

	

II

109th CONGRESS

1st Session

S. 116

IN THE SENATE OF THE UNITED STATES

January 24, 2005

Mrs. Feinstein introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

To require the consent of an individual prior to the sale and marketing of such individual’s personally identifiable information, and for other purposes.

	

	

Sec. 1. Short title; table of contents

(a) Short title. This Act may be cited as the “Privacy Act of 2005”.

(b) Table of contents. The table of contents of this Act is as follows:

Sec. 1. Short title; table of contents

Title I—Commercial sale and marketing of personally identifiable information

Sec. 101. Collection and distribution of personally identifiable information

Sec. 102. Enforcement

Sec. 103. Safe harbor

Sec. 104. Definitions

Sec. 105. Preemption

Sec. 106. Effective Date

Title II—Social security number misuse prevention

Sec. 201. Findings

Sec. 202. Prohibition of the display, sale, or purchase of social security numbers

Sec. 203. Application of prohibition of the display, sale, or purchase of social security numbers to public records

Sec. 204. Rulemaking authority of the Attorney General

Sec. 205. Treatment of social security numbers on government documents

Sec. 206. Limits on personal disclosure of a social security number for consumer transactions

Sec. 207. Extension of civil monetary penalties for misuse of a social security number

Sec. 208. Criminal penalties for the misuse of a social security number

Sec. 209. Civil actions and civil penalties

Sec. 210. Federal injunctive authority

Title III—Limitations on sale and sharing of nonpublic personal financial information

Sec. 301. Definition of sale

Sec. 302. Rules applicable to sale of nonpublic personal information

Sec. 303. Exceptions to disclosure prohibition

Sec. 304. Conforming amendments

Sec. 305. Regulatory authority

Sec. 306. Effective date

Title IV—Limitations on the provision of protected health information

Sec. 401. Definitions

Sec. 402. Prohibition against selling protected health information

Sec. 403. Authorization for sale or marketing of protected health information by noncovered entities

Sec. 404. Prohibition against retaliation

Sec. 405. Rule of construction

Sec. 406. Regulations

Sec. 407. Enforcement

Title V—Driver’s license privacy

Sec. 501. Driver’s license privacy

Title VI—Miscellaneous

Sec. 601. Enforcement by State Attorneys General

Sec. 602. Federal injunctive authority

				

Title I. Commercial sale and marketing of personally identifiable information

Sec. 101. Collection and distribution of personally identifiable information

(a) Prohibition.

(1) In general. It is unlawful for a commercial entity to collect personally identifiable information and disclose such information to any nonaffiliated third party for marketing purposes or sell such information to any nonaffiliated third party, unless the commercial entity provides—

(A) notice to the individual to whom the information relates in accordance with the requirements of subsection (b); and

(B) an opportunity for such individual to restrict the disclosure or sale of such information.

(2) Exception. A commercial entity may collect personally identifiable information and use such information to market to potential customers such entity’s product.

(b) Notice.

(1) In general. A notice under subsection (a) shall contain statements describing the following:

(A) The identity of the commercial entity collecting the personally identifiable information.

(B) The types of personally identifiable information that are being collected on the individual.

(C) How the commercial entity may use such information.

(D) A description of the categories of potential recipients of such personally identifiable information.

(E) Whether the individual is required to provide personally identifiable information in order to do business with the commercial entity.

(F) How an individual may decline to have such personally identifiable information used or sold as described in subsection (a).

(2) Time of notice. Notice shall be conveyed prior to the sale or use of the personally identifiable information as described in subsection (a) in such a manner as to allow the individual a reasonable period of time to consider the notice and limit such sale or use.

(3) Medium of notice. The medium for providing notice must be—

(A) the same medium in which the personally identifiable information is or will be collected, or a medium approved by the individual; or

(B) in the case of oral communication, notice may be conveyed orally or in writing.

(4) Form of notice. The notice shall be clear and conspicuous.

(c) Opt-Out.

(1) Opportunity to opt-out of sale or marketing. The opportunity provided to limit the sale of personally identifiable information to nonaffiliated third parties or the disclosure of such information for marketing purposes, shall be easy to use, accessible and available in the medium the information is collected, or in a medium approved by the individual.

(2) Duration of limitation. An individual’s limitation on the sale or marketing of personally identifiable information shall be considered permanent, unless otherwise specified by the individual.

(3) Revocation of consent. After an individual grants consent to the use of that individual’s personally identifiable information, the individual may revoke the consent at any time, except to the extent that the commercial entity has taken action in reliance thereon. The commercial entity shall provide the individual an opportunity to revoke consent that is easy to use, accessible, and available in the medium the information was or is collected.

(4) Not applicable. This section shall not apply to disclosure of personally identifiable information—

(A) that is necessary to facilitate a transaction specifically requested by the consumer;

(B) is used for the sole purpose of facilitating this transaction; and

(C) in which the entity receiving or obtaining such information is limited, by contract, to use such formation for the purpose of completing the transaction.

Sec. 102. Enforcement

(a) In general. In accordance with the provisions of this section, the Federal Trade Commission shall have the authority to enforce any violation of section 101 of this Act.

(b) Violations. The Federal Trade Commission shall treat a violation of section 101 as a violation of a rule under section 18a(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(c) Transfer of enforcement authority. The Federal Trade Commission shall promulgate rules in accordance with section 553 of title 5, United States Code, allowing for the transfer of enforcement authority from the Federal Trade Commission to a Federal agency regarding section 101 of this Act. The Federal Trade Commission may permit a Federal agency to enforce any violation of section 101 if such agency submits a written request to the Commission to enforce such violations and includes in such request—

(1) a description of the entities regulated by such agency that will be subject to the provisions of section 101;

(2) an assurance that such agency has sufficient authority over the entities to enforce violations of section 101; and

(3) a list of proposed rules that such agency shall use in regulating such entities and enforcing section 101.

(d) Actions by the Commission. Absent transfer of enforcement authority to a Federal agency under subsection (c), the Federal Trade Commission shall prevent any person from violating section 101 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as provided to such Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). Any entity that violates section 101 is subject to the penalties and entitled to the privileges and immunities provided in such Act in the same manner, by the same means, and with the same jurisdiction, power, and duties under such Act.

(e) Relationship to other laws.

(1) Commission authority. Nothing contained in this title shall be construed to limit authority provided to the Commission under any other law.

(2) Communications Act. Nothing in section 101 requires an operator of a website to take any action that is inconsistent with the requirements of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 and 5551).

(3) Other Acts. Nothing in this title is intended to affect the applicability or the enforceability of any provision of, or any amendment made by—

(A) the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.);

(B) title V of the Gramm-Leach-Bliley Act;

(C) the Health Insurance Portability and Accountability Act of 1996; or

(D) the Fair Credit Reporting Act.

(f) Public records. Nothing in this title shall be construed to restrict commercial entities from obtaining or disclosing personally identifying information from public records.

(g) Civil penalties. In addition to any other penalty applicable to a violation of section 101(a), a penalty of up to $25,000 may be issued for each violation.

(h) Enforcement regarding programs.

(1) In general. A Federal agency or department providing financial assistance to any entity required to comply with section 101 of this Act shall issue regulations requiring that such entity comply with such section or forfeit some or all of such assistance. Such regulations shall prescribe sanctions for noncompliance, require that such department or agency provide notice of failure to comply with such section prior to any action being taken against such recipient, and require that a determination be made prior to any action being taken against such recipient that compliance cannot be secured by voluntary means.

(2) Federal financial assistance. The term “Federal financial assistance” means assistance through a grant, cooperative agreement, loan, or contract other than a contract of insurance or guaranty.

Sec. 103. Safe harbor

A commercial entity may not be held to have violated any provision of this title if such entity complies with self-regulatory guidelines that—

(1) are issued by seal programs or representatives of the marketing or online industries or by any other person; and

(2) are approved by the Federal Trade Commission, after public comment has been received on such guidelines by the Commission, as meeting the requirements of this title.

Sec. 104. Definitions

In this title:

(1) Commercial entity. The term “commercial entity”—

(A) means any person offering products or services involving commerce—

(i) among the several States or with 1 or more foreign nations;

(ii) in any territory of the United States or in the District of Columbia, or between any such territory and—

(I) another such territory; or

(II) any State or foreign nation; or

(iii) between the District of Columbia and any State, territory, or foreign nation; and

(B) does not include—

(i) any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45);

(ii) any financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); or

(iii) any group health plan, health insurance issuer, or other entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 201 note).

(2) Commission. The term “Commission” means the Federal Trade Commission.

(3) Individual. The term “individual” means a person whose personally identifying information has been, is, or will be collected by a commercial entity.

(4) Marketing. The term “marketing” means to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(5) Medium. The term “medium” means any channel or system of communication including oral, written, and online communication.

(6) Nonaffiliated third party. The term “nonaffiliated third party” means any entity that is not related by common ownership or affiliated by corporate control with, the commercial entity, but does not include a joint employee of such institution.

(7) Personally identifiable information. The term “personally identifiable information” means individually identifiable information about the individual that is collected including—

(A) a first, middle, or last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address, including the street name, zip code, and name of a city or town;

(C) an e-mail address;

(D) a telephone number;

(E) a photograph or other form of visual identification;

(F) a birth date, birth certificate number, or place of birth for that person; or

(G) information concerning the individual that is combined with any other identifier in this paragraph.

(8) Sale; sell; sold. The terms “sale”, “sell”, and “sold”, with respect to personally identifiable information, mean the exchanging of such information for any thing of value, directly or indirectly, including the licensing, bartering, or renting of such information.

