[Congressional Record Volume 148, Number 44 (Thursday, April 18, 2002)]
[Senate]
[Pages S2957-S2963]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. HOLLINGS (for himself, Mr. Stevens, Mr. Burns, Mr. Inouye, 
        Mr. Rockefeller, Mr. Kerry, Mr. Breaux, Mr. Cleland, Mr. Nelson 
        of Florida, and Mrs. Carnahan):
  S. 2201. A bill to protect the online privacy of individuals who use 
the Internet; to the Committee on Commerce, Science, and 
Transportation.
  Mr. HOLLINGS. Madam President, today I rise to introduce bipartisan 
legislation that will establish baseline requirements for the 
protection of personal information collected from individuals over the 
Internet. This bill, the Online Personal Privacy Act, represents the 
work of many months and important input from consumer groups, affected 
individuals, and most importantly, many Senators on the Commerce 
Committee. The origin of this emerging consensus position began to take 
shape at a Commerce committee hearing last summer that focused 
generally on whether there was a need for online privacy legislation. 
At that time, members of the committee began to articulate the notion 
that not all personal information is created equal. I agree. Some 
highly sensitive personal information, such as personal financial or 
medical information or a person's religious beliefs, is clearly more 
sensitive than other garden-variety types of information, such as a 
pair of slacks that an individual may purchase. Since that hearing, and 
in numerous meetings with members of the Committee, we have worked hard 
to develop a balanced approach to Internet privacy regulation that 
recognizes and builds upon best practices in the online community while 
establishing a federal baseline standard for the protection of 
individuals' privacy on the Internet.
  Let me begin by expressing my gratitude to Senators Rockefeller, 
Inouye, Breaux, and Cleland, who worked closely with me during the last 
Congress to advocate the need for strong online privacy protections and 
who have agreed to be original cosponsors of this legislation. In 
addition, I would also like to particularly thank Senators Kerry, 
Stevens, and Burns for their invaluable contributions throughout this 
process and their willingness to join with us in working to craft a 
workable, bipartisan, consensus position on legislation that will 
provide individuals with better controls over the use of their personal 
information while fueling the growth of e-commerce as consumer 
confidence in the Internet spurs a significant increase in online 
activity.
  Some have argued that Americans' concerns about privacy no longer 
exist in the aftermath of September 11. But poll after poll 
consistently demonstrates that the American people want companies they 
patronize to seek their permission prior to using their personal 
information for commercial profit. These concerns are heightened with 
respect to the Internet, which, in a digital age, enables the seamless 
compilation of highly detailed personal profiles of Internet users. 
Accordingly, fears about privacy have had palpable effects on the 
willingness of consumers to embrace the full potential of the Internet 
and e-commerce.
  Distrust of false privacy promises has sparked a rage of online self-
defense, especially the providing of false information by individuals. 
Industry analysts estimate that between one-fifth and one-third of all 
individuals provide false personal information on the Internet. This 
response is understandable given that consumers have few tools to 
discover whether their personal information is being disclosed, sold, 
or otherwise misused, and they have virtually no recourse.
  Privacy fears are stifling the development and expansion of the 
Internet as an engine of economic growth. Because of consumer distrust, 
online companies and services are losing potential business and 
collecting bad data, blocking the Internet and its wide range of 
services from reaching its full potential. The lack of enforceable 
privacy protections is a significant barrier to the full embrace by 
consumers of the Internet marketplace. According to a recent Harris/
Business Week poll, almost two-thirds of non-Internet users would be 
more likely to use the Net if the privacy of their ``personal 
information and communications were protected.''
  Moreover, according to a recent Forrester study, online businesses 
lost nearly $15 billion, or 27 percent of e-commerce revenues, due to 
consumer privacy concerns. Those numbers are significant in light of 
the economic downturn and its disproportionate impact on the high-tech 
Internet sectors. Good privacy means good business and the Internet 
economy could use a healthy dose of that right now.
  Accordingly, our legislation offers a win-win proposition for 
consumers and business: it will protect the privacy of individuals 
online and provide online businesses with a new market of willing 
customers, while protecting the necessary business certainty of a 
single Federal standard.
  Online companies have long argued that privacy regulations would 
hamper their ability to efficiently conduct business on-line and give 
consumers the tailored buying experience they now expect from the 
Internet. Online 
merchants also touted self-regulation as sufficient privacy protection. 
We know otherwise.
  Privacy violations continue to make headlines: a major outcry erupted 
last year after Eli Lilly disclosed a list of hundreds of customers 
suffering from depression, bulimia, and obsessive compulsive disorder 
over the Internet. Moreover, just last week, a New York Times article, 
``Seeking Profits, Internet Companies Alter Privacy Policy,'' recounted 
how Internet companies such as Yahoo had changed their privacy policies 
in order to require consumers to restate their privacy preferences even 
if they had previously withheld consent for the use and 
commercialization of their personal information. Accordingly, these 
companies expanded their ability to use an individual's personal 
information for online and offline marketing purposes notwithstanding 
that individual's prior policy preferences. Still other businesses 
confound consumers with opaque privacy policies that begin with, ``Your 
privacy is important to us,'' but in the subsequent legalese, outline a 
series of exceptions crafted with double-negative verbs that allow 
virtually any use of a consumer's information. Still other commercial 
web sites fail to pass any privacy policy at all, safe in the knowledge 
that they face virtually no legal jeopardy for selling personal 
information.
  To be fair, some companies have taken consumer privacy seriously. 
Earthlink launched a national television advertising campaign touting 
its policy of not selling customer information. U-Haul's web site 
simply says: ``We will never sell or share our information with anyone, 
or send you junk mail, we hate that stuff, too.'' Companies like 
Hewlett Packard, Intel, and Microsoft, giants of the high tech 
industry, already provide individuals opt-in protection with respect to 
their personal information. But, in the final analysis, despite the 
best of intentions and some successful efforts, reliance on self-
regulation alone has not proven to provide sufficient protection. In 
its May 2000 Report to Congress, the Federal Trade Commission clearly 
recognized this shortcoming having studied this issue diligently for 5 
years: ``Because self-regulatory initiatives to date fall short of 
broad-based implementation of effective self-regulatory programs, the 
Commission has concluded that such efforts alone cannot ensure that the 
online marketplace as a whole will emulate the standards adopted by 
