[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 2606 Introduced in Senate (IS)]
106th CONGRESS
2d Session
S. 2606
To protect the privacy of American consumers.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 23, 2000
Mr. Hollings (for himself, Mr. Rockefeller, Mr. Bryan, Mr. Breaux, Mr.
Inouye, Mr. Feingold, Mr. Edwards, Mr. Kerrey, Mr. Cleland, Mr. Durbin,
and Mr. Byrd) introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To protect the privacy of American consumers.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer Privacy Protection Act''.
SEC. 2. FINDINGS.
The Congress makes the following findings:
(1) The right to privacy is a personal and fundamental
right worthy of protection through appropriate legislation.
(2) Consumers engaging in and interacting with companies
engaged in interstate commerce have an ownership interest in
their personal information, as well as a right to control how
that information is collected, used, or transferred.
(3) Existing State, local, and Federal laws provide
virtually no privacy protection for Internet users.
(4) Moreover, existing privacy regulation of the general,
or offline, marketplace provides inadequate consumer
protections in light of the significant data collection and
dissemination practices employed today.
(5) The Federal Government thus far has eschewed general
Internet privacy laws in favor of industry self-regulation,
which has led to several self-policing schemes, none of which
are enforceable in any meaningful way or provide sufficient
consumer protection.
(6) State governments have been reluctant to enter the
field of Internet privacy regulation because use of the
Internet often crosses State, or even national, boundaries.
(7) States are nonetheless interested in providing greater
privacy protection to their citizens as evidenced by recent
lawsuits brought against offline and online companies by State
attorneys general to protect consumer privacy.
(8) Personal information flowing over the Internet requires
greater privacy protection than is currently available today.
Vast amounts of personal information about individual Internet
users are collected on the Internet and sold or otherwise
transferred to third parties.
(9) Poll after poll consistently demonstrates that
individual Internet users are highly troubled over their lack
of control over their personal information.
(10) Research on the Internet industry demonstrates that
consumer concerns about their privacy on the Internet has a
correlative negative impact on the development of e-commerce.
(11) Notwithstanding these concerns, the Internet is
becoming a major part of the personal and commercial lives of
millions of Americans, providing increased access to
information, as well as communications and commercial
opportunities.
(12) It is important to establish personal privacy rights
and industry obligations now so that consumers have confidence
that their personal privacy is fully protected on our Nation's
telecommunications networks and on the Internet.
(13) The social and economic costs of imposing obligations
on industry now will be lower than if Congress waits until the
Internet becomes more prevalent in our everyday lives in coming
years.
(14) Absent the recognition of these rights and the
establishment of consequent industry responsibilities to
safeguard those rights, consumer privacy will soon be more
gravely threatened.
(15) The ease of gathering and compiling personal
information on the Internet, both overtly and surreptitiously,
is becoming increasingly efficient and effortless due to
advances in digital communications technology which have
provided information gatherers the ability to seamlessly
compile highly detailed personal histories of Internet users.
(16) Consumers must have--
(A) clear and conspicuous notice that information
is being collected about them;
(B) clear and conspicuous notice as to the
information gatherer's intent with respect to that
information;
(C) the ability to control the extent to which
information is collected about them; and
(D) the right to prohibit any unauthorized use,
reuse, disclosure, transfer, or sale of their
information.
(17) Fair information practices include providing consumers
with knowledge of any data collection clear and conspicuous
notice of an entity's information practices, the ability to
control whether or not those practices will be applied to them
personally, access to information collected about them, and
safeguards to ensure the integrity and security of that
information.
(18) Recent surveys of websites conducted by the Federal
Trade Commission and Georgetown University found that a small
minority of websites surveyed contained a privacy policy
embodying fair information practices such as notice, choice,
access, and security.
(19) Americans expect that their purchases of written
materials, videos, and music will remain confidential, whether
they are shopping online or in the traditional workplace.
(20) Consumer privacy with respect to written materials,
music, and movies should be protected vigilantly to ensure the
free exercise of First Amendment rights of expression,
regardless of medium.
(21) Under current law, millions of American cable
customers are protected against disclosures of their personal
subscriber information without notice and choice, whereas no
similar protection is available to subscribers of multichannel
video programming via satellite.
(22) Almost every American is a consumer of some form of
communications service, be it wireless, wireline, cable,
broadcast, or satellite.
(23) In light of the convergence of and emerging
competition among and between wireless, wireline, satellite,
broadcast, and cable companies, privacy safeguards should be
applied uniformly across different communications media so as
to provide consistent consumer privacy protections as well as a
level competitive playing field for industry.
(24) Notwithstanding the recent focus on Internet privacy,
privacy issues abound in the traditional, or offline,
marketplace that merit Federal attention.
(25) The Congress would benefit from an exhaustive analysis
of general marketplace privacy issues conducted by the agency
with the most expertise in this area, the Federal Trade
Commission.
(26) While American workers are growing increasingly
concerned that their employers may be violating their privacy,
many workers are unaware that their activities in the workplace
may be subject to significant and potentially invasive
monitoring.
(27) While employers may have a legitimate need to maintain
an efficient and productive workforce, that need should not
improperly impinge on employee privacy rights in the workplace.
(28) Databases containing personal information about
consumers' commercial purchasing, browsing, and shopping
habits, as well as their generalized product preferences,
represent considerable commercial value.
(29) These databases should not be considered an asset with
respect to creditors' interests if the asset holder has availed
itself of the protection of State or Federal bankruptcy laws.
SEC. 3. PREEMPTION OF INCONSISTENT STATE LAW OR REGULATIONS.
(a) In General.--Except as provided in subsection (b), this Act
preempts any State law, regulation, or rule that is inconsistent with
the provisions of this Act.
(b) Exceptions.--
(1) In general.--Nothing in this Act preempts--
(A) the law of torts in any State;
(B) the common law in any State; or
(C) any State law, regulation, or rule that
prohibits fraud or provides a remedy for fraud.
(2) Private right-of-action.--Notwithstanding subsection
(a), if a State law provides for a private right-of-action
under a statute enacted to provide consumer protection, nothing
in this Act precludes a person from bringing such an action
under that statute, even if the statute is otherwise preempted
in whole or in part under subsection (a).
SEC. 4. TABLE OF CONTENTS.
The table of contents of this Act is as follows:
Sec. 1. Short title.
Sec. 2. Findings.
Sec. 3. Preemption of inconsistent State law or regulations.
Sec. 4. Table of contents.
TITLE I--ONLINE PRIVACY
Sec. 101. Collection or disclosure of personally identifiable
information.
Sec. 102. Notice, consent, access, and security requirements.
Sec. 103. Other kinds of information.
Sec. 104. Exceptions.
Sec. 105. Permanence of consent.
Sec. 106. Disclosure to law enforcement agency or under court order.
Sec. 107. Effective date.
Sec. 108. FTC rulemaking procedure required.
TITLE II--PRIVACY PROTECTION FOR
CONSUMERS OF BOOKS, RECORDED
MUSIC, AND VIDEOS
Sec. 201. Extension of video rental protections to books and recorded
music.
Sec. 202. Effective Date.
TITLE III--ENFORCEMENT AND REMEDIES
Sec. 301. Enforcement.
