
	
I

112th CONGRESS
1st Session

H. R. 1528

IN THE HOUSE OF REPRESENTATIVES

April 13, 2011

Mr. Stearns (for himself, Mr. Matheson, Mr. Bilbray, and Mr. Manzullo) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To protect and enhance consumer privacy, and for other purposes.
	
	
1. Short title

This Act may be cited as the “Consumer Privacy Protection Act of 2011”.
3. Definitions

In this Act, the following definitions apply:

(1) Affiliate. The term “affiliate” means any company that controls, is controlled by, or is under common control with another company.

(2) Commission. The term “Commission” means the Federal Trade Commission.

(3) Consumer. The term “consumer” means an individual acting in the individual’s personal, family, or household capacity.

(4) Covered entity.

(A) The term “covered entity” means an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium), sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period, and includes a non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code, notwithstanding the definition of the term “Acts to regulate commerce” in section 4 of the Federal Trade Commission Act (15 U.S.C. 44) and the exception provided by section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) for such organizations.

(B) Such term does not include—
(i) a governmental agency;
(ii) a provider of professional services, or any affiliate thereof, to the extent that such provider is obligated by rules of professional ethics, or by applicable law or regulation, not to voluntarily disclose confidential client information without the consent of the client; or
(iii) a data processing outsourcing entity.

(5) Data processing outsourcing entity. The term “data processing outsourcing entity” means, with respect to a covered entity, a non-affiliated entity that—
(A) provides information technology processing, Web hosting, or telecommunications services to the covered entity;
(B) is contractually obligated to comply with security controls specified by the covered entity; and
(C) has no right to use the covered entity’s personally identifiable information other than for performing data processing outsourcing services for the covered entity or as required by contract or law.

(6) Display. The term “display” means intentionally communicating or otherwise making available (on the Internet or in any other manner) to another person.

(7) Information-sharing affiliate. The term “information-sharing affiliate” means any affiliate that is under common control with a covered entity, or is contractually obligated to comply with the practices enumerated under the privacy policy statement of the covered entity required under section 5.

(8) Personally identifiable information.

(A) The term “personally identifiable information”, with respect to a covered entity, means individually identifiable information relating to a living individual who can be identified from that information, and includes:
(i) the combination of a first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name;
(ii) the postal address of a physical place of residence of such individual;
(iii) an e-mail address of such individual;
(iv) a telephone number or mobile device number dedicated to contacting such individual at any place other than the individual’s place of work;
(v) a social security number or other Federal or State government issued identification number issued to such individual; or
(vi) the complete account number of a credit or debit card issued to such individual.

(B) Such term also includes, when disclosed in connection with one or more of the items of information described in subparagraph (A)—
(i) a birth date, the number of a certificate of birth or adoption, or a place of birth; or
(ii) an electronic address, including an IP address.

(C) Such term does not include—
(i) anonymous or aggregate data, or any other information that does not identify a unique living individual;
(ii) information about a consumer inferred from data maintained about a consumer; or
(iii) information about a consumer that is publicly available or obtained from a public record.

(9) Process. The term “process”, with respect to personally identifiable information, means any value-added activity performed on data by automated means.

(10) Publicly available. The term “publicly available”, with respect to information, means information that is lawfully made available to the general public.

(11) Public record. The term “public record” means any item, collection, or grouping of information about an individual that is maintained by a Federal, State, or local government entity and that is made available to the public.

(12) Purchase. The term “purchase” means providing, directly or indirectly, anything of value in exchange for a good or service.

(13) State. The term “State” includes the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the Virgin Islands, the Freely Associated States, and any other territory or possession of the United States.

