[Congressional Record Volume 147, Number 83 (Thursday, June 14, 2001)]
[Senate]
[Pages S6337-S6347]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mrs. FEINSTEIN:
  S. 1055. A bill to require the consent of an individual prior to the 
sale and marketing of such individual's personally identifiable 
information, and for other purposes; to the Committee on the Judiciary.
  Mrs. FEINSTEIN. Mr. President, I am pleased today to introduce the 
Privacy Act of 2001.
  This legislation combats the growing scourge of identity theft and 
other privacy abuses by setting a national standard for privacy 
protection.
  The bill has a simple goal. It is designed to give back to ordinary 
citizens control over their personal information.
  Under the Privacy Act of 2001, if a company intends to collect and 
sell a customer's address, phone number, or other non-sensitive 
information, the company must give the customer notice and an 
opportunity to opt-out of the sale if they so choose.
  For especially sensitive personal information such as financial, 
health, driver's licenses, and Social Security Numbers, the legislation 
establishes more stringent privacy protections.
  Specifically, the bill requires an individual's opt-in prior to the 
sale, licensing, or renting of their personal financial or health 
information.
  In other words, opt-in means that a person must give their explicit 
and affirmative consent before an entity can use this type of personal 
information.
  The bill would also close loopholes in the Driver's Privacy 
Protection Act, most recently amended last year, so that a State 
Department of Motor Vehicles can no longer disclose the most sensitive 
information on a driver's license, such as the driver's identification 
number or physical characteristics, without the driver's opt-in.
  Finally, the bill would restrict the purchase, sale, and display of 
Social Security numbers to the general public.
  Why do we need a Federal privacy law?
  The new economy has exponentially increased the flow of personal 
information, but the protections for individual privacy have not kept 
pace.
  With access to sensitive data so widely available, often just at the 
touch of a keyboard, identity theft has become one of the country's 
fastest growing crimes.
  Identity theft is when a thief steals your personal information and 
then uses it to run up huge bills on your credit cards, bank accounts 
or other accounts. In some cases, identity theft has also resulted in 
stalking and murder.
  Recent statistics on the growth of identity theft suggest we have no 
time to waste in protecting personal privacy.
  The Federal Bureau of Investigation estimates 350,000 cases of 
identity theft occur each year. That's one case every two minutes.
  Not surprisingly, members of the public have flooded our Federal 
agencies with pleas for assistance. Reports to the Social Security 
Administration of Social Security number misuse have increased from 
7,868 in 1997 to 46,839 in 2000, an astonishing increase of over 500 
percent.
  The Federal Trade Commission, FTC, has experienced a similar 
explosion of cases. If recent trends continue, reports of identity 
theft to the Federal Trade Commission will double between 2000 and 
2001, to over 60,000 cases.
  Fully 40 percent of all consumer fraud complaints received by the FTC 
in the first three months of 2001 involved identity theft.
  Unfortunately, the State most affected by these complaints is 
California. Fully 17 percent of the identity theft complaints the FTC 
received this past winter came from my home state.
  Let me give some real-world examples of privacy abuses:
  Social Security Number Privacy: Amy Boyer, a 20-year-old dental 
assistant from Maine was killed in 1999 by a stalker who bought her 
Social Security number off the Internet for $45, and then used it to 
locate her work address.
  Identity Theft No. 1: Michelle Brown of Los Angeles, California, had 
her Social Security number stolen in 1999, and it was used to charge 
$50,000 including a $32,000 truck, a $5,000 liposuction operation, and 
a year-long residential lease.
  While assuming the victim's name, the perpetrator also became the 
object of an arrest warrant for drug smuggling in Texas.
  Identity Theft No. 2: An identity theft ring in Riverside County 
allegedly bilked eight victims of $700,000. The thieves stole personal 
information of employees at a large phone company and drained their on-
line stock accounts.
  One employee reportedly had $285,000 taken from his account when 
someone was able to access his account by supplying the employee's name 
and Social Security number.
  Financial Privacy: In a September 14, 1999 editorial, the Los Angeles 
Times described how a small San Fernando Valley bank, ``sold 3.7 
million credit card numbers to a felon, who then bilked cardholders out 
of millions of dollars.'' According to the article, the bank was not 
held liable for this action.
  It is also astonishing what some data marketers are now providing to 
their customers.
  According to the Los Angeles Times, some marketing companies have 
started selling lists of as many as 120 million households which 
include names, addresses, and phone numbers, estimated income, marital 
status, buying habits and hobbies.
  Similarly, a medical information service has made databases available 
to its customers which contain the phone number, gender and address of: 
3.3 million people with allergies, 3.0 million people with heartburn, 
850,000 with yeast infections, 450,000 people with incontinence, and 
368,000 people who suffer clinical depression.
  As a result, we have seen privacy become the top consumer protection 
issue.
  The bill I am introducing today, the Privacy Act of 2001, contains 
two bedrock principles.
  Privacy legislation should not discriminate against any system of 
communication.
  If personal information deserves protection, it deserves protection 
however it is collected. It should not matter whether personal data is 
collected in person, over the phone, or on the Internet.
  Nevertheless, some privacy bills have exclusively targeted Internet 
transactions. There is no justification for discriminating against high 
technology companies by imposing Internet-specific privacy rules.
  Companies operating on the Internet should not have any more duties 
to protect privacy than businesses extracting information from warranty 
cards or mail catalogues.
  Not all personal information deserves the same level of privacy 
protection.
  Some information like Social Security numbers, motor vehicle records, 
personal financial information, and medical information deserve higher 
levels of privacy protection.
  With regard to the first principle, the Privacy Act of 2001 protects 
the privacy of information regardless of the medium through which it is 
collected.
  Other privacy proposals have tried to confine privacy legislation to 
the Internet.
  These proposals unfairly discriminate against high technology users. 
Put simply, companies and other entities can misuse personal 
information from off-line sources just as easily as with on-line 
sources.
  Why should a company extracting data from a warranty card have any 
less of a duty to protect personal privacy than a company collecting 
personal data on-line?
  For example, telemarketers who besiege consumers with phone calls 
during the dinner hour get much of the personal information they use from 
consumers filling out and mailing back warranty and registration cards. 
But these warranty cards give consumers no notice about how their 
personal information will be used.
  Consider the case of Anne Marie Levine, a Virginia resident, who 
entered a raffle to win a new car.
  The sponsor of the raffle, unbeknownst to Ms. Levine, sold the 
personal information on her raffle ticket. In the next two weeks, she 
received calls from a host of jeep dealers in the area.
  While some may consider unsolicited marketing calls a mere annoyance, 
Ms. Levine was outraged, as I'm sure many Americans would be, that the 
auto dealer sold her personal information without her permission.
  Moreover, with the advent of digital scanners, digital photography, 
and data processing, the distinctions between on-line and off-line 
transactions are already blurring.
  With regard to the second principle, the Privacy Act of 2001 
recognizes that not all categories of personal information merit the 
same level of protection.
  The bill requires businesses intending to collect and sell 
nonsensitive personal information, e.g., name, phone number, address, to 
nonaffiliated third parties to give customers notice and the 
opportunity to opt out of the sale.
  The opt-out standard for non-sensitive information ensures that if a 
person fills out a warranty card, signs up for a computer service, or 
submits an entry for a sweepstakes, the business must notify him before 
it sells his personal information to other businesses or marketers.
  This framework guarantees basic privacy protections for consumers 
without unduly impacting commerce.
  To eliminate unnecessary burdens on businesses, the legislation sets 
up a safe harbor for businesses which appropriately use nonsensitive 
personal information. Industries and industry-sponsored seal programs 
which have already adopted notice-and-opt-out information policies will 
be exempt.
  The bill also sets a national standard for the sale or marketing of 
nonsensitive personal information.
  Federal preemption is needed because a jumbled patchwork of State 
privacy laws helps neither businesses nor consumers. Conflicting State 
laws lead to consumer confusion about privacy rights.
  For example, if one logs onto an Internet site, which State law 
governs: the law of the State of the computer user, the law where the 
website is being operated, or the law of the State of the manufacturer 
of a product?
  Similarly, a patchwork of 50 State privacy laws, would pose a 
logistical nightmare for corporate America.
  Without Federal preemption, businesses will face the unsavory choice 
of either adopting, for consistency's sake, privacy guidelines that 
comply with the strictest state privacy law, or dealing with the costs 
and paperwork imposed by 50 different state privacy laws.
  For especially sensitive personal data, like financial data, medical 
data, or a driver's license, the bill pushes for an opt-in model of 
consent.
  I believe people should have control over how their most sensitive 
information is used. In the absence of a customer's express permission, 
companies should not market or sell sensitive personal data.
  To create this opt-in standard, this legislation builds upon the 
existing lattice-work of Federal privacy laws.
  For example, the bill modifies the recently enacted Gramm-Leach-
Bliley Financial Services Modernization Act by requiring an opt-in for 
the sale of personal financial information.
  Presently, under the Gramm-Leach-Bliley Act, a bank must give a 
customer notice and the opportunity to opt-out before the bank can 
disclose private financial information to non-affiliated third parties.
  This legislation would impose a stricter standard if the bank tries 
to sell the information. Any bank that sells personal financial 
information to non-affiliated third parties would have to get the prior 
consent of the customer, opt-in.
  Similarly, this bill strengthens the privacy protections for personal 
health data.
  The newly enacted Department of Health and Human Services privacy 
regulations set a basic opt-in framework for disclosure of health 
information. I recognize that the rules are being revised by the Bush 
administration, so any discussion of health privacy must necessarily 
contemplate a moving target.
  Nevertheless, the current version of the regulation has loopholes 
that limit patient privacy.
  The regulations only prohibit ``covered entities,'' namely health 
insurers, health providers, and health care clearinghouses, from 
selling a patient's health information without that patient's prior 
consent, an opt-in model.
  Meanwhile, non-covered entities such as business associates, health 
researchers, schools or universities, and life insurers are not subject 
to this opt-in requirement, except through contractual arrangements.
  My bill would preserve the privacy of health information wherever the 
information is sold. Any life insurer, school or non-covered entity 
trying to sell protected health information would have to get the 
patient's consent.
  In addition, the bill would require entities to obtain a patient's 
approval before using ``protected health information'' for marketing 
purposes.
  This legislation builds on existing law to protect the information on 
our drivers' licenses.
  With its recent amendments, the Driver's Privacy Protection Act, 
DPPA, offers some meaningful protections for drivers' privacy.
  For example, under the DPPA, a State Department of Motor Vehicles 
must obtain the prior consent, opt-in, of the driver before ``highly 
restricted personal information,'' defined as the driver's photograph, 
image, Social Security number, medical or disability information, can 
be disclosed to a third party.
  However, loopholes remain. Other sensitive information found on a 
driver's license deserves equal protection.
driver's license deserves equal protection.
  This legislation would expand the definition of ``highly restricted 
personal information'' to include a physical copy of a driver's 
license, the driver identification number, birth date, information on 
the driver's physical characteristics and any biometric identifiers 
like a fingerprint that are found on the driver's license.
  Thus, this bill would ensure consumers have control over how their 
motor vehicle records and driver's license data are used.
  I would like to take a moment to highlight Title II of this 
legislation, which reflects a compromise with Senator Gregg on the 
privacy of Social Security numbers.
  It is so crucial to protect Social Security Numbers because these are 
the key to unlocking a person's identity.
  Many identity theft cases start with the theft of a Social Security 
number.
  Once a thief has access to a victim's Social Security number, it is 
only a short step to acquiring credit cards, driver's licenses, or 
other crucial identification documents.
  The Feinstein/Gregg compromise bars the sale or display of Social 
Security numbers to the public except in a very narrow set of 
circumstances.
  Display or sale is permitted if the Social Security Number holder 
gives consent or if there are compelling public safety needs.
  For the first time, Federal, State, and local governments will have 
to redact Social Security numbers on government records before these 
records are provided to the public.
  Thus, enterprising identity thieves no longer can scour bankruptcy 
records, liens, marriage certificates, or other public documents to 
steal Social Security Numbers.
  Moreover, State governments will no longer be permitted to use the 
Social Security number as the default driver's license number.
  The legislation, however, recognizes that some industries, like 
banks, rely on Social Security Numbers to exchange information between 
databases and complete identification verification necessary for 
certain transactions.
  It permits the sale or purchase of Social Security Numbers to 
facilitate business-to-business transactions so long as businesses put 
appropriate safeguards in place and do not permit public access to the 
number.
  Some critics of privacy legislation argue it will impede commerce. I 
disagree. A reasonable baseline of privacy laws will stimulate 
commerce. On the Internet, for example, fear of identity theft has 
impeded consumer transactions.
  One study of e-commerce estimates consumer privacy fears prevented up 
to $2.8 billion in online retail sales in 1999. Another study suggests 
that, by 2002, over $18 billion of lost sales can be attributed to 
consumer privacy concerns.
  This legislation codifies steps Congress can take to protect citizens 
from identity thieves and other predators of personal information.
  It restores to individuals more control over their most sensitive 
personal information such as Social Security numbers, driver's license 
information, health information, and financial information.
  The legislation sets reasonable guidelines for businesses that handle 
our personal information every day, like credit card companies, 
hospitals, and banks.
  Our Nation is rushing toward an information economy that will yield 
unprecedented economic efficiencies.
  The commercial benefits of the new economy are unquestionable. But, 
in our rush to embrace the new, we must remember to protect the core 
democratic values on which our country depends.
  Every American has a fundamental right to privacy, no matter how fast 
our technology grows or changes.
  But our right to privacy will only remain vital if we take strong 
action to protect it.
  I look forward to working with my colleagues to enact the Privacy Act 
of 2001.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1055

