[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1528 Introduced in House (IH)]

112th CONGRESS
  1st Session
                                H. R. 1528

    To protect and enhance consumer privacy, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 13, 2011

Mr. Stearns (for himself, Mr. Matheson, Mr. Bilbray, and Mr. Manzullo) 
 introduced the following bill; which was referred to the Committee on 
                          Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
    To protect and enhance consumer privacy, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Privacy Protection Act of 
2011''.

SEC. 3. DEFINITIONS.

    In this Act, the following definitions apply:
            (1) Affiliate.--The term ``affiliate'' means any company 
        that controls, is controlled by, or is under common control 
        with another company.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Consumer.--The term ``consumer'' means an individual 
        acting in the individual's personal, family, or household 
        capacity.
            (4) Covered entity.--(A) The term ``covered entity'' means 
        an entity (or an agent or affiliate of the entity) that 
        collects (by any means, through any medium), sells, discloses 
        for consideration, or uses personally identifiable information 
        of more than 5,000 consumers during any consecutive 12-month 
        period, and includes a non-profit organization, including any 
        organization described in section 501(c) of the Internal 
        Revenue Code of 1986 that is exempt from taxation under section 
        501(a) of such Code, notwithstanding the definition of the term 
        ``Acts to regulate commerce'' in section 4 of the Federal Trade 
        Commission Act (15 U.S.C. 44) and the exception provided by 
        section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) for such 
        organizations.
            (B) Such term does not include--
                    (i) a governmental agency;
                    (ii) a provider of professional services, or any 
                affiliate thereof, to the extent that such provider is 
                obligated by rules of professional ethics, or by 
                applicable law or regulation, not to voluntarily 
                disclose confidential client information without the 
                consent of the client; or
                    (iii) a data processing outsourcing entity.
            (5) Data processing outsourcing entity.--The term ``data 
        processing outsourcing entity'' means, with respect to a 
        covered entity, a non-affiliated entity that--
                    (A) provides information technology processing, Web 
                hosting, or telecommunications services to the covered 
                entity;
                    (B) is contractually obligated to comply with 
                security controls specified by the covered entity; and
                    (C) has no right to use the covered entity's 
                personally identifiable information other than for 
                performing data processing outsourcing services for the 
                covered entity or as required by contract or law.
            (6) Display.--The term ``display'' means intentionally 
        communicating or otherwise making available (on the Internet or 
        in any other manner) to another person.
            (7) Information-sharing affiliate.--The term ``information-
        sharing affiliate'' means any affiliate that is under common 
        control with a covered entity, or is contractually obligated to 
        comply with the practices enumerated under the privacy policy 
        statement of the covered entity required under section 5.
            (8) Personally identifiable information.--(A) The term 
        ``personally identifiable information'', with respect to a 
        covered entity means individually identifiable information 
        relating to a living individual who can be identified from that 
        information, and includes:
                            (i) the combination of a first name (or 
                        initial) and last name of an individual, 
                        whether given at birth or time of adoption, or 
                        resulting from a lawful change of name;
                            (ii) the postal address of a physical place 
                        of residence of such individual;
                            (iii) an e-mail address of such individual;
                            (iv) a telephone number or mobile device 
                        number dedicated to contacting such individual 
                        at any place other than the individual's place 
                        of work;
                            (v) a social security number or other 
                        Federal or State government issued 
                        identification number issued to such 
                        individual; or
                            (vi) the complete account number of a 
                        credit or debit card issued to such individual.
            (B) Such term also includes, when disclosed in connection 
        with one or more of the items of information described in 
        subparagraph (A)--
                    (i) a birth date, the number of a certificate of 
                birth or adoption, or a place of birth; or
                    (ii) an electronic address, including an IP 
                address.
            (C) Such term does not include--
                    (i) anonymous or aggregate data, or any other 
                information that does not identify a unique living 
                individual;
                    (ii) information about a consumer inferred from 
                data maintained about a consumer; or
                    (iii) information about a consumer that is publicly 
                available or obtained from a public record.
            (9) Process.--The term ``process'', with respect to 
        personally identifiable information, means any value-added 
        activity performed on data by automated means.
            (10) Publicly available.--The term ``publicly available'', 
        with respect to information, means information that is lawfully 
        made available to the general public.
            (11) Public record.--The term ``public record'' means any 
        item, collection, or grouping of information about an 
        individual that is maintained by a Federal, State, or local 
        government entity and that is made available to the public.
            (12) Purchase.--The term ``purchase'' means providing, 
        directly or indirectly, anything of value in exchange for a 
        good or service.
            (13) State.--The term ``State'' includes the several 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, the Commonwealth of the Northern Mariana Islands, 
        American Samoa, Guam, the Virgin Islands, the Freely Associated 
        States, and any other territory or possession of the United 
        States.
            (14) Transaction.--The term ``transaction'' means an 
        interaction between a consumer and a covered entity resulting 
        in--
                    (A) any use of information that is necessary to 
                complete the interaction in the course of which 
                information is collected, or to maintain the 
                provisioning of a good or service requested by the 
                consumer, including use--
                            (i) to approve, guarantee, process, 
                        administer, complete, enforce, provide, or 
                        market a product, service, account, benefit, 
                        transaction, or payment method that is 
                        requested or approved by the consumer;
                            (ii) to deliver goods, services, funds, or 
                        other consideration to, or on behalf of, the 
                        consumer;
                            (iii) to protect the health and safety of 
                        the consumer; and
                            (iv) related to website analytics methods 
                        or measurements for improving or enhancing 
                        products or services.
                    (B) any disclosure of information that is necessary 
                for the consumer to enforce any right of the consumer;
                    (C) any disclosure of information that is required 
                by law or by a court order;
                    (D) any use of information to verify personally 
                identifiable information by the consumer, evaluate, 
                detect, or reduce the risk of fraud or other criminal 
                activity, or other risk-management activities; and
                    (E) the collection or use of personally 
                identifiable information for the marketing or 
                advertising of a covered entity's products or services 
                to its own customers or potential customers.