(14) Transaction. The term “transaction” means an interaction between a consumer and a covered entity resulting in—
(A) any use of information that is necessary to complete the interaction in the course of which information is collected, or to maintain the provisioning of a good or service requested by the consumer, including use—
(i) to approve, guarantee, process, administer, complete, enforce, provide, or market a product, service, account, benefit, transaction, or payment method that is requested or approved by the consumer;
(ii) to deliver goods, services, funds, or other consideration to, or on behalf of, the consumer;
(iii) to protect the health and safety of the consumer; and
(iv) related to website analytics methods or measurements for improving or enhancing products or services.
(B) any disclosure of information that is necessary for the consumer to enforce any right of the consumer;
(C) any disclosure of information that is required by law or by a court order;
(D) any use of information to verify personally identifiable information by the consumer, evaluate, detect, or reduce the risk of fraud or other criminal activity, or other risk-management activities; and
(E) the collection or use of personally identifiable information for the marketing or advertising of a covered entity’s products or services to its own customers or potential customers.
4. Privacy notices to consumers

(a) Notice required. A covered entity shall provide to a consumer a notice containing the information required under subsection (b) as follows:
(1) The covered entity shall provide the notice before any personally identifiable information that is collected from a consumer is used by the covered entity for a purpose unrelated to a transaction.
(2) Upon a material change in the covered entity’s privacy policy under section 5(a), the covered entity shall provide the notice, not later than the first time after such change in policy that the covered entity seeks to sell, disclose for consideration, or use personally identifiable information to the extent practicable, to each consumer from whom the covered entity has collected such information.

(b) Form and contents of notice. A notice required under subsection (a) shall be provided in a clear and conspicuous manner, be prominently displayed or explicitly stated to the consumer, and contain the following information:
(1) A statement that the personally identifiable information collected by the covered entity may be used or disclosed for purposes or transactions unrelated to that for which it was collected, as described in the covered entity’s privacy statement.
(2) A description, appropriate to the applicable medium, of the manner in which the consumer may obtain a privacy policy statement that meets the requirements of section 5, which may include providing the consumer with an Internet website, a hyperlink to such a website, or a toll-free telephone number from which such a statement may be obtained. If the notice required under subsection (a) is provided to the consumer by means of an Internet website, one manner in which the consumer may obtain the privacy policy statement must be by means of an Internet website.
(3) If the notice is required under subsection (a)(2), a statement that there has been a material change in the covered entity’s privacy policy.
5. Privacy policy statements

(a) Privacy policy. A covered entity shall establish a privacy policy with respect to the collection, sale, disclosure for consideration, dissemination, use, and security of the personally identifiable information of consumers, the principal elements of which shall be embodied in a privacy policy statement (or statements) that meets the requirements of subsection (b).

(b) Statement. The statement (or statements) required under subsection (a) shall meet the following requirements:
(1) The statement must be brief, concise, clear, and conspicuous and written in plain language.
(2) The statement must be available to all consumers of the covered entity (regardless of the means by which a consumer conducts a transaction with the covered entity)—
(A) at no charge to the consumer; and
(B) at the time the covered entity first collects personally identifiable information about the consumer that may be used for a purpose unrelated to a transaction with the consumer and subsequently.
(3) The statement must disclose only the following:
(A) The identity of each covered entity, or a description of each class or type of covered entity, that may collect or use the information.
(B) The types of information that may be collected or used.
(C) How the information may be used.
(D) Whether the consumer is required to provide the information in order to do business with the covered entity.
(E) The extent to which the information is subject to sale or disclosure for consideration to a covered entity that is not an information-sharing affiliate of the covered entity providing the statement, including—
(i) a clear and prominent statement of the fact that the information is subject to such sale or disclosure for consideration;
(ii) a description of each class or type of covered entity to which the information may be sold or disclosed for consideration;
(iii) to the extent practicable, the purpose for which the information may be used; and
(iv) the types of information that may be sold or disclosed for consideration.
(F) Whether the information security practices of the covered entity meet the security requirements of section 8 in order to prevent unauthorized disclosure or release of personally identifiable information.

