[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 1055 Introduced in Senate (IS)]







107th CONGRESS
  1st Session
                                S. 1055

To require the consent of an individual prior to the sale and marketing 
of such individual's personally identifiable information, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 14, 2001

Mrs. Feinstein introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
To require the consent of an individual prior to the sale and marketing 
of such individual's personally identifiable information, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Privacy Act of 
2001''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
   TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

Sec. 101. Collection and distribution of personally identifiable 
                            information.
Sec. 102. Enforcement.
Sec. 103. Safe harbor.
Sec. 104. Definitions.
Sec. 105. Preemption.
Sec. 106. Effective Date.
        TITLE II--LIMITATIONS ON USE OF SOCIAL SECURITY NUMBERS

Sec. 201. Findings.
Sec. 202. Prohibition of the display, sale, or purchase of social 
                            security numbers.
Sec. 203. No prohibition with respect to public records.
Sec. 204. Rulemaking authority of the Attorney General.
Sec. 205. Treatment of social security numbers on government documents.
Sec. 206. Limits on personal disclosure of a social security number for 
                            consumer transactions.
Sec. 207. Extension of civil monetary penalties for misuse of a social 
                            security number.
   TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL 
                         FINANCIAL INFORMATION

Sec. 301. Definition of sale.
Sec. 302. Rules applicable to sale of nonpublic personal information.
Sec. 303. Exceptions to sale prohibition.
Sec. 304. Effective date.
 TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

Sec. 401. Definitions.
Sec. 402. Prohibition against selling protected health information.
Sec. 403. Authorization for sale of protected health information.
Sec. 404. Prohibition against retaliation.
Sec. 405. Prohibition against marketing protected health information.
Sec. 406. Rule of construction.
Sec. 407. Regulations.
Sec. 408. Enforcement.
                   TITLE V--DRIVER'S LICENSE PRIVACY

Sec. 501. Driver's license privacy.
                        TITLE VI--MISCELLANEOUS

Sec. 601. Enforcement by State Attorneys General.
Sec. 602. Federal injunctive authority.

   TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

SEC. 101. COLLECTION AND DISTRIBUTION OF PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) Prohibition.--
            (1) In general.--It is unlawful for a commercial entity to 
        collect personally identifiable information and disclose such 
        information to any nonaffiliated third party for marketing 
        purposes or sell such information to any nonaffiliated third 
        party, unless the commercial entity provides--
                    (A) notice to the individual to whom the 
                information relates in accordance with the requirements 
                of subsection (b); and
                    (B) an opportunity for such individual to restrict 
                the disclosure or sale of such information.
            (2) Exception.--A commercial entity may collect personally 
        identifiable information and use such information to market to 
        potential customers such entity's product.
    (b) Notice.--
            (1) In general.--A notice under subsection (a) shall 
        contain statements describing the following:
                    (A) The identity of the commercial entity 
                collecting the personally identifiable information.
                    (B) The types of personally identifiable 
                information that are being collected on the individual.
                    (C) How the commercial entity may use such 
                information.
                    (D) A description of the categories of potential 
                recipients of such personally identifiable information.
                    (E) Whether the individual is required to provide 
                personally identifiable information in order to do 
                business with the commercial entity.
                    (F) How an individual may decline to have such 
                personally identifiable information used or sold as 
                described in subsection (a).
            (2) Time of notice.--Notice shall be conveyed prior to the 
        sale or use of the personally identifiable information as 
        described in subsection (a) in such a manner as to allow the 
        individual a reasonable period of time to consider the notice 
        and limit such sale or use.
            (3) Medium of notice.--The medium for providing notice must 
        be--
                    (A) the same medium in which the personally 
                identifiable information is or will be collected, or a 
                medium approved by the individual; or
                    (B) in the case of oral communication, notice may 
                be conveyed orally or in writing.
            (4) Form of notice.--The notice shall be clear and 
        conspicuous.
    (c) Opt-Out.--
            (1) Opportunity to opt-out of sale or marketing.--The 
        opportunity provided to limit the sale of personally 
        identifiable information to nonaffiliated third parties or the 
        disclosure of such information for marketing purposes, shall be 
        easy to use, accessible and available in the medium the 
        information is collected, or in a medium approved by the 
        individual.
            (2) Duration of limitation.--An individual's limitation on 
        the sale or marketing of personally identifiable information 
        shall be considered permanent, unless otherwise specified by 
        the individual.
            (3) Revocation of consent.--After an individual grants 
        consent to the use of that individual's personally identifiable 
information, the individual may revoke the consent at any time, except 
to the extent that the commercial entity has taken action in reliance 
thereon. The commercial entity shall provide the individual an 
opportunity to revoke consent that is easy to use, accessible, and 
available in the medium the information was or is collected.
            (4) Not applicable.--This section shall not apply to 
        disclosure of personally identifiable information--
                    (A) that is necessary to facilitate a transaction 
                specifically requested by the consumer;
                    (B) is used for the sole purpose of facilitating 
                this transaction; and
                    (C) in which the entity receiving or obtaining such 
                information is limited, by contract, to use such 
                formation for the purpose of completing the 
                transaction.

SEC. 102. ENFORCEMENT.

    (a) In General.--In accordance with the provisions of this section, 
the Federal Trade Commission shall have the authority to enforce any 
violation of section 101 of this Act.
    (b) Violations.--The Federal Trade Commission shall treat a 
violation of section 101 as a violation of a rule under section 
18a(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (c) Transfer of Enforcement Authority.--The Federal Trade 
Commission shall promulgate rules in accordance with section 553 of 
title 5, United States Code, allowing for the transfer of enforcement 
authority from the Federal Trade Commission to a Federal agency 
regarding section 101 of this Act. The Federal Trade Commission may 
permit a Federal agency to enforce any violation of section 101 if such 
agency submits a written request to the Commission to enforce such 
violations and includes in such request--
            (1) a description of the entities regulated by such agency 
        that will be subject to the provisions of section 101;
            (2) an assurance that such agency has sufficient authority 
        over the entities to enforce violations of section 101; and
            (3) a list of proposed rules that such agency shall use in 
        regulating such entities and enforcing section 101.
    (d) Actions by the Commission.--Absent transfer of enforcement 
authority to a Federal agency under subsection (c), the Federal Trade 
Commission shall prevent any person from violating section 101 in the 
same manner, by the same means, and with the same jurisdiction, powers, 
and duties as provided to such Commission under the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.). Any entity that violates section 
101 is subject to the penalties and entitled to the privileges and 
immunities provided in such Act in the same manner, by the same means, 
and with the same jurisdiction, power, and duties under such Act.
    (e) Relationship to Other Laws.--
            (1) Commission authority.--Nothing contained in this title 
        shall be construed to limit authority provided to the 
        Commission under any other law.
            (2) Communications act.--Nothing in section 101 requires an 
        operator of a website to take any action that is inconsistent 
        with the requirements of section 222 or 631 of the 
        Communications Act of 1934 (47 U.S.C. 222 and 5551).
            (3) Other acts.--Nothing in this title is intended to 
        affect the applicability or the enforceability of any provision 
        of, or any amendment made by--
                    (A) the Children's Online Privacy Protection Act of 
                1998 (15 U.S.C. 6501 et seq.);
                    (B) title V of the Gramm-Leach-Bliley Act;
                    (C) the Health Insurance Portability and 
                Accountability Act of 1996; or
                    (D) the Fair Credit Reporting Act.
    (f) Public Records.--Nothing in this title shall be construed to 
restrict commercial entities from obtaining or disclosing personally 
identifying information from public records.
    (g) Civil Penalties.--In addition to any other penalty applicable 
to a violation of section 101(a), a penalty of up to $25,000 may be 
issued for each violation.
    (h) Enforcement Regarding Programs.--
            (1) In general.--A Federal agency or department providing 
        financial assistance to any entity required to comply with 
        section 101 of this Act shall issue regulations requiring that 
        such entity comply with such section or forfeit some or all of 
        such assistance. Such regulations shall prescribe sanctions for 
        noncompliance, require that such department or agency provide 
        notice of failure to comply with such section prior to any 
        action being taken against such recipient, and require that a 
        determination be made prior to any action being taken against 
        such recipient that compliance cannot be secured by voluntary 
        means.
            (2) Federal financial assistance.--The term ``Federal 
        financial assistance'' means assistance through a grant, 
        cooperative agreement, loan, or contract other than a contract 
        of insurance or guaranty.

SEC. 103. SAFE HARBOR.

    A commercial entity may not be held to have violated any provision 
of this title if such entity complies with self-regulatory guidelines 
that--
            ``(1) are issued by seal programs or representatives of the 
        marketing or online industries or by any other person; and
            ``(2) are approved by the Federal Trade Commission, after 
        public comment has been received on such guidelines by the 
        Commission, as meeting the requirements of this title.

SEC. 104. DEFINITIONS.