Sec. 302. Violation is unfair or deceptive act or practice.
Sec. 303. Private right of action.
Sec. 304. Actions by States.
Sec. 305. Whistleblower protection.
Sec. 306. No effect on other remedies.
Sec. 307. FTC Office of Online Privacy.
TITLE IV--COMMUNICATIONS TECHNOLOGY
PRIVACY PROTECTIONS
Sec. 401. Privacy protection for subscribers of satellite television
services for private home viewing.
Sec. 402. Customer proprietary network information.
TITLE V--RULEMAKING AND STUDIES
Sec. 501. Federal Trade Commission examination.
Sec. 502. Federal Communications Commission rulemaking.
Sec. 503. Department of Labor study of privacy issues in the workplace.
TITLE VI--PROTECTION OF PERSONALLY
IDENTIFIABLE INFORMATION IN
BANKRUPTCY
Sec. 601. Personally identifiable information not asset in bankruptcy.
TITLE VII--INTERNET SECURITY INITIATIVES
Sec. 701. Findings.
Sec. 702. Computer Security Partnership Council.
Sec. 703. Research and development.
Sec. 704. Computer security training programs.
Sec. 705. Government information security standards.
Sec. 706. Recognition of quality in computer security practices.
Sec. 707. Development of automated privacy controls.
TITLE VIII--CONGRESSIONAL INFORMATION
SECURITY STANDARDS
Sec. 801. Exercise of rulemaking power.
Sec. 802. Senate.
TITLE IX--DEFINITIONS
Sec. 901. Definitions.
TITLE I--ONLINE PRIVACY
SEC. 101. COLLECTION OR DISCLOSURE OF PERSONALLY IDENTIFIABLE
INFORMATION.
An Internet service provider, online service provider, or operator
of a commercial website on the Internet may not collect, use, or
disclose personally identifiable information about a user of that
service or website except in accordance with the provisions of this
title.
SEC. 102. NOTICE, CONSENT, ACCESS, AND SECURITY REQUIREMENTS.
(a) Notice.--An Internet service provider, online service provider,
or operator of a commercial website may not collect personally
identifiable information from a user of that service or website unless
that provider or operator gives clear and conspicuous notice in a
manner reasonably calculated to provide actual notice to any user or
prospective user that personally identifiable information may be
collected from that user. The notice shall disclose--
(1) the specific information that will be collected;
(2) the methods of collecting and using the information
collected; and
(3) all disclosure practices of that provider or operator
for personally identifiable information so collected, including
whether it will be disclosed to third parties.
(b) Consent.--An Internet service provider, online service
provider, or operator of a commercial website may not--
(1) collect personally identifiable information from a user
of that service or website, or
(2) except as provided in section 107, disclose or
otherwise use such information about a user of that service or
website,
unless the provider or operator obtains that user's affirmative
consent, in advance, to the collection and disclosure or use of that
information.
(c) Access.--An Internet service provider, online service provider,
or operator of a commercial website shall--
(1) upon request provide reasonable access to a user to
personally identifiable information that the provider or
operator has collected after the effective date of this title
relating to that user;
(2) provide a reasonable opportunity for a user to correct,
delete, or supplement any such information maintained by that
provider or operator; and
(3) make the correction or supplementary information a part
of that user's personally identifiable information for all
future disclosure and other use purposes.
(d) Security.--An Internet service provider, online service
provider, or operator of a commercial website shall establish and
maintain reasonable procedures necessary to protect the security,
confidentiality, and integrity of personally identifiable information
maintained by that provider or operator.
(e) Notice of Policy Change.--Whenever an Internet service
provider, online service provider, or operator of a commercial website
makes a material change in its policy for the collection, use, or
disclosure of personally identifiable information, it--
(1) shall notify all users of that service or website of
the change in policy; and
(2) may not collect, disclose, or otherwise use any
personally identifiable information in accordance with the
changed policy unless the user has affirmatively consented,
under subsection (b), to its collection, disclosure, or use in
accordance with the changed policy.
(f) Notice of Privacy Breach.--
(1) In general.--If an Internet service provider, online
service provider, or operator of a commercial website commits a
breach of privacy with respect to the personally identifiable
information of a user, then it shall, as soon as reasonably
possible, notify all users whose personally identifiable
information was affected by that breach. The notice shall
describe the nature of the breach and the steps taken by the
provider or operator to remedy it.
(2) Breach of privacy.--For purposes of paragraph (1), an
Internet service provider, online service provider, or operator
of a commercial website commits a breach of privacy with
respect to personally identifiable information of a user if--
(A) it collects, discloses, or otherwise uses
personally identifiable information in violation of any
provision of this title; or
(B) it knows that the security, confidentiality, or
integrity of personally identifiable information is
compromised by any act or failure to act on the part of
the provider or operator or by any function of the
Internet service or online service provided, or
commercial website operated, by that provider or
operator that resulted in a disclosure, or possible
disclosure, of that information.
(g) Application to Certain Third-Party Operators.--The provisions
of this section applicable to Internet service providers, online
service providers, and commercial website operators apply to any third
party, including an advertiser, that uses that service or website to
collect information about users of that service or website.
SEC. 103. OTHER KINDS OF INFORMATION.
(a) In General.--Except as provided in subsection (b), the
provisions of sections 101 and 102 (except for subsections (b), (c),
and (e)(2)) that apply to personally identifiable information apply
also to the collection and disclosure or other use of information about
users of an Internet service, online service, or commercial website
that is not personally identifiable information.
(b) Consent Rule.--An Internet service provider, online service
provider, or operator of a commercial website may not--
(1) collect information described in subsection (a) from a
user of that service or website, or
(2) except as provided in section 107, disclose or
otherwise use such information about a user of that service or
website,
unless the provider or operator obtains that user's consent to the
collection and disclosure or other use of that information. For
purposes of this subsection, the user will be deemed to have consented
unless the user objects to the collection and disclosure or other use
of the information.
(c) Application to Certain Third-Party Operators.--The provisions
of this section applicable to Internet service providers, online
service providers, and commercial website operators apply to any third
party, including an advertiser, that uses that service or website to
collect information about users of that service or website.
SEC. 104. EXCEPTIONS.
(a) In General.--Sections 102 and 103 do not apply to the
collection, disclosure, or use by an Internet service provider, online
service provider, or operator of a commercial website of information
about a user of that service or website--
(1) to protect the security or integrity of the service or
website; or
(2) to conduct a transaction, deliver a product or service,
or complete an arrangement for which the user provided the
information.
(b) Disclosure to Parent Protected.--An Internet service provider,
online service provider, or operator of a commercial website may not be
held liable under this title, any other Federal law, or any State law
for any disclosure made in good faith and following reasonable
procedures in responding to a request for disclosure of personal
information under section 1302(b)(1)(B)(iii) of the Children's Online
Privacy Protection Act of 1998 to the parent of a child.
SEC. 105. PERMANENCE OF CONSENT.
The consent or denial of consent by a user of permission to an
Internet service provider, online service provider, or operator of a
commercial website to collect, disclose, or otherwise use any
information about that user for which consent is required under this
title--
(1) shall remain in effect until changed by the user;
(2) except as provided in section 102(e), shall apply to
any revised, modified, new, or improved service provided by
that provider or operator to that user; and
(3) except as provided in section 102(e), shall apply to
the collection, disclosure, or other use of that information by
any entity that is a commercial successor of that provider or
operator, without regard to the legal form in which such
succession was accomplished.