(c) Commission facilitation. The Commission may take actions (including conducting industry-wide workshops) to facilitate the development of harmonized, universal wording or logo-based graphics in order to convey the contents of privacy policy statements required under this section.
6. Consumer opportunity to limit sale or disclosure of information

(a) Preclusion of sale or disclosure.
(1) Requirement. A covered entity shall provide to the consumer, without charge, the opportunity to preclude any sale or disclosure for consideration of the consumer’s personally identifiable information, provided in a particular data collection, that may be used for a purpose other than a transaction with the consumer, to any covered entity that is not an information-sharing affiliate of the covered entity providing such opportunity.
(2) Duration. A preclusion on sale or disclosure for consideration of information established by a consumer under this subsection shall remain in effect for 5 years or until the consumer indicates otherwise, whichever occurs sooner. A covered entity may not seek reconsideration of a consumer’s preclusion of such sale or disclosure until at least 1 year after such preclusion has been imposed by the consumer.

(b) Permission for sale or disclosure. A covered entity may provide the consumer an opportunity to permit the sale or disclosure described in subsection (a)(1) in exchange for a benefit to the consumer.

(c) Accessibility. The opportunity to preclude (or if offered, to permit) the sale or disclosure for consideration of information under this section must be both easy to access and use, and the notice of the opportunity to preclude must be clear and conspicuous.
7. Consumer opportunity to limit other information practices

If a covered entity provides to a consumer the opportunity to limit other practices of the covered entity with respect to a particular collection or use of personally identifiable information regarding the consumer, other than that required by section 6—
(1) a notice and description of such opportunity must appear in the privacy statement;
(2) such opportunity must be easy to access and to use; and
(3) any limitation exercised by the consumer pursuant to such opportunity shall remain in effect, unless—
(A) the limitation is withdrawn by the consumer; or
(B) the covered entity provides the consumer at least 30 days notice before materially changing the limitation or terminating its compliance with the limitation.
8. Information security obligations

(a) Implementation. A covered entity shall prepare, revise as necessary, and implement an information security policy that is applicable to the information security practices and treatment of personally identifiable information maintained by the covered entity, that is designed to prevent the unauthorized disclosure or release of such information.

(b) Management approval. An information security policy created pursuant to paragraph (1) shall be considered and approved by the senior management officials of the covered entity.

(c) Contents. An information security policy required under paragraph (1) shall include—
(1) a process for taking corrective action to prevent or mitigate unauthorized disclosure of information; and
(2) identifying an officer of the covered entity as the point of contact with responsibility for information security issues for the covered entity.
9. Self-regulatory programs

(a) Self-regulatory program.
(1) Presumption of compliance. The Commission shall presume that a covered entity is in compliance with the provisions of sections 4 through 8 if that covered entity—
(A) participates in a self-regulatory program approved under subsection (b); and
(B) is subject to enforcement under a self-regulatory program’s guidelines, procedures, requirements, and restrictions (including a remedial process under subsection (c)(7)).
(2) Effect of willful noncompliance. A covered entity that participates in a self-regulatory program under this section shall not be liable for a civil penalty arising out of a violation of any provision of sections 4 through 8 unless such violation results from willful noncompliance with the guidelines, procedures, requirements, or restrictions of the program.

