[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 2201 Reported in Senate (RS)]






                                                       Calendar No. 551
107th CONGRESS
  2d Session
                                S. 2201

                          [Report No. 107-240]

   To protect the online privacy of individuals who use the Internet.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 18, 2002

  Mr. Hollings (for himself, Mr. Stevens, Mr. Burns, Mr. Inouye, Mr. 
  Rockefeller, Mr. Kerry, Mr. Breaux, Mrs. Carnahan, Mr. Cleland, Mr. 
 Nelson of Florida, Mrs. Carnahan, and Mr. Torricelli) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

                             August 1, 2002

              Reported by Mr. Hollings, with an amendment
 [Strike all after the enacting clause and insert the part printed in 
                                italic]

_______________________________________________________________________

                                 A BILL


 
   To protect the online privacy of individuals who use the Internet.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Online Personal Privacy 
Act''.</DELETED>

<DELETED>SEC. 2. TABLE OF CONTENTS.</DELETED>

<DELETED>    The table of contents of this Act is as follows:</DELETED>

<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Table of contents.
<DELETED>Sec. 3. Findings.
<DELETED>Sec. 4. Preemption of State law or regulations.
                              <DELETED>Title I--Online Privacy 
                                        Protection
<DELETED>Sec. 101. Collection, use, or disclosure of personally 
                            identifiable information.
<DELETED>Sec. 102. Notice and consent requirements.
<DELETED>Sec. 103. Policy changes; privacy breach.
<DELETED>Sec. 104. Exceptions.
<DELETED>Sec. 105. Access.
<DELETED>Sec. 106. Security.
                              <DELETED>Title II--Enforcement
<DELETED>Sec. 201. Enforcement by Federal Trade Commission.
<DELETED>Sec. 202. Violation is unfair or deceptive act or practice.
<DELETED>Sec. 203. Private right of action.
<DELETED>Sec. 204. Actions by States.
<DELETED>Sec. 205. Whistleblower protection.
<DELETED>Sec. 206. No effect on other remedies.
                              <DELETED>Title III--Application to 
                                        Congress and Federal Agencies
<DELETED>Sec. 301. Exercise of rulemaking power.
<DELETED>Sec. 302. Senate.
<DELETED>Sec. 303. Application to Federal agencies.
                              <DELETED>Title IV--Miscellaneous
<DELETED>Sec. 401. Definitions.
<DELETED>Sec. 402. Effective date.
<DELETED>Sec. 403. FTC rulemaking.
<DELETED>Sec. 404. FTC report.
<DELETED>Sec. 405. Development of automated privacy controls.

<DELETED>SEC. 3. FINDINGS.</DELETED>

<DELETED>    The Congress finds the following:</DELETED>
        <DELETED>    (1) The right to privacy is a personal and 
        fundamental right worthy of protection through appropriate 
        legislation.</DELETED>
        <DELETED>    (2) Individuals engaging in and interacting with 
        companies engaged in interstate commerce have a significant 
        interest in their personal information, as well as a right to 
        control how that information is collected, used, or 
        transferred.</DELETED>
        <DELETED>    (3) Absent the recognition of these rights and the 
        establishment of consequent industry responsibilities to 
        safeguard those rights, the privacy of individuals who use the 
        Internet will soon be more gravely threatened.</DELETED>
        <DELETED>    (4) To the extent that States regulate, their 
        efforts to address Internet privacy will lead to a patchwork of 
        inconsistent standards and protections.</DELETED>
        <DELETED>    (5) Existing State, local, and Federal laws 
        provide minimal privacy protection for Internet 
        users.</DELETED>
        <DELETED>    (6) With the exception of Federal Trade Commission 
        enforcement of laws against unfair and deceptive practices, the 
        Federal Government thus far has eschewed general Internet 
        privacy laws in favor of industry self-regulation, which has 
        led to several self-policing schemes, none of which are 
        enforceable in any meaningful way or provide sufficient privacy 
        protection to individuals.</DELETED>
        <DELETED>    (7) State governments have been reluctant to enter 
        the field of Internet privacy regulation because use of the 
        Internet often crosses State, or even national, 
        boundaries.</DELETED>
        <DELETED>    (8) States are nonetheless interested in providing 
        greater privacy protection to their citizens as evidenced by 
        recent lawsuits brought against offline and online companies by 
        State attorneys general to protect the privacy of individuals 
        using the Internet.</DELETED>
        <DELETED>    (9) The ease of gathering and compiling personal 
        information on the Internet, both overtly and surreptitiously, 
        is becoming increasingly efficient and effortless due to 
        advances in digital communications technology which have 
        provided information gatherers the ability to compile 
        seamlessly highly detailed personal histories of Internet 
        users.</DELETED>
        <DELETED>    (10) Personal information flowing over the 
        Internet requires greater privacy protection than is currently 
        available today. Vast amounts of personal information, 
        including sensitive information, about individual Internet 
        users are collected on the Internet and sold or otherwise 
        transferred to third parties.</DELETED>
        <DELETED>    (11) Poll after poll consistently demonstrates 
        that individual Internet users are highly troubled over their 
        lack of control over their personal information.</DELETED>
        <DELETED>    (12) Market research demonstrates that tens of 
        billions of dollars in e-commerce are lost due to individual 
        fears about a lack of privacy protection on the 
        Internet.</DELETED>
        <DELETED>    (13) Market research demonstrates that as many as 
        one-third of all Internet users give false information about 
        themselves to protect their privacy, due to fears about a lack 
        of privacy protection on the Internet.</DELETED>
        <DELETED>    (14) Notwithstanding these concerns, the Internet 
        is becoming a major part of the personal and commercial lives 
        of millions of Americans, providing increased access to 
        information, as well as communications and commercial 
        opportunities.</DELETED>
        <DELETED>    (15) It is important to establish personal privacy 
        rights and industry obligations now so that individuals have 
        confidence that their personal privacy is fully protected on 
        the Internet.</DELETED>
        <DELETED>    (16) The social and economic costs of establishing 
        baseline privacy standards now will be lower than if Congress 
        waits until the Internet becomes more prevalent in our everyday 
        lives in coming years.</DELETED>
        <DELETED>    (17) Whatever costs may be borne by industry will 
        be significantly offset by the economic benefits to the 
        commercial Internet created by increased consumer confidence 
        occasioned by greater privacy protection.</DELETED>
        <DELETED>    (18) Toward the close of the 20th Century, as 
        individuals' personal information was increasingly collected, 
        profiled, and shared for commercial purposes, and as technology 
        advanced to facilitate these practices, the Congress enacted 
        numerous statutes to protect privacy.</DELETED>
        <DELETED>    (19) Those statutes apply to the government, 
        telephones, cable television, e-mail, video tape rentals, and 
        the Internet (but only with respect to children).</DELETED>
        <DELETED>    (20) Those statutes all provide significant 
        privacy protections, but neither limit technology nor stifle 
        business.</DELETED>
        <DELETED>    (21) Those statutes ensure that the collection and 
        commercialization of individuals' personal information is fair, 
        transparent, and subject to law.</DELETED>

<DELETED>SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.</DELETED>

<DELETED>    This Act supersedes any State statute, regulation, or rule 
regulating Internet privacy to the extent that it relates to the 
collection, use, or disclosure of personally identifiable information 
obtained through the Internet.</DELETED>

         <DELETED>TITLE I--ONLINE PRIVACY PROTECTION</DELETED>

<DELETED>SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY 
              IDENTIFIABLE INFORMATION.</DELETED>

<DELETED>    (a) In General.--An internet service provider, online 
service provider, or operator of a commercial website on the Internet 
may not collect personally identifiable information from a user, or use 
or disclose personally identifiable information about a user, of that 
service or website except in accordance with the provisions of this 
Act.</DELETED>
<DELETED>    (b) Application to Certain Third-Party Operators.--The 
provisions of this Act applicable to internet service providers, online 
service providers, and commercial website operators apply to any third 
party, including an advertising network, that uses an internet service 
provider, online service provider, or commercial website operator to 
collect information about users of that service or website.</DELETED>

<DELETED>SEC. 102. NOTICE AND CONSENT REQUIREMENTS.</DELETED>

<DELETED>    (a) Notice.--Except as provided in section 104, an 
internet service provider, online service provider, or operator of a 
commercial website may not collect personally identifiable information 
from a user of that service or website online unless that provider or 
operator provides clear and conspicuous notice to the user in the 
manner required by this section for the kind of personally identifiable 
information to be collected. The notice shall disclose--</DELETED>
        <DELETED>    (1) the specific types of information that will be 
        collected;</DELETED>
        <DELETED>    (2) the methods of collecting and using the 
        information collected; and</DELETED>
        <DELETED>    (3) all disclosure practices of that provider or 
        operator for personally identifiable information so collected, 
        including whether it will be disclosed to third 
        parties.</DELETED>
<DELETED>    (b) Sensitive Personally Identifiable Information Requires 
Opt-in Consent.--An internet service provider, online service provider, 
or operator of a commercial website may not--</DELETED>
        <DELETED>    (1) collect sensitive personally identifiable 
        information online, or</DELETED>
        <DELETED>    (2) disclose or otherwise use such information 
        collected online, from a user of that service or 
        website,</DELETED>
<DELETED>unless the provider or operator obtains that user's 
affirmative consent to the collection and disclosure or use of that 
information before, or at the time, the information is 
collected.</DELETED>
<DELETED>    (c) Nonsensitive Personally Identifiable Information 
Requires Robust Notice and Opt-out Consent.--An internet service 
provider, online service provider, or operator of a commercial website 
may not--</DELETED>
        <DELETED>    (1) collect personally identifiable information 
        not described in subsection (b) online, or</DELETED>
        <DELETED>    (2) disclose or otherwise use such information 
        collected online, from a user of that service or 
        website,</DELETED>
<DELETED>unless the provider or operator provides robust notice to the 
user, in addition to clear and conspicuous notice, and has given the 
user an opportunity to decline consent for such collection and use by 
the provider or operator before, or at the time, the information is 
collected.</DELETED>
<DELETED>    (d) Initial Notice Only for Robust Notice.--An internet 
service provider, online service provider, or operator of a commercial 
website shall provide robust notice under subsection (c) of this 
section to a user only upon its first collection of non-sensitive 
personally identifiable information from that user, except that a 
subsequent collection of additional or materially different non-
sensitive personally identifiable information from that user shall be 
treated as a first collection of such information from that 
user.</DELETED>
<DELETED>    (e) Permanence of Consent.--</DELETED>
        <DELETED>    (1) In general.--The consent or denial of consent 
        by a user of permission to an internet service provider, online 
        service provider, or operator of a commercial website to 
        collect, disclose, or otherwise use any information about that 
        user for which consent is required under this Act--</DELETED>
                <DELETED>    (A) shall remain in effect until changed 
                by the user; and</DELETED>
                <DELETED>    (B) shall apply to the collection, 
                disclosure, or other use of that information by any 
                entity that is a commercial successor of, or legal 
                successor-in-interest to, that provider or operator, 
                without regard to the legal form in which such 
                succession was accomplished (including any entity that 
                collects, discloses, or uses such information as a 
                result of a proceeding under chapter 7 or chapter 11 of 
                title 11, United States Code, with respect to the 
                provider or operator).</DELETED>
        <DELETED>    (2) Exception.--The consent by a user to the 
        collection, disclosure, or other use of information about that 
        user for which consent is required under this Act does not 
        apply to the collection, disclosure, or use of that information 
        by a successor entity under paragraph (1)(B) if--</DELETED>
                <DELETED>    (A) the kind of information collected by 
                the successor entity about the user is materially 
                different from the kind of information collected by the 
                predecessor entity;</DELETED>
                <DELETED>    (B) the methods of collecting and using 
                the information employed by the successor entity are 
                materially different from the methods employed by the 
                predecessor entity; or</DELETED>
                <DELETED>    (C) the disclosure practices of the 
                successor entity are materially different from the 
                practices of the predecessor entity.</DELETED>