SEC. 4. PRIVACY NOTICES TO CONSUMERS.

    (a) Notice Required.--A covered entity shall provide to a consumer 
a notice containing the information required under subsection (b) as 
follows:
            (1) The covered entity shall provide the notice before any 
        personally identifiable information that is collected from a 
        consumer is used by the covered entity for a purpose unrelated 
        to a transaction.
            (2) Upon a material change in the covered entity's privacy 
        policy under section 5(a), the covered entity shall provide the 
        notice, not later than the first time after such change in 
        policy that the covered entity seeks to sell, disclose for 
        consideration, or use personally identifiable information to 
        the extent practicable, to each consumer from whom the covered 
        entity has collected such information.
    (b) Form and Contents of Notice.--A notice required under 
subsection (a) shall be provided in a clear and conspicuous manner, be 
prominently displayed or explicitly stated to the consumer, and contain 
the following information:
            (1) A statement that the personally identifiable 
        information collected by the covered entity may be used or 
        disclosed for purposes or transactions unrelated to that for 
        which it was collected, as described in the covered entity's 
        privacy statement.
            (2) A description, appropriate to the applicable medium, of 
        the manner in which the consumer may obtain a privacy policy 
        statement that meets the requirements of section 5, which may 
        include providing the consumer with an Internet website, a 
        hyperlink to such a website, or a toll-free telephone number 
        from which such a statement may be obtained. If the notice 
        required under subsection (a) is provided to the consumer by 
        means of an Internet website, one manner in which the consumer 
        may obtain the privacy policy statement must be by means of an 
        Internet website.
            (3) If the notice is required under subsection (a)(2), a 
        statement that there has been a material change in the covered 
        entity's privacy policy.

SEC. 5. PRIVACY POLICY STATEMENTS.

