[Congressional Record Volume 146, Number 65 (Tuesday, May 23, 2000)]
[Senate]
[Pages S4299-S4311]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. HOLLINGS (for himself, Mr. Rockefeller, Mr. Bryan, Mr. 
        Breaux, Mr. Inouye, Mr. Feingold, Mr. Edwards, Mr. Kerrey, Mr. 
        Cleland, Mr. Durbin, and Mr. Byrd):
  S. 2606. A bill to protect the privacy of American consumers; to the 
Committee on Commerce, Science, and Transportation.


                  the consumer privacy protection act

  Mr. HOLLINGS. Mr. President, I rise today to introduce legislation to 
address one of the most pressing problems facing American consumers 
today--the constant assault on citizens' privacy by the denizens of the 
private marketplace. This legislation, the Consumer Privacy Protection 
Act of 2000, represents an attempt to provide basic, widespread, and 
warranted privacy protections to consumers in both the online and 
offline marketplace. On the Internet, our bill sets forth a regulatory 
regime to ensure pro-consumer privacy protections, coupling a strong 
federal standard with preemption of inconsistent state laws on Internet 
privacy. We need a strong federal standard to protect consumer privacy 
online, and we need preemption to ensure business certainty in the 
marketplace, given the numerous state privacy initiatives that are 
currently pending. Off the Internet, this bill extends privacy 
protections that are already on the books to similarly regulated 
industries or business practices, and requires a broad examination of 
privacy practices in the traditional marketplace to help Congress 
better understand whether further regulation is appropriate.
  The introduction of this legislation comes as the Federal Trade 
Commission releases its eagerly awaited report on Internet Privacy. 
Released yesterday, that report concludes that Internet industry 
self-regulation efforts have failed to protect adequately consumer privacy. 
Accordingly, the report calls for legislation that requires commercial 
web sites to comply with the ``four widely accepted fair information 
practices'' of notice, consent, access, and security. The legislation 
that we introduce today accomplishes just that.
  On the Internet, many users unfortunately are unaware of the 
significant amount of information they are surrendering every time they 
visit a web site. For many others, the fear of a loss of personal 
privacy on the Internet represents the last hurdle impeding their full 
embrace of this exciting and promising new medium. Nonetheless, 
millions of Americans every day utilize the Internet and put their 
personal information at risk. As the Washington Post reported on May 
17, 2000:

       The numbers tell the story. About 44.4 million households 
     will be online by the end of this year . . . up from 12.7 
     million in 1995, an increase of nearly 250 percent over five 
     years. Roughly 55 million Americans log into the Internet on 
     a typical day. . . . Industry experts estimate that the 
     amount of Internet traffic doubles every 100 days. . . . 
     These changes are not without a price. Along with wired life 
     comes growing concern about intrusions into privacy and the 
     ability to protect identities online.

  As Internet use proliferates, there needs to be some regulation and 
enforcement to ensure pro-consumer privacy policies, particularly where 
the collection, consolidation, and dissemination of private, personal 
information is so readily achievable in this digital age. Indeed, 
advances in technology have provided information gatherers the tools to 
seamlessly compile and enhance highly detailed personal histories of 
Internet users. Despite these indisputable facts, industry has to this 
point nearly unanimously opposed even a basic regulatory framework that 
would ensure the protection of consumer privacy on the Internet--a 
basic framework that has been successfully adopted in other areas of 
our economy.
  Our bill gives customers, not companies, control over their personal 
information on the Internet. It accomplishes this goal by establishing 
in law the five basic tenets of the long-established fair information 
practices standards--notice, consent, access, security, and 
enforcement. The premise of these standards is simple:
  (1) Consumers should be given notice of companies' information 
practices and what they intend to do with people's personal 
information.
  (2) Consumers should be given the opportunity to consent, or not to 
consent, to those information practices.
  (3) Consumers should be given the right to access whatever 
information has been collected about them and to correct that 
information where necessary.
  (4) Companies should be required to establish reasonable procedures 
to ensure that consumers' personal information is kept secure.
  (5) A viable enforcement mechanism must be established to safeguard 
consumers' privacy rights.
  While the Internet industry argues that the need for these 
protections is premature, the threat to personal privacy posed by 
advances in technology was anticipated twenty three years ago by the 
Privacy Protection Study Commission, which was created pursuant to the 
Privacy Act of 1974. In 1977, that Commission reported to the Congress 
and the federal government on the issue of privacy and technology. The 
Commission's portrait of the world in 1977 might well still be used 
today. That report found that society is increasingly dependent on 
``computer based record keeping systems,'' which result in a ``rapidly 
changing world in which insufficient attention is being paid--by policy 
makers, system designers, or system users--to the privacy protection 
implications of these trends.'' The report went on to state that even 
where some privacy protections exist under the law, ``there is the 
danger that personal privacy will be further eroded due to applications 
of new technology. Policy makers must not be complacent about this 
potential. The economic and social costs of incorporating privacy 
protection safeguards into a record-keeping systems are always greater 
when it is done retroactively than when it is done at the system's 
inception.''
  Today, twenty three years later, as we enter what America Online 
chairman Steve Case calls the ``Internet Century,'' the words of the 
Privacy Commission could not be more appropriate. Poll after poll 
indicates that Americans fear that their privacy is not being 
sufficiently protected on the Internet. Last September, the Wall St. 
Journal reported that Americans' number one concern (measured at 29 
percent) as we enter the 21st century was a fear of a loss of personal 
privacy. Just two months ago, Business Week reported that 57 percent of 
Americans believe that Congress should pass laws to govern how personal 
information is collected and used on the Internet. Moreover, a recent 
survey by the Federal Trade Commission found that 87 percent of 
respondents are concerned about threats to their privacy in relation to 
their online usage. And, while industry claims that self-regulation is 
working, only 15 percent of those polled by Business Week believed that 
the Government should defer to voluntary, industry-developed privacy 
standards.
  Are these fears significant enough to require federal action? 
Absolutely, particularly in light of predictions by people such as John 
Chambers, the CEO of CISCO Systems, who forecasts that one quarter of 
all global commerce will be conducted online by 2010. As the Privacy 
Commission stated a quarter of a century ago, the ``economic and social 
costs'' of mandating pro-privacy protections will be far lower now than 
when the Internet is handling twenty 
five percent of all global commerce. Besides if John Chambers is right, 
the Internet industry should embrace, rather than resist, strong 
privacy policies. Simply put, strong privacy policies represent good 
business. For example, a study conducted by Forrester Research in 
September 1999 revealed that e-commerce spending was deprived of $2.8 
billion in possible revenue last year because of consumer fears over 
privacy.
  Indeed, the fears and concerns reflected in these analyses are borne 
out in study after study on the privacy practices--or lack thereof--of 
the companies operating on the Internet. Last year, an industry 
commissioned study found that of the top 100 web sites, while 99 
collect information about Internet users, only 22 comply with all four 
of the core privacy principles of notice, choice, access, and security. 
A broader industry funded survey reports that only 10 percent of the 
top 350 Web sites implement all four of these privacy principles. This 
week, our Committee will hold a hearing to receive the report of the 
Federal Trade Commission on its most recent analysis of the privacy 
policies of the Internet industry. While the industry will claim that 
they have made tremendous progress in their self-regulatory efforts, 
the FTC, apparently, is not convinced--finding in its report released 
yesterday that ``only 20% of the busiest sites on the World Wide Web 
implement to some extent all four fair information practices in their 
privacy disclosures. Even when only Notice and Choice are considered, 
fewer than half of the sites surveyed (41%) meet the relevant 
standards.'' This record indicates that we should begin to consider 
passing pro-consumer privacy legislation this year. The public is 
clamoring for it, the studies justify it, and the potential harm from 
inaction is simply too great.

  It is worth noting that advocates of self-regulation often claim that 
the collection and use of consumer information actually enhances the 
consumer experience on the Internet. While there may be some truth to 
that claim, many Internet users do not want companies to target them 
with marketing based on their personal shopping habits. Those 
individuals should be given control over whether and how their personal 
information is used via an ``opt-in'' mechanism. Moreover, even those 
consumers who targeted marketing and want to ``opt-in'' to those 
practices, may not be willing to accept what happens to their 
information after it is used for this allegedly benign purpose.
  For example, should it be acceptable business behavior to sell, rent, 
share, or loan a historical record of a customer's tobacco purchasing 
habits to an insurance company? Should an Internet user's surfing 
habits--including frequent visits to AIDS or diabetes, or other 
sensitive health-related websites--be revealed to prospective employers 
willing to pay a fee for such information? Should online surfing habits 
that identify consumer shopping activities be merged with offline 
database information already existing on a consumer to form a highly 
detailed, intricate portrait of that individual? The answer to these 
questions most assuredly is no. And yet right now, there is no law, or 
regulation, that would prohibit these objectionable practices.
  We are already seeing evidence of these practices in the marketplace 
today. For example, on February 2, 2000, the New York Times reported on 
a study by the California HealthCare Foundation that concluded that 
``19 of the top 21 health sites had privacy policies but . . . most 
failed to live up to promises not to share information with third 
parties. . . . [N]one of the sites followed guidelines recommended by 
the Federal Trade Commission on collection and use of personal data.'' 
Despite these reports, industry continues to insist that government 
wait and see, and let self-regulation and the marketplace protect 
against these articulable harms. We say that is like letting the fox 
guard the henhouse.
  At the same time, we must not ignore those members of the industry 
who at least place some importance on protecting consumer privacy on 
the Internet. For example, in contrast to most Internet and online 
service providers, America Online does not track its millions of users 
when they venture on the Internet and out of AOL's proprietary network. 
In addition, IBM--while opposing federal legislation--refuses to 
advertise on Internet sites that do not possess and post a clear 
privacy policy. These are the types of practices that government 
welcomes. Unfortunately, they are far and few between.
  As a result, the time has come to permit consumers to decide for 
themselves whether, and to what extent, they desire to permit 
commercial entities access to their personal information. Industry will 
argue that this is an aggressive approach. They will assert that at 
most, Congress should give customers the right to ``opt-in'' only with 
respect to those information practices deemed to be ``sensitive''--such 
as the gathering of information regarding health, financial, ethnic, 
religious, or other particularly private areas. The problem with this 
suggestion is that it leaves it up to Congress and industry lawyers and 
lobbyists to define what is in fact ``sensitive'' for individual 
consumers.
  A better approach is to give consumers an ``opt-in'' right to control 
access to all personally identifiable information that might be 
collected online. This approach allows consumers to make their own, 
personal, and subjective determination as to what they do or don't want 
known about them by the companies with which they interact. If industry 
is right that most people want targeted advertising, then most people 
will opt-in. Indeed, Alta Vista, a commonly used search portal on the 
Internet, employs an ``opt-in'' approach.
  As if this evidence were not enough, we only need to look to the 
February 24, 2000, article in TheStreet.Com entitled, ``DoubleClick 
Exec Says Privacy Legislation Needn't Crimp Results.'' In that article, 
a leading Internet executive from DoubleClick, the Internet's most well 
known banner advertiser, states that his company would not ``face an 
insurmountable problem'' in attempting to operate under strict privacy 
rules. Complying with such rules is ``not rocket science,'' the 
executive stated, ``it's execution.'' He went on to state that his 
company could continue to be successful under an ``opt-in'' regulatory 
regime. This is a phenomenal admission that ``opt-in'' policies would 
not impede the basic functionality and commercial activity on the 
Internet. The admission is particularly stunning given that it comes 
from a company whose business model is to track consumer activities on 
the Internet so as to target them with specific advertising.
  Moreover, evidence in the marketplace demonstrates that ``opt-out'' 
policies will not always lead to full informed consumer choice. First 
of all, ``opt-out'' policies place the burden on the consumer to take 
certain steps to protect the privacy of their personal information. 
Under an ``opt-out'' approach, the incentive exists for industry to 
develop privacy policies that discourage people from opting out. The 
policies will be longer, harder to read, and the actual ``opt-out'' 
option will often be buried under hundreds, if not thousands of words 
of text. Consider the recent article in USA Today on this very issue. 
Entitled, ``Privacy isn't Public Knowledge,'' this May 1, 2000, article 
outlines the difficulty consumers have in opting out of the information 
collection practices of Internet companies. While consumers may be 
informed if they actually locate and read the company's privacy policy 
that they are likely to be ``tracked by name . . . only with [their] 
`permission,' '' they may not be informed up front that it is assumed 
that they have granted such permission unless they ``opt-out.'' 
Moreover, to get through the hundreds of words of required reading to 
find the ``opt-out'' option, it turns out, according to this article, 
that you need a graduate level or college education reading ability to 
simply comprehend the policies in the first place. According to FTC 
Chairman Robert Pitofsky, ``Some sites bury your rights in a long page 
of legal jargon so it's hard to find them hard to understand them once 
you find them. Self-regulation that creates opt-out rights that cannot 
be found [or] understood is really not an acceptable form of consumer 
protection.'' One thing is clear from this article--``self-regulation'' 
is not working.

