[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 2201 Reported in Senate (RS)]
Calendar No. 551
107th CONGRESS
2d Session
S. 2201
[Report No. 107-240]
To protect the online privacy of individuals who use the Internet.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 18, 2002
Mr. Hollings (for himself, Mr. Stevens, Mr. Burns, Mr. Inouye, Mr.
Rockefeller, Mr. Kerry, Mr. Breaux, Mrs. Carnahan, Mr. Cleland, Mr.
Nelson of Florida, and Mr. Torricelli) introduced the
following bill; which was read twice and referred to the Committee on
Commerce, Science, and Transportation
August 1, 2002
Reported by Mr. Hollings, with an amendment
[Strike all after the enacting clause and insert the part printed in
italic]
_______________________________________________________________________
A BILL
To protect the online privacy of individuals who use the Internet.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Online Personal Privacy
Act''.</DELETED>
<DELETED>SEC. 2. TABLE OF CONTENTS.</DELETED>
<DELETED> The table of contents of this Act is as follows:</DELETED>
<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Table of contents.
<DELETED>Sec. 3. Findings.
<DELETED>Sec. 4. Preemption of State law or regulations.
<DELETED>Title I--Online Privacy Protection
<DELETED>Sec. 101. Collection, use, or disclosure of personally
identifiable information.
<DELETED>Sec. 102. Notice and consent requirements.
<DELETED>Sec. 103. Policy changes; privacy breach.
<DELETED>Sec. 104. Exceptions.
<DELETED>Sec. 105. Access.
<DELETED>Sec. 106. Security.
<DELETED>Title II--Enforcement
<DELETED>Sec. 201. Enforcement by Federal Trade Commission.
<DELETED>Sec. 202. Violation is unfair or deceptive act or practice.
<DELETED>Sec. 203. Private right of action.
<DELETED>Sec. 204. Actions by States.
<DELETED>Sec. 205. Whistleblower protection.
<DELETED>Sec. 206. No effect on other remedies.
<DELETED>Title III--Application to Congress and Federal Agencies
<DELETED>Sec. 301. Exercise of rulemaking power.
<DELETED>Sec. 302. Senate.
<DELETED>Sec. 303. Application to Federal agencies.
<DELETED>Title IV--Miscellaneous
<DELETED>Sec. 401. Definitions.
<DELETED>Sec. 402. Effective date.
<DELETED>Sec. 403. FTC rulemaking.
<DELETED>Sec. 404. FTC report.
<DELETED>Sec. 405. Development of automated privacy controls.
<DELETED>SEC. 3. FINDINGS.</DELETED>
<DELETED> The Congress finds the following:</DELETED>
<DELETED> (1) The right to privacy is a personal and
fundamental right worthy of protection through appropriate
legislation.</DELETED>
<DELETED> (2) Individuals engaging in and interacting with
companies engaged in interstate commerce have a significant
interest in their personal information, as well as a right to
control how that information is collected, used, or
transferred.</DELETED>
<DELETED> (3) Absent the recognition of these rights and the
establishment of consequent industry responsibilities to
safeguard those rights, the privacy of individuals who use the
Internet will soon be more gravely threatened.</DELETED>
<DELETED> (4) To the extent that States regulate, their efforts
to address Internet privacy will lead to a patchwork of
inconsistent standards and protections.</DELETED>
<DELETED> (5) Existing State, local, and Federal laws
provide minimal privacy protection for Internet
users.</DELETED>
<DELETED> (6) With the exception of Federal Trade Commission
enforcement of laws against unfair and deceptive practices, the
Federal Government thus far has eschewed general Internet
privacy laws in favor of industry self-regulation, which has
led to several self-policing schemes, none of which are
enforceable in any meaningful way or provide sufficient privacy
protection to individuals.</DELETED>
<DELETED> (7) State governments have been reluctant to enter
the field of Internet privacy regulation because use of the
Internet often crosses State, or even national,
boundaries.</DELETED>
<DELETED> (8) States are nonetheless interested in providing
greater privacy protection to their citizens as evidenced by
recent lawsuits brought against offline and online companies by
State attorneys general to protect the privacy of individuals
using the Internet.</DELETED>
<DELETED> (9) The ease of gathering and compiling personal
information on the Internet, both overtly and surreptitiously,
is becoming increasingly efficient and effortless due to
advances in digital communications technology which have
provided information gatherers the ability to compile
seamlessly highly detailed personal histories of Internet
users.</DELETED>
<DELETED> (10) Personal information flowing over the
Internet requires greater privacy protection than is currently
available today. Vast amounts of personal information,
including sensitive information, about individual Internet
users are collected on the Internet and sold or otherwise
transferred to third parties.</DELETED>
<DELETED> (11) Poll after poll consistently demonstrates
that individual Internet users are highly troubled over their
lack of control over their personal information.</DELETED>
<DELETED> (12) Market research demonstrates that tens of
billions of dollars in e-commerce are lost due to individual
fears about a lack of privacy protection on the
Internet.</DELETED>
<DELETED> (13) Market research demonstrates that as many as
one-third of all Internet users give false information about
themselves to protect their privacy, due to fears about a lack
of privacy protection on the Internet.</DELETED>
<DELETED> (14) Notwithstanding these concerns, the Internet
is becoming a major part of the personal and commercial lives
of millions of Americans, providing increased access to
information, as well as communications and commercial
opportunities.</DELETED>
<DELETED> (15) It is important to establish personal privacy
rights and industry obligations now so that individuals have
confidence that their personal privacy is fully protected on
the Internet.</DELETED>
<DELETED> (16) The social and economic costs of establishing
baseline privacy standards now will be lower than if Congress
waits until the Internet becomes more prevalent in our everyday
lives in coming years.</DELETED>
<DELETED> (17) Whatever costs may be borne by industry will
be significantly offset by the economic benefits to the
commercial Internet created by increased consumer confidence
occasioned by greater privacy protection.</DELETED>
<DELETED> (18) Toward the close of the 20th Century, as
individuals' personal information was increasingly collected,
profiled, and shared for commercial purposes, and as technology
advanced to facilitate these practices, the Congress enacted
numerous statutes to protect privacy.</DELETED>
<DELETED> (19) Those statutes apply to the government,
telephones, cable television, e-mail, video tape rentals, and
the Internet (but only with respect to children).</DELETED>
<DELETED> (20) Those statutes all provide significant
privacy protections, but neither limit technology nor stifle
business.</DELETED>
<DELETED> (21) Those statutes ensure that the collection and
commercialization of individuals' personal information is fair,
transparent, and subject to law.</DELETED>
<DELETED>SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.</DELETED>
<DELETED> This Act supersedes any State statute, regulation, or rule
regulating Internet privacy to the extent that it relates to the
collection, use, or disclosure of personally identifiable information
obtained through the Internet.</DELETED>
<DELETED>TITLE I--ONLINE PRIVACY PROTECTION</DELETED>
<DELETED>SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY
IDENTIFIABLE INFORMATION.</DELETED>
<DELETED> (a) In General.--An internet service provider, online
service provider, or operator of a commercial website on the Internet
may not collect personally identifiable information from a user, or use
or disclose personally identifiable information about a user, of that
service or website except in accordance with the provisions of this
Act.</DELETED>
<DELETED> (b) Application to Certain Third-Party Operators.--The
provisions of this Act applicable to internet service providers, online
service providers, and commercial website operators apply to any third
party, including an advertising network, that uses an internet service
provider, online service provider, or commercial website operator to
collect information about users of that service or website.</DELETED>
<DELETED>SEC. 102. NOTICE AND CONSENT REQUIREMENTS.</DELETED>
<DELETED> (a) Notice.--Except as provided in section 104, an
internet service provider, online service provider, or operator of a
commercial website may not collect personally identifiable information
from a user of that service or website online unless that provider or
operator provides clear and conspicuous notice to the user in the
manner required by this section for the kind of personally identifiable
information to be collected. The notice shall disclose--</DELETED>
<DELETED> (1) the specific types of information that will be
collected;</DELETED>
<DELETED> (2) the methods of collecting and using the
information collected; and</DELETED>
<DELETED> (3) all disclosure practices of that provider or
operator for personally identifiable information so collected,
including whether it will be disclosed to third
parties.</DELETED>
<DELETED> (b) Sensitive Personally Identifiable Information Requires
Opt-in Consent.--An internet service provider, online service provider,
or operator of a commercial website may not--</DELETED>
<DELETED> (1) collect sensitive personally identifiable
information online, or</DELETED>
<DELETED> (2) disclose or otherwise use such information
collected online, from a user of that service or
website,</DELETED>
<DELETED>unless the provider or operator obtains that user's
affirmative consent to the collection and disclosure or use of that
information before, or at the time, the information is
collected.</DELETED>
<DELETED> (c) Nonsensitive Personally Identifiable Information
Requires Robust Notice and Opt-out Consent.--An internet service
provider, online service provider, or operator of a commercial website
may not--</DELETED>
<DELETED> (1) collect personally identifiable information
not described in subsection (b) online, or</DELETED>
<DELETED> (2) disclose or otherwise use such information
collected online, from a user of that service or
website,</DELETED>
<DELETED>unless the provider or operator provides robust notice to the
user, in addition to clear and conspicuous notice, and has given the
user an opportunity to decline consent for such collection and use by
the provider or operator before, or at the time, the information is
collected.</DELETED>
<DELETED> (d) Initial Notice Only for Robust Notice.--An internet
service provider, online service provider, or operator of a commercial
website shall provide robust notice under subsection (c) of this
section to a user only upon its first collection of non-sensitive
personally identifiable information from that user, except that a
subsequent collection of additional or materially different non-
sensitive personally identifiable information from that user shall be
treated as a first collection of such information from that
user.</DELETED>
<DELETED> (e) Permanence of Consent.--</DELETED>
<DELETED> (1) In general.--The consent or denial of consent
by a user of permission to an internet service provider, online
service provider, or operator of a commercial website to
collect, disclose, or otherwise use any information about that
user for which consent is required under this Act--</DELETED>
<DELETED> (A) shall remain in effect until changed
by the user; and</DELETED>
<DELETED> (B) shall apply to the collection,
disclosure, or other use of that information by any
entity that is a commercial successor of, or legal
successor-in-interest to, that provider or operator,
without regard to the legal form in which such
succession was accomplished (including any entity that
collects, discloses, or uses such information as a
result of a proceeding under chapter 7 or chapter 11 of
title 11, United States Code, with respect to the
provider or operator).</DELETED>
<DELETED> (2) Exception.--The consent by a user to the
collection, disclosure, or other use of information about that
user for which consent is required under this Act does not
apply to the collection, disclosure, or use of that information
by a successor entity under paragraph (1)(B) if--</DELETED>
<DELETED> (A) the kind of information collected by
the successor entity about the user is materially
different from the kind of information collected by the
predecessor entity;</DELETED>
<DELETED> (B) the methods of collecting and using
