[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3321 Introduced in House (IH)]







106th CONGRESS
  1st Session
                                H. R. 3321

To prevent unfair and deceptive practices in the collection and use of 
             personal information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           November 10, 1999

Mr. Markey (for himself and Mr. Luther) introduced the following bill; 
which was referred to the Committee on Commerce, and in addition to the 
   Committees on Banking and Financial Services, Transportation and 
   Infrastructure, and Agriculture, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
To prevent unfair and deceptive practices in the collection and use of 
             personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Electronic Privacy Bill of Rights 
Act of 1999''.

SEC. 2. FINDINGS.

    The Congress finds the following:
            (1) As our Nation's communications networks continue to 
        grow and become ever more sophisticated, more individuals and 
        industries will be using such networks to communicate and 
        conduct commercial transactions.
            (2) The ease of gathering and compiling personal 
        information during such communications, both overtly and 
        surreptitiously, is becoming increasingly efficient and almost 
        effortless due to advances in digital telecommunications 
        technology.
            (3) Consumers have an ownership interest in their personal 
        information.
            (4) Consumers must have knowledge that personal information 
        is being collected about them; consumers must be given 
        conspicuous notice if the recipient of that information intends 
        to reuse it for other purposes, or disclose, or sell it; and 
        consumers must have the ability to control the extent to which 
        personal information is collected about them and the right to 
        prohibit or curtail any unauthorized use, reuse, disclosure or 
        sale of their personal information.
            (5) Internet protocols, which continue to evolve, may place 
        decision-making power in the hands of consumers and enable them 
        to effectively and efficiently authorize or deny collection and 
        use of their personal information.
            (6) Fair information practices include providing consumers 
        with knowledge of any data collection, conspicuous consumer 
        notice of an entity's data practices, consumer choice to 
        provide consent or deny authorization for such practices, 
        access to data collected, safeguards to ensure data integrity, 
        and contact information.
            (7) A recent survey of websites conducted by Georgetown 
        Business School found that only 9.5 percent of Web sites 
        surveyed contained a privacy policy embodying fair information 
        practices such as knowledge, notice, choice, access, security, 
        and contact information.
            (8) It is important to establish personal privacy rights 
        and industry obligations now so that consumers have confidence 
        that their personal privacy is fully protected on our Nation's 
        telecommunications networks.
            (9) Industry efforts, with Government encouragement and 
        oversight, to assist consumers through the development of 
        standards and protocols that embody fair information practices 
        for the collection and dissemination of personal information 
        are critical to permit consumers to better control 
        dissemination of their personal information.
            (10) Robust Internet commerce throughout the nation is 
        threatened by consumer concern over privacy and the lack of 
        national rules governing personal privacy rights.
            (11) Adoption of fair information policies, standards, and 
        practices, along with the widespread implementation and 
        utilization of technological tools designed to empower 
        consumers, may limit the scope of Government rules needed to 
        protect consumers.
            (12) A national privacy policy that relies in part upon 
        industry self-regulatory initiatives, technological tools for 
        consumers, and Government-backed protections is needed to 
        foster future development of electronic commerce and to 
        safeguard the essential rights of individuals with respect to 
        collection and use of their personal data.

SEC. 3. TREATMENT OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN 
              CONNECTION WITH THE COLLECTION AND USE OF PERSONAL 
              INFORMATION.

          (a) Acts Prohibited.--
            (1) In general.--It is unlawful for an operator of a 
        website or online service to collect personal information from 
        an individual in a manner that violates the rules prescribed 
        under subsection (b).
            (2) Disclosure to parent protected.--Notwithstanding 
        paragraph (1), neither an operator of such a website or online 
        service nor the operator's agent shall be held to be liable 
        under any Federal or State law for any disclosure made in good 
        faith and following reasonable procedures in responding to a 
        request for disclosure of personal information under section 
        1302(b)(1)(B)(iii) of the Children's Online Privacy Protection 
        Act of 1998 to the parent of a child.
          (b) Privacy Protections.--
            (1) In general.--Not later than 18 months after the date of 
        the enactment of this Act, the Commission shall promulgate 
        under section 553 of title 5, United States Code, rules that--
                    (A) require the operator of any website or online 
                service that collects personal information to provide 
                clear and conspicuous notice on the website of the 
                specific types of personal information collected by the 
                operator, how the operator uses such information, and 
                the operator's disclosure practices for such 
                information;
                    (B)(i) require the operator of such a website or 
                online service to provide, whenever such operator 
                collects personal information, a clear and explicit 
                online method by which an individual grants or denies 
                consent to the collection and uses disclosed pursuant 
                to the rules prescribed under subparagraph (A); and
                    (ii) permit the operator of such a website or 
                online service to establish, in accordance with self-
                regulatory guidelines approved under section 5, a 
                method or methods by which an individual can preset 
                protocols for granting or denying such consent in 
                accordance with the individual's choices concerning 
                such collection and use;
                    (C) prohibit the operator of such a website or 
                online service to collect and use personal information 
                unless--
                            (i) such collection or use has been 
                        disclosed in accordance with the rules 
                        prescribed under subparagraph (A); and
                            (ii) such collection or use has been 
                        consented to by the individual by a method that 
                        complies with the rules prescribed under clause 
                        (i) or (ii) of subparagraph (B);
                    (D) require the operator of such a website or 
                online service to provide individuals, upon request--
                            (i) access to personal information 
                        pertaining to them collected by such operator 
                        for correction; and
                            (ii) notice of whether any personal 
                        information pertaining to such individual has 
                        been reused, disclosed, or sold and to whom; 
                        and
                    (E) require the operator of such a website or 
                online service to establish and maintain reasonable 
                procedures to protect the confidentiality, security, 
                and integrity of personal information collected.
            (2) Exception.--The rules prescribed under paragraph (1) 
        shall not prohibit the collection, use, or dissemination of 
        such information by the operator of such a website or online 
        service necessary--
                    (A) to protect the security or integrity of its 
                website;
                    (B) to take precautions against liability;
                    (C) to respond to judicial process; or
                    (D) to the extent permitted under other provisions 
                of law, to provide information to law enforcement 
                agencies.
            (3) Termination of service.--The rules shall permit the 
        operator of a website or an online service to terminate service 
        provided to an individual who has refused to consent to the 
        collection and use of information pursuant to the rules 
        prescribed under paragraph (1)(B).
    (c) Enforcement.--Subject to sections 4 through 7, a violation of a 
rule prescribed under subsection (a) shall be treated as a violation of 
a rule defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (d) Inconsistent State Law.--No State or local government may 
impose any liability for commercial activities or actions by operators 
in interstate or foreign commerce in connection with an activity or 
action described in this Act that is inconsistent with the treatment of 
those activities or actions under this section.

