[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4678 Introduced in House (IH)]

107th CONGRESS
  2d Session
                                H. R. 4678

    To protect and enhance consumer privacy, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 8, 2002

Mr. Stearns (for himself, Mr. Boucher, Mr. Tauzin, Mr. Towns, Mr. Bass, 
Mr. Bilirakis, Mrs. Bono, Mr. Deal of Georgia, Ms. Eshoo, Mr. Gillmor, 
  Mr. Gordon, Mr. Greenwood, Mr. Kingston, Mr. Moran of Virginia, Mr. 
 Sawyer, Mr. Terry, Mr. Upton, Mr. Walden, Mr. Weldon of Florida, Mr. 
 Weller, and Mr. Dan Miller of Florida) introduced the following bill; 
  which was referred to the Committee on Energy and Commerce, and in 
 addition to the Committee on International Relations, for a period to 
      be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


    To protect and enhance consumer privacy, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Privacy Protection Act of 
2002''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
    TITLE I--PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE

Sec. 101. Privacy notices to consumers.
Sec. 102. Privacy policy statements.
Sec. 103. Consumer opportunity to limit sale or disclosure of 
                            information.
Sec. 104. Consumer opportunity to limit other information practices.
Sec. 105. Information security obligations.
Sec. 106. Self-regulatory programs.
Sec. 107. Enforcement.
Sec. 108. No private right of action.
Sec. 109. Effect on other laws.
Sec. 110. Effective date.
            TITLE II--IDENTITY THEFT PREVENTION AND REMEDIES

Sec. 201. Facilitating electronic identity theft affidavits.
Sec. 202. Promoting use of common identity theft affidavit.
Sec. 203. Timely resolution of identity theft disputes.
Sec. 204. Improvements to consumer clearinghouse.
Sec. 205. Improved identity theft data.
Sec. 206. Change of address protections.
Sec. 207. Effective date.
                  TITLE III--INTERNATIONAL PROVISIONS

Sec. 301. Study by Comptroller General.
Sec. 302. Remediation of discriminatory impact by Secretary of 
                            Commerce.
Sec. 303. Effect of nonremediation.
Sec. 304. Harmonization of international privacy laws, regulations, and 
                            agreements.
                      TITLE IV--GENERAL PROVISIONS

Sec. 401. Definitions.

    TITLE I--PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE

SEC. 101. PRIVACY NOTICES TO CONSUMERS.

    (a) Notice Required.--A data collection organization shall provide 
to a consumer a notice containing the information required under 
subsection (b) as follows:
            (1) Upon the first instance of collection from the consumer 
        of personally identifiable information, that may be used for a 
        purpose unrelated to the transaction, by a data collection 
        organization, the organization shall provide the notice at the 
        time personally identifiable information is collected.
            (2) Upon a material change in the organization's privacy 
        policy statement under section 102(5), the organization shall 
        provide the notice, not later than the first time after such 
        change in policy that the organization seeks to collect, sell, 
        disclose for consideration, or use personally identifiable 
        information to the extent practicable, to each consumer from 
        whom the organization has collected such information.
    (b) Form and Contents of Notice.--A notice required under 
subsection (a) shall be provided in a clear and concise manner, be 
prominently displayed or explicitly stated to the consumer, and contain 
the following information:
            (1) A statement that the information privacy practices of 
        the data collection organization raise an issue of privacy for 
        the consumer that may provide the consumer with rights under 
        law.
            (2) A description of the manner in which the consumer may 
        obtain a privacy policy statement that meets the requirements 
        of section 102, which may include providing the consumer with 
        an Internet website, a hyperlink to such a website, or a toll-
        free telephone number from which such a statement may be 
        obtained.
            (3) If the notice is required under subsection (a)(2), a 
        statement that there has been a material change in the 
        organization's privacy policy.

SEC. 102. PRIVACY POLICY STATEMENTS.

