[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 2928 Introduced in Senate (IS)]


106th CONGRESS
  2d Session
                                S. 2928

       To protect the privacy of consumers who use the Internet.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 26, 2000

   Mr. McCain (for himself, Mr. Kerry, Mr. Abraham, and Mrs. Boxer) 
introduced the following bill; which was read twice and referred to the 
           Committee on Commerce, Science, and Transporation

_______________________________________________________________________

                                 A BILL


 
       To protect the privacy of consumers who use the Internet.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Internet Privacy 
Enhancement Act''.

SEC. 2. COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--It is unlawful for a commercial website operator 
to collect personally identifiable information online from a user of 
that website unless the operator provides--
            (1) notice to the user on the website in accordance with 
        the requirements of subsection (b); and
            (2) an opportunity to that user to limit the use for 
        marketing purposes, or disclosure to third parties of 
        personally identifiable information collected that is--
                    (A) not related to provision of the products or 
                services provided by the website; or
                    (B) not required to be disclosed by law.
    (b) Notice.--
            (1) In general.--For purposes of subsection (a), notice 
        consists of a statement that informs a user of a website of the 
        following:
                    (A) The identity of the operator of the website and 
                of any third party the operator knowingly permits to 
                collect personally identifiable information from users 
                through the website, including the provision of an 
                electronic means of going to a website operated by any 
                such third party.
                    (B) A list of the types of personally identifiable 
                information that may be collected online by the 
                operator and the categories of information the operator 
                may collect in connection with the user's visit to the 
                website.
                    (C) A description of how the operator uses such 
                information, including a statement as to whether the 
                information may be sold, distributed, disclosed, or 
                otherwise made available to third parties for marketing 
                purposes.
                    (D) A description of the categories of potential 
                recipients of any such personally identifiable 
                information.
                    (E) Whether the user is required to provide 
                personally identifiable information in order to use the 
                website and any other consequences of failure to 
                provide that information.
                    (F) A general description of what steps the 
                operator takes to protect the security of personally 
                identifiable information collected online by that 
                operator.
                    (G) A description of the means by which a user may 
                elect not to have the user's personally identifiable 
                information used by the operator for marketing purposes 
                or sold, distributed, disclosed, or otherwise made 
                available to a third party, except for--
                            (i) information related to the provision of 
                        the product or service provided by the website; 
                        or
                            (ii) information required to be disclosed 
                        by law.
                    (H) The address or telephone number at which the 
                user may contact the website operator about its 
                information practices and also an electronic means of 
                contacting the operator.
            (2) Form of notice.--The notice required by subsection (a) 
        shall be clear, conspicuous, and easily understood.
            (3) Opportunity to limit disclosure.--The opportunity 
        provided to users to limit use and disclosure of personally 
        identifiable information shall be easy to use, easily 
        accessible, and shall be available online.
    (c) Inconsistent State Law.--No State or local government may 
impose any liability for commercial activities or actions by a 
commercial website operator in interstate or foreign commerce in 
connection with an activity or action described in this Act that is 
inconsistent with, or more restrictive than, the treatment of that 
activity or action under this section.
    (d) Safe Harbor.--A commercial website operator may not be held to 
have violated any provision of this Act if it complies with self-
regulatory guidelines that--
            (1) are issued by seal programs or representatives of the 
        marketing or online industries or by any other person; and
            (2) are approved by the Commission as containing all the 
        requirements set forth in subsection (b).

SEC. 3. ENFORCEMENT.

    (a) In General.--The violation of section 2(a) or (b) shall be 
treated as a violation of a rule defining an unfair or deceptive act or 
practice in or affecting commerce proscribed by section 18(a)(1)(B) of 
the Federal Trade Commission Act (15 U.S.C. 57(a)(1)(B)).
    (b) Enforcement by Certain Other Agencies.--Compliance with section 
2(a) or (b) shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
foreign banks, and organizations operating under section 25 or 25(a) of 
the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), by the 
Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act; and
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any Act 
referred to in that subsection, a violation of section 2(a) or (b) is 
deemed to be a violation of a requirement imposed under that Act. In 
addition to its powers under any provision of law specifically referred 
to in subsection (b), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under section 2(a) or (b), any other authority 
conferred on it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating section 2(a) or (b) in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any entity that violates any provision of that title 
is subject to the penalties and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act in the same 
manner, by the same means, and with the same jurisdiction, power, and 
duties as though all applicable terms and provisions of the Federal 
Trade Commission Act were incorporated into and made a part of that 
title.
    (e) Relationship to Other Laws.--
            (1) Commission authority.--Nothing contained in this Act 
        shall be construed to limit the authority of the Commission 
        under any other provision of law.
            (2) Communications act.--Nothing in section 2(a) or (b) 
        requires an operator of a website to take any action that is 
        inconsistent with the requirements of section 222 or 631 of the 
        Communications Act of 1934 (47 U.S.C. 222 or 551, 
        respectively).
            (3) Other acts.--Nothing in this Act is intended to affect 
        any provision of, or any amendment made by--
                    (A) the Children's Online Privacy Protection Act of 
                1998;
                    (B) the Gramm-Leach-Bliley Act; or
                    (C) the Health Insurance Portability and 
                Accountability Act of 1996.
    (f) Civil Penalty.--In addition to any other penalty applicable to 
a violation of section 2(a), there is hereby imposed a civil penalty of 
$22,000 for each such violation. In the event of a continuing 
violation, each day on which the violation continues shall be 
considered as a separate violation for purposes of this subsection. The 
maximum penalty under this subsection for a related series of 
violations is $500,000. For purposes of this subsection, the violation 
of an order issued by the Commission under this Act shall not be 
considered to be a violation of section 2(a) of this Act.

