[Congressional Record Volume 146, Number 99 (Wednesday, July 26, 2000)]
[Senate]
[Pages S7668-S7672]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. McCAIN (for himself, Mr. Kerry, Mr. Abraham, and Mrs. 
        Boxer):
  S. 2928. A bill to protect the privacy of consumers who use the 
Internet; to the Committee on Commerce, Science, and Transportation.


             the consumer internet privacy enhancement act

  Mr. McCAIN. Mr. President, I am pleased to join my colleagues from 
Massachusetts, Michigan, and California to introduce the Consumer 
Internet Privacy Enhancement Act. The purpose of this legislation is 
simple. We want to ensure that commercial websites inform consumers 
about how their personal information is treated, and give consumers 
meaningful choices about the use of that information. While the purpose 
of this legislation is simple, the task my colleagues and I are seeking 
to accomplish is complex and difficult.
  The Internet is a tremendous medium spurring the world's economy and 
allowing people to communicate in ways that were unimaginable a few 
short years ago. The Internet revolution is transforming our lives and 
our economy at an incredible pace. Like any other technological 
revolution it promises great opportunities, and it presents new 
concerns and fears.
  Chief among those concerns is the ability of the Internet to further 
erode individual privacy. Since the beginning of commerce, business has 
sought to learn more about consumers. The ability of the internet to 
aid business in the collection, storage, transfer, and analysis of 
information about a consumer's habits is unprecedented. While this 
technology can allow business to better target goods and services, it 
also has increased consumer fears about the collection and use of 
personally identifiable information.
  Since 1998, the Federal Trade Commission has examined this issue in a 
series of reports to Congress. The FTC and privacy organizations formed 
by industry identified ``four fair information practices'' which should 
be utilized by websites that collect personally identifiable 
information. In simple terms, these practices are notice of what 
information is collected and how it is used; choice as to how that 
information is used; access by the user to information collected about 
them; and appropriate measures to ensure the security of the 
information.
  Over the last three years industry has worked diligently to develop 
and implement privacy policies utilizing the four fair information 
practices. While industry has made progress in providing consumers with 
some form of notice of their information practices, there is much work 
to be done to improve the depth and clarity of privacy policies.
  The legislation we introduce today should not be viewed as a failure 
on the part of industry to address privacy. Instead industry's efforts 
over the past few years have driven the development of standards which 
serve as the model for this legislation. Our objective is to provide 
for enforceable standards to ensure that all websites provide consumers 
with clear and conspicuous notice and meaningful choices about how 
their information is used.

  Currently, some websites have privacy policies that are confusing and 
make it difficult for consumers to restrict the use of information. 
During a recent hearing before the Senate Commerce Committee, the 
Chairman of the Federal Trade Commission--a former dean of Georgetown 
Law School--expressed his own difficulties in understanding some 
privacy policies.
  Privacy is harmed not enhanced when consumers are lost in a fog of 
legalese. Some current privacy policies confuse and contradict rather 
than provide clear and conspicuous notice of a consumer's rights.
  The bill my colleagues and I introduce today attempts to end some of 
this confusion by providing for enforceable standards that will both 
protect consumers and allow for the continued growth of e-commerce. 
Specifically, the bill would require websites to provide clear and 
conspicuous notice of their information practices. It also requires 
websites to provide consumers with an easy method to limit the use and 
disclosure of information.
  The provisions of the bill are enforceable by the FTC. States 
Attorneys General could also bring suits in federal court under the Act 
using a mechanism similar to the Telemarketing Sales Rule. We also 
propose a civil penalty of $22,000 per violation with a maximum fine of 
$500,000. Currently, the FTC can only seek civil penalties if an 
individual or business is under an order for past behavior.
  The legislation also preempts state law to ensure that the law 
governing the collection of personally identifiable information is 
uniform. Finally, the bill would direct the National Academy of 
Sciences to conduct a study of privacy to examine the collection of 
personal information in the offline-world as well as methods to provide 
consumers with access to information collected by them.
  Despite our best efforts I recognize this bill does not address all 
of the
issues affecting online privacy. As I said earlier, this is a complex 
and difficult issue. Other related concerns that should be addressed 
will continue to arise as we consider this measure. For example, the 
sale of data during bankruptcy, the use of software also known as 
spyware that can transfer personal information while online without the 
user's consent or knowledge, and the government's use and dissemination 
of personally identifiable information online.
  Additionally, other new ways to help resolve the issue of online 
privacy will also arise as we consider this measure. The 
deployment of technology that will enable consumers to protect their 
privacy is one issue we should expect to address. Another issue is the 
use of verifiable assessment procedures to ensure that websites are 
following their posted privacy policies.
  The discovery of new issues and new solutions as we move through this 
process will serve to highlight the difficulty and complexity of 
dealing with this issue. It is not my intention to rush to judgment on 
these matters. Instead, I firmly believe the best way to protect 
consumers and provide for the continued growth of e-commerce is to give 
privacy careful and thoughtful deliberation before we act.
  Mr. President, it is clear that businesses should inform consumers in 
a clear and conspicuous manner about how they treat personal 
information and give consumers meaningful choices as to how that 
information is used. While some of us may disagree on the manner in 
which we meet this goal, we all agree that it must be done. I look 
forward to working with my colleagues and addressing their concerns as 
we move through the legislative process.
  Mr. President, I ask unanimous consent to print the full text of the 
bill in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2928

