[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 964 Reported in House (RH)]






                                                 Union Calendar No. 101
110th CONGRESS
  1st Session
                                H. R. 964

                          [Report No. 110-169]

 To protect users of the Internet from unknowing transmission of their 
 personally identifiable information through spyware programs, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            February 8, 2007

 Mr. Towns (for himself, Mrs. Bono, Mr. Dingell, Mr. Barton of Texas, 
  Mr. Rush, Mr. Stearns, Mr. Markey, Ms. Schakowsky, Mr. Boucher, Mr. 
 Gordon of Tennessee, Ms. Eshoo, Mr. Stupak, Mr. Gene Green of Texas, 
   Ms. DeGette, Mrs. Capps, Mr. Doyle, Ms. Solis, Mr. Gonzalez, Mr. 
  Inslee, Ms. Hooley, Mr. Weiner, Mr. Matheson, Mr. Butterfield, Mr. 
 Hastert, Mr. Radanovich, Mr. Terry, Mrs. Myrick, Mr. Burgess, and Mr. 
    Engel) introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

                              May 24, 2007

 Additional sponsors: Mr. Upton, Mrs. Cubin, Mr. McCaul of Texas, Mr. 
   McCotter, Mr. Farr, Mr. McHugh, Mr. McNerney, Mr. Price of North 
Carolina, Ms. Watson, Mr. Moore of Kansas, Mr. Buyer, Mr. Fossella, and 
                              Mr. Calvert

                              May 24, 2007

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           February 8, 2007]

_______________________________________________________________________

                                 A BILL


 
 To protect users of the Internet from unknowing transmission of their 
 personally identifiable information through spyware programs, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securely Protect Yourself Against 
Cyber Trespass Act'' or the ``Spy Act''.

SEC. 2. PROHIBITION OF UNFAIR OR DECEPTIVE ACTS OR PRACTICES RELATING 
              TO SPYWARE.

    (a) Prohibition.--It is unlawful for any person, who is not the 
owner or authorized user of a protected computer, to engage in unfair 
or deceptive acts or practices that involve any of the following 
conduct with respect to the protected computer:
            (1) Taking control of the computer by--
                    (A) utilizing such computer to send unsolicited 
                information or material from the computer to others;
                    (B) diverting the Internet browser of the computer, 
                or similar program of the computer used to access and 
                navigate the Internet--
                            (i) without authorization of the owner or 
                        authorized user of the computer; and
                            (ii) away from the site the user intended 
                        to view, to one or more other Web pages, such 
                        that the user is prevented from viewing the 
                        content at the intended Web page, unless such 
                        diverting is otherwise authorized;
                    (C) accessing, hijacking, or otherwise using the 
                modem, or Internet connection or service, for the 
                computer and thereby causing damage to the computer or 
                causing the owner or authorized user or a third party 
                defrauded by such conduct to incur charges or other 
                costs for a service that is not authorized by such 
                owner or authorized user;
                    (D) using the computer as part of an activity 
                performed by a group of computers that causes damage to 
                another computer; or
                    (E) delivering advertisements or a series of 
                advertisements that a user of the computer cannot close 
                or terminate without undue effort or knowledge by the 
                user or without turning off the computer or closing all 
                sessions of the Internet browser for the computer.
            (2) Modifying settings related to use of the computer or to 
        the computer's access to or use of the Internet by altering--
                    (A) the Web page that appears when the owner or 
                authorized user launches an Internet browser or similar 
                program used to access and navigate the Internet;
                    (B) the default provider used to access or search 
                the Internet, or other existing Internet connections 
                settings;
                    (C) a list of bookmarks used by the computer to 
                access Web pages; or
                    (D) security or other settings of the computer that 
                protect information about the owner or authorized user 
                for the purposes of causing damage or harm to the 
                computer or owner or user.
            (3) Collecting personally identifiable information through 
        the use of a keystroke logging function.
            (4) Inducing the owner or authorized user of the computer 
        to disclose personally identifiable information by means of a 
        Web page that--
                    (A) is substantially similar to a Web page 
                established or provided by another person; and
                    (B) misleads the owner or authorized user that such 
                Web page is provided by such other person.
            (5) Inducing the owner or authorized user to install a 
        component of computer software onto the computer, or preventing 
        reasonable efforts to block the installation or execution of, 
        or to disable, a component of computer software by--
                    (A) presenting the owner or authorized user with an 
                option to decline installation of such a component such 
                that, when the option is selected by the owner or 
                authorized user or when the owner or authorized user 
                reasonably attempts to decline the installation, the 
                installation nevertheless proceeds; or
                    (B) causing such a component that the owner or 
                authorized user has properly removed or disabled to 
                automatically reinstall or reactivate on the computer.
            (6) Misrepresenting that installing a separate component of 
        computer software or providing log-in and password information 
        is necessary for security or privacy reasons, or that 
        installing a separate component of computer software is 
        necessary to open, view, or play a particular type of content.
            (7) Inducing the owner or authorized user to install or 
        execute computer software by misrepresenting the identity or 
        authority of the person or entity providing the computer 
        software to the owner or user.
            (8) Inducing the owner or authorized user to provide 
        personally identifiable, password, or account information to 
        another person--
                    (A) by misrepresenting the identity of the person 
                seeking the information; or
                    (B) without the authority of the intended recipient 
                of the information.
            (9) Removing, disabling, or rendering inoperative a 
        security, anti-spyware, or anti-virus technology installed on 
        the computer.
            (10) Installing or executing on the computer one or more 
        additional components of computer software with the intent of 
        causing a person to use such components in a way that violates 
        any other provision of this section.
    (b) Guidance.--The Commission shall issue guidance regarding 
compliance with and violations of this section. This subsection shall 
take effect upon the date of the enactment of this Act.
    (c) Effective Date.--Except as provided in subsection (b), this 
section shall take effect upon the expiration of the 6-month period 
that begins on the date of the enactment of this Act.