    (a) Privacy Policy.--A data collection organization shall establish 
a privacy policy with respect to the collection, sale, disclosure for 
consideration, or use of the personally identifiable information of 
consumers, the principal elements of which shall be embodied in a 
privacy policy statement (or statements) that meets the requirements of 
subsection (b).
    (b) Statement.--The statement (or statements) required under 
subsection (a) shall meet the following requirements:
            (1) The statement must be clear and conspicuous and written 
        in plain language.
            (2) The statement must be accessible to all consumers of 
        the data collection organization (regardless of the means by 
        which a consumer conducts a transaction with the 
        organization)--
                    (A) at no charge to the consumer; and
                    (B) at the time the data collection organization 
                first collects personally identifiable information 
                about the consumer that may be used for a purpose 
                unrelated to a transaction with the consumer and 
                subsequently.
            (3) With respect to personally identifiable information 
        that may be used for a purpose unrelated to a transaction with 
        the consumer and that is subject to being collected, sold, 
        disclosed for consideration, or used under the statement, the 
        statement must disclose only the following:
                    (A) The identity of each data collection 
                organization, or a description of each class or type of 
                data collection organization, that may collect or use 
                the information.
                    (B) The types of information that may be collected, 
                sold, disclosed for consideration, or used.
                    (C) How the information may be used.
                    (D) Whether the consumer is required to provide the 
                information in order to do business with the data 
                collection organization.
                    (E) The extent to which the information is subject 
                to sale or disclosure for consideration to a data 
                collection organization that is not an information-
                sharing affiliate of the data collection organization 
                providing the statement, including the following:
                            (i) A clear and prominent statement of the 
                        fact that the information is subject to such 
                        sale or disclosure for consideration.
                            (ii) A description of each class or type of 
                        data collection organization to which the 
                        information may be sold or disclosed for 
                        consideration.
                            (iii) The purpose for which the information 
                        may be used.
                    (F) Whether the information security practices of 
                the data collection organization meet the security 
                requirements of section 105 in order to prevent 
                unauthorized disclosure or release of personally 
                identifiable information.
    (c) Commission Facilitation.--The Commission shall take actions 
(including conducting industry-wide workshops) to facilitate the 
development of harmonized, universal wording or logo-based graphics in 
order to convey the contents of privacy policy statements required 
under this section.

SEC. 103. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF 
              INFORMATION.

    (a) Preclusion of Sale or Disclosure.--
            (1) Requirement.--A data collection organization shall 
        provide to the consumer, without charge, the opportunity to 
        preclude any sale or disclosure for consideration of the 
        consumer's personally identifiable information, that may be 
        used for a purpose unrelated to a transaction with the 
        consumer, to any data collection organization that is not an 
        information-sharing partner of the data collection organization 
        providing such opportunity.
            (2) Duration.--A preclusion on sale or disclosure for 
        consideration of information established by a consumer under 
        this subsection shall remain in effect for 5 years or until the 
        consumer indicates otherwise, whichever occurs sooner. A data 
        collection organization may not seek reconsideration of a 
        consumer's preclusion of such sale or disclosure until at least 
        1 year after such preclusion has been imposed by the consumer.
    (b) Permission for Sale or Disclosure.--A data collection 
organization may provide the consumer an opportunity to permit the sale 
or disclosure described in subsection (a)(1) in exchange for a benefit 
to the consumer.
    (c) Accessibility.--The opportunity to preclude (or if offered, to 
permit) the sale or disclosure for consideration of information under 
this section must be both easy to access and use.

SEC. 104. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.

    If a data collection organization provides to a consumer the 
opportunity to limit other practices of the data collection 
organization with respect to collection or use of personally 
identifiable information regarding the consumer, other than that 
required by section 103--
            (1) that opportunity must be easy to access and to use; and
            (2) any limitation exercised by the consumer pursuant to 
        the opportunity shall remain in effect, unless--
                    (A) the limitation is withdrawn by the consumer; or
                    (B) the data collection organization provides the 
                consumer at least 30 days notice before terminating its 
                compliance with the limitation.

SEC. 105. INFORMATION SECURITY OBLIGATIONS.

