[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1528 Introduced in House (IH)]
112th CONGRESS
1st Session
H. R. 1528
To protect and enhance consumer privacy, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 13, 2011
Mr. Stearns (for himself, Mr. Matheson, Mr. Bilbray, and Mr. Manzullo)
introduced the following bill; which was referred to the Committee on
Energy and Commerce
_______________________________________________________________________
A BILL
To protect and enhance consumer privacy, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer Privacy Protection Act of
2011''.
SEC. 3. DEFINITIONS.
In this Act, the following definitions apply:
(1) Affiliate.--The term ``affiliate'' means any company
that controls, is controlled by, or is under common control
with another company.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Consumer.--The term ``consumer'' means an individual
acting in the individual's personal, family, or household
capacity.
(4) Covered entity.--(A) The term ``covered entity'' means
an entity (or an agent or affiliate of the entity) that
collects (by any means, through any medium), sells, discloses
for consideration, or uses personally identifiable information
of more than 5,000 consumers during any consecutive 12-month
period, and includes a non-profit organization, including any
organization described in section 501(c) of the Internal
Revenue Code of 1986 that is exempt from taxation under section
501(a) of such Code, notwithstanding the definition of the term
``Acts to regulate commerce'' in section 4 of the Federal Trade
Commission Act (15 U.S.C. 44) and the exception provided by
section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) for such
organizations.
(B) Such term does not include--
(i) a governmental agency;
(ii) a provider of professional services, or any
affiliate thereof, to the extent that such provider is
obligated by rules of professional ethics, or by
applicable law or regulation, not to voluntarily
disclose confidential client information without the
consent of the client; or
(iii) a data processing outsourcing entity.
(5) Data processing outsourcing entity.--The term ``data
processing outsourcing entity'' means, with respect to a
covered entity, a non-affiliated entity that--
(A) provides information technology processing, Web
hosting, or telecommunications services to the covered
entity;
(B) is contractually obligated to comply with
security controls specified by the covered entity; and
(C) has no right to use the covered entity's
personally identifiable information other than for
performing data processing outsourcing services for the
covered entity or as required by contract or law.
(6) Display.--The term ``display'' means intentionally
communicating or otherwise making available (on the Internet or
in any other manner) to another person.
(7) Information-sharing affiliate.--The term ``information-
sharing affiliate'' means any affiliate that is under common
control with a covered entity, or is contractually obligated to
comply with the practices enumerated under the privacy policy
statement of the covered entity required under section 5.
(8) Personally identifiable information.--(A) The term
``personally identifiable information'', with respect to a
covered entity means individually identifiable information
relating to a living individual who can be identified from that
information, and includes:
(i) the combination of a first name (or
initial) and last name of an individual,
whether given at birth or time of adoption, or
resulting from a lawful change of name;
(ii) the postal address of a physical place
of residence of such individual;
(iii) an e-mail address of such individual;
(iv) a telephone number or mobile device
number dedicated to contacting such individual
at any place other than the individual's place
of work;
(v) a social security number or other
Federal or State government issued
identification number issued to such
individual; or
(vi) the complete account number of a
credit or debit card issued to such individual.
(B) Such term also includes, when disclosed in connection
with one or more of the items of information described in
subparagraph (A)--
(i) a birth date, the number of a certificate of
birth or adoption, or a place of birth; or
(ii) an electronic address, including an IP
address.
(C) Such term does not include--
(i) anonymous or aggregate data, or any other
information that does not identify a unique living
individual;
(ii) information about a consumer inferred from
data maintained about a consumer; or
(iii) information about a consumer that is publicly
available or obtained from a public record.
(9) Process.--The term ``process'', with respect to
personally identifiable information, means any value-added
activity performed on data by automated means.
(10) Publicly available.--The term ``publicly available'',
with respect to information, means information that is lawfully
made available to the general public.
(11) Public record.--The term ``public record'' means any
item, collection, or grouping of information about an
individual that is maintained by a Federal, State, or local
government entity and that is made available to the public.
(12) Purchase.--The term ``purchase'' means providing,
directly or indirectly, anything of value in exchange for a
good or service.
(13) State.--The term ``State'' includes the several
States, the District of Columbia, the Commonwealth of Puerto
Rico, the Commonwealth of the Northern Mariana Islands,
American Samoa, Guam, the Virgin Islands, the Freely Associated
States, and any other territory or possession of the United
States.