SEC. 3. PROHIBITION OF COLLECTION OF CERTAIN INFORMATION WITHOUT NOTICE 
              AND CONSENT.

    (a) Opt-In Requirement.--Except as provided in subsection (e), it 
is unlawful for any person--
            (1) to transmit to a protected computer, which is not owned 
        by such person and for which such person is not an authorized 
        user, any information collection program, unless--
                    (A) such information collection program provides 
                notice in accordance with subsection (c) before 
                downloading or installing any of the information 
                collection program; and
                    (B) such information collection program includes 
                the functions required under subsection (d); or
            (2) to execute any information collection program installed 
        on such a protected computer unless--
                    (A) before execution of any of the information 
                collection functions of the program, the owner or an 
                authorized user of the protected computer has consented 
                to such execution pursuant to notice in accordance with 
                subsection (c); and
                    (B) such information collection program includes 
                the functions required under subsection (d).
    (b) Information Collection Program.--
            (1) In general.--For purposes of this section, the term 
        ``information collection program'' means computer software that 
        performs either of the following functions:
                    (A) Collection of personally identifiable 
                information.--The computer software--
                            (i) collects personally identifiable 
                        information; and
                            (ii)(I) sends such information to a person 
                        other than the owner or authorized user of the 
                        computer, or
                            (II) uses such information to deliver 
                        advertising to, or display advertising on, the 
                        computer.
                    (B) Collection of information regarding internet 
                activity to deliver advertising.--The computer 
                software--
                            (i) collects information regarding the 
                        user's Internet activity using the computer; 
                        and
                            (ii) uses such information to deliver 
                        advertising to, or display advertising on, the 
                        computer.
            (2) Exception for software collecting information regarding 
        internet activity within a particular web site.--Computer 
        software that otherwise would be considered an information 
        collection program by reason of paragraph (1)(B) shall not be 
        considered such a program if--
                    (A) the only information collected by the software 
                regarding the user's internet activity, and used to 
                deliver advertising to, or display advertising on, the 
                protected computer, is--
                            (i) information regarding Web pages within 
                        a particular Web site; or
                            (ii) in the case of any Internet-based 
                        search function, user-supplied search terms 
                        necessary to complete the search and return 
                        results to the user;
                    (B) such information collected is not sent to a 
                person other than--
                            (i) the provider of the Web site accessed 
                        or Internet-based search function; or
                            (ii) a party authorized to facilitate the 
                        display or functionality of Web pages within 
                        the Web site accessed; and
                    (C) the only advertising delivered to or displayed 
                on the computer using such information is advertising 
                on Web pages within that particular Web site.
    (c) Notice and Consent.--
            (1) In general.--Notice in accordance with this subsection 
        with respect to an information collection program is clear and 
        conspicuous notice in plain language, set forth as the 
        Commission shall provide, that meets all of the following 
        requirements:
                    (A) The notice clearly distinguishes a statement 
                required under subparagraph (B) from any other 
                information visually presented contemporaneously on the 
                computer.
                    (B) The notice contains one of the following 
                statements, as applicable, or a substantially similar 
                statement:
                            (i) With respect to an information 
                        collection program described in subsection 
                        (b)(1)(A): ``This program will collect and 
                        transmit information about you. Do you 
                        accept?''.
                            (ii) With respect to an information 
                        collection program described in subsection 
                        (b)(1)(B): ``This program will collect 
                        information about Web pages you access and will 
                        use that information to display advertising on 
                        your computer. Do you accept?''.
                            (iii) With respect to an information 
                        collection program that performs the actions 
                        described in both subparagraphs (A) and (B) of 
                        subsection (b)(1): ``This program will collect 
                        and transmit information about you and will 
                        collect information about Web pages you access 
                        and use that information to display advertising 
                        on your computer. Do you accept?''.
                    (C) The notice provides for the user--
                            (i) to grant or deny consent referred to in 
                        subsection (a) by selecting an option to grant 
                        or deny such consent; and
                            (ii) to abandon or cancel the transmission 
                        or execution referred to in subsection (a) 
                        without granting or denying such consent.
                    (D) The notice provides an option for the user to 
                select to display on the computer, before granting or 
                denying consent using the option required under 
                subparagraph (C), a clear description of--
                            (i) the types of information to be 
                        collected and sent (if any) by the information 
                        collection program;
                            (ii) the purpose for which such information 
                        is to be collected and sent; and
                            (iii) in the case of an information 
                        collection program that first executes any of 
                        the information collection functions of the 
                        program together with the first execution of 
                        other computer software, the identity of any 
