[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2368 Introduced in House (IH)]

105th CONGRESS
  1st Session
                                H.R. 2368

 To promote the privacy of interactive computer service users through 
   self-regulation by the providers of such services, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 31, 1997

Mr. Tauzin (for himself and Mr. Gillmor) introduced the following bill; 
            which was referred to the Committee on Commerce

_______________________________________________________________________

                                 A BILL


 
 To promote the privacy of interactive computer service users through 
   self-regulation by the providers of such services, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Privacy Act of 1997''.

SEC. 2. ESTABLISHMENT OF VOLUNTARY GUIDELINES REGARDING COMMERCIAL 
              MARKETING THROUGH INTERACTIVE COMPUTER SERVICES AND 
              UNSOLICITED COMMERCIAL ELECTRONIC MAIL.

    (a) Establishment.--Not later than 180 days after the date of the 
enactment of this Act, the industry working group (as such term is 
defined in section 8) shall establish the following guidelines:
            (1) Guidelines in accordance with section 3, which limit 
        the collection and use, for commercial marketing purposes, of 
        personally identifiable information obtained from individuals 
        through any interactive computer service.
            (2) Guidelines in accordance with section 4, relating to 
        the distribution of unsolicited commercial electronic mail.
    (b) Voluntary Nature.--The guidelines established under subsection 
(a) shall apply to providers of interactive computer services and 
persons transmitting unsolicited commercial electronic mail (as 
appropriate), but only if, and to the extent that, such a provider or 
person voluntarily agrees to such applicability by registration 
pursuant to section 5.

SEC. 3. VOLUNTARY GUIDELINES FOR COLLECTION OF PERSONAL INFORMATION FOR 
              COMMERCIAL MARKETING PURPOSES AND PERSONAL INFORMATION 
              FROM CHILDREN.

    (a) Guidelines Regarding Collection and Access to Information.--The 
guidelines established in accordance with this section shall contain 
the following requirements:
            (1) Notice of collection of information.--A provider of an 
        interactive computer service that collects personally 
        identifiable information from a user of the service through use 
        of such service for commercial marketing purposes shall notify 
        the user--
                    (A) that such information is being collected;
                    (B) of the nature of the information being 
                collected with respect to the individual user; and
                    (C) of the user's option under subsection (c) to 
                prohibit disclosure of such information.
        The notice shall be provided contemporaneously with or (if 
        technically feasible) before the collection of the information, 
        be prominently displayed, and be phrased in a manner that is 
        easy to read and understand.
            (2) Notice of disclosure of information.--Upon the request 
        of a user of an interactive computer service, the provider of 
        the service shall provide to the user a description of the 
        types of recipients of the personally identifiable information 
        collected with respect to that user and the purpose for the 
        disclosure to the third parties.
            (3) Access to information.--Upon the request of a user of 
        an interactive computer service, the provider of the service 
        shall--
                    (A) provide to the user, free of charge, the user's 
                personally identifiable information collected and 
                retained by the service to date; and
                    (B) permit the user to verify the information 
                collected by the service and to correct any error in 
                such information.
    (b) Guidelines Regarding Information Obtained From Children.--The 
guidelines established in accordance with this section shall contain 
the following requirements:
            (1) Notice to obtain consent of parent.--No provider of an 
        interactive computer service may, through the use of such 
        service by a child, collect any personal information regarding 
        the child or disclose or use any such information so collected, 
        without notifying the child (in advance of the collection or 
        use) that the child should not provide any information without 
        the consent of his or her parent.
            (2) Prohibition on solicitation of children to provide 
        information about parents.--No person may use an interactive 
        computer service to solicit or collect from children any 
        information regarding a parent of the child.
            (3) Notice of disclosure of information.--Upon the request 
        of the parent of a child user of an interactive computer 
        service, the provider of the service shall provide to the 
        parent a description of the types of recipients of the 
        personally identifiable information collected with respect to 
        that child user and the purpose for the disclosure to the third 
        parties.
            (4) Access to and deletion of information.--Upon the 
        request of the parent of a child user of an interactive 
        computer service, the provider of the service shall--
                    (A) provide to the parent, free of charge, the 
                child user's personally identifiable information 
                collected and retained by the service to date; and
                    (B) provide for--
                            (i) the parent to verify such information 
                        collected by the service to date and to correct 
                        any error in such information; or
                            (ii) the permanent deletion of any such 
                        information collected and retained by the 
                        service to date.
    (c) Consumer Opt-Out.--The guidelines established in accordance 
with this section shall provide a method by which an individual may 
choose to prohibit the disclosure (including the renting, selling, or 
exchanging), at any time and for any purpose, of any personally 
identifiable information, not necessary to be disclosed in connection 
with the particular transaction, with respect to such individual that 
is obtained through the use of an interactive computer service. The 
method established--
            (1) shall clearly and accurately inform users of such 
        services of their ability to prohibit disclosure of such 
        information and of the various options for communicating a 
        choice to prohibit disclosure, which shall each be clearly 
        described in the notice under subsection (a)(1);
            (2) shall be easy to use and free of cost to the user, 
        which may include electronic mail notification;
            (3) shall provide for the implementation of any choice to 
        prohibit disclosure in a timely manner; and
            (4) may include, once commercially available, software that 
        enables a user to encode their privacy preferences, or enables 
        a parent of a child user to encode the parent's privacy 
        preferences for the child, into their browsers.