(b) Approval by Commission.
(1) Approval. The Commission shall, within 90 days after submission of an application for approval of a self-regulatory program under this section (or of a material change in a program previously approved by the Commission), approve such program (or change) if the Commission finds that the program (or change) complies with the requirements of subsection (c).
(2) Form of application. The Commission shall accept an application for approval under paragraph (1) in any reasonable form the applicant may submit.
(3) Duration until renewal. A self-regulatory program approved by the Commission under paragraph (1) shall be approved for a period of 5 years.
(4) Revocation of approval. The Commission may, after notice and opportunity for a hearing, revoke approval granted under paragraph (1), if the Commission finds that a self-regulatory program fails to meet the requirements of subsection (c).
(5) Judicial review. Any order by the Commission denying approval of a self-regulatory program shall be subject to judicial review, as provided in section 706 of title 5, United States Code.
(c) Requirements of self-regulatory program. A self-regulatory program complies with the requirements of this subsection if the program provides each of the following:
(1) Guidelines and procedures requiring a program participant to provide substantially equivalent or greater protections for consumers and their personally identifiable information as are provided under sections 4 through 8.
(2) Procedures and requirements to provide for—
(A) an initial review of a participant’s privacy statement and privacy policy, and subsequent review whenever such statement or policy is substantively changed;
(B) a participant’s self-review and self-certification of its privacy policy and practices to ensure compliance with the guidelines, procedures, requirements, and restrictions of the program established under this subsection;
(C) a participant’s subsequent periodic self-reviews and self-certifications, which shall occur at least annually, of its privacy policy and practices to ensure continued compliance with such guidelines, procedures, requirements, and restrictions;
(D) submission of self-reviews and self-certifications under this paragraph to any administrator of the program; and
(E) random review of participants, which may concentrate on selected compliance issues, if the self-regulatory program conducts—
(i) random compliance tests with respect to each participant not less frequently than every 3 years;
(ii) a full compliance test of a particular participant in any case where non-compliance with any of the selected compliance issues has been identified; and
(iii) full compliance tests of participants with a high number of complaints against them.
(3) Procedures and requirements that ensure that a program participant provides a process for resolving disputes with consumers relating to the privacy policy and practices of the participant. Such dispute resolution process—
(A) must be available without charge to a consumer;
(B) must be available at a cost to the participant that is reasonable and does not discourage participation by the participant in such process;
(C) must ensure that consumers are informed of how to utilize the process;
(D) may include, as one choice among others, binding arbitration; and
(E)(i) must be completed within 60 days after submission of the dispute by the consumer; or
(ii) must be completed within 90 days after submission of the dispute by the consumer, if the participant—
(I) determines that additional time is required to obtain information to make an informed decision with respect to the dispute; and
(II) notifies the consumer and the self-regulatory program that such additional time is required.
(4) Provisions for the use by participants in the program of a means (including the use of a seal) to represent the participant’s participation in the program.
(5) With respect to any nonvoluntary suspension or termination of participation in the program because of the participant’s failure to comply with the program, procedures or requirements to provide for the following:
(A) Publication of notice and the reasons for any such suspension or termination, except that no personally identifiable information related to such suspension or termination may be published.
(B) Notice to the Commission of any such termination.
(6) Requirements and restrictions that assure independence with respect to program eligibility, compliance, and dispute resolution mechanisms and decisions from improper interference by management or ownership of the self-regulatory program participant.
(7) A process for a noncompliant participant to take timely remedial action in order to come back into compliance with the program before suspension or termination of participation in the program.
(d) Consumer dispute resolution.
(1) Self-regulatory dispute process. If a consumer has a dispute with a participant in a self-regulatory program under this section or under section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that such dispute pertains to the entity’s privacy policy or practices required for participation in the self-regulatory program, the consumer shall initially seek resolution through the participant’s dispute resolution process (established in accordance with subsection (c)(3)). The Commission shall promptly refer to the participant involved any dispute submitted to the Commission for which resolution has not been initially sought through such process.
(2) Resolution by Commission. A consumer may submit to the Commission for resolution a dispute with a participant in a self-regulatory program under this section, if the following requirements are met:
(A) The dispute was initially submitted under paragraph (1) for resolution through the participant’s dispute resolution process.
(B) The dispute submitted under paragraph (1) is not resolved—
(i) within 60 days after submission of the dispute by the consumer; or
(ii) to the satisfaction of the consumer.
(C) Notice of the facts of the dispute is submitted to the Commission not later than 30 days after the date on which the consumer is notified of the resolution through the participant’s dispute resolution process.
(D) The consumer has not voluntarily accepted a resolution of the dispute under paragraph (1).
(E) The dispute was not resolved through binding arbitration.
(3) Limitation. Nothing in this Act shall prevent the Commission from investigating compliance with this Act by a participant in a self-regulatory covered entity based upon a complaint from an individual or covered entity other than a consumer with a dispute with such participant, or on its own initiative, except that prior to instituting any such investigation the Commission shall afford the self-regulatory covered entity a reasonable opportunity to invoke its own remedial procedures and assure compliance by the participant.
(4) Clear and convincing evidence. The presumption established by paragraph (1) of subsection (a) may be overcome by clear and convincing evidence of non-compliance.