                        such software that is an information collection 
                        program.
                    (E) The notice provides for concurrent display of 
                the information required under subparagraphs (B) and 
                (C) and the option required under subparagraph (D) 
                until the user--
                            (i) grants or denies consent using the 
                        option required under subparagraph (C)(i);
                            (ii) abandons or cancels the transmission 
                        or execution pursuant to subparagraph (C)(ii); 
                        or
                            (iii) selects the option required under 
                        subparagraph (D).
            (2) Single notice.--The Commission shall provide that, in 
        the case in which multiple information collection programs are 
        provided to the protected computer together, or as part of a 
        suite of functionally related software, the notice requirements 
        of paragraphs (1)(A) and (2)(A) of subsection (a) may be met by 
        providing, before execution of any of the information 
        collection functions of the programs, clear and conspicuous 
        notice in plain language in accordance with paragraph (1) of 
        this subsection by means of a single notice that applies to all 
        such information collection programs, except that such notice 
        shall provide the option under subparagraph (D) of paragraph 
        (1) of this subsection with respect to each such information 
        collection program.
            (3) Change in information collection.--If an owner or 
        authorized user has granted consent to execution of an 
        information collection program pursuant to a notice in 
        accordance with this subsection:
                    (A) In general.--No subsequent such notice is 
                required, except as provided in subparagraph (B).
                    (B) Subsequent notice.--The person who transmitted 
                the program shall provide another notice in accordance 
                with this subsection and obtain consent before such 
                program may be used to collect or send information of a 
                type or for a purpose that is materially different 
                from, and outside the scope of, the type or purpose set 
                forth in the initial or any previous notice.
            (4) Regulations.--The Commission shall issue regulations to 
        carry out this subsection.
    (d) Required Functions.--The functions required under this 
subsection to be included in an information collection program that 
executes any information collection functions with respect to a 
protected computer are as follows:
            (1) Disabling function.--With respect to any information 
        collection program, a function of the program that allows a 
        user of the program to remove the program or disable operation 
        of the program with respect to such protected computer by a 
        function that--
                    (A) is easily identifiable to a user of the 
                computer; and
                    (B) can be performed without undue effort or 
                knowledge by the user of the protected computer.
            (2) Identity function.--
                    (A) In general.--With respect only to an 
                information collection program that uses information 
                collected in the manner described in subparagraph 
                (A)(ii)(II) or (B)(ii) of subsection (b)(1) and subject 
                to subparagraph (B) of this paragraph, a function of 
                the program that provides that each display of an 
                advertisement directed or displayed using such 
                information, when the owner or authorized user is 
                accessing a Web page or online location other than of 
                the provider of the computer software, is accompanied 
                by the name of the information collection program, a 
                logogram or trademark used for the exclusive purpose of 
                identifying the program, or a statement or other 
                information sufficient to clearly identify the program.
                    (B) Exemption for embedded advertisements.--The 
                Commission shall, by regulation, exempt from the 
                applicability of subparagraph (A) the embedded display 
                of any advertisement on a Web page that 
                contemporaneously displays other information.
            (3) Rulemaking.--The Commission may issue regulations to 
        carry out this subsection.
    (e) Limitation on Liability.--A telecommunications carrier, a 
provider of information service or interactive computer service, a 
cable operator, or a provider of transmission capability shall not be 
liable under this section to the extent that the carrier, operator, or 
provider--
            (1) transmits, routes, hosts, stores, or provides 
        connections for an information collection program through a 
        system or network controlled or operated by or for the carrier, 
        operator, or provider; or
            (2) provides an information location tool, such as a 
        directory, index, reference, pointer, or hypertext link, 
        through which the owner or user of a protected computer locates 
        an information collection program.
    (f) Study and Additional Exemption.--
            (1) Study and report.--The Commission shall conduct a study 
        to determine the applicability of the information collection 
        prohibitions of this section to information that is input 
        directly by users in a field provided on a website. The study 
        shall examine--
                    (A) the nature of such fields for user input;
                    (B) the use of a user's information once input and 
                whether such information is sent to a person other than 
                the provider of the Web site;
                    (C) whether such information is used to deliver 
                advertisements to the user's computer; and
                    (D) the extent of any notice provided to the user 
                prior to such input.
            (2) Report.--The Commission shall transmit a report on such 
        study to the Committee on Energy and Commerce of the House of 
        Representatives and the Committee on Commerce, Science, and 
        Transportation of the Senate not later than the expiration of 
        the 6-month period that begins on the date on which final 
        regulations are issued under section 9. The requirements of 
        subchapter I of chapter 35 of title 44, United States Code, 
        shall not apply to the report required under this subsection.
            (3) Regulation.--If the Commission finds that users have 
        adequate notice regarding the uses of any information input 
        directly by the user in a field provided on a website, such 
        that an exemption from the requirements of this section, or a 
        modification of the notice required by this section is 
        appropriate for such information, and that such an exemption or 
        modification is consistent with the public interest, the 
        protection of consumers, and the purposes of this Act, the 
        Commission may prescribe such an exemption or modification by 
        regulation.