    (a) Privacy Policy.--A covered entity shall establish a privacy 
policy with respect to the collection, sale, disclosure for 
consideration, dissemination, use, and security of the personally 
identifiable information of consumers, the principal elements of which 
shall be embodied in a privacy policy statement (or statements) that 
meets the requirements of subsection (b).
    (b) Statement.--The statement (or statements) required under 
subsection (a) shall meet the following requirements:
            (1) The statement must be brief, concise, clear, and 
        conspicuous and written in plain language.
            (2) The statement must be available to all consumers of the 
        covered entity (regardless of the means by which a consumer 
        conducts a transaction with the covered entity)--
                    (A) at no charge to the consumer; and
                    (B) at the time the covered entity first collects 
                personally identifiable information about the consumer 
                that may be used for a purpose unrelated to a 
                transaction with the consumer and subsequently.
            (3) The statement must disclose only the following:
                    (A) The identity of each covered entity, or a 
                description of each class or type of covered entity, 
                that may collect or use the information.
                    (B) The types of information that may be collected 
                or used.
                    (C) How the information may be used.
                    (D) Whether the consumer is required to provide the 
                information in order to do business with the covered 
                entity.
                    (E) The extent to which the information is subject 
                to sale or disclosure for consideration to a covered 
                entity that is not an information-sharing affiliate of 
                the covered entity providing the statement, including--
                            (i) a clear and prominent statement of the 
                        fact that the information is subject to such 
                        sale or disclosure for consideration;
                            (ii) a description of each class or type of 
                        covered entity to which the information may be 
                        sold or disclosed for consideration;
                            (iii) to the extent practicable, the 
                        purpose for which the information may be used; 
                        and
                            (iv) the types of information that may be 
                        sold or disclosed for consideration.
                    (F) Whether the information security practices of 
                the covered entity meet the security requirements of 
                section 8 in order to prevent unauthorized disclosure 
                or release of personally identifiable information.
    (c) Commission Facilitation.--The Commission may take actions 
(including conducting industry-wide workshops) to facilitate the 
development of harmonized, universal wording or logo-based graphics in 
order to convey the contents of privacy policy statements required 
under this section.

SEC. 6. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF 
              INFORMATION.

    (a) Preclusion of Sale or Disclosure.--
            (1) Requirement.--A covered entity shall provide to the 
        consumer, without charge, the opportunity to preclude any sale 
        or disclosure for consideration of the consumer's personally 
        identifiable information, provided in a particular data 
        collection, that may be used for a purpose other than a 
        transaction with the consumer, to any covered entity that is 
        not an information-sharing affiliate of the covered entity 
        providing such opportunity.
            (2) Duration.--A preclusion on sale or disclosure for 
        consideration of information established by a consumer under 
        this subsection shall remain in effect for 5 years or until the 
        consumer indicates otherwise, whichever occurs sooner. A 
        covered entity may not seek reconsideration of a consumer's 
        preclusion of such sale or disclosure until at least 1 year 
        after such preclusion has been imposed by the consumer.
    (b) Permission for Sale or Disclosure.--A covered entity may 
provide the consumer an opportunity to permit the sale or disclosure 
described in subsection (a)(1) in exchange for a benefit to the 
consumer.
    (c) Accessibility.--The opportunity to preclude (or if offered, to 
permit) the sale or disclosure for consideration of information under 
this section must be both easy to access and use, and the notice of the 
opportunity to preclude must be clear and conspicuous.

SEC. 7. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.

    If a covered entity provides to a consumer the opportunity to limit 
other practices of the covered entity with respect to a particular 
collection or use of personally identifiable information regarding the 
consumer, other than that required by section 6--
            (1) a notice and description of such opportunity must 
        appear in the privacy statement;
            (2) such opportunity must be easy to access and to use; and
            (3) any limitation exercised by the consumer pursuant to 
        such opportunity shall remain in effect, unless--
                    (A) the limitation is withdrawn by the consumer; or
                    (B) the covered entity provides the consumer at 
                least 30 days notice before materially changing the 
                limitation or terminating its compliance with the 
                limitation.

SEC. 8. INFORMATION SECURITY OBLIGATIONS.

    (a) Implementation.--A covered entity shall prepare, revise as 
necessary, and implement an information security policy that is 
applicable to the information security practices and treatment of 
personally identifiable information maintained by the covered entity, 
that is designed to prevent the unauthorized disclosure or release of 
such information.
    (b) Management Approval.--An information security policy created 
pursuant to paragraph (1) shall be considered and approved by the 
senior management officials of the covered entity.
    (c) Contents.--An information security policy required under 
paragraph (1) shall include--
            (1) a process for taking corrective action to prevent or 
        mitigate unauthorized disclosure of information; and
            (2) identifying an officer of the covered entity as the 
        point of contact with responsibility for information security 
        issues for the covered entity.