  We know, however, that some companies do not collect personal 
information on the Internet. For example, 
some banner advertisers target their messages and ads to computers but 
not to people individually. They do this by tracking the Internet 
activity of a particular Internet Protocol address, without ever 
knowing who exactly is behind that address. Thus, they can never share 
personal information about a consumer's preferences, shopping, or 
research habits online, because they don't know who that consumer is. 
According to the chief technology officer of Engage--a prominent banner 
advertiser--``We don't need to know who someone is to make the [online] 
experience relevant. We're trying to strike this balance between the 
consumer's need for privacy and the marketer's need to be effective in 
order to sustain a free Internet.'' Such a business practice is an 
example of marketplace forces providing better privacy protection and 
my legislation recognizes that. Accordingly, if companies are only 
collecting and using non-personal information online they could comply 
with this bill by providing consumers with an ``opt-out,'' rather than 
an opt-in option.
  Under this legislation, companies would be required to provide 
updates to consumers notifying them of changes to their privacy 
policies. Companies would also be prohibited from using information 
that had been collected under a prior privacy policy, if such use did 
not comport with that prior policy and if the consumer had not granted 
consent to the new practices.
  In addition, the bill would provide permanence to a consumer's 
decision to grant or withhold consent, and allow the effect of that 
decision to be altered only by the consumer. Consequently, companies 
would not be permitted to let their customers' privacy preferences 
expire, thereby requiring consumers to reaffirm their prior 
communication as to how they want their personal information handled.
  Unfortunately, many privacy violations are often unknown by the very 
consumers whose privacy has been violated. Therefore, the legislation 
would provide whistleblower protection to employees of companies who 
come forward with evidence of privacy violations.
  In order to enforce these consumer protections, our bill would call 
upon the Federal Trade Commission to implement and enforce the 
provisions of the legislation applicable to the Internet. The FTC is 
the sole federal agency with substantial expertise in this area. Not 
only has the FTC conducted extensive studies on Internet privacy and 
profiling on the Internet in recent years, but it recently concluded a 
comprehensive rulemaking to implement the fair information practices of 
notice, consent, access, and security, as required by the Children's 
Online Privacy Protection Act (COPPA), which we enacted in 1998.
  In addition, the legislation provides the attorneys general with the 
ability to enforce the bill on behalf of constituents in their 
individual states. And, while the legislation would preempt 
inconsistent state law, citizens would be free to avail themselves of 
other applicable remedies such as fraud, contractual breach, unjust 
enrichment, or emotional distress. Finally, the bill would permit 
individual consumers to bring a private right of action to enjoin 
Internet privacy violations.
  While rules are clearly needed to protect consumer privacy on the 
Internet, we recognize that information is collected and shared in the 
traditional marketplace as well. The rate of collection, however, and 
the intrusiveness of the monitoring is nowhere near as significant as 
it is online. For example, when a consumer shops in a store in a mall 
and browses through items without purchasing anything, no one makes a 
list of his or her every move. To the contrary, on the Internet, every 
browse, observation, and individual click of the mouse may be 
surreptitiously monitored. Notwithstanding this distinction, it may be 
appropriate at some time to develop privacy protections for the general 
marketplace, in addition to those set forth in this bill for 
the Internet. That is why our bill asks the FTC to conduct an 
exhaustive study of privacy issues in the general marketplace and 
report to the Congress as to what rules and regulations, if any, may be 
necessary to protect consumers.

  We are also learning that employers are increasingly monitoring their 
employees--both in and out of the workplace--on the phone, on the 
computer, and in their daily activities on the job. While employers may 
be justified in taking steps to ensure that their workers are 
productive and efficient, such monitoring raises implications for those 
workers' privacy. Accordingly, this legislation directs the Department 
of Labor to conduct a study of privacy issues in the workplace, and 
report to Congress as to what--if any--regulations may be necessary to 
protect worker privacy.
  Additionally, the legislation extends some existing privacy 
protections that we already know are working in the offline 
marketplace. For example, the bill would extend the privacy protections 
consumers enjoy while shopping in video stores to book and record 
stores, as well as to the digital delivery of those products. The bill 
would also extend the privacy protections we put forth in the Cable Act 
of 1984 to customers who subscribe to multichannel video programming 
services via satellite. And, the legislation would codify the Federal 
Communications Commission's CPNI rules, to provide privacy protection 
to telephone customers. The bill would also ask the Federal 
Communications Commission to harmonize existing privacy rules that 
apply to disparate communications technologies so that the personal 
privacy of subscribers to all communications services is protected 
equally. Finally, the legislation would clarify that personal 
information could not be deemed an asset if the company holding that 
information avails itself of the protection of our bankruptcy laws.
  The development of a strong and comprehensive privacy regime must 
also address the security of Internet-connected computers. This month, 
the world was bitten by the ``love bug,'' a computer virus that 
devastated computer systems in more than 20 countries and caused an 
estimated $10 billion in damages. One of the features of the ``love 
bug'' was an attempt to steal passwords stored on an infected hard 
drive for later use. If successful, the virus-writer could have gained 
access to thousands of Internet access accounts. The spread of the 
virus highlighted the vulnerability of interconnected computer systems 
to malicious persons intent on disrupting or compromising legitimate 
use of these systems.
  The development of technology, policies, and expertise to effectively 
protect a computer system from illegitimate users is a cornerstone of 
privacy protection because a privacy policy is worthless if the company 
cannot adequately secure that information and control its 
dissemination. While it would be impossible for the Federal government 
to protect every web site from every threat, it can help users and 
operators of web sites by researching and developing better computer 
security technologies and practices. Therefore, I have included a title 
on computer security in this bill.
  This title of the bill is an attempt to promote and enhance the 
protection of computers connected to the Internet. First, the bill 
would establish a 25-member computer security partnership council. This 
council would build on the public-private partnership proposed in the 
wake of February's denial of service attacks which shut down leading 
e-commerce sites like Yahoo! and E-bay. The council would identify 
threats and help companies share solutions. It would be a major source 
of public information on computer security and could help educate the 
general public and businesses on good computer protection practices. In 
addition, our bill calls on the Council to identify areas in which we 
have not invested adequately in computer security research. This study 
could be a blueprint for future research investments.

  While the private sector has put significant resources into computer 
security research, the President's Information Technology Advisory 
Council has noted that current information technology research is often 
focused on the short-term and neglects long-term fundamental problems. 
This bill would authorize appropriations for the National Institute of 
Standards and Technology to invest in long-term computer security 
research needs. This research would complement private sector, 
market-driven research and could be conducted at NIST or through grants to 
academic or private-sector researchers. The results of these 
investigations could power the next generation of advanced computer 
security technologies.
  Of course those technologies will not protect government, or 
companies and their customers, unless there are well-trained 
professionals to operate and secure computer systems. The problem is 
particularly acute for the Federal government. According to a May 10th 
Washington Post article, the Federal government will need to replace or 
hire more than 35,000 high-tech workers by the year 2006. The last time 
I checked, the same people who could fill those government positions 
are in high demand from Silicon Valley and the Dulles Corridor 
companies, among others. Until the government is able to offer stock 
options, we will continue to struggle to fill these positions. Our bill 
would establish an ROTC-like program to train computer security 
professionals for government service. In exchange for loans or grants 
to complete an undergraduate or graduate degree in computer security, a 
student would be required to work for the government for a certain 
number of years. This would allow students to get high-quality computer 
security training, to serve as a Federal employee for a short time, and 
then, if they desire, to enter the private sector job market.
  This legislation would also push the government to get its house in 
order and become an example for good computer security practices. It 
proposes increased scrutiny of government security practices and would 
establish an Award for Quality of Government Security Practices to 
recognize agencies and departments which have excellent policies and 
processes to protect their computer systems. The criteria for this 
award will be published by the National Institute of Standards and 
Technology (NIST) and should encourage government to improve security 
on its systems. In addition, these criteria could become a model for 
computer security professionals inside and outside the government.
  Finally, the bill would tie research and theory to meaningful, 
on-the-ground protections for Internet users. The bill calls on NIST to 
encourage and support the development of software standards that would 
allow users to set up an individual privacy regime at the outset and 
have those preferences follow them--without further intervention--as 
they surf the web.
  This bill asks a lot of private companies in protecting the 
personally-identifiable information of American citizens. It would be 
wrong for the Congress not to apply the same standard to itself as 
well. Title IX of the bill calls for the development of Senate and 
House rules on protecting the privacy of information obtained through 
official web sites.
  Mr. President, I ask unanimous consent that the text of the Consumer 
Privacy Protection Act be printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2606

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Consumer Privacy Protection 
     Act''.

     SEC. 2. FINDINGS.