    (a) Information Security Policy.--
            (1) Implementation.--A data collection organization shall 
        prepare, revise as necessary, and implement an information 
        security policy that is applicable to the information security 
        practices and treatment of personally identifiable information 
        maintained by the data collection organization, in order to 
        prevent the unauthorized disclosure or release of such 
        information.
            (2) Management approval.--An information security policy 
        created pursuant to paragraph (1) shall be considered and 
        approved by the senior management officials of the data 
        collection organization.
            (3) Contents.--An information security policy required 
        under paragraph (1) shall include--
                    (A) a process for taking corrective action pursuant 
                to subsection (b); and
                    (B) identifying an officer of the data collection 
                organization as the point of contact with 
                responsibility for information security issues for the 
                organization.
    (b) Corrective Actions.--
            (1) Notification and action.--Except as provided in 
        paragraph (2), upon the joint issuance of an information 
        security notification by a Federal Government agency and the 
        CERT Coordination Center, a data collection organization shall 
        take appropriate action, within a reasonable period of time 
        after being informed and pursuant to its information security 
        policy, to implement any necessary changes to its security 
        practices and the architecture, installation, or implementation 
        of its network or operating software (including corrective 
        patches) in response to such a notification.
            (2) Exceptions.--A data collection organization shall not 
        be required to take the action specified in a notification 
        under paragraph (1) if--
                    (A) the corrective action required would cause harm 
                to, or weaken, the organization's existing information 
                security for personally identifiable information or the 
                procedures or systems of the organization;
                    (B) the organization takes, or has taken, other 
                appropriate steps or corrective action to mitigate the 
                vulnerabilities and exposure risks identified in the 
                notification; or
                    (C) the specified corrective action is not 
                necessary.
            (3) CERT coordination center described.--For purposes of 
        this section, the CERT Coordination Center is the Computer 
        Emergency Response Team Coordination Center of the Software 
        Engineering Institute operated by Carnegie Mellon University in 
        Pittsburgh, Pennsylvania, or if such center is unavailable, an 
        equivalent center designated by the Commission.
    (c) Effect of Release of Personally Identifiable Information.--If 
the security of a data collection organization has been compromised, 
resulting in the unauthorized release of a consumer's personally 
identifiable information, the Commission shall treat the failure of the 
data collection organization to comply with its own security policy or 
respond to a Federal agency information security notification in 
accordance with subsection (b)(1) as one factor in determining whether 
that data collection organization has violated this section.

SEC. 106. SELF-REGULATORY PROGRAMS.

