[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[H.R. 69 Introduced in House (IH)]






108th CONGRESS
  1st Session
                                 H. R. 69

  To require the Federal Trade Commission to prescribe regulations to 
 protect the privacy of personal information collected from and about 
   individuals who are not covered by the Children's Online Privacy 
 Protection Act of 1998 on the Internet, to provide greater individual 
control over the collection and use of that information, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            January 7, 2003

Mr. Frelinghuysen introduced the following bill; which was referred to 
                  the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
  To require the Federal Trade Commission to prescribe regulations to 
 protect the privacy of personal information collected from and about 
   individuals who are not covered by the Children's Online Privacy 
 Protection Act of 1998 on the Internet, to provide greater individual 
control over the collection and use of that information, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

     This Act may be cited as the ``Online Privacy Protection Act of 
2003''.

SEC. 2. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN 
              CONNECTION WITH THE COLLECTION, USE AND DISCLOSURE OF 
              PERSONAL INFORMATION.

    (a) Acts Prohibited.--
            (1) In general.--It is unlawful for an operator of a Web 
        site or online service to collect, use or disclose personal 
        information in a manner that violates the regulations 
        prescribed under subsection (b).
            (2) Disclosure.--Notwithstanding paragraph (1), neither an 
        operator of a Web site or online service nor the operator's 
        agent shall be held to be liable under this Act for any 
        disclosure made in good faith and following reasonable 
        procedures in responding to a request under subsection 
        (b)(1)(B) by an individual for disclosure of personal 
        information pertaining to such individual.
    (b) Regulations.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, the Commission shall promulgate 
        under section 553 of title 5, United States Code, regulations 
        that--
                    (A) require the operator of any Web site or online 
                service--
                            (i) to provide notice on its Web site, in a 
                        clear and conspicuous manner, of the identity 
                        of the operator, what personal information is 
                        collected by the operator, how the operator 
                        uses such information, and what information may 
                        be shared with other companies; and
                            (ii) to provide a meaningful and simple 
                        online process for individuals to consent to or 
                        limit the disclosure of personal information 
                        for purposes unrelated to those for which such 
                        information was obtained or described in the 
                        notice under clause (i);
                    (B) require the operator to provide, upon request 
                of an individual under this subparagraph who has 
                provided personal information to that Web site or 
                online service, upon proper identification--
                            (i) a description of the specific types of 
                        personal information collected by that operator 
                        that was sold or transferred to an external 
                        company; and
                            (ii) notwithstanding any other provision of 
                        law, a means that is reasonable under the 
                        circumstances for the individual to obtain the 
                        personal information described in paragraph (i) 
                        from such individual; and
                    (C) require the operator of such Web site or online 
                service to establish and maintain reasonable procedures 
                to protect the confidentiality, security, and integrity 
                of personal information it collects or maintains.
            (2) When purpose limitation not required.--The regulations 
        shall provide that the purpose limitation required under 
        paragraph (1)(A)(ii) is not required for--
                    (A) transactional information where identifiable 
                information is not removed;
                    (B) personal information where it is used to render 
                or conduct a legitimate business activity related to 
                the business of the operator (for example, the use of 
                an e-mail address to respond to an e-mail 
                communication); or
                    (C) the collection, use, or dissemination of such 
                information by the operator of such a web site or 
                online service necessary to the extent permitted under 
                other provisions of law.
            (3) When access not required.--The regulations shall 
        provide that access as required under paragraph (1)(B)(ii) is 
        not required--
                    (A) to transactional information where identifiable 
                information is not removed;
                    (B) to information that is commercially 
                confidential to the operator and is obtained from 
                sources outside of the individual's contact with the 
                operator's web site;
                    (C) to information that is solely for internal 
                company processes and is neither sold, transferred, nor 
                used for activities external to the web site's 
                operator;
                    (D) to information that is discarded upon the 
                conclusion of the process that generates it; or
                    (E) to information that has no impact upon an 
                individual.
            (4) Termination of service.--The regulations shall permit 
        the operator of a Web site or an online service to terminate 
        service provided to an individual who has refused, under the 
        regulations prescribed under paragraph (1)(B)(ii), to permit 
        the operator's further use or maintenance in retrievable form, 
        or future collection, of personal information.
    (c) Enforcement.--Subject to sections 3 and 5, a violation of a 
regulation prescribed under subsection (a) shall be treated as a 
violation of a rule defining an unfair or deceptive act or practice 
prescribed under section 18(a)(1)(B) of the Federal Trade Commission 
Act (15 U.S.C. 57a(a)(1)(B)).
    (d) No Requirement to Collect or Maintain Data.--Nothing in this 
Act shall be interpreted to require an operator to collect or maintain 
any data that would not otherwise be collected or maintained.