       The Congress makes the following findings:
       (1) The right to privacy is a personal and fundamental 
     right worthy of protection through appropriate legislation.
       (2) Consumers engaging in and interacting with companies 
     engaged in interstate commerce have an ownership interest in 
     their personal information, as well as a right to control how 
     that information is collected, used, or transferred.
       (3) Existing State, local, and Federal laws provide 
     virtually no privacy protection for Internet users.
       (4) Moreover, existing privacy regulation of the general, 
     or offline, marketplace provides inadequate consumer 
     protections in light of the significant data collection and 
     dissemination practices employed today.
       (5) The Federal government thus far has eschewed general 
     Internet privacy laws in favor of industry self-regulation, 
     which has led to several self-policing schemes, none of which 
     are enforceable in any meaningful way or provide sufficient 
     consumer protection.
       (6) State governments have been reluctant to enter the 
     field of Internet privacy regulation because use of the 
     Internet often crosses State, or even national, boundaries.
       (7) States are nonetheless interested in providing greater 
     privacy protection to their citizens as evidenced by recent 
     lawsuits brought against offline and online companies by 
     State attorneys general to protect consumer privacy.
       (8) Personal information flowing over the Internet requires 
     greater privacy protection than is currently available today. 
     Vast amounts of personal information about individual 
     Internet users are collected on the Internet and sold or 
     otherwise transferred to third parties.
       (9) Poll after poll consistently demonstrates that 
     individual Internet users are highly troubled over their lack 
     of control over their personal information.
       (10) Research on the Internet industry demonstrates that 
     consumer concerns about their privacy on the Internet has a 
     correlative negative impact on the development of e-commerce.
       (11) Notwithstanding these concerns, the Internet is 
     becoming a major part of the personal and commercial lives of 
     millions of Americans, providing increased access to 
     information, as well as communications and commercial 
     opportunities.
       (12) It is important to establish personal privacy rights 
     and industry obligations now so that consumers have 
     confidence that their personal privacy is fully protected on 
     our Nation's telecommunications networks and on the Internet.
       (13) The social and economic costs of imposing obligations 
     on industry now will be lower than if Congress waits until 
     the Internet becomes more prevalent in our everyday lives in 
     coming years.
       (14) Absent the recognition of these rights and the 
     establishment of consequent industry responsibilities to 
     safeguard those rights, consumer privacy will soon be more 
     gravely threatened.
       (15) The ease of gathering and compiling personal 
     information on the Internet, both overtly and 
     surreptitiously, is becoming increasingly efficient and 
     effortless due to advances in digital communications 
     technology which have provided information gatherers the 
     ability to seamlessly compile highly detailed personal 
     histories of Internet users.
       (16) Consumers must have--
       (A) clear and conspicuous notice that information is being 
     collected about them;
       (B) clear and conspicuous notice as to the information 
     gatherer's intent with respect to that information;
       (C) the ability to control the extent to which information 
     is collected about them; and
       (D) the right to prohibit any unauthorized use, reuse, 
     disclosure, transfer, or sale of their information.
       (17) Fair information practices include providing consumers 
     with knowledge of any data collection, clear and conspicuous 
     notice of an entity's information practices, the ability to 
     control whether or not those practices will be applied to 
     them personally, access to information collected about them, 
     and safeguards to ensure the integrity and security of that 
     information.
       (18) Recent surveys of websites conducted by the Federal 
     Trade Commission and Georgetown University found that a small 
     minority of websites surveyed contained a privacy policy 
     embodying fair information practices such as notice, choice, 
     access, and security.
       (19) Americans expect that their purchases of written 
     materials, videos, and music will remain confidential, 
     whether they are shopping online or in the traditional 
     workplace.
       (20) Consumer privacy with respect to written materials, 
     music, and movies should be protected vigilantly to ensure 
     the free exercise of First Amendment rights of expression, 
     regardless of medium.
       (21) Under current law, millions of American cable 
     customers are protected against disclosures of their personal 
     subscriber information without notice and choice, whereas no 
     similar protection is available to subscribers of 
     multichannel video programming via satellite.
       (22) Almost every American is a consumer of some form of 
     communications service, be it wireless, wireline, cable, 
     broadcast, or satellite.
       (23) In light of the convergence of and emerging 
     competition among and between wireless, wireline, satellite, 
     broadcast, and cable companies, privacy safeguards should be 
     applied uniformly across different communications media so as 
     to provide consistent consumer privacy protections as well as 
     a level competitive playing field for industry.
       (24) Notwithstanding the recent focus on Internet privacy, 
     privacy issues abound in the traditional, or offline, 
     marketplace that merit Federal attention.
       (25) The Congress would benefit from an exhaustive analysis 
     of general marketplace privacy issues conducted by the agency 
     with the most expertise in this area, the Federal Trade 
     Commission.
       (26) While American workers are growing increasingly 
     concerned that their employers may be violating their 
     privacy, many workers are unaware that their activities in 
     the workplace may be subject to significant and potentially 
     invasive monitoring.
       (27) While employers may have a legitimate need to maintain 
     an efficient and productive workforce, that need should not 
     improperly impinge on employee privacy rights in the 
     workplace.
       (28) Databases containing personal information about 
     consumers' commercial purchasing, browsing, and shopping 
     habits, as well as their generalized product preferences, 
     represent considerable commercial value.
       (29) These databases should not be considered an asset with 
     respect to creditors' interests if the asset holder has 
     availed itself of the protection of State or Federal 
     bankruptcy laws.

     SEC. 3. PREEMPTION OF INCONSISTENT STATE LAW OR REGULATIONS.

       (a) In General.--Except as provided in subsection (b), this 
     Act preempts any State law, regulation, or rule that is 
     inconsistent with the provisions of this Act.
       (b) Exceptions.--
       (1) In general.--Nothing in this Act preempts--
       (1) the law of torts in any State;
       (2) the common law in any State; or
       (3) any State law, regulation, or rule that prohibits fraud 
     or provides a remedy for fraud.
       (2) Private right-of-action.--Notwithstanding subsection 
     (a), if a State law provides for a private right-of-action 
     under a statute enacted to provide consumer protection, 
     nothing in this Act precludes a person from bringing such an 
     action under that statute, even if the statute is otherwise 
     preempted in whole or in part under subsection (a).

     SEC. 4. TABLE OF CONTENTS.

       The table of contents of this Act is as follows:

Sec. 1. Short title.
Sec. 2. Findings.
Sec. 3. Preemption of inconsistent State law or regulations.
Sec. 4. Table of contents.
Title I--Online Privacy
Sec. 101. Collection or disclosure of personally identifiable 
              information.
Sec. 102. Notice, consent, access, and security requirements.
Sec. 103. Other kinds of information.
Sec. 104. Exceptions.
Sec. 105. Permanence of consent.
Sec. 106. Disclosure to law enforcement agency or under court order.
Sec. 107. Effective date.
Sec. 108. FTC rulemaking procedure required.
Title II--Privacy Protection for Consumers of Books, Recorded Music, 
              and Videos
Sec. 201. Extension of video rental protections to books and recorded 
              music.
Sec. 202. Effective Date.
Title III--Enforcement and Remedies
Sec. 301. Enforcement.
Sec. 302. Violation is unfair or deceptive act or practice.
Sec. 303. Private right of action.
Sec. 304. Actions by States.
Sec. 305. Whistleblower protection.
Sec. 306. No effect on other remedies.
Sec. 307. FTC Office of Online Privacy.
Title IV--Communications Technology Privacy Protections
Sec. 401. Privacy protection for subscribers of satellite television 
              services for private home viewing.
Sec. 402. Customer proprietary network information.
Title V--Rulemaking and Studies
Sec. 501. Federal Trade Commission examination.
Sec. 502. Federal Communications Commission rulemaking.
Sec. 503. Department of Labor study of privacy issues in the workplace.
Title VI--Protection of Personally Identifiable Information in 
              Bankruptcy
Sec. 601. Personally identifiable information not asset in bankruptcy.
Title VII--Internet Security Initiatives.
Sec. 701. Findings.
Sec. 702. Computer Security Partnership Council.
Sec. 703. Research and development.
Sec. 704. Computer security training programs.
Sec. 705. Government information security standards.
Sec. 706. Recognition of quality in computer security practices.
Sec. 707. Development of automated privacy controls.
Title VIII--Congressional Information Security Standards.
Sec. 801. Exercise of rulemaking power.
Sec. 802. Senate.
Title IX--Definitions
Sec. 901. Definitions.

                        TITLE I--ONLINE PRIVACY

     SEC. 101. COLLECTION OR DISCLOSURE OF PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       An Internet service provider, online service provider, or 
     operator of a commercial website on the Internet may not 
     collect, use, or disclose personally identifiable information 
     about a user of that service or website except in accordance 
     with the provisions of this title.

     SEC. 102. NOTICE, CONSENT, ACCESS, AND SECURITY REQUIREMENTS.

       (a) Notice.--An Internet service provider, online service 
     provider, or operator of a commercial website may not collect 
     personally identifiable information from a user of that 
     service or website unless that provider or operator gives 
     clear and conspicuous notice in a manner reasonably 
     calculated to provide actual notice to any user or 
     prospective user that personally identifiable information may 
     be collected from that user. The notice shall disclose--
       (1) the specific information that will be collected;
       (2) the methods of collecting and using the information 
     collected; and
       (3) all disclosure practices of that provider or operator 
     for personally identifiable information so collected, 
     including whether it will be disclosed to third parties.
       (b) Consent.--An Internet service provider, online service 
     provider, or operator of a commercial website may not--
       (1) collect personally identifiable information from a user 
     of that service or website, or
       (2) except as provided in section 107, disclose or 
     otherwise use such information about a user of that service 
     or website,
     unless the provider or operator obtains that user's 
     affirmative consent, in advance, to the collection and 
     disclosure or use of that information.
       (c) Access.--An Internet service provider, online service 
     provider, or operator of a commercial website shall--
       (1) upon request provide reasonable access to a user to 
     personally identifiable information that the provider or 
     operator has collected after the effective date of this title 
     relating to that user;
       (2) provide a reasonable opportunity for a user to correct, 
     delete, or supplement any such information maintained by that 
     provider or operator; and
       (3) make the correction or supplementary information a part 
     of that user's personally identifiable information for all 
     future disclosure and other use purposes.
       (d) Security.--An Internet service provider, online service 
     provider, or operator of a commercial website shall establish 
     and maintain reasonable procedures necessary to protect the 
     security, confidentiality, and integrity of personally 
     identifiable information maintained by that provider or 
     operator.
       (e) Notice of Policy Change.--Whenever an Internet service 
     provider, online service provider, or operator of a 
     commercial website makes a material change in its policy for 
     the collection, use, or disclosure of personally identifiable 
     information, it--
       (1) shall notify all users of that service or website of 
     the change in policy; and
       (2) may not collect, disclose, or otherwise use any 
     personally identifiable information in accordance with the 
     changed policy unless the user has affirmatively consented, 
     under subsection (b), to its collection, disclosure, or use 
     in accordance with the changed policy.
       (f) Notice of Privacy Breach.--
       (1) In general.--If an Internet service provider, online 
     service provider, or operator of a commercial website commits 
     a breach of privacy with respect to the personally 
     identifiable information of a user, then it shall, as soon as 
     reasonably possible, notify all users whose personally 
     identifiable information was affected by that breach. The 
     notice shall describe the nature of the breach and the steps 
     taken by the provider or operator to remedy it.
       (2) Breach of privacy.--For purposes of paragraph (1), an 
     Internet service provider, online service provider, or 
     operator of a commercial website commits a breach of privacy 
     with respect to personally identifiable information of a user 
     if--
       (A) it collects, discloses, or otherwise uses personally 
     identifiable information in violation of any provision of 
     this title; or
       (B) it knows that the security, confidentiality, or 
     integrity of personally identifiable information is 
     compromised by any act or failure to act on the part of the 
     provider or operator or by any function of the Internet 
     service or online service provided, or commercial website 
     operated, by that provider or operator that resulted in a 
     disclosure, or possible disclosure, of that information.
       (g) Application to Certain Third-Party Operators.--The 
     provisions of this section applicable to Internet service 
     providers, online service providers, and commercial website 
     operators apply to any third party, including an advertiser, 
     that uses that service or website to collect information 
     about users of that service or website.

     SEC. 103. OTHER KINDS OF INFORMATION.

       (a) In General.--Except as provided in subsection (b), the 
     provisions of sections 101 and 102 (except for subsections 
     (b), (c), and (e)(2)) that apply to personally identifiable 
     information apply also to the collection and disclosure or 
     other use of information about users of an Internet service, 
     online service, or commercial website that is not personally 
     identifiable information.
       (b) Consent Rule.--An Internet service provider, online 
     service provider, or operator of a commercial website may 
     not--
       (1) collect information described in subsection (a) from a 
     user of that service or website, or
       (2) except as provided in section 107, disclose or 
     otherwise use such information about a user of that service 
     or website,
     unless the provider or operator obtains that user's consent 
     to the collection and disclosure or other use of that 
     information. For purposes of this subsection, the user will 
     be deemed to have consented unless the user objects to the 
     collection and disclosure or other use of the information.
       (c) Application to Certain Third-Party Operators.--The 
     provisions of this section applicable to Internet service 
     providers, online service providers, and commercial website 
     operators apply to any third party, including an advertiser, 
     that uses that service or website to collect information 
     about users of that service or website.