<DELETED>SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.</DELETED>

<DELETED>    (a) Notice of Policy Change.--Whenever an internet service 
provider, online service provider, or operator of a commercial website 
makes a material change in its policy for the collection, use, or 
disclosure of sensitive or nonsensitive personally identifiable 
information, it--</DELETED>
        <DELETED>    (1) shall notify all users of that service or 
        website of the change in policy; and</DELETED>
        <DELETED>    (2) may not collect, disclose, or otherwise use 
        any sensitive or nonsensitive personally identifiable 
        information in accordance with the changed policy unless the 
        user has been afforded an opportunity to consent, or withhold 
        consent, to its collection, disclosure, or use in accordance 
        with the requirements of section 102(b) or (c), whichever is 
        applicable.</DELETED>
<DELETED>    (b) Notice of Breach of Privacy.--</DELETED>
        <DELETED>    (1) In general.--If the sensitive or nonsensitive 
        personally identifiable information of a user of an internet 
        service provider, online service provider, or operator of a 
        commercial website--</DELETED>
                <DELETED>    (A) is collected, disclosed, or otherwise 
                used by the provider or operator in violation of any 
                provision of this Act, or</DELETED>
                <DELETED>    (B) the security, confidentiality, or 
                integrity of such information is compromised by a 
                hacker or other third party, or by any act or failure 
                to act of the provider or operator,</DELETED>
        <DELETED>then the provider or operator shall notify all users 
        whose sensitive or nonsensitive personally identifiable 
        information was affected by the unlawful collection, 
        disclosure, use, or compromise. The notice shall describe the 
        nature of the unlawful collection, disclosure, use, or 
        compromise and the steps taken by the provider or operator to 
        remedy it.</DELETED>
        <DELETED>    (2) Delay of notification.--</DELETED>
                <DELETED>    (A) Action taken by individuals.--If the 
                compromise of the security, confidentiality, or 
                integrity of the information is caused by a hacker or 
                other external interference with the service or 
                website, or by an employee of the service or website, 
                the provider or operator may postpone issuing the 
                notice required by paragraph (1) for a reasonable 
                period of time in order to--</DELETED>
                        <DELETED>    (i) facilitate the detection and 
                        apprehension of the person responsible for the 
                        compromise; and</DELETED>
                        <DELETED>    (ii) take such measures as may be 
                        necessary to restore the integrity of the 
                        service or website and prevent any further 
                        compromise of the security, confidentiality, 
                        and integrity of such information.</DELETED>
                <DELETED>    (B) System failures and other functional 
                causes.--If the unlawful collection, disclosure, use, 
                or compromise of the security, confidentiality, and 
                integrity of the information is the result of a system 
                failure, a problem with the operating system, software, 
                or program used by the internet service provider, 
                online service provider, or operator of the commercial 
                website, or other non-external interference with the 
                service or website, the provider or operator may 
                postpone issuing the notice required by paragraph (1) 
                for a reasonable period of time in order to--</DELETED>
                        <DELETED>    (i) restore the system's 
                        functionality or fix the problem; and</DELETED>
                        <DELETED>    (ii) take such measures as may be 
                        necessary to restore the integrity of the 
                        service or website and prevent any further 
                        compromise of the security, confidentiality, 
                        and integrity of the information after the 
                        failure or problem has been fixed and the 
                        integrity of the service or website has been 
                        restored.</DELETED>

<DELETED>SEC. 104. EXCEPTIONS.</DELETED>

<DELETED>    (a) In General.--Section 102 does not apply to the 
collection, disclosure, or use by an internet service provider, online 
service provider, or operator of a commercial website of information 
about a user of that service or website necessary--</DELETED>
        <DELETED>    (1) to protect the security or integrity of the 
        service or website or to ensure the safety of other people or 
        property;</DELETED>
        <DELETED>    (2) to conduct a transaction, deliver a product or 
        service, or complete an arrangement for which the user provided 
        the information; or</DELETED>
        <DELETED>    (3) to provide other products and services 
        integrally related to the transaction, service, product, or 
        arrangement for which the user provided the 
        information.</DELETED>
<DELETED>    (b) Protected Disclosures.--An internet service provider, 
online service provider, or operator of a commercial website may not be 
held liable under this Act, any other Federal law, or any State law for 
any disclosure made in good faith and following reasonable procedures 
in responding to--</DELETED>
        <DELETED>    (1) a request for disclosure of personal 
        information under section 1302(b)(1)(B)(iii) of the Children's 
        Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) 
        to the parent of a child; or</DELETED>
        <DELETED>    (2) a request for access to, or correction or 
        deletion of, personally identifiable information under section 
        105 of this Act.</DELETED>
<DELETED>    (c) Disclosure to Law Enforcement Agency or under Court 
Order.--</DELETED>
        <DELETED>    (1) In general.--Notwithstanding any other 
        provision of this Act, an internet service provider, online 
        service provider, operator of a commercial website, or third 
        party that uses such a service or website to collect 
        information about users of that service or website may disclose 
        personally identifiable information about a user of that 
        service or website--</DELETED>
                <DELETED>    (A) to a law enforcement, investigatory, 
                national security, or regulatory agency or department 
                of the United States in response to a request or demand 
                made under authority granted to that agency or 
                department, including a warrant issued under the 
                Federal Rules of Criminal Procedure, an equivalent 
                State warrant, a court order, or a properly executed 
                administrative compulsory process; and</DELETED>
                <DELETED>    (B) in response to a court order in a 
                civil proceeding granted upon a showing of compelling 
                need for the information that cannot be accommodated by 
                any other means if--</DELETED>
                        <DELETED>    (i) the user to whom the 
                        information relates is given reasonable notice 
                        by the person seeking the information of the 
                        court proceeding at which the order is 
                        requested; and</DELETED>
                        <DELETED>    (ii) that user is afforded a 
                        reasonable opportunity to appear and contest 
                        the issuance of the requested order or to 
                        narrow its scope.</DELETED>
        <DELETED>    (2) Safeguards against further disclosure.--A 
        court that issues an order described in paragraph (1) shall 
        impose appropriate safeguards on the use of the information to 
        protect against its unauthorized disclosure.</DELETED>

<DELETED>SEC. 105. ACCESS.</DELETED>

<DELETED>    (a) In General.--An internet service provider, online 
service provider, or operator of a commercial website shall--</DELETED>
        <DELETED>    (1) upon request provide reasonable access to a 
        user to personally identifiable information that the provider 
        or operator has collected from the user online, or that the 
        provider or operator has combined with personally identifiable 
        information collected from the user online after the effective 
        date of this Act;</DELETED>
        <DELETED>    (2) provide a reasonable opportunity for a user to 
        suggest a correction or deletion of any such information 
        maintained by that provider or operator to which the user was 
        granted access; and</DELETED>
        <DELETED>    (3) make the correction a part of that user's 
        sensitive personally identifiable information or nonsensitive 
        personally identifiable information (whichever is appropriate), 
        or make the deletion, for all future disclosure and other use 
        purposes.</DELETED>
<DELETED>    (b) Exception.--An internet service provider, online 
service provider, or operator of a commercial website may decline to 
make a suggested correction a part of that user's sensitive personally 
identifiable information or nonsensitive personally identifiable 
information (whichever is appropriate), or to make a suggested deletion 
if the provider or operator--</DELETED>
        <DELETED>    (1) reasonably believes that the suggested 
        correction or deletion is inaccurate or otherwise 
        inappropriate;</DELETED>
        <DELETED>    (2) notifies the user in writing, or in digital or 
        other electronic form, of the reasons the provider or operator 
        believes the suggested correction or deletion is inaccurate or 
        otherwise inappropriate; and</DELETED>
        <DELETED>    (3) provides a reasonable opportunity for the user 
        to refute the reasons given by the provider or operator for 
        declining to make the suggested correction or 
        deletion.</DELETED>
<DELETED>    (c) Reasonableness Test.--The reasonableness of the access 
or opportunity provided under subsection (a) or (b) by an internet 
service provider, online service provider, or operator of a commercial 
website shall be determined by taking into account such factors as the 
sensitivity of the information requested and the burden or expense on 
the provider or operator of complying with the request, correction, or 
deletion.</DELETED>
<DELETED>    (d) Reasonable Access Fee.--</DELETED>
        <DELETED>    (1) In general.--An internet service provider, 
        online service provider, or operator of a commercial website 
        may impose a reasonable charge for access under subsection 
        (a).</DELETED>
        <DELETED>    (2) Amount.--The amount of the fee shall not 
        exceed $3, except that upon request of a user, a provider or 
        operator shall provide such access without charge to that user 
        if the user certifies in writing that the user--</DELETED>
                <DELETED>    (A) is unemployed and intends to apply for 
                employment in the 60-day period beginning on the date 
                on which the certification is made;</DELETED>
                <DELETED>    (B) is a recipient of public welfare 
                assistance; or</DELETED>
                <DELETED>    (C) has reason to believe that the 
                incorrect information is due to fraud.</DELETED>

<DELETED>SEC. 106. SECURITY.</DELETED>

<DELETED>    An internet service provider, online service provider, or 
operator of a commercial website shall establish and maintain 
reasonable procedures necessary to protect the security, 
confidentiality, and integrity of personally identifiable information 
maintained by that provider or operator.</DELETED>

                <DELETED>TITLE II--ENFORCEMENT</DELETED>

<DELETED>SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.</DELETED>

<DELETED>    Except as provided in section 202(b) of this Act and 
section 2710(d) of title 18, United States Code, this Act shall be 
enforced by the Commission.</DELETED>

<DELETED>SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR 
              PRACTICE.</DELETED>