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Consumer Internet Privacy 
     Enhancement Act''.

     SEC. 2. COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--It is unlawful for a commercial website 
     operator to collect personally identifiable information 
     online from a user of that website unless the operator 
     provides--
       (1) notice to the user on the website in accordance with 
     the requirements of subsection (b); and
       (2) an opportunity to that user to limit the use for 
     marketing purposes, or disclosure to third parties of 
     personally identifiable information collected that is--
       (A) not related to provision of the products or services 
     provided by the website; or
       (B) not required to be disclosed by law.
       (b) Notice.--
       (1) In general.--For purposes of subsection (a), notice 
     consists of a statement that informs a user of a website of 
     the following:
       (A) The identity of the operator of the website and of any 
     third party the operator knowingly permits to collect 
     personally identifiable information from users through the 
     website, including the provision of an electronic means of 
     going to a website operated by any such third party.
       (B) A list of the types of personally identifiable 
     information that may be collected online by the operator and 
     the categories of information the operator may collect in 
     connection with the user's visit to the website.
       (C) A description of how the operator uses such 
     information, including a statement as to whether the 
     information may be sold, distributed, disclosed, or otherwise 
     made available to third parties for marketing purposes.
       (D) A description of the categories of potential recipients 
     of any such personally identifiable information.
       (E) Whether the user is required to provide personally 
     identifiable information in order to use the website and any 
     other consequences of failure to provide that information.
       (F) A general description of what steps the operator takes 
     to protect the security of personally identifiable 
     information collected online by that operator.
       (G) A description of the means by which a user may elect 
     not to have the user's personally identifiable information 
     used by the operator for marketing purposes or sold, 
     distributed, disclosed, or otherwise made available to a 
     third party, except for--
       (i) information related to the provision of the product or 
     service provided by the website; or
       (ii) information required to be disclosed by law.
       (H) The address or telephone number at which the user may 
     contact the website operator about its information practices 
     and also an electronic means of contacting the operator.
       (2) Form of notice.--The notice required by subsection (a) 
     shall be clear, conspicuous, and easily understood.
       (3) Opportunity to limit disclosure.--The opportunity 
     provided to users to limit use and disclosure of personally 
     identifiable information shall be easy to use, easily 
     accessible, and shall be available online.
       (c) Inconsistent State Law.--No State or local government 
     may impose any liability for commercial activities or actions 
     by a commercial website operator in interstate or foreign 
     commerce in connection with an activity or action described 
     in this Act that is inconsistent with, or more restrictive 
     than, the treatment of that activity or action under this 
     section.
       (d) Safe Harbor.--A commercial website operator may not be 
     held to have violated any provision of this Act if it 
     complies with self-regulatory guidelines that--
       (1) are issued by seal programs or representatives of the 
     marketing or online industries or by any other person; and
       (2) are approved by the Commission as containing all the 
     requirements set forth in subsection (b).

     SEC. 3. ENFORCEMENT.