    In this title:
            (1) Commercial entity.--The term ``commercial entity''--
                    (A) means any person offering products or services 
                involving commerce--
                            (i) among the several States or with 1 or 
                        more foreign nations;
                            (ii) in any territory of the United States 
                        or in the District of Columbia, or between any 
                        such territory and--
                                    (I) another such territory; or
                                    (II) any State or foreign nation; 
                                or
                            (iii) between the District of Columbia and 
                        any State, territory, or foreign nation; and
                    (B) does not include--
                            (i) any nonprofit entity that would 
                        otherwise be exempt from coverage under section 
                        5 of the Federal Trade Commission Act (15 
                        U.S.C. 45);
                            (ii) any financial institution that is 
                        subject to title V of the Gramm-Leach-Bliley 
                        Act (15 U.S.C. 6801 et seq.); or
                            (iii) any group health plan, health 
                        insurance issuer, or other entity that is 
                        subject to the Health Insurance Portability and 
                        Accountability Act of 1996 (42 U.S.C. 201 
                        note).
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Individual.--The term ``individual'' means a person 
        whose personally identifying information has been, is, or will 
        be collected by a commercial entity.
            (4) Marketing.--The term ``marketing'' means to make a 
        communication about a product or service a purpose of which is 
        to encourage recipients of the communication to purchase or use 
        the product or service.
            (5) Medium.--The term ``medium'' means any channel or 
        system of communication including oral, written, and online 
        communication.
            (6) Nonaffiliated third party.--The term ``nonaffiliated 
        third party'' means any entity that is not related by common 
        ownership or affiliated by corporate control with, the 
        commercial entity, but does not include a joint employee of 
        such institution.
            (7) Personally identifiable information.--The term 
        ``personally identifiable information'' means individually 
        identifiable information about the individual that is collected 
        including--
                    (A) a first, middle, or last name, whether given at 
                birth or adoption, assumed, or legally changed;
                    (B) a home or other physical address, including the 
                street name, zip code, and name of a city or town;
                    (C) an e-mail address;
                    (D) a telephone number;
                    (E) a photograph or other form of visual 
                identification;
                    (F) a birth date, birth certificate number, or 
                place of birth for that person; or
                    (G) information concerning the individual that is 
                combined with any other identifier in this paragraph.
            (8) Sale; Sell; Sold.--The terms ``sale'', ``sell'', and 
        ``sold'', with respect to personally identifiable information, 
        mean the exchanging of such information for any thing of value, 
        directly or indirectly, including the licensing, bartering, or 
        renting of such information.
            (9) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic and 
        digital signatures.

SEC. 105. PREEMPTION.

    The provisions of this title shall supersede any statutory and 
common law of States and their political subdivisions insofar as that 
law may now or hereafter relate to the--
            (1) collection and disclosure of personally identifiable 
        information for marketing purposes; and
            (2) collection and sale of personally identifiable 
        information.

SEC. 106. EFFECTIVE DATE.

    This title and the amendments made by this title shall take effect 
1 year after the date of enactment of this Act.

        TITLE II--LIMITATIONS ON USE OF SOCIAL SECURITY NUMBERS

SEC. 201. FINDINGS.

    Congress makes the following findings:
            (1) The inappropriate display, sale, or purchase of social 
        security numbers has contributed to a growing range of illegal 
        activities, including fraud, identity theft, and, in some 
        cases, stalking and other violent crimes.
            (2) While financial institutions, health care providers, 
        and other entities have often used social security numbers to 
        confirm the identity of an individual, the general display to 
        the public, sale, or purchase of these numbers has been used to 
        commit crimes, and also can result in serious invasions of 
        individual privacy.
            (3) The Federal Government requires virtually every 
        individual in the United States to obtain and maintain a social 
        security number in order to pay taxes, to qualify for social 
        security benefits, or to seek employment. An unintended 
        consequence of these requirements is that social security 
        numbers have become tools that can be used to facilitate crime, 
        fraud, and invasions of the privacy of the individuals to whom 
        the numbers are assigned. Because the Federal Government 
        created and maintains this system, and because the Federal 
        Government does not permit individuals to exempt themselves 
        from those requirements, it is appropriate for the Federal 
        Government to take steps to stem the abuse of this system.
            (4) A social security number does not contain, reflect, or 
        convey any publicly significant information or concern any 
        public issue. The display, sale, or purchase of such numbers in 
        no way facilitates uninhibited, robust, and wide-open public 
        debate, and restrictions on such display, sale, or purchase 
        would not affect public debate.
            (5) No one should seek to profit from the display, sale, or 
        purchase of social security numbers in circumstances that 
        create a substantial risk of physical, emotional, or financial 
        harm to the individuals to whom those numbers are assigned.
            (6) Consequently, this Act offers each individual that has 
        been assigned a social security number necessary protection 
        from the display, sale, and purchase of that number in any 
        circumstance that might facilitate unlawful conduct.

SEC. 202. PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL 
              SECURITY NUMBERS.

    (a) Prohibition.--
            (1) In general.--Chapter 47 of title 18, United States 
        Code, is amended by inserting after section 1028 the following:
``Sec. 1028A. Prohibition of the display, sale, or purchase of social 
              security numbers
    ``(a) Definitions.--In this section:
            ``(1) Display.--The term `display' means to intentionally 
        communicate or otherwise make available (on the Internet or in 
        any other manner) to the general public an individual's social 
        security number.
            ``(2) Person.--The term `person' means any individual, 
        partnership, corporation, trust, estate, cooperative, 
        association, or any other entity.
            ``(3) Purchase.--The term `purchase' means providing 
        directly or indirectly, anything of value in exchange for a 
        social security number.
            ``(4) Sale.--The term `sale' means obtaining, directly or 
        indirectly, anything of value in exchange for a social security 
        number.
            ``(5) State.--The term `State' means any State of the 
        United States, the District of Columbia, Puerto Rico, the 
        Northern Mariana Islands, the United States Virgin Islands, 
        Guam, American Samoa, and any territory or possession of the 
        United States.
    ``(b) Limitation on Display.--Except as provided in section 1028B, 
no person may display any individual's social security number to the 
general public without the affirmatively expressed consent of the 
individual.
    ``(c) Limitation on Sale or Purchase.--Except as otherwise provided 
in this section, no person may sell or purchase any individual's social 
security number without the affirmatively expressed consent of the 
individual.
    ``(d) Prohibition of Wrongful Use as Personal Identification 
Number.--No person may obtain any individual's social security number 
for purposes of locating or identifying an individual with the intent 
to physically injure, harm, or use the identity of the individual for 
any illegal purpose.
    ``(e) Prerequisites for Consent.--In order for consent to exist 
under subsection (b) or (c), the person displaying or seeking to 
display, selling or attempting to sell, or purchasing or attempting to 
purchase, an individual's social security number shall--
            ``(1) inform the individual of the general purpose for 
        which the number will be used, the types of persons to whom the 
        number may be available, and the scope of transactions 
        permitted by the consent; and
            ``(2) obtain the affirmatively expressed consent 
        (electronically or in writing) of the individual.
    ``(f) Exceptions.--
            ``(1) In general.--Except as provided in subsection (d), 
        nothing in this section shall be construed to prohibit or limit 
        the display, sale, or purchase of a social security number--
                    ``(A) permitted, required, or excepted, expressly 
                or by implication, under section 205(c)(2), 
                1124A(a)(3), or 1141(c) of the Social Security Act (42 
                U.S.C. 405(c)(2), 1320a-3a(a)(3), and 1320b-11(c)), 
                section 7(a)(2) of the Privacy Act of 1974 (5 U.S.C. 
                552a note), section 6109(d) of the Internal Revenue 
                Code of 1986, or section 6(b)(1) of the Professional 
                Boxing Safety Act of 1996 (15 U.S.C. 6305(b)(1));
                    ``(B) for a public health purpose, including the 
                protection of the health or safety of an individual in 
                an emergency situation;
                    ``(C) for a national security purpose;
                    ``(D) for a law enforcement purpose, including the 
                investigation of fraud, as required under subchapter II 
                of chapter 53 of title 31, United States Code, and 
                chapter 2 of title I of Public Law 91-508 (12 U.S.C. 
                1951-1959), and the enforcement of a child support 
                obligation;
                    ``(E) if the display, sale, or purchase of the 
                number is for a business-to-business use, including, 
                but not limited to--
                            ``(i) the prevention of fraud (including 
                        fraud in protecting an employee's right to 
                        employment benefits);
                            ``(ii) the facilitation of credit checks or 
                        the facilitation of background checks of 
                        employees, prospective employees, and 
                        volunteers;
                            ``(iii) compliance with any requirement 
                        related to the social security program 
                        established under title II of the Social 
                        Security Act (42 U.S.C. 401 et seq.); or
                            ``(iv) the retrieval of other information 
                        from, or by, other businesses, commercial 
                        enterprises, or private nonprofit 
                        organizations,
                except that, nothing in this subparagraph shall be 
                construed as permitting a professional or commercial 
                user to display or sell a social security number to the 
                general public;
                    ``(F) if the transfer of such a number is part of a 
                data matching program under the Computer Matching and 
                Privacy Protection Act of 1988 (5 U.S.C. 552a note) or 
                any similar computer data matching program involving a 
                Federal, State, or local agency; or
                    ``(G) if such number is required to be submitted as 
                part of the process for applying for any type of 
                Federal, State, or local government benefit or program.
    ``(g) Civil Action in United States District Court; Damages; 
Attorney's Fees and Costs.--
            ``(1) In general.--Any individual aggrieved by any act of 
        any person in violation of this section may bring a civil 
        action in a United States district court to recover--
                    ``(A) such preliminary and equitable relief as the 
                court determines to be appropriate; and
                    ``(B) the greater of--
                            ``(i) actual damages;
                            ``(ii) liquidated damages of $2,500; or
                            ``(iii) in the case of a violation that was 
                        willful and resulted in profit or monetary 
                        gain, liquidated damages of $10,000.
            ``(2) Statute of limitations.--No action may be commenced 
        under this subsection more than 3 years after the date on which 
        the violation was or should reasonably have been discovered by 
        the aggrieved individual.
            ``(3) Nonexclusive remedy.--The remedy provided under this 
        subsection shall be in addition to any other remedy available 
        to the individual.
    ``(h) Civil Penalties.--
            ``(1) In general.--Any person who the Attorney General 
        determines has violated this section shall be subject, in 
        addition to any other penalties that may be prescribed by law--
                    ``(A) to a civil penalty of not more than $5,000 
                for each such violation; and
                    ``(B) to a civil penalty of not more than $50,000, 
                if the violations have occurred with such frequency as 
                to constitute a general business practice.
            ``(2) Determination of violations.--Any willful violation 
        committed contemporaneously with respect to the social security 
        numbers of 2 or more individuals by means of mail, 
        telecommunication, or otherwise, shall be treated as a separate 
        violation with respect to each such individual.
            ``(3) Enforcement procedures.--The provisions of section 
        1128A of the Social Security Act (42 U.S.C. 1320a-7a), other 
        than subsections (a), (b), (f), (h), (i), (j), (m), and (n) and 
        the first sentence of subsection (c) of such section, and the 
        provisions of subsections (d) and (e) of section 205 of such 
        Act (42 U.S.C. 405) shall apply to a civil penalty under this 
        subsection in the same manner as such provisions apply to a 
        penalty or proceeding under section 1128A(a) of such Act (42 
        U.S.C. 1320a-7a(a)), except that, for purposes of this 
        paragraph, any reference in section 1128A of such Act (42 
        U.S.C. 1320a-7a) to the Secretary shall be deemed to be a 
        reference to the Attorney General.''.
            (2) Conforming amendment.--The chapter analysis for chapter 
        47 of title 18, United States Code, is amended by inserting 
        after the item relating to section 1028 the following:

``1028A. Prohibition of the display, sale, or purchase of social 
                            security numbers.''.
    (b) Criminal Sanctions.--Section 208(a) of the Social Security Act 
(42 U.S.C. 408(a)) is amended--
            (1) in paragraph (8), by inserting ``or'' after the 
        semicolon; and
            (2) by inserting after paragraph (8) the following new 
        paragraphs:
            ``(9) except as provided in paragraph (5) of section 
        1028A(a) of title 18, United States Code, knowingly and 
        willfully displays, sells, or purchases (as those terms are 
        defined in paragraph (1) of such section) any individual's 
        social security number (as defined in such paragraph) without 
        the affirmatively expressed consent of that individual after 
        having met the prerequisites for consent under paragraph (4) of 
        such section, electronically or in writing, with respect to 
        that individual; or
            ``(10) obtains any individual's social security number for 
        the purpose of locating or identifying the individual with the 
        intent to injure or to harm that individual, or to use the 
        identity of that individual for an illegal purpose;''.
    (c) Effective Date.--Section 1028A of title 18, United States Code 
(as added by subsection (a)), and section 208 of the Social Security 
Act (42 U.S.C. 408) (as amended by subsection (b)) shall take effect 30 
days after the date on which the final regulations promulgated under 
section 204(b) are published in the Federal Register.

SEC. 203. NO PROHIBITION WITH RESPECT TO PUBLIC RECORDS.

    (a) Public Records Exception.--
            (1) In general.--Chapter 47 of title 18, United States Code 
        (as amended by section 202(a)(1)), is amended by inserting 
        after section 1028A the following:
``Sec. 1028B. No prohibition of the display, sale, or purchase of 
              social security numbers included in public records
    ``(a) In General.--Nothing in section 1028A shall be construed to 
prohibit or limit the display, sale, or purchase of any public record 
which includes a social security number that--
            ``(1) is incidentally included in a public record, as 
        defined in subsection (d);
            ``(2) is intended to be purchased, sold, or displayed 
        pursuant to an exception contained in section 1028A(f);
            ``(3) is intended to be purchased, sold, or displayed 
        pursuant to the consent provisions of subsections (b), (c), and 
        (e) of section 1028A; or
            ``(4) includes a redaction of the nonincidental occurrences 
        of the social security numbers when sold or displayed to 
        members of the general public.
    ``(b) Agency Requirements.--Each agency in possession of documents 
that contain social security numbers which are nonincidental, shall, 
with respect to such documents--
            ``(1) ensure that access to such numbers is restricted to 
        persons who may obtain them in accordance with applicable law;
            ``(2) require an individual who is not exempt under section 
1028A(f) to provide the social security number of the person who is the 
subject of the document before making such document available; or
            ``(3) redact the social security number from the document 
        prior to providing a copy of the requested document to an 
        individual who is not exempt under section 1028A(f) and who is 
        unable to provide the social security number of the person who 
        is the subject of the document.
    ``(c) Rule of Construction.--Nothing in this section shall be used 
as a basis for permitting or requiring a State or local government 
entity or other repository of public documents to expand or to limit 
access to documents containing social security numbers to entities 
covered by the exception in section 1028A(f).
    ``(d) Definitions.--In this section:
            ``(1) Incidental.--The term `incidental' means that the 
        social security number is not routinely displayed in a 
        consistent and predictable manner on the public record by a 
        government entity, such as on the face of a document.
            ``(2) Public record.--The term `public record' means any 
        item, collection, or grouping of information about an 
        individual that is maintained by a Federal, State, or local 
        government entity and that is made available to the public.''.
            (2) Conforming amendment.--The chapter analysis for chapter 
        47 of title 18, United States Code (as amended by section 
        202(a)(2)), is amended by inserting after the item relating to 
        section 1028A the following:

``1028B. No prohibition of the display, sale, or purchase of social 
                            security numbers included in public 
                            records.''.

SEC. 204. RULEMAKING AUTHORITY OF THE ATTORNEY GENERAL.

    (a) In General.--Except as provided in subsection (b), the Attorney 
General may prescribe such rules and regulations as the Attorney 
General deems necessary to carry out the provisions of section 202.
    (b) Business-to-Business Commercial Display, Sale, or Purchase 
Rulemaking.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Attorney General, in consultation 
        with the Commissioner of Social Security, the Federal Trade 
        Commission, and such other Federal agencies as the Attorney 
        General determines appropriate, may conduct such rulemaking 
        procedures in accordance with subchapter II of chapter 5 of 
        title 5, United States Code, as are necessary to promulgate 
        regulations to implement and clarify the business-to-business 
        provisions pertaining to section 1028A(f)(1)(E) of title 18, 
        United States Code (as added by section 202(a)(1)). The 
        Attorney General shall consult with other agencies to ensure, 
        where possible, that these provisions are consistent with other 
        privacy laws, including title V of the Gramm-Leach-Bliley Act 
        (15 U.S.C. 6801 et seq.).
            (2) Factors to be considered.--In promulgating the 
        regulations required under paragraph (1), the Attorney General 
        shall, at a minimum, consider the following factors:
                    (A) The benefit to a particular business practice 
                and to the general public of the sale or purchase of an 
                individual's social security number.
                    (B) The risk that a particular business practice 
                will promote the use of the social security number to 
                commit fraud, deception, or crime.
                    (C) The presence of adequate safeguards to prevent 
                the misappropriation of social security numbers by the 
                general public, while permitting internal business uses 
                of such numbers.
                    (D) The implementation of procedures to prevent 
                identity thieves, stalkers, and others with ill intent 
                from posing as legitimate businesses to obtain social 
                security numbers.

SEC. 205. TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT DOCUMENTS.

