1.This Act may be cited as the
Do Not Track Me Online
Act
.
2.In this Act:
(1)The
term Commission means the Federal Trade Commission.
(2)The term covered entity means a person
engaged in interstate commerce that collects or stores online data containing
covered information. Such term does not include—
(A)the Federal
Government or any instrumentality of the Federal Government, nor the government
of any State or political subdivision of a State; or
(B)any person that
can demonstrate that such person—
(i)stores covered information from or about
fewer than 15,000 individuals;
(ii)collects covered
information from or about fewer than 10,000 individuals during any 12-month
period;
(iii)does not collect
or store sensitive information; and
(iv)does not use
covered information to study, monitor, or analyze the behavior of individuals
as the person’s primary business.
(3)
(A)The term covered information means, with
respect to an individual, any of the following that is transmitted
online:
(i)The online
activity of the individual, including—
(I)the web sites and
content from such web sites accessed;
(II)the date and hour
of online access;
(III)the computer and
geolocation from which online information was accessed; and
(IV)the means by which online information was
accessed, such as a device, browser, or application.
(ii)Any unique or substantially unique
identifier, such as a customer number or Internet protocol address.
(iii)Personal information such as—
(I)the name;
(II)a postal address
or other location;
(III)an email address
or other user name;
(IV)a telephone or
fax number;
(V)a
government-issued identification number, such as a tax identification number, a
passport number, or a driver’s license number; or
(VI)a financial
account number, or credit card or debit card number, or any required security
code, access code, or password that is necessary to permit access to an
individual’s financial account.
(B)Such
term shall not include—
(i)the title,
business address, business email address, business telephone number, or
business fax number associated with an individual’s status as an employee of an
organization, or an individual’s name when collected, stored, used, or
disclosed in connection with such employment status; or
(ii)any information
collected from or about an employee by an employer, prospective employer, or
former employer that directly relates to the employee-employer
relationship.
(4)
(A)The
term sensitive information means—
(i)any
information that is associated with covered information of an individual and
relates directly to that individual’s—
(I)medical history,
physical or mental health, or the provision of health care to the
individual;
(II)race or
ethnicity;
(III)religious
beliefs and affiliation;
(IV)sexual
orientation or sexual behavior;
(V)income, assets,
liabilities, or financial records, and other financial information associated
with a financial account, including balances and other financial information,
except when financial account information is provided by the individual and is
used only to process an authorized credit or debit to the account; or
(VI)precise
geolocation information and any information about the individual’s activities
and relationships associated with such geolocation; or
(ii)an
individual’s—
(I)unique biometric
data, including a fingerprint or retina scan; or
(II)Social Security
number.
(B)Modified
definition by rulemakingThe Commission may, by regulations
promulgated under section 553 of title 5, United States Code, modify the scope
or application of the definition of sensitive information
for
purposes of this Act. In promulgating such regulations, the Commission shall
consider—
(i)the
purposes of the collection of the information and the context of the use of the
information;
(ii)how
easily the information can be used to identify a specific individual;
(iii)the nature and
extent of authorized access to the information;
(iv)an
individual’s reasonable expectations under the circumstances; and
(v)adverse effects
that may be experienced by an individual if the information is disclosed to an
unauthorized person.
3.Regulations
requiring do-not-track
mechanism
(a)Not later than 18
months after the date of enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code, that establish
standards for the required use of an online opt-out mechanism to allow a
consumer to effectively and easily prohibit the collection or use of any
covered information and to require a covered entity to respect the choice of
such consumer to opt-out of such collection or use. Regulations prescribed
pursuant to this subsection shall be treated as regulations defining unfair and
deceptive acts or practices affecting commerce prescribed under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b)Requirements To
be included in regulationsThe regulations prescribed under subsection
(a)—
(1)shall include a
requirement for a covered entity to disclose, in a manner that is easily
accessible to a consumer, information on the collection of information
practices of such entity, how such entity uses or discloses such information,
and the names of the persons to whom such entity would disclose such
information; and
(2)shall prohibit the
collection or use of covered information by a covered entity for which a
consumer has opted-out of such collection or use, unless the consumer changes
their opt-out preference to allow the collection or use of such
information.
(c)Additional
regulatory authorityThe regulations prescribed under subsection
(a)—
(1)may include a
requirement that a covered entity provide a consumer with a means to access the
covered information of such consumer and the data retention and security
policies of the covered entity in a format that is clear and easy to
understand; and
(2)may include a
requirement that some or all of the regulations apply with regard to the
collection and use of covered information, regardless of the source.
(d)The Commission may exempt from some or all of the
regulations required by this section certain commonly accepted commercial
practices, including the following:
(1)Providing,
operating, or improving a product or service used, requested, or authorized by
an individual, including the ongoing provision of customer service and
support.