<DELETED>    (a) In General.--The violation of any provision of title I 
is an unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).</DELETED>
<DELETED>    (b) Enforcement by Certain Other Agencies.--Compliance 
with title I of this Act shall be enforced under--</DELETED>
        <DELETED>    (1) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), in the case of--</DELETED>
                <DELETED>    (A) national banks, and Federal branches 
                and Federal agencies of foreign banks, by the Office of 
                the Comptroller of the Currency;</DELETED>
                <DELETED>    (B) member banks of the Federal Reserve 
                System (other than national banks), branches and 
                agencies of foreign banks (other than Federal branches, 
                Federal agencies, and insured State branches of foreign 
                banks), commercial lending companies owned or 
                controlled by foreign banks, and organizations 
                operating under section 25 or 25A of the Federal 
                Reserve Act (12 U.S.C. 601 and 611), by the Board; 
                and</DELETED>
                <DELETED>    (C) banks insured by the Federal Deposit 
                Insurance Corporation (other than members of the 
                Federal Reserve System) and insured State branches of 
                foreign banks, by the Board of Directors of the Federal 
                Deposit Insurance Corporation;</DELETED>
        <DELETED>    (2) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;</DELETED>
        <DELETED>    (3) the Federal Credit Union Act (12 U.S.C. 1751 
        et seq.) by the National Credit Union Administration Board with 
        respect to any Federal credit union;</DELETED>
        <DELETED>    (4) part A of subtitle VII of title 49, United 
        States Code, by the Secretary of Transportation with respect to 
        any air carrier or foreign air carrier subject to that 
        part;</DELETED>
        <DELETED>    (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 
        181 et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)), by the Secretary of Agriculture with respect 
        to any activities subject to that Act; and</DELETED>
        <DELETED>    (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit 
        association.</DELETED>
<DELETED>    (c) Exercise of Certain Powers.--For the purpose of the 
exercise by any agency referred to in subsection (b) of its powers 
under any Act referred to in that subsection, a violation of title I is 
deemed to be a violation of a requirement imposed under that Act. In 
addition to its powers under any provision of law specifically referred 
to in subsection (b), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under title I, any other authority conferred on 
it by law.</DELETED>
<DELETED>    (d) Actions by the Commission.--The Commission shall 
prevent any person from violating title I in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any entity that violates any provision of that 
subtitle is subject to the penalties and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act in the same 
manner, by the same means, and with the same jurisdiction, power, and 
duties as though all applicable terms and provisions of the Federal 
Trade Commission Act were incorporated into and made a part of that 
subtitle.</DELETED>
<DELETED>    (e) Disposition of Civil Penalties Obtained by FTC 
Enforcement Action Involving Nonsensitive Personally Identifiable 
Information.--</DELETED>
        <DELETED>    (1) In general.--If a civil penalty is imposed on 
        an internet service provider, online service provider, or 
        commercial website operator in an enforcement action brought by 
        the Commission for a violation of title I with respect to 
        nonsensitive personally identifiable information of users of 
        the service or website, the penalty shall be--</DELETED>
                <DELETED>    (A) paid to the Commission;</DELETED>
                <DELETED>    (B) held by the Commission in trust for 
                distribution under paragraph (2); and</DELETED>
                <DELETED>    (C) distributed in accordance with 
                paragraph (2).</DELETED>
        <DELETED>    (2) Distribution to users.--Under procedures to be 
        established by the Commission, the Commission shall hold any 
        amount received as a civil penalty for violation of title I for 
        a period of not less than 180 days for distribution under those 
        procedures to users--</DELETED>
                <DELETED>    (A) whose nonsensitive personally 
                identifiable information was the subject of the 
                violation; and</DELETED>
                <DELETED>    (B) who file claims with the Commission 
                for compensation for loss or damage from the violation 
                at such time, in such manner, and containing such 
                information as the Commission may require.</DELETED>
        <DELETED>    (3) Amount of payment.--The amount a user may 
        receive under paragraph (2)--</DELETED>
                        <DELETED>    (i) shall not exceed $200; 
                        and</DELETED>
                        <DELETED>    (ii) may be limited by the 
                        Commission as necessary to afford each such 
                        user a reasonable opportunity to secure that 
                        user's appropriate portion of the amount 
                        available for distribution.</DELETED>
        <DELETED>    (4) Remainder.--If the amount of any such penalty 
        held by the Commission exceeds the sum of the amounts 
        distributed under paragraph (2) attributable to that penalty, 
        the excess shall be covered into the Treasury of the United 
        States as miscellaneous receipts no later than 12 months after 
        it was paid to the Commission.</DELETED>
<DELETED>    (f) Effect on Other Laws.--</DELETED>
        <DELETED>    (1) Preservation of commission authority.--Nothing 
        contained in this subtitle shall be construed to limit the 
        authority of the Commission under any other provision of 
        law.</DELETED>
        <DELETED>    (2) Relation to title ii of communications act.--
        Nothing in title I requires an operator of a website or online 
        service to take any action that is inconsistent with the 
        requirements of section 222 of the Communications Act of 1934 
        (47 U.S.C. 222).</DELETED>
        <DELETED>    (3) Relation to title vi of communications act.--
        Section 631 of the Communications Act of 1934 (47 U.S.C. 551) 
        is amended by adding at the end the following:</DELETED>
<DELETED>    ``(i) To the extent that the application of any provision 
of this title to a cable operator as an internet service provider, 
online service provider, or operator of a commercial website (as those 
terms are defined in section 401 of the Online Personal Privacy Act) 
with respect to the provision of Internet service or online service, or 
the operation of a commercial website, conflicts with the application 
of any provision of that Act to such provision or operation, the Act 
shall be applied in lieu of the conflicting provision of this 
title.''.</DELETED>

<DELETED>SEC. 203. ACTIONS BY USERS.</DELETED>

<DELETED>    (a) Private Right of Action for Sensitive Personally 
Identifiable Information.--If an internet service provider, online 
service provider, or commercial website operator collects, discloses, 
or uses the sensitive personally identifiable information of any person 
or fails to provide reasonable access to or reasonable security for 
such sensitive personally identifiable information in violation of any 
provision of title I then that person may bring an action in a district 
court of the United States of appropriate jurisdiction--</DELETED>
        <DELETED>    (1) to enjoin or restrain a violation of title I 
        or to obtain other appropriate relief; and</DELETED>
        <DELETED>    (2) upon a showing of actual harm to that person 
        caused by the violation, to recover the greater of--</DELETED>
                <DELETED>    (A) the actual monetary loss from the 
                violation; or</DELETED>
                <DELETED>    (B) $5,000.</DELETED>
<DELETED>    (b) Repeated Violations.--If the court finds, in an action 
brought under subsection (a) to recover damages, that the defendant 
repeatedly and knowingly violated title I, the court may, in its 
discretion, increase the amount of the award available under subsection 
(a)(2)(B) to an amount not in excess of $100,000.</DELETED>
<DELETED>    (c) Exception.--Neither an action to enjoin or restrain a 
violation, nor an action to recover for loss or damage, may be brought 
under this section for the accidental disclosure of information if the 
disclosure was caused by an Act of God, unforeseeable network or 
systems failure, or other event beyond the control of the Internet 
service provider, online service provider, or operator of a commercial 
website.</DELETED>

<DELETED>SEC. 204. ACTIONS BY STATES.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State has reason to believe that an 
        interest of the residents of that State has been or is 
        threatened or adversely affected by the engagement of any 
        person in a practice that violates title I, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction--</DELETED>
                <DELETED>    (A) to enjoin that practice;</DELETED>
                <DELETED>    (B) to enforce compliance with the 
                rule;</DELETED>
                <DELETED>    (C) to obtain damage, restitution, or 
                other compensation on behalf of residents of the State; 
                or</DELETED>
                <DELETED>    (D) to obtain such other relief as the 
                court may consider to be appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--</DELETED>
                        <DELETED>    (i) written notice of that action; 
                        and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subsection, if the attorney general 
                        determines that it is not feasible to provide 
                        the notice described in that subparagraph 
                        before the filing of the action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Commission at the same 
                        time as the attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Intervention.--</DELETED>
        <DELETED>    (1) In general.--On receiving notice under 
        subsection (a)(2), the Commission shall have the right to 
        intervene in the action that is the subject of the 
        notice.</DELETED>
        <DELETED>    (2) Effect of intervention.--If the Commission 
        intervenes in an action under subsection (a), it shall have the 
        right--</DELETED>
                <DELETED>    (A) to be heard with respect to any matter 
                that arises in that action; and</DELETED>
                <DELETED>    (B) to file a petition for 
                appeal.</DELETED>
<DELETED>    (c) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle shall be 
construed to prevent an attorney general of a State from exercising the 
powers conferred on the attorney general by the laws of that State 
to--</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (d) Actions by the Commission.--In any case in which 
an action is instituted by or on behalf of the Commission for violation 
of title I, no State may, during the pendency of that action, institute 
an action under subsection (a) against any defendant named in the 
complaint in that action for violation of that rule.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in the district court of the United States 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>

<DELETED>SEC. 205. WHISTLEBLOWER PROTECTION.</DELETED>

<DELETED>    (a) In General.--No internet service provider, online 
service provider, or commercial website operator may discharge or 
otherwise discriminate against any employee with respect to 
compensation, terms, conditions, or privileges of employment because 
the employee (or any person acting pursuant to the request of the 
employee) provided information to any Federal or State agency or to the 
Attorney General of the United States or of any State regarding a 
violation of any provision of title I.</DELETED>
<DELETED>    (b) Enforcement.--Any employee or former employee who 
believes he has been discharged or discriminated against in violation 
of subsection (a) may file a civil action in the appropriate United 
States district court before the close of the 2-year period beginning 
on the date of such discharge or discrimination. The complainant shall 
also file a copy of the complaint initiating such action with the 
appropriate Federal agency.</DELETED>
<DELETED>    (c) Remedies.--If the district court determines that a 
violation of subsection (a) has occurred, it may order the Internet 
service provider, online service provider, or commercial website 
operator that committed the violation--</DELETED>
        <DELETED>    (1) to reinstate the employee to his former 
        position;</DELETED>
        <DELETED>    (2) to pay compensatory damages; or</DELETED>
        <DELETED>    (3) to take other appropriate actions to remedy 
        any past discrimination.</DELETED>
<DELETED>    (d) Limitation.--The protections of this section shall not 
apply to any employee who--</DELETED>
        <DELETED>    (1) deliberately causes or participates in the 
        alleged violation; or</DELETED>
        <DELETED>    (2) knowingly or recklessly provides substantially 
        false information to such an agency or the Attorney 
        General.</DELETED>
<DELETED>    (e) Burdens of Proof.--The legal burdens of proof that 
prevail under subchapter III of chapter 12 of title 5, United States 
Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected 
activities under this section.</DELETED>

<DELETED>SEC. 206. NO EFFECT ON OTHER REMEDIES.</DELETED>

<DELETED>    The remedies provided by sections 203 and 204 are in 
addition to any other remedy available under any provision of 
law.</DELETED>

        <DELETED>TITLE III--APPLICATION TO CONGRESS AND FEDERAL 
                           AGENCIES</DELETED>

<DELETED>SEC. 301. SENATE.</DELETED>

<DELETED>    The Sergeant at Arms of the United States Senate shall 
develop regulations setting forth an information security and 
electronic privacy policy governing use of the Internet by officers and 
employees of the Senate that meets the requirements of title 
I.</DELETED>

<DELETED>SEC. 302. APPLICATION TO FEDERAL AGENCIES.</DELETED>

<DELETED>    (a) In General.--Except as provided in subsection (b), 
this Act applies to each Federal agency that is an internet service 
provider or an online service provider, or that operates a website, to 
the extent provided by section 2674 of title 28, United States 
Code.</DELETED>
<DELETED>    (b) Exceptions.--This Act does not apply to any Federal 
agency to the extent that the application of this Act would compromise 
law enforcement activities or the administration of any investigative, 
security, or safety operation conducted in accordance with Federal 
law.</DELETED>

