case" collection, bundled requests.
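The query-before-collection flow sketched in Sections 304, 306, 501 and 503 can be checked mechanically. The following is an added illustration, not the Commission's reference implementation or the CQP itself: the field names, the HMAC-based sender authentication, the reading that a GRANT arriving after the 72-hour window does not override the deemed DENY, and every sample value are assumptions made for this example.

```python
# Added example: a minimal consent-query check for the flow described in
# Sections 304, 306, 501 and 503. Not the Commission's reference
# implementation or the CQP; field names, the HMAC sender authentication,
# the "late GRANT still counts as DENY" reading of the 72-hour rule, and all
# sample values are assumptions made for this illustration.
import hashlib
import hmac
import json

RESPONSE_WINDOW_HOURS = 72      # Section 306: silence past this is deemed DENY
MAX_CONSENT_MONTHS = 12         # Section 206: consent is time-limited to 12 months

# Section 304: every query must carry these elements (names assumed here).
REQUIRED_FIELDS = (
    "requester_identity", "data_categories", "purposes",
    "duration_months", "third_parties", "plain_language_summary",
)

# Constructed sample query and sender key (not real values).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_QUERY = {
    "requester_identity": "Example Retail Co. (constructed)",
    "data_categories": ["email", "purchase_history"],
    "purposes": ["order fulfilment"],
    "duration_months": 12,
    "third_parties": ["Example Courier Ltd. (constructed)"],
    "plain_language_summary": "We use your email and orders to deliver your purchase.",
}


def validate_query(query: dict) -> list:
    """Return the Section 304/206 defects in a query; an empty list means well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in query]
    if problems:
        return problems
    if not query["data_categories"]:
        problems.append("data_categories must name at least one category")
    if not query["purposes"]:
        problems.append("purposes must name at least one purpose")
    if query["duration_months"] > MAX_CONSENT_MONTHS:
        problems.append("duration exceeds the 12-month maximum")
    return problems


def sign_query(query: dict, key: bytes) -> str:
    """Sender authentication over a canonical JSON encoding (assumed scheme, not the CQP's)."""
    canonical = json.dumps(query, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_query(query: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the PDA rejects forged or altered queries."""
    return hmac.compare_digest(sign_query(query, key), tag)


def resolve_response(hours_elapsed: float, pda_registered: bool,
                     response: str = None, responded_after_hours: float = None) -> str:
    """Section 306 decision logic. Returns GRANT, DENY or PENDING."""
    if not pda_registered:                      # no registered PDA and unreachable: DENY
        return "DENY"
    if response is None:                        # silence: DENY once the window closes
        return "DENY" if hours_elapsed >= RESPONSE_WINDOW_HOURS else "PENDING"
    if responded_after_hours is None or responded_after_hours > RESPONSE_WINDOW_HOURS:
        return "DENY"                           # late answer: the deemed DENY already stands
    return "GRANT" if response == "GRANT" else "DENY"


def may_collect(decision: str, granted_categories, requested_categories) -> bool:
    """Sections 501 and 503: collect only after GRANT and only the granted categories."""
    return decision == "GRANT" and set(requested_categories) <= set(granted_categories)


if __name__ == "__main__":
    tag = sign_query(SAMPLE_QUERY, SAMPLE_KEY)
    print("well-formed:", validate_query(SAMPLE_QUERY) == [])
    print("authentic:", verify_query(SAMPLE_QUERY, tag, SAMPLE_KEY))
    print("after 72h of silence:", resolve_response(72, True))
```

The three decision points map to the text directly: a query missing any Section 304 element is rejected before it reaches the individual, silence or an unreachable PDA resolves to DENY rather than to an inferred consent, and collection is permitted only for categories actually granted, which is the Section 503 scope check that stops "just in case" collection riding on a narrower GRANT.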
Section 506: Third-Party Sharing Restrictions (Critical)
Data may not be shared unless specific third party and purpose identified in original query and granted. Selling personal data is prohibited under all circumstances. Consent to sale is void as against public policy.
Section 508: Security Requirements
Must implement reasonable security including: encryption, access controls, security assessments, training, incident response. Failure constitutes negligence per se.
Section 510: Data Protection Officer
Required for entities: collecting from 10,000+ individuals, processing biometric/health/financial data, or exceeding $10M revenue. DPO must be independent with compliance oversight, reporting to executive leadership, protected from retaliation.
Section 601: Three-Tier Violation Structure
Tier 1 - Standard Violations
Failure to query, collection beyond consent, late responses, documentation deficiencies, privacy policy issues, DPO failures.
Tier 2 - Serious Violations
Collection after DENY, undisclosed purposes, unauthorized sharing, late breach notification, inadequate security, coerced consent, retaliation, obstruction.
Tier 3 - Severe Violations (Maximum Penalties)
Any biometric violation, selling data, centralized biometric database, biometric surveillance, repeated violations, falsified records, destroyed audit trails.
Section 602: Financial Penalties
- Tier 1: Up to $1,000 per individual or 1% revenue, doubled for repeats
- Tier 2: $5,000-$25,000 per individual or 4% revenue, trebled for repeats
- Tier 3: $25,000-$100,000 per individual or 10% revenue, quadrupled for repeats, $1M minimum
Phased introduction: Year 1 warning-first for Tier 1 with 90-day cure and 50% reduction for good faith. Year 2+ full penalties. No phase-in for Tier 3 or biometric.
Section 603: Government Entity Violations (No Immunity)
Government entities subject to same penalties paid from agency budget with equivalent reduction in subsequent fiscal year. Officials authorizing violations face personal fines up to $10,000; Tier 3 violations trigger removal proceedings. No qualified immunity. Law enforcement requires judicial warrant specifying exact data, served on PDA unless court-sealed.
Section 604: Executive and Officer Liability
Personal liability for CEO, CIO, CPO/DPO, board members who authorized, directed, or knowingly permitted violations.
- Tier 1: $10,000 fine
- Tier 2: $100,000 and 1-5 year suspension
- Tier 3: $500,000, permanent bar, criminal referral
Indemnification prohibited.
Section 605: Criminal Liability
- Misdemeanor (up to 1 year): Repeated Tier 2 after enforcement, obstruction, falsified documentation
- Felony (up to 5 years): Intentional centralized biometric database, biometric surveillance, selling biometrics, repeated Tier 3, identity theft
- Aggravated Felony (up to 10 years): 100,000+ individuals affected, targeting vulnerable populations, documented harm
Section 606: Private Right of Action
Individuals may bring civil action with statutory damages: $500-$5,000 (Tier 1); $5,000-$25,000 (Tier 2); $25,000-$100,000 (Tier 3), plus punitive damages up to 3x and injunctive relief. Prevailing plaintiff recovers attorney fees. Pre-dispute arbitration and class action waivers void. 4-year statute from discovery, 7-year absolute.
Section 608: Social and Public Accountability
- Violator Registry: Public searchable database, entries remain 10 years
- Public Disclosure: Tier 2/3 violators display prominent notice on website and physical locations for 1 year
- Compliance Ratings: Annual A-F ratings published and displayed at point of collection
- Executive Registry: Personally liable individuals listed 15 years or permanently if barred
- Mandatory Apology: Tier 3 violators must publish Commission-approved acknowledgment through marketing channels
Section 610: Whistleblower Protections
Protected activity includes reporting, participating in investigations, refusing violations, internal reporting. Remedies: reinstatement, back pay, compensatory damages, fees, and 10-30% bounty of penalties collected.
Section 701: Self-Owned Hardware Standards
Minimum standards: secure boot, tamper detection, AES-256 encryption, secure key management, automatic updates, audit logging, CQP compliance. Manufacturers may certify; individuals may self-certify via Commission testing tool. Open-source designs encouraged.
Section 704: Public Utility PDA Option (Universal Access)
Commission establishes Public Utility PDA: no-cost basic tier, accessible interface (ADA/WCAG 2.1 AA), multilingual, phone/in-person support.
Offline/unconnected populations: automatic enrollment after 24 months with default DENY ALL, paper-based consent available, Social Security/post offices as access points, home visits for homebound.
Funding: appropriation, nominal premium fees, capped per-query fees ($0.01), penalty revenue. Independent governance board with public meetings.
Section 705: Small Business Compliance Assistance
Free resources: compliance guide, templates, checklists, webinars. Technical assistance: free assessment under $1M revenue, subsidized $1-10M, compliance hotline.
Safe harbor: businesses under $500K/10 employees using approved templates immune from Tier 1 penalties (with cure), 50% reduced Tier 2. No safe harbor for Tier 3 or biometric.
Section 708: Interoperability and Open Standards
Open standards for CQP, PDA interfaces, portability formats, audit structure, biometric protocols. Patent-free, publicly available, open development, biennial review. Commission funds open-source reference implementation. No proprietary lock-in.
Section 709: Rural and Underserved Access
Low-bandwidth operation, offline capability, SMS options. Every county has in-person location, mobile units for remote areas. Subsidy: free hardware below 150% FPL, subsidized connectivity.
Section 713: Safe Harbor for Local-Only Architecture
Presumptive compliance for products/services where: all processing on user-controlled hardware, no external transmission except encrypted PDA queries, no cloud backup, user holds all keys, biometrics never leave device.
Benefits: reduced audit frequency, good-faith defense, certification mark eligibility. Does not shield intentional violations.
Section 801: Effective Dates
- Upon Enactment: Commission authority established, rulemaking activated, appropriations effective, criminal provisions effective
- 6 Months: PDA Registry operational, Public Utility basic functions, CQP published, certification applications accepted
- 12 Months: Registration opens, certified providers listed, small business resources available, education campaign launched, Violator Registry established
- 18 Months: Mandatory query for large entities ($50M+ revenue or 500K+ individuals), biometric protections fully effective, private right of action available
- 24 Months: Mandatory query for medium entities ($10-50M or 100K-500K individuals), full enforcement, government compliance required
- 36 Months: All covered entities, small business compliance with safe harbor, full Act in effect
Section 802: Existing Data Transition
12 months: inventory and submit summary. 18 months: notify individuals. 24 months: obtain retroactive consent via PDA or delete (default deletion if no response in 90 days).
Biometric databases: reported 90 days, plan 6 months, decentralized 24 months, deleted 30 months.
Section 809: Appropriations
- Year 1: $75M (Agency $15M, Registry/infrastructure $30M, Public Utility $20M, Education $10M)
- Year 2: $60M (Operations $35M, Enforcement $15M, Education $10M)
- Years 3-5: $50M annually
- Ongoing: $40M plus penalty revenue
- Accessibility subsidies: $10M annually (separate line)
Penalty revenue to dedicated fund for victim compensation, enforcement, education, accessibility.
Section 810: Agency Independence (Critical)
Establishes Personal Data Sovereignty Commission (PDSC): 5 commissioners, staggered 5-year terms, no more than 3 from same party, removal only for cause.
Independence: direct appropriation, independent litigation authority, no executive direction on enforcement.
Anti-capture: 5-year cooling-off for commissioners, 2-year for staff, no industry funding.
Section 811: Reciprocity
Jurisdictions adopting substantially equivalent data sovereignty laws receive: streamlined compliance recognition, expedited certification of their PDA providers, mutual enforcement cooperation agreements.