the information employed by the successor entity are
materially different from the methods employed by the
predecessor entity; or</DELETED>
<DELETED> (C) the disclosure practices of the
successor entity are materially different from the
practices of the predecessor entity.</DELETED>
<DELETED>SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.</DELETED>
<DELETED> (a) Notice of Policy Change.--Whenever an internet service
provider, online service provider, or operator of a commercial website
makes a material change in its policy for the collection, use, or
disclosure of sensitive or nonsensitive personally identifiable
information, it--</DELETED>
<DELETED> (1) shall notify all users of that service or
website of the change in policy; and</DELETED>
<DELETED> (2) may not collect, disclose, or otherwise use
any sensitive or nonsensitive personally identifiable
information in accordance with the changed policy unless the
user has been afforded an opportunity to consent, or withhold
consent, to its collection, disclosure, or use in accordance
with the requirements of section 102(b) or (c), whichever is
applicable.</DELETED>
<DELETED> (b) Notice of Breach of Privacy.--</DELETED>
<DELETED> (1) In general.--If the sensitive or nonsensitive
personally identifiable information of a user of an internet
service provider, online service provider, or operator of a
commercial website--</DELETED>
<DELETED> (A) is collected, disclosed, or otherwise
used by the provider or operator in violation of any
provision of this Act, or</DELETED>
<DELETED> (B) the security, confidentiality, or
integrity of such information is compromised by a
hacker or other third party, or by any act or failure
to act of the provider or operator,</DELETED>
<DELETED>then the provider or operator shall notify all users
whose sensitive or nonsensitive personally identifiable
information was affected by the unlawful collection,
disclosure, use, or compromise. The notice shall describe the
nature of the unlawful collection, disclosure, use, or
compromise and the steps taken by the provider or operator to
remedy it.</DELETED>
<DELETED> (2) Delay of notification.--</DELETED>
<DELETED> (A) Action taken by individuals.--If the
compromise of the security, confidentiality, or
integrity of the information is caused by a hacker or
other external interference with the service or
website, or by an employee of the service or website,
the provider or operator may postpone issuing the
notice required by paragraph (1) for a reasonable
period of time in order to--</DELETED>
<DELETED> (i) facilitate the detection and
apprehension of the person responsible for the
compromise; and</DELETED>
<DELETED> (ii) take such measures as may be
necessary to restore the integrity of the
service or website and prevent any further
compromise of the security, confidentiality,
and integrity of such information.</DELETED>
<DELETED> (B) System failures and other functional
causes.--If the unlawful collection, disclosure, use,
or compromise of the security, confidentiality, and
integrity of the information is the result of a system
failure, a problem with the operating system, software,
or program used by the internet service provider,
online service provider, or operator of the commercial
website, or other non-external interference with the
service or website, the provider or operator may
postpone issuing the notice required by paragraph (1)
for a reasonable period of time in order to--</DELETED>
<DELETED> (i) restore the system's
functionality or fix the problem; and</DELETED>
<DELETED> (ii) take such measures as may be
necessary to restore the integrity of the
service or website and prevent any further
compromise of the security, confidentiality,
and integrity of the information after the
failure or problem has been fixed and the
integrity of the service or website has been
restored.</DELETED>
<DELETED>SEC. 104. EXCEPTIONS.</DELETED>
<DELETED> (a) In General.--Section 102 does not apply to the
collection, disclosure, or use by an internet service provider, online
service provider, or operator of a commercial website of information
about a user of that service or website necessary--</DELETED>
<DELETED> (1) to protect the security or integrity of the
service or website or to ensure the safety of other people or
property;</DELETED>
<DELETED> (2) to conduct a transaction, deliver a product or
service, or complete an arrangement for which the user provided
the information; or</DELETED>
<DELETED> (3) to provide other products and services
integrally related to the transaction, service, product, or
arrangement for which the user provided the
information.</DELETED>
<DELETED> (b) Protected Disclosures.--An internet service provider,
online service provider, or operator of a commercial website may not be
held liable under this Act, any other Federal law, or any State law for
any disclosure made in good faith and following reasonable procedures
in responding to--</DELETED>
<DELETED> (1) a request for disclosure of personal
information under section 1302(b)(1)(B)(iii) of the Children's
Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.)
to the parent of a child; or</DELETED>
<DELETED> (2) a request for access to, or correction or
deletion of, personally identifiable information under section
105 of this Act.</DELETED>
<DELETED> (c) Disclosure to Law Enforcement Agency or under Court
Order.--</DELETED>
<DELETED> (1) In general.--Notwithstanding any other
provision of this Act, an internet service provider, online
service provider, operator of a commercial website, or third
party that uses such a service or website to collect
information about users of that service or website may disclose
personally identifiable information about a user of that
service or website--</DELETED>
<DELETED> (A) to a law enforcement, investigatory,
national security, or regulatory agency or department
of the United States in response to a request or demand
made under authority granted to that agency or
department, including a warrant issued under the
Federal Rules of Criminal Procedure, an equivalent
State warrant, a court order, or a properly executed
administrative compulsory process; and</DELETED>
<DELETED> (B) in response to a court order in a
civil proceeding granted upon a showing of compelling
need for the information that cannot be accommodated by
any other means if--</DELETED>
<DELETED> (i) the user to whom the
information relates is given reasonable notice
by the person seeking the information of the
court proceeding at which the order is
requested; and</DELETED>
<DELETED> (ii) that user is afforded a
reasonable opportunity to appear and contest
the issuance of the requested order or to narrow
its scope.</DELETED>
<DELETED> (2) Safeguards against further disclosure.--A
court that issues an order described in paragraph (1) shall
impose appropriate safeguards on the use of the information to
protect against its unauthorized disclosure.</DELETED>
<DELETED>SEC. 105. ACCESS.</DELETED>
<DELETED> (a) In General.--An internet service provider, online
service provider, or operator of a commercial website shall--</DELETED>
<DELETED> (1) upon request provide reasonable access to a
user to personally identifiable information that the provider
or operator has collected from the user online, or that the
provider or operator has combined with personally identifiable
information collected from the user online after the effective
date of this Act;</DELETED>
<DELETED> (2) provide a reasonable opportunity for a user to
suggest a correction or deletion of any such information
maintained by that provider or operator to which the user was
granted access; and</DELETED>
<DELETED> (3) make the correction a part of that user's
sensitive personally identifiable information or nonsensitive
personally identifiable information (whichever is appropriate),
or make the deletion, for all future disclosure and other use
purposes.</DELETED>
<DELETED> (b) Exception.--An internet service provider, online
service provider, or operator of a commercial website may decline to
make a suggested correction a part of that user's sensitive personally
identifiable information or nonsensitive personally identifiable
information (whichever is appropriate), or to make a suggested deletion
if the provider or operator--</DELETED>
<DELETED> (1) reasonably believes that the suggested
correction or deletion is inaccurate or otherwise
inappropriate;</DELETED>
<DELETED> (2) notifies the user in writing, or in digital or
other electronic form, of the reasons the provider or operator
believes the suggested correction or deletion is inaccurate or
otherwise inappropriate; and</DELETED>
<DELETED> (3) provides a reasonable opportunity for the user
to refute the reasons given by the provider or operator for
declining to make the suggested correction or
deletion.</DELETED>
<DELETED> (c) Reasonableness Test.--The reasonableness of the access
or opportunity provided under subsection (a) or (b) by an internet
service provider, online service provider, or operator of a commercial
website shall be determined by taking into account such factors as the
sensitivity of the information requested and the burden or expense on
the provider or operator of complying with the request, correction, or
deletion.</DELETED>
<DELETED> (d) Reasonable Access Fee.--</DELETED>
<DELETED> (1) In general.--An internet service provider,
online service provider, or operator of a commercial website
may impose a reasonable charge for access under subsection
(a).</DELETED>
<DELETED> (2) Amount.--The amount of the fee shall not
exceed $3, except that upon request of a user, a provider or
operator shall provide such access without charge to that user
if the user certifies in writing that the user--</DELETED>
<DELETED> (A) is unemployed and intends to apply for
employment in the 60-day period beginning on the date
on which the certification is made;</DELETED>
<DELETED> (B) is a recipient of public welfare
assistance; or</DELETED>
<DELETED> (C) has reason to believe that the
incorrect information is due to fraud.</DELETED>
<DELETED>SEC. 106. SECURITY.</DELETED>
<DELETED> An internet service provider, online service provider, or
operator of a commercial website shall establish and maintain
reasonable procedures necessary to protect the security,
confidentiality, and integrity of personally identifiable information
maintained by that provider or operator.</DELETED>
<DELETED>TITLE II--ENFORCEMENT</DELETED>
<DELETED>SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.</DELETED>
<DELETED> Except as provided in section 202(b) of this Act and
section 2710(d) of title 18, United States Code, this Act shall be
enforced by the Commission.</DELETED>
<DELETED>SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR
PRACTICE.</DELETED>
<DELETED> (a) In General.--The violation of any provision of title I
is an unfair or deceptive act or practice proscribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).</DELETED>
<DELETED> (b) Enforcement by Certain Other Agencies.--Compliance
with title I of this Act shall be enforced under--</DELETED>
<DELETED> (1) section 8 of the Federal Deposit Insurance Act
(12 U.S.C. 1818), in the case of--</DELETED>
<DELETED> (A) national banks, and Federal branches
and Federal agencies of foreign banks, by the Office of
the Comptroller of the Currency;</DELETED>
<DELETED> (B) member banks of the Federal Reserve
System (other than national banks), branches and
agencies of foreign banks (other than Federal branches,
Federal agencies, and insured State branches of foreign
banks), commercial lending companies owned or
controlled by foreign banks, and organizations
operating under section 25 or 25A of the Federal
Reserve Act (12 U.S.C. 601 and 611), by the Board;
and</DELETED>
<DELETED> (C) banks insured by the Federal Deposit
Insurance Corporation (other than members of the
Federal Reserve System) and insured State branches of
foreign banks, by the Board of Directors of the Federal
Deposit Insurance Corporation;</DELETED>
<DELETED> (2) section 8 of the Federal Deposit Insurance Act
(12 U.S.C. 1818), by the Director of the Office of Thrift
Supervision, in the case of a savings association the deposits
of which are insured by the Federal Deposit Insurance
Corporation;</DELETED>
<DELETED> (3) the Federal Credit Union Act (12 U.S.C. 1751
et seq.) by the National Credit Union Administration Board with
respect to any Federal credit union;</DELETED>
<DELETED> (4) part A of subtitle VII of title 49, United
States Code, by the Secretary of Transportation with respect to
any air carrier or foreign air carrier subject to that
part;</DELETED>
<DELETED> (5) the Packers and Stockyards Act, 1921 (7 U.S.C.