SEC. 4. SAFE HARBORS.

    (a) Guidelines.--An operator may satisfy the requirements of rules 
issued under section 3(b) by following a set of self-regulatory 
guidelines, issued by representatives of the marketing or online 
industries, or by other persons, approved under subsection (b).
    (b) Incentives.--
            (1) Self-regulatory incentives.--In prescribing rules under 
        section 3, the Commission shall provide incentives for self-
        regulation by operators to implement the protections afforded 
        individuals under the regulatory requirements described in 
        subsection (b) of that section.
            (2) Deemed compliance.--Such incentives shall include 
        provisions for ensuring that a person will be deemed to be in 
        compliance with the requirements of the rules under section 3 
        if that person complies with guidelines that, after notice and 
        comment, are approved by the Commission upon making a 
        determination that the guidelines meet the requirements of the 
        rules issued under section 3.
            (3) Expedited response to requests.--The Commission shall 
        act upon requests for safe harbor treatment within 180 days of 
        the filing of the request, and shall set forth in writing its 
        conclusions with regard to such requests.
    (c) Appeals.--Final action by the Commission on a request for 
approval of guidelines, or the failure to act within 180 days on a 
request for approval of guidelines, submitted under subsection (b) may 
be appealed to a district court of the United States of appropriate 
jurisdiction as provided for in section 706 of title 5, United States 
Code.

SEC. 5. ACTIONS BY STATES.

          (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that violates any rule of the Commission prescribed 
        under section 3(b), the State, as parens patriae, may bring a 
        civil action on behalf of the residents of the State in a 
        district court of the United States of appropriate jurisdiction 
        to--
                    (A) enjoin that practice;
                    (B) enforce compliance with the rule;
                    (C) obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
            (3) Amicus curiae.--Upon application to the court, a person 
        whose self-regulatory guidelines have been approved by the 
        Commission and are relied upon as a defense by any defendant to 
        a proceeding under this section may file amicus curiae in that 
        proceeding.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
          (d) Actions by the Commission.--In any case in which an 
action is instituted by or on behalf of the Commission for violation of 
any rule prescribed under section 3, no State may, during the pendency 
of that action, institute an action under subsection (a) against any 
defendant named in the complaint in that action for violation of that 
rule.
          (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 6. ADMINISTRATION AND APPLICABILITY OF ACT.

          (a) In General.--Except as otherwise provided, this Act shall 
be enforced by the Commission under the Federal Trade Commission Act 
(15 U.S.C. 41 et seq.).
          (b) Provisions.--Compliance with the requirements imposed 
under this Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, and organizations operating under 
                section 25 or 25(a) of the Federal Reserve Act (12 
                U.S.C. 601 et seq. and 611 et seq.), by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act; and
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (a) of its powers under any Act 
referred to in that subsection, a violation of any requirement imposed 
under this Act shall be deemed to be a violation of a requirement 
imposed under that Act. In addition to its powers under any provision 
of law specifically referred to in subsection (a), each of the agencies 
referred to in that subsection may exercise, for the purpose of 
enforcing compliance with any requirement imposed under this Act, any 
other authority conferred on it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating a rule of the Commission under section 3 in the 
same manner, by the same means, and with the same jurisdiction, powers, 
and duties as though all applicable terms and provisions of the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and 
made a part of this Act. Any entity that violates such rule shall be 
subject to the penalties and entitled to the privileges and immunities 
provided in the Federal Trade Commission Act in the same manner, by the 
same means, and with the same jurisdiction, power, and duties as though 
all applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of this Act.
    (e) Effect on Other Laws.--
            (1) Preservation of commission authority.--Nothing 
        contained in the Act shall be construed to limit the authority 
        of the Commission under any other provisions of law.
            (2) Relation to communications act.--Nothing in this Act or 
        the rules prescribed thereunder shall require an operator of a 
        website or online service to take any action that is 
        inconsistent with the requirements of section 222 or 631 of the 
        Communications Act of 1934 (47 U.S.C. 222, 551).