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Privacy 
     Act of 2001''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.

   TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

Sec. 101. Collection and distribution of personally identifiable 
              information.
Sec. 102. Enforcement.
Sec. 103. Safe harbor.
Sec. 104. Definitions.
Sec. 105. Preemption.
Sec. 106. Effective date.

        TITLE II--LIMITATIONS ON USE OF SOCIAL SECURITY NUMBERS

Sec. 201. Findings.
Sec. 202. Prohibition of the display, sale, or purchase of social 
              security numbers.
Sec. 203. No prohibition with respect to public records.
Sec. 204. Rulemaking authority of the Attorney General.
Sec. 205. Treatment of social security numbers on government documents.
Sec. 206. Limits on personal disclosure of a social security number for 
              consumer transactions.
Sec. 207. Extension of civil monetary penalties for misuse of a social 
              security number.

   TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL 
                         FINANCIAL INFORMATION

Sec. 301. Definition of sale.
Sec. 302. Rules applicable to sale of nonpublic personal information.
Sec. 303. Exceptions to sale prohibition.
Sec. 304. Effective date.

 TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

Sec. 401. Definitions.
Sec. 402. Prohibition against selling protected health information.
Sec. 403. Authorization for sale of protected health information.
Sec. 404. Prohibition against retaliation.
Sec. 405. Prohibition against marketing protected health information.
Sec. 406. Rule of construction.
Sec. 407. Regulations.
Sec. 408. Enforcement.

                   TITLE V--DRIVER'S LICENSE PRIVACY

Sec. 501. Driver's license privacy.

                        TITLE VI--MISCELLANEOUS

Sec. 601. Enforcement by State Attorneys General.
Sec. 602. Federal injunctive authority.

   TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

     SEC. 101. COLLECTION AND DISTRIBUTION OF PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       (a) Prohibition.--
       (1) In general.--It is unlawful for a commercial entity to 
     collect personally identifiable information and disclose such 
     information to any nonaffiliated third party for marketing 
     purposes or sell such information to any nonaffiliated third 
     party, unless the commercial entity provides--
       (A) notice to the individual to whom the information 
     relates in accordance with the requirements of subsection 
     (b); and
       (B) an opportunity for such individual to restrict the 
     disclosure or sale of such information.
       (2) Exception.--A commercial entity may collect personally 
     identifiable information and use such information to market 
     to potential customers such entity's product.
       (b) Notice.--
       (1) In general.--A notice under subsection (a) shall 
     contain statements describing the following:
       (A) The identity of the commercial entity collecting the 
     personally identifiable information.
       (B) The types of personally identifiable information that 
     are being collected on the individual.
       (C) How the commercial entity may use such information.
       (D) A description of the categories of potential recipients 
     of such personally identifiable information.
       (E) Whether the individual is required to provide 
     personally identifiable information in order to do business 
     with the commercial entity.
       (F) How an individual may decline to have such personally 
     identifiable information used or sold as described in 
     subsection (a).
       (2) Time of notice.--Notice shall be conveyed prior to the 
     sale or use of the personally identifiable information as 
     described in subsection (a) in such a manner as to allow the 
     individual a reasonable period of time to consider the notice 
     and limit such sale or use.
       (3) Medium of notice.--The medium for providing notice must 
     be--
       (A) the same medium in which the personally identifiable 
     information is or will be collected, or a medium approved by 
     the individual; or
       (B) in the case of oral communication, notice may be 
     conveyed orally or in writing.
       (4) Form of notice.--The notice shall be clear and 
     conspicuous.
       (c) Opt-Out.--
       (1) Opportunity to opt-out of sale or marketing.--The 
     opportunity provided to limit the sale of personally 
     identifiable information to nonaffiliated third parties or 
     the disclosure of such information for marketing purposes, 
     shall be easy to use, accessible and available in the medium 
     the information is collected, or in a medium approved by the 
     individual.
       (2) Duration of limitation.--An individual's limitation on 
     the sale or marketing of personally identifiable information 
     shall be considered permanent, unless otherwise specified by 
     the individual.
       (3) Revocation of consent.--After an individual grants 
     consent to the use of that individual's personally 
     identifiable information, the individual may revoke the 
     consent at any time, except to the extent that the commercial 
     entity has taken action in reliance thereon. The commercial 
     entity shall provide the individual an opportunity to revoke 
     consent that is easy to use, accessible, and available in the 
     medium the information was or is collected.
       (4) Not applicable.--This section shall not apply to 
     disclosure of personally identifiable information--
       (A) that is necessary to facilitate a transaction 
     specifically requested by the consumer;
       (B) that is used for the sole purpose of facilitating such 
     transaction; and
       (C) in which the entity receiving or obtaining such 
     information is limited, by contract, to use such information 
     for the purpose of completing the transaction.

     SEC. 102. ENFORCEMENT.

       (a) In General.--In accordance with the provisions of this 
     section, the Federal Trade Commission shall have the 
     authority to enforce any violation of section 101 of this 
     Act.
       (b) Violations.--The Federal Trade Commission shall treat a 
     violation of section 101 as a violation of a rule under 
     section 18(a)(1)(B) of the Federal Trade Commission Act (15 
     U.S.C. 57a(a)(1)(B)).
       (c) Transfer of Enforcement Authority.--The Federal Trade 
     Commission shall promulgate rules in accordance with section 
     553 of title 5, United States Code, allowing for the transfer 
     of enforcement authority from the Federal Trade Commission to 
     a Federal agency regarding section 101 of this Act. The 
     Federal Trade Commission may permit a Federal agency to 
     enforce any violation of section 101 if such agency submits a 
     written request to the Commission to enforce such violations 
     and includes in such request--
       (1) a description of the entities regulated by such agency 
     that will be subject to the provisions of section 101;
       (2) an assurance that such agency has sufficient authority 
     over the entities to enforce violations of section 101; and
       (3) a list of proposed rules that such agency shall use in 
     regulating such entities and enforcing section 101.
       (d) Actions by the Commission.--Absent transfer of 
     enforcement authority to a Federal agency under subsection 
     (c), the Federal Trade Commission shall prevent any person 
     from violating section 101 in the same manner, by the same 
     means, and with the same jurisdiction, powers, and duties as 
     provided to such Commission under the Federal Trade 
     Commission Act (15 U.S.C. 41 et seq.). Any entity that 
     violates section 101 is subject to the penalties and entitled 
     to the privileges and immunities provided in such Act in the 
     same manner, by the same means, and with the same 
     jurisdiction, power, and duties under such Act.
       (e) Relationship to Other Laws.--
       (1) Commission authority.--Nothing contained in this title 
     shall be construed to limit authority provided to the 
     Commission under any other law.
       (2) Communications act.--Nothing in section 101 requires an 
     operator of a website to take any action that is inconsistent 
     with the requirements of section 222 or 631 of the 
     Communications Act of 1934 (47 U.S.C. 222 and 551).
       (3) Other acts.--Nothing in this title is intended to 
     affect the applicability or the enforceability of any 
     provision of, or any amendment made by--
       (A) the Children's Online Privacy Protection Act of 1998 
     (15 U.S.C. 6501 et seq.);
       (B) title V of the Gramm-Leach-Bliley Act;
       (C) the Health Insurance Portability and Accountability Act 
     of 1996; or
       (D) the Fair Credit Reporting Act.
       (f) Public Records.--Nothing in this title shall be 
     construed to restrict commercial entities from obtaining or 
     disclosing personally identifiable information from public 
     records.
       (g) Civil Penalties.--In addition to any other penalty 
     applicable to a violation of section 101(a), a penalty of up 
     to $25,000 may be issued for each violation.
       (h) Enforcement Regarding Programs.--
       (1) In general.--A Federal agency or department providing 
     financial assistance to any entity required to comply with 
     section 101 of this Act shall issue regulations requiring 
     that such entity comply with such section or forfeit some or 
     all of such assistance. Such regulations shall prescribe 
     sanctions for noncompliance, require that such department or 
     agency provide notice of failure to comply with such section 
     prior to any action being taken against such recipient, and 
     require that a determination be made prior to any action 
     being taken against such recipient that compliance cannot be 
     secured by voluntary means.
       (2) Federal financial assistance.--The term ``Federal 
     financial assistance'' means assistance through a grant, 
     cooperative agreement, loan, or contract other than a 
     contract of insurance or guaranty.