181 et seq.) (except as provided in section 406 of that Act (7
U.S.C. 226, 227)), by the Secretary of Agriculture with respect
to any activities subject to that Act; and</DELETED>
<DELETED> (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.) by the Farm Credit Administration with respect to any
Federal land bank, Federal land bank association, Federal
intermediate credit bank, or production credit
association.</DELETED>
<DELETED> (c) Exercise of Certain Powers.--For the purpose of the
exercise by any agency referred to in subsection (b) of its powers
under any Act referred to in that subsection, a violation of title I is
deemed to be a violation of a requirement imposed under that Act. In
addition to its powers under any provision of law specifically referred
to in subsection (b), each of the agencies referred to in that
subsection may exercise, for the purpose of enforcing compliance with
any requirement imposed under title I, any other authority conferred on
it by law.</DELETED>
<DELETED> (d) Actions by the Commission.--The Commission shall
prevent any person from violating title I in the same manner, by the
same means, and with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a
part of this Act. Any entity that violates any provision of that
subtitle is subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act in the same
manner, by the same means, and with the same jurisdiction, power, and
duties as though all applicable terms and provisions of the Federal
Trade Commission Act were incorporated into and made a part of that
subtitle.</DELETED>
<DELETED> (e) Disposition of Civil Penalties Obtained by FTC
Enforcement Action Involving Nonsensitive Personally Identifiable
Information.--</DELETED>
<DELETED> (1) In general.--If a civil penalty is imposed on
an internet service provider, online service provider, or
commercial website operator in an enforcement action brought by
the Commission for a violation of title I with respect to
nonsensitive personally identifiable information of users of
the service or website, the penalty shall be--</DELETED>
<DELETED> (A) paid to the Commission;</DELETED>
<DELETED> (B) held by the Commission in trust for
distribution under paragraph (2); and</DELETED>
<DELETED> (C) distributed in accordance with
paragraph (2).</DELETED>
<DELETED> (2) Distribution to users.--Under procedures to be
established by the Commission, the Commission shall hold any
amount received as a civil penalty for violation of title I for
a period of not less than 180 days for distribution under those
procedures to users--</DELETED>
<DELETED> (A) whose nonsensitive personally
identifiable information was the subject of the
violation; and</DELETED>
<DELETED> (B) who file claims with the Commission
for compensation for loss or damage from the violation
at such time, in such manner, and containing such
information as the Commission may require.</DELETED>
<DELETED> (3) Amount of payment.--The amount a user may
receive under paragraph (2)--</DELETED>
<DELETED> (i) shall not exceed $200;
and</DELETED>
<DELETED> (ii) may be limited by the
Commission as necessary to afford each such
user a reasonable opportunity to secure that
user's appropriate portion of the amount
available for distribution.</DELETED>
<DELETED> (4) Remainder.--If the amount of any such penalty
held by the Commission exceeds the sum of the amounts
distributed under paragraph (2) attributable to that penalty,
the excess shall be covered into the Treasury of the United
States as miscellaneous receipts no later than 12 months after
it was paid to the Commission.</DELETED>
<DELETED> (f) Effect on Other Laws.--</DELETED>
<DELETED> (1) Preservation of commission authority.--Nothing
contained in this subtitle shall be construed to limit the
authority of the Commission under any other provision of
law.</DELETED>
<DELETED> (2) Relation to title ii of communications act.--
Nothing in title I requires an operator of a website or online
service to take any action that is inconsistent with the
requirements of section 222 of the Communications Act of 1934
(47 U.S.C. 222).</DELETED>
<DELETED> (3) Relation to title vi of communications act.--
Section 631 of the Communications Act of 1934 (47 U.S.C. 551)
is amended by adding at the end the following:</DELETED>
<DELETED> ``(i) To the extent that the application of any provision
of this title to a cable operator as an internet service provider,
online service provider, or operator of a commercial website (as those
terms are defined in section 401 of the Online Personal Privacy Act)
with respect to the provision of Internet service or online service, or
the operation of a commercial website, conflicts with the application
of any provision of that Act to such provision or operation, the Act
shall be applied in lieu of the conflicting provision of this
title.''.</DELETED>
<DELETED>SEC. 203. ACTIONS BY USERS.</DELETED>
<DELETED> (a) Private Right of Action for Sensitive Personally
Identifiable Information.--If an internet service provider, online
service provider, or commercial website operator collects, discloses,
or uses the sensitive personally identifiable information of any person
or fails to provide reasonable access to or reasonable security for
such sensitive personally identifiable information in violation of any
provision of title I then that person may bring an action in a district
court of the United States of appropriate jurisdiction--</DELETED>
<DELETED> (1) to enjoin or restrain a violation of title I
or to obtain other appropriate relief; and</DELETED>
<DELETED> (2) upon a showing of actual harm to that person
caused by the violation, to recover the greater of--</DELETED>
<DELETED> (A) the actual monetary loss from the
violation; or</DELETED>
<DELETED> (B) $5,000.</DELETED>
<DELETED> (b) Repeated Violations.--If the court finds, in an action
brought under subsection (a) to recover damages, that the defendant
repeatedly and knowingly violated title I, the court may, in its
discretion, increase the amount of the award available under subsection
(a)(2)(B) to an amount not in excess of $100,000.</DELETED>
<DELETED> (c) Exception.--Neither an action to enjoin or restrain a
violation, nor an action to recover for loss or damage, may be brought
under this section for the accidental disclosure of information if the
disclosure was caused by an Act of God, unforeseeable network or
systems failure, or other event beyond the control of the Internet
service provider, online service provider, or operator of a commercial
website.</DELETED>
<DELETED>SEC. 204. ACTIONS BY STATES.</DELETED>
<DELETED> (a) In General.--</DELETED>
<DELETED> (1) Civil actions.--In any case in which the
attorney general of a State has reason to believe that an
interest of the residents of that State has been or is
threatened or adversely affected by the engagement of any
person in a practice that violates title I, the State, as
parens patriae, may bring a civil action on behalf of the
residents of the State in a district court of the United States
of appropriate jurisdiction--</DELETED>
<DELETED> (A) to enjoin that practice;</DELETED>
<DELETED> (B) to enforce compliance with the
rule;</DELETED>
<DELETED> (C) to obtain damage, restitution, or
other compensation on behalf of residents of the State;
or</DELETED>
<DELETED> (D) to obtain such other relief as the
court may consider to be appropriate.</DELETED>
<DELETED> (2) Notice.--</DELETED>
<DELETED> (A) In general.--Before filing an action
under paragraph (1), the attorney general of the State
involved shall provide to the Commission--</DELETED>
<DELETED> (i) written notice of that action;
and</DELETED>
<DELETED> (ii) a copy of the complaint for
that action.</DELETED>
<DELETED> (B) Exemption.--</DELETED>
<DELETED> (i) In general.--Subparagraph (A)
shall not apply with respect to the filing of
an action by an attorney general of a State
under this subsection, if the attorney general
determines that it is not feasible to provide
the notice described in that subparagraph
before the filing of the action.</DELETED>
<DELETED> (ii) Notification.--In an action
described in clause (i), the attorney general
of a State shall provide notice and a copy of
the complaint to the Commission at the same
time as the attorney general files the
action.</DELETED>
<DELETED> (b) Intervention.--</DELETED>
<DELETED> (1) In general.--On receiving notice under
subsection (a)(2), the Commission shall have the right to
intervene in the action that is the subject of the
notice.</DELETED>
<DELETED> (2) Effect of intervention.--If the Commission
intervenes in an action under subsection (a), it shall have the
right--</DELETED>
<DELETED> (A) to be heard with respect to any matter
that arises in that action; and</DELETED>
<DELETED> (B) to file a petition for
appeal.</DELETED>
<DELETED> (c) Construction.--For purposes of bringing any civil
action under subsection (a), nothing in this subtitle shall be
construed to prevent an attorney general of a State from exercising the
powers conferred on the attorney general by the laws of that State to--
</DELETED>
<DELETED> (1) conduct investigations;</DELETED>
<DELETED> (2) administer oaths or affirmations; or</DELETED>
<DELETED> (3) compel the attendance of witnesses or the
production of documentary and other evidence.</DELETED>
<DELETED> (d) Actions by the Commission.--In any case in which
an action is instituted by or on behalf of the Commission for violation
of title I, no State may, during the pendency of that action, institute
an action under subsection (a) against any defendant named in the
complaint in that action for violation of that rule.</DELETED>
<DELETED> (e) Venue; Service of Process.--</DELETED>
<DELETED> (1) Venue.--Any action brought under subsection
(a) may be brought in the district court of the United States
that meets applicable requirements relating to venue under
section 1391 of title 28, United States Code.</DELETED>
<DELETED> (2) Service of process.--In an action brought
under subsection (a), process may be served in any district in
which the defendant--</DELETED>
<DELETED> (A) is an inhabitant; or</DELETED>
<DELETED> (B) may be found.</DELETED>
<DELETED>SEC. 205. WHISTLEBLOWER PROTECTION.</DELETED>
<DELETED> (a) In General.--No internet service provider, online
service provider, or commercial website operator may discharge or
otherwise discriminate against any employee with respect to
compensation, terms, conditions, or privileges of employment because
the employee (or any person acting pursuant to the request of the
employee) provided information to any Federal or State agency or to the
Attorney General of the United States or of any State regarding a
violation of any provision of title I.</DELETED>
<DELETED> (b) Enforcement.--Any employee or former employee who
believes he has been discharged or discriminated against in violation
of subsection (a) may file a civil action in the appropriate United
States district court before the close of the 2-year period beginning
on the date of such discharge or discrimination. The complainant shall
also file a copy of the complaint initiating such action with the
appropriate Federal agency.</DELETED>
<DELETED> (c) Remedies.--If the district court determines that a
violation of subsection (a) has occurred, it may order the Internet
service provider, online service provider, or commercial website
operator that committed the violation--</DELETED>
<DELETED> (1) to reinstate the employee to his former
position;</DELETED>
<DELETED> (2) to pay compensatory damages; or</DELETED>
<DELETED> (3) to take other appropriate actions to remedy
any past discrimination.</DELETED>
<DELETED> (d) Limitation.--The protections of this section shall not
apply to any employee who--</DELETED>
<DELETED> (1) deliberately causes or participates in the
alleged violation; or</DELETED>
<DELETED> (2) knowingly or recklessly provides substantially
false information to such an agency or the Attorney
General.</DELETED>
<DELETED> (e) Burdens of Proof.--The legal burdens of proof that
prevail under subchapter III of chapter 12 of title 5, United States
Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected
activities under this section.</DELETED>
<DELETED>SEC. 206. NO EFFECT ON OTHER REMEDIES.</DELETED>
<DELETED> The remedies provided by sections 203 and 204 are in
addition to any other remedy available under any provision of
law.</DELETED>
<DELETED>TITLE III--APPLICATION TO CONGRESS AND FEDERAL
AGENCIES</DELETED>
<DELETED>SEC. 301. SENATE.</DELETED>