SEC. 4. VOLUNTARY GUIDELINES FOR TRANSMISSION OF UNSOLICITED COMMERCIAL 
              ELECTRONIC MAIL.

    (a) Guidelines Regarding Identification of Originator.--The 
guidelines established in accordance with this section shall provide 
that any person who transmits unsolicited commercial electronic mail 
shall cause to appear in an electronic mail message transmitted as part 
of such transmission the following information in the following 
locations:
            (1) Notice of originator.--The business or trade name of 
        person who initiates transmission of the message shall appear 
        as the first word or words of the subject line of the 
        electronic mail message without any prior text or symbol.
            (2) Information regarding originator.--The business or 
        trade name, physical address, electronic mail address, and 
        telephone number of the person who initiates transmission of 
        the message shall each appear prominently in the body of the 
        message.
            (3) Information regarding opt-out.--Notice of the 
        recipient's option under subsection (c) to prohibit delivery of 
        unsolicited commercial electronic mail shall appear prominently 
        in the body of the message.
    (b) Guidelines Regarding Misidentification of Originator.--The 
guidelines established in accordance with this section shall contain 
the following requirements:
            (1) Prohibition on preventing replies.--No person may 
        initiate the transmission of unsolicited commercial electronic 
        mail from an unregistered or fictitious Internet domain, or an 
        unregistered or fictitious electronic mail address, for the 
        purpose of--
                    (A) preventing replies to such message through use 
                of a standard reply mechanism in the recipient's 
                electronic mail system; or
                    (B) preventing receipt of standard notices of non-
                delivery.
            (2) Prohibition on blocking filtering.--No person may 
        disguise the source of any unsolicited commercial electronic 
        mail message for the purpose of preventing recipients, or 
        recipient interactive computer services, from implementing a 
        mail filtering tool to block the messages from reaching the 
        intended recipients.
    (c) Opt-Out for Mail Recipients.--The guidelines established in 
accordance with this section shall provide a method by which an 
individual may choose to prohibit the delivery to such individual, at 
any time and for any purpose, of any unsolicited commercial electronic 
mail. The method established shall--
            (1) clearly and accurately inform electronic mail users of 
        their ability to prohibit delivery of such mail and of the 
        various options for communicating a choice to prohibit 
        delivery, which shall each be clearly described as provided in 
        subsection (a)(3);
            (2) be easy to use and free of cost to the recipient of 
        unsolicited commercial electronic mail, which may include 
        procedures to automatically return such mail; and
            (3) provide for the implementation of any choice to 
        prohibit delivery in a timely manner.

SEC. 5. APPLICABILITY OF VOLUNTARY GUIDELINES AND NEGOTIATION AND 
              ARBITRATION OF COMPLAINTS.