     SEC. 103. SAFE HARBOR.

       A commercial entity may not be held to have violated any 
     provision of this title if such entity complies with self-
     regulatory guidelines that--
       (1) are issued by seal programs or representatives of the 
     marketing or online industries or by any other person; and
       (2) are approved by the Federal Trade Commission, after 
     public comment has been received on such guidelines by the 
     Commission, as meeting the requirements of this title.

     SEC. 104. DEFINITIONS.

       In this title:
       (1) Commercial entity.--The term ``commercial entity''--
       (A) means any person offering products or services 
     involving commerce--
       (i) among the several States or with 1 or more foreign 
     nations;
       (ii) in any territory of the United States or in the 
     District of Columbia, or between any such territory and--

       (I) another such territory; or
       (II) any State or foreign nation; or

       (iii) between the District of Columbia and any State, 
     territory, or foreign nation; and
       (B) does not include--
       (i) any nonprofit entity that would otherwise be exempt 
     from coverage under section 5 of the Federal Trade Commission 
     Act (15 U.S.C. 45);
       (ii) any financial institution that is subject to title V 
     of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); or
       (iii) any group health plan, health insurance issuer, or 
     other entity that is subject to the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 201 
     note).
       (2) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (3) Individual.--The term ``individual'' means a person 
     whose personally identifiable information has been, is, or 
     will be collected by a commercial entity.
       (4) Marketing.--The term ``marketing'' means to make a 
     communication about a product or service a purpose of which 
     is to encourage recipients of the communication to purchase 
     or use the product or service.
       (5) Medium.--The term ``medium'' means any channel or 
     system of communication including oral, written, and online 
     communication.
       (6) Nonaffiliated third party.--The term ``nonaffiliated 
     third party'' means any entity that is not related by common 
     ownership or affiliated by corporate control with, the 
     commercial entity, but does not include a joint employee of 
     such institution.
       (7) Personally identifiable information.--The term 
     ``personally identifiable information'' means individually 
     identifiable information about the individual that is 
     collected including--
       (A) a first, middle, or last name, whether given at birth 
     or adoption, assumed, or legally changed;
       (B) a home or other physical address, including the street 
     name, zip code, and name of a city or town;
       (C) an e-mail address;
       (D) a telephone number;
       (E) a photograph or other form of visual identification;
       (F) a birth date, birth certificate number, or place of 
     birth for that person; or
       (G) information concerning the individual that is combined 
     with any other identifier in this paragraph.
       (8) Sale; Sell; Sold.--The terms ``sale'', ``sell'', and 
     ``sold'', with respect to personally identifiable 
     information, mean the exchanging of such information for any 
     thing of value, directly or indirectly, including the 
     licensing, bartering, or renting of such information.
       (9) Writing.--The term ``writing'' means writing in either 
     a paper-based or computer-based form, including electronic 
     and digital signatures.

     SEC. 105. PREEMPTION.

       The provisions of this title shall supersede any statutory 
     and common law of States and their political subdivisions 
     insofar as that law may now or hereafter relate to the--
       (1) collection and disclosure of personally identifiable 
     information for marketing purposes; and
       (2) collection and sale of personally identifiable 
     information.

     SEC. 106. EFFECTIVE DATE.

       This title and the amendments made by this title shall take 
     effect 1 year after the date of enactment of this Act.

        TITLE II--LIMITATIONS ON USE OF SOCIAL SECURITY NUMBERS

     SEC. 201. FINDINGS.

       Congress makes the following findings:
       (1) The inappropriate display, sale, or purchase of social 
     security numbers has contributed to a growing range of 
     illegal activities, including fraud, identity theft, and, in 
     some cases, stalking and other violent crimes.
       (2) While financial institutions, health care providers, 
     and other entities have often used social security numbers to 
     confirm the identity of an individual, the general display to 
     the public, sale, or purchase of these numbers has been used 
     to commit crimes, and also can result in serious invasions of 
     individual privacy.
       (3) The Federal Government requires virtually every 
     individual in the United States to obtain and maintain a 
     social security number in order to pay taxes, to qualify for

[[Page S6341]]

     social security benefits, or to seek employment. An 
     unintended consequence of these requirements is that social 
     security numbers have become tools that can be used to 
     facilitate crime, fraud, and invasions of the privacy of the 
     individuals to whom the numbers are assigned. Because the 
     Federal Government created and maintains this system, and 
     because the Federal Government does not permit individuals to 
     exempt themselves from those requirements, it is appropriate 
     for the Federal Government to take steps to stem the abuse of 
     this system.
       (4) A social security number does not contain, reflect, or 
     convey any publicly significant information or concern any 
     public issue. The display, sale, or purchase of such numbers 
     in no way facilitates uninhibited, robust, and wide-open 
     public debate, and restrictions on such display, sale, or 
     purchase would not affect public debate.
       (5) No one should seek to profit from the display, sale, or 
     purchase of social security numbers in circumstances that 
     create a substantial risk of physical, emotional, or 
     financial harm to the individuals to whom those numbers are 
     assigned.
       (6) Consequently, this Act offers each individual that has 
     been assigned a social security number necessary protection 
     from the display, sale, and purchase of that number in any 
     circumstance that might facilitate unlawful conduct.

     SEC. 202. PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF 
                   SOCIAL SECURITY NUMBERS.

       (a) Prohibition.--
       (1) In general.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1028 the 
     following:

     ``Sec. 1028A. Prohibition of the display, sale, or purchase 
       of social security numbers

       ``(a) Definitions.--In this section:
       ``(1) Display.--The term `display' means to intentionally 
     communicate or otherwise make available (on the Internet or 
     in any other manner) to the general public an individual's 
     social security number.
       ``(2) Person.--The term `person' means any individual, 
     partnership, corporation, trust, estate, cooperative, 
     association, or any other entity.
       ``(3) Purchase.--The term `purchase' means providing 
     directly or indirectly, anything of value in exchange for a 
     social security number.
       ``(4) Sale.--The term `sale' means obtaining, directly or 
     indirectly, anything of value in exchange for a social 
     security number.
       ``(5) State.--The term `State' means any State of the 
     United States, the District of Columbia, Puerto Rico, the 
     Northern Mariana Islands, the United States Virgin Islands, 
     Guam, American Samoa, and any territory or possession of the 
     United States.
       ``(b) Limitation on Display.--Except as provided in section 
     1028B, no person may display any individual's social security 
     number to the general public without the affirmatively 
     expressed consent of the individual.
       ``(c) Limitation on Sale or Purchase.--Except as otherwise 
     provided in this section, no person may sell or purchase any 
     individual's social security number without the affirmatively 
     expressed consent of the individual.
       ``(d) Prohibition of Wrongful Use as Personal 
     Identification Number.--No person may obtain any individual's 
     social security number for purposes of locating or 
     identifying an individual with the intent to physically 
     injure, harm, or use the identity of the individual for any 
     illegal purpose.
       ``(e) Prerequisites for Consent.--In order for consent to 
     exist under subsection (b) or (c), the person displaying or 
     seeking to display, selling or attempting to sell, or 
     purchasing or attempting to purchase, an individual's social 
     security number shall--
       ``(1) inform the individual of the general purpose for 
     which the number will be used, the types of persons to whom 
     the number may be available, and the scope of transactions 
     permitted by the consent; and
       ``(2) obtain the affirmatively expressed consent 
     (electronically or in writing) of the individual.
       ``(f) Exceptions.--
       ``(1) In general.--Except as provided in subsection (d), 
     nothing in this section shall be construed to prohibit or 
     limit the display, sale, or purchase of a social security 
     number--
       ``(A) permitted, required, or excepted, expressly or by 
     implication, under section 205(c)(2), 1124A(a)(3), or 1141(c) 
     of the Social Security Act (42 U.S.C. 405(c)(2), 1320a-
     3a(a)(3), and 1320b-11(c)), section 7(a)(2) of the Privacy 
     Act of 1974 (5 U.S.C. 552a note), section 6109(d) of the 
     Internal Revenue Code of 1986, or section 6(b)(1) of the 
     Professional Boxing Safety Act of 1996 (15 U.S.C. 
     6305(b)(1));
       ``(B) for a public health purpose, including the protection 
     of the health or safety of an individual in an emergency 
     situation;
       ``(C) for a national security purpose;
       ``(D) for a law enforcement purpose, including the 
     investigation of fraud, as required under subchapter II of 
     chapter 53 of title 31, United States Code, and chapter 2 of 
     title I of Public Law 91-508 (12 U.S.C. 1951-1959), and the 
     enforcement of a child support obligation;
       ``(E) if the display, sale, or purchase of the number is 
     for a business-to-business use, including, but not limited 
     to--
       ``(i) the prevention of fraud (including fraud in 
     protecting an employee's right to employment benefits);
       ``(ii) the facilitation of credit checks or the 
     facilitation of background checks of employees, prospective 
     employees, and volunteers;
       ``(iii) compliance with any requirement related to the 
     social security program established under title II of the 
     Social Security Act (42 U.S.C. 401 et seq.); or
       ``(iv) the retrieval of other information from, or by, 
     other businesses, commercial enterprises, or private 
     nonprofit organizations,

     except that, nothing in this subparagraph shall be construed 
     as permitting a professional or commercial user to display or 
     sell a social security number to the general public;
       ``(F) if the transfer of such a number is part of a data 
     matching program under the Computer Matching and Privacy 
     Protection Act of 1988 (5 U.S.C. 552a note) or any similar 
     computer data matching program involving a Federal, State, or 
     local agency; or
       ``(G) if such number is required to be submitted as part of 
     the process for applying for any type of Federal, State, or 
     local government benefit or program.
       ``(g) Civil Action in United States District Court; 
     Damages; Attorney's Fees and Costs.--
       ``(1) In general.--Any individual aggrieved by any act of 
     any person in violation of this section may bring a civil 
     action in a United States district court to recover--
       ``(A) such preliminary and equitable relief as the court 
     determines to be appropriate; and
       ``(B) the greater of--
       ``(i) actual damages;
       ``(ii) liquidated damages of $2,500; or
       ``(iii) in the case of a violation that was willful and 
     resulted in profit or monetary gain, liquidated damages of 
     $10,000.
       ``(2) Statute of limitations.--No action may be commenced 
     under this subsection more than 3 years after the date on 
     which the violation was or should reasonably have been 
     discovered by the aggrieved individual.
       ``(3) Nonexclusive remedy.--The remedy provided under this 
     subsection shall be in addition to any other remedy available 
     to the individual.
       ``(h) Civil Penalties.--
       ``(1) In general.--Any person who the Attorney General 
     determines has violated this section shall be subject, in 
     addition to any other penalties that may be prescribed by 
     law--
       ``(A) to a civil penalty of not more than $5,000 for each 
     such violation; and
       ``(B) to a civil penalty of not more than $50,000, if the 
     violations have occurred with such frequency as to constitute 
     a general business practice.
       ``(2) Determination of violations.--Any willful violation 
     committed contemporaneously with respect to the social 
     security numbers of 2 or more individuals by means of mail, 
     telecommunication, or otherwise, shall be treated as a 
     separate violation with respect to each such individual.
       ``(3) Enforcement procedures.--The provisions of section 
     1128A of the Social Security Act (42 U.S.C. 1320a-7a), other 
     than subsections (a), (b), (f), (h), (i), (j), (m), and (n) 
     and the first sentence of subsection (c) of such section, and 
     the provisions of subsections (d) and (e) of section 205 of 
     such Act (42 U.S.C. 405) shall apply to a civil penalty under 
     this subsection in the same manner as such provisions apply 
     to a penalty or proceeding under section 1128A(a) of such Act 
     (42 U.S.C. 1320a-7a(a)), except that, for purposes of this 
     paragraph, any reference in section 1128A of such Act (42 
     U.S.C. 1320a-7a) to the Secretary shall be deemed to be a 
     reference to the Attorney General.''.
       (2) Conforming amendment.--The chapter analysis for chapter 
     47 of title 18, United States Code, is amended by inserting 
     after the item relating to section 1028 the following:

``1028A. Prohibition of the display, sale, or purchase of social 
              security numbers.''.

       (b) Criminal Sanctions.--Section 208(a) of the Social 
     Security Act (42 U.S.C. 408(a)) is amended--
       (1) in paragraph (8), by inserting ``or'' after the 
     semicolon; and
       (2) by inserting after paragraph (8) the following new 
     paragraphs:
       ``(9) except as provided in paragraph (5) of section 
     1028A(a) of title 18, United States Code, knowingly and 
     willfully displays, sells, or purchases (as those terms are 
     defined in paragraph (1) of such section) any individual's 
     social security number (as defined in such paragraph) without 
     the affirmatively expressed consent of that individual after 
     having met the prerequisites for consent under paragraph (4) 
     of such section, electronically or in writing, with respect 
     to that individual; or
       ``(10) obtains any individual's social security number for 
     the purpose of locating or identifying the individual with 
     the intent to injure or to harm that individual, or to use 
     the identity of that individual for an illegal purpose;''.
       (c) Effective Date.--Section 1028A of title 18, United 
     States Code (as added by subsection (a)), and section 208 of 
     the Social Security Act (42 U.S.C. 408) (as amended by 
     subsection (b)) shall take effect 30 days after the date on 
     which the final regulations promulgated under section 204(b) 
     are published in the Federal Register.

     SEC. 203. NO PROHIBITION WITH RESPECT TO PUBLIC RECORDS.

       (a) Public Records Exception.--
       (1) In general.--Chapter 47 of title 18, United States Code 
     (as amended by section

[[Page S6342]]

     202(a)(1)), is amended by inserting after section 1028A the 
     following:

     ``Sec. 1028B. No prohibition of the display, sale, or 
       purchase of social security numbers included in public 
       records

       ``(a) In General.--Nothing in section 1028A shall be 
     construed to prohibit or limit the display, sale, or purchase 
     of any public record which includes a social security number 
     that--
       ``(1) is incidentally included in a public record, as 
     defined in subsection (d);
       ``(2) is intended to be purchased, sold, or displayed 
     pursuant to an exception contained in section 1028A(f);
       ``(3) is intended to be purchased, sold, or displayed 
     pursuant to the consent provisions of subsections (b), (c), 
     and (e) of section 1028A; or
       ``(4) includes a redaction of the nonincidental occurrences 
     of the social security numbers when sold or displayed to 
     members of the general public.
       ``(b) Agency Requirements.--Each agency in possession of 
     documents that contain social security numbers which are 
     nonincidental, shall, with respect to such documents--
       ``(1) ensure that access to such numbers is restricted to 
     persons who may obtain them in accordance with applicable 
     law;
       ``(2) require an individual who is not exempt under section 
     1028A(f) to provide the social security number of the person 
     who is the subject of the document before making such 
     document available; or
       ``(3) redact the social security number from the document 
     prior to providing a copy of the requested document to an 
     individual who is not exempt under section 1028A(f) and who 
     is unable to provide the social security number of the person 
     who is the subject of the document.
       ``(c) Rule of Construction.--Nothing in this section shall 
     be used as a basis for permitting or requiring a State or 
     local government entity or other repository of public 
     documents to expand or to limit access to documents 
     containing social security numbers to entities covered by the 
     exception in section 1028A(f).
       ``(d) Definitions.--In this section:
       ``(1) Incidental.--The term `incidental' means that the 
     social security number is not routinely displayed in a 
     consistent and predictable manner on the public record by a 
     government entity, such as on the face of a document.
       ``(2) Public record.--The term `public record' means any 
     item, collection, or grouping of information about an 
     individual that is maintained by a Federal, State, or local 
     government entity and that is made available to the 
     public.''.
       (2) Conforming amendment.--The chapter analysis for chapter 
     47 of title 18, United States Code (as amended by section 
     202(a)(2)), is amended by inserting after the item relating 
     to section 1028A the following:

``1028B. No prohibition of the display, sale, or purchase of social 
              security numbers included in public records.''.

     SEC. 204. RULEMAKING AUTHORITY OF THE ATTORNEY GENERAL.

       (a) In General.--Except as provided in subsection (b), the 
     Attorney General may prescribe such rules and regulations as 
     the Attorney General deems necessary to carry out the 
     provisions of section 202.
       (b) Business-to-Business Commercial Display, Sale, or 
     Purchase Rulemaking.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Attorney General, in consultation 
     with the Commissioner of Social Security, the Federal Trade 
     Commission, and such other Federal agencies as the Attorney 
     General determines appropriate, may conduct such rulemaking 
     procedures in accordance with subchapter II of chapter 5 of 
     title 5, United States Code, as are necessary to promulgate 
     regulations to implement and clarify the business-to-business 
     provisions pertaining to section 1028A(f)(1)(E) of title 18, 
     United States Code (as added by section 202(a)(1)). The 
     Attorney General shall consult with other agencies to ensure, 
     where possible, that these provisions are consistent with 
     other privacy laws, including title V of the Gramm-Leach-
     Bliley Act (15 U.S.C. 6801 et seq.).
       (2) Factors to be considered.--In promulgating the 
     regulations required under paragraph (1), the Attorney 
     General shall, at a minimum, consider the following factors:
       (A) The benefit to a particular business practice and to 
     the general public of the sale or purchase of an individual's 
     social security number.
       (B) The risk that a particular business practice will 
     promote the use of the social security number to commit 
     fraud, deception, or crime.
       (C) The presence of adequate safeguards to prevent the 
     misappropriation of social security numbers by the general 
     public, while permitting internal business uses of such 
     numbers.
       (D) The implementation of procedures to prevent identity 
     thieves, stalkers, and others with ill intent from posing as 
     legitimate businesses to obtain social security numbers.

     SEC. 205. TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT 
                   DOCUMENTS.

       (a) Prohibition of Use of Social Security Account Numbers 
     on Checks Issued for Payment by Governmental Agencies.--
       (1) In general.--Section 205(c)(2)(C) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
     the end the following new clause:
       ``(x) No Federal, State, or local agency may display the 
     social security account number of any individual, or any 
     derivative of such number, on any check issued for any 
     payment by the Federal, State, or local agency.''.
       (2) Effective date.--The amendment made by this subsection 
     shall apply with respect to violations of section 
     205(c)(2)(C)(x) of the Social Security Act (42 U.S.C. 
     405(c)(2)(C)(x)), as added by paragraph (1), occurring after 
     the date that is 3 years after the date of enactment of this 
     Act.
       (b) Prohibition of Appearance of Social Security Account 
     Numbers on Driver's Licenses or Motor Vehicle Registration.--
       (1) In general.--Section 205(c)(2)(C)(vi) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)(vi)) is amended--
       (A) by inserting ``(I)'' after ``(vi)''; and
       (B) by adding at the end the following new subclause:
       ``(II)(aa) An agency of a State (or political subdivision 
     thereof), in the administration of any driver's license or 
     motor vehicle registration law within its jurisdiction, may 
     not disclose the social security account numbers issued by 
     the Commissioner of Social Security, or any derivative of 
     such numbers, on any driver's license or motor vehicle 
     registration or any other document issued by such State (or 
     political subdivision thereof) to an individual for purposes 
     of identification of such individual.
       ``(bb) Nothing in this subclause shall be construed as 
     precluding an agency of a State (or political subdivision 
     thereof), in the administration of any driver's license or 
     motor vehicle registration law within its jurisdiction, from 
     using a social security account number for an internal use or 
     to link with the database of an agency of another State that 
     is responsible for the administration of any driver's license 
     or motor vehicle registration law.''.
       (2) Effective date.--The amendment made by this subsection 
     shall apply with respect to licenses, registrations, and 
     other documents issued or reissued after the date that is 1 
     year after the date of enactment of this Act.
       (c) Prohibition of Inmate Access to Social Security Account 
     Numbers.--
       (1) In general.--Section 205(c)(2)(C) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by 
     subsection (b)) is amended by adding at the end the following 
     new clause:
       ``(xi) No Federal, State, or local agency may employ, or 
     enter into a contract for the use or employment of, prisoners 
     in any capacity that would allow such prisoners access to the 
     social security account numbers of other individuals. For 
     purposes of this clause, the term `prisoner' means an 
     individual confined in a jail, prison, or other penal 
     institution or correctional facility pursuant to such 
     individual's conviction of a criminal offense.''.
       (2) Effective date.--The amendment made by this subsection 
     shall apply with respect to employment of prisoners, or entry 
     into contract with prisoners, after the date that is 1 year 
     after the date of enactment of this Act.

     SEC. 206. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY 
                   NUMBER FOR CONSUMER TRANSACTIONS.

       (a) In General.--Part A of title XI of the Social Security 
     Act (42 U.S.C. 1301 et seq.) is amended by adding at the end 
     the following new section:

     ``SEC. 1150A. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL 
                   SECURITY NUMBER FOR CONSUMER TRANSACTIONS.