(14) Transaction.--The term ``transaction'' means an
interaction between a consumer and a covered entity resulting
in--
(A) any use of information that is necessary to
complete the interaction in the course of which
information is collected, or to maintain the
provisioning of a good or service requested by the
consumer, including use--
(i) to approve, guarantee, process,
administer, complete, enforce, provide, or
market a product, service, account, benefit,
transaction, or payment method that is
requested or approved by the consumer;
(ii) to deliver goods, services, funds, or
other consideration to, or on behalf of, the
consumer;
(iii) to protect the health and safety of
the consumer; and
(iv) related to website analytics methods
or measurements for improving or enhancing
products or services.
(B) any disclosure of information that is necessary
for the consumer to enforce any right of the consumer;
(C) any disclosure of information that is required
by law or by a court order;
(D) any use of information to verify personally
identifiable information by the consumer, evaluate,
detect, or reduce the risk of fraud or other criminal
activity, or other risk-management activities; and
(E) the collection or use of personally
identifiable information for the marketing or
advertising of a covered entity's products or services
to its own customers or potential customers.
SEC. 4. PRIVACY NOTICES TO CONSUMERS.
(a) Notice Required.--A covered entity shall provide to a consumer
a notice containing the information required under subsection (b) as
follows:
(1) The covered entity shall provide the notice before any
personally identifiable information that is collected from a
consumer is used by the covered entity for a purpose unrelated
to a transaction.
(2) Upon a material change in the covered entity's privacy
policy under section 5(a), the covered entity shall provide the
notice, not later than the first time after such change in
policy that the covered entity seeks to sell, disclose for
consideration, or use personally identifiable information to
the extent practicable, to each consumer from whom the covered
entity has collected such information.
(b) Form and Contents of Notice.--A notice required under
subsection (a) shall be provided in a clear and conspicuous manner, be
prominently displayed or explicitly stated to the consumer, and contain
the following information:
(1) A statement that the personally identifiable
information collected by the covered entity may be used or
disclosed for purposes or transactions unrelated to that for
which it was collected, as described in the covered entity's
privacy statement.
(2) A description, appropriate to the applicable medium, of
the manner in which the consumer may obtain a privacy policy
statement that meets the requirements of section 5, which may
include providing the consumer with an Internet website, a
hyperlink to such a website, or a toll-free telephone number
from which such a statement may be obtained. If the notice
required under subsection (a) is provided to the consumer by
means of an Internet website, one manner in which the consumer
may obtain the privacy policy statement must be by means of an
Internet website.
(3) If the notice is required under subsection (a)(2), a
statement that there has been a material change in the covered
entity's privacy policy.
SEC. 5. PRIVACY POLICY STATEMENTS.
(a) Privacy Policy.--A covered entity shall establish a privacy
policy with respect to the collection, sale, disclosure for
consideration, dissemination, use, and security of the personally
identifiable information of consumers, the principal elements of which
shall be embodied in a privacy policy statement (or statements) that
meets the requirements of subsection (b).
(b) Statement.--The statement (or statements) required under
subsection (a) shall meet the following requirements:
(1) The statement must be brief, concise, clear, and
conspicuous and written in plain language.
(2) The statement must be available to all consumers of the
covered entity (regardless of the means by which a consumer
conducts a transaction with the covered entity)--
(A) at no charge to the consumer; and
(B) at the time the covered entity first collects
personally identifiable information about the consumer
that may be used for a purpose unrelated to a
transaction with the consumer and subsequently.
(3) The statement must disclose only the following:
(A) The identity of each covered entity, or a
description of each class or type of covered entity,
that may collect or use the information.
(B) The types of information that may be collected
or used.
(C) How the information may be used.
(D) Whether the consumer is required to provide the
information in order to do business with the covered
entity.
(E) The extent to which the information is subject
to sale or disclosure for consideration to a covered
entity that is not an information-sharing affiliate of
the covered entity providing the statement, including--
(i) a clear and prominent statement of the
fact that the information is subject to such
sale or disclosure for consideration;
(ii) a description of each class or type of
covered entity to which the information may be
sold or disclosed for consideration;
(iii) to the extent practicable, the
purpose for which the information may be used;
and
(iv) the types of information that may be
sold or disclosed for consideration.
(F) Whether the information security practices of
the covered entity meet the security requirements of
section 8 in order to prevent unauthorized disclosure
or release of personally identifiable information.
(c) Commission Facilitation.--The Commission may take actions
(including conducting industry-wide workshops) to facilitate the
development of harmonized, universal wording or logo-based graphics in
order to convey the contents of privacy policy statements required
under this section.
SEC. 6. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF
INFORMATION.