     SEC. 104. EXCEPTIONS.

       (a) In General.--Sections 102 and 103 do not apply to the 
     collection, disclosure, or use by an Internet service 
     provider, online service provider, or operator of a 
     commercial website of information about a user of that 
     service or website--
       (1) to protect the security or integrity of the service or 
     website; or
       (2) to conduct a transaction, deliver a product or service, 
     or complete an arrangement for which the user provided the 
     information.
       (b) Disclosure to Parent Protected.--An Internet service 
     provider, online service provider, or operator of a 
     commercial website may not be held liable under this title, 
     any other Federal law, or any State law for any disclosure 
     made in good faith and following reasonable procedures in 
     responding to a request for disclosure of personal 
     information under section 1302(b)(1)(B)(iii) of the 
     Children's Online Privacy Protection Act of 1998 to the 
     parent of a child.

     SEC. 105. PERMANENCE OF CONSENT.

       The consent or denial of consent by a user of permission to 
     an Internet service provider, online service provider, or 
     operator of a commercial website to collect, disclose, or 
     otherwise use any information about that user for which 
     consent is required under this title--
       (1) shall remain in effect until changed by the user;
       (2) except as provided in section 102(e), shall apply to 
     any revised, modified, new, or improved service provided by 
     that provider or operator to that user; and
       (3) except as provided in section 102(e), shall apply to 
     the collection, disclosure, or other use of that information 
     by any entity that is a commercial successor of that provider 
     or operator, without regard to the legal form in which such 
     succession was accomplished.

     SEC. 106. DISCLOSURE TO LAW ENFORCEMENT AGENCY OR UNDER COURT 
                   ORDER.

       (a) In General.--Notwithstanding any other provision of 
     this title, an Internet service provider, online service 
     provider, operator of a commercial website, or third party 
     that uses such a service or website to collect information 
     about users of that service or website may disclose 
     personally identifiable information about a user of that 
     service or website--
       (1) to a law enforcement agency in response to a warrant 
     issued under the Federal Rules of Criminal Procedure, an 
     equivalent State warrant, or a court order issued in 
     accordance with subsection (c); and
       (2) in response to a court order in a civil proceeding 
     granted upon a showing of compelling need for the information 
     that cannot be accommodated by any other means if--
       (A) the user to whom the information relates is given 
     reasonable notice by the person seeking the information of 
     the court proceeding at which the order is requested; and
       (B) that user is afforded a reasonable opportunity to 
     appear and contest the issuance of the requested order or to 
     narrow its scope.
       (b) Safeguards Against Further Disclosure.--A court that 
     issues an order described in subsection (a) shall impose 
     appropriate safeguards on the use of the information to 
     protect against its unauthorized disclosure.
       (c) Court Orders.--A court order authorizing disclosure 
     under subsection (a)(1) may issue only with prior notice to 
     the user and only if the law enforcement agency shows that 
     there is probable cause to believe that the user has engaged, 
     is engaging, or is about to engage in criminal activity and 
     that the records or other information sought are material to 
     the investigation of such activity. In the case of a State 
     government authority, such a court order shall not issue if 
     prohibited by the law of such State. A court issuing an order 
     pursuant to this subsection, on a motion made promptly by the 
     Internet service provider, online service provider, or 
     operator of the commercial website, may quash or modify such 
     order if the information or records requested are 
     unreasonably voluminous in nature or if compliance with such 
     order otherwise would cause an unreasonable burden on the 
     provider or operator.

     SEC. 107. EFFECTIVE DATE.

       (a) In General.--This title takes effect after the Federal 
     Trade Commission completes the rulemaking procedure under 
     section 109.
       (b) Application to Pre-existing Data.--
       (1) In general.--After the effective date of this title, 
     and except as provided in paragraphs (2) and (3), sections 
     101, 102, and 103 apply to information collected before the 
     date of enactment of this Act.
       (2) Collection of both kinds of information.--Section 
     102(b)(1) and 103(b)(1) do not apply to information collected 
     before the effective date of this title.
       (3) Access to personally identifiable information.--Section 
     102(c) applies to personally identifiable information 
     collected before the effective date of this title unless it 
     is economically unfeasible for the Internet service provider, 
     online service provider, or commercial website operator to 
     comply with that section for the information.

     SEC. 108. FTC RULEMAKING PROCEDURE REQUIRED.

       The Federal Trade Commission shall initiate a rulemaking 
     procedure within 90 days after the date of enactment of this 
     Act to implement the provisions of this title. 
     Notwithstanding any requirement of chapter 5 of title 5, 
     United States Code, the Commission shall complete the 
     rulemaking procedure not later than 270 days after it is 
     commenced.

 TITLE II--PRIVACY PROTECTION FOR CONSUMERS OF BOOKS, RECORDED MUSIC, 
                               AND VIDEOS

     SEC. 201. EXTENSION OF VIDEO RENTAL PROTECTIONS TO BOOKS AND 
                   RECORDED MUSIC.

       (a) In General.--Section 2710 of title 18, United States 
     Code, is amended by striking the section designation and all 
     that follows through the end of subsection (b) and inserting 
     the following:

     ``Sec. 2710. Wrongful disclosure of information about video, 
       book, or recorded music rental, sale, or delivery

       ``(a) Definitions.--In this section:
       ``(1) The term `book dealer' means any person engaged in 
     the business, in or affecting interstate or foreign commerce, 
     of renting, selling, or delivering books, magazines, or other 
     written or printed material (regardless of the format or 
     medium), or any person or other entity to whom a disclosure 
     is made under subparagraph (D) or (E) of subsection (b)(2), 
     but only with respect to the information contained in the 
     disclosure.
       ``(2) The term `recorded music dealer' means any person, 
     engaged in the business, in or affecting interstate or 
     foreign commerce, of selling, renting, or delivering recorded 
     music, regardless of the format in which or medium on which 
     it is recorded, or any person or other entity to whom a 
     disclosure is made under subparagraph (D) or (E) of 
     subsection (b)(2), but only with respect to the information 
     contained in the disclosure.
       ``(3) The term `consumer' means any renter, purchaser, or 
     user of goods or services from a video provider, book dealer, 
     or recorded music dealer.
       ``(4) The term `ordinary course of business' means only 
     debt-collection activities, order fulfillment, request 
     processing, and the transfer of ownership.
       ``(5) The term `personally identifiable information' means 
     information that identifies a person as having requested or 
     obtained specific video materials or services, specific 
     books, magazines, or other written or printed materials, or 
     specific recorded music.
       ``(6) The term `video provider' means any person engaged in 
     the business, in or affecting interstate or foreign commerce, 
     of rental, sale, or delivery of recorded videos, regardless 
     of the format in which, or medium on which they are recorded, 
     or similar audio-visual materials, or any person or other 
     entity to whom a disclosure is made under subparagraph (D) or 
     (E) of subsection (b)(2), but only with respect to the 
     information contained in the disclosure.
       ``(b) Video, Book, or Recorded Music Rental, Sale, or 
     Delivery.--
       ``(1) In general.--A video provider, book dealer, or 
     recorded music dealer who knowingly discloses, to any person, 
     personally identifiable information concerning any consumer 
     of such provider or seller, as the case may be, shall be 
     liable to the aggrieved person for the relief provided in 
     subsection (d).
       ``(2) Disclosure.--A video provider, book dealer, or 
     recorded music dealer may disclose personally identifiable 
     information concerning any consumer--
       ``(A) to the consumer;
       ``(B) to any person with the informed, written consent of 
     the consumer given at the time the disclosure is sought;
       ``(C) to a law enforcement agency pursuant to a warrant 
     issued under the Federal Rules of Criminal Procedure, an 
     equivalent State warrant, or a court order issued in 
     accordance with paragraph (4);
       ``(D) to any person if the disclosure is solely of the 
     names and addresses of consumers and if--
       ``(i) the video provider, book dealer, or recorded music 
     dealer, as the case may be, has provided the consumer, in a 
     clear and conspicuous manner, with the opportunity to 
     prohibit such disclosure; and
       ``(ii) the disclosure does not identify the title, 
     description, or subject matter of any video or other audio-
     visual material, books, magazines, or other printed material, 
     or recorded music;
       ``(E) to any person if the disclosure is incident to the 
     ordinary course of business of the video provider, book 
     dealer, or recorded music dealer; or
       ``(F) pursuant to a court order, in a civil proceeding upon 
     a showing of compelling need for the information that cannot 
     be accommodated by any other means, if--
       ``(i) the consumer is given reasonable notice, by the 
     person seeking the disclosure, of the court proceeding 
     relevant to the issuance of the court order; and
       ``(ii) the consumer is afforded the opportunity to appear 
     and contest the claim of the person seeking the disclosure.
       ``(3) Safeguards.--If an order is granted pursuant to 
     subparagraph (C) or (F) of paragraph (2), the court shall 
     impose appropriate safeguards against unauthorized 
     disclosure.
       ``(4) Court orders.--A court order authorizing disclosure 
     under paragraph (2)(C) shall issue only with prior notice to 
     the consumer and only if the law enforcement agency shows 
     that there is probable cause to believe that a person has 
     engaged, is engaging, or is about to engage in criminal 
     activity and that the records or other information sought are 
     material to the investigation of such activity. In the case 
     of a State government authority, such a court order shall not 
     issue if prohibited by the law of such State. A court issuing 
     an order pursuant to this subsection, on a motion made 
     promptly by the video provider, book dealer, or recorded 
     music dealer, may quash or modify such order if the 
     information or records requested are unreasonably voluminous 
     in nature or if compliance with such order otherwise would 
     cause an
     unreasonable burden on such video provider, book dealer, or 
     recorded music dealer, as the case may be.''.
       (b) Conforming Amendments.--
       (1) Subsections (c) through (f) of section 2701 of title 
     18, United States Code, are amended by striking ``video tape 
     service provider'' each place it appears and inserting 
     ``video provider''.
       (2) The item relating to section 2701 in the analysis for 
     chapter 121 of title 18, United States Code, is amended to 
     read as follows:

``2710. Wrongful disclosure of information about video, book, or 
              recorded music rental or sales.''.

     SEC. 202. EFFECTIVE DATE.

       The amendments made by section 201 take effect 12 months 
     after the date of enactment of this Act.

                  TITLE III--ENFORCEMENT AND REMEDIES

     SEC. 301. ENFORCEMENT.

       Except as provided in section 302(b) and section 2710(d) of 
     title 18, United States Code, this Act shall be enforced by 
     the Federal Trade Commission. Except as otherwise provided in 
     this Act, a violation of this Act may be punished in the same 
     manner as a violation of a regulation of the Federal Trade 
     Commission.

     SEC. 302. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.