SEC. 106. DISCLOSURE TO LAW ENFORCEMENT AGENCY OR UNDER COURT ORDER.
(a) In General.--Notwithstanding any other provision of this title,
an Internet service provider, online service provider, operator of a
commercial website, or third party that uses such a service or website
to collect information about users of that service or website may
disclose personally identifiable information about a user of that
service or website--
(1) to a law enforcement agency in response to a warrant
issued under the Federal Rules of Criminal Procedure, an
equivalent State warrant, or a court order issued in accordance
with subsection (c); and
(2) in response to a court order in a civil proceeding
granted upon a showing of compelling need for the information
that cannot be accommodated by any other means if--
(A) the user to whom the information relates is
given reasonable notice by the person seeking the
information of the court proceeding at which the order
is requested; and
(B) that user is afforded a reasonable opportunity
to appear and contest the issuance of requested order
or to narrow its scope.
(b) Safeguards Against Further Disclosure.--A court that issues an
order described in subsection (a) shall impose appropriate safeguards
on the use of the information to protect against its unauthorized
disclosure.
(c) Court Orders.--A court order authorizing disclosure under
subsection (a)(1) may issue only with prior notice to the user and only
if the law enforcement agency shows that there is probable cause to
believe that the user has engaged, is engaging, or is about to engage
in criminal activity and that the records or other information sought
are material to the investigation of such activity. In the case of a
State government authority, such a court order shall not issue if
prohibited by the law of such State. A court issuing an order pursuant
to this subsection, on a motion made promptly by the Internet service
provider, online service provider, or operator of the commercial
website, may quash or modify such order if the information or records
requested are unreasonably voluminous in nature or if compliance with
such order otherwise would cause an unreasonable burden on the provider
or operator.
SEC. 107. EFFECTIVE DATE.
(a) In General.--This title takes effect after the Federal Trade
Commission completes the rulemaking procedure under section 109.
(b) Application to Pre-Existing Data.--
(1) In general.--After the effective date of this title,
and except as provided in paragraphs (2) and (3), sections 101,
102, and 103 apply to information collected before the date of
enactment of this Act.
(2) Collection of both kinds of information.--Section
102(b)(1) and 103(b)(1) do not apply to information collected
before the effective date of this title.
(3) Access to personally identifiable information.--Section
102(c) applies to personally identifiable information collected
before the effective date of this title unless it is
economically unfeasible for the Internet service provider,
online service provider, or commercial website operator to
comply with that section for the information.
SEC. 108. FTC RULEMAKING PROCEDURE REQUIRED.
The Federal Trade Commission shall initiate a rulemaking procedure
within 90 days after the date of enactment of this Act to implement the
provisions of this title. Notwithstanding any requirement of chapter 5
of title 5, United States Code, the Commission shall complete the
rulemaking procedure not later than 270 days after it is commenced.
TITLE II--PRIVACY PROTECTION FOR CONSUMERS OF BOOKS, RECORDED MUSIC,
AND VIDEOS
SEC. 201. EXTENSION OF VIDEO RENTAL PROTECTIONS TO BOOKS AND RECORDED
MUSIC.
(a) In General.--Section 2710 of title 18, United States Code, is
amended by striking the section designation and all that follows
through the end of subsection (b) and inserting the following:
``Sec. 2710. Wrongful disclosure of information about video, book, or
recorded music rental, sale, or delivery
``(a) Definitions.--In this section:
``(1) The term `book dealer' means any person engaged in
the business, in or affecting interstate or foreign commerce,
of renting, selling, or delivering books, magazines, or other
written or printed material (regardless of the format or
medium), or any person or other entity to whom a disclosure is
made under subparagraph (D) or (E) of subsection (b)(2), but
only with respect to the information contained in the
disclosure.
``(2) The term `recorded music dealer' means any person,
engaged in the business, in or affecting interstate or foreign
commerce, of selling, renting, or delivering recorded music,
regardless of the format in which or medium on which it is
recorded, or any person or other entity to whom a disclosure is
made under subparagraph (D) or (E) of subsection (b)(2), but
only with respect to the information contained in the
disclosure.
``(3) The term `consumer' means any renter, purchaser, or
user of goods or services from a video provider, book dealer,
or recorded music dealer.
``(4) The term `ordinary course of business' means only
debt-collection activities, order fulfillment, request
processing, and the transfer of ownership.
``(5) The term `personally identifiable information' means
information that identifies a person as having requested or
obtained specific video materials or services, specific books,
magazines, or other written or printed materials, or specific
recorded music.
``(6) The term `video provider' means any person engaged in
the business, in or affecting interstate or foreign commerce,
of rental, sale, or delivery of recorded videos, regardless of
the format in which, or medium on which they are recorded, or
similar audio-visual materials, or any person or other entity
to whom a disclosure is made under subparagraph (D) or (E) of
subsection (b)(2), but only with respect to the information
contained in the disclosure.
``(b) Video, Book, or Recorded Music Rental, Sale, or Delivery.--
``(1) In general.--A video provider, book dealer, or
recorded music dealer who knowingly discloses, to any person,
personally identifiable information concerning any consumer of
such provider or seller, as the case may be, shall be liable to
the aggrieved person for the relief provided in subsection (d).
``(2) Disclosure.--A video provider, book dealer, or
recorded music dealer may disclose personally identifiable
information concerning any consumer--
``(A) to the consumer;
``(B) to any person with the informed, written
consent of the consumer given at the time the
disclosure is sought;
``(C) to a law enforcement agency pursuant to a
warrant issued under the Federal Rules of Criminal
Procedure, an equivalent State warrant, or a court
order issued in accordance with paragraph (4);
``(D) to any person if the disclosure is solely of
the names and addresses of consumers and if--
``(i) the video provider, book dealer, or
recorded music dealer, as the case may be, has
provided the consumer, in a clear and
conspicuous manner, with the opportunity to
prohibit such disclosure; and
``(ii) the disclosure does not identify the
title, description, or subject matter of any
video or other audio-visual material, books,
magazines, or other printed material, or
recorded music;
``(E) to any person if the disclosure is incident
to the ordinary course of business of the video
provider, book dealer, or recorded music dealer; or
``(F) pursuant to a court order, in a civil
proceeding upon a showing of compelling need for the
information that cannot be accommodated by any other
means, if--
``(i) the consumer is given reasonable
notice, by the person seeking the disclosure,
of the court proceeding relevant to the
issuance of the court order; and
``(ii) the consumer is afforded the
opportunity to appear and contest the claim of
the person seeking the disclosure.
``(3) Safeguards.--If an order is granted pursuant to
subparagraph (C) or (F) of paragraph (2), the court shall
impose appropriate safeguards against unauthorized disclosure.
