[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 654 Introduced in House (IH)]
112th CONGRESS
1st Session
H. R. 654
To direct the Federal Trade Commission to prescribe regulations
regarding the collection and use of information obtained by tracking
the Internet activity of an individual, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 11, 2011
Ms. Speier (for herself, Mr. Hastings of Florida, and Mr. Filner)
introduced the following bill; which was referred to the Committee on
Energy and Commerce
_______________________________________________________________________
A BILL
To direct the Federal Trade Commission to prescribe regulations
regarding the collection and use of information obtained by tracking
the Internet activity of an individual, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Do Not Track Me Online Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered entity.--The term ``covered entity'' means a
person engaged in interstate commerce that collects or stores
online data containing covered information. Such term does not
include--
(A) the Federal Government or any instrumentality
of the Federal Government, nor the government of any
State or political subdivision of a State; or
(B) any person that can demonstrate that such
person--
(i) stores covered information from or
about fewer than 15,000 individuals;
(ii) collects covered information from or
about fewer than 10,000 individuals during any
12-month period;
(iii) does not collect or store sensitive
information; and
(iv) does not use covered information to
study, monitor, or analyze the behavior of
individuals as the person's primary business.
(3) Covered information.--
(A) In general.--The term ``covered information''
means, with respect to an individual, any of the
following that is transmitted online:
(i) The online activity of the individual,
including--
(I) the web sites and content from
such web sites accessed;
(II) the date and hour of online
access;
(III) the computer and geolocation
from which online information was
accessed; and
(IV) the means by which online
information was accessed, such as a
device, browser, or application.
(ii) Any unique or substantially unique
identifier, such as a customer number or
Internet protocol address.
(iii) Personal information such as--
(I) the name;
(II) a postal address or other
location;
(III) an email address or other
user name;
(IV) a telephone or fax number;
(V) a government-issued
identification number, such as a tax
identification number, a passport
number, or a driver's license number;
or
(VI) a financial account number, or
credit card or debit card number, or
any required security code, access
code, or password that is necessary to
permit access to an individual's
financial account.
(B) Exclusion.--Such term shall not include--
(i) the title, business address, business
email address, business telephone number, or
business fax number associated with an
individual's status as an employee of an
organization, or an individual's name when
collected, stored, used, or disclosed in
connection with such employment status; or
(ii) any information collected from or
about an employee by an employer, prospective
employer, or former employer that directly
relates to the employee-employer relationship.
(4) Sensitive information.--
(A) Definition.--The term ``sensitive information''
means--
(i) any information that is associated with
covered information of an individual and
relates directly to that individual's--
(I) medical history, physical or
mental health, or the provision of
health care to the individual;
(II) race or ethnicity;
(III) religious beliefs and
affiliation;
(IV) sexual orientation or sexual
behavior;
(V) income, assets, liabilities, or
financial records, and other financial
information associated with a financial
account, including balances and other
financial information, except when
financial account information is
provided by the individual and is used
only to process an authorized credit or
debit to the account; or
(VI) precise geolocation
information and any information about
the individual's activities and
relationships associated with such
geolocation; or
(ii) an individual's--
(I) unique biometric data,
including a fingerprint or retina scan;
or
(II) Social Security number.
(B) Modified definition by rulemaking.--The
Commission may, by regulations promulgated under
section 553 of title 5, United States Code, modify the
scope or application of the definition of ``sensitive
information'' for purposes of this Act. In promulgating
such regulations, the Commission shall consider--
(i) the purposes of the collection of the
information and the context of the use of the
information;
(ii) how easily the information can be used
to identify a specific individual;
(iii) the nature and extent of authorized
access to the information;
(iv) an individual's reasonable
expectations under the circumstances; and
(v) adverse effects that may be experienced
by an individual if the information is
disclosed to an unauthorized person.
SEC. 3. REGULATIONS REQUIRING ``DO-NOT-TRACK'' MECHANISM.
(a) FTC Rulemaking.--Not later than 18 months after the date of
enactment of this Act, the Commission shall promulgate regulations
under section 553 of title 5, United States Code, that establish
standards for the required use of an online opt-out mechanism to allow
a consumer to effectively and easily prohibit the collection or use of
any covered information and to require a covered entity to respect the
choice of such consumer to opt-out of such collection or use.
Regulations prescribed pursuant to this subsection shall be treated as
regulations defining unfair and deceptive acts or practices affecting
commerce prescribed under section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) Requirements To Be Included in Regulations.--The regulations
prescribed under subsection (a)--
(1) shall include a requirement for a covered entity to
disclose, in a manner that is easily accessible to a consumer,
information on the collection of information practices of such
entity, how such entity uses or discloses such information, and
the names of the persons to whom such entity would disclose
such information; and
(2) shall prohibit the collection or use of covered
information by a covered entity for which a consumer has opted-
out of such collection or use, unless the consumer changes
their opt-out preference to allow the collection or use of such
information.
(c) Additional Regulatory Authority.--The regulations prescribed
under subsection (a)--
(1) may include a requirement that a covered entity provide
a consumer with a means to access the covered information of
such consumer and the data retention and security policies of
the covered entity in a format that is clear and easy to
understand; and
(2) may include a requirement that some or all of the
regulations apply with regard to the collection and use of
covered information, regardless of the source.