       ``(a) In General.--A commercial entity may not require an 
     individual to provide the individual's social security number 
     when purchasing a commercial good or service or deny an 
     individual the good or service for refusing to provide that 
     number except--
       ``(1) for any purpose relating to--
       ``(A) obtaining a consumer report for any purpose permitted 
     under the Fair Credit Reporting Act;
       ``(B) a background check of the individual conducted by a 
     landlord, lessor, employer, voluntary service agency, or 
     other entity as determined by the Attorney General;
       ``(C) law enforcement; or
       ``(D) a Federal or State law requirement; or
       ``(2) if the social security number is necessary to verify 
     identity and to prevent fraud with respect to the specific 
     transaction requested by the consumer and no other form of 
     identification can produce comparable information.
       ``(b) Other Forms of Identification.--Nothing in this 
     section shall be construed to prohibit a commercial entity 
     from--
       ``(1) requiring an individual to provide 2 forms of 
     identification that do not contain the social security number 
     of the individual; or
       ``(2) denying an individual a good or service for refusing 
     to provide 2 forms of identification that do not contain such 
     number.
       ``(c) Application of Civil Money Penalties.--A violation of 
     this section shall be deemed to be a violation of section 
     1129(a)(3)(F).
       ``(d) Application of Criminal Penalties.--A violation of 
     this section shall be deemed to be a violation of section 
     208(a)(8).''.
       (b) Effective Date.--The amendment made by subsection (a) 
     shall apply to requests to provide a social security number 
     made on or after the date of enactment of this Act.

[[Page S6343]]

     SEC. 207. EXTENSION OF CIVIL MONETARY PENALTIES FOR MISUSE OF 
                   A SOCIAL SECURITY NUMBER.

       (a) Treatment of Withholding of Material Facts.--
       (1) Civil penalties.--The first sentence of section 
     1129(a)(1) of the Social Security Act (42 U.S.C. 1320a-
     8(a)(1)) is amended--
       (A) by striking ``who'' and inserting ``who--'';
       (B) by striking ``makes'' and all that follows through 
     ``shall be subject to'' and inserting the following:
       ``(A) makes, or causes to be made, a statement or 
     representation of a material fact, for use in determining any 
     initial or continuing right to or the amount of monthly 
     insurance benefits under title II or benefits or payments 
     under title VIII or XVI, that the person knows or should know 
     is false or misleading;
       ``(B) makes such a statement or representation for such use 
     with knowing disregard for the truth; or
       ``(C) omits from a statement or representation for such 
     use, or otherwise withholds disclosure of, a fact which the 
     individual knows or should know is material to the 
     determination of any initial or continuing right to or the 
     amount of monthly insurance benefits under title II or 
     benefits or payments under title VIII or XVI and the 
     individual knows, or should know, that the statement or 
     representation with such omission is false or misleading or 
     that the withholding of such disclosure is misleading,

     shall be subject to'';
       (C) by inserting ``or each receipt of such benefits while 
     withholding disclosure of such fact'' after ``each such 
     statement or representation'';
       (D) by inserting ``or because of such withholding of 
     disclosure of a material fact'' after ``because of such 
     statement or representation''; and
       (E) by inserting ``or such a withholding of disclosure'' 
     after ``such a statement or representation''.
       (2) Administrative procedure for imposing penalties.--The 
     first sentence of section 1129A(a) of the Social Security Act 
     (42 U.S.C. 1320a-8a(a)) is amended--
       (A) by striking ``who'' and inserting ``who--''; and
       (B) by striking ``makes'' and all that follows through 
     ``shall be subject to'' and inserting the following new 
     paragraphs:
       ``(1) makes, or causes to be made, a statement or 
     representation of a material fact, for use in determining any 
     initial or continuing right to or the amount of monthly 
     insurance benefits under title II or benefits or payments 
     under title VIII or XVI, that the person knows or should know 
     is false or misleading;
       ``(2) makes such a statement or representation for such use 
     with knowing disregard for the truth; or
       ``(3) omits from a statement or representation for such 
     use, or otherwise withholds disclosure of, a fact which the 
     individual knows or should know is material to the 
     determination of any initial or continuing right to or the 
     amount of monthly insurance benefits under title II or 
     benefits or payments under title VIII or XVI and the 
     individual knows, or should know, that the statement or 
     representation with such omission is false or misleading or 
     that the withholding of such disclosure is misleading,

     shall be subject to''.
       (b) Application of Civil Money Penalties to Elements of 
     Criminal Violations.--Section 1129(a) of the Social Security 
     Act (42 U.S.C. 1320a-8(a)), as amended by subsection (a)(1), 
     is amended--
       (1) by redesignating paragraph (2) as paragraph (4);
       (2) by redesignating the last sentence of paragraph (1) as 
     paragraph (2) and inserting such paragraph after paragraph 
     (1); and
       (3) by inserting after paragraph (2) (as so redesignated) 
     the following new paragraph:
       ``(3) Any person (including an organization, agency, or 
     other entity) who--
       ``(A) uses a social security account number that such 
     person knows or should know has been assigned by the 
     Commissioner of Social Security (in an exercise of authority 
     under section 205(c)(2) to establish and maintain records) on 
     the basis of false information furnished to the Commissioner 
     by any person;
       ``(B) falsely represents a number to be the social security 
     account number assigned by the Commissioner of Social 
     Security to any individual, when such person knows or should 
     know that such number is not the social security account 
     number assigned by the Commissioner to such individual;
       ``(C) knowingly alters a social security card issued by the 
     Commissioner of Social Security, or possesses such a card 
     with intent to alter it;
       ``(D) knowingly displays, sells, or purchases a card that 
     is, or purports to be, a card issued by the Commissioner of 
     Social Security, or possesses such a card with intent to 
     display, purchase, or sell it;
       ``(E) counterfeits a social security card, or possesses a 
     counterfeit social security card with intent to display, 
     sell, or purchase it;
       ``(F) discloses, uses, compels the disclosure of, or 
     knowingly displays, sells, or purchases the social security 
     account number of any person in violation of the laws of the 
     United States;
       ``(G) with intent to deceive the Commissioner of Social 
     Security as to such person's true identity (or the true 
     identity of any other person) furnishes or causes to be 
     furnished false information to the Commissioner with respect 
     to any information required by the Commissioner in connection 
     with the establishment and maintenance of the records 
     provided for in section 205(c)(2);
       ``(H) offers, for a fee, to acquire for any individual, or 
     to assist in acquiring for any individual, an additional 
     social security account number or a number which purports to 
     be a social security account number; or
       ``(I) being an officer or employee of a Federal, State, or 
     local agency in possession of any individual's social 
     security account number, willfully acts or fails to act so as 
     to cause a violation by such agency of clause (vi)(II) or (x) 
     of section 205(c)(2)(C)

     shall be subject to, in addition to any other penalties that 
     may be prescribed by law, a civil money penalty of not more 
     than $5,000 for each violation. Such person shall also be 
     subject to an assessment, in lieu of damages sustained by the 
     United States resulting from such violation, of not more than 
     twice the amount of any benefits or payments paid as a result 
     of such violation.''.
       (c) Clarification of Treatment of Recovered Amounts.--
     Section 1129(e)(2)(B) of the Social Security Act (42 U.S.C. 
     1320a-8(e)(2)(B)) is amended by striking ``In the case of 
     amounts recovered arising out of a determination relating to 
     title VIII or XVI,'' and inserting ``In the case of any other 
     amounts recovered under this section,''.
       (d) Conforming Amendments.--
       (1) Section 1129(b)(3)(A) of the Social Security Act (42 
     U.S.C. 1320a-8(b)(3)(A)) is amended by striking ``charging 
     fraud or false statements''.
       (2) Section 1129(c)(1) of the Social Security Act (42 
     U.S.C. 1320a-8(c)(1)) is amended by striking ``and 
     representations'' and inserting ``, representations, or 
     actions''.
       (3) Section 1129(e)(1)(A) of the Social Security Act (42 
     U.S.C. 1320a-8(e)(1)(A)) is amended by striking ``statement 
     or representation referred to in subsection (a) was made'' 
     and inserting ``violation occurred''.
       (e) Effective Dates.--
       (1) In general.--Except as provided in paragraph (2), the 
     amendments made by this section shall apply with respect to 
     violations of sections 1129 and 1129A of the Social Security 
     Act (42 U.S.C. 1320a-8 and 1320a-8a), as amended by this 
     section, committed after the date of enactment of this Act.
       (2) Violations by government agents in possession of social 
     security numbers.--Section 1129(a)(3)(I) of the Social 
     Security Act (42 U.S.C. 1320a-8(a)(3)(I)), as added by 
     subsection (b), shall apply with respect to violations of 
     that section occurring on or after the effective date under 
     section 202(c).

   TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL 
                         FINANCIAL INFORMATION

     SEC. 301. DEFINITION OF SALE.

       Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) 
     is amended by adding at the end the following:
       ``(12) Sale.--The terms `sale', `sell', and `sold', with 
     respect to nonpublic personal information, mean the exchange 
     of such information for any thing of value, directly or 
     indirectly, including the licensing, bartering, or renting of 
     such information.''.

     SEC. 302. RULES APPLICABLE TO SALE OF NONPUBLIC PERSONAL 
                   INFORMATION.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended--
       (1) in the section heading, by inserting ``and sales'' 
     after ``disclosures'';
       (2) in subsection (a), by inserting ``or sell'' after 
     ``disclose'';
       (3) in subsection (b)--
       (A) in the heading, by inserting ``for Certain 
     Disclosures'' before the period; and
       (B) by adding at the end the following:
       ``(3) Limitation.--Paragraphs (1) and (2) do not apply to 
     the sale of nonpublic personal information.'';
       (4) by striking subsection (e);
       (5) by redesignating subsections (c) and (d) as subsections 
     (d) and (e), respectively; and
       (6) by inserting after subsection (b) the following:
       ``(c) Opt-In for Sale of Information.--
       ``(1) Affirmative consent required.--Each agency or 
     authority described in section 504(a) shall, by rule 
     prescribed under that section, prohibit a financial 
     institution that is subject to its jurisdiction from selling 
     any nonpublic personal information to any nonaffiliated third 
     party, unless the consumer to whom the information pertains--
       ``(A) has affirmatively consented in accordance with such 
     rule to the sale of such information; and
       ``(B) has not withdrawn the consent.
       ``(2) Denial of service prohibited.--The rule prescribed 
     pursuant to paragraph (1) shall prohibit a financial 
     institution from denying any consumer a financial product or 
     a financial service for the refusal by the consumer to grant 
     the consent required by such rule.''.