industry leaders. The Commission recommends that Congress enact 
legislation that, in conjunction with continuing self-regulatory 
programs, will ensure adequate protection of consumer privacy online.''
  Our legislation aims to do just that.
  Fundamentally, our legislation is built upon the five core principles 
of privacy protection identified by the Federal Trade Commission in its 
1995 report to Congress regarding online privacy: 1. Notice, 2. 
Consent, 3. Access, 4. Security and 5. Enforcement. Those principles 
are tried and true and formed the framework for the bipartisan 
Children's Online Privacy Protection Act of 1998, which was hailed by 
industry far and wide as a template for protecting children's personal 
information that is collected on the Internet.
  The bill we introduce today takes a singular approach. It divides 
online personal information into two categories: sensitive information 
and nonsensitive information. Sensitive information is narrowly 
tailored to include actual information about specific financial data, 
health information, ethnicity, religious affiliation, sexual 
orientation, and political affiliation, or someone's social security 
number. Non-sensitive information is all other personally identifiable 
information collected online.
  In this respect, the legislation is also similar to the two-tiered 
approach taken by the European Union in which companies are required to 
provide baseline protections governing the use of nonsensitive 
information, and stronger consent protections governing the use of 
sensitive data. More than 180 American companies, including Staples, 
Marriott, Microsoft, Intel, Hewlett Packard, DoubleClick, Kodak, and 
Acxiom, doing business in Europe have agreed to provide such 
protections with respect to the personal data of European citizens. 
They have signed up for the EU Safe Harbor and their names are listed 
on the Department of Commerce's web site. Our bill simply asks these 
and other companies to provide similar protections for U.S. citizens.
  First, with respect to notice and consent, the bill would require web 
sites and online services to post clear and conspicuous notice of their 
information practices. In other words, plainly state to individuals 
what you plan to do with their personal information. To the extent that 
a web site collects sensitive information, it would also be required to 
obtain a consumer's affirmative consent, so-called ``opt-in'' consent, 
prior to the collection of such data. To the extent that a web site 
collects only non-sensitive personal data, it would be able to collect 
such data for other uses as long as it provides individuals with an 
ability to ``opt out'' of such uses and provides the consumer with 
actual notice at the point of collection, so-called ``robust notice'', 
which briefly and succinctly describes how the information may be used 
or disclosed.
  Many Internet companies are doing this already. For example, on the 
same page where an individual provides his or her personal information, 
the web site for 1-800 Flowers states: ``You will be receiving 
promotional offers and materials from our sites and companies we own. 
Please check the box below if you do not want to receive such materials 
in the future and do not wish us to provide personal information 
collected from you to third parties.'' Similarly, NBC's website says 
the following on the webpage where individuals register their personal 
information: ``As our customer, you will occasionally receive email 
from shopnbc.com about new services, features, and special offers we 
believe would interest you. If you'd rather not receive these updates, 
please uncheck this box.'' It's as simple as that. And it provides the 
individual the ability to make an informed choice at the critical point 
at which he or she is providing a company with personally identifiable 
information.
  Next, our legislation requires companies to provide individuals with 
the ability to find out what personal information a web site has 
collected about them. While important, this right of reasonable access 
is not unqualified. Rather, it considers a variety of factors including 
the sensitivity of the information sought by the consumer and the 
burden and expense on the provider in giving consumers access to their 
personal information. In addition, the bill would permit online 
companies to charge individuals a reasonable fee to access their 
personal data, as is similarly provided under the Fair Credit Reporting 
Act.
  In addition, our bill requires that web sites adopt reasonable 
security procedures to protect the security, confidentiality, and 
integrity of personally identifiable information, just as Congress 
required in the Children's privacy legislation.
  Moreover, the bill grants consumers important rights of redress. 
First, the Federal Trade Commission and state attorneys general are 
empowered to take action. If the FTC collects civil penalties, the bill 
creates a mechanism whereby those injured can petition to receive up to 
$200 of the award. For more serious violations involving sensitive 
information, the bill would additionally permit individuals on their 
own to pursue redress for damages in federal court.
  Finally, in addition to following these fair information principles, 
the legislation also takes the critical step of establishing a uniform 
federal standard for online privacy protection by preempting State 
Internet laws. Inconsistent state regulation of privacy is already 
causing problems for online businesses. Vermont has adopted ``opt-in 
laws'' governing financial and medical privacy. In Minnesota, the state 
Senate has adopted ``opt-in'' online privacy legislation by a vote of 
96-0. In California, state privacy legislation is again moving through 
the state legislature, offering the very real possibility that online 
businesses will sooner rather than later face the prospect of trying to 
bring their online operation into compliance with inconsistent state 
laws.
  Because new technologies make privacy protection a constantly 
evolving issue, the bill requires the FTC not only to implement the 
requirements of the law, but further, to issue periodic reports about 
how the law is working; 
whether similar privacy protections should apply offline or to pre-
existing data; whether standardized online privacy notices should be 
developed; if a meaningful safe harbor should be constructed; and 
whether privacy protection technologies in the marketplace such as P3P 
can help facilitate the administration of the Act.
  Consumer participation in cyberspace should not be conditioned on a 
willingness to relinquish control over one's personal information. 
Rather, for the medium to truly flourish, we must establish baseline 
consumer protections that will eliminate the tyranny of convenience in 
which consumers are forced to choose between disclosing private, 
personal information, or not using the Internet at all. Congress has a 
moral obligation to protect American individual liberties, including 
the right to better control the commercialization of one's own 
personal, private information.
  This bill is an important first step. The privacy protections in this 
legislation will instill more confidence in people to use the Internet 
and create a consistent legal framework for online businesses. It will 
provide better online privacy protections for consumers, better 
commercial opportunities for businesses who respond to consumer privacy 
concerns, and a better future for Americans who will embrace the 
Internet rather than fear it.
  Madam President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2201

