[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 197 Introduced in Senate (IS)]







107th CONGRESS
  1st Session
                                 S. 197

To provide for the disclosure of the collection of information through 
               computer software, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 29, 2001

  Mr. Edwards (for himself and Mr. Hollings) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To provide for the disclosure of the collection of information through 
               computer software, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Spyware Control and Privacy 
Protection Act of 2001''.

SEC. 2. COLLECTION OF INFORMATION BY COMPUTER SOFTWARE.

    (a) Notice and Choice Required.--
            (1) In general.--Any computer software made available to 
        the public, whether by sale or without charge, that includes a 
        capability to collect information about the user of such 
        computer software, the hardware on which such computer software 
        is used, or the manner in which such computer software is used, 
        and to disclose to such information to any person other than 
        the user of such computer software, shall include--
                    (A) a clear and conspicuous written notice, on the 
                first electronic page of the instructions for the 
                installation of such computer software, that such 
                computer software includes such capability;
                    (B) a description of the information subject to 
                collection and the name and address of each person to 
                whom such computer software will transmit or otherwise 
                communicate such information; and
                    (C) a clear and conspicuous written electronic 
                notice, in a manner reasonably calculated to provide 
                the user of such computer software with easily 
                understood instructions on how to disable such 
                capability without affecting the performance or 
                operation of such computer software for the purposes 
                for which such computer software was intended.
            (2) Enablement of capability.--A capability of computer 
        software described in paragraph (1) may not be enabled unless 
        the user of such computer software provides affirmative 
        consent, in advance, to the enablement of the capability.
            (3) Exception.--The requirements in paragraphs (1) and (2) 
        shall not apply to any capability of computer software that is 
        reasonably needed to--
                    (A) determine whether or not the user is a licensed 
                or authorized user of such computer software;
                    (B) provide, upon request of the user, technical 
                support of the use of such computer software by the 
                user; or
                    (C) enable an employer to monitor computer usage by 
                its employees while such employees are within the scope 
                of employment as authorized by applicable Federal, 
                State, or local law.
            (4) Use of information collected through excepted 
        capability.--Any information collected through a capability 
        described in paragraph (1) for a purpose referred to in 
        paragraph (3) may be utilized only for the purpose for which 
        such information is collected under paragraph (3).
            (5) Access to information collected through excepted 
        capability.--Any person collecting information about a user of 
        computer software through a capability described in paragraph 
        (1) shall--
                    (A) upon request of the user, provide reasonable 
                access by user to information so collected;
                    (B) provide a reasonable opportunity for the user 
                to correct, delete, or supplement such information; and
                    (C) make the correction or supplementary 
                information a part of the information about the user 
                for purposes of any future use of such information 
                under this subsection.
            (6) Security of information collected through excepted 
        capability.--Any person collecting information through a 
        capability described in paragraph (1) shall establish and 
        maintain reasonable procedures necessary to protect the 
        security, confidentiality, and integrity of such information.
    (b) Preinstallation.--In the case of computer software described in 
subsection (a)(1) that is installed on a computer by someone other than 
the user of such computer software, whether through preinstallation by 
the provider of such computer or computer software, by installation by 
someone before delivery of such computer to the user, or otherwise, the 
notice and instructions under that subsection shall be provided in 
electronic form to the user before the first use of such computer 
software by the user.
    (c) Violations.--A violation of subsection (a) or (b) shall be 
treated as an unfair or deceptive act or practice proscribed by section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (d) Disclosure to Law Enforcement or Under Court Order.--
            (1) In general.--Notwithstanding any other provision of 
        this section, a computer software provider that collects 
        information about users of the computer software may disclose 
        information about a user of the computer software--
                    (A) to a law enforcement agency in response to a 
                warrant issued under the Federal Rules of Criminal 
                Procedure, an equivalent State warrant, or a court 
                order issued in accordance with paragraph (3); or
                    (B) in response to a court order in a civil 
                proceeding granted upon a showing of compelling need 
                for the information that cannot be accommodated by any 
                other means if--
                            (i) the user to whom the information 
                        relates is given reasonable notice by the 
                        person seeking the information of the court 
                        proceeding at which the order is requested; and
                            (ii) the user is afforded a reasonable 
                        opportunity to appear and contest the issuance 
                        of the requested order or to narrow its scope.