     SEC. 303. EXCEPTIONS TO SALE PROHIBITION.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), 
     as amended by this title, is amended by adding at the end the 
     following:
       ``(f) General Exceptions.--This section does not prohibit--
       ``(1) the sale or other disclosure of nonpublic personal 
     information to a nonaffiliated third party--
       ``(A) as necessary to effect, administer, or enforce a 
     transaction requested or authorized by the consumer to whom 
     the information pertains, or in connection with--
       ``(i) servicing or processing a financial product or 
     service requested or authorized by the consumer;
       ``(ii) maintaining or servicing the account of the consumer 
     with the financial institution, or with another entity as 
     part of a private label credit card program or other 
     extension of credit on behalf of such entity; or
       ``(iii) a proposed or actual securitization, secondary 
     market sale (including sales of servicing rights), or similar 
     transaction related to a transaction of the consumer;
       ``(B) with the consent or at the direction of the consumer, 
     in accordance with applicable rules prescribed under this 
     subtitle;
       ``(C) to the extent specifically permitted or required 
     under other provisions of law and in accordance with the 
     Right to Financial Privacy Act of 1978; or
       ``(D) to law enforcement agencies (including a Federal 
     functional regulator, the Secretary of the Treasury, with 
     respect to subchapter II of chapter 53 of title 31, United 
     States Code, and chapter 2 of title I of Public Law 91-508 
     (12 U.S.C. 1951-1959), a State insurance authority, or the 
     Federal Trade Commission), self-regulatory organizations, or 
     for an investigation on a matter related to public safety; or
       ``(2) the disclosure, other than the sale, of nonpublic 
     personal information--
       ``(A) to protect the confidentiality or security of the 
     records of the financial institution pertaining to the 
     consumer, the service or product, or the transaction therein;
       ``(B) to protect against or prevent actual or potential 
     fraud, unauthorized transactions, claims, or other liability;
       ``(C) for required institutional risk control, or for 
     resolving customer disputes or inquiries;
       ``(D) to persons holding a legal or beneficial interest 
     relating to the consumer;
       ``(E) to persons acting in a fiduciary or representative 
     capacity on behalf of the consumer;
       ``(F) to provide information to insurance rate advisory 
     organizations, guaranty funds or agencies, applicable rating 
     agencies of the financial institution, persons assessing the 
     compliance of the institution with industry standards, or the 
     attorneys, accountants, or auditors of the institution;
       ``(G) to a consumer reporting agency, in accordance with 
     the Fair Credit Reporting Act or from a consumer report 
     reported by a consumer reporting agency, as those terms are 
     defined in that Act;
       ``(H) in connection with a proposed or actual sale, merger, 
     transfer, or exchange of all or a portion of a business or 
     operating unit if the disclosure of nonpublic personal 
     information concerns solely consumers of such business or 
     unit;
       ``(I) to comply with Federal, State, or local laws, rules, 
     or other applicable legal requirements, or with a properly 
     authorized civil, criminal, or regulatory investigation or 
     subpoena or summons by Federal, State, or local authorities; 
     or
       ``(J) to respond to judicial process or government 
     regulatory authorities having jurisdiction over the financial 
     institution for examination, compliance, or other purposes, 
     as authorized by law.''.

     SEC. 304. EFFECTIVE DATE.

       This title shall take effect 6 months after the date on 
     which the rules are required to be prescribed under section 
     504(a)(3).

 TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

     SEC. 401. DEFINITIONS.

       In this title:
       (1) Business associate.--
       (A) In general.--Except as provided in subparagraph (B), 
     the term ``business associate'' means, with respect to a 
     covered entity, a person who--
       (i) on behalf of such covered entity or of an organized 
     health care arrangement in which the covered entity 
     participates, but other than in the capacity of a member of 
     the workforce of such covered entity or arrangement, 
     performs, or assists in the performance of--

       (I) a function or activity involving the use or disclosure 
     of individually identifiable health information, including 
     claims processing or administration, data analysis, 
     processing or administration, utilization review, quality 
     assurance, billing, benefit management, practice management, 
     and repricing; or
       (II) any other function or activity regulated under parts 
     160 through 164 of title 45, Code of Federal Regulations; or

       (ii) provides, other than in the capacity of a member of 
     the workforce of such covered entity, legal, actuarial, 
     accounting, consulting, data aggregation, management, 
     administrative, accreditation, or financial services to or 
     for such covered entity, or to or for an organized health 
     care arrangement in which the covered entity participates, 
     where the provision of the service involves the disclosure of 
     individually identifiable health information from such 
     covered entity or arrangement, or from another business 
     associate of such covered entity or arrangement, to the 
     person.
       (B) Limitations.--
       (i) In general.--A covered entity participating in an 
     organized health care arrangement that performs a function or 
     activity as described by subparagraph (A)(i) for or on behalf 
     of such organized health care arrangement, or that provides a 
     service as described in subparagraph (A)(ii) to or for such 
     organized health care arrangement, does not, simply through 
     the performance of such function or activity or the provision 
     of such service, become a business associate of other covered 
     entities participating in such organized health care 
     arrangement.
       (ii) Limitation.--A covered entity may be a business 
     associate of another covered entity.
       (2) Covered entity.--The term ``covered entity'' means--
       (A) a health plan;
       (B) a health care clearinghouse; and
       (C) a health care provider who transmits any health 
     information in electronic form in connection with a 
     transaction covered by parts 160 through 164 of title 45, 
     Code of Federal Regulations.
       (3) Disclosure.--The term ``disclosure'' means the release, 
     transfer, provision of access to, or divulging in any other 
     manner of information outside the entity holding the 
     information.
       (4) Employer.--The term ``employer'' means a person or 
     organization for whom an individual performs or has performed 
     any service, of whatever nature, as the employee of that 
     person or organization, except that--
       (A) if the person for whom the individual performs or has 
     performed the service does not have control of the payment of 
     wages for such service, the term ``employer'' means the 
     person having control of the payment of those wages; and
       (B) in the case of a person paying wages on behalf of a 
     nonresident alien individual, foreign partnership, or foreign 
     corporation, not engaged in trade or business within the 
     United States, the term ``employer'' means that person.
       (5) Group health plan.--The term ``group health plan'' 
     means an employee welfare benefit plan (as defined in section 
     3(1) of the Employee Retirement Income Security Act of 
     1974 (29 U.S.C. 1002(1)), including insured and self-insured 
     plans, to the extent that the plan provides medical care (as 
     defined in section 2791(a)(2) of the Public Health Service 
     Act, 42 U.S.C. 300gg-91(a)(2)), including items and services 
     paid for as medical care, to employees or their dependents 
     directly or through insurance, reimbursement, or otherwise, 
     that--
       (A) has 50 or more participants (as defined in section 3(7) 
     of the Employee Retirement Income Security Act of 1974, 29 
     U.S.C. 1002(7)); or
       (B) is administered by an entity other than the employer 
     that established and maintains the plan.
       (6) Health care.--The term ``health care'' means care, 
     services, or supplies related to the health of an individual, 
     including--
       (A) preventive, diagnostic, therapeutic, rehabilitative, 
     maintenance, or palliative care and counseling services, 
     assessment, or procedure with respect to the physical or 
     mental condition, or functional status, of an individual or 
     that affects the structure or function of the body; and
       (B) a sale or dispensing of a drug, device, equipment, or 
     other item in accordance with a prescription.
       (7) Health care clearinghouse.--The term ``health care 
     clearinghouse'' means a public or private entity, including a 
     billing service, repricing company, community health 
     management information system or community health information 
     system, and value-added networks and switches, that--
       (A) processes or facilitates the processing of health 
     information received from another entity in a nonstandard 
     format or containing nonstandard data content into standard 
     data elements or a standard transaction; or
       (B) receives a standard transaction from another entity and 
     processes or facilitates the processing of health information 
     into nonstandard format or nonstandard data content for the 
     receiving entity.
       (8) Health care provider.--The term ``health care 
     provider'' has the same meaning given the terms ``provider of 
     services'' and ``provider of medical or health services'' in 
     subsections (u) and (s) of section 1861 of the Social 
     Security Act (42 U.S.C. 1395x), and includes any other person 
     or organization who furnishes, bills, or is paid for health 
     care in the normal course of business.
       (9) Health information.--The term ``health information'' 
     means any information, whether oral or recorded in any form 
     or medium, that--
       (A) is created or received by a health care provider, 
     health plan, public health authority, employer, life insurer, 
     school or university, or health care clearinghouse; and
       (B) relates to the past, present, or future physical or 
     mental health or condition of an individual; the provision of 
     health care to an individual; or the past, present, or future 
     payment for the provision of health care to an individual.
       (10) Health insurance issuer.--The term ``health insurance 
     issuer'' means a health insurance issuer (as defined in 
     section 2791(b)(2) of the Public Health Service Act, 42 
     U.S.C. 300gg-91(b)(2)) and used in the definition of health 
     plan in this section and includes an insurance company, 
     insurance service, or insurance organization (including an 
     HMO) that is licensed to engage in the business of insurance 
     in a State and is subject to State law that regulates 
     insurance. Such term does not include a group health plan.
       (11) Health maintenance organization.--The term ``health 
     maintenance organization'' (HMO) (as defined in section 
     2791(b)(3) of the Public Health Service Act, 42 U.S.C. 
     300gg-91(b)(3)) and used in the definition of health plan in this 
     section, means a federally qualified HMO, an organization 
     recognized as an HMO under State law, or a similar 
     organization regulated for solvency under State law in the 
     same manner and to the same extent as such an HMO.
       (12) Health oversight agency.--The term ``health oversight 
     agency'' means an agency or authority of the United States, a 
     State, a territory, a political subdivision of a State or 
     territory, or an Indian tribe, or a person or entity acting 
     under a grant of authority from or contract with such public 
     agency, including the employees or agents of such public 
     agency or its contractors or persons or entities to whom it 
     has granted authority, that is authorized by law to oversee 
     the health care system (whether public or private) or 
     government programs in which health information is necessary 
     to determine eligibility or compliance, or to enforce civil 
     rights laws for which health information is relevant.
       (13) Health plan.--The term ``health plan'' means an 
     individual or group plan that provides, or pays the cost of, 
     medical care, as defined in section 2791(a)(2) of the Public 
     Health Service Act (42 U.S.C. 300gg-91(a)(2))--
       (A) including, singly or in combination--
       (i) a group health plan;
       (ii) a health insurance issuer;
       (iii) an HMO;
       (iv) part A or B of the medicare program under title XVIII 
     of the Social Security Act (42 U.S.C. 1395 et seq.);
       (v) the medicaid program under title XIX of the Social 
     Security Act (42 U.S.C. 1396 et seq.);
       (vi) an issuer of a medicare supplemental policy (as 
     defined in section 1882(g)(1) of the Social Security Act, 42 
     U.S.C. 1395ss(g)(1));
       (vii) an issuer of a long-term care policy, excluding a 
     nursing home fixed-indemnity policy;
       (viii) an employee welfare benefit plan or any other 
     arrangement that is established or maintained for the purpose 
     of offering or providing health benefits to the employees of 
     2 or more employers;
       (ix) the health care program for active military personnel 
     under title 10, United States Code;
       (x) the veterans health care program under chapter 17 of 
     title 38, United States Code;
       (xi) the Civilian Health and Medical Program of the 
     Uniformed Services (CHAMPUS) (as defined in section 1072(4) 
     of title 10, United States Code);
       (xii) the Indian Health Service program under the Indian 
     Health Care Improvement Act (25 U.S.C. 1601 et seq.);
       (xiii) the Federal Employees Health Benefits Program under 
     chapter 89 of title 5, United States Code;
       (xiv) an approved State child health plan under title XXI 
     of the Social Security Act (42 U.S.C. 1397aa et seq.), 
     providing benefits for child health assistance that meet the 
     requirements of section 2103 of such Act (42 U.S.C. 1397cc);
       (xv) the Medicare+Choice program under part C of title 
     XVIII of the Social Security Act (42 U.S.C. 1395w-21 et 
     seq.);
       (xvi) a high risk pool that is a mechanism established 
     under State law to provide health insurance coverage or 
     comparable coverage to eligible individuals; and
       (xvii) any other individual or group plan, or combination 
     of individual or group plans, that provides or pays for the 
     cost of medical care (as defined in section 2791(a)(2) of the 
     Public Health Service Act (42 U.S.C. 300gg-91(a)(2))); and
       (B) excluding--
       (i) any policy, plan, or program to the extent that it 
     provides, or pays for the cost of, excepted benefits that are 
     listed in section 2791(c)(1) of the Public Health Service Act 
     (42 U.S.C. 300gg-91(c)(1)); and
       (ii) a government-funded program (other than 1 listed in 
     clauses (i) through (xvi) of subparagraph (A)), whose principal 
     purpose is other than providing, or paying the cost of, 
     health care, or whose principal activity is the direct 
     provision of health care to persons, or the making of grants 
     to fund the direct provision of health care to persons.
       (14) Individually identifiable health information.--The 
     term ``individually identifiable health information'' means 
     information that is a subset of health information, including 
     demographic information collected from an individual, that--
       (A) is created or received by a covered entity or employer; 
     and
       (B)(i) relates to the past, present, or future physical or 
     mental health or condition of an individual, the provision of 
     health care to an individual, or the past, present, or future 
     payment for the provision of health care to an individual; 
     and
       (ii)(I) identifies an individual; or
       (II) with respect to which there is a reasonable basis to 
     believe that the information can be used to identify an 
     individual.
       (15) Law enforcement official.--The term ``law enforcement 
     official'' means an officer or employee of any agency or 
     authority of the United States, a State, a territory, a 
     political subdivision of a State or territory, or an Indian 
     tribe, who is empowered by law to--
       (A) investigate or conduct an official inquiry into a 
     potential violation of law; or
       (B) prosecute or otherwise conduct a criminal, civil, or 
     administrative proceeding arising from an alleged violation 
     of law.
       (16) Life insurer.--The term ``life insurer'' means a life 
     insurance company (as defined in section 816 of the Internal 
     Revenue Code of 1986), including the employees and agents of 
     such company.
       (17) Marketing.--
       (A) In general.--The term ``marketing'' means to make a 
     communication about a product or service a purpose of which 
     is to encourage recipients of the communication to purchase 
     or use the product or service.
       (B) Limitation.--Such term does not include communications 
     that meet the requirements of subparagraph (C) and that are 
     made by a covered entity--
       (i) for the purpose of describing the entities 
     participating in a health care provider network or health 
     plan network, or for the purpose of describing if and the 
     extent to which a product or service (or payment for such 
     product or service) is provided by a covered entity or 
     included in a plan of benefits; or
       (ii) that are tailored to the circumstances of a particular 
     individual and the communications are--