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Online Personal Privacy 
     Act''.

     SEC. 2. TABLE OF CONTENTS.

       The table of contents of this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Findings.
Sec. 4. Preemption of State law or regulations.

                   Title I--Online Privacy Protection

Sec. 101. Collection, use, or disclosure of personally identifiable 
              information.
Sec. 102. Notice and consent requirements.
Sec. 103. Policy changes; privacy breach.
Sec. 104. Exceptions.
Sec. 105. Access.
Sec. 106. Security.

                         Title II--Enforcement

Sec. 201. Enforcement by Federal Trade Commission.
Sec. 202. Violation is unfair or deceptive act or practice.
Sec. 203. Private right of action.
Sec. 204. Actions by States.
Sec. 205. Whistleblower protection.
Sec. 206. No effect on other remedies.

        Title III--Application to Congress and Federal Agencies

Sec. 301. Exercise of rulemaking power.
Sec. 302. Senate.
Sec. 303. Application to Federal agencies.

                        Title IV--Miscellaneous

Sec. 401. Definitions.
Sec. 402. Effective date.
Sec. 403. FTC rulemaking.
Sec. 404. FTC report.
Sec. 405. Development of automated privacy controls.

     SEC. 3. FINDINGS.

       The Congress finds the following:
       (1) The right to privacy is a personal and fundamental 
     right worthy of protection through appropriate legislation.
       (2) Individuals engaging in and interacting with companies 
     engaged in interstate commerce have a significant interest in 
     their personal information, as well as a right to control how 
     that information is collected, used, or transferred.
       (3) Absent the recognition of these rights and the 
     establishment of consequent industry responsibilities to 
     safeguard those rights, the privacy of individuals who use 
     the Internet will soon be more gravely threatened.
       (4) To the extent that States regulate, their efforts to 
     address Internet privacy will lead to a patchwork of 
     inconsistent standards and protections.
       (5) Existing State, local, and Federal laws provide minimal 
     privacy protection for Internet users.
       (6) With the exception of Federal Trade Commission 
     enforcement of laws against unfair and deceptive practices, 
     the Federal Government thus far has eschewed general Internet 
     privacy laws in favor of industry self-regulation, which has 
     led to several self-policing schemes, none of which are 
     enforceable in any meaningful way or provide sufficient 
     privacy protection to individuals.
       (7) State governments have been reluctant to enter the 
     field of Internet privacy regulation because use of the 
     Internet often crosses State, or even national, boundaries.
       (8) States are nonetheless interested in providing greater 
     privacy protection to their citizens as evidenced by recent 
     lawsuits brought against offline and online companies by 
     State attorneys general to protect the privacy of individuals 
     using the Internet.
       (9) The ease of gathering and compiling personal 
     information on the Internet, both overtly and 
     surreptitiously, is becoming increasingly efficient and 
     effortless due to advances in digital communications 
     technology which have provided information gatherers the 
     ability to compile seamlessly highly detailed personal 
     histories of Internet users.
       (10) Personal information flowing over the Internet 
     requires greater privacy protection than is currently 
     available today. Vast amounts of personal information, 
     including sensitive information, about individual Internet 
     users are collected on the Internet and sold or otherwise 
     transferred to third parties.
       (11) Poll after poll consistently demonstrates that 
     individual Internet users are highly troubled over their lack 
     of control over their personal information.
       (12) Market research demonstrates that tens of billions of 
     dollars in e-commerce are lost due to individual fears about 
     a lack of privacy protection on the Internet.
       (13) Market research demonstrates that as many as one-third 
     of all Internet users give false information about themselves 
     to protect their privacy, due to fears about a lack of 
     privacy protection on the Internet.
       (14) Notwithstanding these concerns, the Internet is 
     becoming a major part of the personal and commercial lives of 
     millions of Americans, providing increased access to 
     information, as well as communications and commercial 
     opportunities.
       (15) It is important to establish personal privacy rights 
     and industry obligations now so that individuals have 
     confidence that their personal privacy is fully protected on 
     the Internet.
       (16) The social and economic costs of establishing baseline 
     privacy standards now will be lower than if Congress waits 
     until the Internet becomes more prevalent in our everyday 
     lives in coming years.
       (17) Whatever costs may be borne by industry will be 
     significantly offset by the economic benefits to the 
     commercial Internet created by increased consumer confidence 
     occasioned by greater privacy protection.
       (18) Toward the close of the 20th Century, as individuals' 
     personal information was increasingly collected, profiled, 
     and shared for commercial purposes, and as technology 
     advanced to facilitate these practices, the Congress enacted 
     numerous statutes to protect privacy.
       (19) Those statutes apply to the government, telephones, 
     cable television, e-mail, video tape rentals, and the 
     Internet (but only with respect to children).
       (20) Those statutes all provide significant privacy 
     protections, but neither limit technology nor stifle 
     business.
       (21) Those statutes ensure that the collection and 
     commercialization of individuals' personal information is 
     fair, transparent, and subject to law.

     SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.

       This Act supersedes any State statute, regulation, or rule 
     regulating Internet privacy to the extent that it relates to 
     the collection, use, or disclosure of personally identifiable 
     information obtained through the Internet.

                   TITLE I--ONLINE PRIVACY PROTECTION

     SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       (a) In General.--An internet service provider, online 
     service provider, or operator of a commercial website on the 
     Internet may not collect personally identifiable information 
     from a user, or use or disclose personally identifiable 
     information about a user, of that service or website except 
     in accordance with the provisions of this Act.
       (b) Application to Certain Third-Party Operators.--The 
     provisions of this Act applicable to internet service 
     providers, online service providers, and commercial website 
     operators apply to any third party, including an advertising 
     network, that uses an internet service provider, online 
     service provider, or commercial website operator to collect 
     information about users of that service or website.

     SEC. 102. NOTICE AND CONSENT REQUIREMENTS.

       (a) Notice.--Except as provided in section 104, an internet 
     service provider, online service provider, or operator of a 
     commercial website may not collect personally identifiable 
     information from a user of that service or website online 
     unless that provider or operator provides clear and 
     conspicuous notice to the user in the manner required by this 
     section for the kind of personally identifiable information 
     to be collected. The notice shall disclose--
       (1) the specific types of information that will be 
     collected;
       (2) the methods of collecting and using the information 
     collected; and
       (3) all disclosure practices of that provider or operator 
     for personally identifiable information so collected, 
     including whether it will be disclosed to third parties.
       (b) Sensitive Personally Identifiable Information Requires 
     Opt-in Consent.--An internet service provider, online service 
     provider, or operator of a commercial website may not--
       (1) collect sensitive personally identifiable information 
     online, or
       (2) disclose or otherwise use such information collected 
     online, from a user of that service or website,

     unless the provider or operator obtains that user's 
     affirmative consent to the collection and disclosure or use 
     of that information before, or at the time, the information 
     is collected.
       (c) Nonsensitive Personally Identifiable Information 
     Requires Robust Notice and Opt-out Consent.--An internet 
     service provider, online service provider, or operator of a 
     commercial website may not--
       (1) collect personally identifiable information not 
     described in subsection (b) online, or
       (2) disclose or otherwise use such information collected 
     online, from a user of that service or website,

     unless the provider or operator provides robust 
     notice to the user, in addition to clear and conspicuous 
     notice, and has given the user an opportunity to decline 
     consent for such collection and use by the provider or 
     operator before, or at the time, the information is 
     collected.
       (d) Initial Notice Only for Robust Notice.--An internet 
     service provider, online service provider, or operator of a 
     commercial website shall provide robust notice under 
     subsection (c) of this section to a user only upon its first 
     collection of non-sensitive personally identifiable 
     information from that user, except that a subsequent 
     collection of additional or materially different non-
     sensitive personally identifiable information from that user 
     shall be treated as a first collection of such information 
     from that user.
       (e) Permanence of Consent.--
       (1) In general.--The consent or denial of consent by a user 
     of permission to an internet service provider, online service 
     provider, or operator of a commercial website to collect, 
     disclose, or otherwise use any information about that user 
     for which consent is required under this Act--
       (A) shall remain in effect until changed by the user; and
       (B) shall apply to the collection, disclosure, or other use 
     of that information by any entity that is a commercial 
     successor of, or legal successor-in-interest to, that 
     provider or operator, without regard to the legal form in 
     which such succession was accomplished (including any entity 
     that collects, discloses, or uses such information as a 
     result of a proceeding under chapter 7 or chapter 11 of title 
     11, United States Code, with respect to the provider or 
     operator).
       (2) Exception.--The consent by a user to the collection, 
     disclosure, or other use of information about that user for 
     which consent is required under this Act does not apply to 
     the collection, disclosure, or use of that information by a 
     successor entity under paragraph (1)(B) if--
       (A) the kind of information collected by the successor 
     entity about the user is materially different from the kind 
     of information collected by the predecessor entity;
       (B) the methods of collecting and using the information 
     employed by the successor entity are materially different 
     from the methods employed by the predecessor entity; or
       (C) the disclosure practices of the successor entity are 
     materially different from the practices of the predecessor 
     entity.

     SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.

       (a) Notice of Policy Change.--Whenever an internet service 
     provider, online service provider, or operator of a 
     commercial website makes a material change in its policy for 
     the collection, use, or disclosure of sensitive or 
     nonsensitive personally identifiable information, it--
       (1) shall notify all users of that service or website of 
     the change in policy; and
       (2) may not collect, disclose, or otherwise use any 
     sensitive or nonsensitive personally identifiable information 
     in accordance with the changed policy unless the user has 
     been afforded an opportunity to consent, or withhold consent, 
     to its collection, disclosure, or use in accordance with the 
     requirements of section 102(b) or (c), whichever is 
     applicable.
       (b) Notice of Breach of Privacy.--
       (1) In general.--If the sensitive or nonsensitive 
     personally identifiable information of a user of an internet 
     service provider, online service provider, or operator of a 
     commercial website--
       (A) is collected, disclosed, or otherwise used by the 
     provider or operator in violation of any provision of this 
     Act, or
       (B) the security, confidentiality, or integrity of such 
     information is compromised by a hacker or other third party, 
     or by any act or failure to act of the provider or operator,

     then the provider or operator shall notify all users whose 
     sensitive or nonsensitive personally identifiable information 
     was affected by the unlawful collection, disclosure, use, or 
     compromise. The notice shall describe the nature of the 
     unlawful collection, disclosure, use, or compromise and the 
     steps taken by the provider or operator to remedy it.
       (2) Delay of notification.--
       (A) Action taken by individuals.--If the compromise of the 
     security, confidentiality, or integrity of the information is 
     caused by a hacker or other external interference with the 
     service or website, or by an employee of the service or 
     website, the provider or operator may postpone issuing the 
     notice required by paragraph (1) for a reasonable period of 
     time in order to--
       (i) facilitate the detection and apprehension of the person 
     responsible for the compromise; and
       (ii) take such measures as may be necessary to restore the 
     integrity of the service or website and prevent any further 
     compromise of the security, confidentiality, and integrity of 
     such information.
       (B) System failures and other functional causes.--If the 
     unlawful collection, disclosure, use, or compromise of the 
     security, confidentiality, and integrity of the information 
     is the result of a system failure, a problem with the 
     operating system, software, or program used by the internet 
     service provider, online service provider, or operator of the 
     commercial website, or other non-external interference with 
     the service or website, the provider or operator may postpone 
     issuing the notice required by paragraph (1) for a reasonable 
     period of time in order to--
       (i) restore the system's functionality or fix the problem; 
     and
       (ii) take such measures as may be necessary to restore the 
     integrity of the service or website and prevent any further 
     compromise of the security, confidentiality, and integrity of 
     the information after the failure or problem has been fixed 
     and the integrity of the service or website has been 
     restored.

     SEC. 104. EXCEPTIONS.

       (a) In General.--Section 102 does not apply to the 
     collection, disclosure, or use by an internet service 
     provider, online service provider, or operator of a 
     commercial website of information about a user of that 
     service or website necessary--
       (1) to protect the security or integrity of the service or 
     website or to ensure the safety of other people or property;
       (2) to conduct a transaction, deliver a product or service, 
     or complete an arrangement for which the user provided the 
     information; or
       (3) to provide other products and services integrally 
     related to the transaction, service, product, or arrangement 
     for which the user provided the information.
       (b) Protected Disclosures.--An internet service provider, 
     online service provider, or operator of a commercial website 
     may not be held liable under this Act, any other Federal law, 
     or any State law for any disclosure made in good faith and 
     following reasonable procedures in responding to--
       (1) a request for disclosure of personal information under 
     section 1302(b)(1)(B)(iii) of the Children's Online Privacy 
     Protection Act of 1998 (15 U.S.C. 6501 et seq.) to the parent 
     of a child; or
       (2) a request for access to, or correction or deletion of, 
     personally identifiable information under section 105 of this 
     Act.
       (c) Disclosure to Law Enforcement Agency or under Court 
     Order.--
       (1) In general.--Notwithstanding any other provision of 
     this Act, an internet service provider, online service 
     provider, operator of a commercial website, or third party 
     that uses such a service or website to collect information 
     about users of that service or website may disclose 
     personally identifiable information about a user of that 
     service or website--
       (A) to a law enforcement, investigatory, national security, 
     or regulatory agency or department of the United States in 
     response to a request or demand made under authority granted 
     to that agency or department, including a warrant issued 
     under the Federal Rules of Criminal Procedure, an equivalent 
     State warrant, a court order, or a properly executed 
     administrative compulsory process; and
       (B) in response to a court order in a civil proceeding 
     granted upon a showing of compelling need for the information 
     that cannot be accommodated by any other means if--
       (i) the user to whom the information relates is given 
     reasonable notice by the person seeking the information of 
     the court proceeding at which the order is requested; and
       (ii) that user is afforded a reasonable opportunity to 
     appear and contest the issuance of the requested order or to 
     narrow its scope.
       (2) Safeguards against further disclosure.--A court that 
     issues an order described in paragraph (1) shall impose 
     appropriate safeguards on the use of the information to 
     protect against its unauthorized disclosure.