    (a) Registration System.--For purposes of facilitating compliance 
with the voluntary guidelines established pursuant to sections 2, 3, 
and 4, the industry working group shall develop and promote a 
registration system by which providers of interactive computer services 
and persons transmitting commercial electronic mail may, by 
registering, agree to comply with such guidelines. The industry working 
group shall provide for monitoring compliance of registered entities 
with such guidelines to ensure the integrity of the registration 
system.
    (b) Incentives for Voluntary Applicability.--
            (1) In general.--The industry working group shall develop 
        and make available incentives to encourage compliance with such 
        voluntary guidelines and registration under subsection (a).
            (2) Icon identifying compliance.--The incentives under 
        paragraph (1) shall include developing a icon or logo that--
                    (A) is made available for use only by--
                            (i) providers of interactive computer 
                        services who agree to comply with all of the 
                        guidelines established pursuant to sections 
                        2(a)(1) and 3 through registration under 
                        subsection (a); and
                            (ii) persons transmitting commercial 
                        electronic mail who agree to comply with all of 
                        the guidelines established pursuant to sections 
                        2(a)(2) and 4; and
                    (B) identifies the user of the icon or logo as a 
                provider or person that complies with all such 
                guidelines.
    (c) Resolution of Consumer Complaints.--The system for registration 
established under subsection (a) shall provide that, by registering, a 
provider of interactive computer services or person who transmits 
commercial electronic mail agrees that, if such provider or person is 
contacted by a user of the service or recipient of such mail regarding 
an alleged failure on the part of that provider or person to comply 
with the applicable voluntary guidelines, the complaint shall be 
resolved in the following manner:
            (1) Consumer redress.--The provider of the service or 
        transmitter of the mail shall, during the 60-day period 
        beginning upon receipt of the complaint, attempt to resolve or 
        remedy the complaint.
            (2) Arbitration.--If, upon the expiration of the period 
        under paragraph (1), a mutually satisfactory resolution or 
        remedy has not been reached the issue may, at the request or 
        either party involved, be referred for settlement by 
        arbitration, which shall be binding on the parties. The 
        arbitrator shall be selected by the user from a list of 
        arbitrators independent to either party involved in the 
        arbitration, which shall be established by the industry working 
        group.
    (d) Safe Harbor.--
            (1) In general.--Any activity described in paragraph (2) 
        engaged in by any person who has registered under the system 
        established under subsection (a) which is not in violation of 
        the voluntary guidelines established under sections 2, 3, and 4 
        of this Act shall not be considered to an unfair or deceptive 
        trade practice under section 5 of the Federal Trade Commission 
        Act (15 U.S.C. 45).
            (2) Protected activities.--Activity described in this 
        paragraph is activity consisting of--
                    (A) the collection and use, for commercial 
                marketing purposes, of personally identifiable 
                information obtained from individuals through an 
                interactive computer service;
                    (B) the solicitation or collection from a child, 
                through an interactive computer service, of personal 
                information regarding the child or information 
                regarding the parent of the child; or
                    (C) the transmission of unsolicited commercial 
                electronic mail.
            (3) Determination of compliance.--In determining, for 
        purposes of paragraph (1), whether a person complies with the 
        voluntary guidelines established under sections 2, 3, and 4 (as 
        applicable), the Federal Trade Commission shall not make any 
        final determination without obtaining from the entity 
        responsible for monitoring compliance with the guidelines a 
        determination by such entity regarding compliance by such 
        person. In making a final determination for purposes of 
        paragraph (1), the Commission shall give substantial weight to 
        the determination by such entity.

SEC. 6. PROHIBITION AGAINST DISCLOSURE AND USE OF CERTAIN GOVERNMENT 
              INFORMATION.

    (a) Restriction on Commercial Marketing Use Without Consent of 
Individual.--
            (1) In general.--No person may use for commercial marketing 
        purposes any personal information regarding an individual that 
        is described in paragraph (2) and is obtained through the use 
        of any interactive computer service, without the prior consent 
        of the individual.
            (2) Personal information.--The personal information 
        described in this paragraph is, with respect to an individual, 
        any personally identifiable or other information regarding the 
        individual that is submitted to or maintained by any agency of 
        the Federal Government in a confidential manner or subject to 
        any law, regulation, agreement, or assurance protecting the 
        confidentiality of such information.
    (b) Limitation on Display of Social Security Numbers.--No person 
may, through the use of an interactive computer service, display the 
social security number of any individual to a third party, except--
            (1) when the social security number is displayed as part of 
        a public record on file with an agency of the Federal 
        Government or a State or local government, which record is 
        available to the general public;
            (2) to a law enforcement agency or licensed private 
        investigator; or
            (3) when the person has agreed in writing to follow 
        industry guidelines, on file with the Federal Trade Commission, 
        that limit the display of social security numbers.
This subsection may not be construed to limit the use of the social 
security number of an individual, provided by a user of an interactive 
computer service, to retrieve other information regarding the 
individual by entering the social security number in an interactive 
computer service, if the user has a prior business relationship or a 
valid contract with the provider of the interactive computer service.

SEC. 7. PROHIBITION AGAINST COMMERCIAL MARKETING USE OF MEDICAL 
              INFORMATION.