(9) Writing. The term “writing” means writing in either a paper-based or computer-based form, including electronic and digital signatures.

Sec. 105. Preemption

The provisions of this title shall supersede any statutory and common law of States and their political subdivisions insofar as that law may now or hereafter relate to the—

(1) collection and disclosure of personally identifiable information for marketing purposes; and

(2) collection and sale of personally identifiable information.

Sec. 106. Effective Date

This title and the amendments made by this title shall take effect 1 year after the date of enactment of this Act.

Title II. Social security number misuse prevention

Sec. 201. Findings

Congress makes the following findings:

(1) The inappropriate display, sale, or purchase of social security numbers has contributed to a growing range of illegal activities, including fraud, identity theft, and, in some cases, stalking and other violent crimes.

(2) While financial institutions, health care providers, and other entities have often used social security numbers to confirm the identity of an individual, the general display to the public, sale, or purchase of these numbers has been used to commit crimes, and also can result in serious invasions of individual privacy.

(3) The Federal Government requires virtually every individual in the United States to obtain and maintain a social security number in order to pay taxes, to qualify for social security benefits, or to seek employment. An unintended consequence of these requirements is that social security numbers have become one of the tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned. Because the Federal Government created and maintains this system, and because the Federal Government does not permit individuals to exempt themselves from those requirements, it is appropriate for the Federal Government to take steps to stem the abuse of social security numbers.

(4) The display, sale, or purchase of social security numbers in no way facilitates uninhibited, robust, and wide-open public debate, and restrictions on such display, sale, or purchase would not affect public debate.

(5) No one should seek to profit from the display, sale, or purchase of social security numbers in circumstances that create a substantial risk of physical, emotional, or financial harm to the individuals to whom those numbers are assigned.

(6) Consequently, this title provides each individual that has been assigned a social security number some degree of protection from the display, sale, and purchase of that number in any circumstance that might facilitate unlawful conduct.

Sec. 202. Prohibition of the display, sale, or purchase of social security numbers

(a) Prohibition.

(1) In general. Chapter 47 of title 18, United States Code, is amended by inserting after section 1028 the following:

“1028A. Prohibition of the display, sale, or purchase of social security numbers

(a) Definitions. In this section:

(1) Display. The term ‘display’ means to intentionally communicate or otherwise make available (on the Internet or in any other manner) to the general public an individual’s social security number.

(2) Person. The term ‘person’ means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity.

(3) Purchase. The term ‘purchase’ means providing directly or indirectly, anything of value in exchange for a social security number.

(4) Sale. The term ‘sale’ means obtaining, directly or indirectly, anything of value in exchange for a social security number.

(5) State. The term ‘State’ means any State of the United States, the District of Columbia, Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any territory or possession of the United States.

(b) Limitation on display. Except as provided in section 1028B, no person may display any individual’s social security number to the general public without the affirmatively expressed consent of the individual.

(c) Limitation on sale or purchase. Except as otherwise provided in this section, no person may sell or purchase any individual’s social security number without the affirmatively expressed consent of the individual.

(d) Prerequisites for consent. In order for consent to exist under subsection (b) or (c), the person displaying or seeking to display, selling or attempting to sell, or purchasing or attempting to purchase, an individual’s social security number shall—

(1) inform the individual of the general purpose for which the number will be used, the types of persons to whom the number may be available, and the scope of transactions permitted by the consent; and

(2) obtain the affirmatively expressed consent (electronically or in writing) of the individual.

(e) Exceptions. Nothing in this section shall be construed to prohibit or limit the display, sale, or purchase of a social security number—

(1) required, authorized, or excepted under any Federal law;

(2) for a public health purpose, including the protection of the health or safety of an individual in an emergency situation;

(3) for a national security purpose;

(4) for a law enforcement purpose, including the investigation of fraud and the enforcement of a child support obligation;

(5) if the display, sale, or purchase of the number is for a use occurring as a result of an interaction between businesses, governments, or business and government (regardless of which entity initiates the interaction), including, but not limited to—

(A) the prevention of fraud (including fraud in protecting an employee’s right to employment benefits);

(B) the facilitation of credit checks or the facilitation of background checks of employees, prospective employees, or volunteers;

(C) the retrieval of other information from other businesses, commercial enterprises, government entities, or private nonprofit organizations; or

(D) when the transmission of the number is incidental to, and in the course of, the sale, lease, franchising, or merger of all, or a portion of, a business;

(6) if the transfer of such a number is part of a data matching program involving a Federal, State, or local agency; or

(7) if such number is required to be submitted as part of the process for applying for any type of Federal, State, or local government benefit or program;

except that, nothing in this subsection shall be construed as permitting a professional or commercial user to display or sell a social security number to the general public.

(f) Limitation. Nothing in this section shall prohibit or limit the display, sale, or purchase of social security numbers as permitted under title V of the Gramm-Leach-Bliley Act, or for the purpose of affiliate sharing as permitted under the Fair Credit Reporting Act, except that no entity regulated under such Acts may make social security numbers available to the general public, as may be determined by the appropriate regulators under such Acts. For purposes of this subsection, the general public shall not include affiliates or unaffiliated third-party business entities as may be defined by the appropriate regulators.”.

(2) Conforming amendment. The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1028 the following:

“1028A. Prohibition of the display, sale, or purchase of social security numbers.”.

(b) Study; report.

(1) In general. The Attorney General shall conduct a study and prepare a report on all of the uses of social security numbers permitted, required, authorized, or excepted under any Federal law. The report shall include a detailed description of the uses allowed as of the date of enactment of this Act and shall evaluate whether such uses should be continued or discontinued by appropriate legislative action.

(2) Report. Not later than 1 year after the date of enactment of this Act, the Attorney General shall report to Congress findings under this subsection. The report shall include such recommendations for legislation based on criteria the Attorney General determines to be appropriate.

(c) Effective Date. The amendments made by this section shall take effect on the date that is 30 days after the date on which the final regulations promulgated under section 5 are published in the Federal Register.

Sec. 203. Application of Prohibition of the display, sale, or purchase of social security numbers to public records

(a) Public records exception.

(1) In general. Chapter 47 of title 18, United States Code (as amended by section 3(a)(1)), is amended by inserting after section 1028A the following:

“1028B. Display, sale, or purchase of public records containing social security numbers

(a) Definition. In this section, the term ‘public record’ means any governmental record that is made available to the general public.

(b) In general. Except as provided in subsections (c), (d), and (e), section 1028A shall not apply to a public record.

(c) Public records on the Internet or in an electronic medium.

(1) In general. Section 1028A shall apply to any public record first posted onto the Internet or provided in an electronic medium by, or on behalf of a government entity after the date of enactment of this section, except as limited by the Attorney General in accordance with paragraph (2).

(2) Exception for government entities already placing public records on the Internet or in electronic form. Not later than 60 days after the date of enactment of this section, the Attorney General shall issue regulations regarding the applicability of section 1028A to any record of a category of public records first posted onto the Internet or provided in an electronic medium by, or on behalf of a government entity prior to the date of enactment of this section. The regulations will determine which individual records within categories of records of these government entities, if any, may continue to be posted on the Internet or in electronic form after the effective date of this section. In promulgating these regulations, the Attorney General may include in the regulations a set of procedures for implementing the regulations and shall consider the following:

(A) The cost and availability of technology available to a governmental entity to redact social security numbers from public records first provided in electronic form after the effective date of this section.

(B) The cost or burden to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments of complying with section 1028A with respect to such records.

(C) The benefit to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments if the Attorney General were to determine that section 1028A should apply to such records.

Nothing in the regulation shall permit a public entity to post a category of public records on the Internet or in electronic form after the effective date of this section if such category had not been placed on the Internet or in electronic form prior to such effective date.

(d) Harvested social security numbers. Section 1028A shall apply to any public record of a government entity which contains social security numbers extracted from other public records for the purpose of displaying or selling such numbers to the general public.

(e) Attorney General rulemaking on paper records.

(1) In general. Not later than 60 days after the date of enactment of this section, the Attorney General shall determine the feasibility and advisability of applying section 1028A to the records listed in paragraph (2) when they appear on paper or on another nonelectronic medium. If the Attorney General deems it appropriate, the Attorney General may issue regulations applying section 1028A to such records.

(2) List of paper and other nonelectronic records. The records listed in this paragraph are as follows:

(A) Professional or occupational licenses.

(B) Marriage licenses.

(C) Birth certificates.

(D) Death certificates.

(E) Other short public documents that display a social security number in a routine and consistent manner on the face of the document.

(3) Criteria for Attorney General review. In determining whether section 1028A should apply to the records listed in paragraph (2), the Attorney General shall consider the following:

(A) The cost or burden to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments of complying with section 1028A.

(B) The benefit to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments if the Attorney General were to determine that section 1028A should apply to such records.”.

(2) Conforming amendment. The chapter analysis for chapter 47 of title 18, United States Code (as amended by section 202(a)(2)), is amended by inserting after the item relating to section 1028A the following:

“1028B. Display, sale, or purchase of public records containing social security numbers.”.

(b) Study and report on social security numbers in public records.

(1) Study. The Comptroller General of the United States shall conduct a study and prepare a report on social security numbers in public records. In developing the report, the Comptroller General shall consult with the Administrative Office of the United States Courts, State and local governments that store, maintain, or disseminate public records, and other stakeholders, including members of the private sector who routinely use public records that contain social security numbers.