``(4) Court orders.--A court order authorizing disclosure
under paragraph (2)(C) shall issue only with prior notice to
the consumer and only if the law enforcement agency shows that
there is probable cause to believe that a person has engaged,
is engaging, or is about to engage in criminal activity and
that the records or other information sought are material to
the investigation of such activity. In the case of a State
government authority, such a court order shall not issue if
prohibited by the law of such State. A court issuing an order
pursuant to this subsection, on a motion made promptly by the
video provider, book dealer, or recorded music dealer, may
quash or modify such order if the information or records
requested are unreasonably voluminous in nature or if
compliance with such order otherwise would cause an
unreasonable burden on such video provider, book dealer, or
recorded music dealer, as the case may be.''.
(b) Conforming Amendments.--
(1) Subsections (c) through (f) of section 2701 of title
18, United States Code, are amended by striking ``video tape
service provider'' each place it appears and inserting ``video
provider''.
(2) The item relating to section 2701 in the analysis for
chapter 121 of title 18, United States Code, is amended to read
as follows:
``2710. Wrongful disclosure of information about video, book, or
recorded music rental or sales.''.
SEC. 202. EFFECTIVE DATE.
The amendments made by section 201 take effect 12 months after the
date of enactment of this Act.
TITLE III--ENFORCEMENT AND REMEDIES
SEC. 301. ENFORCEMENT.
Except as provided in section 302(b) and section 2710(d) of title
18, United States Code, this Act shall be enforced by the Federal Trade
Commission. Except as otherwise provided in this Act, a violation of
this Act may be punished in the same manner as a violation of a
regulation of the Federal Trade Commission.
SEC. 302. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(a) In General.--The violation of any provision of title I is an
unfair or deceptive act or practice proscribed by section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) Enforcement by Certain Other Agencies.--Compliance with title I
of this Act shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12
U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and
Federal agencies of foreign banks, by the Office of the
Comptroller of the Currency;
(B) member banks of the Federal Reserve System
(other than national banks), branches and agencies of
foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by
foreign banks, and organizations operating under
section 25 or 25(a) of the Federal Reserve Act (12
U.S.C. 601 et seq. and 611 et seq.), by the Board; and
(C) banks insured by the Federal Deposit Insurance
Corporation (other than members of the Federal Reserve
System) and insured State branches of foreign banks, by
the Board of Directors of the Federal Deposit Insurance
Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12
U.S.C. 1818), by the Director of the Office of Thrift
Supervision, in the case of a savings association the deposits
of which are insured by the Federal Deposit Insurance
Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.)
by the National Credit Union Administration Board with respect
to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code,
by the Secretary of Transportation with respect to any air
carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et
seq.) (except as provided in section 406 of that Act (7 U.S.C.
226, 227)), by the Secretary of Agriculture with respect to any
activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by
the Farm Credit Administration with respect to any Federal land
bank, Federal land bank association, Federal intermediate
credit bank, or production credit association.
(c) Exercise of Certain Powers.--For the purpose of the exercise by
any agency referred to in subsection (b) of its powers under any Act
referred to in that subsection, a violation of title I is deemed to be
a violation of a requirement imposed under that Act. In addition to its
powers under any provision of law specifically referred to in
subsection (b), each of the agencies referred to in that subsection may
exercise, for the purpose of enforcing compliance with any requirement
imposed under title I of this Act, any other authority conferred on it
by law.
(d) Actions by the Commission.--The Commission shall prevent any
person from violating title I in the same manner, by the same means,
and with the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Any entity that violates any provision of that title is subject to the
penalties and entitled to the privileges and immunities provided in the
Federal Trade Commission Act in the same manner, by the same means, and
with the same jurisdiction, power, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act were
incorporated into and made a part of that title.
(e) Effect on Other Laws.--
(1) Preservation of commission authority.--Nothing
contained in this title shall be construed to limit the
authority of the Commission under any other provision of law.
(2) Relation to communications act.--Nothing in title I
requires an operator of a website or online service to take any
action that is inconsistent with the requirements of section
222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 or
551, respectively).
SEC. 303. PRIVATE RIGHT OF ACTION.
(a) Private Right of Action.--A person whose personally
identifiable information is collected, disclosed or used, or is likely
to be disclosed or used, in violation of title I may, if otherwise
permitted by the laws or rules of court of a State, bring in an
appropriate court of that State--
(1) an action to enjoin or restrain such violation;
(2) an action to recover for actual monetary loss from such
a violation, or to receive $5,000 in damages for each such
violation, whichever is greater; or
(3) both such actions.
(b) Willful and Knowing Violations.--If the court finds that the
defendant willfully or knowingly violated title I, the court may, in
its discretion, increase the amount of the award available under
subsection (a)(2) to $50,000.
(c) Exception.--Neither an action to enjoin or restrain a
violation, nor an action to recover for loss or damage, may be brought
under this section for the accidental disclosure of information if the
disclosure was caused by an Act of God, network or systems failure, or
other event beyond the control of the Internet service provider, online
service provider, or operator of a commercial website if the provider
or operator took reasonable precautions to prevent such disclosure in
the event of such a failure or other event.
(d) Attorneys Fees; Punitive Damages.--Notwithstanding subsection
(a)(2), the court in an action brought under this section, may award
reasonable attorneys fees and punitive damages to the prevailing party.
SEC. 304. ACTIONS BY STATES.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that violates title I, the State, as parens patriae,
may bring a civil action on behalf of the residents of the
State in a district court of the United States of appropriate
jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with the rule;
(C) obtain damage, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the attorney general determines
that it is not feasible to provide the notice
described in that subparagraph before the
filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Commission at the same time as
the attorney general files the action.
(b) Intervention.--
(1) In general.--On receiving notice under subsection
(a)(2), the Commission shall have the right to intervene in the
action that is the subject of the notice.
(2) Effect of intervention.--If the Commission intervenes
in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that
arises in that action; and
(B) to file a petition for appeal.
(c) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this Act shall be construed to prevent an
attorney general of a State from exercising the powers conferred on the
attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(d) Actions by the Commission.--In any case in which an action is
instituted by or on behalf of the Commission for violation of title I,
no State may, during the pendency of that action, institute an action
under subsection (a) against any defendant named in the complaint in
that action for violation of that rule.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 305. WHISTLEBLOWER PROTECTION.
(a) In General.--No Internet service provider, online service
provider, or commercial website operator may discharge or otherwise
discriminate against any employee with respect to compensation, terms,
conditions, or privileges of employment because the employee (or any
person acting pursuant to the request of the employee) provided
information to any Federal or State agency or to the Attorney General
of the United States or of any State regarding a possible violation of
any provision of title I.
(b) Enforcement.--Any employee or former employee who believes he
has been discharged or discriminated against in violation of subsection
(a) may file a civil action in the appropriate United States district
court before the close of the 2-year period beginning on the date of
such discharge or discrimination. The complainant shall also file a
copy of the complaint initiating such action with the appropriate
Federal agency.
(c) Remedies.--If the district court determines that a violation of
subsection (a) has occurred, it may order the Internet service
provider, online service provider, or commercial website operator that
committed the violation--
(1) to reinstate the employee to his former position;
(2) to pay compensatory damages; or
(3) take other appropriate actions to remedy any past
discrimination.
(d) Attorneys Fees; Punitive Damages.--Notwithstanding subsection
(c)(2), the court in an action brought under this section, may award
reasonable attorneys fees and punitive damages to the prevailing party.
(e) Limitation.--The protections of this section shall not apply to
any employee who--
(1) deliberately causes or participates in the alleged
violation; or
(2) knowingly or recklessly provides substantially false
information to such an agency or the Attorney General.