       (a) In General.--The violation of any provision of title I 
     is an unfair or deceptive act or practice proscribed by 
     section 18(a)(1)(B) of the Federal Trade Commission Act (15 
     U.S.C. 57a(a)(1)(B)).
       (b) Enforcement by Certain Other Agencies.--Compliance with 
     title I of this Act shall be enforced under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks, by the Office of the Comptroller 
     of the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25(a) of the 
     Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), 
     by the Board; and
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System) and insured State branches of foreign banks, by the 
     Board of Directors of the Federal Deposit Insurance 
     Corporation;
       (2) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), by the Director of the Office of Thrift 
     Supervision, in the case of a savings association the 
     deposits of which are insured by the Federal Deposit 
     Insurance Corporation;
       (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the National Credit Union Administration Board with 
     respect to any Federal credit union;
       (4) part A of subtitle VII of title 49, United States Code, 
     by the Secretary of Transportation with respect to any air 
     carrier or foreign air carrier subject to that part;
       (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
     seq.) (except as provided in section 406 of that Act (7 
     U.S.C. 226, 227)), by the Secretary of Agriculture with 
     respect to any activities subject to that Act; and
       (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
     the Farm Credit Administration with respect to any Federal 
     land bank, Federal land bank association, Federal 
     intermediate credit bank, or production credit association.
       (c) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (b) of its 
     powers under any Act referred to in that subsection, a 
     violation of title I is deemed to be a violation of a 
     requirement imposed under that Act. In addition to its powers 
     under any provision of law specifically referred to in 
     subsection (b), each of the agencies referred to in that 
     subsection may exercise, for the purpose of enforcing 
     compliance with any requirement imposed under title I of this 
     Act, any other authority conferred on it by law.
       (d) Actions by the Commission.--The Commission shall 
     prevent any person from violating title I in the same manner, 
     by the same means, and with the same jurisdiction, powers, 
     and duties as though all applicable terms and provisions of 
     the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
     incorporated into and made a part of this Act. Any entity 
     that violates any provision of that title is subject to the 
     penalties and entitled to the privileges and immunities 
     provided in the Federal Trade Commission Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     power, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act were 
     incorporated into and made a part of that title.
       (e) Effect on Other Laws.--
       (1) Preservation of commission authority.--Nothing 
     contained in this title shall be construed to limit the 
     authority of the Commission under any other provision of law.
       (2) Relation to communications act.--Nothing in title I 
     requires an operator of a website or online service to take 
     any action that is inconsistent with the requirements of 
     section 222 or 631 of the Communications Act of 1934 (47 
     U.S.C. 222 or 551, respectively).

     SEC. 303. PRIVATE RIGHT OF ACTION.

       (a) Private Right of Action.--A person whose personally 
     identifiable information is collected, disclosed or used, or 
     is likely to be disclosed or used, in violation of title I 
     may, if otherwise permitted by the laws or rules of court of 
     a State, bring in an appropriate court of that State--
       (1) an action to enjoin or restrain such violation;
       (2) an action to recover for actual monetary loss from such 
     a violation, or to receive $5,000 in damages for each such 
     violation, whichever is greater; or
       (3) both such actions.
       (b) Willful and Knowing Violations.--If the court finds 
     that the defendant willfully or knowingly violated title I, 
     the court may, in its discretion, increase the amount of the 
     award available under subsection (a)(2) to $50,000.
       (c) Exception.--Neither an action to enjoin or restrain a 
     violation, nor an action to recover for loss or damage, may 
     be brought under this section for the accidental disclosure 
     of information if the disclosure was caused by an Act of God, 
     network or systems failure, or other event beyond the control 
     of the Internet service provider, online service provider, or 
     operator of a commercial website if the provider or operator 
     took reasonable precautions to prevent such disclosure in the 
     event of such a failure or other event.
       (d) Attorneys Fees; Punitive Damages.--Notwithstanding 
     subsection (a)(2), the court in an action brought under this 
     section, may award reasonable attorneys fees and punitive 
     damages to the prevailing party.

     SEC. 304. ACTIONS BY STATES.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that violates title I, the State, as parens patriae, 
     may bring a civil action on behalf of the residents of the 
     State in a district court of the United States of appropriate 
     jurisdiction to--
       (A) enjoin that practice;
       (B) enforce compliance with the rule;
       (C) obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) obtain such other relief as the court may consider to 
     be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Commission--
       (i) written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general 
     determines that it is not feasible to provide the notice 
     described in that subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (2) Effect of intervention.--If the Commission intervenes 
     in an action under subsection (a), it shall have the right--
       (A) to be heard with respect to any matter that arises in 
     that action; and
       (B) to file a petition for appeal.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this Act shall be 
     construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of title I, no State may, during the pendency of 
     that action, institute an action under subsection (a) against 
     any defendant named in the complaint in that action for 
     violation of that rule.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 305. WHISTLEBLOWER PROTECTION.

       (a) In General.--No Internet service provider, online 
     service provider, or commercial website operator may 
     discharge or otherwise discriminate against any employee with 
     respect to compensation, terms, conditions, or privileges of 
     employment because the employee (or any person acting 
     pursuant to the request of the employee) provided information 
     to any Federal or State agency or to the Attorney General of 
     the United States or of any State regarding a possible 
     violation of any provision of title I.
       (b) Enforcement.--Any employee or former employee who 
     believes he has been

[[Page S4306]]

     discharged or discriminated against in violation of 
     subsection (a) may file a civil action in the appropriate 
     United States district court before the close of the 2-year 
     period beginning on the date of such discharge or 
     discrimination. The complainant shall also file a copy of the 
     complaint initiating such action with the appropriate Federal 
     agency.
       (c) Remedies.--If the district court determines that a 
     violation of subsection (a) has occurred, it may order the 
     Internet service provider, online service provider, or 
     commercial website operator that committed the violation--
       (1) to reinstate the employee to his former position;
       (2) to pay compensatory damages; or
       (3) take other appropriate actions to remedy any past 
     discrimination.
       (d) Attorneys Fees; Punitive Damages.--Notwithstanding 
     subsection (c)(2), the court in an action brought under this 
     section, may award reasonable attorneys fees and punitive 
     damages to the prevailing party.
       (e) Limitation.--The protections of this section shall not 
     apply to any employee who--
       (1) deliberately causes or participates in the alleged 
     violation; or
       (2) knowingly or recklessly provides substantially false 
     information to such an agency or the Attorney General.
       (f) Burdens of Proof.--The legal burdens of proof that 
     prevail under subchapter III of chapter 12 of title 5, United 
     States Code (5 U.S.C. 1221 et seq.) shall govern adjudication 
     of protected activities under this section.

     SEC. 306. NO EFFECT ON OTHER REMEDIES.

       The remedies provided by sections 303 and 304 are in 
     addition to any other remedy available under any provision of 
     law.

     SEC. 307. FTC OFFICE OF ONLINE PRIVACY.

       The Federal Trade Commission shall establish an Office of 
     Online Privacy headed by a senior level position officer who 
     reports directly to the Commission and its General Counsel. 
     The Office shall study privacy issues associated with 
     electronic commerce and the Internet, the operation of this 
     Act and the effectiveness of the privacy protections provided 
     by title I. The Office shall report its findings and 
     recommendations from time to time to the Commission, and, 
     notwithstanding any law, regulation, or executive order to 
     the contrary, shall submit an annual report directly to the 
     Senate Committee on Commerce, Science, and Transportation and 
     the House of Representatives Committee on Commerce on the 
     status of online and Internet privacy issues, together with 
     any recommendations for additional legislation relating to 
     those issues.

        TITLE IV--COMMUNICATIONS TECHNOLOGY PRIVACY PROTECTIONS

     SEC. 401. PRIVACY PROTECTION FOR SUBSCRIBERS OF SATELLITE 
                   TELEVISION SERVICES FOR PRIVATE HOME VIEWING.

       (a) In General.--Section 631 of the Communications Act of 
     1934 (47 U.S.C. 551) is amended to read as follows:

     ``SEC. 631. PRIVACY OF SUBSCRIBER INFORMATION FOR SUBSCRIBERS 
                   OF CABLE SERVICE AND SATELLITE TELEVISION 
                   SERVICE.

       ``(a) Notice to Subscribers Regarding Personally 
     Identifiable Information.--At the time of entering into an 
     agreement to provide any cable service, satellite home 
     viewing service, or other service to a subscriber, and not 
     less often than annually thereafter, a cable operator, 
     satellite carrier, or distributor shall provide notice in the 
     form of a separate, written statement to such subscriber that 
     clearly and conspicuously informs the subscriber of--
       ``(1) the nature of personally identifiable information 
     collected or to be collected with respect to the subscriber 
     as a result of the provision of such service and the nature 
     of the use of such information;
       ``(2) the nature, frequency, and purpose of any disclosure 
     that may be made of such information, including an 
     identification of the types of persons to whom the disclosure 
     may be made;
       ``(3) the period during which such information will be 
     maintained by the cable operator, satellite carrier, or 
     distributor;
       ``(4) the times and place at which the subscriber may have 
     access to such information in accordance with subsection (d); 
     and
       ``(5) the limitations provided by this section with respect 
     to the collection and disclosure of information by the cable 
     operator, satellite carrier, or distributor and the right of 
     the subscriber under this section to enforce such 
     limitations.
       ``(b) Collection of Personally Identifiable Information.--
       ``(1) In general.--Except as provided in paragraph (2), a 
     cable operator, satellite carrier, or distributor shall not 
     use its cable or satellite system to collect personally 
     identifiable information concerning any subscriber without 
     the prior written or electronic consent of the subscriber.
       ``(2) Exception.--A cable operator, satellite carrier, or 
     distributor may use its cable or satellite system to collect 
     information described in paragraph (1) in order to--
       ``(A) obtain information necessary to render a cable or 
     satellite service or other service provided by the cable 
     operator, satellite carrier, or distributor to the 
     subscriber; or
       ``(B) detect unauthorized reception of cable or satellite 
     communications.
       ``(c) Disclosure of Personally Identifiable Information.--
       ``(1) In general.--Except as provided in paragraph (2), a 
     cable operator, satellite carrier, or distributor may not 
     disclose personally identifiable information concerning any 
     subscriber without the prior written or electronic consent of 
     the subscriber and shall take such actions as are necessary 
     to prevent unauthorized access to such information by a 
     person other than the subscriber or the cable operator, 
     satellite carrier, or distributor.
       ``(2) Exceptions.--A cable operator, satellite carrier, or 
     distributor may disclose information described in paragraph 
     (1) if the disclosure is--
       ``(A) necessary to render, or conduct a legitimate business 
     activity related to, a cable or satellite service or other 
     service provided by the cable operator, satellite carrier, or 
     distributor to the subscriber;
       ``(B) subject to paragraph (3), made pursuant to a court 
     order authorizing such disclosure, if the subscriber is 
     notified of such order by the person to whom the order is 
     directed; or
       ``(C) a disclosure of the names and addresses of 
     subscribers to any other provider of cable or satellite 
     service or other service, if--
       ``(i) the cable operator, satellite carrier, or distributor 
     has provided the subscriber the opportunity to prohibit or 
     limit such disclosure; and
       ``(ii) the disclosure does not reveal, directly or 
     indirectly--

       ``(I) the extent of any viewing or other use by the 
     subscriber of a cable or satellite service or other service 
     provided by the cable operator, satellite carrier, or 
     distributor; or
       ``(II) the nature of any transaction made by the subscriber 
     over the cable or satellite system of the cable operator, 
     satellite carrier, or distributor.