SEC. 3. SAFE HARBORS.

    (a) Guidelines.--An operator may satisfy the requirements of 
regulations issued under section 2(b) by following a set of self-
regulatory guidelines, issued by representatives of the marketing or 
online industries, or by other persons, approved under subsection (b).
    (b) Incentives.--
            (1) Self-regulatory incentives.--In prescribing regulations 
        under section 2, the Commission shall provide incentives for 
        self-regulation by operators to implement the protections 
        afforded under the regulatory requirements described in 
        subsection (b) of that section.
            (2) Deemed compliance.--Such incentives shall include 
        provisions for ensuring that a person will be deemed to be in 
        compliance with the requirements of the regulations under 
        section 2 if that person complies with guidelines that, after 
        notice and comment, are approved by the Commission upon making 
        a determination that the guidelines meet the requirements of 
        the regulations issued under section 2.
            (3) Expedited response to requests.--The Commission shall 
        act upon requests for safe harbor treatment within 180 days of 
        the filing of the request, and shall set forth in writing its 
        conclusions with regard to such requests.
    (c) Appeals.--Final action by the Commission on a request for 
approval of guidelines, or the failure to act within 180 days on a 
request for approval of guidelines, submitted under subsection (b) may 
be appealed to a district court of the United States of appropriate 
jurisdiction as provided for in section 706 of title 5, United States 
Code.

SEC. 4. ACTIONS BY STATES.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that violates any regulation of the Commission 
        prescribed under section 2(b) of this Act, the State may bring 
        a civil action on behalf of the residents of the State in a 
        district court of the United States of appropriate jurisdiction 
        to--
                    (A) enjoin that practice;
                    (B) enforce compliance with the regulation;
                    (C) obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Commission--
                            (i) written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general determines 
                        that it is not feasible to provide the notice 
                        described in that subparagraph before the 
                        filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Commission at the same time as 
                        the attorney general files the action.
    (b) Intervention.--
            (1) In general.--On receiving notice under subsection 
        (a)(2), the Commission shall have the right to intervene in the 
        action that is the subject of the notice.
            (2) Effect of intervention.--If the Commission intervenes 
        in an action under subsection (a), it shall have the right--
                    (A) to be heard with respect to any matter that 
                arises in that action; and
                    (B) to file a petition for appeal.
            (3) Amicus curiae.--Upon application to the court, a person 
        whose self-regulatory guidelines have been approved by the 
        Commission and are relied upon as a defense by any defendant to 
        a proceeding under this section may file amicus curiae in that 
        proceeding.
    (c) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. ADMINISTRATION AND APPLICABILITY OF ACT.