    (a) Prohibition of Use of Social Security Account Numbers on Checks 
Issued for Payment by Governmental Agencies.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
        the end the following new clause:
    ``(x) No Federal, State, or local agency may display the social 
security account number of any individual, or any derivative of such 
number, on any check issued for any payment by the Federal, State, or 
local agency.''.
            (2) Effective date.--The amendment made by this subsection 
        shall apply with respect to violations of section 
        205(c)(2)(C)(x) of the Social Security Act (42 U.S.C. 
        405(c)(2)(C)(x)), as added by paragraph (1), occurring after 
        the date that is 3 years after the date of enactment of this 
        Act.
    (b) Prohibition of Appearance of Social Security Account Numbers on 
Driver's Licenses or Motor Vehicle Registration.--
            (1) In general.--Section 205(c)(2)(C)(vi) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)(vi)) is amended--
                    (A) by inserting ``(I)'' after ``(vi)''; and
                    (B) by adding at the end the following new 
                subclause:
    ``(II)(aa) An agency of a State (or political subdivision thereof), 
in the administration of any driver's license or motor vehicle 
registration law within its jurisdiction, may not disclose the social 
security account numbers issued by the Commissioner of Social Security, 
or any derivative of such numbers, on any driver's license or motor 
vehicle registration or any other document issued by such State (or 
political subdivision thereof) to an individual for purposes of 
identification of such individual.
    ``(bb) Nothing in this subclause shall be construed as precluding 
an agency of a State (or political subdivision thereof), in the 
administration of any driver's license or motor vehicle registration 
law within its jurisdiction, from using a social security account 
number for an internal use or to link with the database of an agency of 
another State that is responsible for the administration of any 
driver's license or motor vehicle registration law.''.
            (2) Effective date.--The amendment made by this subsection 
        shall apply with respect to licenses, registrations, and other 
        documents issued or reissued after the date that is 1 year 
        after the date of enactment of this Act.
    (c) Prohibition of Inmate Access to Social Security Account 
Numbers.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by subsection 
(b)) is amended by adding at the end the following new clause:
    ``(xi) No Federal, State, or local agency may employ, or enter into 
a contract for the use or employment of, prisoners in any capacity that 
would allow such prisoners access to the social security account 
numbers of other individuals. For purposes of this clause, the term 
`prisoner' means an individual confined in a jail, prison, or other 
penal institution or correctional facility pursuant to such 
individual's conviction of a criminal offense.''.
            (2) Effective date.--The amendment made by this subsection 
        shall apply with respect to employment of prisoners, or entry 
        into contract with prisoners, after the date that is 1 year 
        after the date of enactment of this Act.

SEC. 206. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER FOR 
              CONSUMER TRANSACTIONS.

    (a) In General.--Part A of title XI of the Social Security Act (42 
U.S.C. 1301 et seq.) is amended by adding at the end the following new 
section:

``SEC. 1150A. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER 
              FOR CONSUMER TRANSACTIONS.

    ``(a) In General.--A commercial entity may not require an 
individual to provide the individual's social security number when 
purchasing a commercial good or service or deny an individual the good 
or service for refusing to provide that number except--
            ``(1) for any purpose relating to--
                    ``(A) obtaining a consumer report for any purpose 
                permitted under the Fair Credit Reporting Act;
                    ``(B) a background check of the individual 
                conducted by a landlord, lessor, employer, voluntary 
                service agency, or other entity as determined by the 
                Attorney General;
                    ``(C) law enforcement; or
                    ``(D) a Federal or State law requirement; or
            ``(2) if the social security number is necessary to verify 
        identity and to prevent fraud with respect to the specific 
        transaction requested by the consumer and no other form of 
        identification can produce comparable information.
    ``(b) Other Forms of Identification.--Nothing in this section shall 
be construed to prohibit a commercial entity from--
            ``(1) requiring an individual to provide 2 forms of 
        identification that do not contain the social security number 
        of the individual; or
            ``(2) denying an individual a good or service for refusing 
        to provide 2 forms of identification that do not contain such 
        number.
    ``(c) Application of Civil Money Penalties.--A violation of this 
section shall be deemed to be a violation of section 1129(a)(3)(F).
    ``(d) Application of Criminal Penalties.--A violation of this 
section shall be deemed to be a violation of section 208(a)(8).''.
    (b) Effective Date.--The amendment made by subsection (a) shall 
apply to requests to provide a social security number made on or after 
the date of enactment of this Act.

SEC. 207. EXTENSION OF CIVIL MONETARY PENALTIES FOR MISUSE OF A SOCIAL 
              SECURITY NUMBER.

    (a) Treatment of Withholding of Material Facts.--
            (1) Civil penalties.--The first sentence of section 
        1129(a)(1) of the Social Security Act (42 U.S.C. 1320a-8(a)(1)) 
        is amended--
                    (A) by striking ``who'' and inserting ``who--'';
                    (B) by striking ``makes'' and all that follows 
                through ``shall be subject to'' and inserting the 
                following:
            ``(A) makes, or causes to be made, a statement or 
        representation of a material fact, for use in determining any 
        initial or continuing right to or the amount of monthly 
        insurance benefits under title II or benefits or payments under 
        title VIII or XVI, that the person knows or should know is 
        false or misleading;
            ``(B) makes such a statement or representation for such use 
        with knowing disregard for the truth; or
            ``(C) omits from a statement or representation for such 
        use, or otherwise withholds disclosure of, a fact which the 
        individual knows or should know is material to the 
        determination of any initial or continuing right to or the 
        amount of monthly insurance benefits under title II or benefits 
        or payments under title VIII or XVI and the individual knows, 
        or should know, that the statement or representation with such 
        omission is false or misleading or that the withholding of such 
        disclosure is misleading,
shall be subject to'';
                    (C) by inserting ``or each receipt of such benefits 
                while withholding disclosure of such fact'' after 
                ``each such statement or representation'';
                    (D) by inserting ``or because of such withholding 
                of disclosure of a material fact'' after ``because of 
                such statement or representation''; and
                    (E) by inserting ``or such a withholding of 
                disclosure'' after ``such a statement or 
                representation''.
            (2) Administrative procedure for imposing penalties.--The 
        first sentence of section 1129A(a) of the Social Security Act 
        (42 U.S.C. 1320a-8a(a)) is amended--
                    (A) by striking ``who'' and inserting ``who--''; 
                and
                    (B) by striking ``makes'' and all that follows 
                through ``shall be subject to'' and inserting the 
                following new paragraphs:
            ``(1) makes, or causes to be made, a statement or 
        representation of a material fact, for use in determining any 
        initial or continuing right to or the amount of monthly 
        insurance benefits under title II or benefits or payments under 
        title VIII or XVI, that the person knows or should know is 
        false or misleading;
            ``(2) makes such a statement or representation for such use 
        with knowing disregard for the truth; or
            ``(3) omits from a statement or representation for such 
        use, or otherwise withholds disclosure of, a fact which the 
        individual knows or should know is material to the 
        determination of any initial or continuing right to or the 
        amount of monthly insurance benefits under title II or benefits 
        or payments under title VIII or XVI and the individual knows, 
        or should know, that the statement or representation with such 
        omission is false or misleading or that the withholding of such 
        disclosure is misleading,
shall be subject to''.
    (b) Application of Civil Money Penalties to Elements of Criminal 
Violations.--Section 1129(a) of the Social Security Act (42 U.S.C. 
1320a-8(a)), as amended by subsection (a)(1), is amended--
            (1) by redesignating paragraph (2) as paragraph (4);
            (2) by redesignating the last sentence of paragraph (1) as 
        paragraph (2) and inserting such paragraph after paragraph (1); 
        and
            (3) by inserting after paragraph (2) (as so redesignated) 
        the following new paragraph:
    ``(3) Any person (including an organization, agency, or other 
entity) who--
            ``(A) uses a social security account number that such 
        person knows or should know has been assigned by the 
        Commissioner of Social Security (in an exercise of authority 
        under section 205(c)(2) to establish and maintain records) on 
        the basis of false information furnished to the Commissioner by 
        any person;
            ``(B) falsely represents a number to be the social security 
        account number assigned by the Commissioner of Social Security 
        to any individual, when such person knows or should know that 
        such number is not the social security account number assigned 
        by the Commissioner to such individual;
            ``(C) knowingly alters a social security card issued by the 
        Commissioner of Social Security, or possesses such a card with 
        intent to alter it;
            ``(D) knowingly displays, sells, or purchases a card that 
        is, or purports to be, a card issued by the Commissioner of 
        Social Security, or possesses such a card with intent to 
        display, purchase, or sell it;
            ``(E) counterfeits a social security card, or possesses a 
        counterfeit social security card with intent to display, sell, 
        or purchase it;
            ``(F) discloses, uses, compels the disclosure of, or 
        knowingly displays, sells, or purchases the social security 
        account number of any person in violation of the laws of the 
        United States;
            ``(G) with intent to deceive the Commissioner of Social 
        Security as to such person's true identity (or the true 
        identity of any other person) furnishes or causes to be 
        furnished false information to the Commissioner with respect to 
        any information required by the Commissioner in connection with 
        the establishment and maintenance of the records provided for 
        in section 205(c)(2);
            ``(H) offers, for a fee, to acquire for any individual, or 
        to assist in acquiring for any individual, an additional social 
        security account number or a number which purports to be a 
        social security account number; or
            ``(I) being an officer or employee of a Federal, State, or 
        local agency in possession of any individual's social security 
        account number, willfully acts or fails to act so as to cause a 
        violation by such agency of clause (vi)(II) or (x) of section 
        205(c)(2)(C),
shall be subject to, in addition to any other penalties that may be 
prescribed by law, a civil money penalty of not more than $5,000 for 
each violation. Such person shall also be subject to an assessment, in 
lieu of damages sustained by the United States resulting from such 
violation, of not more than twice the amount of any benefits or 
payments paid as a result of such violation.''.
    (c) Clarification of Treatment of Recovered Amounts.--Section 
1129(e)(2)(B) of the Social Security Act (42 U.S.C. 1320a-8(e)(2)(B)) 
is amended by striking ``In the case of amounts recovered arising out 
of a determination relating to title VIII or XVI,'' and inserting ``In 
the case of any other amounts recovered under this section,''.
    (d) Conforming Amendments.--
            (1) Section 1129(b)(3)(A) of the Social Security Act (42 
        U.S.C. 1320a-8(b)(3)(A)) is amended by striking ``charging 
        fraud or false statements''.
            (2) Section 1129(c)(1) of the Social Security Act (42 
        U.S.C. 1320a-8(c)(1)) is amended by striking ``and 
        representations'' and inserting ``, representations, or 
        actions''.
            (3) Section 1129(e)(1)(A) of the Social Security Act (42 
        U.S.C. 1320a-8(e)(1)(A)) is amended by striking ``statement or 
        representation referred to in subsection (a) was made'' and 
        inserting ``violation occurred''.
    (e) Effective Dates.--
            (1) In general.--Except as provided in paragraph (2), the 
        amendments made by this section shall apply with respect to 
        violations of sections 1129 and 1129A of the Social Security 
        Act (42 U.S.C. 1320-8 and 1320a-8a), as amended by this 
        section, committed after the date of enactment of this Act.
            (2) Violations by government agents in possession of social 
        security numbers.--Section 1129(a)(3)(I) of the Social Security 
        Act (42 U.S.C. 1320a-8(a)(3)(I)), as added by subsection (b), 
        shall apply with respect to violations of that section 
        occurring on or after the effective date under section 202(c).

   TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL 
                         FINANCIAL INFORMATION

SEC. 301. DEFINITION OF SALE.

    Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is 
amended by adding at the end the following:
            ``(12) Sale.--The terms `sale', `sell', and `sold', with 
        respect to nonpublic personal information, mean the exchange of 
        such information for any thing of value, directly or 
        indirectly, including the licensing, bartering, or renting of 
        such information.''.

SEC. 302. RULES APPLICABLE TO SALE OF NONPUBLIC PERSONAL INFORMATION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is 
amended--
            (1) in the section heading, by inserting ``and sales'' 
        after ``disclosures'';
            (2) in subsection (a), by inserting ``or sell'' after 
        ``disclose'';
            (3) in subsection (b)--
                    (A) in the heading, by inserting ``for Certain 
                Disclosures'' before the period; and
                    (B) by adding at the end the following:
            ``(3) Limitation.--Paragraphs (1) and (2) do not apply to 
        the sale of nonpublic personal information.'';
            (4) by striking subsection (e);
            (5) by redesignating subsections (c) and (d) as subsections 
        (d) and (e), respectively; and
            (6) by inserting after subsection (b) the following:
    ``(c) Opt-In for Sale of Information.--
            ``(1) Affirmative consent required.--Each agency or 
        authority described in section 504(a) shall, by rule prescribed 
        under that section, prohibit a financial institution that is 
        subject to its jurisdiction from selling any nonpublic personal 
        information to any nonaffiliated third party, unless the 
        consumer to whom the information pertains--
                    ``(A) has affirmatively consented in accordance 
                with such rule to the sale of such information; and
                    ``(B) has not withdrawn the consent.
            ``(2) Denial of service prohibited.--The rule prescribed 
        pursuant to paragraph (1) shall prohibit a financial 
        institution from denying any consumer a financial product or a 
        financial service for the refusal by the consumer to grant the 
        consent required by such rule.''.

SEC. 303. EXCEPTIONS TO SALE PROHIBITION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as 
amended by this title, is amended by adding at the end the following:
    ``(f) General Exceptions.--This section does not prohibit--
            ``(1) the sale or other disclosure of nonpublic personal 
        information to a nonaffiliated third party--
                    ``(A) as necessary to effect, administer, or 
                enforce a transaction requested or authorized by the 
                consumer to whom the information pertains, or in 
                connection with--
                            ``(i) servicing or processing a financial 
                        product or service requested or authorized by 
                        the consumer;
                            ``(ii) maintaining or servicing the account 
                        of the consumer with the financial institution, 
                        or with another entity as part of a private 
                        label credit card program or other extension of 
                        credit on behalf of such entity; or
                            ``(iii) a proposed or actual 
                        securitization, secondary market sale 
                        (including sales of servicing rights), or 
                        similar transaction related to a transaction of 
                        the consumer;
                    ``(B) with the consent or at the direction of the 
                consumer, in accordance with applicable rules 
                prescribed under this subtitle;
                    ``(C) to the extent specifically permitted or 
                required under other provisions of law and in 
                accordance with the Right to Financial Privacy Act of 
                1978; or
                    ``(D) to law enforcement agencies (including a 
                Federal functional regulator, the Secretary of the 
                Treasury, with respect to subchapter II of chapter 53 
                of title 31, United States Code, and chapter 2 of title 
                I of Public Law 91-508 (12 U.S.C. 1951-1959), a State 
                insurance authority, or the Federal Trade Commission), 
                self-regulatory organizations, or for an investigation 
                on a matter related to public safety; or
            ``(2) the disclosure, other than the sale, of nonpublic 
        personal information--
                    ``(A) to protect the confidentiality or security of 
                the records of the financial institution pertaining to 
                the consumer, the service or product, or the 
                transaction therein;
                    ``(B) to protect against or prevent actual or 
                potential fraud, unauthorized transactions, claims, or 
                other liability;
                    ``(C) for required institutional risk control, or 
                for resolving customer disputes or inquiries;
                    ``(D) to persons holding a legal or beneficial 
                interest relating to the consumer;
                    ``(E) to persons acting in a fiduciary or 
                representative capacity on behalf of the consumer;
                    ``(F) to provide information to insurance rate 
                advisory organizations, guaranty funds or agencies, 
                applicable rating agencies of the financial 
                institution, persons assessing the compliance of the 
                institution with industry standards, or the attorneys, 
                accountants, or auditors of the institution;
                    ``(G) to a consumer reporting agency, in accordance 
                with the Fair Credit Reporting Act or from a consumer 
                report reported by a consumer reporting agency, as 
                those terms are defined in that Act;
                    ``(H) in connection with a proposed or actual sale, 
                merger, transfer, or exchange of all or a portion of a 
                business or operating unit if the disclosure of 
                nonpublic personal information concerns solely 
                consumers of such business or unit;
                    ``(I) to comply with Federal, State, or local laws, 
                rules, or other applicable legal requirements, or with 
                a properly authorized civil, criminal, or regulatory 
                investigation or subpoena or summons by Federal, State, 
                or local authorities; or
                    ``(J) to respond to judicial process or government 
                regulatory authorities having jurisdiction over the 
                financial institution for examination, compliance, or 
                other purposes, as authorized by law.''.

SEC. 304. EFFECTIVE DATE.

    This title shall take effect 6 months after the date on which the 
rules are required to be prescribed under section 504(a)(3).

 TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

SEC. 401. DEFINITIONS.

