Summary: S.2201 — 107th Congress (2001-2002)

Bill summaries are authored by CRS.

Shown Here:
Reported to Senate with amendment(s) (08/01/2002)

Online Personal Privacy Act - Title I: Online Privacy Protection - Prohibits an Internet service provider, online service provider, or operator of a commercial website (provider) from collecting or disclosing personally identifiable information (name, address, and phone number) of a user without clear and conspicuous user notice. Requires a provider to: (1) obtain affirmative written or electronic consent to the collection and disclosure of sensitive personally identifiable information (health, race, political party, religious belief, sexual orientation, social security number, or financial information); (2) provide robust notice, in addition to clear and conspicuous notice, of the opportunity to opt-out of the collection or disclosure of personally identifiable information; and (3) notify all users of a change in policy for the collection, use, or disclosure of sensitive or nonsensitive personally identifiable user information. Requires each provider to designate a privacy compliance officer responsible for ensuring compliance with this title and other privacy policies.

(Sec. 104) Provides exceptions to the privacy requirements, including emergency disclosures: (1) that are critical to the life, safety, or health of the user or other individuals; (2) with respect to which obtaining prior consent is not feasible; and (3) that are no greater in scope than is necessary to accomplish the emergency purpose.

(Sec. 105) Requires a provider to: (1) allow reasonable user access to personally identifiable information collected and retained; and (2) establish and maintain procedures to protect the security, confidentiality, and integrity of such information.

Title II: Enforcement - Provides for enforcement of this Act through the Federal Trade Commission (FTC), citing violations as unfair or deceptive acts or practices.

(Sec. 203) Presumes compliance with requirements of this title if a provider: (1) is a participant in a self-regulatory program approved by the FTC; and (2) is deemed by such program to be in full compliance. Provides for FTC approval of such programs that provide the privacy protection required under title I. Requires the FTC, every two years, to reevaluate its approval of each program. Allows for appeal of an FTC decision not to approve a program.

(Sec. 204) Makes this Act inapplicable to a small business that: (1) has annual gross revenue under $1 million; (2) has fewer than 25 employees; (3) collects or uses personally identifiable information from fewer than 1,000 consumers per year for a purpose unrelated to a regular consumer transaction; (4) does not process such collected information; and (5) does not sell or disclose such information for consideration.

(Sec. 205) Authorizes enforcement actions by both private users and States on behalf of their residents. Allows FTC intervention in State actions.

(Sec. 207) Provides whistleblower protections for provider employees.

Title III: Application to Congress and Federal Agencies - Requires the Sergeant at Arms of the United States Senate to develop regulations governing Internet use by Senate officers and employees in accordance with this Act. Applies this Act to each Federal agency that is an Internet or online service provider or that operates a website, except when application would compromise law enforcement activities or investigative, security, or safety operations.

Title IV: Miscellaneous - Provides definitions for purposes of this Act.

(Sec. 403) Requires the FTC to: (1) initiate and complete a rulemaking for implementing this Act; and (2) report to specified congressional committees on its implementation and effectiveness.

(Sec. 405) Amends the National Institute of Standards and Technology Act to direct the National Institute of Standards and Technology to encourage and support the development of computer programs, protocols, or software capable of being installed on computers with Internet access that would automatically execute a program for the protection of personally-identifiable or other sensitive, privacy-related information.

Title V: Offline Privacy - Requires the FTC Chairman to submit to specified congressional committees recommendations and proposed regulations on similar protection standards for entities that collect personally identifiable information using methods or actions that are not covered in this Act.