(a) Preclusion of Sale or Disclosure.--
(1) Requirement.--A covered entity shall provide to the
consumer, without charge, the opportunity to preclude any sale
or disclosure for consideration of the consumer's personally
identifiable information, provided in a particular data
collection, that may be used for a purpose other than a
transaction with the consumer, to any covered entity that is
not an information-sharing affiliate of the covered entity
providing such opportunity.
(2) Duration.--A preclusion on sale or disclosure for
consideration of information established by a consumer under
this subsection shall remain in effect for 5 years or until the
consumer indicates otherwise, whichever occurs sooner. A
covered entity may not seek reconsideration of a consumer's
preclusion of such sale or disclosure until at least 1 year
after such preclusion has been imposed by the consumer.
(b) Permission for Sale or Disclosure.--A covered entity may
provide the consumer an opportunity to permit the sale or disclosure
described in subsection (a)(1) in exchange for a benefit to the
consumer.
(c) Accessibility.--The opportunity to preclude (or if offered, to
permit) the sale or disclosure for consideration of information under
this section must be both easy to access and use, and the notice of the
opportunity to preclude must be clear and conspicuous.
SEC. 7. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.
If a covered entity provides to a consumer the opportunity to limit
other practices of the covered entity with respect to a particular
collection or use of personally identifiable information regarding the
consumer, other than that required by section 6--
(1) a notice and description of such opportunity must
appear in the privacy statement;
(2) such opportunity must be easy to access and to use; and
(3) any limitation exercised by the consumer pursuant to
such opportunity shall remain in effect, unless--
(A) the limitation is withdrawn by the consumer; or
(B) the covered entity provides the consumer at
least 30 days notice before materially changing the
limitation or terminating its compliance with the
limitation.
SEC. 8. INFORMATION SECURITY OBLIGATIONS.
(a) Implementation.--A covered entity shall prepare, revise as
necessary, and implement an information security policy that is
applicable to the information security practices and treatment of
personally identifiable information maintained by the covered entity,
that is designed to prevent the unauthorized disclosure or release of
such information.
(b) Management Approval.--An information security policy created
pursuant to paragraph (1) shall be considered and approved by the
senior management officials of the covered entity.
(c) Contents.--An information security policy required under
paragraph (1) shall include--
(1) a process for taking corrective action to prevent or
mitigate unauthorized disclosure of information; and
(2) identifying an officer of the covered entity as the
point of contact with responsibility for information security
issues for the covered entity.
SEC. 9. SELF-REGULATORY PROGRAMS.
(a) Self-Regulatory Program.--
(1) Presumption of compliance.--The Commission shall
presume that a covered entity is in compliance with the
provisions of sections 4 through 8 if that covered entity--
(A) participates in a self-regulatory program
approved under subsection (b); and
(B) is subject to enforcement under a self-
regulatory program's guidelines, procedures,
requirements, and restrictions (including a remedial
process under subsection (c)(7)).
(2) Effect of willful noncompliance.--A covered entity that
participates in a self-regulatory program under this section
shall not be liable for a civil penalty arising out of a
violation of any provision of sections 4 through 8 unless such
violation results from willful noncompliance with the
guidelines, procedures, requirements, or restrictions of the
program.
(b) Approval by Commission.--
(1) Approval.--The Commission shall, within 90 days after
submission of an application for approval of a self-regulatory
program under this section (or of a material change in a
program previously approved by the Commission), approve such
program (or change) if the Commission finds that the program
(or change) complies with the requirements of subsection (c).
(2) Form of application.--The Commission shall accept an
application for approval under paragraph (1) in any reasonable
form the applicant may submit.
(3) Duration until renewal.--A self-regulatory program
approved by the Commission under paragraph (1) shall be
approved for a period of 5 years.
(4) Revocation of approval.--The Commission may, after
notice and opportunity for a hearing, revoke approval granted
under paragraph (1), if the Commission finds that a self-
regulatory program fails to meet the requirements of subsection
(c).
(5) Judicial review.--Any order by the Commission denying
approval of a self-regulatory program shall be subject to
judicial review, as provided in section 706 of title 5, United
States Code.
(c) Requirements of Self-Regulatory Program.--A self-regulatory
program complies with the requirements of this subsection if the
program provides each of the following:
(1) Guidelines and procedures requiring a program
participant to provide substantially equivalent or greater
protections for consumers and their personally identifiable
information as are provided under sections 4 through 8.