     SEC. 105. ACCESS.

       (a) In General.--An internet service provider, online 
     service provider, or operator of a commercial website shall--
       (1) upon request provide reasonable access to a user to 
     personally identifiable information that the provider or 
     operator has collected from the user online, or that the 
     provider or operator has combined with personally 
     identifiable information collected from the user online after 
     the effective date of this Act;
       (2) provide a reasonable opportunity for a user to suggest 
     a correction or deletion of any such information maintained 
     by that provider or operator to which the user was granted 
     access; and
       (3) make the correction a part of that user's sensitive 
     personally identifiable information or nonsensitive 
     personally identifiable information (whichever is 
     appropriate), or make the deletion, for all future disclosure 
     and other use purposes.
       (b) Exception.--An internet service provider, online 
     service provider, or operator of a commercial website may 
     decline to make a suggested correction a part of that user's 
     sensitive personally identifiable information or nonsensitive 
     personally identifiable information (whichever is 
     appropriate), or to make a suggested deletion if the provider 
     or operator--
       (1) reasonably believes that the suggested correction or 
     deletion is inaccurate or otherwise inappropriate;

[[Page S2961]]

       (2) notifies the user in writing, or in digital or other 
     electronic form, of the reasons the provider or operator 
     believes the suggested correction or deletion is inaccurate 
     or otherwise inappropriate; and
       (3) provides a reasonable opportunity for the user to 
     refute the reasons given by the provider or operator for 
     declining to make the suggested correction or deletion.
       (c) Reasonableness Test.--The reasonableness of the access 
     or opportunity provided under subsection (a) or (b) by an 
     internet service provider, online service provider, or 
     operator of a commercial website shall be determined by 
     taking into account such factors as the sensitivity of the 
     information requested and the burden or expense on the 
     provider or operator of complying with the request, 
     correction, or deletion.
       (d) Reasonable Access Fee.--
       (1) In general.--An internet service provider, online 
     service provider, or operator of a commercial website may 
     impose a reasonable charge for access under subsection (a).
       (2) Amount.--The amount of the fee shall not exceed $3, 
     except that upon request of a user, a provider or operator 
     shall provide such access without charge to that user if the 
     user certifies in writing that the user--
       (A) is unemployed and intends to apply for employment in 
     the 60-day period beginning on the date on which the 
     certification is made;
       (B) is a recipient of public welfare assistance; or
       (C) has reason to believe that the incorrect information is 
     due to fraud.

     SEC. 106. SECURITY.

       An internet service provider, online service provider, or 
     operator of a commercial website shall establish and maintain 
     reasonable procedures necessary to protect the security, 
     confidentiality, and integrity of personally identifiable 
     information maintained by that provider or operator.

                         TITLE II--ENFORCEMENT

     SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

       Except as provided in section 202(b) of this Act and 
     section 2710(d) of title 18, United States Code, this Act 
     shall be enforced by the Commission.

     SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.