       ``(3) Court orders.--A governmental entity may obtain 
     personally identifiable information concerning a cable or 
     satellite subscriber pursuant to a court order only if, in 
     the court proceeding relevant to such court order--
       ``(A) such entity offers clear and convincing evidence that 
     the subject of the information is reasonably suspected of 
     engaging in criminal activity and that the information sought 
     would be material evidence in the case; and
       ``(B) the subject of the information is afforded the 
     opportunity to appear and contest such entity's claim.
       ``(d) Subscriber Access to Information.--A cable or 
     satellite subscriber shall be provided access to all 
     personally identifiable information regarding that subscriber 
     that is collected and maintained by a cable operator, 
     satellite carrier, or distributor. Such information shall be 
     made available to the subscriber at reasonable times and at a 
     convenient place designated by such cable operator, satellite 
     carrier, or distributor. A cable or satellite subscriber 
     shall be provided reasonable opportunity to correct any error 
     in such information.
       ``(e) Destruction of Information.--A cable operator, 
     satellite carrier, or distributor shall destroy personally 
     identifiable information if the information is no longer 
     necessary for the purpose for which it was collected and 
     there are no pending requests or orders for access to such 
     information under subsection (d) or pursuant to a court 
     order.
       ``(f) Relief.--
       ``(1) In general.--Any person aggrieved by any act of a 
     cable operator, satellite carrier, or distributor in 
     violation of this section may bring a civil action in a 
     district court of the United States.
       ``(2) Damages and costs.--In any action brought under 
     paragraph (1), the court may award a prevailing plaintiff--
       ``(A) actual damages but not less than liquidated damages 
     computed at the rate of $100 a day for each day of violation 
     or $1,000, whichever is greater;
       ``(B) punitive damages; and
       ``(C) reasonable attorneys' fees and other litigation costs 
     reasonably incurred.
       ``(3) No effect on other remedies.--The remedy provided by 
     this subsection shall be in addition to any other remedy 
     available under any provision of law to a cable or satellite 
     subscriber.
       ``(g) Definitions.--In this section:
       ``(1) Distributor.--The term `distributor' means an entity 
     that contracts to distribute secondary transmissions from a 
     satellite carrier and, either as a single channel or in a 
     package with other programming, provides the secondary 
     transmission either directly to individual subscribers for 
     private home viewing or indirectly through other program 
     distribution entities.
       ``(2) Cable operator.--
       ``(A) In general.--The term `cable operator' has the 
     meaning given that term in section 602.
       ``(B) Inclusion.--The term includes any person who--
       ``(i) is owned or controlled by, or under common ownership 
     or control with, a cable operator; and
       ``(ii) provides any wire or radio communications service.
       ``(3) Other service.--The term `other service' includes any 
     wire, electronic, or radio communications service provided 
     using any of the facilities of a cable operator, satellite 
     carrier, or distributor that are used in the provision of 
     cable service or satellite home viewing service.
       ``(4) Personally identifiable information.--The term 
     `personally identifiable information' does not include any 
     record of aggregate data that does not identify particular 
     persons.

[[Page S4307]]

       ``(5) Satellite carrier.--The term `satellite carrier' 
     means an entity that uses the facilities of a satellite or 
     satellite service licensed by the Federal Communications 
     Commission and operates in the Fixed-Satellite Service under 
     part 25 of title 47 of the Code of Federal Regulations or the 
     Direct Broadcast Satellite Service under part 100 of title 47 
     of the Code of Federal Regulations, to establish and operate 
     a channel of communications for point-to-multipoint 
     distribution of television station signals, and that owns or 
     leases a capacity or service on a satellite in order to 
     provide such point-to-multipoint distribution, except to the 
     extent that such entity provides such distribution pursuant 
     to tariff under the Communications Act of 1934, other than 
     for private home viewing.''.
       (b) Notice With Respect to Certain Agreements.--
       (1) In general.--Except as provided in paragraph (2), a 
     cable operator, satellite carrier, or distributor who has 
     entered into agreements referred to in section 631(a) of the 
     Communications Act of 1934, as amended by subsection (a), 
     before the date of enactment of this Act, shall provide any 
     notice required under that section, as so amended, to 
     subscribers under such agreements not later than 180 days 
     after that date.
       (2) Exception.--Paragraph (1) shall not apply with respect 
     to any agreement under which a cable operator, satellite 
     carrier, or distributor was providing notice under section 
     631(a) of the Communications Act of 1934, as in effect on the 
     day before the date of enactment of this Act, as of such 
     date.

     SEC. 402. CUSTOMER PROPRIETARY NETWORK INFORMATION.

       Section 222 (c)(1) of the Communications Act of 1934 (47 
     U.S.C. 222 (c)(1)) is amended by striking ``approval'' and 
     inserting ``express prior authorization''.

                    TITLE V--RULEMAKING AND STUDIES

     SEC. 501. FEDERAL TRADE COMMISSION EXAMINATION.

       (a) Proceeding Required.--The Federal Trade Commission 
     shall--
       (1) study consumer privacy issues in the traditional, 
     offline marketplace, including whether--
       (A) consumers are able, and, if not, the methods by which 
     consumers may be enabled--
       (i) to have knowledge that consumer information is being 
     collected about them through their utilization of various 
     offline services and systems;
       (ii) to have clear and conspicuous notice that such 
     information could be used, or is intended to be used, by the 
     entity collecting the data for reasons unrelated to the 
     original communications, or that such information could be 
     sold, rented, shared, or otherwise disclosed (or is intended 
     to be sold, rented, shared, or otherwise disclosed) to other 
     companies or entities; and
       (iii) to stop the reuse, disclosure, or sale of that 
     information;
       (B) in the case of consumers who are children, the 
     abilities described in clauses (i), (ii), and (iii) of 
     subparagraph (A) are or can be exercised by their parents; 
     and
       (C) changes in the Commission's regulations could provide 
     greater assurance of the offline privacy rights and remedies 
     of parents and consumers generally;
       (2) review responses and suggestions from affected 
     commercial and nonprofit entities to changes proposed under 
     paragraph (1)(C); and
       (3) make recommendations to the Congress for any 
     legislative changes necessary to ensure such rights and 
     remedies.
       (b) Schedule for Federal Trade Commission Responses.--The 
     Federal Trade Commission shall, within 6 months after the 
     date of enactment of this Act, submit to Congress a report 
     containing the recommendations required by subsection (a)(3).

     SEC. 502. FEDERAL COMMUNICATIONS COMMISSION RULEMAKING.

       (a) Proceeding Required.--The Federal Communications 
     Commission shall initiate a rulemaking proceeding to 
     establish uniform consumer privacy rules for all 
     communications providers. The rulemaking proceeding shall--
       (1) examine the privacy rights and remedies of the 
     consumers of all online and offline technologies, including 
     telecommunications providers, cable, broadcast, satellite, 
     wireless, and telephony services;
       (2) determine whether consumers are able, and, if not, the 
     methods by which consumers may be enabled to exercise such 
     rights and remedies; and
       (3) change the Commission's regulations to coordinate, 
     rationalize, and harmonize laws and regulations administered 
     by the Commission that relate to those rights and remedies.
       (b) Deadline for Changes.--The Federal Communications 
     Commission shall complete the rulemaking within 6 months 
     after the date of enactment of this Act.

     SEC. 503. DEPARTMENT OF LABOR STUDY OF EMPLOYEE-MONITORING 
                   ACTIVITIES.

       The Secretary of Labor shall study the extent and nature of 
     employer practices that involve monitoring employee 
     activities both at the workplace and away from the workplace, 
     by electronic or other remote means, including surveillance 
     of electronic mail and Internet use, to determine whether and 
     to what extent such practices constitute an inappropriate 
     violation of employee privacy. The Secretary shall report the 
     results of the study, including findings and recommendations, 
     if any, for legislation or regulation to the Congress within 
     6 months after the date of enactment of this Act.

    TITLE VI--PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION IN 
                               BANKRUPTCY

     SEC. 601. PERSONALLY IDENTIFIABLE INFORMATION NOT ASSET IN 
                   BANKRUPTCY.

       Section 541(b) of title 11, United States Code, is 
     amended--
       (1) by striking ``or'' after the semicolon in paragraph 
     (4)(B)(ii);
       (2) by striking ``prohibition.'' in paragraph (5) and 
     inserting ``prohibition; or''; and
       (3) by inserting after paragraph (5) the following:
       ``(6) any personally identifiable information (as defined 
     in section 901(6) of the Consumer Privacy Protection Act), or 
     any compilation, or record (in electronic or any other form) 
     of such information.''.

                TITLE VII--INTERNET SECURITY INITIATIVES

     SEC. 701. FINDINGS.

       The Congress finds the following:
       (1) Good computer security practices are an underpinning of 
     any privacy protection. The operator of a computer system 
     should protect that system from unauthorized use and secure 
     any private, personal information.
       (2) The Federal Government should be a role model in 
     securing its computer systems and should ensure the 
     protection of private, personal information controlled by 
     Federal agencies.
       (3) The National Institute of Standards and Technology has 
     the responsibility for developing standards and guidelines 
     needed to ensure the cost-effective security and privacy of 
     private, personal information in Federal computer systems.
       (4) This Nation faces a shortage of trained, qualified 
     information technology workers, including computer security 
     professionals. As the demand for information technology 
     workers grows, the Federal government will have an 
     increasingly difficult time attracting such workers into the 
     Federal workforce.
       (5) Some commercial off-the-shelf hardware and off-the-
     shelf software components to protect computer systems are 
     widely available. There is still a need for long-term 
     computer security research, particularly in the area of 
     infrastructure protection.
       (6) The Nation's information infrastructures are owned, for 
     the most part, by the private sector, and partnerships and 
     cooperation will be needed for the security of these 
     infrastructures.
       (7) There is little financial incentive for private 
     companies to enhance the security of the Internet and other 
     infrastructures as a whole. The Federal government will need 
     to make investments in this area to address issues and 
     concerns not addressed by the private sector.

     SEC. 702. COMPUTER SECURITY PARTNERSHIP COUNCIL.

       (a) Establishment.--The Secretary of Commerce, in 
     consultation with the President's Information Technology 
     Advisory Committee established by Executive Order No. 13035 
     of February 11, 1997 (62 F.R. 7231), shall establish a 25-
     member Computer Security Partnership Council.
       (b) Chairman; Membership.--The Council shall have a 
     chairman, appointed by the Secretary, and 24 additional 
     members, appointed by the Secretary as follows:
       (1) 5 members, who are not officers or employees of the 
     United States, who are recognized as leaders in the 
     networking and computer security business, at least 1 of whom 
     represents a small or medium-sized company.
       (2) 5 members, who are--
       (A) not officers or employees of the United States, and
       (B) not in the networking and computer security business,
     at least 1 of whom represents a small or medium-sized 
     company.
       (3) 5 members, who are not officers or employees of the 
     United States, who represent public interest groups or State 
     or local governments, of whom at least 2 represent such 
     groups and at least 2 represent such governments.
       (4) 5 members, who are not officers or employees of the 
     United States, affiliated with a college, university, or 
     other academic, research-oriented, or public policy 
     institution, with recognized expertise in the field of 
     networking and computer security, whose primary source of 
     employment is by that college, university, or other 
     institution rather than a business organization involved in 
     the networking and computer security business.
       (5) 4 members, who are officers or employees of the United 
     States, with recognized expertise in computer systems 
     management, including computer and network security.
       (c) Function.--The Council shall collect and share 
     information about, and increase public awareness of, 
     information security practices and programs, threats to 
     information security, and responses to those threats.
       (d) Study.--Within 12 months after the date of enactment of 
     this Act, the Council shall publish a report which evaluates 
     and describes areas of computer security research and 
     development that are not adequately developed or funded.
       (e) Additional Recommendations.--The Council shall 
     periodically make recommendations to appropriate government 
     and private sector entities for enhancing the security of 
     networked computers operated or maintained by those entities.