(2) Report. Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the study conducted under paragraph (1). The report shall include a detailed description of the activities and results of the study and recommendations for such legislative action as the Comptroller General considers appropriate. The report, at a minimum, shall include—

(A) a review of the uses of social security numbers in non-federal public records;

(B) a review of the manner in which public records are stored (with separate reviews for both paper records and electronic records);

(C) a review of the advantages or utility of public records that contain social security numbers, including the utility for law enforcement, and for the promotion of homeland security;

(D) a review of the disadvantages or drawbacks of public records that contain social security numbers, including criminal activity, compromised personal privacy, or threats to homeland security;

(E) the costs and benefits for State and local governments of removing social security numbers from public records, including a review of current technologies and procedures for removing social security numbers from public records; and

(F) an assessment of the benefits and costs to businesses, their customers, and the general public of prohibiting the display of social security numbers on public records (with separate assessments for both paper records and electronic records).

(c) Effective Date. The prohibition with respect to electronic versions of new classes of public records under section 1028B(b) of title 18, United States Code (as added by subsection (a)(1)) shall not take effect until the date that is 60 days after the date of enactment of this Act.

				204.Rulemaking

			 authority of the Attorney General

				(a)In

			 general. Except as provided in subsection (b), the Attorney

			 General may prescribe such rules and regulations as the Attorney General deems

			 necessary to carry out the provisions of section 1028A(e)(5) of title 18,

			 United States Code (as added by section 202(a)(1)).

				(b)Display, sale,

			 or purchase rulemaking with respect to interactions between businesses,

			 governments, or business and government

					(1)In

			 general. Not later than 1 year after the date of enactment of this

			 Act, the Attorney General, in consultation with the Commissioner of Social

			 Security, the Chairman of the Federal Trade Commission, and such other heads of

			 Federal agencies as the Attorney General determines appropriate, shall conduct

			 such rulemaking procedures in accordance with subchapter II of chapter 5 of

			 title 5, United States Code, as are necessary to promulgate regulations to

			 implement and clarify the uses occurring as a result of an interaction between

			 businesses, governments, or business and government (regardless of which entity

			 initiates the interaction) permitted under section 1028A(e)(5) of title 18,

			 United States Code (as added by section 202(a)(1)).

					(2)Factors to be

			 considered. In promulgating the regulations required under

			 paragraph (1), the Attorney General shall, at a minimum, consider the

			 following:

						(A)The benefit to a

			 particular business, to customers of the business, and to the general public of

			 the display, sale, or purchase of an individual’s social security

			 number.

						(B)The costs that

			 businesses, customers of businesses, and the general public may incur as a

			 result of prohibitions on the display, sale, or purchase of social security

			 numbers.

						(C)The risk that a

			 particular business practice will promote the use of a social security number

			 to commit fraud, deception, or crime.

						(D)The presence of

			 adequate safeguards and procedures to prevent—

							(i)misuse of social

			 security numbers by employees within a business; and

							(ii)misappropriation

			 of social security numbers by the general public, while permitting internal

			 business uses of such numbers.

							(E)The presence of

			 procedures to prevent identity thieves, stalkers, and other individuals with

			 ill intent from posing as legitimate businesses to obtain social security

			 numbers.

						205.Treatment of

			 social security numbers on government documents

				(a)Prohibition of

			 use of social security account numbers on checks issued for payment by

			 governmental agencies

					(1)In

			 general. Section 205(c)(2)(C) of the

			 Social Security Act (42 U.S.C.

			 405(c)(2)(C)) is amended by adding at the end the

			 following:

						

							(x)No Federal,

				State, or local agency may display the social security account number of any

				individual, or any derivative of such number, on any check issued for any

				payment by the Federal, State, or local agency.

							.

					(2)Effective

			 Date. The amendment made by this subsection shall apply with

			 respect to violations of

			 section

			 205(c)(2)(C)(x) of the Social

			 Security Act (42 U.S.C.

			 405(c)(2)(C)(x)), as added by paragraph (1), occurring after

			 the date that is 3 years after the date of enactment of this Act.

					(b)Prohibition of

			 appearance of social security account numbers on Driver’s licenses or motor

			 vehicle registration

					(1)In

			 general. Section 205(c)(2)(C)(vi)

			 of the Social Security Act

			 (42

			 U.S.C. 405(c)(2)(C)(vi)) is amended—

						(A)by inserting

			 “(I)” after “(vi)”; and

						(B)by adding at the

			 end the following:

							

								(II)(aa)An agency of a State

				(or political subdivision thereof), in the administration of any driver’s

				license or motor vehicle registration law within its jurisdiction, may not

				display the social security account numbers issued by the Commissioner of

				Social Security, or any derivative of such numbers, on the face of any driver’s

				license or motor vehicle registration or any other document issued by such

				State (or political subdivision thereof) to an individual for purposes of

				identification of such individual.

									(bb)Nothing in this subclause shall be

				construed as precluding an agency of a State (or political subdivision

				thereof), in the administration of any driver’s license or motor vehicle

				registration law within its jurisdiction, from using a social security account

				number for an internal use or to link with the database of an agency of another

				State that is responsible for the administration of any driver’s license or

				motor vehicle registration law.

									.

						(2)Effective

			 Date. The amendments made by this subsection shall apply with

			 respect to licenses, registrations, and other documents issued or reissued

			 after the date that is 1 year after the date of enactment of this Act.

					(c)Prohibition of

			 inmate access to social security account numbers

					(1)In

			 general. Section 205(c)(2)(C) of the

			 Social Security Act (42 U.S.C.

			 405(c)(2)(C)) (as amended by subsection (b)) is amended by

			 adding at the end the following:

						

							(xi)No Federal, State, or local agency

				may employ, or enter into a contract for the use or employment of, prisoners in

				any capacity that would allow such prisoners access to the social security

				account numbers of other individuals. For purposes of this clause, the term

				“prisoner” means an individual confined in a jail, prison, or other

				penal institution or correctional facility pursuant to such individual’s

				conviction of a criminal offense.

							.

					(2)Effective

			 Date. The amendment made by this subsection shall apply with

			 respect to employment of prisoners, or entry into contract with prisoners,

			 after the date that is 1 year after the date of enactment of this Act.

					206.Limits on

			 personal disclosure of a social security number for consumer

			 transactions

				(a)In

			 general. Part A of title XI of the Social Security Act (42 U.S.C. 1301 et

			 seq.) is amended by adding at the end the following:

					

						1150A.Limits on

				personal disclosure of a social security number for consumer

				transactions

							(a)In

				general. A commercial entity may not require an individual to

				provide the individual’s social security number when purchasing a commercial

				good or service or deny an individual the good or service for refusing to

				provide that number except—

								(1)for any purpose

				relating to—

									(A)obtaining a

				consumer report for any purpose permitted under the

				Fair Credit Reporting Act;

									(B)a background

				check of the individual conducted by a landlord, lessor, employer, voluntary

				service agency, or other entity as determined by the Attorney General;

									(C)law enforcement;

				or

									(D)a Federal, State,

				or local law requirement; or

									(2)if the social

				security number is necessary to verify the identity of the consumer to effect,

				administer, or enforce the specific transaction requested or authorized by the

				consumer, or to prevent fraud.

								(b)Application of

				civil money penalties. A violation of this section shall be deemed

				to be a violation of section 1129(a)(3)(F).

							(c)Application of

				criminal penalties. A violation of this section shall be deemed to

				be a violation of section 208(a)(8).

							(d)Limitation on

				class actions. No class action alleging a violation of this

				section shall be maintained under this section by an individual or any private

				party in Federal or State court.

							(e)State Attorney

				General enforcement

								(1)In

				general

									(A)Civil

				actions. In any case in which the attorney general of a State has

				reason to believe that an interest of the residents of that State has been or

				is threatened or adversely affected by the engagement of any person in a

				practice that is prohibited under this section, the State, as parens patriae,

				may bring a civil action on behalf of the residents of the State in a district

				court of the United States of appropriate jurisdiction to—

										(i)enjoin that

				practice;

										(ii)enforce

				compliance with such section;

										(iii)obtain damages,

				restitution, or other compensation on behalf of residents of the State;

				or

										(iv)obtain such

				other relief as the court may consider appropriate.

										(B)Notice

										(i)In

				general. Before filing an action under subparagraph (A), the

				attorney general of the State involved shall provide to the Attorney

				General—

											(I)written notice of

				the action; and

											(II)a copy of the

				complaint for the action.

											(ii)Exemption

											(I)In

				general. Clause (i) shall not apply with respect to the filing of

				an action by an attorney general of a State under this subsection, if the State

				attorney general determines that it is not feasible to provide the notice

				described in such subparagraph before the filing of the action.

											(II)Notification. With

				respect to an action described in subclause (I), the attorney general of a

				State shall provide notice and a copy of the complaint to the Attorney General

				at the same time as the State attorney general files the action.

											(2)Intervention

									(A)In

				general. On receiving notice under paragraph (1)(B), the Attorney

				General shall have the right to intervene in the action that is the subject of

				the notice.

									(B)Effect of

				intervention. If the Attorney General intervenes in the action

				under paragraph (1), the Attorney General shall have the right to be heard with

				respect to any matter that arises in that action.

									(3)Construction. For

				purposes of bringing any civil action under paragraph (1), nothing in this

				section shall be construed to prevent an attorney general of a State from

				exercising the powers conferred on such attorney general by the laws of that

				State to—

									(A)conduct

				investigations;

									(B)administer oaths

				or affirmations; or

									(C)compel the

				attendance of witnesses or the production of documentary and other

				evidence.

									(4)Actions by the

				Attorney General of the United States. In any case in which an

				action is instituted by or on behalf of the Attorney General for violation of a

				practice that is prohibited under this section, no State may, during the

				pendency of that action, institute an action under paragraph (1) against any

				defendant named in the complaint in that action for violation of that

				practice.