    (a) Self-Regulatory Program.--
            (1) Presumption of compliance.--The Commission shall 
        presume that a data collection organization is in compliance 
        with the provisions of sections 101 through 105 if that 
        organization--
                    (A) participates in a self-regulatory program 
                approved under subsection (b); and
                    (B) complies with the guidelines, procedures, 
                requirements, and restrictions of the program 
                (including a remedial process under subsection (c)(7)).
            (2) Effect of willful noncompliance.--A data collection 
        organization that participates in a self-regulatory program 
        under this section shall not be liable for a civil penalty 
        arising out of a violation of any provision of sections 101 
        through 105 unless such violation results from willful 
        noncompliance with the guidelines, procedures, requirements, or 
        restrictions of the program.
    (b) Approval by Commission.--
            (1) Approval.--The Commission shall, within 90 days after 
        submission of an application for approval of a self-regulatory 
        program under this section (or of a material change in a 
        program previously approved by the Commission), approve such 
        program (or change) if the Commission finds that the program 
        (or change) complies with the requirements of subsection (c).
            (2) Form of application.--The Commission shall accept an 
        application for approval under paragraph (1) in any reasonable 
        form the applicant may submit.
            (3) Duration until renewal.--A self-regulatory program 
        approved by the Commission under paragraph (1) shall be 
        approved for a period of 8 years.
            (4) Revocation of approval.--The Commission may, after 
        notice and opportunity for a hearing, revoke approval granted 
        under paragraph (1), if the Commission finds that a self-
        regulatory program fails to meet the requirements of subsection 
        (c).
    (c) Requirements of Self-Regulatory Program.--A self-regulatory 
program complies with the requirements of this subsection if the 
program provides each of the following:
            (1) Guidelines and procedures requiring a program 
        participant to provide equivalent or greater protections for 
        consumers and their personally identifiable information as are 
        provided under sections 101 through 105.
            (2) Procedures and requirements to provide for--
                    (A) an initial self-review and self-certification 
                of a participant's privacy policy and practices to 
                ensure compliance with the guidelines, procedures, 
                requirements, and restrictions of the program 
                established under this subsection;
                    (B) subsequent periodic self-reviews and self-
                certifications, which shall occur at least annually, of 
                the participant's privacy policy and practices to 
                ensure continued compliance with such guidelines, 
                procedures, requirements, and restrictions;
                    (C) submission of self-reviews and self-
                certifications under this paragraph to any 
                administrator of the program;
                    (D) random compliance testing of participants, and 
                compliance testing of participants with a high number 
                of complaints against them, to determine the tested 
                participant's compliance with the program; and
                    (E) regular compliance testing of a participant, 
                which shall take place not less frequently than every 4 
                years, with respect to the privacy policy and 
                practices of the participant, to ensure that the self-
                reviews and self-certifications of the participant are 
                accurate and comply with the program.
            (3) Procedures and requirements that ensure that a program 
        participant provides a process for resolving disputes with 
        consumers relating to the privacy policy and practices of the 
        participant. Such dispute resolution process--
                    (A) must be available without charge to a consumer;
                    (B) must be available at a cost to the participant 
                that is reasonable and does not discourage 
                participation by the participant in such process;
                    (C) must ensure that consumers are informed of how 
                to utilize the process;
                    (D) may include, as one choice among others, 
                binding arbitration; and
                    (E)
                            (i) must be completed within 30 days after 
                        submission of the dispute by the consumer; or
                            (ii) must be completed within 60 days after 
                        submission of the dispute by the consumer, if 
                        the participant--
                                    (I) determines that additional time 
                                is required to obtain information to 
                                make an informed decision with respect 
                                to the dispute; and
                                    (II) notifies the consumer that 
                                such additional time is required.
            (4) Provisions for the use by participants in the program 
        of a means (including the use of a seal) to represent the 
        participant's participation in the program.
            (5) With respect to any nonvoluntary suspension or 
        termination of participation in the program because of the 
        participant's failure to comply with the program, procedures or 
        requirements to provide for the following:
                    (A) Publication of notice and the reasons for any 
                such suspension or termination, except that no 
                personally identifiable information related to such 
                suspension or termination may be published.
                    (B) Notice to the Commission of any such 
                termination.
            (6) Requirements and restrictions that assure independence 
        with respect to program eligibility, compliance, and dispute 
        resolution mechanisms and decisions from improper interference 
        by management or ownership of the self-regulatory program 
        participant.
            (7) A process for a noncompliant participant to take timely 
        remedial action in order to come back into compliance with the 
        program before suspension or termination of participation in 
        the program.
    (d) Consumer Dispute Resolution.--
            (1) Self-regulatory dispute process.--If a consumer has a 
        dispute with a participant in a self-regulatory program under 
        this section, the consumer shall initially seek resolution 
        through the participant's dispute resolution process 
        (established in accordance with subsection (c)(3)). The 
        Commission shall promptly refer to the participant involved any 
        dispute submitted to the Commission for which resolution has 
        not been initially sought through such process.
            (2) Resolution by commission.--A consumer may submit to the 
        Commission for resolution a dispute with a participant in a 
        self-regulatory program under this section, if the following 
        requirements are met:
                    (A) The dispute was initially submitted under 
                paragraph (1) for resolution through the participant's 
                dispute resolution process.
                    (B) The dispute submitted under paragraph (1) is 
                not resolved--
                            (i) within 30 days after submission of the 
                        dispute by the consumer; or
                            (ii) to the satisfaction of the consumer.
                    (C) Notice of the facts of the dispute is submitted 
                to the Commission not later than 30 days after the date 
                on which the consumer is notified of the resolution 
                through the participant's dispute resolution process.
                    (D) The consumer has not voluntarily accepted a 
                resolution of the dispute under paragraph (1).
                    (E) The dispute was not resolved through binding 
                arbitration.
    (e) Nonrelease of Certain Information.--The Commission may not 
compel a participant in a self-regulatory program approved under 
subsection (b) (or an administrator of such a program) to provide 
proprietary information or personally identifiable information of 
consumers to the Commission unless the Commission provides assurances 
that such information will not be released to the public.
    (f) Misrepresentation of Self-Regulatory Program Participation.--It 
is unlawful for a data collection organization to misrepresent that it 
is a participant in a self-regulatory program (including through any 
mechanism provided under subsection (c)(4)) when such organization is 
not, in fact, such a participant.
    (g) Exempted Entity Participation.--An entity that is not a data 
collection organization and that voluntarily participates in a self-
regulatory program under this section shall enjoy the rights and 
benefits provided under this section.

SEC. 107. ENFORCEMENT.

    (a) Unfair or Deceptive Act or Practice.--A violation of any 
provision of this title is an unfair or deceptive act or practice 
unlawful under section 5(a)(1) of the Federal Trade Commission Act (15 
U.S.C. 45(a)(1)), except that the amount of any civil penalty under 
such Act shall be doubled for a violation of this title, but may not 
exceed $500,000 for all related violations by a single violator 
(without respect to the number of consumers affected or the duration of 
the related violations).
    (b) Guidelines and Opinions.--In order to assist in compliance with 
this title, the Federal Trade Commission may issue generally applicable 
guidelines and, upon request, advisory opinions with respect to 
specific types of acts or practices that would, or would not, comply 
with this title, but may not prescribe regulations to carry out this 
title.