       (a) In General.--The violation of any provision of title I 
     is an unfair or deceptive act or practice proscribed under 
     section 18(a)(1)(B) of the Federal Trade Commission Act (15 
     U.S.C. 57a(a)(1)(B)).
       (b) Enforcement by Certain Other Agencies.--Compliance with 
     title I of this Act shall be enforced under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks, by the Office of the Comptroller 
     of the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25A of the 
     Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; 
     and
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System) and insured State branches of foreign banks, by the 
     Board of Directors of the Federal Deposit Insurance 
     Corporation;
       (2) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), by the Director of the Office of Thrift 
     Supervision, in the case of a savings association the 
     deposits of which are insured by the Federal Deposit 
     Insurance Corporation;
       (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the National Credit Union Administration Board with 
     respect to any Federal credit union;
       (4) part A of subtitle VII of title 49, United States Code, 
     by the Secretary of Transportation with respect to any air 
     carrier or foreign air carrier subject to that part;
       (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
     seq.) (except as provided in section 406 of that Act (7 
     U.S.C. 226, 227)), by the Secretary of Agriculture with 
     respect to any activities subject to that Act; and
       (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
     the Farm Credit Administration with respect to any Federal 
     land bank, Federal land bank association, Federal 
     intermediate credit bank, or production credit association.
       (c) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (b) of its 
     powers under any Act referred to in that subsection, a 
     violation of title I is deemed to be a violation of a 
     requirement imposed under that Act. In addition to its powers 
     under any provision of law specifically referred to in 
     subsection (b), each of the agencies referred to in that 
     subsection may exercise, for the purpose of enforcing 
     compliance with any requirement imposed under title I, any 
     other authority conferred on it by law.
       (d) Actions by the Commission.--The Commission shall 
     prevent any person from violating title I in the same manner, 
     by the same means, and with the same jurisdiction, powers, 
     and duties as though all applicable terms and provisions of 
     the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
     incorporated into and made a part of this Act. Any entity 
     that violates any provision of that subtitle is subject to 
     the penalties and entitled to the privileges and immunities 
     provided in the Federal Trade Commission Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     power, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act were 
     incorporated into and made a part of that subtitle.
       (e) Disposition of Civil Penalties Obtained by FTC 
     Enforcement Action Involving Nonsensitive Personally 
     Identifiable Information.--
       (1) In general.--If a civil penalty is imposed on an 
     internet service provider, online service provider, or 
     commercial website operator in an enforcement action brought 
     by the Commission for a violation of title I with respect to 
     nonsensitive personally identifiable information of users of 
     the service or website, the penalty shall be--
       (A) paid to the Commission;
       (B) held by the Commission in trust for distribution under 
     paragraph (2); and
       (C) distributed in accordance with paragraph (2).
       (2) Distribution to users.--Under procedures to be 
     established by the Commission, the Commission shall hold any 
     amount received as a civil penalty for violation of title I 
     for a period of not less than 180 days for distribution under 
     those procedures to users--
       (A) whose nonsensitive personally identifiable information 
     was the subject of the violation; and
       (B) who file claims with the Commission for compensation 
     for loss or damage from the violation at such time, in such 
     manner, and containing such information as the Commission may 
     require.
       (3) Amount of payment.--The amount a user may receive under 
     paragraph (2)--
       (i) shall not exceed $200; and
       (ii) may be limited by the Commission as necessary to 
     afford each such user a reasonable opportunity to secure that 
     user's appropriate portion of the amount available for 
     distribution.
       (4) Remainder.--If the amount of any such penalty held by 
     the Commission exceeds the sum of the amounts distributed 
     under paragraph (2) attributable to that penalty, the excess 
     shall be covered into the Treasury of the United States as 
     miscellaneous receipts no later than 12 months after it was 
     paid to the Commission.
       (f) Effect on Other Laws.--
       (1) Preservation of commission authority.--Nothing 
     contained in this subtitle shall be construed to limit the 
     authority of the Commission under any other provision of law.
       (2) Relation to title ii of communications act.--Nothing in 
     title I requires an operator of a website or online service 
     to take any action that is inconsistent with the requirements 
     of section 222 of the Communications Act of 1934 (47 U.S.C. 
     222).
       (3) Relation to title vi of communications act.--Section 
     631 of the Communications Act of 1934 (47 U.S.C. 551) is 
     amended by adding at the end the following:
       ``(i) To the extent that the application of any provision 
     of this title to a cable operator as an internet service 
     provider, online service provider, or operator of a 
     commercial website (as those terms are defined in section 401 
     of the Online Personal Privacy Act) with respect to the 
     provision of Internet service or online service, or the 
     operation of a commercial website, conflicts with the 
     application of any provision of that Act to such provision or 
     operation, the Act shall be applied in lieu of the 
     conflicting provision of this title.''.

     SEC. 203. ACTIONS BY USERS.

       (a) Private Right of Action for Sensitive Personally 
     Identifiable Information.--If an internet service provider, 
     online service provider, or commercial website operator 
     collects, discloses, or uses the sensitive personally 
     identifiable information of any person or fails to provide 
     reasonable access to or reasonable security for such 
     sensitive personally identifiable information in violation of 
     any provision of title I then that person may bring an action 
     in a district court of the United States of appropriate 
     jurisdiction--
       (1) to enjoin or restrain a violation of title I or to 
     obtain other appropriate relief; and
       (2) upon a showing of actual harm to that person caused by 
     the violation, to recover the greater of--
       (A) the actual monetary loss from the violation; or
       (B) $5,000.
       (b) Repeated Violations.--If the court finds, in an action 
     brought under subsection (a) to recover damages, that the 
     defendant repeatedly and knowingly violated title I, the 
     court may, in its discretion, increase the amount of the 
     award available under subsection (a)(2)(B) to an amount not 
     in excess of $100,000.
       (c) Exception.--Neither an action to enjoin or restrain a 
     violation, nor an action to recover for loss or damage, may 
     be brought under this section for the accidental disclosure 
     of information if the disclosure was caused by an Act of God, 
     unforeseeable network or systems failure, or other event 
     beyond the control of the Internet service provider, online 
     service provider, or operator of a commercial website.

     SEC. 204. ACTIONS BY STATES.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that violates title I, the State, as

[[Page S2962]]

     parens patriae, may bring a civil action on behalf of the 
     residents of the State in a district court of the United 
     States of appropriate jurisdiction--
       (A) to enjoin that practice;
       (B) to enforce compliance with the rule;
       (C) to obtain damage, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) to obtain such other relief as the court may consider 
     to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Commission--
       (i) written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general 
     determines that it is not feasible to provide the notice 
     described in that subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Commission at the same time as 
     the attorney general files the action.
       (b) Intervention.--
       (1) In general.--On receiving notice under subsection 
     (a)(2), the Commission shall have the right to intervene in 
     the action that is the subject of the notice.
       (2) Effect of intervention.--If the Commission intervenes 
     in an action under subsection (a), it shall have the right--
       (A) to be heard with respect to any matter that arises in 
     that action; and
       (B) to file a petition for appeal.
       (c) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (d) Actions by the Commission.--In any case in which an 
     action is instituted by or on behalf of the Commission for 
     violation of title I, no State may, during the pendency of 
     that action, institute an action under subsection (a) against 
     any defendant named in the complaint in that action for 
     violation of that rule.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 205. WHISTLEBLOWER PROTECTION.