<DELETED> The Sergeant at Arms of the United States Senate shall
develop regulations setting forth an information security and
electronic privacy policy governing use of the Internet by officers and
employees of the Senate that meets the requirements of title
I.</DELETED>
<DELETED>SEC. 302. APPLICATION TO FEDERAL AGENCIES.</DELETED>
<DELETED> (a) In General.--Except as provided in subsection (b),
this Act applies to each Federal agency that is an internet service
provider or an online service provider, or that operates a website, to
the extent provided by section 2674 of title 28, United States
Code.</DELETED>
<DELETED> (b) Exceptions.--This Act does not apply to any Federal
agency to the extent that the application of this Act would compromise
law enforcement activities or the administration of any investigative,
security, or safety operation conducted in accordance with Federal
law.</DELETED>
<DELETED>TITLE IV--MISCELLANEOUS</DELETED>
<DELETED>SEC. 401. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Collect.--The term ``collect'' means the
gathering of personally identifiable information about a user
of an Internet service, online service, or commercial website
by or on behalf of the provider or operator of that service or
website by any means, direct or indirect, active or passive,
including--</DELETED>
<DELETED> (A) an online request for such information
by the provider or operator, regardless of how the
information is transmitted to the provider or
operator;</DELETED>
<DELETED> (B) the use of a chat room, message board,
or other online service to gather the information;
or</DELETED>
<DELETED> (C) tracking or use of any identifying
code linked to a user of such a service or website,
including the use of cookies or other tracking
technology.</DELETED>
<DELETED> (2) Commission.--The term ``Commission'' means the
Federal Trade Commission.</DELETED>
<DELETED> (3) Cookie.--The term ``cookie'' means any
program, function, or device, commonly known as a ``cookie'',
that makes a record on the user's computer (or other electronic
device) of that user's access to an internet service, online
service, or commercial website.</DELETED>
<DELETED> (4) Disclose.--The term ``disclose'' means the
release of personally identifiable information about a user of
an Internet service, online service, or commercial website by
an internet service provider, online service provider, or
operator of a commercial website for any purpose, except where
such information is provided to a person who provides support
for the internal operations of the service or website and who
does not disclose or use that information for any other
purpose.</DELETED>
<DELETED> (5) Federal agency.--The term ``Federal agency''
means an agency, as that term is defined in section 551(1) of
title 5, United States Code.</DELETED>
<DELETED> (6) Internal operations support.--The term
``support for the internal operations of a service or website''
means any activity necessary to maintain the technical
functionality of that service or website.</DELETED>
<DELETED> (7) Internet.--The term ``Internet'' means
collectively the myriad of computer and telecommunications
facilities, including equipment and operating software, which
comprise the interconnected world-wide network of networks that
employ the Transmission Control Protocol/Internet Protocol, or
any predecessor or successor protocols to such protocol, to
communicate information of all kinds by wire or
radio.</DELETED>
<DELETED> (8) Internet service provider; online service
provider; website.--The Commission shall by rule define the
terms ``internet service provider'', ``online service
provider'', and ``website'', and shall revise or amend such
rule to take into account changes in technology, practice, or
procedure with respect to the collection of personal
information over the Internet.</DELETED>
<DELETED> (9) Online.--The term ``online'' refers to any
activity regulated by this Act or by section 2710 of title 18,
United States Code, that is effected by active or passive use
of an Internet connection, regardless of the medium by or
through which that connection is established.</DELETED>
<DELETED> (10) Operator of a commercial website.--The term
``operator of a commercial website''--</DELETED>
<DELETED> (A) means any person who operates a
website located on the Internet or an online service
and who collects or maintains personal information from
or about the users of or visitors to such website or
online service, or on whose behalf such information is
collected or maintained, where such website or online
service is operated for commercial purposes, including
any person offering products or services for sale
through that website or online service, involving
commerce--</DELETED>
<DELETED> (i) among the several States or
with 1 or more foreign nations;</DELETED>
<DELETED> (ii) in any territory of the
United States or in the District of Columbia,
or between any such territory and--</DELETED>
<DELETED> (I) another such
territory; or</DELETED>
<DELETED> (II) any State or foreign
nation; or</DELETED>
<DELETED> (iii) between the District of
Columbia and any State, territory, or foreign
nation; but</DELETED>
<DELETED> (B) does not include any nonprofit entity
that would otherwise be exempt from coverage under
section 5 of the Federal Trade Commission Act (15
U.S.C. 45).</DELETED>
<DELETED> (11) Personally identifiable information.--
</DELETED>
<DELETED> (A) In general.--The term ``personally
identifiable information'' means individually
identifiable information about an individual collected
online, including--</DELETED>
<DELETED> (i) a first and last name, whether
given at birth or adoption, assumed, or legally
changed;</DELETED>
<DELETED> (ii) a home or other physical
address including street name and name of a
city or town;</DELETED>
<DELETED> (iii) an e-mail address;</DELETED>
<DELETED> (iv) a telephone number;</DELETED>
<DELETED> (v) a birth certificate
number;</DELETED>
<DELETED> (vi) any other identifier for
which the Commission finds there is a
substantial likelihood that the identifier
would permit the physical or online contacting
of a specific individual; or</DELETED>
<DELETED> (vii) information that an Internet
service provider, online service provider, or
operator of a commercial website collects and
combines with an identifier described in
clauses (i) through (vi) of this
subparagraph.</DELETED>
<DELETED> (B) Inferential information excluded.--
Information about an individual derived or inferred
from data collected online but not actually collected
online is not personally identifiable
information.</DELETED>
<DELETED> (12) Release.--The term ``release of personally
identifiable information'' means the direct or indirect,
sharing, selling, renting, or other provision of personally
identifiable information of a user of an internet service,
online service, or commercial website to any other person other
than the user.</DELETED>
<DELETED> (13) Robust notice.--The term ``robust notice''
means actual notice at the point of collection of the
personally identifiable information describing briefly and
succinctly the intent of the Internet service provider, online
service provider, or operator of a commercial website to use or
disclose that information for marketing or other
purposes.</DELETED>
<DELETED> (14) Sensitive financial information.--The term
``sensitive financial information'' means--</DELETED>
<DELETED> (A) the amount of income earned or losses
suffered by an individual;</DELETED>
<DELETED> (B) an individual's account number or
balance information for a savings, checking, money
market, credit card, brokerage, or other financial
services account;</DELETED>
<DELETED> (C) the access code, security password, or
similar mechanism that permits access to an
individual's financial services account;</DELETED>
<DELETED> (D) an individual's insurance policy
information, including the existence, premium, face
amount, or coverage limits of an insurance policy held
by or for the benefit of an individual; or</DELETED>
<DELETED> (E) an individual's outstanding credit
card, debt, or loan obligations.</DELETED>
<DELETED> (15) Sensitive personally identifiable
information.--The term ``sensitive personally identifiable
information'' means personally identifiable information about
an individual's--</DELETED>
<DELETED> (A) individually identifiable health
information (as defined in section 164.501 of title 45,
Code of Federal Regulations);</DELETED>
<DELETED> (B) race or ethnicity;</DELETED>
<DELETED> (C) political party affiliation;</DELETED>
<DELETED> (D) religious beliefs;</DELETED>
<DELETED> (E) sexual orientation;</DELETED>
<DELETED> (F) a Social Security number; or</DELETED>
<DELETED> (G) sensitive financial
information.</DELETED>
<DELETED>SEC. 402. EFFECTIVE DATE OF TITLE I.</DELETED>
<DELETED> Title I of this Act takes effect on the day after the date
on which the Commission publishes a final rule under section
403.</DELETED>
<DELETED>SEC. 403. FTC RULEMAKING.</DELETED>
<DELETED> The Commission shall--</DELETED>
<DELETED> (1) initiate a rulemaking within 90 days after the
date of enactment of this Act for regulations to implement the
provisions of title I; and</DELETED>
<DELETED> (2) complete that rulemaking within 270 days after
initiating it.</DELETED>
<DELETED>SEC. 404. FTC REPORT.</DELETED>
<DELETED> (a) Report.--The Commission shall submit a report to the
Senate Committee on Commerce, Science, and Transportation and the House
of Representatives Committee on Commerce 18 months after the effective
date of title I, and annually thereafter, on--</DELETED>
<DELETED> (1) whether this Act is accomplishing the purposes
for which it was enacted;</DELETED>
<DELETED> (2) whether technology that protects privacy is
being utilized in the marketplace in such a manner as to
facilitate administration of and compliance with title
I;</DELETED>
<DELETED> (3) whether additional legislation is required to
accomplish those purposes or improve the administrability or
effectiveness of this Act;</DELETED>
<DELETED> (4) whether legislation is appropriate or
necessary to regulate the collection, use, and distribution of
personally identifiable information collected other than via
the Internet;</DELETED>
<DELETED> (5) whether and how the government might assist
industry in developing standard online privacy notices that
substantially comply with the requirements of section
102(a);</DELETED>
<DELETED> (6) whether and how the creation of a set of self-
regulatory guidelines established by independent safe harbor
organizations and approved by the Commission would facilitate
administration of and compliance with title I; and</DELETED>
<DELETED> (7) whether additional legislation is necessary or
appropriate to regulate the collection, use, and disclosure of
personally identifiable information collected online before the
effective date of title I.</DELETED>
<DELETED> (b) FTC Notice of Inquiry.--The Commission shall initiate
a notice of inquiry within 90 days after the date of enactment of this
Act to request comment on the matter described in paragraphs (1)
through (7) of subsection (a).</DELETED>
<DELETED>SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.</DELETED>
<DELETED> Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--</DELETED>
<DELETED> (1) by redesignating subsection (d) as subsection
(e); and</DELETED>
<DELETED> (2) by inserting after subsection (c) the
following:</DELETED>
<DELETED> ``(d) Development of Internet Privacy Program.--The
Institute shall encourage and support the development of one or more
computer programs, protocols, or other software, such as the World Wide
Web Consortium's P3P program, capable of being installed on computers,
or computer networks, with Internet access that would reflect the
user's preferences for protecting personally-identifiable or other
sensitive, privacy-related information, and automatically execute the
program, once activated, without requiring user
intervention.''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Online Personal Privacy Act''.
SEC. 2. TABLE OF CONTENTS.
The table of contents of this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Findings.
Sec. 4. Preemption of State law or regulations.
TITLE I--ONLINE PRIVACY PROTECTION
Sec. 101. Collection, use, or disclosure of personally identifiable
information.
Sec. 102. Notice and consent requirements.
Sec. 103. Policy changes; privacy breach.
Sec. 104. Exceptions.
Sec. 105. Access.
Sec. 106. Security.