(2) Procedures and requirements to provide for--
(A) an initial review of a participant's privacy
statement and privacy policy, and subsequent review
whenever such statement or policy is substantively
changed;
(B) a participant's self-review and self-
certification of its privacy policy and practices to
ensure compliance with the guidelines, procedures,
requirements, and restrictions of the program
established under this subsection;
(C) a participant's subsequent periodic self-
reviews and self-certifications, which shall occur at
least annually, of the its privacy policy and practices
to ensure continued compliance with such guidelines,
procedures, requirements, and restrictions;
(D) submission of self-reviews and self-
certifications under this paragraph to any
administrator of the program; and
(E) random review of participants, which may
concentrate on selected compliance issues, if the self-
regulatory program conducts--
(i) random compliance tests with respect to
each participant not less frequently than every
3 years;
(ii) a full compliance test of a particular
participant in any case where non-compliance
with any of the selected compliance issues has
been identified; and
(iii) full compliance tests of participants
with a high number of complaints against them.
(3) Procedures and requirements that ensure that a program
participant provides a process for resolving disputes with
consumers relating to the privacy policy and practices of the
participant. Such dispute resolution process--
(A) must be available without charge to a consumer;
(B) must be available at a cost to the participant
that is reasonable and does not discourage
participation by the participant in such process;
(C) must ensure that consumers are informed of how
to utilize the process;
(D) may include, as one choice among others,
binding arbitration; and
(E)(i) must be completed within 60 days after
submission of the dispute by the consumer; or
(ii) must be completed within 90 days after
submission of the dispute by the consumer, if the
participant--
(I) determines that additional time is
required to obtain information to make an
informed decision with respect to the dispute;
and
(II) notifies the consumer and the self-
regulatory program that such additional time is
required.
(4) Provisions for the use by participants in the program
of a means (including the use of a seal) to represent the
participant's participation in the program.
(5) With respect to any nonvoluntary suspension or
termination of participation in the program because of the
participant's failure to comply with the program, procedures or
requirements to provide for the following:
(A) Publication of notice and the reasons for any
such suspension or termination, except that no
personally identifiable information related to such
suspension or termination may be published.
(B) Notice to the Commission of any such
termination.
(6) Requirements and restrictions that assure independence
with respect to program eligibility, compliance, and dispute
resolution mechanisms and decisions from improper interference
by management or ownership of the self-regulatory program
participant.
(7) A process for a noncompliant participant to take timely
remedial action in order to come back into compliance with the
program before suspension or termination of participation in
the program.
(d) Consumer Dispute Resolution.--
(1) Self-regulatory dispute process.--If a consumer has a
dispute with a participant in a self-regulatory program under
this section or under section 5 of the Federal Trade Commission
Act (15 U.S.C. 45) to the extent that such dispute pertains to
the entity's privacy policy or practices required for
participation in the self-regulatory program, the consumer
shall initially seek resolution through the participant's
dispute resolution process (established in accordance with
subsection (c)(3)). The Commission shall promptly refer to the
participant involved any dispute submitted to the Commission
for which resolution has not been initially sought through such
process.
(2) Resolution by commission.--A consumer may submit to the
Commission for resolution a dispute with a participant in a
self-regulatory program under this section, if the following
requirements are met:
(A) The dispute was initially submitted under
paragraph (1) for resolution through the participant's
dispute resolution process.
(B) The dispute submitted under paragraph (1) is
not resolved--
(i) within 60 days after submission of the
dispute by the consumer; or
(ii) to the satisfaction of the consumer.
(C) Notice of the facts of the dispute is submitted
to the Commission not later than 30 days after the date
on which the consumer is notified of the resolution
through the participant's dispute resolution process.
(D) The consumer has not voluntarily accepted a
resolution of the dispute under paragraph (1).
(E) The dispute was not resolved through binding
arbitration.
(3) Limitation.--Nothing in this Act shall prevent the
Commission from investigating compliance with this Act by a
participant in a self-regulatory covered entity based upon a
complaint from an individual or covered entity other than a
consumer with a dispute with such participant, or on its own
initiative, except that prior to instituting any such
investigation the Commission shall afford the self-regulatory
covered entity a reasonable opportunity to invoke its own
remedial procedures and assure compliance by the participant.
(4) Clear and convincing evidence.--The presumption
established by paragraph (1) of subsection (a) may be overcome
by clear and convincing evidence of non-compliance.
(e) Nonrelease of Certain Information.--The Commission may not
compel a participant in a self-regulatory program approved under
subsection (b) (or an administrator of such a program) to provide
proprietary information or personally identifiable information of
consumers to the Commission unless the Commission provides assurances
that such information will not be released to the public.