       (a) In General.--The violation of section 2(a) or (b) shall 
     be treated as a violation of a rule defining an unfair or 
     deceptive act or practice in or affecting commerce proscribed 
     by section 18(a)(1)(B) of the Federal Trade Commission Act 
     (15 U.S.C. 57(a)(1)(B)).
       (b) Enforcement by Certain Other Agencies.-- Compliance 
     with section 2(a) or (b) shall be enforced under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks, by the Office of the Comptroller 
     of the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25(a) of the 
     Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), 
     by the Board; and
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System) and insured State branches of foreign banks, by the 
     Board of Directors of the Federal Deposit Insurance 
     Corporation;
       (2) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), by the Director of the Office of Thrift 
     Supervision, in the case of a savings association the 
     deposits of which are insured by the Federal Deposit 
     Insurance Corporation;
       (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the National Credit Union Administration Board with 
     respect to any Federal credit union;
       (4) part A of subtitle VII of title 49, United States Code, 
     by the Secretary of Transportation with respect to any air 
     carrier or foreign air carrier subject to that part;
       (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
     seq.) (except as provided in section 406 of that Act (7 
     U.S.C. 226, 227)), by the Secretary of Agriculture with 
     respect to any activities subject to that Act; and
       (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
     the Farm Credit Administration with respect to any Federal 
     land bank, Federal land bank association, Federal 
     intermediate credit bank, or production credit association.
       (c) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (b) of its 
     powers under any Act referred to in that subsection, a 
     violation of section 2(a) or (b) is deemed to be a violation 
     of a requirement imposed under that Act. In addition to its 
     powers under any provision of law specifically referred to in 
     subsection (b), each of the agencies referred to in that 
     subsection may exercise, for the purpose of enforcing 
     compliance with any requirement imposed under section 2(a) or 
     (b), any other authority conferred on it by law.
       (d) Actions by the Commission.--The Commission shall 
     prevent any person from violating section 2(a) or (b) in the 
     same manner, by the same means, and with the same 
     jurisdiction, powers, and duties as though all applicable 
     terms and provisions of the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.) were incorporated into and made a part of 
     this Act. Any entity that violates any provision of that 
     title is subject to the penalties and entitled to the 
     privileges and immunities provided in the Federal Trade 
     Commission Act in the same manner, by the same means, and 
     with the same jurisdiction, power, and duties as though all 
     applicable terms and provisions of the Federal Trade 
     Commission Act were incorporated into and made a part of that 
     title.
       (e) Relationship to Other Laws.--
       (1) Commission authority.--Nothing contained in this Act 
     shall be construed to limit the authority of the Commission 
     under any other provision of law.
       (2) Communications act.--Nothing in section 2(a) or (b) 
     requires an operator of a website to take any action that is 
     inconsistent with the requirements of section 222 or 631 of 
     the Communications Act of 1934 (47 U.S.C. 222 or 551, 
     respectively).
       (3) Other acts.--Nothing in this Act is intended to affect 
     any provision of, or any amendment made by--
       (A) the Children's Online Privacy Protection Act of 1998;
       (B) the Gramm-Leach-Bliley Act; or
       (C) the Health Insurance Portability and Accountability Act 
     of 1996.
       (f) Civil Penalty.--In addition to any other penalty 
     applicable to a violation of section 2(a), there is hereby 
     imposed a civil penalty of $22,000 for each such violation. 
     In the event of a continuing violation, each day on which the 
     violation continues shall be considered as a separate 
     violation for purposes of this subsection. The maximum 
     penalty under this subsection for a related series of 
     violations is $500,000. For purposes of this subsection, the 
     violation of an order issued by the Commission under this Act 
     shall not be considered to be a violation of section 2(a) of 
     this Act.

     SEC. 4. ACTIONS BY STATES.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that violates section 2(a) or (b), the State, as 
     parens patriae, may bring a civil action on behalf of the 
     residents of the State in a district court of the United 
     States of appropriate jurisdiction to--
       (A) enjoin that practice;
       (B) obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (C) obtain such other relief as the court may consider to 
     be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Commission--
       (i) written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general 
     determines that it is not feasible to provide the notice 
     described in that subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (2) Effect of intervention.--If the Commission intervenes 
     in an action under subsection (a), it shall have the right--
       (A) to be heard with respect to any matter that arises in 
     that action; and
       (B) to file a petition for appeal.
       (3) Amicus curiae.--Upon application to the court, a person 
     whose self-regulatory guidelines have been approved by the 
     Commission and are relied upon as a defense by any defendant 
     to a proceeding under this section may file amicus curiae in 
     that proceeding.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this Act shall be 
     construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of section 2(a) or (b) no State may, during the 
     pendency of that action, institute an action under subsection 
     (a) against any defendant named in the complaint in that 
     action for violation of that rule.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 5. STUDY OF ONLINE PRIVACY.