SEC. 9. SELF-REGULATORY PROGRAMS.

    (a) Self-Regulatory Program.--
            (1) Presumption of compliance.--The Commission shall 
        presume that a covered entity is in compliance with the 
        provisions of sections 4 through 8 if that covered entity--
                    (A) participates in a self-regulatory program 
                approved under subsection (b); and
                    (B) is subject to enforcement under a self-
                regulatory program's guidelines, procedures, 
                requirements, and restrictions (including a remedial 
                process under subsection (c)(7)).
            (2) Effect of willful noncompliance.--A covered entity that 
        participates in a self-regulatory program under this section 
        shall not be liable for a civil penalty arising out of a 
        violation of any provision of sections 4 through 8 unless such 
        violation results from willful noncompliance with the 
        guidelines, procedures, requirements, or restrictions of the 
        program.
    (b) Approval by Commission.--
            (1) Approval.--The Commission shall, within 90 days after 
        submission of an application for approval of a self-regulatory 
        program under this section (or of a material change in a 
        program previously approved by the Commission), approve such 
        program (or change) if the Commission finds that the program 
        (or change) complies with the requirements of subsection (c).
            (2) Form of application.--The Commission shall accept an 
        application for approval under paragraph (1) in any reasonable 
        form the applicant may submit.
            (3) Duration until renewal.--A self-regulatory program 
        approved by the Commission under paragraph (1) shall be 
        approved for a period of 5 years.
            (4) Revocation of approval.--The Commission may, after 
        notice and opportunity for a hearing, revoke approval granted 
        under paragraph (1), if the Commission finds that a self-
        regulatory program fails to meet the requirements of subsection 
        (c).
            (5) Judicial review.--Any order by the Commission denying 
        approval of a self-regulatory program shall be subject to 
        judicial review, as provided in section 706 of title 5, United 
        States Code.
    (c) Requirements of Self-Regulatory Program.--A self-regulatory 
program complies with the requirements of this subsection if the 
program provides each of the following:
            (1) Guidelines and procedures requiring a program 
        participant to provide substantially equivalent or greater 
        protections for consumers and their personally identifiable 
        information as are provided under sections 4 through 8.
            (2) Procedures and requirements to provide for--
                    (A) an initial review of a participant's privacy 
                statement and privacy policy, and subsequent review 
                whenever such statement or policy is substantively 
                changed;
                    (B) a participant's self-review and self-
                certification of its privacy policy and practices to 
                ensure compliance with the guidelines, procedures, 
                requirements, and restrictions of the program 
                established under this subsection;
                    (C) a participant's subsequent periodic self-
                reviews and self-certifications, which shall occur at 
                least annually, of its privacy policy and practices 
                to ensure continued compliance with such guidelines, 
                procedures, requirements, and restrictions;
                    (D) submission of self-reviews and self-
                certifications under this paragraph to any 
                administrator of the program; and
                    (E) random review of participants, which may 
                concentrate on selected compliance issues, if the self-
                regulatory program conducts--
                            (i) random compliance tests with respect to 
                        each participant not less frequently than every 
                        3 years;
                            (ii) a full compliance test of a particular 
                        participant in any case where non-compliance 
                        with any of the selected compliance issues has 
                        been identified; and
                            (iii) full compliance tests of participants 
                        with a high number of complaints against them.
            (3) Procedures and requirements that ensure that a program 
        participant provides a process for resolving disputes with 
        consumers relating to the privacy policy and practices of the 
        participant. Such dispute resolution process--
                    (A) must be available without charge to a consumer;
                    (B) must be available at a cost to the participant 
                that is reasonable and does not discourage 
                participation by the participant in such process;
                    (C) must ensure that consumers are informed of how 
                to utilize the process;
                    (D) may include, as one choice among others, 
                binding arbitration; and
                    (E)(i) must be completed within 60 days after 
                submission of the dispute by the consumer; or
                    (ii) must be completed within 90 days after 
                submission of the dispute by the consumer, if the 
                participant--