(f) Burdens of Proof.--The legal burdens of proof that prevail
under subchapter III of chapter 12 of title 5, United States Code (5
U.S.C. 1221 et seq.) shall govern adjudication of protected activities
under this section.
SEC. 306. NO EFFECT ON OTHER REMEDIES.
The remedies provided by this sections 303 and 304 are in addition
to any other remedy available under any provision of law.
SEC. 307. FTC OFFICE OF ONLINE PRIVACY.
The Federal Trade Commission shall establish an Office of Online
Privacy headed by a senior level position officer who reports directly
to the Commission and its General Counsel. The Office shall study
privacy issues associated with electronic commerce and the Internet,
the operation of this Act and the effectiveness of the privacy
protections provided by title I. The Office shall report its findings
and recommendations from time to time to the Commission, and,
notwithstanding any law, regulation, or executive order to the
contrary, shall submit an annual report directly to the Senate
Committee on Commerce, Science, and Transportation and the House of
Representatives Committee on Commerce on the status of online and
Internet privacy issues, together with any recommendations for
additional legislation relating to those issues.
TITLE IV--COMMUNICATIONS TECHNOLOGY PRIVACY PROTECTIONS
SEC. 401. PRIVACY PROTECTION FOR SUBSCRIBERS OF SATELLITE TELEVISION
SERVICES FOR PRIVATE HOME VIEWING.
(a) In General.--Section 631 of the Communications Act of 1934 (47
U.S.C. 551) is amended to read as follows:
``SEC. 631. PRIVACY OF SUBSCRIBER INFORMATION FOR SUBSCRIBERS OF CABLE
SERVICE AND SATELLITE TELEVISION SERVICE.
``(a) Notice to Subscribers Regarding Personally Identifiable
Information.--At the time of entering into an agreement to provide any
cable service, satellite home viewing service, or other service to a
subscriber, and not less often than annually thereafter, a cable
operator, satellite carrier, or distributor shall provide notice in the
form of a separate, written statement to such subscriber that clearly
and conspicuously informs the subscriber of--
``(1) the nature of personally identifiable information
collected or to be collected with respect to the subscriber as
a result of the provision of such service and the nature of the
use of such information;
``(2) the nature, frequency, and purpose of any disclosure
that may be made of such information, including an
identification of the types of persons to whom the disclosure
may be made;
``(3) the period during which such information will be
maintained by the cable operator, satellite carrier, or
distributor;
``(4) the times and place at which the subscriber may have
access to such information in accordance with subsection (d);
and
``(5) the limitations provided by this section with respect
to the collection and disclosure of information by the cable
operator, satellite carrier, or distributor and the right of
the subscriber under this section to enforce such limitations.
``(b) Collection of Personally Identifiable Information.--
``(1) In general.--Except as provided in paragraph (2), a
cable operator, satellite carrier, or distributor shall not use
its cable or satellite system to collect personally
identifiable information concerning any subscriber without the
prior written or electronic consent of the subscriber.
``(2) Exception.--A cable operator, satellite carrier, or
distributor may use its cable or satellite system to collect
information described in paragraph (1) in order to--
``(A) obtain information necessary to render a
cable or satellite service or other service provided by
the cable operator, satellite carrier, or distributor
to the subscriber; or
``(B) detect unauthorized reception of cable or
satellite communications.
``(c) Disclosure of Personally Identifiable Information.--
``(1) In general.--Except as provided in paragraph (2), a
cable operator, satellite carrier, or distributor may not
disclose personally identifiable information concerning any
subscriber without the prior written or electronic consent of
the subscriber and shall take such actions as are necessary to
prevent unauthorized access to such information by a person
other than the subscriber or the cable operator, satellite
carrier, or distributor.
``(2) Exceptions.--A cable operator, satellite carrier, or
distributor may disclose information described in paragraph (1)
if the disclosure is--
``(A) necessary to render, or conduct a legitimate
business activity related to, a cable or satellite
service or other service provided by the cable
operator, satellite carrier, or distributor to the
subscriber;
``(B) subject to paragraph (3), made pursuant to a
court order authorizing such disclosure, if the
subscriber is notified of such order by the person to
whom the order is directed; or
``(C) a disclosure of the names and addresses of
subscribers to any other provider of cable or satellite
service or other service, if--
``(i) the cable operator, satellite
carrier, or distributor has provided the
subscriber the opportunity to prohibit or limit
such disclosure; and
``(ii) the disclosure does not reveal,
directly or indirectly--
``(I) the extent of any viewing or
other use by the subscriber of a cable
or satellite service or other service
provided by the cable operator,
satellite carrier, or distributor; or
``(II) the nature of any
transaction made by the subscriber
over the cable or satellite system of the cable operator, satellite
carrier, or distributor.
``(3) Court orders.--A governmental entity may obtain
personally identifiable information concerning a cable or
satellite subscriber pursuant to a court order only if, in the
court proceeding relevant to such court order--
``(A) such entity offers clear and convincing
evidence that the subject of the information is
reasonably suspected of engaging in criminal activity
and that the information sought would be material
evidence in the case; and
``(B) the subject of the information is afforded
the opportunity to appear and contest such entity's
claim.
``(d) Subscriber Access to Information.--A cable or satellite
subscriber shall be provided access to all personally identifiable
information regarding that subscriber that is collected and maintained
by a cable operator, satellite carrier, or distributor. Such
information shall be made available to the subscriber at reasonable
times and at a convenient place designated by such cable operator,
satellite carrier, or distributor. A cable or satellite subscriber
shall be provided reasonable opportunity to correct any error in such
information.
``(e) Destruction of Information.--A cable operator, satellite
carrier, or distributor shall destroy personally identifiable
information if the information is no longer necessary for the purpose
for which it was collected and there are no pending requests or orders
for access to such information under subsection (d) or pursuant to a
court order.
``(f) Relief.--
``(1) In general.--Any person aggrieved by any act of a
cable operator, satellite carrier, or distributor in violation
of this section may bring a civil action in a district court of
the United States.
``(2) Damages and costs.--In any action brought under
paragraph (1), the court may award a prevailing plaintiff--
``(A) actual damages but not less than liquidated
damages computed at the rate of $100 a day for each day
of violation or $1,000, whichever is greater;
``(B) punitive damages; and
``(C) reasonable attorneys' fees and other
litigation costs reasonably incurred.
``(3) No effect on other remedies.--The remedy provided by
this subsection shall be in addition to any other remedy
available under any provision of law to a cable or satellite
subscriber.
``(g) Definitions.--In this section:
``(1) Distributor.--The term `distributor' means an entity
that contracts to distribute secondary transmissions from a
satellite carrier and, either as a single channel or in a
package with other programming, provides the secondary
transmission either directly to individual subscribers for
private home viewing or indirectly through other program
distribution entities.
``(2) Cable operator.--
``(A) In general.--The term `cable operator' has
the meaning given that term in section 602.
``(B) Inclusion.--The term includes any person
who--
``(i) is owned or controlled by, or under
common ownership or control with, a cable
operator; and
``(ii) provides any wire or radio
communications service.