SEC. 4. ENFORCEMENT.

    (a) Unfair or Deceptive Act or Practice.--This Act shall be 
enforced by the Commission under the Federal Trade Commission Act (15 
U.S.C. 41 et seq.). A violation of any provision of this Act or of a 
regulation issued under this Act shall be treated as an unfair or 
deceptive act or practice violating a rule promulgated under section 18 
of the Federal Trade Commission Act (15 U.S.C. 57a).
    (b) Penalty for Pattern or Practice Violations.--
            (1) In general.--Notwithstanding subsection (a) and the 
        Federal Trade Commission Act, in the case of a person who 
        engages in a pattern or practice that violates section 2 or 3, 
        the Commission may, in its discretion, seek a civil penalty for 
        such pattern or practice of violations in an amount, as 
        determined by the Commission, of not more than--
                    (A) $3,000,000 for each violation of section 2; and
                    (B) $1,000,000 for each violation of section 3.
            (2) Treatment of single action or conduct.--In applying 
        paragraph (1)--
                    (A) any single action or conduct that violates 
                section 2 or 3 with respect to multiple protected 
                computers shall be treated as a single violation; and
                    (B) any single action or conduct that violates more 
                than one paragraph of section 2(a) shall be considered 
                multiple violations, based on the number of such 
                paragraphs violated.
    (c) Required Scienter.--Civil penalties sought under this section 
for any action may not be granted by the Commission or any court unless 
the Commission or court, respectively, establishes that the action was 
committed with actual knowledge or knowledge fairly implied on the 
basis of objective circumstances that such act is unfair or deceptive 
or violates this Act.
    (d) Factors in Amount of Penalty.--In determining the amount of any 
penalty pursuant to subsection (a) or (b), the court shall take into 
account the degree of culpability, any history of prior such conduct, 
ability to pay, effect on ability to continue to do business, and such 
other matters as justice may require.
    (e) Exclusiveness of Remedies.--The remedies in this section (and 
other remedies available to the Commission in an enforcement action 
against unfair and deceptive acts and practices) are the exclusive 
remedies for violations of this Act.
    (f) Effective Date.--To the extent only that this section applies 
to violations of section 2(a), this section shall take effect upon the 
expiration of the 6-month period that begins on the date of the 
enactment of this Act.

SEC. 5. LIMITATIONS.