								(5)Venue; service

				of process

									(A)Venue. Any

				action brought under paragraph (1) may be brought in the district court of the

				United States that meets applicable requirements relating to venue under

				section 1391 of title 28, United States Code.

									(B)Service of

				process. In an action brought under paragraph (1), process may be

				served in any district in which the defendant—

										(i)is an inhabitant;

				or

										(ii)may be

				found.

										(f)Sunset. This

				section shall not apply on or after the date that is 6 years after the

				effective date of this section.

							.

				(b)Evaluation and

			 report. Not later than the date that is 6 years and 6 months after

			 the date of enactment of this Act, the Attorney General, in consultation with

			 the chairman of the Federal Trade Commission, shall issue a report evaluating

			 the effectiveness and efficiency of

			 section

			 1150A of the Social Security

			 Act (as added by subsection (a)) and shall make recommendations to

			 Congress as to any legislative action determined to be necessary or advisable

			 with respect to such section, including a recommendation regarding whether to

			 reauthorize such section.

				(c)Effective

			 Date. The amendment made by subsection (a) shall apply to requests

			 to provide a social security number occurring after the date that is 1 year

			 after the date of enactment of this Act.

				207.Extension of

			 civil monetary penalties for misuse of a social security number

				(a)Treatment of

			 withholding of material facts

					(1)Civil

			 penalties. The first sentence of

			 section

			 1129(a)(1) of the Social Security

			 Act (42 U.S.C. 1320a–8(a)(1))

			 is amended—

						(A)by striking

			 “who” and inserting “who—”;

						(B)by striking

			 “makes” and all that follows through “shall be subject

			 to” and inserting the following:

							

								(A)makes, or causes to be made, a

				statement or representation of a material fact, for use in determining any

				initial or continuing right to or the amount of monthly insurance benefits

				under title II or benefits or payments under title VIII or XVI, that the person

				knows or should know is false or misleading;

								(B)makes such a statement or

				representation for such use with knowing disregard for the truth; or

								(C)omits from a statement or

				representation for such use, or otherwise withholds disclosure of, a fact which

				the individual knows or should know is material to the determination of any

				initial or continuing right to or the amount of monthly insurance benefits

				under title II or benefits or payments under title VIII or XVI and the

				individual knows, or should know, that the statement or representation with

				such omission is false or misleading or that the withholding of such disclosure

				is misleading, shall be subject to

								;

						(C)by inserting

			 “or each receipt of such benefits while withholding disclosure of such

			 fact” after “each such statement or representation”;

						(D)by inserting

			 “or because of such withholding of disclosure of a material fact”

			 after “because of such statement or representation”; and

						(E)by inserting

			 “or such a withholding of disclosure” after “such a

			 statement or representation”.

						(2)Administrative

			 procedure for imposing penalties. The first sentence of

			 section

			 1129A(a) of the Social Security

			 Act (42 U.S.C. 1320a–8a(a)) is

			 amended—

						(A)by striking

			 “who” and inserting “who—”; and

						(B)by striking

			 “makes” and all that follows through “shall be subject

			 to” and inserting the following:

							

								(1)makes, or causes

				to be made, a statement or representation of a material fact, for use in

				determining any initial or continuing right to or the amount of monthly

				insurance benefits under title II or benefits or payments under title VIII or

				XVI, that the person knows or should know is false or misleading;

								(2)makes such a

				statement or representation for such use with knowing disregard for the truth;

				or

								(3)omits from a

				statement or representation for such use, or otherwise withholds disclosure of,

				a fact which the individual knows or should know is material to the

				determination of any initial or continuing right to or the amount of monthly

				insurance benefits under title II or benefits or payments under title VIII or

				XVI and the individual knows, or should know, that the statement or

				representation with such omission is false or misleading or that the

				withholding of such disclosure is misleading, shall be subject to

								.

						(b)Application of

			 civil money penalties to elements of criminal

			 violations. Section 1129(a) of the

			 Social Security Act (42 U.S.C.

			 1320a–8(a)), as amended by subsection (a)(1), is

			 amended—

					(1)by redesignating

			 paragraph (2) as paragraph (4);

					(2)by redesignating

			 the last sentence of paragraph (1) as paragraph (2) and inserting such

			 paragraph after paragraph (1); and

					(3)by inserting

			 after paragraph (2) (as so redesignated) the following:

						

							(3)Any person (including an

				organization, agency, or other entity) who—

								(A)uses a social security account number

				that such person knows or should know has been assigned by the Commissioner of

				Social Security (in an exercise of authority under section 205(c)(2) to

				establish and maintain records) on the basis of false information furnished to

				the Commissioner by any person;

								(B)falsely represents a number to be the

				social security account number assigned by the Commissioner of Social Security

				to any individual, when such person knows or should know that such number is

				not the social security account number assigned by the Commissioner to such

				individual;

								(C)knowingly alters a social security

				card issued by the Commissioner of Social Security, or possesses such a card

				with intent to alter it;

								(D)knowingly displays, sells, or

				purchases a card that is, or purports to be, a card issued by the Commissioner

				of Social Security, or possesses such a card with intent to display, purchase,

				or sell it;

								(E)counterfeits a social security card,

				or possesses a counterfeit social security card with intent to display, sell,

				or purchase it;

								(F)discloses, uses, compels the

				disclosure of, or knowingly displays, sells, or purchases the social security

				account number of any person in violation of the laws of the United

				States;

								(G)with intent to deceive the

				Commissioner of Social Security as to such person’s true identity (or the true

				identity of any other person) furnishes or causes to be furnished false

				information to the Commissioner with respect to any information required by the

				Commissioner in connection with the establishment and maintenance of the

				records provided for in section 205(c)(2);

								(H)offers, for a fee, to acquire for any

				individual, or to assist in acquiring for any individual, an additional social

				security account number or a number which purports to be a social security

				account number; or

								(I)being an officer or employee of a

				Federal, State, or local agency in possession of any individual’s social

				security account number, willfully acts or fails to act so as to cause a

				violation by such agency of clause (vi)(II) or (x) of section 205(c)(2)(C),

				shall be subject to, in addition to any other penalties that may be prescribed

				by law, a civil money penalty of not more than $5,000 for each violation. Such

				person shall also be subject to an assessment, in lieu of damages sustained by

				the United States resulting from such violation, of not more than twice the

				amount of any benefits or payments paid as a result of such violation.

								.

					(c)Clarification

			 of treatment of recovered amounts. Section 1129(e)(2)(B) of the

			 Social Security Act (42 U.S.C.

			 1320a–8(e)(2)(B)) is amended by striking “In the case of

			 amounts recovered arising out of a determination relating to title VIII or

			 XVI,” and inserting “In the case of any other amounts recovered

			 under this section,”.

				(d)Conforming

			 amendments

					(1)Section

			 1129(b)(3)(A) of the Social

			 Security Act (42 U.S.C.

			 1320a–8(b)(3)(A)) is amended by striking “charging fraud

			 or false statements”.

					(2)Section

			 1129(c)(1) of the Social Security

			 Act (42 U.S.C. 1320a–8(c)(1))

			 is amended by striking “and representations” and inserting

			 “, representations, or actions”.

					(3)Section

			 1129(e)(1)(A) of the Social

			 Security Act (42 U.S.C.

			 1320a–8(e)(1)(A)) is amended by striking “statement or

			 representation referred to in subsection (a) was made” and inserting

			 “violation occurred”.

					(e)Effective

			 dates

					(1)In

			 general. Except as provided in paragraph (2), the amendments made

			 by this section shall apply with respect to violations of sections 1129 and

			 1129A of the Social Security Act

			 (42 U.S.C.

			 1320–8 and 1320a–8a), as amended by this section, committed

			 after the date of enactment of this Act.

					(2)Violations by

			 government agents in possession of social security

			 numbers. Section 1129(a)(3)(I) of the

			 Social Security Act (42 U.S.C.

			 1320a–8(a)(3)(I)), as added by subsection (b), shall apply with

			 respect to violations of that section occurring on or after the effective date

			 described in section 202(c).

					208.Criminal

			 penalties for the misuse of a social security number

				(a)Prohibition of

			 wrongful use as personal identification number. No person may

			 obtain any individual’s social security number for purposes of locating or

			 identifying an individual with the intent to physically injure, harm, or use

			 the identity of the individual for any illegal purpose.

				(b)Criminal

			 sanctions. Section 208(a) of the

			 Social Security Act (42 U.S.C. 408(a))

			 is amended—

					(1)in paragraph (8),

			 by inserting “or” after the semicolon; and

					(2)by inserting

			 after paragraph (8) the following:

						

							(9)except as

				provided in subsections (e) and (f) of section 1028A of title 18, United States

				Code, knowingly and willfully displays, sells, or purchases (as those terms are

				defined in section 1028A(a) of title 18, United States Code) any individual’s

				social security account number without having met the prerequisites for consent

				under section 1028A(d) of title 18, United States Code; or

							(10)obtains any

				individual’s social security number for the purpose of locating or identifying

				the individual with the intent to injure or to harm that individual, or to use

				the identity of that individual for an illegal purpose;

							.

					209.Civil actions

			 and civil penalties

				(a)Civil action in

			 State courts

					(1)In

			 general. Any individual aggrieved by an act of any person in

			 violation of this title or any amendments made by this title may, if otherwise

			 permitted by the laws or rules of the court of a State, bring in an appropriate

			 court of that State—

						(A)an action to

			 enjoin such violation;

						(B)an action to

			 recover for actual monetary loss from such a violation, or to receive up to

			 $500 in damages for each such violation, whichever is greater; or

						(C)both such

			 actions.