       (a) In General.--Within 90 days after the date of enactment 
     of this Act, the Commission shall execute a contract with the 
     National Research Council of the National Academy of Sciences 
     for a study of privacy that will examine causes for concern 
     about privacy in the information age and tools and strategies 
     for responding to those concerns.
       (b) Scope.--The study required by subsection (a) shall--
       (1) survey the risks to, and benefits associated with the 
     use of, personal information associated with information 
     technology, including actual and potential issues related to 
     trends in technology;
       (2) examine the costs and benefits involved in the 
     collection and use of personal information;
       (3) examine the differences, if any, between the collection 
     and use of personal information by the online industry and 
     the collection and use of personal information by other 
     businesses;
       (4) examine the costs, risks, and benefits of providing 
     consumer access to information collected online, and examine 
     approaches to providing such access;
       (5) examine the security of personal information collected 
     online;
       (6) examine such other matters relating to the collection, 
     use, and protection of personal information online as the 
     Council and the Commission consider appropriate; and
       (7) examine efforts being made by industry to provide 
     notice, choice, access, and security.
       (c) Recommendations.--Within 12 months after the 
     Commission's request under subsection (a), the Council shall 
     complete the study and submit a report to the Congress, 
     including recommendations for private and public sector 
     actions including self-regulation, laws, regulations, or 
     special agreements.
       (d) Agency Cooperation.--The head of each Federal 
     department or agency shall, at the request of the Commission 
     or the Council, cooperate as fully as possible with the 
     Council in its activities in carrying out the study.
       (e) Funding.--The Commission is authorized to obligate 
     not more than $1,000,000 to carry out this section from funds 
     appropriated to the Commission.

     SEC. 6. DEFINITIONS.

       In this Act:
       (1) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (2) Commercial website operator.--The term ``operator of a 
     commercial website''--
       (A) means any person who operates a website located on the 
     Internet or an online service and who collects or maintains 
     personal information from or about the users of or visitors 
     to such website or online service, or on whose behalf such 
     information is collected or maintained, where such website or 
     online service is operated for commercial purposes, including 
     any person offering products or services for sale through 
     that website or online service, involving commerce--
       (i) among the several States or with 1 or more foreign 
     nations;
       (ii) in any territory of the United States or in the 
     District of Columbia, or between any such territory and--

       (I) another such territory; or
       (II) any State or foreign nation; or

       (iii) between the District of Columbia and any State, 
     territory, or foreign nation; but
       (B) does not include any nonprofit entity that would 
     otherwise be exempt from coverage under section 5 of the 
     Federal Trade Commission Act (15 U.S.C. 45).
       (3) Collect.--The term ``collect'' means the gathering of 
     personally identifiable information about a user of an 
     Internet service, online service, or commercial website by or 
     on behalf of the provider or operator of that service or 
     website by any means, direct or indirect, active or passive, 
     including--
       (A) an online request for such information by the provider 
     or operator, regardless of how the information is transmitted 
     to the provider or operator;
       (B) the use of an online service to gather the information; 
     or
       (C) tracking or use of any identifying code linked to a 
     user of such a service or website, including the use of 
     cookies.
       (4) Internet.--The term ``Internet'' means collectively the 
     myriad of computer and telecommunications facilities, 
     including equipment and operating software, which comprise 
     the interconnected world-wide network of networks that employ 
     the Transmission Control Protocol/Internet Protocol, or any 
     predecessor or successor protocols to such protocol, to 
     communicate information of all kinds by wire or radio.
       (5) Personally identifiable information.--The term 
     ``personally identifiable information'' means individually 
     identifiable information about an individual collected 
     online, including--
       (A) a first and last name, whether given at birth or 
     adoption, assumed, or legally changed;
       (B) a home or other physical address including street name 
     and name of a city or town;
       (C) an e-mail address;
       (D) a telephone number;
       (E) a Social Security number; or
       (F) unique identifying information that an Internet service 
     provider or operator of a commercial website collects and 
     combines with any information described in the preceding 
     subparagraphs of this paragraph.
       (6) Online.--The term ``online'' refers to any activity 
     regulated by this Act or by section 2710 of title 18, United 
     States Code, that is effected by active or passive use of an 
     Internet connection, regardless of the medium by or through 
     which that connection is established.
       (7) Third party.--The term ``third party'', when used in 
     reference to a commercial website operator, means any person 
     other than the operator.