SEC. 4. ACTIONS BY STATES.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that violates section 2(a) or (b), the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction to--
                    (A) enjoin that practice;
                    (B) obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (C) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
            (3) Amicus curiae.--Upon application to the court, a person 
        whose self-regulatory guidelines have been approved by the 
        Commission and are relied upon as a defense by any defendant to 
        a proceeding under this section may file amicus curiae in that 
        proceeding.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Actions by the Commission.--In any case in which an action is 
instituted by or on behalf of the Commission for violation of section 
2(a) or (b) no State may, during the pendency of that action, institute 
an action under subsection (a) against any defendant named in the 
complaint in that action for violation of that rule.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. STUDY OF ONLINE PRIVACY.

    (a) In General.--Within 90 days after the date of enactment of this 
Act, the Commission shall execute a contract with the National Research 
Council of the National Academy of Sciences for a study of privacy that 
will examine causes for concern about privacy in the information age 
and tools and strategies for responding to those concerns.
    (b) Scope.--The study required by subsection (a) shall--
            (1) survey the risks to, and benefits associated with the 
        use of, personal information associated with information 
        technology, including actual and potential issues related to 
        trends in technology;
            (2) examine the costs and benefits involved in the 
        collection and use of personal information;
            (3) examine the differences, if any, between the collection 
        and use of personal information by the online industry and the 
        collection and use of personal information by other businesses;
            (4) examine the costs, risks, and benefits of providing 
        consumer access to information collected online, and examine 
        approaches to providing such access;
            (5) examine the security of personal information collected 
        online;
            (6) examine such other matters relating to the collection, 
        use, and protection of personal information online as the 
        Council and the Commission consider appropriate; and
            (7) examine efforts being made by industry to provide 
        notice, choice, access, and security.
    (c) Recommendations.--Within 12 months after the Commission's 
request under subsection (a), the Council shall complete the study and 
submit a report to the Congress, including recommendations for private 
and public sector actions including self-regulation, laws, regulations, 
or special agreements.
    (d) Agency Cooperation.--The head of each Federal department or 
agency shall, at the request of the Commission or the Council, 
cooperate as fully as possible with the Council in its activities in 
carrying out the study.
    (e) Funding.--The Commission is authorized to be obligate not more 
than $1,000,000 to carry out this section from funds appropriated to 
the Commission.

SEC. 6. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Commercial website operator.--The term ``operator of a 
        commercial website''--
                    (A) means any person who operates a website located 
                on the Internet or an online service and who collects 
or maintains personal information from or about the users of or 
visitors to such website or online service, or on whose behalf such 
information is collected or maintained, where such website or online 
service is operated for commercial purposes, including any person 
offering products or services for sale through that website or online 
service, involving commerce--
                            (i) among the several States or with 1 or 
                        more foreign nations;
                            (ii) in any territory of the United States 
                        or in the District of Columbia, or between any 
                        such territory and--
                                    (I) another such territory; or
                                    (II) any State or foreign nation; 
                                or
                            (iii) between the District of Columbia and 
                        any State, territory, or foreign nation; but
                    (B) does not include any nonprofit entity that 
                would otherwise be exempt from coverage under section 5 
                of the Federal Trade Commission Act (15 U.S.C. 45).
            (3) Collect.--The term ``collect'' means the gathering of 
        personally identifiable information about a user of an Internet 
        service, online service, or commercial website by or on behalf 
        of the provider or operator of that service or website by any 
        means, direct or indirect, active or passive, including--
                    (A) an online request for such information by the 
                provider or operator, regardless of how the information 
                is transmitted to the provider or operator;
                    (B) the use of an online service to gather the 
                information; or
                    (C) tracking or use of any identifying code linked 
                to a user of such a service or website, including the 
                use of cookies.
            (4) Internet.--The term ``Internet'' means collectively the 
        myriad of computer and telecommunications facilities, including 
        equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (5) Personally identifiable information.--The term 
        ``personally identifiable information'' means individually 
        identifiable information about an individual collected online, 
        including--
                    (A) a first and last name, whether given at birth 
                or adoption, assumed, or legally changed;
                    (B) a home or other physical address including 
                street name and name of a city or town;
                    (C) an e-mail address;
                    (D) a telephone number;
                    (E) a Social Security number; or
                    (F) unique identifying information that an Internet 
                service provider or operator of a commercial website 
                collects and combines with any information described in 
                the preceding subparagraphs of this paragraph.
            (6) Online.--The term ``online'' refers to any activity 
        regulated by this Act or by section 2710 of title 18, United 
        States Code, that is effected by active or passive use of an 
        Internet connection, regardless of the medium by or through 
        which that connection is established.
            (7) Third party.--The term ``third party'', when used in 
        reference to a commercial website operator, means any person 
        other than the operator.
                                 <all>