    In this title:
            (1) Business associate.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``business associate'' means, with 
                respect to a covered entity, a person who--
                            (i) on behalf of such covered entity or of 
                        an organized health care arrangement in which 
                        the covered entity participates, but other than 
                        in the capacity of a member of the workforce of 
                        such covered entity or arrangement, performs, 
                        or assists in the performance of--
                                    (I) a function or activity 
                                involving the use or disclosure of 
                                individually identifiable health 
                                information, including claims 
                                processing or administration, data 
                                analysis, processing or administration, 
                                utilization review, quality assurance, 
                                billing, benefit management, practice 
                                management, and repricing; or
                                    (II) any other function or activity 
                                regulated under parts 160 through 164 
                                of title 45, Code of Federal 
                                Regulations; or
                            (ii) provides, other than in the capacity 
                        of a member of the workforce of such covered 
                        entity, legal, actuarial, accounting, 
                        consulting, data aggregation, management, 
                        administrative, accreditation, or financial 
                        services to or for such covered entity, or to 
                        or for an organized health care arrangement in 
                        which the covered entity participates, where 
                        the provision of the service involves the 
                        disclosure of individually identifiable health 
                        information from such covered entity or 
                        arrangement, or from another business associate 
                        of such covered entity or arrangement, to the 
                        person.
                    (B) Limitations.--
                            (i) In general.--A covered entity 
                        participating in an organized health care 
                        arrangement that performs a function or 
                        activity as described by subparagraph (A)(i) 
                        for or on behalf of such organized health care 
                        arrangement, or that provides a service as 
                        described in subparagraph (A)(ii) to or for 
                        such organized health care arrangement, does 
                        not, simply through the performance of such 
                        function or activity or the provision of such 
                        service, become a business associate of other 
                        covered entities participating in such 
                        organized health care arrangement.
                            (ii) Limitation.--A covered entity may be a 
                        business associate of another covered entity.
            (2) Covered entity.--The term ``covered entity'' means--
                    (A) a health plan;
                    (B) a health care clearinghouse; and
                    (C) a health care provider who transmits any health 
                information in electronic form in connection with a 
                transaction covered by parts 160 through 164 of title 
                45, Code of Federal Regulations.
            (3) Disclosure.--The term ``disclosure'' means the release, 
        transfer, provision of access to, or divulging in any other 
        manner of information outside the entity holding the 
        information.
            (4) Employer.--The term ``employer'' means a person or 
        organization for whom an individual performs or has performed 
        any service, of whatever nature, as the employee of that person 
        or organization, except that--
                    (A) if the person for whom the individual performs 
                or has performed the service does not have control of 
                the payment of wages for such service, the term 
                ``employer'' means the person having control of the 
                payment of those wages; and
                    (B) in the case of a person paying wages on behalf 
                of a nonresident alien individual, foreign partnership, 
                or foreign corporation, not engaged in trade or 
                business within the United States, the term 
                ``employer'' means that person.
            (5) Group health plan.--The term ``group health plan'' 
        means an employee welfare benefit plan (as defined in section 
        3(1) of the Employee Retirement Income and Security Act of 1974 
        (29 U.S.C. 1002(1)), including insured and self-insured plans, 
        to the extent that the plan provides medical care (as defined 
        in section 2791(a)(2) of the Public Health Service Act, 42 
U.S.C. 300gg-91(a)(2)), including items and services paid for as 
medical care, to employees or their dependents directly or through 
insurance, reimbursement, or otherwise, that--
                    (A) has 50 or more participants (as defined in 
                section 3(7) of Employee Retirement Income and Security 
                Act of 1974, 29 U.S.C. 1002(7)); or
                    (B) is administered by an entity other than the 
                employer that established and maintains the plan.
            (6) Health care.--The term ``health care'' means care, 
        services, or supplies related to the health of an individual, 
        including--
                    (A) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care and 
                counseling services, assessment, or procedure with 
                respect to the physical or mental condition, or 
                functional status, of an individual or that affects the 
                structure or function of the body; and
                    (B) a sale or dispensing of a drug, device, 
                equipment, or other item in accordance with a 
                prescription.
            (7) Health care clearinghouse.--The term ``health care 
        clearinghouse'' means a public or private entity, including a 
        billing service, repricing company, community health management 
        information system or community health information system, and 
        value-added networks and switches, that--
                    (A) processes or facilitates the processing of 
                health information received from another entity in a 
                nonstandard format or containing nonstandard data 
                content into standard data elements or a standard 
                transaction; or
                    (B) receives a standard transaction from another 
                entity and processes or facilitates the processing of 
                health information into nonstandard format or 
                nonstandard data content for the receiving entity.
            (8) Health care provider.--The term ``health care 
        provider'' has the same meaning given the terms ``provider of 
        services'' and ``provider of medical or health services'' in 
        subsections (u) and (s) of section 1861 of the Social Security 
        Act (42 U.S.C. 1395x), and includes any other person or 
        organization who furnishes, bills, or is paid for health care 
        in the normal course of business.
            (9) Health information.--The term ``health information'' 
        means any information, whether oral or recorded in any form or 
        medium, that--
                    (A) is created or received by a health care 
                provider, health plan, public health authority, 
                employer, life insurer, school or university, or health 
                care clearinghouse; and
                    (B) relates to the past, present, or future 
                physical or mental health or condition of an 
                individual; the provision of health care to an 
                individual; or the past, present, or future payment for 
                the provision of health care to an individual.
            (10) Health insurance issuer.--The term ``health insurance 
        issuer'' means a health insurance issuer (as defined in section 
        2791(b)(2) of the Public Health Service Act, 42 U.S.C. 300gg-
        91(b)(2)) and used in the definition of health plan in this 
        section and includes an insurance company, insurance service, 
        or insurance organization (including an HMO) that is licensed 
        to engage in the business of insurance in a State and is 
        subject to State law that regulates insurance. Such term does 
        not include a group health plan.
            (11) Health maintenance organization.--The term ``health 
        maintenance organization'' (HMO) (as defined in section 
        2791(b)(3) of the Public Health Service Act, 42 U.S.C. 300gg-91 
        (b)(3)) and used in the definition of health plan in this 
        section, means a federally qualified HMO, an organization 
        recognized as an HMO under State law, or a similar organization 
        regulated for solvency under State law in the same manner and 
        to the same extent as such an HMO.
            (12) Health oversight agency.--The term ``health oversight 
        agency'' means an agency or authority of the United States, a 
        State, a territory, a political subdivision of a State or 
        territory, or an Indian tribe, or a person or entity acting 
        under a grant of authority from or contract with such public 
        agency, including the employees or agents of such public agency 
        or its contractors or persons or entities to whom it has 
        granted authority, that is authorized by law to oversee the 
        health care system (whether public or private) or government 
        programs in which health information is necessary to determine 
        eligibility or compliance, or to enforce civil rights laws for 
        which health information is relevant.
            (13) Health plan.--The term ``health plan'' means an 
        individual or group plan that provides, or pays the cost of, 
        medical care, as defined in section 2791(a)(2) of the Public 
        Health Service Act (42 U.S.C. 300gg-91(a)(2))--
                    (A) including, singly or in combination--
                            (i) a group health plan;
                            (ii) a health insurance issuer;
                            (iii) an HMO;
                            (iv) part A or B of the medicare program 
                        under title XVIII of the Social Security Act 
                        (42 U.S.C. 1395 et seq.);
                            (v) the medicaid program under title XIX of 
                        the Social Security Act (42 U.S.C. 1396 et 
                        seq.);
                            (vi) an issuer of a medicare supplemental 
                        policy (as defined in section 1882(g)(1) of the 
                        Social Security Act, 42 U.S.C. 1395ss(g)(1));
                            (vii) an issuer of a long-term care policy, 
                        excluding a nursing home fixed-indemnity 
                        policy;
                            (viii) an employee welfare benefit plan or 
                        any other arrangement that is established or 
                        maintained for the purpose of offering or 
                        providing health benefits to the employees of 2 
                        or more employers;
                            (ix) the health care program for active 
                        military personnel under title 10, United 
                        States Code;
                            (x) the veterans health care program under 
                        chapter 17 of title 38, United States Code;
                            (xi) the Civilian Health and Medical 
                        Program of the Uniformed Services (CHAMPUS) (as 
                        defined in section 1072(4) of title 10, United 
                        States Code);
                            (xii) the Indian Health Service program 
                        under the Indian Health Care Improvement Act 
                        (25 U.S.C. 1601 et seq.);
                            (xiii) the Federal Employees Health 
                        Benefits Program under chapter 89 of title 5, 
                        United States Code;
                            (xiv) an approved State child health plan 
                        under title XXI of the Social Security Act (42 
                        U.S.C. 1397aa et seq.), providing benefits for 
                        child health assistance that meet the 
                        requirements of section 2103 of such Act (42 
                        U.S.C. 1397cc);
                            (xv) the Medicare+Choice program under part 
                        C of title XVIII of the Social Security Act (42 
                        U.S.C. 1395w-21 et seq.);
                            (xvi) a high risk pool that is a mechanism 
                        established under State law to provide health 
                        insurance coverage or comparable coverage to 
                        eligible individuals; and
                            (xvii) any other individual or group plan, 
                        or combination of individual or group plans, 
                        that provides or pays for the cost of medical 
                        care (as defined in section 2791(a)(2) of the 
                        Public Health Service Act (42 U.S.C. 300gg-
                        91(a)(2)); and
                    (B) excluding--
                            (i) any policy, plan, or program to the 
                        extent that it provides, or pays for the cost 
                        of, excepted benefits that are listed in 
                        section 2791(c)(1) of the Public Health Service 
                        Act (42 U.S.C. 300gg-91(c)(1)); and
                            (ii) a government-funded program (other 
                        than 1 listed in clause (i) through (xvi) of 
                        paragraph (1)), whose principal purpose is 
                        other than providing, or paying the cost of, 
                        health care, or whose principal activity is the 
                        direct provision of health care to persons, or 
                        the making of grants to fund the direct 
                        provision of health care to persons.
            (14) Individually identifiable health information.--The 
        term ``individually identifiable health information'' means 
        information that is a subset of health information, including 
        demographic information collected from an individual, that--
                    (A) is created or received by a covered entity or 
                employer; and
                    (B)(i) relates to the past, present, or future 
                physical or mental health or condition of an 
                individual, the provision of health care to an 
                individual, or the past, present, or future payment for 
                the provision of health care to an individual; and
                    (ii)(I) identifies an individual; or
                    (II) with respect to which there is a reasonable 
                basis to believe that the information can be used to 
                identify an individual.
            (15) Law enforcement official.--The term ``law enforcement 
        official'' means an officer or employee of any agency or 
        authority of the United States, a State, a territory, a 
        political subdivision of a State or territory, or an Indian 
        tribe, who is empowered by law to--
                    (A) investigate or conduct an official inquiry into 
                a potential violation of law; or
                    (B) prosecute or otherwise conduct a criminal, 
                civil, or administrative proceeding arising from an 
                alleged violation of law.
            (16) Life insurer.--The term ``life insurer'' means a life 
        insurance company (as defined in section 816 of the Internal 
        Revenue Code of 1986), including the employees and agents of 
        such company.
            (17) Marketing.--
                    (A) In general.--The term ``marketing'' means to 
                make a communication about a product or service a 
                purpose of which is to encourage recipients of the 
                communication to purchase or use the product or 
                service.
                    (B) Limitation.--Such term does not include 
                communications that meet the requirements of 
                subparagraph (C) and that are made by a covered 
                entity--
                            (i) for the purpose of describing the 
                        entities participating in a health care 
                        provider network or health plan network, or for 
                        the purpose of describing if and the extent to 
                        which a product or service (or payment for such 
                        product or service) is provided by a covered 
                        entity or included in a plan of benefits; or
                            (ii) that are tailored to the circumstances 
                        of a particular individual and the 
                        communications are--
                                    (I) made by a health care provider 
                                to an individual as part of the 
                                treatment of the individual, and for 
                                the purpose of furthering the treatment 
                                of that individual; or
                                    (II) made by a health care provider 
                                to an individual in the course of 
                                managing the treatment of that 
                                individual, or for the purpose of 
                                directing or recommending to that 
                                individual alternative treatments, 
                                therapies, health care providers, or 
                                settings of care.
                    (C) Not included.--A communication described in 
                subparagraph (B) is not included in marketing if--
                            (i) the communication is made orally; or
                            (ii) the communication is in writing and 
                        the covered entity does not receive direct or 
                        indirect remuneration from a third party for 
                        making the communication.
            (18) Noncovered entity.--
                    (A) In general.--The term ``noncovered entity'' 
                means any person or public or private entity, including 
                but not limited to a health researcher, school or 
                university, life insurer, employer, public health 
                authority, health oversight agency, or law enforcement 
                official, or any person acting as an agent of such 
                entities or persons, that is not a covered entity.
                    (B) Limitation.--The term ``noncovered entity'' 
                includes a covered entity if such covered entity is 
                acting as a business associate.
            (19) Organized health care arrangement.--The term 
        ``organized health care arrangement'' means--
                    (A) a clinically integrated care setting in which 
                individuals typically receive health care from more 
                than 1 health care provider;
                    (B) an organized system of health care in which 
                more than 1 covered entity participates, and in which 
                the participating covered entities--
                            (i) hold themselves out to the public as 
                        participating in a joint arrangement; and
                            (ii) participate in joint activities 
                        including at least--
                                    (I) utilization review, in which 
                                health care decisions by participating 
                                covered entities are reviewed by other 
                                participating covered entities or by a 
                                third party on their behalf;
                                    (II) quality assessment and 
                                improvement activities, in which 
                                treatment provided by participating 
                                covered entities is assessed by other 
                                participating covered entities or by a 
                                third party on their behalf; or
                                    (III) payment activities, if the 
                                financial risk for delivering health 
                                care is shared, in part or in whole, by 
                                participating covered entities through 
                                the joint arrangement and if protected 
                                health information created or received 
                                by a covered entity is reviewed by 
                                other participating covered entities or 
                                by a third party on their behalf for 
                                the purpose of administering the 
                                sharing of financial risk;
                    (C) a group health plan and a health insurance 
                issuer or HMO with respect to such group health plan, 
                but only with respect to protected health information 
                created or received by such health insurance issuer or 
                HMO that relates to individuals who are or who have 
                been participants or beneficiaries in such group health 
                plan;
                    (D) a group health plan and 1 or more other group 
                health plans each of which are maintained by the same 
                plan sponsor; or
                    (E) the group health plans described in 
                subparagraph (D) and health insurance issuers or HMOs 
                with respect to such group health plans, but only with 
                respect to protected health information created or 
                received by such health insurance issuers or HMOs that 
                relates to individuals who are or have been 
                participants or beneficiaries in any of such group 
                health plans.
            (20) Protected health information.--The term ``protected 
        health information'' means individually identifiable health 
        information that is in any form or medium. The term does not 
        include individually identifiable health information in 
        education records covered by section 444 of the General 
        Education Provisions Act (20 U.S.C. 1232g).
            (21) Public health authority.--The term ``public health 
        authority'' means an agency or authority of the United States, 
        a State, a territory, a political subdivision of a State or 
        territory, or an Indian tribe, or a person or entity acting 
        under a grant of authority from or contract with such public 
        agency, including employees or agents of such public agency or 
        its contractors or persons or entities to whom it has granted 
        authority, that is responsible for public health matters as 
        part of its official mandate.
            (22) School or university.--The term ``school or 
        university'' means an institution or place for instruction or 
        education, including an elementary school, secondary school, or 
        institution of higher learning, a college, or an assemblage of 
        colleges united under 1 corporate organization or government.
            (23) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (24) Sale; sell; sold.--The terms ``sale'', ``sell'', and 
        ``sold'', with respect to protected health information, mean 
        the exchange of such information for anything of value, 
        directly or indirectly, including the licensing, bartering, or 
        renting of such information.
            (25) Use.--The term ``use'' means, with respect to 
        individually identifiable health information, the sharing, 
        employment, application, utilization, examination, or analysis 
        of such information within an entity that maintains such 
        information.
            (26) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic and 
        digital signatures.