  Mr. KERRY. Mr. President, I am pleased to join Senators McCain, Boxer 
and Abraham in announcing that today we will be introducing a bill that 
takes a positive, balanced approach to the issue of Internet privacy. 
There can be no doubt that consumers have a legitimate expectation of 
privacy on the Internet. Our bill protects that interest. At the same 
time, consumers want an Internet that is free. For that to happen, the 
Internet, like television, must be supported by advertising. Our bill 
will allow companies to continue to advertise, ensuring that we
don't have a subscription-based Internet, which would limit everyone's 
online activities and contribute to a digital divide.
  If we recognize that the economy of the Internet calls for 
advertising, we must also recognize that it won't attract consumers if 
they believe their privacy is being violated. Finding this fine balance 
of permitting enough free flow of information to allow ads to work and 
protecting consumers' privacy is going to be critical if the Internet 
is going to reach its full potential. And I believe this bill strikes 
the right balance.
  I think all of the bill's cosponsors were hopeful that 
self-regulation of Internet privacy would work. And I think self-regulation 
still has an important role to play. But it seems that now it is up to 
Congress to establish a floor for Internet privacy. I have no doubt 
that many innovative high tech companies and advertisers will go beyond 
the regulations for notice and choice we provide here. A number of 
companies in my home state of Massachusetts already do, providing 
consumers with anonymity when they go online. I applaud and encourage 
those efforts and am certain that if Congress enacts this bill, they 
will continue.
  But technology and innovation won't address all the concerns people 
have about Internet privacy. Congress has the responsibility to ensure 
that core privacy principles are the norm throughout the online world. 
We need to respond to the consumers who don't shop on the Internet 
because they are concerned about their privacy. This is necessary not 
only for the sake of the consumers, but for every online business that 
wants to grow and attract customers.
  The bill that we are introducing today will encourage those skeptical 
consumers to go online. This legislation will require Web sites to 
clearly and conspicuously disclose their privacy policies. People 
deserve to know what information may be collected and how it may be 
used so that they can make an informed decision before they navigate 
around or shop on a particular Web site. They shouldn't have to click 
five times and need to translate legalese before they know what a site 
will do with their personal information. Requiring disclosure has the 
added benefit of providing the FTC with an enforcement mechanism. If a 
Web site fails to comply with its posted disclosure policy, the FTC can 
bring an action against it for unfair or deceptive acts. This is the 
bare minimum of what I believe consumers deserve and expect, and I 
don't think this would have any unintended or negative consequences on 
e-commerce.
  In addition, this bill addresses the core principle of choice by 
requiring Web sites to offer consumers an easy to use method to prevent 
Web sites from using personally identifiable information for marketing 
purposes and to prevent them from selling that information to third 
parties. This bill empowers consumers and lets them make informed 
decisions that are right for them.
  By ensuring consumers have the right to full disclosure and the right 
to not have their personally identifiable information sold or 
disclosed, this bill addresses the most fundamental concerns many 
people have about online privacy. But I believe there are still a 
number of important questions that we need to answer. The first is 
whether there is a difference between privacy in the offline and online 
worlds.
  Most of us hardly think about it when we go to the supermarket, but 
when Safeway or Giant scans my discount card or my credit card, it has 
a record of exactly who I am and what I bought. Should my preferences 
at the supermarket be any more or less protected than the choices I 
make online?
  Likewise, catalog companies compile and use offline information to 
make marketing decisions. These companies rent lists compiled by list 
brokers. The list brokers obtain marketing data and names from the 
public domain and governments, credit bureaus, financial institutions, 
credit card companies, retail establishments, and other catalogers and 
mass mailers.
  On the other hand, when I go to the shopping mall and look at five 
different sweaters but don't buy any of them, no one has a record of 
that. If I do the same thing online, technology can record how long I 
linger over an item, even if I don't buy it. Likewise, I can pick up 
any book in a book store and pay in cash and no one will ever know my 
reading preferences. That type of anonymity can be completely lost 
online.
  This bill requires the National Research Council to study the issue 
of online versus offline privacy, and make a recommendation if there is 
a need for additional legislation in either area.
  Likewise, this bill requires the Council to study the issue of 
access. While there is general agreement that consumers should have 