SEC. 108. NO PRIVATE RIGHT OF ACTION.

    This title may not be considered or construed to provide any 
private right of action. No private civil action relating to any act or 
practice governed under this title may be commenced or maintained in 
any State court or under State law (including a pendent State claim to 
an action under Federal law).

SEC. 109. EFFECT ON OTHER LAWS.

    (a) Qualified Exemption for Compliance With Other Federal Privacy 
Laws.--To the extent that personally identifiable information protected 
under this title is also protected under a provision of Federal privacy 
law described in subsection (c), a data collection organization that 
complies with the relevant provision of such other Federal privacy law 
shall be deemed to have complied with the corresponding provision of 
this title.
    (b) Protection of Other Federal Privacy Laws.--Nothing in this 
title may be construed to modify, limit, or supersede the operation of 
the Federal privacy laws described in subsection (c) or the provision 
of information permitted or required, expressly or by implication, by 
such laws, with respect to Federal rights and practices.
    (c) Other Federal Privacy Laws Described.--The provisions of law to 
which subsections (a) and (b) apply are the following:
            (1) Section 552a of title 5, United States Code (commonly 
        known as the Privacy Act of 1974).
            (2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 
        3401 et seq.).
            (3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
            (4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 
        et seq.).
            (5) The Children's Online Privacy Protection Act of 1998 
        (15 U.S.C. 6501 et seq.).
            (6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 
        U.S.C. 6801 et seq.).
            (7) The Electronic Communications Privacy Act of 1986 
        (Public Law 99-508).
            (8) The Driver's Privacy Protection Act of 1994 (18 U.S.C. 
        2721 et seq.).
            (9) The Family Educational Rights and Privacy Act of 1974 
        (20 U.S.C. 1221 note, 1232g).
            (10) Section 445 of the General Education Provisions Act 
        (20 U.S.C. 1232h).
            (11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa 
        et seq.).
            (12) Section 222 of the Communications Act of 1934 (47 
        U.S.C. 222) relating to the Customer Proprietary Network 
        Information.
            (13) The Cable Communications Policy Act of 1984 (47 U.S.C. 
        521 et seq.).
            (14) The Communications Assistance for Law Enforcement Act 
        (47 U.S.C. 1001 et seq.).
            (15) The Video Privacy Protection Act of 1988 (Public Law 
        100-618).
            (16) The Telephone Consumer Protection Act of 1991 (Public 
        Law 102-243).
            (17) The Health Insurance Portability and Accountability 
        Act of 1996 (Public Law 104-191), as it relates to an entity 
        described in section 1172(a) of the Social Security Act (42 
        U.S.C. 1320d-1(a)) or to activities regulated under section 
        1173 of such Act (42 U.S.C. 1320d-2).
    (d) Preemption of State Privacy Laws.--This title preempts any 
statutory law, common law, rule, or regulation of a State, or a 
political subdivision of a State, to the extent such law, rule, or 
regulation relates to or affects the collection, use, sale, disclosure, 
or dissemination of personally identifiable information in commerce. No 
State, or political subdivision of a State, may take any action to 
enforce this title.

SEC. 110. EFFECTIVE DATE.

    This title shall apply with respect to personally identifiable 
information collected on or after the date that is 1 year after the 
date of enactment of this Act.

            TITLE II--IDENTITY THEFT PREVENTION AND REMEDIES

SEC. 201. FACILITATING ELECTRONIC IDENTITY THEFT AFFIDAVITS.

    The Commission shall take such action as necessary to permit 
(including by electronic means) consumers that have a reasonable belief 
that they are a victim of identity theft--
            (1) to enter required consumer information in the 
        commission-developed document entitled ``Identity Theft 
        Affidavit''; and
            (2) to submit completed forms and other supplemental 
        information to the Commission and other entities.

SEC. 202. PROMOTING USE OF COMMON IDENTITY THEFT AFFIDAVIT.

    The Commission shall take such action as necessary to solicit the 
acceptance and acknowledgement of standardized Identity Theft Affidavit 
by entities that receive disputes regarding the unauthorized use of 
accounts of such entities from consumers that have reason to believe 
that they are a victim of identity theft.