(e) Nonrelease of certain information. The Commission may not compel a participant in a self-regulatory program approved under subsection (b) (or an administrator of such a program) to provide proprietary information or personally identifiable information of consumers to the Commission unless the Commission provides assurances that such information will not be released to the public.

(f) Misrepresentation of self-regulatory program participation. It is unlawful for a covered entity to misrepresent that it is a participant in a self-regulatory program (including through any mechanism provided under subsection (c)(4)) when such covered entity is not, in fact, such a participant.

(g) Exempted entity participation. An entity that is not a covered entity and that voluntarily participates in a self-regulatory program under this section shall enjoy the rights and benefits provided under this section in any action or investigation under section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that such action or investigation pertains to the entity’s privacy policy or practices required for participation in the self-regulatory program.
10. Enforcement

(a) Unfair or deceptive act or practice. A violation of any provision of this Act by a covered entity is an unfair or deceptive act or practice unlawful under section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any civil penalty under such Act shall be doubled for a violation of this Act, but may not exceed $500,000 for all related violations by a single violator (without respect to the number of consumers affected or the duration of the related violations).

(b) Guidelines and opinions. In order to assist in compliance with this Act, the Federal Trade Commission may promulgate regulations and interpretive rules under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a), with respect to specific types of acts or practices that would, or would not, comply with this Act.
11. No private right of action

This Act may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).
12. Effect on other laws

(a) Qualified exemption for compliance with other Federal privacy laws. To the extent that personally identifiable information protected under this Act is also protected under a provision of Federal privacy law described in subsection (c), a covered entity that complies with the relevant provision of such other Federal privacy law shall be deemed to have complied with the corresponding provision of this Act.

(b) Protection of other Federal privacy laws. Nothing in this Act may be construed to modify, limit, supersede, or interfere with the operation of the Federal privacy laws described in subsection (c) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.

(c) Other Federal privacy laws described. The provisions of law to which subsections (a) and (b) apply are the following:
(1) Section 552a of title 5, United States Code (commonly known as the Privacy Act of 1974).
(2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.).
(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.).
(5) The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).
(6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.).
(7) The Electronic Communications Privacy Act of 1986 (Public Law 99–508).
(8) The Driver’s Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).
(9) The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1221 note, 1232g).
(10) Section 445 of the General Education Provisions Act (20 U.S.C. 1232h).
(11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.).
(12) Section 222 of the Communications Act of 1934 (47 U.S.C. 222) relating to the Customer Proprietary Network Information.
(13) The Cable Communications Policy Act of 1984 (47 U.S.C. 521 et seq.).
(14) The Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et seq.).
(15) The Video Privacy Protection Act of 1988 (Public Law 100–618).
(16) The Telephone Consumer Protection Act of 1991 (Public Law 102–243).
(17) The Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), as it relates to an entity described in section 1172(a) of the Social Security Act (42 U.S.C. 1320d–1(a)) or to activities regulated under section 1173 of such Act (42 U.S.C. 1320d–2).
(18) The CAN–SPAM Act of 2003 (15 U.S.C. 7701 et seq.).

(d) Preemption of State privacy laws. This Act preempts any statutory law, common law, rule, or regulation of a State, or a political subdivision of a State, to the extent such law, rule, or regulation relates to or affects the collection, use, sale, disclosure, retention, or dissemination of personally identifiable information in commerce. No State, or political subdivision of a State, may take any action to enforce this Act.
13. Effective date

This Act shall apply with respect to personally identifiable information collected on or after the date that is 1 year after the date of enactment of this Act.
		