                            (I) determines that additional time is 
                        required to obtain information to make an 
                        informed decision with respect to the dispute; 
                        and
                            (II) notifies the consumer and the self-
                        regulatory program that such additional time is 
                        required.
            (4) Provisions for the use by participants in the program 
        of a means (including the use of a seal) to represent the 
        participant's participation in the program.
            (5) With respect to any nonvoluntary suspension or 
        termination of participation in the program because of the 
        participant's failure to comply with the program, procedures or 
        requirements to provide for the following:
                    (A) Publication of notice and the reasons for any 
                such suspension or termination, except that no 
                personally identifiable information related to such 
                suspension or termination may be published.
                    (B) Notice to the Commission of any such 
                termination.
            (6) Requirements and restrictions that assure independence 
        with respect to program eligibility, compliance, and dispute 
        resolution mechanisms and decisions from improper interference 
        by management or ownership of the self-regulatory program 
        participant.
            (7) A process for a noncompliant participant to take timely 
        remedial action in order to come back into compliance with the 
        program before suspension or termination of participation in 
        the program.
    (d) Consumer Dispute Resolution.--
            (1) Self-regulatory dispute process.--If a consumer has a 
        dispute with a participant in a self-regulatory program under 
        this section or under section 5 of the Federal Trade Commission 
        Act (15 U.S.C. 45) to the extent that such dispute pertains to 
        the entity's privacy policy or practices required for 
        participation in the self-regulatory program, the consumer 
        shall initially seek resolution through the participant's 
        dispute resolution process (established in accordance with 
        subsection (c)(3)). The Commission shall promptly refer to the 
        participant involved any dispute submitted to the Commission 
        for which resolution has not been initially sought through such 
        process.
            (2) Resolution by commission.--A consumer may submit to the 
        Commission for resolution a dispute with a participant in a 
        self-regulatory program under this section, if the following 
        requirements are met:
                    (A) The dispute was initially submitted under 
                paragraph (1) for resolution through the participant's 
                dispute resolution process.
                    (B) The dispute submitted under paragraph (1) is 
                not resolved--
                            (i) within 60 days after submission of the 
                        dispute by the consumer; or
                            (ii) to the satisfaction of the consumer.
                    (C) Notice of the facts of the dispute is submitted 
                to the Commission not later than 30 days after the date 
                on which the consumer is notified of the resolution 
                through the participant's dispute resolution process.
                    (D) The consumer has not voluntarily accepted a 
                resolution of the dispute under paragraph (1).
                    (E) The dispute was not resolved through binding 
                arbitration.
            (3) Limitation.--Nothing in this Act shall prevent the 
        Commission from investigating compliance with this Act by a 
        participant in a self-regulatory covered entity based upon a 
        complaint from an individual or covered entity other than a 
        consumer with a dispute with such participant, or on its own 
        initiative, except that prior to instituting any such 
        investigation the Commission shall afford the self-regulatory 
        covered entity a reasonable opportunity to invoke its own 
        remedial procedures and assure compliance by the participant.
            (4) Clear and convincing evidence.--The presumption 
        established by paragraph (1) of subsection (a) may be overcome 
        by clear and convincing evidence of non-compliance.
    (e) Nonrelease of Certain Information.--The Commission may not 
compel a participant in a self-regulatory program approved under 
subsection (b) (or an administrator of such a program) to provide 
proprietary information or personally identifiable information of 
consumers to the Commission unless the Commission provides assurances 
that such information will not be released to the public.
    (f) Misrepresentation of Self-Regulatory Program Participation.--It 
is unlawful for a covered entity to misrepresent that it is a 
participant in a self-regulatory program (including through any 
mechanism provided under subsection (c)(4)) when such covered entity is 
not, in fact, such a participant.
    (g) Exempted Entity Participation.--An entity that is not a covered 
entity and that voluntarily participates in a self-regulatory program 
under this section shall enjoy the rights and benefits provided under 
this section in any action or investigation under section 5 of the 
Federal Trade Commission Act (15 U.S.C. 45) to the extent that such 
action or investigation pertains to the entity's privacy policy or 
practices required for participation in the self-regulatory program.