            (2) Safeguards against further disclosure.--A court that 
        issues an order described in paragraph (1) shall impose 
        appropriate safeguards on the use of the information to protect 
        against its unauthorized disclosure.
            (3) Court orders.--A court order authorizing disclosure 
        under paragraph (1)(A) may issue only with prior notice to the 
        user and only if the law enforcement agency shows that there is 
        probable cause to believe that the user has engaged, is 
        engaging, or is about to engage in criminal activity and that 
        the records or other information sought are material to the 
        investigation of such activity. In the case of a State 
        government authority, such a court order shall not issue if 
        prohibited by the law of such State. A court issuing an order 
        pursuant to this paragraph, on a motion made promptly by the 
        computer software provider may quash or modify such order if 
        the information or records requested are unreasonably 
        voluminous in nature or if compliance with such order otherwise 
        would cause an unreasonable burden on the provider.
    (e) Private Right of Action.--
            (1) Actions authorized.--A person may, if otherwise 
        permitted by the laws or rules of court of a State, bring in an 
        appropriate Federal court, if such laws or rules prohibit such 
        actions, either or both of the actions as follows:
                    (A) An action based on a violation of subsection 
                (a) or (b) to enjoin such violation.
                    (B) An action to recover actual monetary loss for a 
                violation of subsection (a) or (b) in an amount equal 
                to the greater of--
                            (i) the amount of such actual monetary 
                        loss; or
                            (ii) $2,500 for such violation, not to 
                        exceed a total amount of $500,000.
            (2) Additional remedy.--If the court in an action under 
        paragraph (1) finds that the defendant willfully, knowingly, or 
        repeatedly violated subsection (a) or (b), the court may, in 
        its discretion, increase the amount of the award under 
        paragraph (1)(B) to an amount not greater than three times the 
        amount available under paragraph (1)(B)(ii).
            (3) Litigation costs and attorney fees.--In any action 
        under paragraph (1), the court may, in its discretion, require 
        an undertaking for the payment of the costs of such action and 
        assess reasonable costs, including reasonable attorney fees, 
        against the defendant.
            (4) Venue.--In addition to any contractual provision 
        otherwise, venue for an action under paragraph (1) shall lie 
        where the computer software concerned was installed or used or 
        where the person alleged to have committed the violation 
        concerned is found.
            (5) Protection of trade secrets.--At the request of any 
        party to an action under paragraph (1), or any other 
        participant in such action, the court may, in its discretion, 
        issue a protective order and conduct proceedings in such action 
        so as to protect the secrecy and security of the computer, 
        computer network, computer data, computer program, and computer 
        software involved in order to--
                    (A) prevent possible recurrence of the same or a 
                similar act by another person; or
                    (B) protect any trade secrets of such party or 
                participant.
    (f) Definitions.--In this section:
            (1) Collect.--The term ``collect'' means the gathering of 
        information about a computer or a user of computer software by 
        any means, whether direct or indirect and whether active or 
        passive.
            (2) Computer.--The term ``computer'' means a programmable 
        electronic device that can store, retrieve, and process data.
            (3) Computer software.--(A) Except as provided in 
        subparagraph (B), the term ``computer software'' means any 
        program designed to cause a computer to perform a desired 
        function or functions.
            (B) The term does not include a text file, or cookie, 
        placed on a person's computer system by an Internet service 
        provider, interactive computer service, or commercial Internet 
        website to return information to the Internet service provider, 
        interactive computer service, commercial Internet website, or 
        third party if the person subsequently uses the Internet 
        service provider or interactive computer service, or accesses 
        the commercial Internet website.
            (4) Information.--The term ``information'' means 
        information that personally identifies a user of computer 
        software, including the following:
                    (A) A first and last name, whether given at birth 
                or adoption, assumed, or legally changed.
                    (B) A home or other physical address including 
                street name and name of a city or town.
                    (C) An electronic mail address.
                    (D) A telephone number.
                    (E) A social security number.
                    (F) A credit card number, any access code 
                associated with the credit card, or both.
                    (G) A birth date, birth certificate number, or 
                place of birth.
                    (H) Any other unique information identifying an 
                individual that a computer software provider, Internet 
                service provider, interactive computer service, or 
                operator of a commercial Internet website collects and 
                combines with information described in subparagraphs 
                (A) through (G) of this paragraph.
            (5) Person.--The term ``person'' has the meaning given that 
        term in section 3(32) of the Communications Act of 1934 (47 
        U.S.C. 153(32)).
            (6) User.--The term ``user'' means an individual who 
        acquires, through purchase or otherwise, computer software for 
        purposes other than resale.
    (g) Effective Date.--This section shall take effect 180 days after 
the date of the enactment of this Act.
                                 <all>