    (a) Law Enforcement Authority.--Sections 2 and 3 shall not apply 
to--
            (1) any act taken by a law enforcement agent in the 
        performance of official duties; or
            (2) the transmission or execution of an information 
        collection program in compliance with a law enforcement, 
        investigatory, national security, or regulatory agency or 
        department of the United States or any State in response to a 
        request or demand made under authority granted to that agency 
        or department, including a warrant issued under the Federal 
        Rules of Criminal Procedure, an equivalent State warrant, a 
        court order, or other lawful process.
    (b) Exception Relating to Security.--Nothing in this Act shall 
apply to--
            (1) any monitoring of, or interaction with, a protected 
        computer--
                    (A) in connection with the provision of a network 
                access service or other service or product with respect 
                to which the user of the protected computer is an 
                actual or prospective customer, subscriber, registered 
                user, or account holder;
                    (B) by the provider of that service or product or 
                with such provider's authorization; and
                    (C) that involves or enables the collection of 
                information about the user's activities only with 
                respect to the user's relationship with or use of such 
                service or product,
        to the extent that such monitoring or interaction is for the 
        purpose of network security, computer security, diagnostics, 
        technical support or repair, network management, authorized 
        updates of software, or for the detection or prevention of 
        fraudulent activities; or
            (2) a discrete interaction with a protected computer by a 
        provider of computer software solely to determine whether the 
        user of the computer is authorized to use such software, that 
        occurs upon--
                    (A) initialization of the software; or
                    (B) an affirmative request by the owner or 
                authorized user for an update of, addition to, or 
                technical service for, the software.
    (c) Good Samaritan Protection.--
            (1) In general.--No provider of computer software or of 
        interactive computer service may be held liable under this Act 
        on account of any action voluntarily taken, or service 
        provided, in good faith to remove or disable a program used to 
        violate section 2 or 3 that is installed on a computer of a 
        customer of such provider, if such provider notifies the 
        customer and obtains the consent of the customer before 
        undertaking such action or providing such service.
            (2) Construction.--Nothing in this subsection shall be 
        construed to limit the liability of a provider of computer 
        software or of an interactive computer service for any anti-
        competitive act otherwise prohibited by law.
    (d) Limitation on Liability.--A manufacturer or retailer of 
computer equipment shall not be liable under this Act to the extent 
that the manufacturer or retailer is providing third party branded 
computer software that is installed on the equipment the manufacturer 
or retailer is manufacturing or selling.
    (e) Services Provided by Cable Operators and Satellite Carriers.--
It shall not be a violation of section 3 for a satellite carrier (as 
such term is defined in section 338(k) of the Communications Act of 
1934 (47 U.S.C. 338(k)) or cable operator (as such term is defined in 
section 631(a)(2) of such Act (47 U.S.C. 551(a)(2))) to--
            (1) utilize a navigation device (as such term is defined in 
        the rules of the Federal Communications Commission);
            (2) interact with such a navigation device; or
            (3) transmit software to or execute software installed on 
        such a navigation device to provide service or collect or 
        disclose subscriber information,
if the provision of such service, the utilization of or the interaction 
with such device, or the collection of or disclosure of such 
information, is subject to section 338(i) or section 631 of the 
Communications Act of 1934.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Law.--
            (1) Preemption of spyware laws.--This Act supersedes any 
        provision of a statute, regulation, or rule of a State or 
        political subdivision of a State that expressly regulates--
                    (A) unfair or deceptive conduct with respect to 
                computers similar to that described in section 2(a);
                    (B) the transmission or execution of a computer 
                program similar to that described in section 3; or
                    (C) the use of computer software that displays 
                advertising content based on the Web pages accessed 
                using a computer.
            (2) Additional preemption.--
                    (A) In general.--No person other than the Attorney 
                General of a State may bring a civil action under the 
                law of any State if such action is premised in whole or 
                in part upon the defendant violating any provision of 
                this Act.
                    (B) Protection of consumer protection laws.--This 
                paragraph shall not be construed to limit the 
                enforcement of any State consumer protection law by an 
                Attorney General of a State.
            (3) Protection of certain state laws.--This Act shall not 
        be construed to preempt the applicability of--
                    (A) State trespass, contract, or tort law; or
                    (B) other State laws to the extent that those laws 
                relate to acts of fraud.
            (4) Effective date.--The preemption provided for under this 
        subsection shall take effect, with respect to specific 
        provisions of this Act, on the effective date for such 
        provisions.
    (b) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law, including the authority to issue 
advisory opinions (under part 1 of volume 16 of the Code of Federal 
Regulations), policy statements, or guidance regarding this Act.

SEC. 7. FTC REPORT ON COOKIES.

    (a) In General.--Not later than the expiration of the 6-month 
period that begins on the date on which final regulations are issued 
under section 9, the Commission shall submit a report to the Congress 
regarding the use of cookies in the delivery or display of advertising 
to the owners and users of computers. The report shall examine the 
extent to which cookies are or may be used to transmit to a third party 
personally identifiable information of a computer owner or user, 
information regarding Web pages accessed by the owner or user, or 
information regarding advertisements previously delivered to a 
computer, for the purpose of--
            (1) delivering or displaying advertising to the owner or 
        user; or
            (2) assisting the intended recipient to deliver or display 
        advertising to the owner, user, or others.
The report shall examine and describe the methods by which cookies and 
the Web sites that place them on computers function separately and 
together, and shall compare the use of cookies with the use of 
information collection programs (as such term is defined in section 3) 
to determine the extent to which such uses are similar or different. 
The report may include such recommendations as the Commission considers 
necessary and appropriate, including treatment of cookies under this 
Act or other laws.
    (b) Effective Date.--This section shall take effect on the date of 
the enactment of this Act.
    (c) Paperwork Reduction Requirements.--The requirements of 
subchapter I of chapter 35 of title 44, United States Code, shall not 
apply to the report required under this section.