    (a) In General.--Except as otherwise provided, this Act shall be 
enforced by the Commission under the Federal Trade Commission Act (15 
U.S.C. 41 et seq.).
    (b) Provisions.--Compliance with the requirements imposed under 
this Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, and organizations operating under 
                section 25 or 25(a) of the Federal Reserve Act (12 
                U.S.C. 601 et seq. and 611 et seq.), by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act; and
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association.
    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any other 
Act referred to in that subsection, a violation of any requirement 
imposed under this Act shall be deemed to be a violation of a 
requirement imposed under that other Act. In addition to its powers 
under any provision of law specifically referred to in subsection (b), 
each of the agencies referred to in that subsection may exercise, for 
the purpose of enforcing compliance with any requirement imposed under 
this Act, any other authority conferred on such agency by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating a rule of the Commission under section 2 in the 
same manner, by the same means, and with the same jurisdiction, powers, 
and duties as though all applicable terms and provisions of the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and 
made a part of this title. Any entity that violates such rule shall be 
subject to the penalties and entitled to the privileges and immunities 
provided in the Federal Trade Commission Act in the same manner, by the 
same means, and with the same jurisdiction, power, and duties as though 
all applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of this title.
    (e) Effect on Other Laws.--Nothing contained in this Act shall be 
construed to limit the authority of the Commission under any other 
provisions of law.
    (f) Preemption.--Except as otherwise provided in this Act, this Act 
supersedes State law to the extent that it establishes a rule of law 
applicable to an online privacy action that is inconsistent with State 
law. Nothing in this Act supersedes State law with respect to 
prosecution of fraud.

SEC. 6. REVIEW.

     Not later than 5 years after the effective date of the regulations 
initially issued under section 2, the Commission shall--
            (1) review the implementation of this Act, including the 
        effect of the implementation of this title on practices 
        relating to the collection and disclosure of information; and
            (2) prepare and submit to Congress a report on the results 
        of the review under paragraph (1).

SEC. 7. EFFECTIVE DATE.

     Sections 3(a), 5, and 6 of this Act shall take effect on the later 
of--
            (1) the date that is 18 months after the date of enactment 
        of this Act; or
            (2) the date on which the Commission rules on the first 
        application filed for safe harbor treatment under section 3 if 
        the Commission does not rule on the first such application 
        within one year after the date of enactment of this Act, but in 
        no case later than the date that is 30 months after the date of 
        enactment of this Act.

SEC. 8. DEFINITIONS.

     In this Act:
            (1) Individual.--The term ``individual'' means a natural 
        person of age 13 and above.
            (2) Operator.--The term ``operator''--
                    (A) means any person who operates a Web site 
                located on the Internet or an online service and who 
                collects or maintains personal information from or 
                about the users of or visitors to such Web site or 
                online service, or on whose behalf such information is 
                collected or maintained, where such Web site or online 
                service is operated for commercial purposes, including 
                any person offering products or services for sale 
                through that Web site or online service, involving 
                commerce--
                            (i) among the several States or with 1 or 
                        more foreign nations;
                            (ii) in any territory of the United States 
                        or in the District of Columbia, or between any 
                        such territory and--
                                    (I) another such territory; or
                                    (II) any State or foreign nation; 
                                or
                            (iii) between the District of Columbia and 
                        any State, territory, or foreign nation; but
                    (B) does not include any nonprofit entity that 
                would otherwise be exempt from coverage under section 5 
                of the Federal Trade Commission Act (15 U.S.C. 45).
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Disclosure.--The term ``disclosure'' means, with 
        respect to personal information the release of personal 
        information collected in identifiable form by an operator for 
        any purpose, except where such information is provided to a 
        person other than the operator who provides support for the 
        internal operations of the Web site and does not disclose or 
        use that information for any other purpose.
            (5) Federal agency.--The term ``Federal agency'' means an 
        agency, as that term is defined in section 551(1) of title 5, 
        United States Code.
            (6) Internet.--The term ``Internet'' means collectively the 
        myriad of computer and telecommunications facilities, including 
        equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (7) Transactional information.--The term ``transactional 
        information'' means information generated in connection with 
        the process of requesting, accessing, or otherwise using the 
        Internet.
            (8) Personal information.--The term ``personal 
        information'' means information collected online from an 
        individual that identifies that individual, including--
                    (A) first and last name;
                    (B) home and other physical address;
                    (C) e-mail address;
                    (D) social security number;
                    (E) telephone number;
                    (F) any other identifier that the Commission 
                determines identifies an individual; or
                    (G) information that is maintained with, or can be 
                searched or retrieved by means of, data described in 
                subparagraphs (A) through (F).
                                 <all>