               <DELETED>TITLE IV--MISCELLANEOUS</DELETED>

<DELETED>SEC. 401. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Collect.--The term ``collect'' means the 
        gathering of personally identifiable information about a user 
        of an Internet service, online service, or commercial website 
        by or on behalf of the provider or operator of that service or 
        website by any means, direct or indirect, active or passive, 
        including--</DELETED>
                <DELETED>    (A) an online request for such information 
                by the provider or operator, regardless of how the 
                information is transmitted to the provider or 
                operator;</DELETED>
                <DELETED>    (B) the use of a chat room, message board, 
                or other online service to gather the information; 
                or</DELETED>
                <DELETED>    (C) tracking or use of any identifying 
                code linked to a user of such a service or website, 
                including the use of cookies or other tracking 
                technology.</DELETED>
        <DELETED>    (2) Commission.--The term ``Commission'' means the 
        Federal Trade Commission.</DELETED>
        <DELETED>    (3) Cookie.--The term ``cookie'' means any 
        program, function, or device, commonly known as a ``cookie'', 
        that makes a record on the user's computer (or other electronic 
        device) of that user's access to an internet service, online 
        service, or commercial website.</DELETED>
        <DELETED>    (4) Disclose.--The term ``disclose'' means the 
        release of personally identifiable information about a user of 
        an Internet service, online service, or commercial website by 
        an internet service provider, online service provider, or 
        operator of a commercial website for any purpose, except where 
        such information is provided to a person who provides support 
        for the internal operations of the service or website and who 
        does not disclose or use that information for any other 
        purpose.</DELETED>
        <DELETED>    (5) Federal agency.--The term ``Federal agency'' 
        means an agency, as that term is defined in section 551(1) of 
        title 5, United States Code.</DELETED>
        <DELETED>    (6) Internal operations support.--The term 
        ``support for the internal operations of a service or website'' 
        means any activity necessary to maintain the technical 
        functionality of that service or website.</DELETED>
        <DELETED>    (7) Internet.--The term ``Internet'' means 
        collectively the myriad of computer and telecommunications 
        facilities, including equipment and operating software, which 
        comprise the interconnected world-wide network of networks that 
        employ the Transmission Control Protocol/Internet Protocol, or 
        any predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or 
        radio.</DELETED>
        <DELETED>    (8) Internet service provider; online service 
        provider; website.--The Commission shall by rule define the 
        terms ``internet service provider'', ``online service 
        provider'', and ``website'', and shall revise or amend such 
        rule to take into account changes in technology, practice, or 
        procedure with respect to the collection of personal 
        information over the Internet.</DELETED>
        <DELETED>    (9) Online.--The term ``online'' refers to any 
        activity regulated by this Act or by section 2710 of title 18, 
        United States Code, that is effected by active or passive use 
        of an Internet connection, regardless of the medium by or 
        through which that connection is established.</DELETED>
        <DELETED>    (10) Operator of a commercial website.--The term 
        ``operator of a commercial website''--</DELETED>
                <DELETED>    (A) means any person who operates a 
                website located on the Internet or an online service 
                and who collects or maintains personal information from 
                or about the users of or visitors to such website or 
                online service, or on whose behalf such information is 
                collected or maintained, where such website or online 
                service is operated for commercial purposes, including 
                any person offering products or services for sale 
                through that website or online service, involving 
                commerce--</DELETED>
                        <DELETED>    (i) among the several States or 
                        with 1 or more foreign nations;</DELETED>
                        <DELETED>    (ii) in any territory of the 
                        United States or in the District of Columbia, 
                        or between any such territory and--</DELETED>
                                <DELETED>    (I) another such 
                                territory; or</DELETED>
                                <DELETED>    (II) any State or foreign 
                                nation; or</DELETED>
                        <DELETED>    (iii) between the District of 
                        Columbia and any State, territory, or foreign 
                        nation; but</DELETED>
                <DELETED>    (B) does not include any nonprofit entity 
                that would otherwise be exempt from coverage under 
                section 5 of the Federal Trade Commission Act (15 
                U.S.C. 45).</DELETED>
        <DELETED>    (11) Personally identifiable information.--</DELETED>
                <DELETED>    (A) In general.--The term ``personally 
                identifiable information'' means individually 
                identifiable information about an individual collected 
                online, including--</DELETED>
                        <DELETED>    (i) a first and last name, whether 
                        given at birth or adoption, assumed, or legally 
                        changed;</DELETED>
                        <DELETED>    (ii) a home or other physical 
                        address including street name and name of a 
                        city or town;</DELETED>
                        <DELETED>    (iii) an e-mail address;</DELETED>
                        <DELETED>    (iv) a telephone number;</DELETED>
                        <DELETED>    (v) a birth certificate 
                        number;</DELETED>
                        <DELETED>    (vi) any other identifier for 
                        which the Commission finds there is a 
                        substantial likelihood that the identifier 
                        would permit the physical or online contacting 
                        of a specific individual; or</DELETED>
                        <DELETED>    (vii) information that an Internet 
                        service provider, online service provider, or 
                        operator of a commercial website collects and 
                        combines with an identifier described in 
                        clauses (i) through (vi) of this 
                        subparagraph.</DELETED>
                <DELETED>    (B) Inferential information excluded.--
                Information about an individual derived or inferred 
                from data collected online but not actually collected 
                online is not personally identifiable 
                information.</DELETED>
        <DELETED>    (12) Release.--The term ``release of personally 
        identifiable information'' means the direct or indirect, 
        sharing, selling, renting, or other provision of personally 
        identifiable information of a user of an internet service, 
        online service, or commercial website to any other person other 
        than the user.</DELETED>
        <DELETED>    (13) Robust notice.--The term ``robust notice'' 
        means actual notice at the point of collection of the 
        personally identifiable information describing briefly and 
        succinctly the intent of the Internet service provider, online 
        service provider, or operator of a commercial website to use or 
        disclose that information for marketing or other 
        purposes.</DELETED>
        <DELETED>    (14) Sensitive financial information.--The term 
        ``sensitive financial information'' means--</DELETED>
                <DELETED>    (A) the amount of income earned or losses 
                suffered by an individual;</DELETED>
                <DELETED>    (B) an individual's account number or 
                balance information for a savings, checking, money 
                market, credit card, brokerage, or other financial 
                services account;</DELETED>
                <DELETED>    (C) the access code, security password, or 
                similar mechanism that permits access to an 
                individual's financial services account;</DELETED>
                <DELETED>    (D) an individual's insurance policy 
                information, including the existence, premium, face 
                amount, or coverage limits of an insurance policy held 
                by or for the benefit of an individual; or</DELETED>
                <DELETED>    (E) an individual's outstanding credit 
                card, debt, or loan obligations.</DELETED>
        <DELETED>    (15) Sensitive personally identifiable 
        information.--The term ``sensitive personally identifiable 
        information'' means personally identifiable information about 
        an individual's--</DELETED>
                <DELETED>    (A) individually identifiable health 
                information (as defined in section 164.501 of title 45, 
                Code of Federal Regulations);</DELETED>
                <DELETED>    (B) race or ethnicity;</DELETED>
                <DELETED>    (C) political party affiliation;</DELETED>
                <DELETED>    (D) religious beliefs;</DELETED>
                <DELETED>    (E) sexual orientation;</DELETED>
                <DELETED>    (F) a Social Security number; or</DELETED>
                <DELETED>    (G) sensitive financial 
                information.</DELETED>

<DELETED>SEC. 402. EFFECTIVE DATE OF TITLE I.</DELETED>

<DELETED>    Title I of this Act takes effect on the day after the date 
on which the Commission publishes a final rule under section 
403.</DELETED>

<DELETED>SEC. 403. FTC RULEMAKING.</DELETED>

<DELETED>    The Commission shall--</DELETED>
        <DELETED>    (1) initiate a rulemaking within 90 days after the 
        date of enactment of this Act for regulations to implement the 
        provisions of title I; and</DELETED>
        <DELETED>    (2) complete that rulemaking within 270 days after 
        initiating it.</DELETED>

<DELETED>SEC. 404. FTC REPORT.</DELETED>

<DELETED>    (a) Report.--The Commission shall submit a report to the 
Senate Committee on Commerce, Science, and Transportation and the House 
of Representatives Committee on Commerce 18 months after the effective 
date of title I, and annually thereafter, on--</DELETED>
        <DELETED>    (1) whether this Act is accomplishing the purposes 
        for which it was enacted;</DELETED>
        <DELETED>    (2) whether technology that protects privacy is 
        being utilized in the marketplace in such a manner as to 
        facilitate administration of and compliance with title 
        I;</DELETED>
        <DELETED>    (3) whether additional legislation is required to 
        accomplish those purposes or improve the administrability or 
        effectiveness of this Act;</DELETED>
        <DELETED>    (4) whether legislation is appropriate or 
        necessary to regulate the collection, use, and distribution of 
        personally identifiable information collected other than via 
        the Internet;</DELETED>
        <DELETED>    (5) whether and how the government might assist 
        industry in developing standard online privacy notices that 
        substantially comply with the requirements of section 
        102(a);</DELETED>
        <DELETED>    (6) whether and how the creation of a set of self-
        regulatory guidelines established by independent safe harbor 
        organizations and approved by the Commission would facilitate 
        administration of and compliance with title I; and</DELETED>
        <DELETED>    (7) whether additional legislation is necessary or 
        appropriate to regulate the collection, use, and disclosure of 
        personally identifiable information collected online before the 
        effective date of title I.</DELETED>
<DELETED>    (b) FTC Notice of Inquiry.--The Commission shall initiate 
a notice of inquiry within 90 days after the date of enactment of this 
Act to request comment on the matter described in paragraphs (1) 
through (7) of subsection (a).</DELETED>

<DELETED>SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.</DELETED>

<DELETED>    Section 20 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3) is amended--</DELETED>
        <DELETED>    (1) by redesignating subsection (d) as subsection 
        (e); and</DELETED>
        <DELETED>    (2) by inserting after subsection (c) the 
        following:</DELETED>
<DELETED>    ``(d) Development of Internet Privacy Program.--The 
Institute shall encourage and support the development of one or more 
computer programs, protocols, or other software, such as the World Wide 
Web Consortium's P3P program, capable of being installed on computers, 
or computer networks, with Internet access that would reflect the 
user's preferences for protecting personally-identifiable or other 
sensitive, privacy-related information, and automatically execute the 
program, once activated, without requiring user 
intervention.''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Online Personal Privacy Act''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents of this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Findings.
Sec. 4. Preemption of State law or regulations.

                   TITLE I--ONLINE PRIVACY PROTECTION

Sec. 101. Collection, use, or disclosure of personally identifiable 
                            information.
Sec. 102. Notice and consent requirements.
Sec. 103. Policy changes; privacy breach.
Sec. 104. Exceptions.
Sec. 105. Access.
Sec. 106. Security.

                         TITLE II--ENFORCEMENT

Sec. 201. Enforcement by Federal Trade Commission.
Sec. 202. Violation is unfair or deceptive act or practice.
Sec. 203. Safe harbor self-regulatory programs.
Sec. 204. Small business safe harbor.
Sec. 205. Private right of action.
Sec. 206. Actions by States.
Sec. 207. Whistleblower protection.
Sec. 208. No effect on other remedies.

        TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES

Sec. 301. Exercise of rulemaking power.
Sec. 302. Senate.
Sec. 303. Application to Federal agencies.

                        TITLE IV--MISCELLANEOUS

Sec. 401. Definitions.
Sec. 402. Effective date.
Sec. 403. FTC rulemaking.
Sec. 404. FTC report.
Sec. 405. Development of automated privacy controls.

                        TITLE V--OFFLINE PRIVACY

Sec. 501. Collection, use, and disclosure of personally identifiable 
                            information collected offline.

SEC. 3. FINDINGS.

    The Congress finds the following:
            (1) The right to privacy is a personal and fundamental 
        right worthy of protection through appropriate legislation.
            (2) Individuals engaging in and interacting with companies 
        engaged in interstate commerce have a significant interest in 
        their personal information, as well as a right to control how 
        that information is collected, used, or transferred.
            (3) Absent the recognition of these rights and the 
        establishment of consequent industry responsibilities to 
        safeguard those rights, the privacy of individuals who use the 
        Internet will soon be more gravely threatened.
            (4) To the extent that States regulate, their efforts to 
        address Internet privacy will lead to a patchwork of 
        inconsistent standards and protections.
            (5) Existing State, local, and Federal laws provide minimal 
        privacy protection for Internet users.
            (6) With the exception of Federal Trade Commission 
        enforcement of laws against unfair and deceptive practices, the 
        Federal Government thus far has eschewed general Internet 
        privacy laws in favor of industry self-regulation, which has 
        led to several self-policing schemes, some of which are 
        enforceable, and some of which provide insufficient privacy 
        protection to individuals.
            (7) Many Internet businesses have developed good Internet 
        privacy policies that provide consumers notice, choice, access, 
        and security with respect to their personal information.
            (8) Many other Internet businesses, however, have yet to 
        provide these baseline fair information practices, and, absent 
        legislative requirements to the contrary, seem unlikely to do 
        so in the near future.
            (9) State governments have been reluctant to enter the 
        field of Internet privacy regulation because use of the 
        Internet often crosses State, or even national, boundaries.
            (10) States are nonetheless interested in providing greater 
        privacy protection to their citizens as evidenced by recent 
        lawsuits brought against offline and online companies by State 
        attorneys general to protect the privacy of individuals using 
        the Internet.
            (11) The ease of gathering and compiling personal 
        information on the Internet, both overtly and surreptitiously, 
        is becoming increasingly efficient and effortless due to 
        advances in digital communications technology which have 
        provided information gatherers the ability to compile 
        seamlessly highly detailed personal histories of Internet 
        users.
            (12) Personal information flowing over the Internet 
        requires greater privacy protection than is currently available 
        today. Vast amounts of personal information, including 
        sensitive information, about individual Internet users are 
        collected on the Internet and sold or otherwise transferred to 
        third parties.
            (13) Poll after poll consistently demonstrates that 
        individual Internet users are highly troubled over their lack 
        of control over their personal information.
            (14) Market research demonstrates that tens of billions of 
        dollars in e-commerce are lost due to individual fears about a 
        lack of privacy protection on the Internet.
            (15) Market research demonstrates that as many as one-third 
        of all Internet users give false information about themselves 
        to protect their privacy, due to fears about a lack of privacy 
        protection on the Internet.
            (16) Notwithstanding these concerns, the Internet is 
        becoming a major part of the personal and commercial lives of 
        millions of Americans, providing increased access to 
        information, as well as communications and commercial 
        opportunities.
            (17) It is important to establish personal privacy rights 
        and industry obligations now so that individuals have 
        confidence that their personal privacy is fully protected on 
        the Internet.
            (18) The social and economic costs of establishing baseline 
        privacy standards now will be lower than if Congress waits 
        until the Internet becomes more prevalent in our everyday lives 
        in coming years.
            (19) Whatever costs may be borne by industry will be 
        significantly offset by the economic benefits to the commercial 
        Internet created by increased consumer confidence occasioned by 
        greater privacy protection.
            (20) Toward the close of the 20th Century, as individuals' 
        personal information was increasingly collected, profiled, and 
        shared for commercial purposes, and as technology advanced to 
        facilitate these practices, the Congress enacted numerous 
        statutes to protect privacy.
            (21) Those statutes apply to the government, telephones, 
        cable television, e-mail, video tape rentals, and the Internet 
        (but only with respect to children).
            (22) Those statutes all provide significant privacy 
        protections, but neither limit technology nor stifle business.
            (23) Those statutes ensure that the collection and 
        commercialization of individuals' personal information is fair, 
        transparent, and subject to law.
            (24) As in those instances, the Federal government has a 
        substantial interest in promoting privacy on the Internet.

SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.

    This Act supersedes any State statute, regulation, or rule 
regulating Internet privacy to the extent that it relates to the 
collection, use, or disclosure of personally identifiable information 
obtained through the Internet.

                   TITLE I--ONLINE PRIVACY PROTECTION

SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) In General.--An internet service provider, online service 
provider, or operator of a commercial website on the Internet may not 
collect personally identifiable information online from a user, or use 
or disclose personally identifiable information about a user, of that 
service or website except in accordance with the provisions of this 
Act.
    (b) Application to Certain Third-Party Operators.--The provisions 
of this Act applicable to internet service providers, online service 
providers, and commercial website operators apply to any third party, 
including an advertising network, that--
            (1) uses an internet service provider, online service 
        provider, or commercial website operator to collect information 
        about users of that service or website; or
            (2) makes computer software available to the public, by 
        sale or otherwise, that is capable of--
                    (A) collecting personally identifiable information 
                about the user, the hardware on which it is used, or 
                the manner in which it is used; and
                    (B) disclosing such information to any person other 
                than the user.

SEC. 102. NOTICE AND CONSENT REQUIREMENTS.

    (a) Notice.--Except as provided in section 104, an internet service 
provider, online service provider, or operator of a commercial website 
may not collect personally identifiable information from a user of that 
service or website online unless that provider or operator provides 
clear and conspicuous notice to the user in the manner required by this 
section for the kind of personally identifiable information to be 
collected. The notice shall disclose--
            (1) the specific types of information that will be 
        collected;
            (2) the methods of collecting and using the information 
        collected; and
            (3) all disclosure practices of that provider or operator 
        for personally identifiable information so collected, including 
        whether it will be disclosed to third parties.
    (b) Sensitive Personally Identifiable Information Requires Opt-in 
Consent.--An internet service provider, online service provider, or 
operator of a commercial website may not--
            (1) collect sensitive personally identifiable information 
        online, or
            (2) disclose or otherwise use such information collected 
        online, from a user of that service or website,
unless the provider or operator obtains that user's consent to the 
collection and disclosure or use of that information before, or at the 
time, the information is collected and the user's consent is manifested 
by an affirmative act in a written or electronic communication.
    (c) Nonsensitive Personally Identifiable Information Requires 
Robust Notice and Opt-out Consent.--An internet service provider, 
online service provider, or operator of a commercial website may not--
            (1) collect personally identifiable information not 
        described in subsection (b) online, or
            (2) disclose or otherwise use such information collected 
        online, from a user of that service or website,
unless the provider or operator provides robust notice to the user, in 
addition to clear and conspicuous notice, and has given the user an 
opportunity to decline consent for such collection and use by the 
provider or operator before, or at the time, the information is 
collected.
    (d) Initial Notice Only for Robust Notice.--An internet service 
provider, online service provider, or operator of a commercial website 
shall provide robust notice under subsection (c) of this section to a 
user only upon its first collection of non-sensitive personally 
identifiable information from that user, except that a subsequent 
collection of materially different non-sensitive personally 
identifiable information from that user shall be treated as a first 
collection of such information from that user.
    (e) Permanence of Consent.--
            (1) In general.--The consent or denial of consent by a user 
        of permission to an internet service provider, online service 
        provider, or operator of a commercial website to collect, 
        disclose, or otherwise use any information about that user for 
        which consent is required under this Act--
                    (A) shall remain in effect until changed by the 
                user; and
                    (B) shall apply to the collection, disclosure, or 
                other use of that information by any entity that is a 
                commercial successor of, or legal successor-in-interest 
                to, that provider or operator, without regard to the 
                legal form in which such succession was accomplished 
                (including any entity that collects, discloses, or uses 
                such information as a result of a proceeding under 
                chapter 7 or chapter 11 of title 11, United States 
                Code, with respect to the provider or operator).
            (2) Exception.--The consent by a user to the collection, 
        disclosure, or other use of information about that user for 
        which consent is required under this Act does not apply to the 
        collection, disclosure, or use of that information by a 
        successor entity under paragraph (1)(B) if--
                    (A) the kind of information collected by the 
                successor entity about the user is materially different 
                from the kind of information collected by the 
                predecessor entity;
                    (B) the methods of collecting and using the 
                information employed by the successor entity are 
                materially different from the methods employed by the 
                predecessor entity; or
                    (C) the disclosure practices of the successor 
                entity are materially different from the practices of 
                the predecessor entity.

SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.

    (a) Notice of Policy Change.--Whenever an internet service 
provider, online service provider, or operator of a commercial website 
makes a material change in its policy for the collection, use, or 
disclosure of sensitive or nonsensitive personally identifiable 
information, it--
            (1) shall notify all users of that service or website of 
        the change in policy; and
            (2) may not collect, disclose, or otherwise use any 
        sensitive or nonsensitive personally identifiable information 
        in accordance with the changed policy unless the user has been 
        afforded an opportunity to consent, or withhold consent, to its 
        collection, disclosure, or use in accordance with the 
        requirements of section 102(b) or (c), whichever is applicable.
    (b) Notice of Breach of Privacy.--
            (1) In general.--If the sensitive or nonsensitive 
        personally identifiable information of a user of an internet 
        service provider, online service provider, or operator of a 
        commercial website--
                    (A) is disclosed by the provider or operator in 
                violation of any provision of this Act, or
                    (B) the security, confidentiality, or integrity of 
                such information is compromised by a hacker or other 
                third party, or by any act or failure to act of the 
                provider or operator and the compromise, act, or 
                failure to act results in a disclosure of personally 
                identifiable information in violation of any provision 
                of this Act,
        then the provider or operator shall notify all users whose 
        sensitive or nonsensitive personally identifiable information 
        was affected by the unlawful collection, disclosure, use, 
        compromise, act, or failure to act. The notice shall describe 
        the nature of the unlawful collection, disclosure, use, 
        compromise, act, or failure to act and the steps taken by the 
        provider or operator to remedy it.
            (2) Delay of notification.--
                    (A) Action taken by individuals.--If the compromise 
                of the security, confidentiality, or integrity of the 
                information is caused by a hacker or other external 
                interference with the service or website, or by an 
                employee of the service or website, the provider or 
                operator may postpone issuing the notice required by 
                paragraph (1) for a reasonable period of time in order 
                to--
                            (i) facilitate the detection and 
                        apprehension of the person responsible for the 
                        compromise; and
                            (ii) take such measures as may be necessary 
                        to restore the integrity of the service or 
                        website and prevent any further compromise of 
                        the security, confidentiality, and integrity of 
                        such information.
                    (B) System failures and other functional causes.--
                If the unlawful collection, disclosure, use, or 
                compromise of the security, confidentiality, and 
                integrity of the information is the result of a system 
                failure, a problem with the operating system, software, 
                or program used by the internet service provider, 
                online service provider, or operator of the commercial 
                website, or other non-external interference with the 
                service or website, the provider or operator may 
                postpone issuing the notice required by paragraph (1) 
                for a reasonable period of time in order to--
                            (i) restore the system's functionality or 
                        fix the problem; and
                            (ii) take such measures as may be necessary 
                        to restore the integrity of the service or 
                        website and prevent any further compromise of 
                        the security, confidentiality, and integrity of 
                        the information after the failure or problem 
                        has been fixed and the integrity of the service 
                        or website has been restored.
    (c) Compliance Officers.--Each internet service provider, online 
service provider, and operator of a commercial website shall designate 
a privacy compliance officer, who shall be responsible for ensuring 
compliance with the requirements of this title and the privacy policies 
of that provider or operator.