TITLE II--ENFORCEMENT
Sec. 201. Enforcement by Federal Trade Commission.
Sec. 202. Violation is unfair or deceptive act or practice.
Sec. 203. Safe harbor self-regulatory programs.
Sec. 204. Small business safe harbor.
Sec. 205. Private right of action.
Sec. 206. Actions by States.
Sec. 207. Whistleblower protection.
Sec. 208. No effect on other remedies.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
Sec. 301. Exercise of rulemaking power.
Sec. 302. Senate.
Sec. 303. Application to Federal agencies.
TITLE IV--MISCELLANEOUS
Sec. 401. Definitions.
Sec. 402. Effective date.
Sec. 403. FTC rulemaking.
Sec. 404. FTC report.
Sec. 405. Development of automated privacy controls.
TITLE V--OFFLINE PRIVACY
Sec. 501. Collection, use, and disclosure of personally identifiable
information collected offline.
SEC. 3. FINDINGS.
The Congress finds the following:
(1) The right to privacy is a personal and fundamental
right worthy of protection through appropriate legislation.
(2) Individuals engaging in and interacting with companies
engaged in interstate commerce have a significant interest in
their personal information, as well as a right to control how
that information is collected, used, or transferred.
(3) Absent the recognition of these rights and the
establishment of consequent industry responsibilities to
safeguard those rights, the privacy of individuals who use the
Internet will soon be more gravely threatened.
(4) To the extent that States regulate, their efforts to
address Internet privacy will lead to a patchwork of
inconsistent standards and protections.
(5) Existing State, local, and Federal laws provide minimal
privacy protection for Internet users.
(6) With the exception of Federal Trade Commission
enforcement of laws against unfair and deceptive practices, the
Federal Government thus far has eschewed general Internet
privacy laws in favor of industry self-regulation, which has
led to several self-policing schemes, some of which are
enforceable, and some of which provide insufficient privacy
protection to individuals.
(7) Many Internet businesses have developed good Internet
privacy policies that provide consumers notice, choice, access,
and security with respect to their personal information.
(8) Many other Internet businesses, however, have yet to
provide these baseline fair information practices, and, absent
legislative requirements to the contrary, seem unlikely to do
so in the near future.
(9) State governments have been reluctant to enter the
field of Internet privacy regulation because use of the
Internet often crosses State, or even national, boundaries.
(10) States are nonetheless interested in providing greater
privacy protection to their citizens as evidenced by recent
lawsuits brought against offline and online companies by State
attorneys general to protect the privacy of individuals using
the Internet.
(11) The ease of gathering and compiling personal
information on the Internet, both overtly and surreptitiously,
is becoming increasingly efficient and effortless due to
advances in digital communications technology which have
provided information gatherers the ability to compile
seamlessly highly detailed personal histories of Internet
users.
(12) Personal information flowing over the Internet
requires greater privacy protection than is currently available
today. Vast amounts of personal information, including
sensitive information, about individual Internet users are
collected on the Internet and sold or otherwise transferred to
third parties.
(13) Poll after poll consistently demonstrates that
individual Internet users are highly troubled over their lack
of control over their personal information.
(14) Market research demonstrates that tens of billions of
dollars in e-commerce are lost due to individual fears about a
lack of privacy protection on the Internet.
(15) Market research demonstrates that as many as one-third
of all Internet users give false information about themselves
to protect their privacy, due to fears about a lack of privacy
protection on the Internet.
(16) Notwithstanding these concerns, the Internet is
becoming a major part of the personal and commercial lives of
millions of Americans, providing increased access to
information, as well as communications and commercial
opportunities.
(17) It is important to establish personal privacy rights
and industry obligations now so that individuals have
confidence that their personal privacy is fully protected on
the Internet.
(18) The social and economic costs of establishing baseline
privacy standards now will be lower than if Congress waits
until the Internet becomes more prevalent in our everyday lives
in coming years.
(19) Whatever costs may be borne by industry will be
significantly offset by the economic benefits to the commercial
Internet created by increased consumer confidence occasioned by
greater privacy protection.
(20) Toward the close of the 20th Century, as individuals'
personal information was increasingly collected, profiled, and
shared for commercial purposes, and as technology advanced to
facilitate these practices, the Congress enacted numerous
statutes to protect privacy.
(21) Those statutes apply to the government, telephones,
cable television, e-mail, video tape rentals, and the Internet
(but only with respect to children).
(22) Those statutes all provide significant privacy
protections, but neither limit technology nor stifle business.
(23) Those statutes ensure that the collection and
commercialization of individuals' personal information is fair,
transparent, and subject to law.
(24) As in those instances, the Federal government has a
substantial interest in promoting privacy on the Internet.
SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.
This Act supersedes any State statute, regulation, or rule
regulating Internet privacy to the extent that it relates to the
collection, use, or disclosure of personally identifiable information
obtained through the Internet.
TITLE I--ONLINE PRIVACY PROTECTION
SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY IDENTIFIABLE
INFORMATION.
(a) In General.--An internet service provider, online service
provider, or operator of a commercial website on the Internet may not
collect personally identifiable information online from a user, or use
or disclose personally identifiable information about a user, of that
service or website except in accordance with the provisions of this
Act.
(b) Application to Certain Third-Party Operators.--The provisions
of this Act applicable to internet service providers, online service
providers, and commercial website operators apply to any third party,
including an advertising network, that--
(1) uses an internet service provider, online service
provider, or commercial website operator to collect information
about users of that service or website; or
(2) makes computer software available to the public, by
sale or otherwise, that is capable of--
(A) collecting personally identifiable information
about the user, the hardware on which it is used, or
the manner in which it is used; and
(B) disclosing such information to any person other
than the user.
SEC. 102. NOTICE AND CONSENT REQUIREMENTS.
(a) Notice.--Except as provided in section 104, an internet service
provider, online service provider, or operator of a commercial website
may not collect personally identifiable information from a user of that
service or website online unless that provider or operator provides
clear and conspicuous notice to the user in the manner required by this
section for the kind of personally identifiable information to be
collected. The notice shall disclose--
(1) the specific types of information that will be
collected;
(2) the methods of collecting and using the information
collected; and
(3) all disclosure practices of that provider or operator
for personally identifiable information so collected, including
whether it will be disclosed to third parties.
(b) Sensitive Personally Identifiable Information Requires Opt-in
Consent.--An internet service provider, online service provider, or
operator of a commercial website may not--
(1) collect sensitive personally identifiable information
online, or
(2) disclose or otherwise use such information collected
online, from a user of that service or website,
unless the provider or operator obtains that user's consent to the
collection and disclosure or use of that information before, or at the
time, the information is collected and the user's consent is manifested
by an affirmative act in a written or electronic communication.
(c) Nonsensitive Personally Identifiable Information Requires
Robust Notice and Opt-out Consent.--An internet service provider,
online service provider, or operator of a commercial website may not--
(1) collect personally identifiable information not
described in subsection (b) online, or
(2) disclose or otherwise use such information collected
online, from a user of that service or website,
unless the provider or operator provides robust notice to the user, in
addition to clear and conspicuous notice, and has given the user an
opportunity to decline consent for such collection and use by the
provider or operator before, or at the time, the information is
collected.
(d) Initial Notice Only for Robust Notice.--An internet service
provider, online service provider, or operator of a commercial website
shall provide robust notice under subsection (c) of this section to a
user only upon its first collection of non-sensitive personally
identifiable information from that user, except that a subsequent
collection of materially different non-sensitive personally
identifiable information from that user shall be treated as a first
collection of such information from that user.
(e) Permanence of Consent.--
(1) In general.--The consent or denial of consent by a user
of permission to an internet service provider, online service
provider, or operator of a commercial website to collect,
disclose, or otherwise use any information about that user for
which consent is required under this Act--
(A) shall remain in effect until changed by the
user; and
(B) shall apply to the collection, disclosure, or
other use of that information by any entity that is a
commercial successor of, or legal successor-in-interest
to, that provider or operator, without regard to the
legal form in which such succession was accomplished
(including any entity that collects, discloses, or uses
such information as a result of a proceeding under
chapter 7 or chapter 11 of title 11, United States
Code, with respect to the provider or operator).
(2) Exception.--The consent by a user to the collection,
disclosure, or other use of information about that user for
which consent is required under this Act does not apply to the
collection, disclosure, or use of that information by a
successor entity under paragraph (1)(B) if--
(A) the kind of information collected by the
successor entity about the user is materially different
from the kind of information collected by the
predecessor entity;
(B) the methods of collecting and using the
information employed by the successor entity are
materially different from the methods employed by the
predecessor entity; or
(C) the disclosure practices of the successor
entity are materially different from the practices of
the predecessor entity.
SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.
(a) Notice of Policy Change.--Whenever an internet service
provider, online service provider, or operator of a commercial website
makes a material change in its policy for the collection, use, or
disclosure of sensitive or nonsensitive personally identifiable
information, it--
(1) shall notify all users of that service or website of
the change in policy; and
(2) may not collect, disclose, or otherwise use any
sensitive or nonsensitive personally identifiable information
in accordance with the changed policy unless the user has been
afforded an opportunity to consent, or withhold consent, to its
collection, disclosure, or use in accordance with the
requirements of section 102(b) or (c), whichever is applicable.
(b) Notice of Breach of Privacy.--
(1) In general.--If the sensitive or nonsensitive
personally identifiable information of a user of an internet
service provider, online service provider, or operator of a
commercial website--
(A) is disclosed by the provider or operator in
violation of any provision of this Act, or
(B) the security, confidentiality, or integrity of
such information is compromised by a hacker or other
third party, or by any act or failure to act of the
provider or operator and the compromise, act, or
failure to act results in a disclosure of personally
identifiable information in violation of any provision
of this Act,
then the provider or operator shall notify all users whose
sensitive or nonsensitive personally identifiable information
was affected by the unlawful collection, disclosure, use,
compromise, act, or failure to act. The notice shall describe
the nature of the unlawful collection, disclosure, use,
compromise, act, or failure to act and the steps taken by the
provider or operator to remedy it.
(2) Delay of notification.--
(A) Action taken by individuals.--If the compromise
of the security, confidentiality, or integrity of the
information is caused by a hacker or other external
interference with the service or website, or by an
employee of the service or website, the provider or
operator may postpone issuing the notice required by
paragraph (1) for a reasonable period of time in order
to--
(i) facilitate the detection and
apprehension of the person responsible for the
compromise; and
(ii) take such measures as may be necessary
to restore the integrity of the service or
website and prevent any further compromise of
the security, confidentiality, and integrity of
such information.