       (I) made by a health care provider to an individual as part 
     of the treatment of the individual, and for the purpose of 
     furthering the treatment of that individual; or
       (II) made by a health care provider to an individual in the 
     course of managing the treatment of that individual, or for 
     the purpose of directing or recommending to that individual 
     alternative treatments, therapies, health care providers, or 
     settings of care.

       (C) Not included.--A communication described in 
     subparagraph (B) is not included in marketing if--
       (i) the communication is made orally; or
       (ii) the communication is in writing and the covered entity 
     does not receive direct or indirect remuneration from a third 
     party for making the communication.
       (18) Noncovered entity.--
       (A) In general.--The term ``noncovered entity'' means any 
     person or public or private entity, including but not limited 
     to a health researcher, school or university, life insurer, 
     employer, public health authority, health oversight agency, 
     or law enforcement official, or any person acting as an agent 
     of such entities or persons, that is not a covered entity.
       (B) Limitation.--The term ``noncovered entity'' includes a 
     covered entity if such covered entity is acting as a business 
     associate.
       (19) Organized health care arrangement.--The term 
     ``organized health care arrangement'' means--
       (A) a clinically integrated care setting in which 
     individuals typically receive health care from more than 1 
     health care provider;
       (B) an organized system of health care in which more than 1 
     covered entity participates, and in which the participating 
     covered entities--
       (i) hold themselves out to the public as participating in a 
     joint arrangement; and
       (ii) participate in joint activities including at least--

       (I) utilization review, in which health care decisions by 
     participating covered entities are reviewed by other 
     participating covered entities or by a third party on their 
     behalf;
       (II) quality assessment and improvement activities, in 
     which treatment provided by participating covered entities is 
     assessed by other participating covered entities or by a 
     third party on their behalf; or
       (III) payment activities, if the financial risk for 
     delivering health care is shared, in part or in whole, by 
     participating covered entities through the joint arrangement 
     and if protected health information created or received by a 
     covered entity is reviewed by other participating covered 
     entities or by a third party on their behalf for the purpose 
     of administering the sharing of financial risk;

       (C) a group health plan and a health insurance issuer or 
     HMO with respect to such group health plan, but only with 
     respect to protected health information created or received 
     by such health insurance issuer or HMO that relates to 
     individuals who are or who have been participants or 
     beneficiaries in such group health plan;
       (D) a group health plan and 1 or more other group health 
     plans each of which are maintained by the same plan sponsor; 
     or
       (E) the group health plans described in subparagraph (D) 
     and health insurance issuers or HMOs with respect to such 
     group health plans, but only with respect to protected health 
     information created or received by such health insurance 
     issuers or HMOs that relates to individuals who are or have 
     been participants or beneficiaries in any of such group 
     health plans.
       (20) Protected health information.--The term ``protected 
     health information'' means individually identifiable health 
     information that is in any form or medium. The term does not 
     include individually identifiable health information in 
     education records covered by section 444 of the General 
     Education Provisions Act (20 U.S.C. 1232g).
       (21) Public health authority.--The term ``public health 
     authority'' means an agency or authority of the United 
     States, a State, a territory, a political subdivision of a 
     State or territory, or an Indian tribe, or a person or entity 
     acting under a grant of authority from or contract with such 
     public agency, including employees or agents of such public 
     agency or its contractors or persons or entities to whom it 
     has granted authority, that is responsible for public health 
     matters as part of its official mandate.
       (22) School or university.--The term ``school or 
     university'' means an institution or place for instruction or 
     education, including an elementary school, secondary school, 
     or institution of higher learning, a college, or an 
     assemblage of colleges united under 1 corporate organization 
     or government.
       (23) Secretary.--The term ``Secretary'' means the Secretary 
     of Health and Human Services.
       (24) Sale; sell; sold.--The terms ``sale'', ``sell'', and 
     ``sold'', with respect to protected health information, mean 
     the exchange of
     such information for anything of value, directly or 
     indirectly, including the licensing, bartering, or renting of 
     such information.
       (25) Use.--The term ``use'' means, with respect to 
     individually identifiable health information, the sharing, 
     employment, application, utilization, examination, or 
     analysis of such information within an entity that maintains 
     such information.
       (26) Writing.--The term ``writing'' means writing in either 
     a paper-based or computer-based form, including electronic 
     and digital signatures.

     SEC. 402. PROHIBITION AGAINST SELLING PROTECTED HEALTH 
                   INFORMATION.

       (a) In General.--A noncovered entity shall not sell the 
     protected health information of an individual without an 
     authorization that is valid under section 403. When a 
     noncovered entity obtains or receives authorization to sell 
     such information, such sale must be consistent with such 
     authorization.
       (b) Scope.--A sale of protected health information as 
     described under subsection (a) shall be limited to the 
     minimum amount of information necessary to accomplish the 
     purpose for which the sale is made.
       (c) Purpose.--A recipient of information sold pursuant to 
     this title may use or disclose such information solely to 
     carry out the purpose for which the information was sold.
       (d) Not Required.--Nothing in this title permitting the 
     sale of protected health information shall be construed to 
     require such sale.
       (e) Identification of Information as Protected Health 
     Information.--Information sold pursuant to this title shall 
     be clearly identified as protected health information.
       (f) No Waiver.--Except as provided in this title, an 
     individual's authorization to sell protected health 
     information shall not be construed as a waiver of any rights 
     that the individual has under other Federal or State laws, 
     the rules of evidence, or common law.

     SEC. 403. AUTHORIZATION FOR SALE OF PROTECTED HEALTH 
                   INFORMATION.

       (a) Valid Authorization.--A valid authorization is a 
     document that complies with all requirements of this section. 
     Such authorization may include additional information not 
     required under this section, provided that such information 
     is not inconsistent with the requirements of this section.
       (b) Defective Authorization.--An authorization is not 
     valid, if the document submitted has any of the following 
     defects:
       (1) The expiration date has passed or the expiration event 
     is known by the noncovered entity to have occurred.
       (2) The authorization has not been filled out completely, 
     with respect to an element described in subsections (e) and 
     (f).
       (3) The authorization is known by the noncovered entity to 
     have been revoked.
       (4) The authorization lacks an element required by 
     subsections (e) and (f).
       (5) Any material information in the authorization is known 
     by the noncovered entity to be false.
       (c) Revocation of Authorization.--An individual may revoke 
     an authorization provided under this section at any time 
     provided that the revocation is in writing, except to the 
     extent that the noncovered entity has taken action in 
     reliance thereon.
       (d) Documentation.--
       (1) In general.--A noncovered entity must document and 
     retain any signed authorization under this section as 
     required under paragraph (2).
       (2) Standard.--A noncovered entity shall, if a 
     communication is required by this title to be in writing, 
     maintain such writing, or an electronic copy, as 
     documentation.
       (3) Retention period.--A noncovered entity shall retain the 
     documentation required by this section for 6 years from the 
     date of its creation or the date when it last was in effect, 
     whichever is later.
       (e) Content of Authorization.--
       (1) Content.--An authorization described in subsection (a) 
     shall--
       (A) contain a description of the information to be sold 
     that identifies such information in a specific and meaningful 
     manner;
       (B) contain the name or other specific identification of 
     the person, or class of persons, authorized to sell the 
     information;
       (C) contain the name or other specific identification of 
     the person, or class of persons, to whom the information is 
     to be sold;
       (D) include an expiration date or an expiration event 
     relating to the selling of such information that signifies 
     that the authorization is valid until such date or event;
       (E) include a statement that the individual has a right to 
     revoke the authorization in writing and the exceptions to the 
     right to revoke, and a description of the procedure involved 
     in such revocation;
       (F) be in writing and include the signature of the 
     individual and the date, or if the authorization is signed by 
     a personal representative of the individual, a description of 
     such representative's authority to act for the individual; 
     and
       (G) include a statement explaining the purpose for which 
     such information is sold.
       (2) Plain language.--The authorization shall be written in 
     plain language.
       (f) Notice.--
       (1) In general.--The authorization shall include a 
     statement that the individual may--
       (A) inspect or copy the protected health information to be 
     sold; and
       (B) refuse to sign the authorization.
       (2) Copy to the individual.--A noncovered entity shall 
     provide the individual with a copy of the signed 
     authorization.
       (g) Model Authorizations.--The Secretary, after notice and 
     opportunity for public comment, shall develop and disseminate 
     model written authorizations of the type described in this 
     section and model statements of the limitations on such 
     authorizations. Any authorization obtained on a model 
     authorization form developed by the Secretary pursuant to the 
     preceding sentence shall be deemed to satisfy the 
     requirements of this section.
       (h) Noncoercion.--A covered entity or noncovered entity 
     shall not condition the purchase of a product or the 
     provision of a service to an individual based on whether such 
     individual provides an authorization to such entity as 
     described in this section.