						It shall be

			 an affirmative defense in any action brought under this paragraph that the

			 defendant has established and implemented, with due care, reasonable practices

			 and procedures to effectively prevent violations of the regulations prescribed

			 under this title. If the court finds that the defendant willfully or knowingly

			 violated the regulations prescribed under this subsection, the court may, in

			 its discretion, increase the amount of the award to an amount equal to not more

			 than 3 times the amount available under subparagraph (B).

					(2)Statute of

			 limitations. An action may be commenced under this subsection not

			 later than the earlier of—

						(A)5 years after the

			 date on which the alleged violation occurred; or

						(B)3 years after the

			 date on which the alleged violation was or should have been reasonably

			 discovered by the aggrieved individual.

						(3)Nonexclusive

			 remedy. The remedy provided under this subsection shall be in

			 addition to any other remedies available to the individual.

					(b)Civil

			 penalties

					(1)In

			 general. Any person who the Attorney General determines has

			 violated any section of this title or of any amendments made by this title

			 shall be subject, in addition to any other penalties that may be prescribed by

			 law—

						(A)to a civil

			 penalty of not more than $5,000 for each such violation; and

						(B)to a civil

			 penalty of not more than $50,000, if the violations have occurred with such

			 frequency as to constitute a general business practice.

						(2)Determination

			 of violations. Any willful violation committed contemporaneously

			 with respect to the social security numbers of 2 or more individuals by means

			 of mail, telecommunication, or otherwise, shall be treated as a separate

			 violation with respect to each such individual.

					(3)Enforcement

			 procedures. The provisions of

			 section

			 1128A of the Social Security

			 Act (42 U.S.C. 1320a–7a), other than

			 subsections (a), (b), (f), (h), (i), (j), (m), and (n) and the first sentence

			 of subsection (c) of such section, and the provisions of subsections (d) and

			 (e) of section 205 of such Act (42 U.S.C. 405) shall apply to a

			 civil penalty action under this subsection in the same manner as such

			 provisions apply to a penalty or proceeding under section 1128A(a) of such Act

			 (42 U.S.C.

			 1320a–7a(a)), except that, for purposes of this paragraph, any

			 reference in section 1128A of such Act (42 U.S.C. 1320a–7a) to the

			 Secretary shall be deemed to be a reference to the Attorney General.

					210.Federal

			 injunctive authority. In

			 addition to any other enforcement authority conferred under this title or the

			 amendments made by this title, the Federal Government shall have injunctive

			 authority with respect to any violation by a public entity of any provision of

			 this title or of any amendments made by this title.

			Title III—Limitations on

			 sale and sharing of nonpublic personal financial information

			301.Definition of

			 sale. Section 509 of the

			 Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended by

			 adding at the end the following:

				

					(12)Sale. The

				terms “sale”, “sell”, and “sold”, with respect

				to nonpublic personal information, mean the exchange of such information for

				any thing of value, directly or indirectly, including the licensing, bartering,

				or renting of such information.

					.

			302.Rules

			 applicable to sale of nonpublic personal information. Section 502 of the Gramm-Leach-Bliley Act

			 (15 U.S.C.

			 6802) is amended—

				(1)in the section

			 heading, by inserting “sales, and other

			 sharing” after

			 “disclosures”;

				(2)in subsection

			 (a), by striking “disclose to” and inserting “sell or

			 otherwise disclose to an affiliate or”;

				(3)in subsection

			 (b)—

					(A)in the subsection

			 heading, by inserting “for Disclosures to

			 Affiliates” before the period;

					(B)by striking

			 “a nonaffiliated third party” each place that term appears and

			 inserting “an affiliate”;

					(C)by striking

			 “such third party” each place that term appears and inserting

			 “such affiliate”;

					(D)by striking

			 “may not disclose” and inserting “may not sell or otherwise

			 disclose”; and

					(E)by striking

			 paragraph (2) and inserting the following:

						

							(2)Exception. This

				subsection shall not prevent a financial institution from providing nonpublic

				personal information to an affiliated third party to perform services for or

				functions on behalf of the financial institution, including marketing of the

				financial institution’s own products or services, if the financial institution

				fully discloses the provision of such information and requires the affiliate to

				maintain the confidentiality of such information.

							;

					(4)in subsection

			 (d), by striking “disclose” and inserting “sell or otherwise

			 disclose”;

				(5)by striking

			 subsection (e);

				(6)by redesignating

			 subsections (c) and (d) as subsections (e) and (f), respectively; and

				(7)by inserting

			 after subsection (b) the following:

					

						(c)Opt in for

				disclosures to nonaffiliated third parties

							(1)Affirmative

				consent required. A financial institution may not sell or

				otherwise disclose nonpublic personal information to any nonaffiliated third

				party, unless the consumer to whom the information pertains—

								(A)has affirmatively

				consented to the sale or disclosure of such information; and

								(B)has not withdrawn

				the consent.

								(2)Exception. This

				subsection shall not prevent a financial institution from providing nonpublic

				personal information to a nonaffiliated third party to perform services for or

				functions on behalf of the financial institution, including marketing of the

				financial institution’s own products or services (subject to subsection (d)

				with respect to joint agreements between 2 or more financial institutions), if

				the financial institution fully discloses the provision of such information and

				enters into a contractual agreement with the nonaffiliated third party that

				requires that third party to maintain the confidentiality of such

				information.

							(d)Opt out for

				joint agreements. A financial institution may not sell or

				otherwise disclose nonpublic personal information to a nonaffiliated third

				party for the purpose of offering financial products or services pursuant to a

				joint agreement between 2 or more financial institutions, unless—

							(1)the financial

				institution clearly and conspicuously discloses to the consumer to whom the

				information pertains, in writing or in electronic form or other form permitted

				by the regulations prescribed under section 504, that such information may be

				disclosed to such nonaffiliated third party;

							(2)the consumer is

				given the opportunity, before the time that such information is initially

				disclosed, to direct that such information not be disclosed to such

				nonaffiliated third party;

							(3)the consumer is

				given an explanation of how the consumer can exercise that nondisclosure

				option; and

							(4)the financial

				institution receiving the nonpublic personal information signs a written

				agreement obliging it—

								(A)to maintain the

				confidentiality of the information; and

								(B)to refrain from

				using, selling, or otherwise disclosing the information other than to carry out

				the joint offering or servicing of the financial product or financial service

				that is the subject of the written agreement.

								.

				303.Exceptions to

			 disclosure prohibition

				(a)In

			 general. Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as

			 amended by this title, is amended by adding at the end the following:

					

						(g)General

				exceptions. Notwithstanding any other provision of this section,

				this section does not prohibit—

							(1)the sale or other

				disclosure of nonpublic personal information to an affiliate or a nonaffiliated

				third party—

								(A)as necessary to

				effect, administer, or enforce a transaction requested or authorized by the

				consumer to whom the information pertains, or in connection with—

									(i)servicing or

				processing a financial product or service requested or authorized by the

				consumer;

									(ii)maintaining or

				servicing the account of the consumer with the financial institution, or with

				another entity as part of a private label credit card program or other

				extension of credit on behalf of such entity; or

									(iii)a proposed or

				actual securitization, secondary market sale (including sales of servicing

				rights), or similar transaction related to a transaction of the

				consumer;

									(B)with the consent

				or at the direction of the consumer, in accordance with applicable rules

				prescribed under this subtitle;

								(C)to the extent

				specifically permitted or required under other provisions of law and in

				accordance with the Right to Financial Privacy

				Act of 1978; or

								(D)to law

				enforcement agencies (including a Federal functional regulator, the Secretary

				of the Treasury, with respect to subchapter II of chapter 53 of title 31,

				United States Code, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State

				insurance authority, or the Federal Trade Commission), self-regulatory

				organizations, or for an investigation on a matter related to public

				safety;

								(2)the disclosure,

				other than the sale, of nonpublic personal information to identify or locate

				missing and abducted children, witnesses, criminals, and fugitives, parties to

				lawsuits, parents, delinquents in child support payments, organ and bone marrow

				donors, pension fund beneficiaries, and missing heirs; or

							(3)the disclosure,

				other than the sale, of nonpublic personal information—

								(A)to protect the

				confidentiality or security of the records of the financial institution

				pertaining to the consumer, the service or product, or the transaction

				therein;

								(B)to protect

				against or prevent actual or potential fraud, unauthorized transactions,

				claims, or other liability;

								(C)for required

				institutional risk control, or for resolving customer disputes or

				inquiries;

								(D)to persons

				holding a legal or beneficial interest relating to the consumer;

								(E)to persons acting

				in a fiduciary or representative capacity on behalf of the consumer;

								(F)to provide

				information to insurance rate advisory organizations, guaranty funds or

				agencies, applicable rating agencies of the financial institution, persons

				assessing the compliance of the institution with industry standards, or the

				attorneys, accountants, or auditors of the institution;

								(G)to a consumer

				reporting agency, in accordance with the Fair

				Credit Reporting Act or from a consumer report reported by a

				consumer reporting agency, as those terms are defined in that Act;

								(H)in connection

				with a proposed or actual sale, merger, transfer, or exchange of all or a

				portion of a business or operating unit if the disclosure of nonpublic personal

				information concerns solely consumers of such business or unit;

								(I)to comply with

				Federal, State, or local laws, rules, or other applicable legal requirements,

				or with a properly authorized civil, criminal, or regulatory investigation or

				subpoena or summons by Federal, State, or local authorities; or

								(J)to respond to

				judicial process or government regulatory authorities having jurisdiction over

				the financial institution for examination, compliance, or other purposes, as

				authorized by law.