    (a) Prohibition of Use.--No person may use, for commercial 
marketing purposes, any personal health or medical information obtained 
through an interactive computer service unless--
            (1) the person has obtained the prior consent of the 
        individual to whom such information relates for such use; or
            (2) such use is otherwise authorized by law.
    (b) Enforcement and Relief.--
            (1) Unfair trade practices.--Any violation of subsection 
        (a) is unlawful and is an unfair method of competition, and an 
        unfair and deceptive act or practice, in commerce under section 
        5 of the Federal Trade Commission Act (15 U.S.C. 45).
            (2) Authority of ftc.--Except as otherwise specifically 
        provided in this subsection, subsection (a) shall be enforced 
        by the Federal Trade Commission under rules, regulations, and 
        procedures provided for in the Federal Trade Commission Act. 
        The Commission may prevent any person from violating the 
        provisions of subsection (a) in the same manner, by the same 
        means, and with the same jurisdiction, powers, and duties as 
        though all applicable terms and provisions of the Federal Trade 
        Commission Act were incorporated into and made a part of this 
        section.
            (3) Privileges and immunities.--Any person violating the 
        provisions of subsection (a) shall be subject to the penalties 
        and entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act, in the same manner, by the same 
        means, and with the same jurisdiction, powers, and duties as 
        though all applicable terms and provisions of the Federal Trade 
        Commission Act were incorporated into and made a part of this 
        section.

SEC. 8. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Child.--The term `child' means a person who has not 
        attained the age of 13 years.
            (2) Commercial electronic mail.--The term ``commercial 
        electronic mail'' means any electronic mail that--
                    (A) advertises a product or service;
                    (B) contains a solicitation for the use of a toll-
                free telephone number or a telephone number with a 900 
                prefix the use of which connects the user to a person 
                or service that advertises the sale of or sells a 
                product or service; or
                    (C) contains a list of one or more Internet sites 
                that contain an advertisement or a solicitation 
                referred to in subparagraph (B).
            (3) Commercial marketing.--The term ``commercial 
        marketing'' includes practices that--
                    (A) promote, sell, or deliver goods or services 
                through direct sales marketing, campaigns to increase 
                brand awareness, and other similar marketing 
                strategies;
                    (B) perform market research; or
                    (C) foster the promotion, sale, or delivery of 
                goods and services through the sale, rental, 
                compilation, or exchange of lists.
            (4) Industry working group.--The term ``industry working 
        group'' means an entity formed by the members of the 
        interactive computer services industry, whose members shall 
        consist of representatives of participants in the industry and 
        interested organizations serving the industry, such as--
                    (A) the Direct Marketing Association;
                    (B) the Interactive Services Association;
                    (C) the Internet Privacy Working Group;
                    (D) the various members of TRUSTe;
                    (E) the Commercial Internet eXchange Association;
                    (F) the American Association of Advertisers;
                    (G) the Association of National Advertisers; and
                    (H) the Individual Reference Services.
            (5) Interactive computer service.--The term ``interactive 
        computer service'' means any information service, system, or 
        access software provider that provides or enables computer 
        access by multiple users to a computer server, including 
        specifically--
                    (A) a service or system that provides access to the 
                Internet; and
                    (B) an on-line information service.
            (6) Interactive computer services industry.--The term 
        ``interactive computer services industry'' includes providers 
        of interactive computer services, providers of on-line direct 
        marketing services, advisory and trade organizations for such 
        services, and providers of hardware and software for such 
        services.
            (7) Internet.--The term ``Internet'' means the 
        international computer network of both Federal and non-Federal 
        interoperable packet switched data networks.
            (8) On-line information service.--The term ``on-line 
        information service'' means any person operating a worldwide 
        web site for commercial or noncommercial purposes, including 
        any person offering products or services for sale.
            (9) Parent.--The term `parent' includes a legal guardian.
            (10) Personal health or medical information.--The term 
        ``personal health or medical information'' means any 
        information, in any form or medium, that relates to the past, 
        present, or future physical or mental health, predisposition, 
        or condition of an individual or the provision of health care 
        to an individual.
            (11) Personally identifiable information.--The term 
        ``personally identifiable information'' means information about 
        an individual that would facilitate or enable the physical 
        locating and contacting of that individual, including an 
        individual's name, street or electronic mail address, telephone 
        number, social security number, physical description, credit 
        card number, checking account number, or debit account number. 
        The term does not include any record of aggregate data which 
        does not identify particular persons.
            (12) Social security account number.--The term ``Social 
        Security account number'' means, with respect to an individual, 
        the number assigned to the individual under section 
        205(c)(2)(B) of the Social Security Act (and any derivative of 
        such number).