SEC. 10. ENFORCEMENT.

    (a) Unfair or Deceptive Act or Practice.--A violation of any 
provision of this Act by a covered entity is an unfair or deceptive act 
or practice unlawful under section 5(a)(1) of the Federal Trade 
Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any 
civil penalty under such Act shall be doubled for a violation of this 
Act, but may not exceed $500,000 for all related violations by a single 
violator (without respect to the number of consumers affected or the 
duration of the related violations).
    (b) Guidelines and Opinions.--In order to assist in compliance with 
this Act, the Federal Trade Commission may promulgate regulations and 
interpretive rules under section 18 of the Federal Trade Commission Act 
(15 U.S.C. 57a), with respect to specific types of acts or practices 
that would, or would not, comply with this Act.

SEC. 11. NO PRIVATE RIGHT OF ACTION.

    This Act may not be considered or construed to provide any private 
right of action. No private civil action relating to any act or 
practice governed under this Act may be commenced or maintained in any 
State court or under State law (including a pendent State claim to an 
action under Federal law).

SEC. 12. EFFECT ON OTHER LAWS.

    (a) Qualified Exemption for Compliance With Other Federal Privacy 
Laws.--To the extent that personally identifiable information protected 
under this Act is also protected under a provision of Federal privacy 
law described in subsection (c), a covered entity that complies with 
the relevant provision of such other Federal privacy law shall be 
deemed to have complied with the corresponding provision of this Act.
    (b) Protection of Other Federal Privacy Laws.--Nothing in this Act 
may be construed to modify, limit, supersede, or interfere with the 
operation of the Federal privacy laws described in subsection (c) or 
the provision of information permitted or required, expressly or by 
implication, by such laws, with respect to Federal rights and 
practices.
    (c) Other Federal Privacy Laws Described.--The provisions of law to 
which subsections (a) and (b) apply are the following:
            (1) Section 552a of title 5, United States Code (commonly 
        known as the Privacy Act of 1974).
            (2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 
        3401 et seq.).
            (3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
            (4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 
        et seq.).
            (5) The Children's Online Privacy Protection Act of 1998 
        (15 U.S.C. 6501 et seq.).
            (6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 
        U.S.C. 6801 et seq.).
            (7) The Electronic Communications Privacy Act of 1986 
        (Public Law 99-508).
            (8) The Driver's Privacy Protection Act of 1994 (18 U.S.C. 
        2721 et seq.).
            (9) The Family Educational Rights and Privacy Act of 1974 
        (20 U.S.C. 1221 note, 1232g).
            (10) Section 445 of the General Education Provisions Act 
        (20 U.S.C. 1232h).
            (11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa 
        et seq.).
            (12) Section 222 of the Communications Act of 1934 (47 
        U.S.C. 222) relating to the Customer Proprietary Network 
        Information.
            (13) The Cable Communications Policy Act of 1984 (47 U.S.C. 
        521 et seq.).
            (14) The Communications Assistance for Law Enforcement Act 
        (47 U.S.C. 1001 et seq.).
            (15) The Video Privacy Protection Act of 1988 (Public Law 
        100-618).
            (16) The Telephone Consumer Protection Act of 1991 (Public 
        Law 102-243).
            (17) The Health Insurance Portability and Accountability 
        Act of 1996 (Public Law 104-191), as it relates to an entity 
        described in section 1172(a) of the Social Security Act (42 
        U.S.C. 1320d-1(a)) or to activities regulated under section 
        1173 of such Act (42 U.S.C. 1320d-2).
            (18) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).
    (d) Preemption of State Privacy Laws.--This Act preempts any 
statutory law, common law, rule, or regulation of a State, or a 
political subdivision of a State, to the extent such law, rule, or 
regulation relates to or affects the collection, use, sale, disclosure, 
retention, or dissemination of personally identifiable information in 
commerce. No State, or political subdivision of a State, may take any 
action to enforce this Act.

SEC. 13. EFFECTIVE DATE.

    This Act shall apply with respect to personally identifiable 
information collected on or after the date that is 1 year after the 
date of enactment of this Act.