SEC. 8. FTC REPORT ON INFORMATION COLLECTION PROGRAMS INSTALLED BEFORE 
              EFFECTIVE DATE.

    Not later than the expiration of the 6-month period that begins on 
the date on which final regulations are issued under section 9, the 
Commission shall submit a report to the Congress on the extent to which 
there are installed on protected computers information collection 
programs that, but for installation prior to the effective date under 
section 11(a), would be subject to the requirements of section 3. The 
report shall include recommendations regarding the means of affording 
computer users affected by such information collection programs the 
protections of section 3, including recommendations regarding requiring 
a one-time notice and consent by the owner or authorized user of a 
computer to the continued collection of information by such a program 
so installed on the computer. The requirements of subchapter I of 
chapter 35 of title 44, United States Code, shall not apply to the 
report required under this section.

SEC. 9. REGULATIONS.

    (a) In General.--The Commission shall issue the regulations 
required by this Act not later than the expiration of the 9-month 
period beginning on the date of the enactment of this Act. In 
exercising its authority to issue any regulation under this Act, the 
Commission shall determine that the regulation is consistent with the 
public interest and the purposes of this Act. Any regulations issued 
pursuant to this Act shall be issued in accordance with section 553 of 
title 5, United States Code.
    (b) Effective Date.--This section shall take effect on the date of 
the enactment of this Act.

SEC. 10. DEFINITIONS.