(B) System failures and other functional causes.--
If the unlawful collection, disclosure, use, or
compromise of the security, confidentiality, and
integrity of the information is the result of a system
failure, a problem with the operating system, software,
or program used by the internet service provider,
online service provider, or operator of the commercial
website, or other non-external interference with the
service or website, the provider or operator may
postpone issuing the notice required by paragraph (1)
for a reasonable period of time in order to--
(i) restore the system's functionality or
fix the problem; and
(ii) take such measures as may be necessary
to restore the integrity of the service or
website and prevent any further compromise of
the security, confidentiality, and integrity of
the information after the failure or problem
has been fixed and the integrity of the service
or website has been restored.
(c) Compliance Officers.--Each internet service provider, online
service provider, and operator of a commercial website shall designate
a privacy compliance officer, who shall be responsible for ensuring
compliance with the requirements of this title and the privacy policies
of that provider or operator.
SEC. 104. EXCEPTIONS.
(a) In General.--Section 102 does not apply to the collection,
disclosure, or use by an internet service provider, online service
provider, or operator of a commercial website of information about a
user of that service or website necessary--
(1) to protect the security or integrity of the service or
website or to ensure the safety, health, or life of other
people or property;
(2) to conduct a transaction, deliver a product or service,
or complete an arrangement for which the user provided the
information;
(3) to provide other products and services or conduct
activities integrally related to the transaction, service,
product, or arrangement for which the user provided the
information; or
(4) to comply with the Fair Credit Reporting Act (15 U.S.C.
1681 et seq.) determined without regard to section 603(d)(2) of
that Act (15 U.S.C. 1681a(d)(2)).
(b) Protected Disclosures and Other Regulated Activities.--
(1) In general.--An internet service provider, online
service provider, or operator of a commercial website may not
be held liable under this Act, any other Federal law, or any
State law for any disclosure made in good faith and following
reasonable procedures in responding to--
(A) a request for disclosure of personal
information under section 1302(b)(1)(B)(iii) of the
Children's Online Privacy Protection Act of 1998 (15
U.S.C. 6501 et seq.) to the parent of a child; or
(B) a request for access to, or correction or
deletion of, personally identifiable information under
section 105 of this Act.
(2) Financial institutions.--A financial institution (as
defined in section 509(3) of the Gramm-Leach-Bliley Act (15
U.S.C. 6809(3)) that is an internet service provider, online
service provider, or operator of a commercial website may not
be held liable under this Act for any disclosure described in
section 502(e) of that Act (15 U.S.C. 6802(e)).
(c) Disclosure to Law Enforcement Agency or Under Court Order.--
(1) In general.--Notwithstanding any other provision of
this Act, an internet service provider, online service
provider, operator of a commercial website, or third party that
uses such a service or website to collect information about
users of that service or website, may disclose personally
identifiable information about a user of that service or
website--
(A) to a law enforcement, investigatory, national
security, or regulatory agency or department of the
United States in response to a request or demand made
under authority granted to that agency or department by
statute, rule, or regulation, or pursuant to a warrant
issued under the Federal Rules of Criminal Procedure,
an equivalent State warrant, a court order, or a
properly executed administrative compulsory process; or
(B) in response to a court order in a civil
proceeding granted upon a showing of compelling need
for the information that cannot be accommodated by any
other means if--
(i) the user to whom the information
relates is given reasonable notice by the
person seeking the information of the court
proceeding at which the order is requested; and
(ii) that user is afforded a reasonable
opportunity to appear and contest the issuance
of the requested order or to narrow its scope.
(2) Safeguards against further disclosure.--A court that
issues an order described in paragraph (1)(B) shall impose
appropriate safeguards on the use of the information to protect
against its unauthorized disclosure.
(d) Emergency Disclosures.--Notwithstanding any other provision of
this Act, an internet service provider, online service provider,
operator of a commercial website, or third party that uses such a
service or website to collect information about users of that service
or website, may disclose personally identifiable information about a
user of that service or website to a law enforcement officer, hospital,
clinic, or other lawful medical organization or a licensed physician or
other healthcare professional if--
(1) the disclosure is critical to the life, safety, or
health of the user or other individuals;
(2) it is not feasible under the circumstances to obtain
timely consent; and
(3) the disclosure is no greater than necessary to
accomplish the purpose for which the information is disclosed.
(e) Disclosure for Professional Services Purposes.--Notwithstanding
any other provision of this Act, an internet service provider, online
service provider, operator of a commercial website, or third party that
uses such a service or website to collect information about users of
that service or website, may disclose personally identifiable
information about a user of that service or website to a provider of
professional services, or any wholly-owned affiliate thereof, of which
the user is a client, patient, or customer if the provider or affiliate
is subject to professional ethical standards, regulations, rules, or
law requiring the provider or affiliate not to disclose confidential
client information without the consent of the client.
SEC. 105. ACCESS.
(a) In General.--An internet service provider, online service
provider, or operator of a commercial website shall--
(1) upon request provide reasonable access to a user to
personally identifiable information that the provider or
operator has collected and retained from the user online, or
that the provider or operator has combined with personally
identifiable information collected and retained from the user
online after the effective date of this Act, except that, as
long as a user is not denied reasonable access to personally
identifiable information pertaining to that user, the provider
or operator is not required to disclose information that would
compromise its ability to protect proprietary information about
how it collects and stores its information;
(2) provide a reasonable opportunity for a user to suggest
a correction or deletion of any such information maintained by
that provider or operator to which the user was granted access;
and
(3) make the correction a part of that user's sensitive
personally identifiable information or nonsensitive personally
identifiable information (whichever is appropriate), or make
the deletion, for all future disclosure and other use purposes.
(b) Exception.--An internet service provider, online service
provider, or operator of a commercial website may decline to make a
suggested correction a part of that user's sensitive personally
identifiable information or nonsensitive personally identifiable
information (whichever is appropriate), or to make a suggested deletion
if the provider or operator--
(1) reasonably believes that the suggested correction or
deletion is inaccurate or otherwise inappropriate;
(2) notifies the user in writing, or in digital or other
electronic form, of the reasons the provider or operator
believes the suggested correction or deletion is inaccurate or
otherwise inappropriate; and
(3) provides a reasonable opportunity for the user to
refute the reasons given by the provider or operator for
declining to make the suggested correction or deletion.
(c) Reasonableness Test.--The reasonableness of the access or
opportunity provided under subsection (a) or (b) by an internet service
provider, online service provider, or operator of a commercial website
shall be determined by taking into account such factors as the
sensitivity of the information requested and the burden or expense on
the provider or operator of complying with the request, correction, or
deletion.
(d) Reasonable Access Fee.--
(1) In general.--An internet service provider, online
service provider, or operator of a commercial website may
impose a reasonable charge for access under subsection (a).
(2) Amount.--The amount of the fee shall not exceed $3,
except that upon request of a user, a provider or operator
shall provide such access without charge to that user if the
user certifies in writing that the user--
(A) is unemployed and intends to apply for
employment in the 60-day period beginning on the date
on which the certification is made;
(B) is a recipient of public welfare assistance; or
(C) has reason to believe that the incorrect
information is due to fraud.
SEC. 106. SECURITY.
An internet service provider, online service provider, or operator
of a commercial website shall establish and maintain reasonable
procedures necessary to protect the security, confidentiality, and
integrity of personally identifiable information maintained by that
provider or operator.
TITLE II--ENFORCEMENT
SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
Except as provided in section 202(b) of this Act and section
2710(d) of title 18, United States Code, this Act shall be enforced by
the Commission.
SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(a) In General.--The violation of any provision of title I is an
unfair or deceptive act or practice proscribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(b) Enforcement by Certain Other Agencies.--Compliance with title I
of this Act shall be enforced--
(1) under section 8 of the Federal Deposit Insurance Act
(12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and
Federal agencies of foreign banks, and any subsidiaries
of such entities (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers), by the Office of the Comptroller
of the Currency;
(B) member banks of the Federal Reserve System
(other than national banks), branches and agencies of
foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by
foreign banks, organizations operating under section 25
or 25A of the Federal Reserve Act (12 U.S.C. 601 and
611), and bank holding companies and their nonbank
subsidiaries or affiliates (except brokers, dealers,
persons providing insurance, investment companies, and
investment advisers), by the Board;
(C) banks insured by the Federal Deposit Insurance
Corporation (other than members of the Federal Reserve
System), insured State branches of foreign banks, and
any subsidiaries of such entities (except brokers,
dealers, persons providing insurance, investment
companies, and investment advisers), by the Board of
Directors of the Federal Deposit Insurance Corporation;
and
(D) savings associations the deposits of which are
insured by the Federal Deposit Insurance Corporation,
and any subsidiaries of such savings associations
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the
Director of the Office of Thrift Supervision;
(2) under the Federal Credit Union Act (12 U.S.C. 1751 et
seq.) by the Board of the National Credit Union Administration
with respect to any Federally insured credit union, and any
subsidiaries of such a credit union;
(3) under the Securities Exchange Act of 1934 (15 U.S.C.
78a et seq.) by the Securities and Exchange Commission with
respect to any broker or dealer;
(4) under the Investment Company Act of 1940 (15 U.S.C.
80a-1 et seq.) by the Securities and Exchange Commission with
respect to investment companies;
(5) under the Investment Advisers Act of 1940 (15 U.S.C.
80b-1 et seq.) by the Securities and Exchange Commission with
respect to investment advisers registered under that Act;
(6) under State insurance law in the case of any person
engaged in providing insurance, by the applicable State
insurance authority of the State in which the person is
domiciled, subject to section 104 of the Gramm-Leach-Bliley Act
(15 U.S.C. 6701);
(7) under part A of subtitle VII of title 49, United States
Code, by the Secretary of Transportation with respect to any
air carrier or foreign air carrier subject to that part;
(8) under the Packers and Stockyards Act, 1921 (7 U.S.C.
181 et seq.) (except as provided in section 406 of that Act (7
U.S.C. 226, 227)), by the Secretary of Agriculture with respect
to any activities subject to that Act;
(9) under the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.) by the Farm Credit Administration with respect to any
Federal land bank, Federal land bank association, Federal
intermediate credit bank, or production credit association; and
(10) under title XI of the Social Security Act (42 U.S.C.
1301 et seq.) by the Secretary of Health and Human Services
with respect to persons regulated under that title.
(c) Exercise of Certain Powers.--For the purpose of the exercise by
any agency referred to in subsection (b) of its powers under any Act
referred to in that subsection, a violation of title I is deemed to be
a violation of a requirement imposed under that Act. In addition to its
powers under any provision of law specifically referred to in
subsection (b), each of the agencies referred to in that subsection may
exercise, for the purpose of enforcing compliance with any requirement
imposed under title I, any other authority conferred on it by law.
(d) Actions by the Commission.--The Commission shall prevent any
person from violating title I in the same manner, by the same means,
and with the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Any entity that violates any provision of that subtitle is subject to
the penalties and entitled to the privileges and immunities provided in
the Federal Trade Commission Act in the same manner, by the same means,
and with the same jurisdiction, power, and duties as though all
applicable terms and provisions of the Federal Trade Commission Act
were incorporated into and made a part of that subtitle.