								(h) Denial of service prohibited. A financial institution may not deny any

				consumer a financial product or a financial service as a result of the refusal

				by the consumer to grant consent to disclosure under this section or the

				exercise by the consumer of a nondisclosure option under this section, except

				that nothing in this subsection may be construed to prohibit a financial

				institution from offering incentives to elicit consumer consent to the use of

				his or her nonpublic personal information.

				(b) Repeal of regulatory exemption authority. Section 504 of the

			 Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended—

					(1) by striking subsection (b);

					(2) by striking “(a) Regulatory Authority.—”;

					(3) by redesignating paragraphs (1), (2), and (3) as subsections (a), (b), and (c), respectively,

			 and moving the margins 2 ems to the left; and

					(4) by striking “paragraph (1)” and inserting “subsection (a)”.

					304. Conforming amendments. Title V of the

			 Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is

			 amended—

				(1) in section 503(b)(1) (15 U.S.C. 6803(b)(1))—

					(A) by inserting “affiliates and” before “nonaffiliated”; and

					(B) in subparagraph (A), by striking “502(e)” and inserting “502(g)”; and

				(2) in section 509(3)(D) (15 U.S.C. 6809(3)(D)), by striking “502(e)(1)(C)” and

			 inserting “502(g)(1)(A)(iii)”.

				305. Regulatory authority. Not later than 6

			 months after the date of enactment of this Act, the agencies referred to in

			 section 504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) shall

			 promulgate final regulations in accordance with that section 504 to carry out

			 the amendments made by this Act.

			306. Effective Date. This title and the

			 amendments made by this title shall take effect 6 months after the date of

			 enactment of this Act.

			IV. Limitations on the provision of protected health information

			401. Definitions. In this title:

				(1) Business associate

					(A) In general. Except as provided in subparagraph (B), the term

			 “business associate” means, with respect to a covered entity, a

			 person who—

						(i)on

			 behalf of such covered entity or of an organized health care arrangement in

			 which the covered entity participates, but other than in the capacity of a

			 member of the workforce of such covered entity or arrangement, performs, or

			 assists in the performance of—

							(I)a function or

			 activity involving the use or disclosure of individually identifiable health

			 information, including claims processing or administration, data analysis,

			 processing or administration, utilization review, quality assurance, billing,

			 benefit management, practice management, and repricing; or

							(II)any other

			 function or activity regulated under subchapter C of title 45, Code of Federal

			 Regulations; or

							(ii)provides, other

			 than in the capacity of a member of the workforce of such covered entity,

			 legal, actuarial, accounting, consulting, data aggregation (as defined in

			 section 164.501 of title 45, Code of Federal Regulations), management,

			 administrative, accreditation, or financial services to or for such covered

			 entity, or to or for an organized health care arrangement in which the covered

			 entity participates, where the provision of the service involves the disclosure

			 of individually identifiable health information from such covered entity or

			 arrangement, or from another business associate of such covered entity or

			 arrangement, to the person.

						(B) Limitations

						(i) In general. A covered entity participating in an organized health

			 care arrangement that performs a function or activity as described by

			 subparagraph (A)(i) for or on behalf of such organized health care arrangement,

			 or that provides a service as described in subparagraph (A)(ii) to or for such

			 organized health care arrangement, does not, simply through the performance of

			 such function or activity or the provision of such service, become a business

			 associate of other covered entities participating in such organized health care

			 arrangement.

						(ii) Limitation. A

			 covered entity may be a business associate of another covered entity.

						(2) Covered entity. The term “covered entity” means—

					(A)a health

			 plan;

					(B)a health care

			 clearinghouse; and

					(C)a health care

			 provider who transmits any health information in electronic form in connection

			 with a transaction covered by parts 160 through 164 of title 45, Code of

			 Federal Regulations.

					(3) Disclosure. The term “disclosure” means the release, transfer, provision of access

			 to, or divulging in any other manner of information outside the entity holding

			 the information.

				(4) Employer. The term “employer” has the meaning given that term in section 3401(d)

			 of the Internal Revenue Code of 1986.

				(5) Group health plan. The term “group health plan” means an employee

			 welfare benefit plan (as defined in section 3(1) of the Employee Retirement

			 Income and Security Act of 1974 (29 U.S.C. 1002(1)), including

			 insured and self-insured plans, to the extent that the plan provides medical

			 care (as defined in section 2791(a)(2) of the Public Health Service Act,

			 42 U.S.C. 300gg–91(a)(2)), including items and services paid for as

			 medical care, to employees or their dependents directly or through insurance,

			 reimbursement, or otherwise, that—

					(A)has 50 or more

			 participants (as defined in section 3(7) of Employee Retirement Income and

			 Security Act of 1974, 29 U.S.C. 1002(7)); or

					(B)is administered

			 by an entity other than the employer that established and maintains the

			 plan.

					(6) Health care. The term “health care” includes, but is not

			 limited to, the following:

					(A)Preventive,

			 diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and

			 counseling, service, assessment, or procedure with respect to the physical or

			 mental condition, or functional status, of an individual or that affects the

			 structure or function of the body.

					(B)The sale or

			 dispensing of a drug, device, equipment, or other item in accordance with a

			 prescription.

					(7) Health care clearinghouse. The term “health care clearinghouse”

			 means a public or private entity, including a billing service, repricing

			 company, community health management information system or community health

			 information system, and value-added networks and switches, that—

					(A)processes or

			 facilitates the processing of health information received from another entity

			 in a nonstandard format or containing nonstandard data content into standard

			 data elements or a standard transaction; or

					(B)receives a

			 standard transaction from another entity and processes or facilitates the

			 processing of health information into nonstandard format or nonstandard data

			 content for the receiving entity.

					(8) Health care provider. The term “health care provider” has the

			 meaning given the terms “provider of services” and “provider of

			 medical or health services” in subsections (u) and (s) of section 1861 of

			 the Social Security Act (42 U.S.C. 1395x), respectively, and includes any other person or

			 organization who furnishes, bills, or is paid for health care in the normal

			 course of business.

				(9) Health information. The term “health information” means any

			 information, whether oral or recorded in any form or medium, that—

					(A)is created or

			 received by a health care provider, health plan, public health authority,

			 employer, life insurer, school or university, or health care clearinghouse;

			 and

					(B)relates to the

			 past, present, or future physical or mental health or condition of an

			 individual; the provision of health care to an individual; or the past,

			 present, or future payment for the provision of health care to an

			 individual.

					(10) Health insurance issuer. The term “health insurance issuer”

			 means a health insurance issuer (as defined in section 2791(b)(2) of the

			 Public Health Service Act, 42 U.S.C. 300gg–91(b)(2)) and used in the

			 definition of health plan in

			 this section and includes an insurance company, insurance service, or insurance

			 organization (including an HMO) that is licensed to engage in the business of

			 insurance in a State and is subject to State law that regulates insurance. Such

			 term does not include a group health plan.

				(11) Health maintenance organization. The term “health maintenance

			 organization” (HMO) (as defined in section 2791(b)(3) of the

			 Public Health Service Act, 42 U.S.C. 300gg–91(b)(3)) and used in the

			 definition of health plan in

			 this section, means a federally qualified HMO, an organization recognized as an

			 HMO under State law, or a similar organization regulated for solvency under

			 State law in the same manner and to the same extent as such an HMO.

				(12) Health oversight agency. The term “health oversight agency”

			 means an agency or authority of the United States, a State, a territory, a

			 political subdivision of a State or territory, or an Indian tribe, or a person

			 or entity acting under a grant of authority from or contract with such public

			 agency, including the employees or agents of such public agency or its

			 contractors or persons or entities to whom it has granted authority, that is

			 authorized by law to oversee the health care system (whether public or private)

			 or government programs in which health information is necessary to determine

			 eligibility or compliance, or to enforce civil rights laws for which health

			 information is relevant.

				(13) Health plan. The term “health plan” means an individual or

			 group plan that provides, or pays the cost of, medical care, as defined in

			 section 2791(a)(2) of the Public Health Service Act (42 U.S.C. 300gg–91(a)(2))—

					(A)including, singly

			 or in combination—

						(i)a

			 group health plan;

						(ii)a

			 health insurance issuer;

						(iii)an HMO;

						(iv)part A or B of

			 the medicare program under title XVIII of the Social Security Act (42 U.S.C. 1395 et

			 seq.);

						(v)the

			 medicaid program under title XIX of the Social

			 Security Act (42 U.S.C. 1396 et seq.);

						(vi)an

			 issuer of a medicare supplemental policy (as defined in section 1882(g)(1)

			 of the Social Security Act, 42 U.S.C. 1395ss(g)(1));

						(vii)an issuer of a

			 long-term care policy, excluding a nursing home fixed-indemnity policy;

						(viii)an employee

			 welfare benefit plan or any other arrangement that is established or maintained

			 for the purpose of offering or providing health benefits to the employees of 2

			 or more employers;

						(ix)the health care

			 program for active military personnel under title 10, United States

			 Code;

						(x)the

			 veterans health care program under chapter 17 of title 38, United States

			 Code;

						(xi)the Civilian

			 Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in

			 section 1072(4) of title 10, United States Code);

						(xii)the Indian

			 Health Service program under the Indian Health

			 Care Improvement Act (25 U.S.C. 1601 et seq.);

						(xiii)the Federal

			 Employees Health Benefits Program under chapter 89 of title 5, United States

			 Code;

						(xiv)an approved

			 State child health plan under title XXI of the Social Security Act (42 U.S.C. 1397aa

			 et seq.), providing benefits for child health assistance that meet the

			 requirements of section 2103 of such Act (42 U.S.C. 1397cc);

						(xv)the

			 Medicare+Choice program under part C of title XVIII of the

			 Social Security Act (42 U.S.C.