(f) Misrepresentation of Self-Regulatory Program Participation.--It
is unlawful for a covered entity to misrepresent that it is a
participant in a self-regulatory program (including through any
mechanism provided under subsection (c)(4)) when such covered entity is
not, in fact, such a participant.
(g) Exempted Entity Participation.--An entity that is not a covered
entity and that voluntarily participates in a self-regulatory program
under this section shall enjoy the rights and benefits provided under
this section in any action or investigation under section 5 of the
Federal Trade Commission Act (15 U.S.C. 45) to the extent that such
action or investigation pertains to the entity's privacy policy or
practices required for participation in the self-regulatory program.
SEC. 10. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice.--A violation of any
provision of this Act by a covered entity is an unfair or deceptive act
or practice unlawful under section 5(a)(1) of the Federal Trade
Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any
civil penalty under such Act shall be doubled for a violation of this
Act, but may not exceed $500,000 for all related violations by a single
violator (without respect to the number of consumers affected or the
duration of the related violations).
(b) Guidelines and Opinions.--In order to assist in compliance with
this Act, the Federal Trade Commission may promulgate regulations and
interpretive rules under section 18 of the Federal Trade Commission Act
(15 U.S.C. 57a), with respect to specific types of acts or practices
that would, or would not, comply with this Act.
SEC. 11. NO PRIVATE RIGHT OF ACTION.
This Act may not be considered or construed to provide any private
right of action. No private civil action relating to any act or
practice governed under this Act may be commenced or maintained in any
State court or under State law (including a pendent State claim to an
action under Federal law).
SEC. 12. EFFECT ON OTHER LAWS.
(a) Qualified Exemption for Compliance With Other Federal Privacy
Laws.--To the extent that personally identifiable information protected
under this Act is also protected under a provision of Federal privacy
law described in subsection (c), a covered entity that complies with
the relevant provision of such other Federal privacy law shall be
deemed to have complied with the corresponding provision of this Act.
(b) Protection of Other Federal Privacy Laws.--Nothing in this Act
may be construed to modify, limit, supersede, or interfere with the
operation of the Federal privacy laws described in subsection (c) or
the provision of information permitted or required, expressly or by
implication, by such laws, with respect to Federal rights and
practices.
(c) Other Federal Privacy Laws Described.--The provisions of law to
which subsections (a) and (b) apply are the following:
(1) Section 552a of title 5, United States Code (commonly
known as the Privacy Act of 1974).
(2) The Right to Financial Privacy Act of 1978 (12 U.S.C.
3401 et seq.).
(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692
et seq.).
(5) The Children's Online Privacy Protection Act of 1998
(15 U.S.C. 6501 et seq.).
(6) Title V of the Gramm-Leach-Bliley Act of 1999 (15
U.S.C. 6801 et seq.).
(7) The Electronic Communications Privacy Act of 1986
(Public Law 99-508).
(8) The Driver's Privacy Protection Act of 1994 (18 U.S.C.
2721 et seq.).
(9) The Family Educational Rights and Privacy Act of 1974
(20 U.S.C. 1221 note, 1232g).
(10) Section 445 of the General Education Provisions Act
(20 U.S.C. 1232h).
(11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa
et seq.).
(12) Section 222 of the Communications Act of 1934 (47
U.S.C. 222) relating to the Customer Proprietary Network
Information.
(13) The Cable Communications Policy Act of 1984 (47 U.S.C.
521 et seq.).
(14) The Communications Assistance for Law Enforcement Act
(47 U.S.C. 1001 et seq.).
(15) The Video Privacy Protection Act of 1988 (Public Law
100-618).
(16) The Telephone Consumer Protection Act of 1991 (Public
Law 102-243).
(17) The Health Insurance Portability and Accountability
Act of 1996 (Public Law 104-191), as it relates to an entity
described in section 1172(a) of the Social Security Act (42
U.S.C. 1320d-1(a)) or to activities regulated under section
1173 of such Act (42 U.S.C. 1320d-2).
(18) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).
(d) Preemption of State Privacy Laws.--This Act preempts any
statutory law, common law, rule, or regulation of a State, or a
political subdivision of a State, to the extent such law, rule, or
regulation relates to or affects the collection, use, sale, disclosure,
retention, or dissemination of personally identifiable information in
commerce. No State, or political subdivision of a State, may take any
action to enforce this Act.
SEC. 13. EFFECTIVE DATE.
This Act shall apply with respect to personally identifiable
information collected on or after the date that is 1 year after the
date of enactment of this Act.
<all>