SEC. 203. TIMELY RESOLUTION OF IDENTITY THEFT DISPUTES.

    The Commission shall require entities that receive disputes 
regarding the unauthorized use of accounts of such entities from 
consumers that have reason to believe that they are a victim of 
identity theft to conduct any necessary investigation and decide an 
outcome of a claim within 90 days from the date on which all necessary 
information to investigate the claim has been submitted to the entity.

SEC. 204. IMPROVEMENTS TO CONSUMER CLEARINGHOUSE.

    The Commission shall utilize the Identity Theft Clearinghouse to 
permit consumers that have a reasonable belief that they are a victim of 
identity theft to submit any information relevant to such identity 
theft to the Clearinghouse (including by means of an Identity Theft 
Affidavit), so that such information may be transmitted by the 
Clearinghouse to appropriate entities for necessary protective action 
and to mitigate losses resulting from such identity theft.

SEC. 205. IMPROVED IDENTITY THEFT DATA.

    (a) In General.--The Commission shall--
            (1) establish a process to contact, not less than annually, 
        public and private entities that receive and process complaints 
        from consumers that have a reasonable belief that they are a 
        victim of identity theft; and
            (2) obtain accurate data on the incidences and nature of 
        complaints from such entities.
    (b) Inclusion in Database.--Such information shall be made part of 
the Commission's Identity Theft Clearinghouse database.

SEC. 206. CHANGE OF ADDRESS PROTECTIONS.

    The Commission shall require appropriate entities to take 
reasonable steps to verify the accuracy of a consumer's address, 
including by confirming a consumer's change of address by sending a 
confirmation of such change to the old and the new address of the 
consumer.

SEC. 207. EFFECTIVE DATE.

    This title shall take effect 180 days after the date of enactment 
of this Act.

                  TITLE III--INTERNATIONAL PROVISIONS

SEC. 301. STUDY BY COMPTROLLER GENERAL.

    The Comptroller General of the United States shall conduct a study 
and issue a report analyzing the impact on the interstate and foreign 
commerce of the United States of information privacy laws, regulations, 
or agreements enacted, promulgated, or adopted by other nations, 
including regional or international agreements between nations, and 
whether the enforcement mechanisms or procedures of those laws, 
regulations, or agreements result in discriminatory treatment of United 
States entities. The first report under this section shall be issued 
not later than 120 days after the date of enactment of this Act and 
subsequent reports shall be issued every 3 years thereafter.

SEC. 302. REMEDIATION OF DISCRIMINATORY IMPACT BY SECRETARY OF 
              COMMERCE.

    If the Comptroller General of the United States finds, in the study 
and report under section 301, that such information privacy laws, 
regulations, or agreements substantially impede interstate and foreign 
commerce of the United States and that the enforcement mechanisms or 
procedures of the information privacy laws, regulations, or agreements 
described in such section result in discriminatory treatment of 
United States entities, the Secretary of Commerce shall, to the extent 
permitted by law, take all steps necessary to mitigate against such 
discriminatory impact within 180 days after the report making such 
findings is issued.

SEC. 303. EFFECT OF NONREMEDIATION.

    (a) Recommendations.--If by the end of the 180-day period described 
in section 302, the Secretary of Commerce has not attained complete 
relief from the discriminatory impact described in such section, the 
Secretary shall report to the Congress and the President 
recommendations on action to relieve any such remaining discriminatory 
impact.
    (b) Federal Agency Action After Consideration by Congress.--During 
the period after the Secretary reports recommendations under subsection 
(a) for mitigation of discriminatory impact and before the Congress 
acts with respect to such recommendations, no officer or employee of 
any Federal agency may take or continue any action to enjoin, or impose 
any penalty on, a United States entity, or a citizen or legal resident 
of the United States, for the purpose of fulfilling an international 
obligation of the United States under an international privacy 
agreement (other than such an obligation under a ratified treaty) that 
resulted in such discriminatory impact.

SEC. 304. HARMONIZATION OF INTERNATIONAL PRIVACY LAWS, REGULATIONS, AND 
              AGREEMENTS.