SEC. 7. PRIVATE RIGHT OF ACTION.

    (a) Private Right of Action.--A person or entity may, if otherwise 
permitted by the laws or rules of court of a State, bring in an 
appropriate court of that State--
            (1) an action based on a violation of any rule prescribed 
        under section 3 to enjoin such violation;
            (2) an action to recover for actual monetary loss from such 
        a violation, or to receive $1,000 in damages for each such 
        violation, whichever is greater; or
            (3) both such actions.
    (b) Willful and Knowing Violations.--If the court finds that the 
defendant willfully or knowingly violated any rule prescribed under 
section 3, the court may, in its discretion, increase the amount of the 
award available under subsection (a)(2) to $10,000.

SEC. 8. REVIEW.

    Not later than 5 years after the effective date of the rules 
initially issued under section 3, the Commission shall--
            (1) review the implementation of this Act, including the 
        effect of the implementation of this Act on practices relating 
        to the collection and disclosure of information relating to 
        children, children's ability to obtain access to information of 
        their choice online, and on the availability of websites 
        directed to children; and
            (2) prepare and submit to Congress a report on the results 
        of the review under paragraph (1).

SEC. 9. DEFINITIONS.

    In this Act:
            (1) Operator.--The term ``operator''--
                    (A) means any person who operates a website located 
                on the Internet or an online service and who collects 
                or maintains personal information from or about the 
                users of or visitors to such website or online service, 
                or on whose behalf such information is collected or 
                maintained, where such website or online service is 
                operated for commercial purposes, including any person 
                offering products or services for sale through that 
                website or online service, involving commerce--
                            (i) among the several States or with 1 or 
                        more foreign nations;
                            (ii) in any territory of the United States 
                        or in the District of Columbia, or between any 
                        such territory and--
                                    (I) another such territory; or
                                    (II) any State or foreign nation; 
                                or
                            (iii) between the District of Columbia and 
                        any State, territory, or foreign nation; but
                    (B) does not include any nonprofit entity that 
                would otherwise be exempt from coverage under section 5 
                of the Federal Trade Commission Act (15 U.S.C. 45).
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Disclosure.--The term ``disclosure'' means, with 
        respect to personal information--
                    (A) the release of personal information collected 
                from an individual in identifiable form by an operator 
                for any purpose, except where such information is 
                provided to a person other than the operator who 
                provides support for the internal operations of the 
                website and does not disclose or use that information 
                for any other purpose; and
                    (B) making personal information collected from an 
                individual by a website or online service publicly 
                available in identifiable form, by any means including 
                by a public posting, through the Internet, or through--
                            (i) a home page of a website;
                            (ii) a pen pal service;
                            (iii) an electronic mail service;
                            (iv) a message board; or
                            (v) a chat room.
            (4) Federal agency.--The term ``Federal agency'' means an 
        agency, as that term is defined in section 551(1) of title 5, 
        United States Code.
            (5) Internet.--The term ``Internet'' means collectively the 
        myriad of computer and telecommunications facilities, including 
        equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (6) Personal information.--The term ``personal 
        information'' means individually identifiable information about 
        an individual collected online, including--
                    (A) a first and last name;
                    (B) a home or other physical address including 
                street name and name of a city or town;
                    (C) an e-mail address;
                    (D) a telephone number;
                    (E) a Social Security number;
                    (F) any other identifier that the Commission 
                determines permits the physical or online contacting of 
                a specific individual; or
                    (G) unique identifying information that the website 
                collects online and combines with an identifier 
                described in this paragraph.
            (7) Person.--The term ``person'' means any individual, 
        partnership, corporation, trust, estate, cooperative, 
        association, or other entity.
            (8) Website; online service.--The Commission shall by rule 
        define the terms ``website'' and ``online service'' in a manner 
        consistent with the purposes of this Act, and shall revise or 
        amend such rule to take into account changes in technology, 
        practice, or procedure with respect to the collection of 
        personal information over the Internet.

SEC. 10. EFFECTIVE DATE.

    Sections 3(a), 5, and 6 of this Act take effect on the later of--
            (1) the date that is 18 months after the date of enactment 
        of this Act; or
            (2) the date on which the Commission rules on the first 
        application filed for safe harbor treatment under section 4 if 
        the Commission does not rule on the first such application 
        within one year after the date of enactment of this Act, but in 
        no case later than the date that is 30 months after the date of 
        enactment of this Act.
                                 <all>