``(3) Other service.--The term `other service' includes any
wire, electronic, or radio communications service provided
using any of the facilities of a cable operator, satellite
carrier, or distributor that are used in the provision of cable
service or satellite home viewing service.
``(4) Personally identifiable information.--The term
`personally identifiable information' does not include any
record of aggregate data that does not identify particular
persons.
``(5) Satellite carrier.--The term `satellite carrier'
means an entity that uses the facilities of a satellite or
satellite service licensed by the Federal Communications
Commission and operates in the Fixed-Satellite Service under
part 25 of title 47 of the Code of Federal Regulations or the
Direct Broadcast Satellite Service under part 100 of title 47
of the Code of Federal Regulations, to establish and operate a
channel of communications for point-to-multipoint distribution
of television station signals, and that owns or leases a
capacity or service on a satellite in order to provide such
point-to-multipoint distribution, except to the extent that
such entity provides such distribution pursuant to tariff under
the Communications Act of 1934, other than for private home
viewing.''.
(b) Notice With Respect to Certain Agreements.--
(1) In general.--Except as provided in paragraph (2), a
cable operator, satellite carrier, or distributor who has
entered into agreements referred to in section 631(a) of the
Communications Act of 1934, as amended by subsection (a),
before the date of enactment of this Act, shall provide any
notice required under that section, as so amended, to
subscribers under such agreements not later than 180 days after
that date.
(2) Exception.--Paragraph (1) shall not apply with respect
to any agreement under which a cable operator, satellite
carrier, or distributor was providing notice under section
631(a) of the Communications Act of 1934, as in effect on the
day before the date of enactment of this Act, as of such date.
SEC. 402. CUSTOMER PROPRIETARY NETWORK INFORMATION.
Section 222 (c)(1) of the Communications Act of 1934 (47 U.S.C. 222
(c)(1)) is amended by striking ``approval'' and inserting ``express
prior authorization''.
TITLE V--RULEMAKING AND STUDIES
SEC. 501. FEDERAL TRADE COMMISSION EXAMINATION.
(a) Proceeding Required.--The Federal Trade Commission shall--
(1) study consumer privacy issues in the traditional,
offline marketplace, including whether--
(A) consumers are able, and, if not, the methods by
which consumers may be enabled--
(i) to have knowledge that consumer
information is being collected about them
through their utilization of various offline
services and systems;
(ii) to have clear and conspicuous notice
that such information could be used, or is
intended to be used, by the entity collecting
the data for reasons unrelated to the original
communications, or that such information could
be sold, rented, shared, or otherwise disclosed
(or is intended to be sold rented, shared, or
otherwise disclosed) to other companies or
entities; and
(iii) to stop the reuse, disclosure, or
sale of that information;
(B) in the case of consumers who are children, the
abilities described in clauses (i), (ii), and (iii) of
subparagraph (A) are or can be exercised by their
parents; and
(C) changes in the Commission's regulations could
provide greater assurance of the offline privacy rights
and remedies of parents and consumers generally;
(2) review responses and suggestions from affected
commercial and nonprofit entities to changes proposed under
paragraph (1)(C); and
(3) make recommendations to the Congress for any
legislative changes necessary to ensure such rights and
remedies.
(b) Schedule for Federal Trade Commission Responses.--The Federal
Trade Commission shall, within 6 months after the date of enactment of
this Act, submit to Congress a report containing the recommendations
required by subsection (a)(3).
SEC. 502. FEDERAL COMMUNICATIONS COMMISSION RULEMAKING.
(a) Proceeding Required.--The Federal Communications Commission
shall initiate a rulemaking proceeding to establish uniform consumer
privacy rules for all communications providers. The rulemaking
proceeding shall--
(1) examine the privacy rights and remedies of the
consumers of all online and offline technologies, including
telecommunications providers, cable, broadcast, satellite,
wireless, and telephony services;
(2) determine whether consumers are able, and, if not, the
methods by which consumers may be enabled to exercise such
rights and remedies; and
(3) change the Commission's regulations to coordinate,
rationalize, and harmonize laws and regulations administered by
the Commission that relate to those rights and remedies.
(b) Deadline for Changes.--The Federal Communications Commission
shall complete the rulemaking within 6 months after the date of
enactment of this Act.
SEC. 503. DEPARTMENT OF LABOR STUDY OF EMPLOYEE-MONITORING ACTIVITIES.
The Secretary of Labor shall study the extent and nature of
employer practices that involving monitoring employee activities both
at the workplace and away from the workplace, by electronic or other
remote means, including surveillance of electronic mail and Internet
use, to determine whether and to what extent such practices constitute
an inappropriate violation of employee privacy. The Secretary shall
report the results of the study, including findings and
recommendations, if any, for legislation or regulation to the Congress
within 6 months after the date of enactment of this Act.
TITLE VI--PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION IN
BANKRUPTCY
SEC. 601. PERSONALLY IDENTIFIABLE INFORMATION NOT ASSET IN BANKRUPTCY.
Section 541(b) of title 11, United States Code, is amended--
(1) by striking ``or'' after the semicolon in paragraph
(4)(B)(ii);
(2) by striking ``prohibition.'' in paragraph (5) and
inserting ``prohibition; or''; and
(3) by inserting after paragraph (5) the following:
``(6) any personally identifiable information (as defined
in section 901(6) of the Consumer Privacy Protection Act), or
any compilation, or record (in electronic or any other form) of
such information.''.
TITLE VII--INTERNET SECURITY INITIATIVES
SEC. 701. FINDINGS.
The Congress finds the following:
(1) Good computer security practices are an underpinning of
any privacy protection. The operator of a computer system
should protect that system from unauthorized use and secure any
private, personal information.
(2) The Federal Government should be a role model in
securing its computer systems and should ensure the protection
of private, personal information controlled by Federal
agencies.
(3) The National Institute of Standards and Technology has
the responsibility for developing standards and guidelines
needed to ensure the cost-effective security and privacy of
private, personal information in Federal computer systems.
(4) This Nation faces a shortage of trained, qualified
information technology workers, including computer security
professionals. As the demand for information technology workers
grows, the Federal government will have an increasingly
difficult time attracting such workers into the Federal
workforce.
(5) Some commercial off-the-shelf hardware and off-the-
shelf software components to protect computer systems are
widely available. There is still a need for long-term computer
security research, particularly in the area of infrastructure
protection.
(6) The Nation's information infrastructures are owned, for
the most part, by the private sector, and partnerships and
cooperation will be needed for the security of these
infrastructures.
(7) There is little financial incentive for private
companies to enhance the security of the Internet and other
infrastructures as a whole. The Federal government will need to
make investments in this area to address issues and concerns
not addressed by the private sector.
SEC. 702. COMPUTER SECURITY PARTNERSHIP COUNCIL.
(a) Establishment.--The Secretary of Commerce, in consultation with
the President's Information Technology Advisory Committee established
by Executive Order No. 13035 of February 11, 1997 (62 F.R. 7231), shall
establish a 25-member Computer Security Partnership Council.
(b) Chairman; Membership.--The Council shall have a chairman,
appointed by the Secretary, and 24 additional members, appointed by the
Secretary as follows:
(1) 5 members, who are not officers or employees of the
United States, who are recognized as leaders in the networking
and computer security business, at least 1 of whom represents a
small or medium-sized company.