     SEC. 404. PROHIBITION AGAINST RETALIATION.

       A noncovered entity that collects protected health 
     information, may not adversely affect another person, 
     directly or indirectly, because such person has exercised a 
     right under this title, disclosed information relating to a 
     possible violation of this title, or associated with, or 
     assisted, a person in the exercise of a right under this 
     title.

     SEC. 405. PROHIBITION AGAINST MARKETING PROTECTED HEALTH 
                   INFORMATION.

       (a) In General.--Notwithstanding any other provision of 
     law, a covered entity or noncovered entity shall not use, 
     disclose, or sell protected health information for marketing 
     without an authorization that is valid under subsection (c), 
     except as provided in subsection (b).
       (b) Exception.--A health care provider may use or disclose 
     protected health information for marketing without an 
     authorization when it uses or discloses such information to 
     make a marketing communication to an individual if the 
     communication occurs in a face-to-face encounter between the 
     health care provider and the individual.
       (c) Authorization.--
       (1) In general.--An authorization under subsection (a) 
     shall--
       (A) contain a description of the information to be used, 
     disclosed, or sold that identifies such information in a 
     specific and meaningful manner;
       (B) contain the name or other specific identification of 
     the person, or class of persons, authorized to use, disclose, 
     or sell the information;
       (C) identify persons to whom the information is to be 
     provided or sold;
       (D) include an expiration date or an expiration event 
     relating to the use, disclosure, or sale of such information 
     that signifies that the authorization is valid until such 
     date or event;
       (E) include a statement that the individual has a right to 
     revoke the authorization in writing and that there are 
     exceptions to the right to revoke, and a description of the 
     procedure involved in such revocation;
       (F) be in writing and include the signature of the 
     individual and the date, or if the authorization is signed by 
     a personal representative of the individual, a description of 
     such representative's authority to act for the individual; 
     and
       (G) include a statement explaining the purpose for which 
     such information is used, disclosed, or sold.
       (2) Plain language.--The authorization must be written in 
     plain language.
       (d) Notice.--The authorization shall include a statement 
     that the individual may--
       (1) inspect or copy the protected health information to be 
     marketed as provided under section 164.524 of title 45, Code 
     of Federal Regulations (or a successor regulation); and
       (2) refuse to sign the authorization.
       (e) Documentation.--A covered entity shall retain such 
     documentation as required for any use, disclosure, or sale, 
     as described under section 403(d).
       (f) Rescission of Individually Identifiable Health 
     Information Regulation.--Effective as of December 28, 2000--
       (1) section 164.514(e) of title 45, Code of Federal 
     Regulations (relating to standards for uses and disclosures 
     of protected health information for marketing), promulgated 
     by the Secretary of Health and Human Services in the final 
     rule entitled ``Standards for Privacy of Individually 
     Identifiable Health Information'' (65 Fed. Reg. 82462 
     (December 28, 2000)) is void; and
       (2) section 164.514 shall take effect as if subsection (e) 
     of such section had not been included in the promulgation of 
     the final regulation.
       (g) Noncoercion.--A covered entity or noncovered entity 
     shall not condition the purchase of a product or the 
     provision of a service to an individual based on whether such 
     individual provides an authorization to such entity as 
     described in this section.

     SEC. 406. RULE OF CONSTRUCTION.

       Except for the provisions of section 405, all requirements 
     of this title shall not be construed to impose any additional 
     requirements or in any way alter the requirements imposed 
     upon covered entities under parts 160 through 164 of title 
     45, Code of Federal Regulations.

     SEC. 407. REGULATIONS.

       (a) In General.--The Secretary shall promulgate regulations 
     implementing the provisions of this title.
       (b) Timeframe.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary shall publish proposed 
     regulations in the Federal Register. With regard to such 
     proposed regulations, the Secretary shall provide an 
     opportunity for submission of comments by interested persons 
     during a period of not less than 90 days. Not later than

[[Page S6347]]

     2 years after the date of enactment of this Act, the 
     Secretary shall publish final regulations in the Federal 
     Register.

     SEC. 408. ENFORCEMENT.

       (a) In General.--A covered entity or noncovered entity that 
     knowingly violates section 402 or 405 shall be subject to a 
     civil money penalty under this section.
       (b) Amount.--The civil money penalty described in 
     subsection (a) shall not exceed $100,000. In determining the 
     amount of any penalty to be assessed, the Secretary shall 
     take into account the previous record of compliance of the 
     entity being assessed with the applicable provisions of this 
     title and the gravity of the violation.
       (c) Administrative Review.--
       (1) Opportunity for hearing.--The entity assessed shall be 
     afforded an opportunity for a hearing by the Secretary upon 
     request made within 30 days after the date of the issuance of 
     a notice of assessment. In such hearing the decision shall be 
     made on the record pursuant to section 554 of title 5, United 
     States Code. If no hearing is requested, the assessment shall 
     constitute a final and unappealable order.
       (2) Hearing procedure.--If a hearing is requested, the 
     initial agency decision shall be made by an administrative 
     law judge, and such decision shall become the final order 
     unless the Secretary modifies or vacates the decision. Notice 
     of intent to modify or vacate the decision of the 
     administrative law judge shall be issued to the parties 
     within 30 days after the date of the decision of the judge. A 
     final order which takes effect under this paragraph shall be 
     subject to review only as provided under subsection (d).
       (d) Judicial Review.--
       (1) Filing of action for review.--Any entity against whom 
     an order imposing a civil money penalty has been entered 
     after an agency hearing under this section may obtain review 
     by the United States district court for any district in which 
     such entity is located or the United States District Court 
     for the District of Columbia by filing a notice of appeal in 
     such court within 30 days from the date of such order, and 
     simultaneously sending a copy of such notice by registered 
     mail to the Secretary.
       (2) Certification of administrative record.--The Secretary 
     shall promptly certify and file in such court the record upon 
     which the penalty was imposed.
       (3) Standard for review.--The findings of the Secretary 
     shall be set aside only if found to be unsupported by 
     substantial evidence as provided by section 706(2)(E) of 
     title 5, United States Code.
       (4) Appeal.--Any final decision, order, or judgment of the 
     district court concerning such review shall be subject to 
     appeal as provided in chapter 83 of title 28 of such Code.
       (e) Failure To Pay Assessment; Maintenance of Action.--
       (1) Failure to pay assessment.--If any entity fails to pay 
     an assessment after it has become a final and unappealable 
     order, or after the court has entered final judgment in favor 
     of the Secretary, the Secretary shall refer the matter to the 
     Attorney General who shall recover the amount assessed by 
     action in the appropriate United States district court.
       (2) Nonreviewability.--In such action the validity and 
     appropriateness of the final order imposing the penalty shall 
     not be subject to review.
       (f) Payment of Penalties.--Except as otherwise provided, 
     penalties collected under this section shall be paid to the 
     Secretary (or other officer) imposing the penalty and shall 
     be available without appropriation and until expended for the 
     purpose of enforcing the provisions with respect to which the 
     penalty was imposed.

                   TITLE V--DRIVER'S LICENSE PRIVACY

     SEC. 501. DRIVER'S LICENSE PRIVACY.

       Section 2725 of title 18, United States Code, is amended by 
     striking paragraphs (2) and (3) and adding the following:
       ``(2) `person' means an individual, organization, or 
     entity, but does not include a State or agency thereof;
       ``(3) `personal information' means information that 
     identifies an individual, including an individual's 
     photograph, social security number, driver identification 
     number, name, address (but not the 5-digit zip code), 
     telephone number, medical or disability information, any 
     physical copy of a driver's license, birth date, information 
     on physical characteristics, including height, weight, sex or 
     eye color, or any biometric identifiers on a license, 
     including a finger print, but not information on vehicular 
     accidents, driving violations, and driver's status; and
       ``(4) `highly restricted personal information' means an 
     individual's photograph or image, social security number, 
     medical or disability information, any physical copy of a 
     driver's license, driver identification number, birth date, 
     information on physical characteristics, including height, 
     weight, sex, or eye color, or any biometric identifiers on a 
     license, including a finger print.''.

                        TITLE VI--MISCELLANEOUS

     SEC. 601. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that is prohibited under title I, II, or IV of this 
     Act or under any amendment made by such a title, the State, 
     as parens patriae, may bring a civil action on behalf of the 
     residents of the State in a district court of the United 
     States of appropriate jurisdiction to--
       (A) enjoin that practice;
       (B) enforce compliance with such titles or such amendments;
       (C) obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) obtain such other relief as the court may consider to 
     be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the same 
     time as the State attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Attorney General shall have the right to 
     intervene in the action that is the subject of the notice.
       (2) Effect of intervention.--If the Attorney General 
     intervenes in an action under subsection (a), the Attorney 
     General shall have the right to be heard with respect to any 
     matter that arises in that action.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this Act shall be 
     construed to prevent an attorney general of a State from 
     exercising the powers conferred on such attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Attorney General of the United States.--
     In any case in which an action is instituted by or on behalf 
     of the Attorney General for violation of a practice that is 
     prohibited under title I, II, IV, or V of this Act or under 
     any amendment made by such a title, no State may, during the 
     pendency of that action, institute an action under subsection 
     (a) against any defendant named in the complaint in that 
     action for violation of that practice.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 602. FEDERAL INJUNCTIVE AUTHORITY.

       In addition to any other enforcement authority conferred 
     under this Act or under an amendment made by this Act, the 
     Federal Government shall have injunctive authority with 
     respect to any violation of any provision of title I, II, or 
     IV of this Act or of any amendment made by such a title, 
     without regard to whether a public or private entity violates 
     such provision.
                                 ______