(2)Analyzing data
related to use of the product or service for purposes of improving the
products, services, or operations.
(3)Basic business
functions such as accounting, inventory and supply chain management, quality
assurance, and internal auditing.
(4)Protecting or
defending rights or property, including intellectual property, against actual
or potential security threats, fraud, theft, unauthorized transactions, or
other illegal activities.
(5)Preventing
imminent danger to the personal safety of an individual or group of
individuals.
(6)Complying with a
Federal, State, or local law, rule, or other applicable legal requirement,
including disclosures pursuant to a court order, subpoena, summons, or other
properly executed compulsory process.
(7)Any other category
of operational use specified by the Commission by regulation that is consistent
with the purposes of this Act.
4.In implementing and
enforcing the regulations prescribed under section 3, the Commission
shall—
(1)have the authority to prescribe such
regulations as may be necessary to carry out the purposes of this Act in
accordance with section 553 of title 5, United States Code;
(2)monitor for risks to consumers in the
provision of products and services, including the development of new hardware
or software designed to limit, restrict, or circumvent the ability of a
consumer to control the collection and use of the covered information of such
consumer, as set forth in the regulations prescribed under section 3;
(3)perform random
audits of covered entities, including Internet browsing for investigative
purposes, to ensure compliance with the regulations issued under section
3;
(4)assess consumers’
understanding of the risks posed by the tracking of a consumer’s Internet
activity and the collection and use of covered information relating to a
consumer; and
(5)make available to the public at least 1
report of significant findings of the monitoring required by this section in
each calendar year after the date on which final regulations are issued
pursuant to section 3(a).
5.Enforcement by
State Attorneys General
(a)In any case in which the Attorney General of a State, or
an official or agency of a State, has reason to believe that an interest of the
residents of that State has been or is threatened or adversely affected by any
person who violates the regulations prescribed under section 3, the attorney
general, official, or agency of the State, as parens patriae, may bring a civil
action on behalf of the residents of the State in an appropriate district court
of the United States—
(1)to enjoin further violation of the
regulations prescribed under section 3 by the defendant;
(2)to compel compliance with the regulations
prescribed under section 3; or
(3)to obtain civil penalties for violations of
the regulations prescribed under section 3 in the amount determined under
subsection (b).
(b)
(1)For purposes of calculating the civil
penalties that may be obtained under subsection (a)(3), the amount determined
under this paragraph is the amount calculated by multiplying the number of days
that a covered entity is not in compliance with the regulations prescribed
under section 3 by an amount not to exceed $11,000.
(2)Beginning on the date that the Consumer Price Index for
All Urban Consumers is first published by the Bureau of Labor Statistics that
is after 1 year after the date of enactment of this Act, and each year
thereafter, the amount specified in paragraph (1) shall be increased by the
percentage increase in the Consumer Price Index published on that date from the
Consumer Price Index published the previous year.
(3)Notwithstanding the
number of actions which may be brought against a person under this section the
maximum civil penalty for which any person may be liable under this section
shall not exceed $5,000,000 for any related series of violations of the
regulations prescribed under section 3.
(c)
(1)The State shall provide prior written notice of any
action under subsection (a) to the Commission and provide the Commission with a
copy of its complaint, except in any case in which such prior notice is not
feasible, in which case the State shall serve such notice immediately upon
instituting such action. The Commission shall have the right—
(A)to intervene in
the action;
(B)upon so
intervening, to be heard on all matters arising therein; and
(C)to file petitions
of appeal.
(2)Limitation on
State action while Federal action is pendingIf the Commission has instituted a civil
action for violation of the regulations prescribed under section 3, no attorney
general of a State, or official, or agency of a State, may bring an action
under this section during the pendency of that action against any defendant
named in the complaint of the Commission for any violation of the regulations
issued under this Act alleged in the complaint.
6.
(a)Other authority
of Federal Trade CommissionNothing in this Act shall be construed to
limit or affect in any way the Commission’s authority to bring enforcement
actions or take any other measure under the Federal Trade Commission Act (15
U.S.C. 41 et seq.) or any other provision of law.
(b)The regulations
prescribed under section 3 shall not annul, alter, affect, or exempt any person
subject to the provisions of such regulations from complying with the law of
any State except to the extent that such law is inconsistent with any provision
of such regulations, and then only to the extent of the inconsistency. For
purposes of this subsection, a State statute, regulation, order, or
interpretation is not inconsistent with the provisions of the regulations
prescribed under section 3 if the protection such statute, regulation, order,
or interpretation affords any person is greater than the protection provided
under the regulations prescribed under section 3.