[[Page S4308]]

     SEC. 703. RESEARCH AND DEVELOPMENT.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (1) by redesignating subsections (c) and (d) as subsections 
     (d) and (e), respectively; and
       (2) by inserting after subsection (b) the following:
       ``(c) Research and Development of Protection 
     Technologies.--
       ``(1) In general.--The Institute shall establish a program 
     at the National Institute of Standards and Technology to 
     conduct, or to fund the conduct of, research and development 
     of technology and techniques to provide security for advanced 
     communications and computing systems and networks including 
     the Next Generation Internet, the underlying structure of the 
     Internet, and networked computers.
       ``(2) Purpose.--A purpose of the program established under 
     paragraph (1) is to address issues or problems that are not 
     addressed by market-driven, private-sector information 
     security research. This may include research--
       ``(A) to identify Internet security problems which are not 
     adequately addressed by current security technologies;
       ``(B) to develop interactive tools to analyze security 
     risks in an easy-to-understand manner;
       ``(C) to enhance the security and reliability of the 
     underlying Internet infrastructure while minimizing any 
     adverse operational impacts such as speed; and
       ``(D) to allow networks to become self-healing and provide 
     for better analysis of the state of Internet and 
     infrastructure operations and security.
       ``(3) Matching grants.--A grant awarded by the Institute 
     under the program established under paragraph (1) to a 
     commercial enterprise may not exceed 50 percent of the cost 
     of the project to be funded by the grant.
       ``(4) Authorization of appropriations.--There are 
     authorized to be appropriated to the Institute to carry out 
     this subsection--
       ``(A) $50,000,000 for fiscal year 2001;
       ``(B) $60,000,000 for fiscal year 2002;
       ``(C) $70,000,000 for fiscal year 2003;
       ``(D) $80,000,000 for fiscal year 2004;
       ``(E) $90,000,000 for fiscal year 2005; and
       ``(F) $100,000,000 for fiscal year 2006.''.

     SEC. 704. COMPUTER SECURITY TRAINING PROGRAMS.

       (a) In General.--The Secretary of Commerce, in consultation 
     with appropriate Federal agencies, shall establish a program 
     to support the training of individuals in computer security, 
     Internet security, and related fields at institutions of 
     higher education located in the United States.
       (b) Support Authorized.--Under the program established 
     under subsection (a), the Secretary may provide scholarships, 
     loans, and other forms of financial aid to students at 
     institutions of higher education. The Secretary shall require 
     a recipient of a scholarship under this program to provide a 
     reasonable period of service as an employee of the United 
     States government after graduation as a condition of the 
     scholarship, and may authorize full or partial forgiveness of 
     indebtedness for loans made under this program in exchange 
     for periods of employment by the United States government.
       (c) Authorization of Appropriations.--There are authorized 
     to be appropriated to the Secretary such sums as may be 
     necessary to carry out this section--
       (A) $15,000,000 for fiscal year 2001;
       (B) $17,000,000 for fiscal year 2002;
       (C) $20,000,000 for fiscal year 2003;
       (D) $25,000,000 for fiscal year 2004;
       (E) $30,000,000 for fiscal year 2005; and
       (F) $35,000,000 for fiscal year 2006.

     SEC. 705. GOVERNMENT INFORMATION SECURITY STANDARDS.

       (a) In General.--Section 20(b) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(b)) is 
     amended--
       (1) by striking ``and'' after the semicolon in paragraph 
     (4);
       (2) by redesignating paragraph (5) as paragraph (6); and
       (3) by inserting after paragraph (4) the following:
       ``(5) to provide guidance and assistance to Federal 
     agencies in the protection of interconnected computer systems 
     and to coordinate Federal response efforts related to 
     unauthorized access to Federal computer systems; and''.
       (b) Federal Computer System Security Training.--Section 
     5(b) of the Computer Security Act of 1987 (49 U.S.C. 759 
     note) is amended--
       (1) by striking ``and'' at the end of paragraph (1);
       (2) by striking the period at the end of paragraph (2) and 
     inserting in lieu thereof ``; and''; and
       (3) by adding at the end the following new paragraph:
       ``(3) to include emphasis on protecting the availability of 
     Federal electronic citizen services and protecting sensitive 
     information in Federal databases and Federal computer sites 
     that are accessible through public networks.''.

     SEC. 706. RECOGNITION OF QUALITY IN COMPUTER SECURITY 
                   PRACTICES.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3), as amended by section 703, 
     is further amended--
       (1) by redesignating subsections (d) and (e) as subsections 
     (e) and (f), respectively; and
       (2) by inserting after subsection (c), the following:
       ``(d) Award Program.--The Institute may establish a program 
     for the recognition of excellence in Federal computer system 
     security practices, including the development of a seal, 
     symbol, mark, or logo that could be displayed on the website 
     maintained by the operator of such a system recognized under 
     the program. In order to be recognized under the program, the 
     operator--
       ``(1) shall have implemented exemplary processes for the 
     protection of its systems and the information stored on that 
     system;
       ``(2) shall have met any standard established under 
     subsection (a);
       ``(3) shall have a process in place for updating the system 
     security procedures; and
       ``(4) shall meet such other criteria as the Institute may 
     require.''.

     SEC. 707. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3), as amended by section 706, 
     is further amended--
       (1) by redesignating subsection (f) as subsection (g); and
       (2) by inserting after subsection (e) the following:
       ``(f) Development of Internet Privacy Program.--The 
     Institute shall encourage and support the development of one 
     or more computer programs, protocols, or other software, such 
     as the World Wide Web Consortium's P3P program, capable of 
     being installed on computers, or computer networks, with 
     Internet access that would reflect the user's preferences for 
     protecting personally-identifiable or other sensitive, 
     privacy-related information, and automatically execute the 
     program, once activated, without requiring user 
     intervention.''.

       TITLE VIII--CONGRESSIONAL INFORMATION SECURITY STANDARDS.

     SEC. 801. EXERCISE OF RULEMAKING POWER.

       This title is enacted by the Congress--
       (1) as an exercise of the rulemaking power of the House of 
     Representatives and the Senate, respectively, and as such it 
     is deemed a part of the rules of each House, respectively, 
     but applicable only with respect to that House; and it 
     supersedes other rules only to the extent that it is 
     inconsistent therewith; and
       (2) with full recognition of the constitutional right of 
     either House to change the rules (so far as relating to that 
     House) at any time, in the same manner and to the same extent 
     as in the case of any other rule of that House.

     SEC. 802. SENATE.

       (a) In General.--The Sergeant at Arms of the United States 
     Senate shall develop regulations setting forth an information 
     security and electronic privacy policy governing use of the 
     Internet by officers and employees of the Senate in 
     accordance with the following 4 principles of privacy:
       (1) Notice and awareness.--Websites must provide users 
     notice of their information practices.
       (2) Choices and consent.--Websites must offer users choices 
     as to how personally identifiable information is used beyond 
     the use for which the information was provided.
       (3) Access and participation.--Websites must offer users 
     reasonable access to personally identifiable information and 
     an opportunity to correct inaccuracies.
       (4) Security and integrity.--Websites must take reasonable 
     steps to protect the security and integrity of personally 
     identifiable information.
       (b) Procedure.--
       (1) Proposal.--The Sergeant at Arms shall publish a general 
     notice of proposed rulemaking under section 553(b) of title 
     5, United States Code, but, instead of publication of a 
     general notice of proposed rulemaking in the Federal 
     Register, the Sergeant at Arms shall transmit such notice to 
     the President pro tempore of the Senate for publication in 
     the Congressional Record on the first day on which the Senate 
     is in session following such transmittal. Such notice shall 
     set forth the recommendations of the Sergeant at Arms for 
     regulations under subsection (a).
       (2) Comment.--Before adopting regulations, the Sergeant at 
     Arms shall provide a comment period of at least 30 days after 
     publication of general notice of proposed rulemaking.
       (3) Adoption.--After considering comments, the Sergeant at 
     Arms shall adopt regulations and shall transmit notice of 
     such action together with a copy of such regulations to the 
     President pro tempore of the Senate for publication in the 
     Congressional Record on the first day on which the Senate is 
     in session following such transmittal.
       (c) Approval of Regulations.--
       (1) In general.--The regulations adopted by the Sergeant at 
     Arms may be approved by the Senate by resolution.
       (2) Referral.--Upon receipt of a notice of adoption of 
     regulations under subsection (b)(3), the presiding officers 
     of the Senate shall refer such notice, together with a copy 
     of such regulations, to the Committee on Rules and 
     Administration of the Senate. The purpose of the referral 
     shall be to consider whether such regulations should be 
     approved.
       (3) Joint referral and discharge.--The presiding officer of 
     the Senate may refer the notice of issuance of regulations, 
     or any resolution of approval of regulations, to one 
     committee or jointly to more than one committee. If a 
     committee of the Senate acts to
     report a jointly referred measure, any other committee of the 
     Senate must act within 30 calendar days of continuous 
     session, or be automatically discharged.
       (4) Resolution of approval.--In the case of a resolution of 
     the Senate, the matter after the resolving clause shall be 
     the following: ``the following regulations issued by the 
     Sergeant at Arms on ---------- ----, 2------ are hereby 
     approved:'' (the blank spaces being appropriately filled in 
     and the text of the regulations being set forth).
       (d) Issuance and Effective Date.--
       (1) Publication.--After approval of the regulations under 
     subsection (c), the Sergeant at Arms shall submit the 
     regulations to the President pro tempore of the Senate for 
     publication in the Congressional Record on the first day on 
     which the Senate is in session following such transmittal.
       (2) Date of issuance.--The date of issuance of the 
     regulations shall be the date on which they are published in 
     the Congressional Record under paragraph (1).
       (3) Effective date.--The regulations shall become effective 
     not less than 60 days after the regulations are issued, 
     except that the Sergeant at Arms may provide for an earlier 
     effective date for good cause found (within the meaning of 
     section 553(d)(3) of title 5, United States Code) and 
     published with the regulation.
       (e) Amendment of Regulations.--Regulations may be amended 
     in the same manner as is described in this section for the 
     adoption, approval, and issuance of regulations, except that 
     the Sergeant at Arms may dispense with publication of a 
     general notice of proposed rulemaking of minor, technical, or 
     urgent amendments that satisfy the criteria for dispensing 
     with publication of such notice pursuant to section 553(b)(B) 
     of title 5, United States Code.
       (f) Right to Petition for Rulemaking.--Any interested party 
     may petition to the Sergeant at Arms for the issuance, 
     amendment, or repeal of a regulation.

                         TITLE IX--DEFINITIONS

     SEC. 901. DEFINITIONS.