access to information they provided to a Web site, we still don't know 
whether it's necessary or proper for consumers to have access to all of 
the information gathered about an individual. Should consumers have 
access to click-stream data or so-called derived data by which a 
company uses compiled information to make a marketing decision about 
the consumer? And if we decide consumers need some access to this type 
of information, is it technologically feasible? Will there be unforeseen 
or unintended consequences such as an increased risk of security 
breaches? Will there be less, rather than more, privacy due to the 
necessary coupling of names and data? I don't think we are ready to regulate until we 
have some consensus on this issue.
  Finally, it is important to add that this bill in no way limits what 
Congress has done or hopefully will do with respect to a person's 
health or financial information. When sensitive information is 
collected, it is even more important that stringent privacy protections 
are in place. I have supported a number of legislative efforts that 
would go far to protect this type of information.
  Mr. ABRAHAM. Mr. President, today I rise to join with the Senator 
from Arizona, the Senator from Massachusetts, and the Senator from 
California in introducing the Consumer Privacy Enhancement Act. This 
legislation will provide Americans with some basic--but critically 
important--protections for their personal information when they are 
online.
  Privacy has always been a very serious issue to American citizens. It 
is a concept enshrined in our Bill of Rights. As persons from all walks 
of life become increasingly reliant on computers and the Internet to 
perform everyday tasks, it is incumbent upon policymakers to ensure 
that adequate privacy protections exist for consumers. We must ensure 
that our laws evolve along with technology and continue to provide 
effective privacy protection for consumers surfing the World Wide Web 
and using the Internet for commercial activities.
  The American people are letting it be known that they have mounting 
concerns about their vulnerability in this digital age. They are very 
concerned about the advent of this new high-tech era we've entered and 
the new threats it potentially poses to our personal privacy. And I 
believe there is a consensus building in Congress to begin to tackle 
the question of ensuring adequate privacy protections for individuals 
using the Internet.
  Whether we can find a similar consensus on a particular legislative 
proposal remains to be seen. However, I think it is imperative that we 
begin to address this topic now and not simply wait until Congress 
reconvenes next year before we take the issue up. So I have joined my 
colleagues here in introducing legislation that I think accomplishes 
several important objectives.
  The most important provision, I believe, is its most elemental 
concept: We require that before consumers are asked to provide personal 
information about themselves, they must be given an opportunity to 
review the website's privacy policy in order to learn how their 
information will be utilized. While many websites have privacy 
policies, including the vast majority of those websites receiving the 
most traffic, there are still many websites out there that do not offer 
privacy policies or adequate protections for consumers.
  In addition, many of the privacy policies that do exist are very 
lengthy and often quite confusing to consumers. There are pages and 
pages of ambiguous legalese and often seemingly contradictory claims 
about how protected your information truly is. So our bill also calls 
on the Federal Trade Commission to ensure that privacy policies
are ``clear, conspicuous, and easily understood,'' and that any consent 
mechanisms shall be ``easy to use, easily accessible, and shall be 
available online.''
  Finally, this legislation recognizes the importance of allowing the 
Internet industry to continue to promote greater self-regulation and to 
develop new technology means for to continue to evolve and to help us 
address legitimate consumer privacy concerns. There have been several 
initiatives undertaken by industry leaders to get websites to develop 
and post privacy policies and to give consumers the option of when to 
provide information and for what uses. This legislation is designed to 
allow such efforts to continue and to provide for technological 
advances in the area of privacy to benefit consumers. For instance, 
Ford and other companies have been participating in the Privacy 
Leadership Initiative whereby companies engaged online are working to 
establish industry guidelines and protocols for protecting consumers' 
privacy. Nothing we do here today should inhibit such industry efforts.
  So with those critical features addressed, I believe the legislation 
we introduce today will be an important stepping stone along the path 
of ensuring that Americans can be confident that their personal 
information will be protected when they go online.
  I urge my colleagues to review this legislation and to support our 
efforts to protect consumers against unwarranted intrusions into their 
personal privacy when they are using their computers and surfing the 
Internet.
  I yield the floor.
                                 ______