    For purposes of this Act:
            (1) Cable operator.--The term ``cable operator'' has the 
        meaning given such term in section 602 of the Communications 
        Act of 1934 (47 U.S.C. 522).
            (2) Collect.--The term ``collect'', when used with respect 
        to information and for purposes only of section 3(b)(1)(A), 
        does not include obtaining of the information by a party who is 
        intended by the owner or authorized user of a protected 
        computer to receive the information or by a third party 
        authorized by such intended recipient to receive the 
        information, pursuant to the owner or authorized user--
                    (A) transferring the information to such intended 
                recipient using the protected computer; or
                    (B) storing the information on the protected 
                computer in a manner so that it is accessible by such 
                intended recipient.
            (3) Computer; protected computer.--The terms ``computer'' 
        and ``protected computer'' have the meanings given such terms 
        in section 1030(e) of title 18, United States Code.
            (4) Computer software.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``computer software'' means a set of 
                statements or instructions that can be installed and 
                executed on a computer for the purpose of bringing 
                about a certain result.
                    (B) Exceptions.--Such term does not include--
                            (i) computer software that is placed on the 
                        computer system of a user by an Internet 
                        service provider, interactive computer service, 
                        or Internet Web site solely to enable the user 
                        subsequently to use such provider or service or 
                        to access such Web site; or
                            (ii) a text or data file known as a cookie, 
                        to the extent that the text or data file--
                                    (I) is used, written to, or placed 
                                on the computer of a user by an 
                                Internet service provider, interactive 
                                computer service, or Internet website, 
                                or any entity acting with the 
                                authorization of and on behalf of such 
                                Internet service provider, interactive 
                                computer service, or Internet website; 
                                and
                                    (II) can be read or recognized 
                                solely to return information to such 
                                Internet service provider, interactive 
                                computer service, or Internet website, 
                                or any entity acting with the 
                                authorization of and on behalf of such 
                                Internet service provider, interactive 
                                computer service, or Internet website.
            (5) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (6) Damage.--The term ``damage'' has the meaning given such 
        term in section 1030(e) of title 18, United States Code.
            (7) Unfair or deceptive acts or practices.--The term 
        ``unfair or deceptive acts or practices'' has the meaning 
        applicable to such term for purposes of section 5 of the 
        Federal Trade Commission Act (15 U.S.C. 45).
            (8) Disable.--The term ``disable'' means, with respect to 
        an information collection program, to permanently prevent such 
        program from executing any of the functions described in 
        section 3(b)(1) that such program is otherwise capable of 
        executing (including by removing, deleting, or disabling the 
        program), unless the owner or operator of a protected computer 
        takes a subsequent affirmative action to enable the execution 
        of such functions.
            (9) Information collection functions.--The term 
        ``information collection functions'' means, with respect to an 
        information collection program, the functions of the program 
        described in subsection (b)(1) of section 3.
            (10) Information service.--The term ``information service'' 
        has the meaning given such term in section 3 of the 
        Communications Act of 1934 (47 U.S.C. 153).
            (11) Interactive computer service.--The term ``interactive 
        computer service'' has the meaning given such term in section 
        230(f) of the Communications Act of 1934 (47 U.S.C. 230(f)).