			 1395w–21 et seq.);

						(xvi)a

			 high risk pool that is a mechanism established under State law to provide

			 health insurance coverage or comparable coverage to eligible individuals;

			 and

						(xvii)any other

			 individual or group plan, or combination of individual or group plans, that

			 provides or pays for the cost of medical care (as defined in section 2791(a)(2)

			 of the Public Health Service Act (42 U.S.C. 300gg–91(a)(2)); and

						(B)excluding—

						(i)any

			 policy, plan, or program to the extent that it provides, or pays for the cost

			 of, excepted benefits that are listed in section 2791(c)(1) of the

			 Public Health Service Act (42 U.S.C. 300gg–91(c)(1)); and

						(ii)a

			 government-funded program (other than 1 listed in clause (i) through (xvi) of

			 subparagraph (A)), whose principal purpose is other than providing, or paying

			 the cost of, health care, or whose principal activity is the direct provision

			 of health care to persons, or the making of grants to fund the direct provision

			 of health care to persons.

						(14) Individually identifiable health information. The term “individually

			 identifiable health information” means information that is a subset of

			 health information, including demographic information collected from an

			 individual, that—

					(A)is created or

			 received by a covered entity or employer; and

					(B)(i)relates to the past,

			 present, or future physical or mental health or condition of an individual, the

			 provision of health care to an individual, or the past, present, or future

			 payment for the provision of health care to an individual; and

						(ii)(I)identifies an

			 individual; or

							(II)with respect to which there is a

			 reasonable basis to believe that the information can be used to identify an

			 individual.

							(15) Law enforcement official. The term “law enforcement

			 official” means an officer or employee of any agency or authority of the

			 United States, a State, a territory, a political subdivision of a State or

			 territory, or an Indian tribe, who is empowered by law to—

					(A)investigate or

			 conduct an official inquiry into a potential violation of law; or

					(B)prosecute or

			 otherwise conduct a criminal, civil, or administrative proceeding arising from

			 an alleged violation of law.

					(16) Life insurer. The term “life insurer” means a life insurance

			 company (as defined in section 816 of the Internal Revenue Code of 1986),

			 including the employees and agents of such company.

				(17) Marketing. The term “marketing” means to make a communication about a product or

			 service that encourages recipients of the communication to purchase or use the

			 product or service.

				(18) Noncovered entity. The term “noncovered entity” means any person

			 or public or private entity that is not a covered entity, including but not

			 limited to a business associate of a covered entity, a covered entity if such

			 covered entity is acting as a business associate, a health researcher, school

			 or university, life insurer, employer, public health authority, health

			 oversight agency, or law enforcement official, or any person acting as an agent

			 of such entities or persons.

				(19) Organized health care arrangement. The term “organized health care

			 arrangement” means—

					(A)a clinically

			 integrated care setting in which individuals typically receive health care from

			 more than 1 health care provider;

					(B)an organized

			 system of health care in which more than 1 covered entity participates, and in

			 which the participating covered entities—

						(i)hold themselves

			 out to the public as participating in a joint arrangement; and

						(ii)participate in

			 joint activities including at least—

							(I)utilization

			 review, in which health care decisions by participating covered entities are

			 reviewed by other participating covered entities or by a third party on their

			 behalf;

							(II)quality

			 assessment and improvement activities, in which treatment provided by

			 participating covered entities is assessed by other participating covered

			 entities or by a third party on their behalf; or

							(III)payment

			 activities, if the financial risk for delivering health care is shared, in part

			 or in whole, by participating covered entities through the joint arrangement

			 and if protected health information created or received by a covered entity is

			 reviewed by other participating covered entities or by a third party on their

			 behalf for the purpose of administering the sharing of financial risk;

							(C)a group health

			 plan and a health insurance issuer or HMO with respect to such group health

			 plan, but only with respect to protected health information created or received

			 by such health insurance issuer or HMO that relates to individuals who are or

			 who have been participants or beneficiaries in such group health plan;

					(D)a group health

			 plan and 1 or more other group health plans each of which are maintained by the

			 same plan sponsor; or

					(E)the group health

			 plans described in subparagraph (D) and health insurance issuers or HMOs with

			 respect to such group health plans, but only with respect to protected health

			 information created or received by such health insurance issuers or HMOs that

			 relates to individuals who are or have been participants or beneficiaries in

			 any of such group health plans.

					(20) Protected health information

					(A) In general. The term “protected health information” means

			 individually identifiable health information that, except as provided in

			 subparagraph (B), is—

						(i)transmitted by

			 electronic media;

						(ii)maintained in

			 any medium described in the definition of electronic media in section 162.103

			 of title 45, Code of Federal Regulations; or

						(iii)transmitted or

			 maintained in any other form or medium.

						(B) Exclusions. Such

			 term does not include individually identifiable health information in—

						(i)education records

			 covered by the Family Educational Rights and Privacy Act of 1974 (section 444

			 of the General Education Provisions Act (20 U.S.C. 1232g));

						(ii)records

			 described in subsection (a)(4)(B)(iv) of that Act; or

						(iii)employment

			 records held by a covered entity in its role as an employer.

						(21) Public health authority. The term “public health authority” means an

			 agency or authority of the United States, a State, a territory, a political

			 subdivision of a State or territory, or an Indian tribe, or a person or entity

			 acting under a grant of authority from or contract with such public agency,

			 including employees or agents of such public agency or its contractors or

			 persons or entities to whom it has granted authority, that is responsible for

			 public health matters as part of its official mandate.

				(22) School or university. The term “school or university” means an

			 institution or place for instruction or education, including an elementary

			 school, secondary school, or institution of higher learning, a college, or an

			 assemblage of colleges united under 1 corporate organization or

			 government.

				(23) Secretary. The term “Secretary” means the Secretary of Health and Human

			 Services.

				(24) Sale; sell; sold. The terms “sale”, “sell”, and

			 “sold”, with respect to protected health information, mean the

			 exchange of such information for anything of value, directly or indirectly,

			 including the licensing, bartering, or renting of such information.

				(25) Use. The term “use” means, with respect to individually identifiable health

			 information, the sharing, employment, application, utilization, examination, or

			 analysis of such information within an entity that maintains such

			 information.

				(26) Writing. The term “writing” means writing in either a paper-based or

			 computer-based form, including electronic and digital signatures.

				402. Prohibition against selling protected health information

				(a) Valid authorization required

					(1) In general. A noncovered entity shall not sell the protected health

			 information of an individual or use such information for marketing purposes

			 without an authorization that is valid under section 403. When a noncovered

			 entity obtains or receives authorization to sell such information, such sale

			 must be consistent with such authorization.

					(2) No duplicate authorization required. Nothing in paragraph (1) shall be

			 construed as requiring a noncovered entity that receives from a covered entity

			 an authorization that is valid under section 403 to obtain a separate

			 authorization from an individual before the sale or use of the individual’s

			 protected health information so long as the sale or use of the information is

			 consistent with the terms of the authorization.

					(b) Scope. A

			 sale of protected health information as described under subsection (a) shall be

			 limited to the minimum amount of information necessary to accomplish the

			 purpose for which the sale is made.

				(c) Purpose. A

			 recipient of information sold pursuant to this title may use or disclose such

			 information solely to carry out the purpose for which the information was

			 sold.

				(d) Not required. Nothing in this title permitting the sale of protected

			 health information shall be construed to require such sale.

				(e) Identification of information as protected health information. Information sold

			 pursuant to this title shall be clearly identified as protected health

			 information.

				(f) No waiver. Except as provided in this title, an individual’s

			 authorization to sell protected health information shall not be construed as a

			 waiver of any rights that the individual has under other Federal or State laws,

			 the rules of evidence, or common law.

				403. Authorization for sale or marketing of protected health information by noncovered entities

				(a) Valid authorization. A valid authorization is a document that complies

			 with all requirements of this section. Such authorization may include

			 additional information not required under this section, provided that such

			 information is not inconsistent with the requirements of this section.

				(b) Defective authorization. An authorization is not valid, if the document

			 submitted has any of the following defects:

					(1)The expiration

			 date has passed or the expiration event is known by the noncovered entity to

			 have occurred.

					(2)The authorization

			 has not been filled out completely, with respect to an element described in

			 subsections (e) and (f).

					(3)The authorization

			 is known by the noncovered entity to have been revoked.

					(4)The authorization

			 lacks an element required by subsections (e) and (f).

					(5)Any material

			 information in the authorization is known by the noncovered entity to be

			 false.

					(c) Revocation of authorization. An individual may revoke an authorization provided

			 under this section at any time provided that the revocation is in writing,

			 except to the extent that the noncovered entity has taken action in reliance

			 thereon.

				(d) Documentation

					(1) In general. A noncovered entity must document and retain any signed

			 authorization under this section as required under paragraph (2).

					(2) Standard. A

			 noncovered entity shall, if a communication is required by this title to be in

			 writing, maintain such writing, or an electronic copy, as documentation.

					(3) Retention period. A noncovered entity shall retain the documentation

			 required by this section for 6 years from the date of its creation or the date

			 when it last was in effect, whichever is later.