SEC. 104. EXCEPTIONS.

    (a) In General.--Section 102 does not apply to the collection, 
disclosure, or use by an internet service provider, online service 
provider, or operator of a commercial website of information about a 
user of that service or website necessary--
            (1) to protect the security or integrity of the service or 
        website or to ensure the safety, health, or life of other 
        people or property;
            (2) to conduct a transaction, deliver a product or service, 
        or complete an arrangement for which the user provided the 
        information;
            (3) to provide other products and services or conduct 
        activities integrally related to the transaction, service, 
        product, or arrangement for which the user provided the 
        information; or
            (4) to comply with the Fair Credit Reporting Act (15 U.S.C. 
        1681 et seq.) determined without regard to section 603(d)(2) of 
        that Act (15 U.S.C. 1681a(d)(2)).
    (b) Protected Disclosures and Other Regulated Activities.--
            (1) In general.--An internet service provider, online 
        service provider, or operator of a commercial website may not 
        be held liable under this Act, any other Federal law, or any 
        State law for any disclosure made in good faith and following 
        reasonable procedures in responding to--
                    (A) a request for disclosure of personal 
                information under section 1302(b)(1)(B)(iii) of the 
                Children's Online Privacy Protection Act of 1998 (15 
                U.S.C. 6501 et seq.) to the parent of a child; or
                    (B) a request for access to, or correction or 
                deletion of, personally identifiable information under 
                section 105 of this Act.
            (2) Financial institutions.--A financial institution (as 
        defined in section 509(3) of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6809(3)) that is an internet service provider, online 
        service provider, or operator of a commercial website may not 
        be held liable under this Act for any disclosure described in 
        section 502(e) of that Act (15 U.S.C. 6802(e)).
    (c) Disclosure to Law Enforcement Agency or Under Court Order.--
            (1) In general.--Notwithstanding any other provision of 
        this Act, an internet service provider, online service 
        provider, operator of a commercial website, or third party that 
        uses such a service or website to collect information about 
        users of that service or website, may disclose personally 
        identifiable information about a user of that service or 
        website--
                    (A) to a law enforcement, investigatory, national 
                security, or regulatory agency or department of the 
                United States in response to a request or demand made 
                under authority granted to that agency or department by 
                statute, rule, or regulation, or pursuant to a warrant 
                issued under the Federal Rules of Criminal Procedure, 
                an equivalent State warrant, a court order, or a 
                properly executed administrative compulsory process; or
                    (B) in response to a court order in a civil 
                proceeding granted upon a showing of compelling need 
                for the information that cannot be accommodated by any 
                other means if--
                            (i) the user to whom the information 
                        relates is given reasonable notice by the 
                        person seeking the information of the court 
                        proceeding at which the order is requested; and
                            (ii) that user is afforded a reasonable 
                        opportunity to appear and contest the issuance 
                        of the requested order or to narrow its scope.
            (2) Safeguards against further disclosure.--A court that 
        issues an order described in paragraph (1)(B) shall impose 
        appropriate safeguards on the use of the information to protect 
        against its unauthorized disclosure.
    (d) Emergency Disclosures.--Notwithstanding any other provision of 
this Act, an internet service provider, online service provider, 
operator of a commercial website, or third party that uses such a 
service or website to collect information about users of that service 
or website, may disclose personally identifiable information about a 
user of that service or website to a law enforcement officer, hospital, 
clinic, or other lawful medical organization or a licensed physician or 
other healthcare professional if--
            (1) the disclosure is critical to the life, safety, or 
        health of the user or other individuals;
            (2) it is not feasible under the circumstances to obtain 
        timely consent; and
            (3) the disclosure is no greater than necessary to 
        accomplish the purpose for which the information is disclosed.
    (e) Disclosure for Professional Services Purposes.--Notwithstanding 
any other provision of this Act, an internet service provider, online 
service provider, operator of a commercial website, or third party that 
uses such a service or website to collect information about users of 
that service or website, may disclose personally identifiable 
information about a user of that service or website to a provider of 
professional services, or any wholly-owned affiliate thereof, of which 
the user is a client, patient, or customer if the provider or affiliate 
is subject to professional ethical standards, regulations, rules, or 
law requiring the provider or affiliate not to disclose confidential 
client information without the consent of the client.

SEC. 105. ACCESS.

    (a) In General.--An internet service provider, online service 
provider, or operator of a commercial website shall--
            (1) upon request provide reasonable access to a user to 
        personally identifiable information that the provider or 
        operator has collected and retained from the user online, or 
        that the provider or operator has combined with personally 
        identifiable information collected and retained from the user 
        online after the effective date of this Act, except that, as 
        long as a user is not denied reasonable access to personally 
        identifiable information pertaining to that user, the provider 
        or operator is not required to disclose information that would 
        compromise its ability to protect proprietary information about 
        how it collects and stores its information;
            (2) provide a reasonable opportunity for a user to suggest 
        a correction or deletion of any such information maintained by 
        that provider or operator to which the user was granted access; 
        and
            (3) make the correction a part of that user's sensitive 
        personally identifiable information or nonsensitive personally 
        identifiable information (whichever is appropriate), or make 
        the deletion, for all future disclosure and other use purposes.
    (b) Exception.--An internet service provider, online service 
provider, or operator of a commercial website may decline to make a 
suggested correction a part of that user's sensitive personally 
identifiable information or nonsensitive personally identifiable 
information (whichever is appropriate), or to make a suggested deletion 
if the provider or operator--
            (1) reasonably believes that the suggested correction or 
        deletion is inaccurate or otherwise inappropriate;
            (2) notifies the user in writing, or in digital or other 
        electronic form, of the reasons the provider or operator 
        believes the suggested correction or deletion is inaccurate or 
        otherwise inappropriate; and
            (3) provides a reasonable opportunity for the user to 
        refute the reasons given by the provider or operator for 
        declining to make the suggested correction or deletion.
    (c) Reasonableness Test.--The reasonableness of the access or 
opportunity provided under subsection (a) or (b) by an internet service 
provider, online service provider, or operator of a commercial website 
shall be determined by taking into account such factors as the 
sensitivity of the information requested and the burden or expense on 
the provider or operator of complying with the request, correction, or 
deletion.
    (d) Reasonable Access Fee.--
            (1) In general.--An internet service provider, online 
        service provider, or operator of a commercial website may 
        impose a reasonable charge for access under subsection (a).
            (2) Amount.--The amount of the fee shall not exceed $3, 
        except that upon request of a user, a provider or operator 
        shall provide such access without charge to that user if the 
        user certifies in writing that the user--
                    (A) is unemployed and intends to apply for 
                employment in the 60-day period beginning on the date 
                on which the certification is made;
                    (B) is a recipient of public welfare assistance; or
                    (C) has reason to believe that the incorrect 
                information is due to fraud.

SEC. 106. SECURITY.

    An internet service provider, online service provider, or operator 
of a commercial website shall establish and maintain reasonable 
procedures necessary to protect the security, confidentiality, and 
integrity of personally identifiable information maintained by that 
provider or operator.

                         TITLE II--ENFORCEMENT

SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

    Except as provided in section 202(b) of this Act and section 
2710(d) of title 18, United States Code, this Act shall be enforced by 
the Commission.

SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.

    (a) In General.--The violation of any provision of title I is an 
unfair or deceptive act or practice proscribed under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (b) Enforcement by Certain Other Agencies.--Compliance with title I 
of this Act shall be enforced--
            (1) under section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, and any subsidiaries 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers), by the Office of the Comptroller 
                of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), and bank holding companies and their nonbank 
                subsidiaries or affiliates (except brokers, dealers, 
                persons providing insurance, investment companies, and 
                investment advisers), by the Board;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) insured State branches of foreign banks, and 
                any subsidiaries of such entities (except brokers, 
                dealers, persons providing insurance, investment 
                companies, and investment advisers), by the Board of 
                Directors of the Federal Deposit Insurance Corporation; 
                and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                and any subsidiaries of such savings associations 
                (except brokers, dealers, persons providing insurance, 
                investment companies, and investment advisers), by the 
                Director of the Office of Thrift Supervision;
            (2) under the Federal Credit Union Act (12 U.S.C. 1751 et 
        seq.) by the Board of the National Credit Union Administration 
        with respect to any Federally insured credit union, and any 
        subsidiaries of such a credit union;
            (3) under the Securities Exchange Act of 1934 (15 U.S.C. 
        78a et seq.) by the Securities and Exchange Commission with 
        respect to any broker or dealer;
            (4) under the Investment Company Act of 1940 (15 U.S.C. 
        80a-1 et seq.) by the Securities and Exchange Commission with 
        respect to investment companies;
            (5) under the Investment Advisers Act of 1940 (15 U.S.C. 
        80b-1 et seq.) by the Securities and Exchange Commission with 
        respect to investment advisers registered under that Act;
            (6) under State insurance law in the case of any person 
        engaged in providing insurance, by the applicable State 
        insurance authority of the State in which the person is 
        domiciled, subject to section 104 of the Gramm-Leach-Bliley Act 
        (15 U.S.C. 6701);
            (7) under part A of subtitle VII of title 49, United States 
        Code, by the Secretary of Transportation with respect to any 
        air carrier or foreign air carrier subject to that part;
            (8) under the Packers and Stockyards Act, 1921 (7 U.S.C. 
        181 et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)), by the Secretary of Agriculture with respect 
        to any activities subject to that Act;
            (9) under the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit association; and
            (10) under title XI of the Social Security Act (42 U.S.C. 
        1301 et seq.) by the Secretary of Health and Human Services 
        with respect to persons regulated under that title.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any Act 
referred to in that subsection, a violation of title I is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (b), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under title I, any other authority conferred on it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating title I in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any entity that violates any provision of that subtitle is subject to 
the penalties and entitled to the privileges and immunities provided in 
the Federal Trade Commission Act in the same manner, by the same means, 
and with the same jurisdiction, power, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of that subtitle.
    (e) Disposition of Civil Penalties Obtained by FTC Enforcement 
Action Involving Nonsensitive Personally Identifiable Information.--
            (1) In general.--If a civil penalty is imposed on an 
        internet service provider, online service provider, or 
        commercial website operator in an enforcement action brought by 
        the Commission for a violation of title I with respect to 
        nonsensitive personally identifiable information of users of 
        the service or website, the penalty shall be--
                    (A) paid to the Commission;
                    (B) held by the Commission in trust for 
                distribution under paragraph (2); and
                    (C) distributed in accordance with paragraph (2).
            (2) Distribution to users.--Under procedures to be 
        established by the Commission, the Commission shall hold any 
        amount received as a civil penalty for violation of title I for 
        a period of not less than 180 days for distribution under those 
        procedures to users--
                    (A) whose nonsensitive personally identifiable 
                information was the subject of the violation; and
                    (B) who file claims with the Commission for 
                compensation for loss or damage from the violation at 
                such time, in such manner, and containing such 
                information as the Commission may require.
            (3) Amount of payment.--The amount a user may receive under 
        paragraph (2)--
                            (i) shall not exceed $200; and
                            (ii) may be limited by the Commission as 
                        necessary to afford each such user a reasonable 
                        opportunity to secure that user's appropriate 
                        portion of the amount available for 
                        distribution.
            (4) Remainder.--If the amount of any such penalty held by 
        the Commission exceeds the sum of the amounts distributed under 
        paragraph (2) attributable to that penalty, the excess shall be 
        covered into the Treasury of the United States as miscellaneous 
        receipts no later than 12 months after it was paid to the 
        Commission.
    (f) Effect on Other Laws.--
            (1) Preservation of commission authority.--Nothing 
        contained in this subtitle shall be construed to limit the 
        authority of the Commission under any other provision of law.
            (2) Relation to title ii of communications act.--Nothing in 
        title I requires an operator of a website or online service to 
        take any action that is inconsistent with the requirements of 
        section 222 of the Communications Act of 1934 (47 U.S.C. 222).
            (3) Relation to title vi of communications act.--Section 
        631 of the Communications Act of 1934 (47 U.S.C. 551) is 
        amended by adding at the end the following:
    ``(i) Application of Online Personal Privacy Act.--With respect to 
the provision by a cable operator of Internet service or online service 
and the operation by a cable operator of a commercial website, as such 
terms are defined in or under the Online Personal Privacy Act, the 
provisions of that Act shall apply in lieu of this section.''.