SEC. 402. PROHIBITION AGAINST SELLING PROTECTED HEALTH INFORMATION.

    (a) In General.--A noncovered entity shall not sell the protected 
health information of an individual without an authorization that is 
valid under section 403. When a noncovered entity obtains or receives 
authorization to sell such information, such sale must be consistent 
with such authorization.
    (b) Scope.--A sale of protected health information as described 
under subsection (a) shall be limited to the minimum amount of 
information necessary to accomplish the purpose for which the sale is 
made.
    (c) Purpose.--A recipient of information sold pursuant to this 
title may use or disclose such information solely to carry out the 
purpose for which the information was sold.
    (d) Not Required.--Nothing in this title permitting the sale of 
protected health information shall be construed to require such sale.
    (e) Identification of Information as Protected Health 
Information.--Information sold pursuant to this title shall be clearly 
identified as protected health information.
    (f) No Waiver.--Except as provided in this title, an individual's 
authorization to sell protected health information shall not be 
construed as a waiver of any rights that the individual has under other 
Federal or State laws, the rules of evidence, or common law.

SEC. 403. AUTHORIZATION FOR SALE OF PROTECTED HEALTH INFORMATION.

    (a) Valid Authorization.--A valid authorization is a document that 
complies with all requirements of this section. Such authorization may 
include additional information not required under this section, 
provided that such information is not inconsistent with the 
requirements of this section.
    (b) Defective Authorization.--An authorization is not valid, if the 
document submitted has any of the following defects:
            (1) The expiration date has passed or the expiration event 
        is known by the noncovered entity to have occurred.
            (2) The authorization has not been filled out completely, 
        with respect to an element described in subsections (e) and 
        (f).
            (3) The authorization is known by the noncovered entity to 
        have been revoked.
            (4) The authorization lacks an element required by 
        subsections (e) and (f).
            (5) Any material information in the authorization is known 
        by the noncovered entity to be false.
    (c) Revocation of Authorization.--An individual may revoke an 
authorization provided under this section at any time provided that the 
revocation is in writing, except to the extent that the noncovered 
entity has taken action in reliance thereon.
    (d) Documentation.--
            (1) In general.--A noncovered entity must document and 
        retain any signed authorization under this section as required 
        under paragraph (2).
            (2) Standard.--A noncovered entity shall, if a 
        communication is required by this title to be in writing, 
        maintain such writing, or an electronic copy, as documentation.
            (3) Retention period.--A noncovered entity shall retain the 
        documentation required by this section for 6 years from the 
        date of its creation or the date when it last was in effect, 
        whichever is later.
    (e) Content of Authorization.--
            (1) Content.--An authorization described in subsection (a) 
        shall--
                    (A) contain a description of the information to be 
                sold that identifies such information in a specific and 
                meaningful manner;
                    (B) contain the name or other specific 
                identification of the person, or class of persons, 
                authorized to sell the information;
                    (C) contain the name or other specific 
                identification of the person, or class of persons, to 
                whom the information is to be sold;
                    (D) include an expiration date or an expiration 
                event relating to the selling of such information that 
                signifies that the authorization is valid until such 
                date or event;
                    (E) include a statement that the individual has a 
                right to revoke the authorization in writing and the 
                exceptions to the right to revoke, and a description of 
                the procedure involved in such revocation;
                    (F) be in writing and include the signature of the 
                individual and the date, or if the authorization is 
                signed by a personal representative of the individual, 
                a description of such representative's authority to act 
                for the individual; and
                    (G) include a statement explaining the purpose for 
                which such information is sold.
            (2) Plain language.--The authorization shall be written in 
        plain language.
    (f) Notice.--
            (1) In general.--The authorization shall include a 
        statement that the individual may--
                    (A) inspect or copy the protected health 
                information to be sold; and
                    (B) refuse to sign the authorization.
            (2) Copy to the individual.--A noncovered entity shall 
        provide the individual with a copy of the signed authorization.
    (g) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in this section and model 
statements of the limitations on such authorizations. Any authorization 
obtained on a model authorization form developed by the 
Secretary pursuant to the preceding sentence shall be deemed to satisfy 
the requirements of this section.
    (h) Noncoercion.--A covered entity or noncovered entity shall not 
condition the purchase of a product or the provision of a service to an 
individual based on whether such individual provides an authorization 
to such entity as described in this section.

SEC. 404. PROHIBITION AGAINST RETALIATION.