(e) Disposition of Civil Penalties Obtained by FTC Enforcement
Action Involving Nonsensitive Personally Identifiable Information.--
(1) In general.--If a civil penalty is imposed on an
internet service provider, online service provider, or
commercial website operator in an enforcement action brought by
the Commission for a violation of title I with respect to
nonsensitive personally identifiable information of users of
the service or website, the penalty shall be--
(A) paid to the Commission;
(B) held by the Commission in trust for
distribution under paragraph (2); and
(C) distributed in accordance with paragraph (2).
(2) Distribution to users.--Under procedures to be
established by the Commission, the Commission shall hold any
amount received as a civil penalty for violation of title I for
a period of not less than 180 days for distribution under those
procedures to users--
(A) whose nonsensitive personally identifiable
information was the subject of the violation; and
(B) who file claims with the Commission for
compensation for loss or damage from the violation at
such time, in such manner, and containing such
information as the Commission may require.
(3) Amount of payment.--The amount a user may receive under
paragraph (2)--
(i) shall not exceed $200; and
(ii) may be limited by the Commission as
necessary to afford each such user a reasonable
opportunity to secure that user's appropriate
portion of the amount available for
distribution.
(4) Remainder.--If the amount of any such penalty held by
the Commission exceeds the sum of the amounts distributed under
paragraph (2) attributable to that penalty, the excess shall be
covered into the Treasury of the United States as miscellaneous
receipts no later than 12 months after it was paid to the
Commission.
(f) Effect on Other Laws.--
(1) Preservation of commission authority.--Nothing
contained in this subtitle shall be construed to limit the
authority of the Commission under any other provision of law.
(2) Relation to title ii of communications act.--Nothing in
title I requires an operator of a website or online service to
take any action that is inconsistent with the requirements of
section 222 of the Communications Act of 1934 (47 U.S.C. 222).
(3) Relation to title vi of communications act.--Section
631 of the Communications Act of 1934 (47 U.S.C. 551) is
amended by adding at the end the following:
``(i) Application of Online Personal Privacy Act.--With respect to
the provision by a cable operator of Internet service or online service
and the operation by a cable operator of a commercial website, as such
terms are defined in or under the Online Personal Privacy Act, the
provisions of that Act shall apply in lieu of this section.''.
SEC. 203. SAFE HARBOR SELF-REGULATORY PROGRAMS.
(a) In General.--An internet service provider, online service
provider, or operator of a commercial website shall be presumed to be
in compliance with the requirements of this title if the provider or
operator--
(1) is a participant in a self-regulatory program approved
by the Commission under subsection (b) and has agreed in
writing to meet the requirements for participation established
by the self-regulatory program; and
(2) is deemed by the self-regulatory program to be in full
compliance with the requirements of that self-regulatory
program.
(b) Approval of Self-Regulatory Programs.--The Commission may
approve a self-regulatory program under subsection (a) only if the
Commission finds the following:
(1) Participation requirements.--The self-regulatory
program will require participants, at a minimum, to provide
privacy protection to users of the internet service, online
service, or commercial website that is substantially equivalent
to or greater than the protection afforded to users by title I.
(2) Eligibility and verification.--The self-regulatory
program--
(A) will require, prior to determining eligibility
to participate in the self-regulatory program, and on a
periodic basis thereafter no less frequently than
annually--
(i) a review by the self-regulatory program
or a certified independent verification
organization of the prospective participant's
privacy statement and privacy policy; and
(ii) a determination by the self-regulatory
program or a certified independent verification
organization that the privacy statement and
privacy policy comply with the self-regulatory
program's requirements;
(B) will obtain, prior to determining eligibility
to participate in the self-regulatory program, and on a
periodic basis thereafter no less frequently than
annually, a written certification from a senior
corporate officer or other responsible executive of the
participant that--
(i) the participant has procedures and
practices in place that are designed to fulfill
the representations in the participant's
privacy policy and satisfy, at a minimum, the
requirements of the self-regulatory program;
and
(ii) the participant is in compliance with
the privacy policy and the requirements of the
self-regulatory program;
(C) will require each participant to obtain written
verification of each written certification required by
subparagraph (B) from a certified independent
verification organization or provide sufficient
information to the self-regulatory program to enable
the program reasonably to conclude that the
certification is materially accurate; and
(D) has a program for verification of continued
eligibility of program participants under which program
resources are effectively utilized to ensure compliance
with, and discover violations of, the self-regulatory
program's requirements, including random audits of
participants.
(3) Transparency.--The self-regulatory program will make
available to the public via the Internet the results of audits
and violations of the program's requirements, excluding
information that would reveal the identity of any complainant
whose privacy was violated.
(4) Cooperation with commission.--The self-regulatory
program, and any independent verification organization used by
participants in that program, will report to the Commission any
violations of its requirements by participants and any
determinations that a participant has failed to comply with the
self-regulatory program requirements after being afforded a
reasonable opportunity to do so.
(5) Independence.--The self-regulatory program has
established requirements that assure that program eligibility
and compliance determinations concerning a participant are made
exclusively by persons who are independent of the participant.
(c) Commission to Monitor Compliance.--
(1) Publication of reported failures to comply.--The
Commission shall publish a list of all violations reported to
it by self-regulatory programs and independent verification
organizations.
(2) Biennial review.--The Commission shall re-evaluate its
approval of each self-regulatory program under subsection (b)
at least once every 2 years.
(d) Certification of Independent Verification Organizations.--
(1) In general.--The Commission may certify an entity as an
independent verification organization for purposes of this
section. In carrying out this subsection, the Commission shall
consider both the technical expertise and the experience of a
prospective independent verification organization in providing
assurance services.
(2) Eligible entities.--An independent verification
organization may be--
(A) a self-regulatory program, but only with
respect to an internet service provider, online service
provider, or commercial website operator that is not a
participant in that program; or
(B) any other entity that provides assurance
services and that demonstrates to the satisfaction of
the Commission that it has the ability and knowledge
required to examine and evaluate the business practices
of a participant or prospective participant.
(e) Application Process.--
(1) Application.--The Commission shall establish an
application process for the approval of a self-regulatory
program under subsection (b). The application shall be
submitted at such time, in such manner, and contain such
information as the Commission may require. Upon receipt of an
application, the Commission shall provide notice of the
application and an opportunity for comment on the application
to the public. The Commission shall make a decision on an
application within 120 days after receipt of the application.
(2) Appeal.--A self-regulatory program that is aggrieved by
final action of the Commission or a failure by the Commission
to take action on a timely basis as required by paragraph (1)
may file an action in a district court under section 706 of
title 5, United States Code, to obtain review of the decision
without regard to the amount in controversy.
(f) Unauthorized Claim of Participation.--An internet service
provider, online service provider, or operator of a commercial website
that willfully and falsely represents to the public by a statement,
display of an emblem, or otherwise that it is a participant in an
approved self-regulatory program under this section shall be liable for
a civil penalty of up to $50,000 for each such false representation.
The civil penalty may be recovered in an action brought by the
Commission or a State attorney general in any court of competent
jurisdiction.
(g) Qualified Privilege.--A self-regulatory program is not liable
to any person as a result of a publication under subsection (b)(3)
unless it is found to have acted with malice or recklessness.
SEC. 204. SMALL BUSINESS SAFE HARBOR.
This Act does not apply to any entity that--
(1) has annual gross revenue under $1,000,000 (based on the
value of such amount in fiscal year 2000, adjusted for current
dollars);
(2) has fewer than 25 employees;
(3) collects or uses personally identifiable information or
sensitive personally identifiable information from fewer than
1,000 consumers per year for a purpose unrelated to a
transaction with the consumer;
(4) does not process personally identifiable information or
sensitive personally identifiable information of consumers; and
(5) does not sell or disclose for consideration such
information to another person.
SEC. 205. PRIVATE RIGHTS OF ACTION BY USERS.
(a) Fraudulent Notice; Wrongful Disclosure.--A person to whom
fraudulent notice with respect to sensitive personally identifiable
information was given under this Act or whose sensitive personally
identifiable information has been disclosed in violation of title I,
may, if otherwise permitted by the laws or rules of court of a State,
bring in an appropriate court of that State--
(1) an action based on the violation to enjoin the
violation;
(2) an action to recover the amount of any actual monetary
loss from the violation or, to receive up to $500 in damages
for each such violation, whichever is greater; or
(3) both such actions.
(b) Other Violations.--A person harmed by any violation of title I
not described in subsection (a) but related to sensitive personally
identifiable information may, if otherwise permitted by the laws or
rules of court of a State, bring in an appropriate court of that
State--
(1) an action based on the violation to enjoin the
violation;
(2) an action to recover the amount of any actual monetary
loss from the violation; or
(3) both such actions.
(c) Affirmative Defense.--It shall be an affirmative defense in any
action brought under this section that the defendant--
(1) has established and implemented with due care
reasonable practices and procedures to ensure compliance with
the requirements of title I; or
(2) is a participant in, and is deemed by a self-regulatory
organization or a certified independent verification
organization to be in full compliance with the requirements of,
a self-regulatory program approved by the Commission under
section 203.
(d) Willful or Knowing Violations.--If the court finds that the
defendant willfully or knowingly violated title I, the court may, in
its discretion, increase the amount of the award to an amount equal to
not more than 3 times the amount available under this section.
SEC. 206. ACTIONS BY STATES.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that violates title I, the State, as parens patriae,
may bring a civil action on behalf of the residents of the
State in a district court of the United States of appropriate
jurisdiction--
(A) to enjoin that practice;
(B) to enforce compliance with the rule;
(C) to obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) to obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the attorney general determines
that it is not feasible to provide the notice
described in that subparagraph before the
filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Commission at the same time as
the attorney general files the action.
(b) Intervention.--
(1) In general.--On receiving notice under subsection
(a)(2), the Commission shall have the right to intervene in the
action that is the subject of the notice.
(2) Effect of intervention.--If the Commission intervenes
in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that
arises in that action; and
(B) to file a petition for appeal.
(c) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this subtitle shall be construed to prevent
an attorney general of a State from exercising the powers conferred on
the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(d) Actions by the Commission.--In any case in which an
action is instituted by or on behalf of the Commission for violation of
title I, no State may, during the pendency of that action, institute an
action under subsection (a) against any defendant named in the
complaint in that action for violation of that rule.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 207. WHISTLEBLOWER PROTECTION.
(a) In General.--No internet service provider, online service
provider, or commercial website operator may discharge or otherwise
discriminate against any employee with respect to compensation, terms,
conditions, or privileges of employment because the employee (or any
person acting pursuant to the request of the employee) provided
information to any Federal or State agency or to the Attorney General
of the United States or of any State regarding a violation of any
provision of title I.