SEC. 203. SAFE HARBOR SELF-REGULATORY PROGRAMS.

    (a) In General.--An internet service provider, online service 
provider, or operator of a commercial website shall be presumed to be 
in compliance with the requirements of this title if the provider or 
operator--
            (1) is a participant in a self-regulatory program approved 
        by the Commission under subsection (b) and has agreed in 
        writing to meet the requirements for participation established 
        by the self-regulatory program; and
            (2) is deemed by the self-regulatory program to be in full 
        compliance with the requirements of that self-regulatory 
        program.
    (b) Approval of Self-Regulatory Programs.--The Commission may 
approve a self-regulatory program under subsection (a) only if the 
Commission finds the following:
            (1) Participation requirements.--The self-regulatory 
        program will require participants, at a minimum, to provide 
        privacy protection to users of the internet service, online 
        service, or commercial website that is substantially equivalent 
        to or greater than the protection afforded to users by title I.
            (2) Eligibility and verification.--The self-regulatory 
        program--
                    (A) will require, prior to determining eligibility 
                to participate in the self-regulatory program, and on a 
                periodic basis thereafter no less frequently than 
                annually--
                            (i) a review by the self-regulatory program 
                        or a certified independent verification 
                        organization of the prospective participant's 
                        privacy statement and privacy policy; and
                            (ii) a determination by the self-regulatory 
                        program or a certified independent verification 
                        organization that the privacy statement and 
                        privacy policy comply with the self-regulatory 
                        program's requirements;
                    (B) will obtain, prior to determining eligibility 
                to participate in the self-regulatory program, and on a 
                periodic basis thereafter no less frequently than 
                annually, a written certification from a senior 
                corporate officer or other responsible executive of the 
                participant that--
                            (i) the participant has procedures and 
                        practices in place that are designed to fulfill 
                        the representations in the participant's 
                        privacy policy and satisfy, at a minimum, the 
                        requirements of the self-regulatory program; 
                        and
                            (ii) the participant is in compliance with 
                        the privacy policy and the requirements of the 
                        self-regulatory program;
                    (C) will require each participant to obtain written 
                verification of each written certification required by 
                subparagraph (B) from a certified independent 
                verification organization or provide sufficient 
                information to the self-regulatory program to enable 
                the program reasonably to conclude that the 
                certification is materially accurate; and
                    (D) has a program for verification of continued 
                eligibility of program participants under which program 
                resources are effectively utilized to ensure compliance 
                with, and discover violations of, the self-regulatory 
                program's requirements, including random audits of 
                participants.
            (3) Transparency.--The self-regulatory program will make 
        available to the public via the Internet the results of audits 
        and violations of the program's requirements, excluding 
        information that would reveal the identity of any complainant 
        whose privacy was violated.
            (4) Cooperation with commission.--The self-regulatory 
        program, and any independent verification organization used by 
        participants in that program, will report to the Commission any 
        violations of its requirements by participants and any 
        determinations that a participant has failed to comply with the 
        self-regulatory program requirements after being afforded a 
        reasonable opportunity to do so.
            (5) Independence.--The self-regulatory program has 
        established requirements that assure that program eligibility 
        and compliance determinations concerning a participant are made 
        exclusively by persons who are independent of the participant.
    (c) Commission to Monitor Compliance.--
            (1) Publication of reported failures to comply.--The 
        Commission shall publish a list of all violations reported to 
        it by self-regulatory programs and independent verification 
        organizations.
            (2) Biennial review.--The Commission shall re-evaluate its 
        approval of each self-regulatory program under subsection (b) 
        at least once every 2 years.
    (d) Certification of Independent Verification Organizations.--
            (1) In general.--The Commission may certify an entity as an 
        independent verification organization for purposes of this 
        section. In carrying out this subsection, the Commission shall 
        consider both the technical expertise and the experience of a 
        prospective independent verification organization in providing 
        assurance services.
            (2) Eligible entities.--An independent verification 
        organization may be--
                    (A) a self-regulatory program, but only with 
                respect to an internet service provider, online service 
                provider, or commercial website operator that is not a 
                participant in that program; or
                    (B) any other entity that provides assurance 
                services and that demonstrates to the satisfaction of 
                the Commission that it has the ability and knowledge 
                required to examine and evaluate the business practices 
                of a participant or prospective participant.
    (e) Application Process.--
            (1) Application.--The Commission shall establish an 
        application process for the approval of a self-regulatory 
        program under subsection (b). The application shall be 
        submitted at such time, in such manner, and contain such 
        information as the Commission may require. Upon receipt of an 
        application, the Commission shall provide notice of the 
        application and an opportunity for comment on the application 
        to the public. The Commission shall make a decision on an 
        application within 120 days after receipt of the application.
            (2) Appeal.--A self-regulatory program that is aggrieved by 
        final action of the Commission or a failure by the Commission 
        to take action on a timely basis as required by paragraph (1) 
        may file an action in a district court under section 706 of 
        title 5, United States Code, to obtain review of the decision 
        without regard to the amount in controversy.
    (f) Unauthorized Claim of Participation.--An internet service 
provider, online service provider, or operator of a commercial website 
that willfully and falsely represents to the public by a statement, 
display of an emblem, or otherwise that it is a participant in an 
approved self-regulatory program under this section shall be liable for 
a civil penalty of up to $50,000 for each such false representation. 
The civil penalty may be recovered in an action brought by the 
Commission or a State attorney general in any court of competent 
jurisdiction.
    (g) Qualified Privilege.--A self-regulatory program is not liable 
to any person as a result of a publication under subsection (b)(3) 
unless it is found to have acted with malice or recklessness.

SEC. 204. SMALL BUSINESS SAFE HARBOR.

    This Act does not apply to any entity that--
            (1) has annual gross revenue under $1,000,000 (based on the 
        value of such amount in fiscal year 2000, adjusted for current 
        dollars);
            (2) has fewer than 25 employees;
            (3) collects or uses personally identifiable information or 
        sensitive personally identifiable information from fewer than 
        1,000 consumers per year for a purpose unrelated to a 
        transaction with the consumer;
            (4) does not process personally identifiable information or 
        sensitive personally identifiable information of consumers; and
            (5) does not sell or disclose for consideration such 
        information to another person.

SEC. 205. PRIVATE RIGHTS OF ACTION BY USERS.

    (a) Fraudulent Notice; Wrongful Disclosure.--A person to whom 
fraudulent notice with respect to sensitive personally identifiable 
information was given under this Act or whose sensitive personally 
identifiable information has been disclosed in violation of title I, 
may, if otherwise permitted by the laws or rules of court of a State, 
bring in an appropriate court of that State--
            (1) an action based on the violation to enjoin the 
        violation;
            (2) an action to recover the amount of any actual monetary 
        loss from the violation or to receive up to $500 in damages 
        for each such violation, whichever is greater; or
            (3) both such actions.
    (b) Other Violations.--A person harmed by any violation of title I 
not described in subsection (a) but related to sensitive personally 
identifiable information may, if otherwise permitted by the laws or 
rules of court of a State, bring in an appropriate court of that 
State--
            (1) an action based on the violation to enjoin the 
        violation;
            (2) an action to recover the amount of any actual monetary 
        loss from the violation; or
            (3) both such actions.
    (c) Affirmative Defense.--It shall be an affirmative defense in any 
action brought under this section that the defendant--
            (1) has established and implemented with due care 
        reasonable practices and procedures to ensure compliance with 
        the requirements of title I; or
            (2) is a participant in, and is deemed by a self-regulatory 
        organization or a certified independent verification 
        organization to be in full compliance with the requirements of, 
        a self-regulatory program approved by the Commission under 
        section 203.
    (d) Willful or Knowing Violations.--If the court finds that the 
defendant willfully or knowingly violated title I, the court may, in 
its discretion, increase the amount of the award to an amount equal to 
not more than 3 times the amount available under this section.

SEC. 206. ACTIONS BY STATES.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that violates title I, the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin that practice;
                    (B) to enforce compliance with the rule;
                    (C) to obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) to obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
the attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Actions by the Commission.--In any case in which an 
action is instituted by or on behalf of the Commission for violation of 
title I, no State may, during the pendency of that action, institute an 
action under subsection (a) against any defendant named in the 
complaint in that action for violation of that rule.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 207. WHISTLEBLOWER PROTECTION.

    (a) In General.--No internet service provider, online service 
provider, or commercial website operator may discharge or otherwise 
discriminate against any employee with respect to compensation, terms, 
conditions, or privileges of employment because the employee (or any 
person acting pursuant to the request of the employee) provided 
information to any Federal or State agency or to the Attorney General 
of the United States or of any State regarding a violation of any 
provision of title I.
    (b) Enforcement.--Any employee or former employee who believes he 
has been discharged or discriminated against in violation of subsection 
(a) may file a civil action in the appropriate United States district 
court before the close of the 2-year period beginning on the date of 
such discharge or discrimination. The complainant shall also file a 
copy of the complaint initiating such action with the appropriate 
Federal agency.
    (c) Remedies.--If the district court determines that a violation of 
subsection (a) has occurred, it may order the Internet service 
provider, online service provider, or commercial website operator that 
committed the violation--
            (1) to reinstate the employee to his former position;
            (2) to pay compensatory damages; or
            (3) to take other appropriate actions to remedy any past 
        discrimination.
    (d) Limitation.--The protections of this section shall not apply to 
any employee who--
            (1) deliberately causes or participates in the alleged 
        violation; or
            (2) knowingly or recklessly provides substantially false 
        information to such an agency or the Attorney General.
    (e) Burdens of Proof.--The legal burdens of proof that prevail 
under subchapter III of chapter 12 of title 5, United States Code (5 
U.S.C. 1221 et seq.) shall govern adjudication of protected activities 
under this section.