    A noncovered entity that collects protected health information, may 
not adversely affect another person, directly or indirectly, because 
such person has exercised a right under this title, disclosed 
information relating to a possible violation of this title, or 
associated with, or assisted, a person in the exercise of a right under 
this title.

SEC. 405. PROHIBITION AGAINST MARKETING PROTECTED HEALTH INFORMATION.

    (a) In General.--Notwithstanding any other provision of law, a 
covered entity or noncovered entity shall not use, disclose, or sell 
protected health information for marketing without an authorization 
that is valid under subsection (c), except as provided in subsection 
(b).
    (b) Exception.--A health care provider may use or disclose 
protected health information for marketing without an authorization 
when it uses or discloses such information to make a marketing 
communication to an individual if the communication occurs in a face-
to-face encounter between the health care provider and the individual.
    (c) Authorization.--
            (1) In general.--An authorization under subsection (a) 
        shall--
                    (A) contain a description of the information to be 
                used, disclosed, or sold that identifies such 
                information in a specific and meaningful manner;
                    (B) contain the name or other specific 
                identification of the person, or class of persons, 
                authorized to use, disclose, or sell the information;
                    (C) identify persons to whom the information is to 
                be provided or sold;
                    (D) include an expiration date or an expiration 
                event relating to the use, disclosure, or sale of such 
                information that signifies that the authorization is 
                valid until such date or event;
                    (E) include a statement that the individual has a 
                right to revoke the authorization in writing and that 
                there are exceptions to the right to revoke, and a 
                description of the procedure involved in such 
                revocation;
                    (F) be in writing and include the signature of the 
                individual and the date, or if the authorization is 
                signed by a personal representative of the individual, 
                a description of such representative's authority to act 
                for the individual; and
                    (G) include a statement explaining the purpose for 
                which such information is used, disclosed, or sold.
            (2) Plain language.--The authorization must be written in 
        plain language.
    (d) Notice.--The authorization shall include a statement that the 
individual may--
            (1) inspect or copy the protected health information to be 
        marketed as provided under section 164.524 of title 45, Code of 
        Federal Regulations (or a successor regulation); and
            (2) refuse to sign the authorization.
    (e) Documentation.--A covered entity shall retain such 
documentation as required for any use, disclosure, or sale, as 
described under section 403(d).
    (f) Rescission of Individually Identifiable Health Information 
Regulation.--Effective as of December 28, 2000--
            (1) section 164.514(e) of title 45, Code of Federal 
        Regulations (relating to standards for uses and disclosures of 
        protected health information for marketing), promulgated by the 
        Secretary of Health and Human Services in the final rule 
        entitled ``Standards for Privacy of Individually Identifiable 
        Health Information'' (65 Fed. Reg. 82462 (December 28, 2000)) 
        is void; and
            (2) section 164.514 shall take effect as if subsection (e) 
        of such section had not been included in the promulgation of 
        the final regulation.
    (g) Noncoercion.--A covered entity or noncovered entity shall not 
condition the purchase of a product or the provision of a service to an 
individual based on whether such individual provides an authorization 
to such entity as described in this section.

SEC. 406. RULE OF CONSTRUCTION.

    Except for the provisions of section 405, all requirements of this 
title shall not be construed to impose any additional requirements or 
in any way alter the requirements imposed upon covered entities under 
parts 160 through 164 of title 45, Code of Federal Regulations.

SEC. 407. REGULATIONS.

    (a) In General.--The Secretary shall promulgate regulations 
implementing the provisions of this title.
    (b) Timeframe.--Not later than 1 year after the date of enactment 
of this Act, the Secretary shall publish proposed regulations in the 
Federal Register. With regard to such proposed regulations, the 
Secretary shall provide an opportunity for submission of comments by 
interested persons during a period of not less than 90 days. Not later 
than 2 years after the date of enactment of this Act, the Secretary 
shall publish final regulations in the Federal Register.

SEC. 408. ENFORCEMENT.

    (a) In General.--A covered entity or noncovered entity that 
knowingly violates section 402 or 405 shall be subject to a civil money 
penalty under this section.
    (b) Amount.--The civil money penalty described in subsection (a) 
shall not exceed $100,000. In determining the amount of any penalty to 
be assessed, the Secretary shall take into account the previous record 
of compliance of the entity being assessed with the applicable 
provisions of this title and the gravity of the violation.
    (c) Administrative Review.--
            (1) Opportunity for hearing.--The entity assessed shall be 
        afforded an opportunity for a hearing by the Secretary upon 
        request made within 30 days after the date of the issuance of a 
        notice of assessment. In such hearing the decision shall be 
        made on the record pursuant to section 554 of title 5, United 
        States Code. If no hearing is requested, the assessment shall 
constitute a final and unappealable order.
            (2) Hearing procedure.--If a hearing is requested, the 
        initial agency decision shall be made by an administrative law 
        judge, and such decision shall become the final order unless 
        the Secretary modifies or vacates the decision. Notice of 
        intent to modify or vacate the decision of the administrative 
        law judge shall be issued to the parties within 30 days after 
        the date of the decision of the judge. A final order which 
        takes effect under this paragraph shall be subject to review 
        only as provided under subsection (d).
    (d) Judicial Review.--
            (1) Filing of action for review.--Any entity against whom 
        an order imposing a civil money penalty has been entered after 
        an agency hearing under this section may obtain review by the 
        United States district court for any district in which such 
        entity is located or the United States District Court for the 
        District of Columbia by filing a notice of appeal in such court 
        within 30 days from the date of such order, and simultaneously 
        sending a copy of such notice by registered mail to the 
        Secretary.
            (2) Certification of administrative record.--The Secretary 
        shall promptly certify and file in such court the record upon 
        which the penalty was imposed.
            (3) Standard for review.--The findings of the Secretary 
        shall be set aside only if found to be unsupported by 
        substantial evidence as provided by section 706(2)(E) of title 
        5, United States Code.
            (4) Appeal.--Any final decision, order, or judgment of the 
        district court concerning such review shall be subject to 
        appeal as provided in chapter 83 of title 28 of such Code.
    (e) Failure To Pay Assessment; Maintenance of Action.--
            (1) Failure to pay assessment.--If any entity fails to pay 
        an assessment after it has become a final and unappealable 
        order, or after the court has entered final judgment in favor 
        of the Secretary, the Secretary shall refer the matter to the 
        Attorney General who shall recover the amount assessed by 
        action in the appropriate United States district court.
            (2) Nonreviewability.--In such action the validity and 
        appropriateness of the final order imposing the penalty shall 
        not be subject to review.
    (f) Payment of Penalties.--Except as otherwise provided, penalties 
collected under this section shall be paid to the Secretary (or other 
officer) imposing the penalty and shall be available without 
appropriation and until expended for the purpose of enforcing the 
provisions with respect to which the penalty was imposed.

                   TITLE V--DRIVER'S LICENSE PRIVACY

SEC. 501. DRIVER'S LICENSE PRIVACY.

    Section 2725 of title 18, United States Code, is amended by 
striking paragraphs (2) and (3) and adding the following:
            ``(2) `person' means an individual, organization, or 
        entity, but does not include a State or agency thereof;
            ``(3) `personal information' means information that 
        identifies an individual, including an individual's photograph, 
        social security number, driver identification number, name, 
        address (but not the 5-digit zip code), telephone number, 
        medical or disability information, any physical copy of a 
        driver's license, birth date, information on physical 
        characteristics, including height, weight, sex or eye color, or 
        any biometric identifiers on a license, including a finger 
        print, but not information on vehicular accidents, driving 
        violations, and driver's status; and
            ``(4) `highly restricted personal information' means an 
        individual's photograph or image, social security number, 
        medical or disability information, any physical copy of a 
        driver's license, driver identification number, birth date, 
        information on physical characteristics, including height, 
        weight, sex, or eye color, or any biometric identifiers on a 
        license, including a finger print.''.

                        TITLE VI--MISCELLANEOUS

SEC. 601. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under title I, II, or IV of this 
        Act or under any amendment made by such a title, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction to--
                    (A) enjoin that practice;
                    (B) enforce compliance with such titles or such 
                amendments;
                    (C) obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
shall provide notice and a copy of the complaint to the Attorney 
General at the same time as the State attorney general files the 
action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Attorney General shall have the right to intervene 
        in the action that is the subject of the notice.
            (2) Effect of intervention.--If the Attorney General 
        intervenes in an action under subsection (a), the Attorney 
        General shall have the right to be heard with respect to any 
        matter that arises in that action.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Actions by the Attorney General of the United States.--In any 
case in which an action is instituted by or on behalf of the Attorney 
General for violation of a practice that is prohibited under title I, 
II, IV, or V of this Act or under any amendment made by such a title, 
no State may, during the pendency of that action, institute an action 
under subsection (a) against any defendant named in the complaint in 
that action for violation of that practice.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 602. FEDERAL INJUNCTIVE AUTHORITY.

    In addition to any other enforcement authority conferred under this 
Act or under an amendment made by this Act, the Federal Government 
shall have injunctive authority with respect to any violation of any 
provision of title I, II, or IV of this Act or of any amendment made by 
such a title, without regard to whether a public or private entity 
violates such provision.
                                 <all>