					(e) Content of authorization

					(1) Content. An

			 authorization described in subsection (a) shall—

						(A)contain a

			 description of the information to be sold that identifies such information in a

			 specific and meaningful manner;

						(B)contain the name

			 or other specific identification of the person, or class of persons, authorized

			 to sell the information;

						(C)contain the name

			 or other specific identification of the person, or class of persons, to whom

			 the information is to be sold;

						(D)include an

			 expiration date or an expiration event relating to the selling of such

			 information that signifies that the authorization is valid until such date or

			 event;

						(E)include a

			 statement that the individual has a right to revoke the authorization in

			 writing and the exceptions to the right to revoke, and a description of the

			 procedure involved in such revocation;

						(F)be in writing and

			 include the signature of the individual and the date, or if the authorization

			 is signed by a personal representative of the individual, a description of such

			 representative’s authority to act for the individual; and

						(G)include a

			 statement explaining the purpose for which such information is sold.

						(2) Plain language. The authorization shall be written in plain

			 language.

					(f) Notice

					(1) In general. The authorization shall include a statement that the

			 individual may—

						(A)inspect or copy

			 the protected health information to be sold; and

						(B)refuse to sign

			 the authorization.

						(2) Copy to the individual. A noncovered entity shall provide the individual with

			 a copy of the signed authorization.

					(g) Model authorizations. The Secretary, after notice and opportunity for

			 public comment, shall develop and disseminate model written authorizations of

			 the type described in this section and model statements of the limitations on

			 such authorizations. Any authorization obtained on a model authorization form

			 developed by the Secretary pursuant to the preceding sentence shall be deemed

			 to satisfy the requirements of this section.

				(h) Noncoercion. A

			 covered entity or noncovered entity shall not condition the purchase of a

			 product or the provision of a service to an individual based on whether such

			 individual provides an authorization to such entity as described in this

			 section.

				404. Prohibition against retaliation. A

			 noncovered entity that collects protected health information, may not adversely

			 affect another person, directly or indirectly, because such person has

			 exercised a right under this title, disclosed information relating to a

			 possible violation of this title, or associated with, or assisted, a person in

			 the exercise of a right under this title.

			405. Rule of construction. The requirements

			 of this title shall not be construed to impose any additional requirements or

			 in any way alter the requirements imposed upon covered entities under parts 160

			 through 164 of title 45, Code of Federal Regulations.

			406. Regulations

				(a) In general. The Secretary shall promulgate regulations implementing

			 the provisions of this title.

				(b) Timeframe. Not

			 later than 1 year after the date of enactment of this Act, the Secretary shall

			 publish proposed regulations in the Federal Register. With regard to such

			 proposed regulations, the Secretary shall provide an opportunity for submission

			 of comments by interested persons during a period of not less than 90 days. Not

			 later than 2 years after the date of enactment of this Act, the Secretary shall

			 publish final regulations in the Federal Register.

				407. Enforcement

				(a) In general. A covered entity or noncovered entity that knowingly

			 violates section 402 shall be subject to a civil money penalty under this

			 section.

				(b) Amount. The

			 civil money penalty described in subsection (a) shall not exceed $100,000. In

			 determining the amount of any penalty to be assessed, the Secretary shall take

			 into account the previous record of compliance of the entity being assessed

			 with the applicable provisions of this title and the gravity of the

			 violation.

				(c) Administrative review

					(1) Opportunity for hearing. The entity assessed shall be afforded an opportunity for

			 a hearing by the Secretary upon request made within 30 days after the date of

			 the issuance of a notice of assessment. In such hearing the decision shall be

			 made on the record pursuant to section 554 of title 5, United States Code. If

			 no hearing is requested, the assessment shall constitute a final and

			 unappealable order.

					(2) Hearing procedure. If a hearing is requested, the initial agency decision

			 shall be made by an administrative law judge, and such decision shall become

			 the final order unless the Secretary modifies or vacates the decision. Notice

			 of intent to modify or vacate the decision of the administrative law judge

			 shall be issued to the parties within 30 days after the date of the decision of

			 the judge. A final order which takes effect under this paragraph shall be

			 subject to review only as provided under subsection (d).

				(d) Judicial review

					(1) Filing of action for review. Any entity against whom an order imposing a

			 civil money penalty has been entered after an agency hearing under this section

			 may obtain review by the United States district court for any district in which

			 such entity is located or the United States District Court for the District of

			 Columbia by filing a notice of appeal in such court within 30 days from the

			 date of such order, and simultaneously sending a copy of such notice by

			 registered mail to the Secretary.

					(2) Certification of administrative record. The Secretary shall promptly certify and

			 file in such court the record upon which the penalty was imposed.

					(3) Standard for review. The findings of the Secretary shall be set aside only if

			 found to be unsupported by substantial evidence as provided by section

			 706(2)(E) of title 5, United States Code.

					(4) Appeal. Any

			 final decision, order, or judgment of the district court concerning such review

			 shall be subject to appeal as provided in chapter 83 of title 28 of such

			 Code.

				(e) Failure to pay assessment; maintenance of action

					(1) Failure to pay assessment. If any entity fails to pay an assessment after it has

			 become a final and unappealable order, or after the court has entered final

			 judgment in favor of the Secretary, the Secretary shall refer the matter to the

			 Attorney General who shall recover the amount assessed by action in the

			 appropriate United States district court.

					(2) Nonreviewability. In

			 such action the validity and appropriateness of the final order imposing the

			 penalty shall not be subject to review.

				(f) Payment of penalties. Except as otherwise provided, penalties collected under

			 this section shall be paid to the Secretary (or other officer) imposing the

			 penalty and shall be available without appropriation and until expended for the

			 purpose of enforcing the provisions with respect to which the penalty was

			 imposed.

			Title V. Driver’s license privacy

			501. Driver’s license privacy. Section 2725

			 of title 18, United States Code, is amended by striking paragraphs (2) through

			 (4) and adding the following:

				

					(2) “person”

				means an individual, organization, or entity, but does not include a State or

				agency thereof;

					(3) “personal information” means information that identifies an individual, including

				an individual’s photograph, social security number, driver identification

				number, name, address (but not the 5-digit zip code), telephone number, medical

				or disability information, any physical copy of a driver’s license, birth date,

				information on physical characteristics, including height, weight, sex or eye

				color, or any biometric identifiers on a license, including a finger print, but

				not information on vehicular accidents, driving violations, and driver’s

				status;

					(4) “highly restricted personal information” means an individual’s photograph or

				image, social security number, medical or disability information, any physical

				copy of a driver’s license, driver identification number, birth date,

				information on physical characteristics, including height, weight, sex, or eye

				color, or any biometric identifiers on a license, including a finger print;

				and.

			Title VI. Miscellaneous

			601. Enforcement by State Attorneys General

				(a) In general

					(1) Civil actions. In any case in which the attorney general of a State has

			 reason to believe that an interest of the residents of that State has been or

			 is threatened or adversely affected by the engagement of any person in a

			 practice that is prohibited under title I, II, or IV of this Act or under any

			 amendment made by such a title, the State, as parens patriae, may bring a civil

			 action on behalf of the residents of the State in a district court of the

			 United States of appropriate jurisdiction to—

						(A) enjoin that practice;

						(B) enforce compliance with such titles or such amendments;

						(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

						(D) obtain such other relief as the court may consider to be appropriate.

					(2) Notice

						(A) In general. Before filing an action under paragraph (1), the attorney

			 general of the State involved shall provide to the Attorney General—

							(i) written notice of the action; and

							(ii) a copy of the complaint for the action.

						(B) Exemption

							(i) In general. Subparagraph (A) shall not apply with respect to the

			 filing of an action by an attorney general of a State under this subsection, if

			 the State attorney general determines that it is not feasible to provide the

			 notice described in such subparagraph before the filing of the action.

							(ii) Notification. In

			 an action described in clause (i), the attorney general of a State shall

			 provide notice and a copy of the complaint to the Attorney General at the same

			 time as the State attorney general files the action.

				(b) Intervention

					(1) In general. On receiving notice under subsection (a)(2), the Attorney

			 General shall have the right to intervene in the action that is the subject of

			 the notice.

					(2) Effect of intervention. If the Attorney General intervenes in an action

			 under subsection (a), the Attorney General shall have the right to be heard

			 with respect to any matter that arises in that action.

				(c) Construction. For

			 purposes of bringing any civil action under subsection (a), nothing in this Act

			 shall be construed to prevent an attorney general of a State from exercising

			 the powers conferred on such attorney general by the laws of that State

			 to—

					(1) conduct investigations;

					(2) administer oaths or affirmations; or

					(3) compel the attendance of witnesses or the production of documentary and other evidence.

				(d) Actions by the Attorney General of the United States. In any case in which an

			 action is instituted by or on behalf of the Attorney General for violation of a

			 practice that is prohibited under title I, II, IV, or V of this Act or under

			 any amendment made by such a title, no State may, during the pendency of that

			 action, institute an action under subsection (a) against any defendant named in

			 the complaint in that action for violation of that practice.

				(e) Venue; service of process

					(1) Venue. Any

			 action brought under subsection (a) may be brought in the district court of the

			 United States that meets applicable requirements relating to venue under

			 section 1391 of title 28, United States Code.

					(2) Service of process. In an action brought under subsection (a), process may be

			 served in any district in which the defendant—

						(A) is an inhabitant; or

						(B) may be found.

			602. Federal injunctive authority. In

			 addition to any other enforcement authority conferred under this Act or under

			 an amendment made by this Act, the Federal Government shall have injunctive

			 authority with respect to any violation of any provision of title I, II, or IV

			 of this Act or of any amendment made by such a title, without regard to whether

			 a public or private entity violates such provision.

			

