[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4059 Introduced in House (IH)]







106th CONGRESS
  2d Session
                                H. R. 4059

To establish a system for businesses engaged in electronic commerce to 
 adopt, and certify their compliance with, internationally recognized 
    principles concerning the collection, use, and dissemination of 
             personal information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 22, 2000

 Mr. Campbell (for himself, Mr. Udall of New Mexico, Mr. Gillmor, Mr. 
Hall of Texas, and Mr. Hutchinson) introduced the following bill; which 
               was referred to the Committee on Commerce

_______________________________________________________________________

                                 A BILL


 
To establish a system for businesses engaged in electronic commerce to 
 adopt, and certify their compliance with, internationally recognized 
    principles concerning the collection, use, and dissemination of 
             personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Online Privacy and Disclosure Act of 
2000''.

SEC. 2. DEFINITIONS.

    For purposes of this Act, the following definitions apply:
            (1) Data controller.--The term ``data controller'' means a 
        person who, by any means of interstate commerce, collects 
        personal data, regardless of whether or not such data are 
        collected, stored, processed, or disseminated by that person or 
        by an agent on its behalf.
            (2) Personal data.--The term ``personal data'' means any 
        information relating to an identified or identifiable 
        individual (data subject).
            (3) Data subject.--The term ``data subject'' means an 
        individual to whom personal data pertain.
            (4) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (5) Person.--The term ``person'' has the meaning provided 
        such term in section 1 of title 1, United States Code.

SEC. 3. PURPOSES.

    The purposes of this Act are--
            (1) to identify and establish principles concerning fair 
        and nondeceptive business practices for the collection, use, 
        and dissemination of personal data;
            (2) to permit businesses that have adopted and implemented 
        such principles to certify the implementation by publicly 
        displaying a uniform seal; and
            (3) to require the Commission to prohibit and prevent 
        unfair and deceptive acts and practices in the use of that 
        uniform seal.

SEC. 4. PRINCIPLES FOR FAIR PERSONAL INFORMATION PRACTICES.

    Data controllers who abide by the following rules shall be 
permitted to display an official seal certifying such compliance under 
such regulations as the Commission shall prescribe:
            (1) Collection limitation principle.--The collection of any 
        personal data through means of interstate commerce should be 
        obtained by lawful and fair means and with the knowledge of the 
        data subject.
            (2) Data quality principle.--Personal data should be 
        accurate, complete, and current.
            (3) Purpose specification principle.--The purposes for 
        which personal data are collected should be specified and 
        disclosed to the data subject not later than the time of data 
        collection, and any subsequent use should be limited to the 
        fulfillment of those disclosed purposes, or such other purposes 
        as are not incompatible with those disclosed purposes and as 
        are also disclosed to the data subject on each occasion of a 
        change of purpose.
            (4) Use limitation principle.--Personal data should not be 
        disclosed, made available, or otherwise used for purposes other 
        than those specified and disclosed in accordance with paragraph 
        (3), except--
                    (A) with the consent of the data subject; or
                    (B) by the authority of law.
            (5) Openness principle.--A data subject should have readily 
        available means of establishing the existence and nature of 
        personal data, and the main purposes of their use, as well as 
        the identity and usual place of business of the data 
        controller.
            (6) Individual participation principle.--An individual 
        should have the right--
                    (A) to obtain from a data controller, or otherwise, 
                confirmation of whether or not the data controller has 
                data relating to the individual;
                    (B) to have communicated to the individual, data 
                relating to the individual--
                            (i) within a reasonable time;
                            (ii) at a charge, if any, that is not 
                        excessive;
                            (iii) in a reasonable manner; and
                            (iv) in a form that is readily intelligible 
                        to the individual;
                    (C) to be given reasons if a request made under 
                subparagraphs (A) and (B) is denied, and to be able to 
                challenge such denial; and
                    (D) to challenge data relating to the individual 
                and, if the challenge is successful to have the data 
                erased, rectified, completed, or amended.
            (7) Accountability principle.--A data controller should be 
        accountable for complying with measures which give effect to 
        the principles stated in paragraphs (1) through (6) of this 
        section.

SEC. 5. PREVENTION OF UNFAIR AND DECEPTIVE PRACTICES IN ADOPTION AND 
              IMPLEMENTATION OF PRINCIPLES.

    (a) Regulations Required.--
            (1) In general.--The Commission shall prescribe rules for 
        the adoption of a seal that may be publicly displayed by a data 
        controller that--
                    (A) complies with the principles set forth in 
                section 4; and
                    (B) desires to certify that compliance publicly.
            (2) Deceptive use of seal prohibited.--Such rules shall 
        prohibit as a deceptive act or practice any display of such 
        seal, or any imitation of such seal, by a data controller that 
        is not in compliance with such principles.
    (b) Rulemaking.--The Commission shall prescribe the rules under 
subsection (a) within 270 days after the date of enactment of this Act. 
Such rules shall be prescribed in accordance with section 553 of title 
5, United States Code.
    (c) Enforcement.--Any violation of any rule prescribed under 
subsection (a) shall be treated as a violation of a rule respecting 
unfair or deceptive acts or practices under section 5 of the Federal 
Trade Commission Act (15 U.S.C. 45). Notwithstanding section 5(a)(2) of 
such Act (15 U.S.C. 45(a)(2)), communications common carriers shall be 
subject to the jurisdiction of the Commission for purposes of this Act.

SEC. 6. ADMINISTRATION AND APPLICABILITY OF ACT.

    (a) In General.--Except as otherwise provided in section 7, this 
Act shall be enforced by the Commission under the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.). Consequently, no activity which 
is outside the jurisdiction of that Act shall be affected by this Act, 
except for purposes of this Act.
    (b) Actions by the Commission.--The Commission shall prevent any 
person from violating a rule of the Commission under section 5 in the 
same manner, by the same means, and with the same jurisdiction, powers, 
and duties as though all applicable terms and provisions of the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and 
made a part of this Act. Any person who violates such rule shall be 
subject to the penalties and entitled to the privileges and immunities 
provided in the Federal Trade Commission Act in the same manner, by the 
same means, and with the same jurisdiction, power, and duties as though 
all applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of this Act.

SEC. 7. STATE ENFORCEMENT.

    Nothing in this Act shall preempt any State from adopting or 
enforcing State laws dealing with the same or similar subject matter as 
the subject matter of this Act.
                                 <all>