            (12) Internet.--The term ``Internet'' means collectively 
        the myriad of computer and telecommunications facilities, 
        including equipment and operating software, which comprise the 
        interconnected world-wide network of networks that employ the 
        Transmission Control Protocol/Internet Protocol, or any 
        predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.
            (13) Personally identifiable information.--
                    (A) In general.--The term ``personally identifiable 
                information'' means the following information, to the 
                extent only that such information allows a living 
                individual to be identified from that information:
                            (i) First and last name of an individual.
                            (ii) A home or other physical address of an 
                        individual, including street name, name of a 
                        city or town, and zip code.
                            (iii) An electronic mail address.
                            (iv) A telephone number.
                            (v) A social security number, tax 
                        identification number, passport number, 
                        driver's license number, or any other 
                        government-issued identification number.
                            (vi) A credit card number.
                            (vii) Any access code, password, or account 
                        number, other than an access code or password 
                        transmitted by an owner or authorized user of a 
                        protected computer to the intended recipient to 
                        register for, or log onto, a Web page or other 
                        Internet service or a network connection or 
                        service of a subscriber that is protected by an 
                        access code or password.
                            (viii) Date of birth, birth certificate 
                        number, or place of birth of an individual, 
                        except in the case of a date of birth 
                        transmitted or collected for the purpose of 
                        compliance with the law.
                    (B) Rulemaking.--The Commission may, by regulation, 
                add to the types of information described in 
                subparagraph (A) that shall be considered personally 
                identifiable information for purposes of this Act, 
                except that such additional types of information shall 
                be considered personally identifiable information only 
                to the extent that such information allows living 
                individuals, particular computers, particular users of 
                computers, or particular email addresses or other 
                locations of computers to be identified from that 
                information.
            (14) Suite of functionally related software.--The term 
        ``suite of functionally related software'' means a group of 
        computer software programs distributed to an end user by a 
        single provider, which programs enable features or 
        functionalities of an integrated service offered by the 
        provider.
            (15) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given such term 
        in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
            (16) Transmit.--The term ``transmit'' means, with respect 
        to an information collection program, transmission by any 
        means.
            (17) Web page.--The term ``Web page'' means a location, 
        with respect to the World Wide Web, that has a single Uniform 
        Resource Locator or another single location with respect to the 
        Internet, as the Federal Trade Commission may prescribe.
            (18) Web site.--The term ``web site'' means a collection of 
        Web pages that are presented and made available by means of the 
        World Wide Web as a single Web site (or a single Web page so 
        presented and made available), which Web pages have any of the 
        following characteristics:
                    (A) A common domain name.
                    (B) Common ownership, management, or registration.

SEC. 11. APPLICABILITY AND SUNSET.

    (a) Effective Date.--Except as specifically provided otherwise in 
this Act, this Act shall take effect upon the expiration of the 12-
month period that begins on the date of the enactment of this Act.
    (b) Applicability.--Section 3 shall not apply to an information 
collection program installed on a protected computer before the 
effective date under subsection (a) of this section.
    (c) Sunset.--This Act shall not apply after December 31, 2013.