(2) 5 members, who are--
(A) not officers or employees of the United States,
and
(B) not in the networking and computer security
business,
at least 1 of whom represents a small or medium-sized company.
(3) 5 members, who are not officers or employees of the
United States, who represent public interest groups or State or
local governments, of whom at least 2 represent such groups and
at least 2 represent such governments.
(4) 5 members, who are not officers or employees of the
United States, affiliated with a college, university, or other
academic, research-oriented, or public policy institution, with
recognized expertise in the field of networking and computer
security, whose primary source of employment is by that
college, university, or other institution rather than a
business organization involved in the networking and computer
security business.
(5) 4 members, who are officers or employees of the United
States, with recognized expertise in computer systems
management, including computer and network security.
(c) Function.--The Council shall collect and share information
about, and increase public awareness of, information security practices
and programs, threats to information security, and responses to those
threats.
(d) Study.--Within 12 months after the date of enactment of this
Act, the Council shall publish a report which evaluates and describes
areas of computer security research and development that are not
adequately developed or funded.
(e) Additional Recommendations.--The Council shall periodically
make recommendations to appropriate government and private sector
entities for enhancing the security of networked computers operated or
maintained by those entities.
SEC. 703. RESEARCH AND DEVELOPMENT.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsections (c) and (d) as subsections
(d) and (e), respectively; and
(2) by inserting after subsection (b) the following:
``(c) Research and Development of Protection Technologies.--
``(1) In general.--The Institute shall establish a program
at the National Institute of Standards and Technology to
conduct, or to fund the conduct of, research and development of
technology and techniques to provide security for advanced
communications and computing systems and networks including the
Next Generation Internet, the underlying structure of the
Internet, and networked computers.
``(2) Purpose.--A purpose of the program established under
paragraph (1) is to address issues or problems that are not
addressed by market-driven, private-sector information security
research. This may include research--
``(A) to identify Internet security problems which
are not adequately addressed by current security
technologies;
``(B) to develop interactive tools to analyze
security risks in an easy-to-understand manner;
``(C) to enhance the security and reliability of
the underlying Internet infrastructure while minimizing
any adverse operational impacts such as speed; and
``(D) to allow networks to become self-healing and
provide for better analysis of the state of Internet
and infrastructure operations and security.
``(3) Matching grants.--A grant awarded by the Institute
under the program established under paragraph (1) to a
commercial enterprise may not exceed 50 percent of the cost of
the project to be funded by the grant.
``(4) Authorization of appropriations.--There are
authorized to be appropriated to the Institute to carry out
this subsection--
``(A) $50,000,000 for fiscal year 2001;
``(B) $60,000,000 for fiscal year 2002;
``(C) $70,000,000 for fiscal year 2003;
``(D) $80,000,000 for fiscal year 2004;
``(E) $90,000,000 for fiscal year 2005; and
``(F) $100,000,000 for fiscal year 2006.''.
SEC. 704. COMPUTER SECURITY TRAINING PROGRAMS.
(a) In General.--The Secretary of Commerce, in consultation with
appropriate Federal agencies, shall establish a program to support the
training of individuals in computer security, Internet security, and
related fields at institutions of higher education located in the
United States.
(b) Support Authorized.--Under the program established under
subsection (a), the Secretary may provide scholarships, loans, and
other forms of financial aid to students at institutions of higher
education. The Secretary shall require a recipient of a scholarship
under this program to provide a reasonable period of service as an
employee of the United States government after graduation as a
condition of the scholarship, and may authorize full or partial
forgiveness of indebtedness for loans made under this program in
exchange for periods of employment by the United States government.
(c) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary such sums as may be necessary to carry
out this section--
(A) $15,000,000 for fiscal year 2001;
(B) $17,000,000 for fiscal year 2002;
(C) $20,000,000 for fiscal year 2003;
(D) $25,000,000 for fiscal year 2004;
(E) $30,000,000 for fiscal year 2005; and
(F) $35,000,000 for fiscal year 2006.
SEC. 705. GOVERNMENT INFORMATION SECURITY STANDARDS.
(a) In General.--Section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended--
(1) by striking ``and'' after the semicolon in paragraph
(4);
(2) by redesignating paragraph (5) as paragraph (6); and
(3) by inserting after paragraph (4) the following:
``(5) to provide guidance and assistance to Federal
agencies in the protection of interconnected computer systems
and to coordinate Federal response efforts related to
unauthorized access to Federal computer systems; and''.
(b) Federal Computer System Security Training.--Section 5(b) of the
Computer Security Act of 1987 (49 U.S.C. 759 note) is amended--
(1) by striking ``and'' at the end of paragraph (1);
(2) by striking the period at the end of paragraph (2) and
inserting in lieu thereof ``; and''; and
(3) by adding at the end the following new paragraph:
``(3) to include emphasis on protecting the availability of
Federal electronic citizen services and protecting sensitive
information in Federal databases and Federal computer sites
that are accessible through public networks.''.
SEC. 706. RECOGNITION OF QUALITY IN COMPUTER SECURITY PRACTICES.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by section 703, is further amended--
(1) by redesignating subsections (d) and (e) as subsections
(e) and (f), respectively; and
(2) by inserting after subsection (c), the following:
``(d) Award Program.--The Institute may establish a program for the
recognition of excellence in Federal computer system security
practices, including the development of a seal, symbol, mark, or logo
that could be displayed on the website maintained by the operator of
such a system recognized under the program. In order to be recognized
under the program, the operator--
``(1) shall have implemented exemplary processes for the
protection of its systems and the information stored on that
system;
``(2) shall have met any standard established under
subsection (a);
``(3) shall have a process in place for updating the system
security procedures; and
``(4) shall meet such other criteria as the Institute may
require.''.
SEC. 707. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by section 706, is further amended--
(1) by redesignating subsection (f) as subsection (g); and
(2) by inserting after subsection (e) the following:
``(f) Development of Internet Privacy Program.--The Institute shall
encourage and support the development of one or more computer programs,
protocols, or other software, such as the World Wide Web Consortium's
P3P program, capable of being installed on computers, or computer
networks, with Internet access that would reflect the user's
preferences for protecting personally-identifiable or other sensitive,
privacy-related information, and automatically execute the program,
once activated, without requiring user intervention.''.
TITLE VIII--CONGRESSIONAL INFORMATION SECURITY STANDARDS
SEC. 801. EXERCISE OF RULEMAKING POWER.
This title is enacted by the Congress--
(1) as an exercise of the rulemaking power of the House of
Representatives and the Senate, respectively, and as such it is
deemed a part of the rules of each House, respectively, but
applicable only with respect to that House; and it supersedes
other rules only to the extent that it are inconsistent
therewith; and
(2) with full recognition of the constitutional right of
either House to change the rules (so far as relating to that
House) at any time, in the same manner and to the same extent
as in the case of any other rule of that House.
SEC. 802. SENATE.
(a) In General.--The Sergeant at Arms of the United States Senate
shall develop regulations setting forth an information security and
electronic privacy policy governing use of the Internet by officers and
employees of the Senate in accordance with the following 4 principles
of privacy:
(1) Notice and awareness.--Websites must provide users
notice of their information practices.