(d) Exemptive Authority.--The Commission may exempt from some or
all of the regulations required by this section certain commonly
accepted commercial practices, including the following:
(1) Providing, operating, or improving a product or service
used, requested, or authorized by an individual, including the
ongoing provision of customer service and support.
(2) Analyzing data related to use of the product or service
for purposes of improving the products, services, or
operations.
(3) Basic business functions such as accounting, inventory
and supply chain management, quality assurance, and internal
auditing.
(4) Protecting or defending rights or property, including
intellectual property, against actual or potential security
threats, fraud, theft, unauthorized transactions, or other
illegal activities.
(5) Preventing imminent danger to the personal safety of an
individual or group of individuals.
(6) Complying with a Federal, State, or local law, rule, or
other applicable legal requirement, including disclosures
pursuant to a court order, subpoena, summons, or other properly
executed compulsory process.
(7) Any other category of operational use specified by the
Commission by regulation that is consistent with the purposes
of this Act.
SEC. 4. ADDITIONAL FTC AUTHORITY.
In implementing and enforcing the regulations prescribed under
section 3, the Commission shall--
(1) have the authority to prescribe such regulations as may
be necessary to carry out the purposes of this Act in
accordance with section 553 of title 5, United States Code;
(2) monitor for risks to consumers in the provision of
products and services, including the development of new
hardware or software designed to limit, restrict, or circumvent
the ability of a consumer to control the collection and use of
the covered information of such consumer, as set forth in the
regulations prescribed under section 3;
(3) perform random audits of covered entities, including
Internet browsing for investigative purposes, to ensure
compliance with the regulations issued under section 3;
(4) assess consumers' understanding of the risks posed by
the tracking of a consumer's Internet activity and the
collection and use of covered information relating to a
consumer; and
(5) make available to the public at least 1 report of
significant findings of the monitoring required by this section
in each calendar year after the date on which final regulations
are issued pursuant to section 3(a).
SEC. 5. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) Civil Action.--In any case in which the Attorney General of a
State, or an official or agency of a State, has reason to believe that
an interest of the residents of that State has been or is threatened or
adversely affected by any person who violates the regulations
prescribed under section 3, the attorney general, official, or agency
of the State, as parens patriae, may bring a civil action on behalf of
the residents of the State in an appropriate district court of the
United States--
(1) to enjoin further violation of the regulations
prescribed under section 3 by the defendant;
(2) to compel compliance with the regulations prescribed
under section 3; or
(3) to obtain civil penalties for violations of the
regulations prescribed under section 3 in the amount determined
under subsection (b).
(b) Civil Penalties.--
(1) Calculation.--For purposes of calculating the civil
penalties that may be obtained under subsection (a)(3), the
amount determined under this paragraph is the amount calculated
by multiplying the number of days that a covered entity is not
in compliance with the regulations prescribed under section 3
by an amount not to exceed $11,000.
(2) Adjustment for inflation.--Beginning on the date that
the Consumer Price Index for All Urban Consumers is first
published by the Bureau of Labor Statistics that is after 1
year after the date of enactment of this Act, and each year
thereafter, the amount specified in paragraph (1) shall be
increased by the percentage increase in the Consumer Price
Index published on that date from the Consumer Price Index
published the previous year.
(3) Maximum total liability.--Notwithstanding the number of
actions which may be brought against a person under this
section the maximum civil penalty for which any person may be
liable under this section shall not exceed $5,000,000 for any
related series of violations of the regulations prescribed
under section 3.
(c) Intervention by the FTC.--
(1) Notice and intervention.--The State shall provide prior
written notice of any action under subsection (a) to the
Commission and provide the Commission with a copy of its
complaint, except in any case in which such prior notice is not
feasible, in which case the State shall serve such notice
immediately upon instituting such action. The Commission shall
have the right--
(A) to intervene in the action;
(B) upon so intervening, to be heard on all matters
arising therein; and
(C) to file petitions of appeal.
(2) Limitation on state action while federal action is
pending.--If the Commission has instituted a civil action for
violation of the regulations prescribed under section 3, no
attorney general of a State, or official, or agency of a State,
may bring an action under this section during the pendency of
that action against any defendant named in the complaint of the
Commission for any violation of the regulations issued under
this Act alleged in the complaint.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Other Authority of Federal Trade Commission.--Nothing in this
Act shall be construed to limit or affect in any way the Commission's
authority to bring enforcement actions or take any other measure under
the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or any other
provision of law.
(b) State Law.--The regulations prescribed under section 3 shall
not annul, alter, affect, or exempt any person subject to the
provisions of such regulations from complying with the law of any State
except to the extent that such law is inconsistent with any provision
of such regulations, and then only to the extent of the inconsistency.
For purposes of this subsection, a State statute, regulation, order, or
interpretation is not inconsistent with the provisions of the
regulations prescribed under section 3 if the protection such statute,
regulation, order, or interpretation affords any person is greater than
the protection provided under the regulations prescribed under section
3.