SEC. 208. NO EFFECT ON OTHER REMEDIES.

    The remedies provided by sections 205 and 206 are in addition to 
any other remedy available under any provision of law.

        TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES

SEC. 301. SENATE.

    The Sergeant at Arms of the United States Senate shall develop 
regulations setting forth an information security and electronic 
privacy policy governing use of the Internet by officers and employees 
of the Senate that meets the requirements of title I.

SEC. 302. APPLICATION TO FEDERAL AGENCIES.

    (a) In General.--Except as provided in subsection (b), this Act 
applies to each Federal agency that is an internet service provider or 
an online service provider, or that operates a website, to the extent 
provided by section 2674 of title 28, United States Code.
    (b) Exceptions.--This Act does not apply to any Federal agency to 
the extent that the application of this Act would compromise law 
enforcement activities or the administration of any investigative, 
security, or safety operation conducted in accordance with Federal law.

                        TITLE IV--MISCELLANEOUS

SEC. 401. DEFINITIONS.

    In this Act:
            (1) Collect.--
                    (A) In general.--The term ``collect'' means the 
                online gathering of personally identifiable information 
                from a user of an Internet service, online service, or 
                commercial website by or on behalf of the provider or 
                operator of that service or website by any means, 
                direct or indirect, active or passive, including--
                            (i) an online request for such information 
                        by the provider or operator, regardless of how 
                        the information is transmitted to the provider 
                        or operator;
                            (ii) the use of a chat room, a message 
                        board, e-mail, instant messaging, or any other 
                        online service to gather the information; or
                            (iii) tracking or use of any identifying 
                        code linked to a user of such a service or 
                        website, including the use of cookies or other 
                        tracking technology.
                    (B) Temporary collection or storage exception.--
                Notwithstanding subparagraph (A)(ii), the term 
                ``collect'' does not include the temporary collection 
                or storage of information by a chat room, message 
                board, e-mail server, instant messaging service, or 
                other online service for the sole purpose of operating 
                that chat room, message board, e-mail server, instant 
                messaging service, or other online service.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Cookie.--The term ``cookie'' means any program, 
        function, or device, commonly known as a ``cookie'', that makes 
        a record on the user's computer (or other electronic device) of 
        that user's access to an internet service, online service, or 
        commercial website.
            (4) Disclose.--The term ``disclose'' means the release of 
        personally identifiable information about a user of an Internet 
        service, online service, or commercial website by an internet 
        service provider, online service provider, or operator of a 
        commercial website for any purpose, except where such 
        information is provided to a person who provides support for 
        the internal operations of the service or website and who does 
        not disclose or use that information for any other purpose.
            (5) Federal agency.--The term ``Federal agency'' means an 
        agency, as that term is defined in section 551(1) of title 5, 
        United States Code.
            (6) Internal operations support.--The term ``support for 
        the internal operations of a service or website'' means any 
        activity necessary to maintain the operational functionality of 
        that service or website.
            (7) Internet.--The term ``Internet'' means collectively the 
        myriad of computer and telecommunications facilities, including 
        equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (8) Internet service provider; online service provider; 
        website.--The Commission shall by rule define the terms 
        ``internet service provider'', ``online service provider'', and 
        ``website'', and shall revise or amend such rule to take into 
        account changes in technology, practice, or procedure with 
        respect to the collection of personal information over the 
        Internet.
            (9) Online.--The term ``online'' refers to any activity 
        regulated by this Act or by section 2710 of title 18, United 
        States Code, that is effected by active or passive use of an 
        Internet connection, regardless of the medium by or through 
        which that connection is established.
            (10) Operator of a commercial website.--The term ``operator 
        of a commercial website''--
                    (A) means any person who operates a website located 
                on the Internet or an online service and who collects 
                or maintains personal information from or about the 
                users of or visitors to such website or online service, 
                or on whose behalf such information is collected or 
                maintained, where such website or online service is 
                operated for commercial purposes, including any person 
                offering products or services for sale through that 
                website or online service, involving commerce--
                            (i) among the several States or with 1 or 
                        more foreign nations;
                            (ii) in any territory of the United States 
                        or in the District of Columbia, or between any 
                        such territory and--
                                    (I) another such territory; or
                                    (II) any State or foreign nation; 
                                or
                            (iii) between the District of Columbia and 
                        any State, territory, or foreign nation; but
                    (B) does not include any nonprofit entity that 
                would otherwise be exempt from coverage under section 5 
                of the Federal Trade Commission Act (15 U.S.C. 45).
            (11) Personally identifiable information.--
                    (A) In general.--The term ``personally identifiable 
                information'' means individually identifiable 
                information about an individual collected online, 
                including--
                            (i) a first and last name, whether given at 
                        birth or adoption, assumed, or legally changed;
                            (ii) a home or other physical address 
                        including street name and name of a city or 
                        town;
                            (iii) an e-mail address;
                            (iv) a telephone number;
                            (v) a birth certificate number;
                            (vi) any other identifier for which the 
                        Commission finds there is a substantial 
                        likelihood that the identifier would permit the 
                        physical or online contacting of a specific 
                        individual; or
                            (vii) information that an Internet service 
                        provider, online service provider, or operator 
                        of a commercial website combines with an 
                        identifier described in clauses (i) through 
                        (vi) of this subparagraph.
                    (B) Inferential information excluded.--Information 
                about an individual derived or inferred from data 
                collected online but not actually collected online is 
                not personally identifiable information.
            (12) Release.--The term ``release of personally 
        identifiable information'' means the direct or indirect, 
        sharing, selling, renting, or other provision of personally 
        identifiable information of a user of an internet service, 
        online service, or commercial website to any other person other 
        than the user.
            (13) Robust notice.--The term ``robust notice'' means 
        actual notice at the point of collection of the personally 
        identifiable information describing briefly and succinctly the 
        intent of the Internet service provider, online service 
        provider, or operator of a commercial website to use or 
        disclose that information for marketing or other purposes.
            (14) Sensitive financial information.--The term ``sensitive 
        financial information'' means--
                    (A) the amount of income earned or losses suffered 
                by an individual;
                    (B) an individual's account number or balance 
                information for a savings, checking, money market, 
                credit card, brokerage, or other financial services 
                account;
                    (C) the access code, security password, or similar 
                mechanism that permits access to an individual's 
                financial services account;
                    (D) an individual's insurance policy information, 
                including the existence, premium, face amount, or 
                coverage limits of an insurance policy held by or for 
                the benefit of an individual; or
                    (E) an individual's outstanding credit card, debt, 
                or loan obligations.
            (15) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        personally identifiable information about an individual's--
                    (A) individually identifiable health information 
                (as defined in section 164.501 of title 45, Code of 
                Federal Regulations);
                    (B) race or ethnicity;
                    (C) political party affiliation;
                    (D) religious beliefs;
                    (E) sexual orientation;
                    (F) a Social Security number; or
                    (G) sensitive financial information.

SEC. 402. EFFECTIVE DATE OF TITLE I.

    Title I of this Act takes effect on the day after the date on which 
the Commission publishes a final rule under section 403.

SEC. 403. FTC RULEMAKING.

    The Commission shall--
            (1) initiate a rulemaking within 90 days after the date of 
        enactment of this Act for regulations to implement the 
        provisions of title I; and
            (2) complete that rulemaking within 270 days after 
        initiating it.

SEC. 404. FTC REPORT.

    (a) Report.--The Commission shall submit a report to the Senate 
Committee on Commerce, Science, and Transportation and the House of 
Representatives Committee on Commerce 18 months after the effective 
date of title I, and annually thereafter, on--
            (1) whether this Act is accomplishing the purposes for 
        which it was enacted;
            (2) whether technology that protects privacy is being 
        utilized in the marketplace in such a manner as to facilitate 
        administration of and compliance with title I;
            (3) whether additional legislation is required to 
        accomplish those purposes or improve the administrability or 
        effectiveness of this Act;
            (4) whether and how the government might assist industry in 
        developing standard online privacy notices that substantially 
        comply with the requirements of section 102(a); and
            (5) whether additional legislation is necessary or 
        appropriate to regulate the collection, use, and disclosure of 
        personally identifiable information collected online before the 
        effective date of title I.
    (b) FTC Notice of Inquiry.--The Commission shall initiate a notice 
of inquiry within 90 days after the date of enactment of this Act to 
request comment on the matter described in paragraphs (1) through (7) 
of subsection (a).

SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended--
            (1) by redesignating subsection (d) as subsection (e); and
            (2) by inserting after subsection (c) the following:
    ``(d) Development of Internet Privacy Program.--The Institute shall 
encourage and support the development of one or more computer programs, 
protocols, or other software, such as the World Wide Web Consortium's 
P3P program, capable of being installed on computers, or computer 
networks, with Internet access that would reflect the user's 
preferences for protecting personally-identifiable or other sensitive, 
privacy-related information, and automatically execute the program, 
once activated, without requiring user intervention.''.

                       TITLE V--OFFLINE PRIVACY

SEC. 501. COLLECTION, USE, AND DISCLOSURE OF PERSONALLY IDENTIFIABLE 
              INFORMATION COLLECTED OFFLINE.

    (a) In General.--Not later than the date that is 6 months after the 
date of the enactment of this Act, the Chairman of the Federal Trade 
Commission shall submit to the Committee on Commerce, Science, and 
Transportation of the United States Senate, and the Committee on Energy 
and Commerce of the United States House of Representatives, detailed 
recommendations and proposed regulations on standards with respect to 
entities that engage in the collection of personally identifiable 
information, or employ methods involving, or other actions involving, 
the collection of personally identifiable information, that are not 
covered in this Act, at a level of protection similar to that provided 
under this Act for similar types of information.
    (b) Subjects for Recommendations.--The recommendations and proposed 
regulations under subsection (a) shall address at least the following:
            (1) How the fair information practices of notice, choice, 
        access, security, and enforcement should apply to the uses and 
        disclosures of such information in a manner consistent with the 
        level of protection provided by this Act.
            (2) The fines that should be established for violating 
        requirements promulgated under the regulations.
    (c) Regulations.--
            (1) Contingent on legislation.--If an Act of Congress 
        that--
                    (A) establishes standards with respect to entities 
                that engage in the collection of personally 
                identifiable information, or employ methods or other 
                actions involving the collection of personally 
                identifiable information that are not covered in this 
                Act, and
                    (B) refers to this paragraph,
        does not become law within 18 months after the date of 
        enactment of this Act, then the Commission shall promulgate 
        final regulations (addressing at least the subjects described 
        in subsection (b)) containing such standards not later than the 
        date that is 19 months after the date of enactment of this Act.
            (2) Preemption.--A regulation promulgated under paragraph 
        (1) shall supersede State law only to the extent that this Act 
        supersedes State law under section 4 of this Act.