(2) Choices and consent.--Websites must offer users choices
as to how personally identifiable information is used beyond
the use for which the information was provided.
(3) Access and participation.--Websites must offer users
reasonable access to personally identifiable information and an
opportunity to correct inaccuracies.
(4) Security and integrity.--Websites must take reasonable
steps to protect the security and integrity of personally
identifiable information.
(b) Procedure.--
(1) Proposal.--The Sergeant at Arms shall publish a general
notice of proposed rulemaking under section 553(b) of title 5,
United States Code, but, instead of publication of a general
notice of proposed rulemaking in the Federal Register, the
Sergeant at Arms shall transmit such notice to the President
pro tempore of the Senate for publication in the Congressional
Record on the first day on which the Senate is in session
following such transmittal. Such notice shall set forth the
recommendations of the Sergeant at Arms for regulations under
subsection (a).
(2) Comment.--Before adopting regulations, the Sergeant at
Arms shall provide a comment period of at least 30 days after
publication of general notice of proposed rulemaking.
(3) Adoption.--After considering comments, the Sergeant at
Arms shall adopt regulations and shall transmit notice of such
action together with a copy of such regulations to the
President pro tempore of the Senate for publication in the
Congressional Record on the first day on which the Senate is in
session following such transmittal.
(c) Approval of Regulations.--
(1) In general.--The regulations adopted by the Sergeant at
Arms may be approved by the Senate by resolution.
(2) Referral.--Upon receipt of a notice of adoption of
regulations under subsection (b)(3), the presiding officers of
the Senate shall refer such notice, together with a copy of
such regulations, to the Committee on Rules and Administration
of the Senate. The purpose of the referral shall be to consider
whether such regulations should be approved.
(3) Joint referral and discharge.--The presiding officer of
the Senate may refer the notice of issuance of regulations, or
any resolution of approval of regulations, to one committee or
jointly to more than one committee. If a committee of the
Senate acts to report a jointly referred measure, any other
committee of the Senate must act within 30 calendar days of
continuous session, or be automatically discharged.
(4) Resolution of approval.--In the case of a resolution of
the Senate, the matter after the resolving clause shall be the
following: ``the following regulations issued by the Sergeant
at Arms on ---------- ----, 2------ are hereby approved:'' (the
blank spaces being appropriately filled in and the text of the
regulations being set forth).
(d) Issuance and Effective Date.--
(1) Publication.--After approval of the regulations under
subsection (c), the Sergeant at Arms shall submit the
regulations to the President pro tempore of the Senate for
publication in the Congressional Record on the first day on
which the Senate is in session following such transmittal.
(2) Date of issuance.--The date of issuance of the
regulations shall be the date on which they are published in
the Congressional Record under paragraph (1).
(3) Effective date.--The regulations shall become effective
not less than 60 days after the regulations are issued, except
that the Sergeant at Arms may provide for an earlier effective
date for good cause found (within the meaning of section
553(d)(3) of title 5, United States Code) and published with
the regulation.
(e) Amendment of Regulations.--Regulations may be amended in the
same manner as is described in this section for the adoption, approval,
and issuance of regulations, except that the Sergeant at Arms may
dispense with publication of a general notice of proposed rulemaking of
minor, technical, or urgent amendments that satisfy the criteria for
dispensing with publication of such notice pursuant to section
553(b)(B) of title 5, United States Code.
(f) Right to Petition for Rulemaking.--Any interested party may
petition to the Sergeant at Arms for the issuance, amendment, or repeal
of a regulation.
TITLE IX--DEFINITIONS
SEC. 901. DEFINITIONS.
In this Act:
(1) Operator of a commercial website.--The term ``operator
of a commercial website''--
(A) means any person who operates a website located
on the Internet or an online service and who collects
or maintains personal information from or about the
users of or visitors to such website or online service,
or on whose behalf such information is collected or
maintained, where such website or online service is
operated for commercial purposes, including any person
offering products or services for sale through that
website or online service, involving commerce--
(i) among the several States or with 1 or
more foreign nations;
(ii) in any territory of the United States
or in the District of Columbia, or between any
such territory and--
(I) another such territory; or
(II) any State or foreign nation;
or
(iii) between the District of Columbia and
any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that
would otherwise be exempt from coverage under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).
(2) Disclose.--The term ``disclose'' means the release of
personally identifiable information about a user of an Internet
service, online service, or commercial website by an Internet
service provider, online service provider, or operator of a
commercial website for any purpose, except where such
information is provided to a person who provides support
for the internal operations of the service or website and who does not
disclose or use that information for any other purpose.
(3) Release.--The term ``release of personally identifiable
information'' means the direct or indirect, active or passive,
sharing, selling, renting, or other provision of personally
identifiable information of a user of an Internet service,
online service, or commercial website to any other person other
than the user.
(4) Internal operations support.--The term ``support for
the internal operations of a service or website'' means any
activity necessary to maintain the technical functionality of
that service or website.
(5) Collect.--The term ``collect'' means the gathering of
personally identifiable information about a user of an Internal
service, online service, or commercial website by or on behalf
of the provider or operator of that service or website by any
means, direct or indirect, active or passive, including--
(A) an online request for such information by the
provider or operator, regardless of how the information
is transmitted to the provider or operator;
(B) the use of a chat room, message board, or other
online service to gather the information; or
(C) tracking or use of any identifying code linked
to a user of such a service or website, including the
use of cookies.
(3) Cookie.--The term ``cookie'' means any program,
function, or device, commonly known as a ``cookie'', that makes
a record on the user's computer (or other electronic device) of
that user's access to an Internet service, online service, or
commercial website.
(4) Federal agency.--The term ``Federal agency'' means an
agency, as that term is defined in section 551(1) of title 5,
United States Code.
(5) Internet.--The term ``Internet'' means collectively the
myriad of computer and telecommunications facilities, including
equipment and operating software, which comprise the
interconnected world-wide network of networks that employ the
Transmission Control Protocol/Internet Protocol, or any
predecessor or successor protocols to such protocol, to
communicate information of all kinds by wire or radio.
(6) Personally identifiable information.--The term
``personally identifiable information'' means individually
identifiable information about an individual collected online,
including--
(A) a first and last name, whether given at birth
or adoption, assumed, or legally changed;
(B) a home or other physical address including
street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) a credit card number;
(G) a birth date, birth certificate number, or
place of birth;
(H) any other identifier that the Commission
determines permits the physical or online contacting of
a specific individual; or
(I) unique identifying information that an Internet
service provider, online service provider, or operator
of a commercial website collects and combines with an
identifier described in this paragraph.
(7) Internet service provider; online service provider;
website.--The Commission shall by rule define the terms
``Internet service provider'', ``online service provider'', and
``website'', and shall revise or amend such rule to take into
account changes in technology, practice, or procedure with
respect to the collection of personal information over the
Internet.
(8) Offline.--The term ``offline'' refers to any activity
regulated by this Act or by section 2710 of title 18, United
States Code, that occurs other than by or through the active or
passive use of an Internet connection, regardless of the medium
by or through which that connection is established.
(9) Online.--The term ``online'' refers to any activity
regulated by this Act or by section 2710 of title 18, United
States Code, that is effected by active or passive use of an
Internet connection, regardless of the medium by or through
which that connection is established.
<all>