    Beginning on the date of enactment of this Act, the Secretary of 
Commerce shall provide notice of the provisions of this Act to other 
nations, individually, or as members of international organizations or 
unions that have enacted, promulgated, or adopted information privacy 
laws, regulations, or agreements, and shall seek recognition of this 
Act by such nations, organizations, or unions. The Secretary shall seek 
the harmonization of this Act with such information privacy laws, 
regulations, or agreements, to the extent such harmonization is 
necessary for the advancement of transnational commerce, including 
electronic commerce.

                      TITLE IV--GENERAL PROVISIONS

SEC. 401. DEFINITIONS.

    In this Act:
            (1) The term ``Commission'' means the Federal Trade 
        Commission.
            (2) The term ``consumer'' means an individual acting in the 
        individual's personal, family, or household capacity.
            (3)(A) The term ``data collection organization'' means an 
        entity (or an agent or affiliate of the entity) that collects 
        (by any means, through any medium), sells, discloses for 
        consideration, or uses personally identifiable information of 
        the consumer.
            (B) Such term does not include--
                    (i) a governmental agency; or
                    (ii) a not-for-profit entity, to the extent that 
                personally identifiable information is not used for a 
                commercial purpose; or
                    (iii) an entity that--
                            (I) has annual gross revenue under 
                        $1,000,000 (based on the value of such amount 
                        in fiscal year 2000, adjusted for current 
                        dollars);
                            (II) has fewer than 25 employees;
                            (III) collects or uses personally 
                        identifiable information from fewer than 1,000 
                        consumers for a purpose unrelated to a 
                        transaction with the consumer;
                            (IV) does not process personally 
                        identifiable information of consumers; and
                            (V) does not sell or disclose for 
                        consideration such information to another 
                        person.
            (4)(A) The term ``personally identifiable information'', 
        with respect to a data collection organization means 
        individually identifiable information relating to a living 
        individual who can be identified from that information.
            (B) Such term includes--
                    (i) first and last name, whether given at birth or 
                adoption, assumed, or legally changed;
                    (ii) home or other physical address including 
                street name and name of a city or town;
                    (iii) electronic mail address;
                    (iv) telephone number;
                    (v) social security number; or
                    (vi) any other unique identifying information that 
                a data collector and processor collects and combines 
                with any information described in the preceding 
                subparagraphs of this paragraph.
            (C) Such term does not include--
                    (i) anonymous or aggregate data, or any other 
                information that does not identify a unique living 
                individual;
                    (ii) information about a consumer inferred from 
                data maintained about a consumer; or
                    (iii) information about a consumer obtained from a 
                public record.
            (5) The term ``affiliate'' means any company that controls, 
        is controlled by, or is under common control with another 
        company.
            (6) The term ``information-sharing partner'' means, with 
        respect to a data collection organization, an entity that is 
        contractually obligated to comply with the practices enumerated 
        under the privacy policy statement of the organization required 
        under section 102.
            (7) The term ``process'', with respect to personally 
        identifiable information, means any value-added activity 
        performed on data by automated means.
            (8) The term ``transaction'' means an interaction between a 
        consumer and a data collection organization resulting in--
                    (A) any use of information that is necessary to 
                complete the interaction in the course of which 
                information is collected, or to maintain the 
                provisioning of a good or service requested by the 
                consumer, including use--
                            (i) to approve, guarantee, process, 
                        administer, complete, enforce, provide, or 
                        market a product, service, account, benefit, 
                        transaction, or payment method that is 
                        requested or approved by the consumer; or
                            (ii) to deliver goods, services, funds, or 
                        other consideration to, or on behalf of, the 
                        consumer;
                    (B) any disclosure of information that is necessary 
                for the consumer to enforce any right of the consumer;
                    (C) any disclosure of information that is required 
                by law or by a court order; and
                    (D) any use of information to evaluate, detect, or 
                reduce the risk of fraud or other criminal activity, or 
                other risk-management activities.
            (9) The term ``display'' means intentionally communicating 
        or otherwise making available (on the Internet or in any other 
        manner) to another person.
            (10) The term ``public record'' means any item, collection, 
        or grouping of information about an individual that is 
        maintained by a Federal, State, or local government entity and 
        that is made available to the public.
            (11) The term ``purchase'' means providing, directly or 
        indirectly, anything of value in exchange for a benefit.
            (12) The term ``State'' includes the several States, the 
        District of Columbia, the Commonwealth of Puerto Rico, the 
        Commonwealth of the Northern Mariana Islands, American Samoa, 
        Guam, the Virgin Islands, the Freely Associated States, and any 
        other territory or possession of the United States.