(b) Enforcement.--Any employee or former employee who believes he
has been discharged or discriminated against in violation of subsection
(a) may file a civil action in the appropriate United States district
court before the close of the 2-year period beginning on the date of
such discharge or discrimination. The complainant shall also file a
copy of the complaint initiating such action with the appropriate
Federal agency.
(c) Remedies.--If the district court determines that a violation of
subsection (a) has occurred, it may order the Internet service
provider, online service provider, or commercial website operator that
committed the violation--
(1) to reinstate the employee to his former position;
(2) to pay compensatory damages; or
(3) to take other appropriate actions to remedy any past
discrimination.
(d) Limitation.--The protections of this section shall not apply to
any employee who--
(1) deliberately causes or participates in the alleged
violation; or
(2) knowingly or recklessly provides substantially false
information to such an agency or the Attorney General.
(e) Burdens of Proof.--The legal burdens of proof that prevail
under subchapter III of chapter 12 of title 5, United States Code (5
U.S.C. 1221 et seq.) shall govern adjudication of protected activities
under this section.
SEC. 208. NO EFFECT ON OTHER REMEDIES.
The remedies provided by sections 205 and 206 are in addition to
any other remedy available under any provision of law.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
SEC. 301. SENATE.
The Sergeant at Arms of the United States Senate shall develop
regulations setting forth an information security and electronic
privacy policy governing use of the Internet by officers and employees
of the Senate that meets the requirements of title I.
SEC. 302. APPLICATION TO FEDERAL AGENCIES.
(a) In General.--Except as provided in subsection (b), this Act
applies to each Federal agency that is an internet service provider or
an online service provider, or that operates a website, to the extent
provided by section 2674 of title 28, United States Code.
(b) Exceptions.--This Act does not apply to any Federal agency to
the extent that the application of this Act would compromise law
enforcement activities or the administration of any investigative,
security, or safety operation conducted in accordance with Federal law.
TITLE IV--MISCELLANEOUS
SEC. 401. DEFINITIONS.
In this Act:
(1) Collect.--
(A) In general.--The term ``collect'' means the
online gathering of personally identifiable information
from a user of an Internet service, online service, or
commercial website by or on behalf of the provider or
operator of that service or website by any means,
direct or indirect, active or passive, including--
(i) an online request for such information
by the provider or operator, regardless of how
the information is transmitted to the provider
or operator;
(ii) the use of a chat room, a message
board, e-mail, instant messaging, or any other
online service to gather the information; or
(iii) tracking or use of any identifying
code linked to a user of such a service or
website, including the use of cookies or other
tracking technology.
(B) Temporary collection or storage exception.--
Notwithstanding subparagraph (A)(ii), the term
``collect'' does not include the temporary collection
or storage of information by a chat room, message
board, e-mail server, instant messaging service, or
other online service for the sole purpose of operating
that chat room, message board, e-mail server, instant
messaging service, or other online service.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Cookie.--The term ``cookie'' means any program,
function, or device, commonly known as a ``cookie'', that makes
a record on the user's computer (or other electronic device) of
that user's access to an internet service, online service, or
commercial website.
(4) Disclose.--The term ``disclose'' means the release of
personally identifiable information about a user of an Internet
service, online service, or commercial website by an internet
service provider, online service provider, or operator of a
commercial website for any purpose, except where such
information is provided to a person who provides support for
the internal operations of the service or website and who does
not disclose or use that information for any other purpose.
(5) Federal agency.--The term ``Federal agency'' means an
agency, as that term is defined in section 551(1) of title 5,
United States Code.
(6) Internal operations support.--The term ``support for
the internal operations of a service or website'' means any
activity necessary to maintain the operational functionality of
that service or website.
(7) Internet.--The term ``Internet'' means collectively the
myriad of computer and telecommunications facilities, including
equipment and operating software, which comprise the
interconnected world-wide network of networks that employ the
Transmission Control Protocol/Internet Protocol, or any
predecessor or successor protocols to such protocol, to
communicate information of all kinds by wire or radio.
(8) Internet service provider; online service provider;
website.--The Commission shall by rule define the terms
``internet service provider'', ``online service provider'', and
``website'', and shall revise or amend such rule to take into
account changes in technology, practice, or procedure with
respect to the collection of personal information over the
Internet.
(9) Online.--The term ``online'' refers to any activity
regulated by this Act or by section 2710 of title 18, United
States Code, that is effected by active or passive use of an
Internet connection, regardless of the medium by or through
which that connection is established.
(10) Operator of a commercial website.--The term ``operator
of a commercial website''--
(A) means any person who operates a website located
on the Internet or an online service and who collects
or maintains personal information from or about the
users of or visitors to such website or online service,
or on whose behalf such information is collected or
maintained, where such website or online service is
operated for commercial purposes, including any person
offering products or services for sale through that
website or online service, involving commerce--
(i) among the several States or with 1 or
more foreign nations;
(ii) in any territory of the United States
or in the District of Columbia, or between any
such territory and--
(I) another such territory; or
(II) any State or foreign nation;
or
(iii) between the District of Columbia and
any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that
would otherwise be exempt from coverage under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).
(11) Personally identifiable information.--
(A) In general.--The term ``personally identifiable
information'' means individually identifiable
information about an individual collected online,
including--
(i) a first and last name, whether given at
birth or adoption, assumed, or legally changed;
(ii) a home or other physical address
including street name and name of a city or
town;
(iii) an e-mail address;
(iv) a telephone number;
(v) a birth certificate number;
(vi) any other identifier for which the
Commission finds there is a substantial
likelihood that the identifier would permit the
physical or online contacting of a specific
individual; or
(vii) information that an Internet service
provider, online service provider, or operator
of a commercial website combines with an
identifier described in clauses (i) through (vi) of this subparagraph.
(B) Inferential information excluded.--Information
about an individual derived or inferred from data
collected online but not actually collected online is
not personally identifiable information.
(12) Release.--The term ``release of personally
identifiable information'' means the direct or indirect,
sharing, selling, renting, or other provision of personally
identifiable information of a user of an internet service,
online service, or commercial website to any other person other
than the user.
(13) Robust notice.--The term ``robust notice'' means
actual notice at the point of collection of the personally
identifiable information describing briefly and succinctly the
intent of the Internet service provider, online service
provider, or operator of a commercial website to use or
disclose that information for marketing or other purposes.
(14) Sensitive financial information.--The term ``sensitive
financial information'' means--
(A) the amount of income earned or losses suffered
by an individual;
(B) an individual's account number or balance
information for a savings, checking, money market,
credit card, brokerage, or other financial services
account;
(C) the access code, security password, or similar
mechanism that permits access to an individual's
financial services account;
(D) an individual's insurance policy information,
including the existence, premium, face amount, or
coverage limits of an insurance policy held by or for
the benefit of an individual; or
(E) an individual's outstanding credit card, debt,
or loan obligations.
(15) Sensitive personally identifiable information.--The
term ``sensitive personally identifiable information'' means
personally identifiable information about an individual's--
(A) individually identifiable health information
(as defined in section 164.501 of title 45, Code of
Federal Regulations);
(B) race or ethnicity;
(C) political party affiliation;
(D) religious beliefs;
(E) sexual orientation;
(F) a Social Security number; or
(G) sensitive financial information.
SEC. 402. EFFECTIVE DATE OF TITLE I.
Title I of this Act takes effect on the day after the date on which
the Commission publishes a final rule under section 403.
SEC. 403. FTC RULEMAKING.
The Commission shall--
(1) initiate a rulemaking within 90 days after the date of
enactment of this Act for regulations to implement the
provisions of title I; and
(2) complete that rulemaking within 270 days after
initiating it.
SEC. 404. FTC REPORT.
(a) Report.--The Commission shall submit a report to the Senate
Committee on Commerce, Science, and Transportation and the House of
Representatives Committee on Commerce 18 months after the effective
date of title I, and annually thereafter, on--
(1) whether this Act is accomplishing the purposes for
which it was enacted;
(2) whether technology that protects privacy is being
utilized in the marketplace in such a manner as to facilitate
administration of and compliance with title I;
(3) whether additional legislation is required to
accomplish those purposes or improve the administrability or
effectiveness of this Act;
(4) whether and how the government might assist industry in
developing standard online privacy notices that substantially
comply with the requirements of section 102(a); and
(5) whether additional legislation is necessary or
appropriate to regulate the collection, use, and disclosure of
personally identifiable information collected online before the
effective date of title I.
(b) FTC Notice of Inquiry.--The Commission shall initiate a notice
of inquiry within 90 days after the date of enactment of this Act to
request comment on the matter described in paragraphs (1) through (7)
of subsection (a).
SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsection (d) as subsection (e); and
(2) by inserting after subsection (c) the following:
``(d) Development of Internet Privacy Program.--The Institute shall
encourage and support the development of one or more computer programs,
protocols, or other software, such as the World Wide Web Consortium's
P3P program, capable of being installed on computers, or computer
networks, with Internet access that would reflect the user's
preferences for protecting personally-identifiable or other sensitive,
privacy-related information, and automatically execute the program,
once activated, without requiring user intervention.''.
TITLE V--OFFLINE PRIVACY
SEC. 501. COLLECTION, USE, AND DISCLOSURE OF PERSONALLY IDENTIFIABLE
INFORMATION COLLECTED OFFLINE.
(a) In General.--Not later than the date that is 6 months after the
date of the enactment of this Act, the Chairman of the Federal Trade
Commission shall submit to the Committee on Commerce, Science, and
Transportation of the United States Senate, and the Committee on Energy
and Commerce of the United States House of Representatives, detailed
recommendations and proposed regulations on standards with respect to
entities that engage in the collection of personally identifiable
information, or employ methods involving, or other actions involving,
the collection of personally identifiable information, that are not
covered in this Act, at a level of protection similar to that provided
under this Act for similar types of information.
(b) Subjects for Recommendations.--The recommendations and proposed
regulations under subsection (a) shall address at least the following:
(1) How the fair information practices of notice, choice,
access, security, and enforcement should apply to the uses and
disclosures of such information in a manner consistent with the
level of protection provided by this Act.
(2) The fines that should be established for violating
requirements promulgated under the regulations.
(c) Regulations.--
(1) Contingent on legislation.--If an Act of Congress
that--
(A) establishes standards with respect to entities
that engage in the collection of personally
identifiable information, or employ methods or other
actions involving the collection of personally
identifiable information that are not covered in this
Act, and
(B) refers to this paragraph,
does not become law within 18 months after the date of
enactment of this Act, then the Commission shall promulgate
final regulations (addressing at least the subjects described
in subsection (b)) containing such standards not later than the
date that is 19 months after the date of enactment of this Act.
(2) Preemption.--A regulation promulgated under paragraph
(1) shall supersede State law only to the extent that this Act
supersedes State law under section 4 of this Act.