       In this Act:
       (1) Operator of a commercial website.--The term ``operator 
     of a commercial website''--
       (A) means any person who operates a website located on the 
     Internet or an online service and who collects or maintains 
     personal information from or about the users of or visitors 
     to such website or online service, or on whose behalf such 
     information is collected or maintained, where such website or 
     online service is operated for commercial purposes, including 
     any person offering products or services for sale through 
     that website or online service, involving commerce--
       (i) among the several States or with 1 or more foreign 
     nations;
       (ii) in any territory of the United States or in the 
     District of Columbia, or between any such territory and--

       (I) another such territory; or
       (II) any State or foreign nation; or

       (iii) between the District of Columbia and any State, 
     territory, or foreign nation; but
       (B) does not include any nonprofit entity that would 
     otherwise be exempt from coverage under section 5 of the 
     Federal Trade Commission Act (15 U.S.C. 45).
       (2) Disclose.--The term ``disclose'' means the release of 
     personally identifiable information about a user of an 
     Internet service, online service, or commercial website by an 
     Internet service provider, online service provider, or 
     operator of a commercial website for any purpose, except 
     where such information is provided to a person who provides 
     support for the internal operations of the service or website 
     and who does not disclose or use that information for any 
     other purpose.
       (3) Release.--The term ``release of personally identifiable 
     information'' means the direct or indirect, active or 
     passive, sharing, selling, renting, or other provision of 
     personally identifiable information of a user of an Internet 
     service, online service, or commercial website to any other 
     person other than the user.
       (4) Internal operations support.--The term ``support for 
     the internal operations of a service or website'' means any 
     activity necessary to maintain the technical functionality of 
     that service or website.
       (5) Collect.--The term ``collect'' means the gathering of 
     personally identifiable information about a user of an 
     Internet service, online service, or commercial website by or 
     on behalf of the provider or operator of that service or 
     website by any means, direct or indirect, active or passive, 
     including--
       (A) an online request for such information by the provider 
     or operator, regardless of how the information is transmitted 
     to the provider or operator;
       (B) the use of a chat room, message board, or other online 
     service to gather the information; or
       (C) tracking or use of any identifying code linked to a 
     user of such a service or website, including the use of 
     cookies.
       (3) Cookie.--The term ``cookie'' means any program, 
     function, or device, commonly known as a ``cookie'', that 
     makes a record on the user's computer (or other electronic 
     device) of that user's access to an Internet service, online 
     service, or commercial website.
       (4) Federal agency.--The term ``Federal agency'' means an 
     agency, as that term is defined in section 551(1) of title 5, 
     United States Code.
       (5) Internet.--The term ``Internet'' means collectively the 
     myriad of computer and telecommunications facilities, 
     including equipment and operating software, which comprise 
     the interconnected world-wide network of networks that employ 
     the Transmission Control Protocol/Internet Protocol, or any 
     predecessor or successor protocols to such protocol, to 
     communicate information of all kinds by wire or radio.
       (6) Personally identifiable information.--The term 
     ``personally identifiable information'' means individually 
     identifiable information about an individual collected 
     online, including--
       (A) a first and last name, whether given at birth or 
     adoption, assumed, or legally changed;
       (B) a home or other physical address including street name 
     and name of a city or town;
       (C) an e-mail address;
       (D) a telephone number;
       (E) a Social Security number;
       (F) a credit card number;
       (G) a birth date, birth certificate number, or place of 
     birth;
       (H) any other identifier that the Commission determines 
     permits the physical or online contacting of a specific 
     individual; or
       (I) unique identifying information that an Internet service 
     provider, online service provider, or operator of a 
     commercial website collects and combines with an identifier 
     described in this paragraph.
       (7) Internet service provider; online service provider; 
     website.--The Commission shall by rule define the terms 
     ``Internet service provider'', ``online service provider'', 
     and ``website'', and shall revise or amend such rule to take 
     into account changes in technology, practice, or procedure 
     with respect to the collection of personal information over 
     the Internet.
       (8) Offline.--The term ``offline'' refers to any activity 
     regulated by this Act or by section 2710 of title 18, United 
     States Code, that occurs other than by or through the active 
     or passive use of an Internet connection, regardless of the 
     medium by or through which that connection is established.
       (9) Online.--The term ``online'' refers to any activity 
     regulated by this Act or by section 2710 of title 18, United 
     States Code, that is effected by active or passive use of an 
     Internet connection, regardless of the medium by or through 
     which that connection is established.

  Mr. EDWARDS. Mr. President, Big Browser is watching you. Almost every 
time you or I or an American consumer surfs the Internet, someone is 
tracking our movements. And someone is compiling a databank of 
information about our preferences and could even be profiling us.
  Maybe they're doing it to make our experience better. Most of the 
time, they probably are. But too often we are being profiled for 
profit, and at the expense of privacy.
  I am proud to co-sponsor Senator Hollings' legislation, the Consumer 
Privacy Protection Act, that would help consumers gain control of their 
most personal information. I believe that the measure we introduce 
today is a step in the right direction. It strikes the right balance. 
Privacy is protected, while critical elements of the information 
revolution are preserved. Consumer confidence in the Internet is 
bolstered, while businesses will not be overburdened by the 
requirements.
  We can enjoy the convenience of online shopping and allow e-commerce 
to thrive without putting profits over privacy. Consumers, not dot.com 
companies, should control the use of confidential information about 
buying habits, credit card records and other personal information.
  Mr. President, the time to act is now. If not, we may wake up one day 
to find our privacy so thoroughly eroded that recovering it will be 
almost impossible.
  No one denies that the rapid development of modern technology has 
been beneficial. New and improved technologies have enabled us to 
obtain information more quickly and easily than ever before. Students 
can participate in classes that are being taught in other states, or 
even in other countries. Almost no product or piece of information is 
beyond the reach of Americans anymore. A farmer in Sampson County, 
North Carolina can go on the Internet and compare prices for anything 
he needs to run his business. Or he can look up critical weather 
information on the Internet. Or he can just order a hard-to-get book. 
Meanwhile, companies have streamlined their processes for providing 
goods and services.
  But these remarkable developments can have a startling downside. They 
have made it easier to track personal information such as medical and 
financial records and buying habits. They have made it profitable to do 
so. And in turn, our ability to keep our personal information private 
is being eaten away.
  The impact of this erosion ranges from the merely annoying--having 
your mailbox flooded with junkmail--to the actually frightening--having 
your identity stolen or being turned down for a loan because your bank 
got copies of your medical records. There are thousands of ways that 
the loss of our privacy can impact us. Many of them are intangible--
just the discomfort of knowing that complete strangers can find out 
everything about you: where you shop, what books you buy, whether you 
have allergies, and what your credit rating is. These strangers may not 
do anything bad with the information, but they know all about you. I 
think privacy is a value per se. Our founding fathers recognized it, 
and so too do most Americans.
  ``Liberty in the constitutional sense,'' wrote Justice William O. 
Douglas, ``must mean more than freedom from unlawful governmental 
restraint; it must include privacy as well, if it is to be a repository 
of freedom. The right to be let alone is indeed the beginning of all 
freedom.''
  Recent surveys indicate that the American public is increasingly 
uneasy about the degradation of their privacy. In a recent Business 
Week poll, 92 percent of Internet users expressed discomfort about Web 
sites sharing personal information with other sites. Meanwhile, an FTC 
report issued yesterday indicated that only 42 percent of the most 
popular Internet sites comply with the four key fair information 
practices--notice about what data is collected, consumer choice about 
whether the data will be shared with third-parties, consumer access to 
the data, and security regarding the transmission of data.
  We must be vigilant that our privacy does not become a commodity to 
be bought and sold.
  I would also like to point out one area of privacy protection that I 
have been deeply interested in. Last November, I introduced the 
Telephone Call Privacy Act. My bill would prevent telecommunications 
companies from using an individual's personal phone call records 
without their consent. Most Americans would be stunned to learn that 
the law does not protect them from having their phone records sold to 
third parties. Imagine getting a call one night--during dinner--and 
having a telemarketer try to sell you membership in a travel club 
because your phone calling patterns show frequent calls overseas. My 
legislation would prevent this from occurring without the individual's 
permission.
  This measure we introduce today also contains a provision relating to 
telephone privacy. It differs in at least one key respect from the 
legislation I previously introduced, but my hope is that as we discuss 
this issue over time, the differences will be resolved.
  Mr. President, let me conclude by thanking Senators Hollings and 
Leahy for their leadership on this vital issue. Senator Hollings has 
crafted the comprehensive and thoughtful proposal that we introduce 
today. Senator Leahy has led a coalition of Senators interested in this 
issue. I look forward to working with them and my other colleagues in 
passing this measure.
  Mr. CLELAND. Mr. President, the information highway began just a few 
years ago as a footpath and is now an unlimited lane expressway with no 
rush hour. People can now use the Internet to shop at virtual stores 
located thousands of miles away, find turn-by-turn directions to far 
away destinations and journey to hamlets, cities and states across the 
country--and indeed around the world--without ever leaving home.
  While the virtual world is available to us with a few key strokes and 
mouse clicks, there is one area of the Internet that many are finding 
troublesome. It is the collection and use of personal data. All too 
often web surfers are providing personal information about themselves 
at the websites they visit, without their knowledge and consent. There 
is so much information being collected every day that it would take a 
building the size of the Library of Congress to store it all in. That 
is a lot of information, much of which is very personal and I believe 
it must be kept that way.
  Concern about one's privacy on the Internet is keeping people from 
fully enjoying this marvelous technology. According to a recent survey 
by the Center for Democracy & Technology, consumers' most pressing 
privacy issues are the sale of personal information and tracking 
people's use of the Web. In another recent survey, 66.7 percent of 
online ``window shoppers'' state that assurances of privacy will be the 
basis for their making online purchases. These surveys make the same 
point that was made when credit cards were first introduced to the 
American public. Back then, credit cards did not initially enjoy 
widespread usage because of a fear that others could misuse the card. 
From these studies' findings it can be reasoned that the Internet is 
experiencing the same effects because of privacy concerns. These 
concerns are translating into lost opportunity, for consumers as well 
as electronic businesses.
  Most of the Dot Com companies doing business over the Internet today 
are very cognizant of the fact that privacy is a major concern for 
their customers. Many of these firms allow visitors to their web site 
to ``opt out,'' or elect not to provide data they consider private and 
do not wish to give. A Federal Trade Commission May 2000 Report to 
Congress found that 92 percent of a random sampling of websites were 
collecting great amounts of personal information from consumers and 
only 14% disclosed anything about how the information would be used. 
More interesting in this report was the finding that a mere 41% of the 
randomly selected websites notified the visitor of their information 
practices and offered the visitor choices on how their personal 
identifying information would be used. These report findings seem to 
suggest that industry efforts by themselves are not sufficient to 
control the gathering and dissemination of personal data.
  There are some Dot Coms that are not concerned about the privacy of 
their customers. These firms are successfully collecting enormous 
amounts of data about a person and in turn sell it to others or use it 
to intensify the advertising aimed at that person. At one website 
visit, a company can collect some very interesting facts about the 
person who is on the other end. While surfing the web the other day, I 
hit on a website that was designed to provide me with information about 
my PC. The report the site provided opened my eyes about the types of 
information that could be obtained from a website visitor in less than one 
minute. In this small amount of time it could tell what other sites I 
had visited, what sites I would likely visit in the future, what plug-
ins are installed on my PC, how my domain is configured and a whole lot 
more information that I did not understand. Many consider this type of 
tracking capability akin to stalking. I believe that the information 
that can be collected by website administrators can create problems for 
people through a violation of trust and an invasion of privacy. Novice 
Internet users are generally unaware, as I was until visiting this 
site, of the extent of the information being collected on them. Even 
those who are aware of the capabilities of firms to collect private 
data are frightened by what can happen with the information once it is 
collected.
  I am proud to be cosponsoring the Consumer Privacy Protection Act of 
2000 that was introduced today by Senator Hollings. This Act will 
legitimize the practices currently being used by many reputable firms 
who are collecting private data. Does it seem unreasonable that firms 
collecting private data should notify consumers of the firm's 
information practices, offer the consumer choices on how the personal 
information will be used, allow consumers to access the information 
that is collected on them and require the firms to take reasonable 
steps to protect the security of the information that is collected? I 
think not. Firms like Georgia-based VerticalOne are already performing 
under standards very similar to these. I believe that all firms should 
be held to the same standard and that a level playing field should be 
established for every firm that is collecting data. Taking these 
actions will translate into greater consumer confidence in the 
Internet.
  Increasing the level of protection for private information to a level 
that the people of our nation can live with should be a welcome relief 
to those firms already providing fair privacy treatment of their site 
visitors. This Act certainly will be a relief to the people who are 
visiting their sites.
Passing this Consumer Privacy Protection Act will help prevent 
confusion by establishing a common set of standards for all firms to 
follow and all Americans to enjoy.
                                 ______