       (a) In General.--No internet service provider, online 
     service provider, or commercial website operator may 
     discharge or otherwise discriminate against any employee with 
     respect to compensation, terms, conditions, or privileges of 
     employment because the employee (or any person acting 
     pursuant to the request of the employee) provided information 
     to any Federal or State agency or to the Attorney General of 
     the United States or of any State regarding a violation of 
     any provision of title I.
       (b) Enforcement.--Any employee or former employee who 
     believes he has been discharged or discriminated against in 
     violation of subsection (a) may file a civil action in the 
     appropriate United States district court before the close of 
     the 2-year period beginning on the date of such discharge or 
     discrimination. The complainant shall also file a copy of the 
     complaint initiating such action with the appropriate Federal 
     agency.
       (c) Remedies.--If the district court determines that a 
     violation of subsection (a) has occurred, it may order the 
     Internet service provider, online service provider, or 
     commercial website operator that committed the violation--
       (1) to reinstate the employee to his former position;
       (2) to pay compensatory damages; or
       (3) to take other appropriate actions to remedy any past 
     discrimination.
       (d) Limitation.--The protections of this section shall not 
     apply to any employee who--
       (1) deliberately causes or participates in the alleged 
     violation; or
       (2) knowingly or recklessly provides substantially false 
     information to such an agency or the Attorney General.
       (e) Burdens of Proof.--The legal burdens of proof that 
     prevail under subchapter III of chapter 12 of title 5, United 
     States Code (5 U.S.C. 1221 et seq.) shall govern adjudication 
     of protected activities under this section.

     SEC. 206. NO EFFECT ON OTHER REMEDIES.

       The remedies provided by sections 203 and 204 are in 
     addition to any other remedy available under any provision of 
     law.

        TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES

     SEC. 301. SENATE.

       The Sergeant at Arms of the United States Senate shall 
     develop regulations setting forth an information security and 
     electronic privacy policy governing use of the Internet by 
     officers and employees of the Senate that meets the 
     requirements of title I.

     SEC. 302. APPLICATION TO FEDERAL AGENCIES.

       (a) In General.--Except as provided in subsection (b), this 
     Act applies to each Federal agency that is an internet 
     service provider or an online service provider, or that 
     operates a website, to the extent provided by section 2674 of 
     title 28, United States Code.
       (b) Exceptions.--This Act does not apply to any Federal 
     agency to the extent that the application of this Act would 
     compromise law enforcement activities or the administration 
     of any investigative, security, or safety operation conducted 
     in accordance with Federal law.

                        TITLE IV--MISCELLANEOUS

     SEC. 401. DEFINITIONS.

       In this Act:
       (1) Collect.--The term ``collect'' means the gathering of 
     personally identifiable information about a user of an 
     Internet service, online service, or commercial website by or 
     on behalf of the provider or operator of that service or 
     website by any means, direct or indirect, active or passive, 
     including--
       (A) an online request for such information by the provider 
     or operator, regardless of how the information is transmitted 
     to the provider or operator;
       (B) the use of a chat room, message board, or other online 
     service to gather the information; or
       (C) tracking or use of any identifying code linked to a 
     user of such a service or website, including the use of 
     cookies or other tracking technology.
       (2) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (3) Cookie.--The term ``cookie'' means any program, 
     function, or device, commonly known as a ``cookie'', that 
     makes a record on the user's computer (or other electronic 
     device) of that user's access to an internet service, online 
     service, or commercial website.
       (4) Disclose.--The term ``disclose'' means the release of 
     personally identifiable information about a user of an 
     Internet service, online service, or commercial website by an 
     internet service provider, online service provider, or 
     operator of a commercial website for any purpose, except 
     where such information is provided to a person who provides 
     support for the internal operations of the service or website 
     and who does not disclose or use that information for any 
     other purpose.
       (5) Federal agency.--The term ``Federal agency'' means an 
     agency, as that term is defined in section 551(1) of title 5, 
     United States Code.
       (6) Internal operations support.--The term ``support for 
     the internal operations of a service or website'' means any 
     activity necessary to maintain the technical functionality of 
     that service or website.
       (7) Internet.--The term ``Internet'' means collectively the 
     myriad of computer and telecommunications facilities, 
     including equipment and operating software, which comprise 
     the interconnected world-wide network of networks that employ 
     the Transmission Control Protocol/Internet Protocol, or any 
     predecessor or successor protocols to such protocol, to 
     communicate information of all kinds by wire or radio.
       (8) Internet service provider; online service provider; 
     website.--The Commission shall by rule define the terms 
     ``internet service provider'', ``online service provider'', 
     and ``website'', and shall revise or amend such rule to take 
     into account changes in technology, practice, or procedure 
     with respect to the collection of personal information over 
     the Internet.
       (9) Online.--The term ``online'' refers to any activity 
     regulated by this Act or by section 2710 of title 18, United 
     States Code, that is effected by active or passive use of an 
     Internet connection, regardless of the medium by or through 
     which that connection is established.
       (10) Operator of a commercial website.--The term ``operator 
     of a commercial website''--
       (A) means any person who operates a website located on the 
     Internet or an online service and who collects or maintains 
     personal information from or about the users of or visitors 
     to such website or online service, or on whose behalf such 
     information is collected or maintained, where such website or 
     online service is operated for commercial purposes, including 
     any person offering products or services for sale through 
     that website or online service, involving commerce--
       (i) among the several States or with 1 or more foreign 
     nations;
       (ii) in any territory of the United States or in the 
     District of Columbia, or between any such territory and--

       (I) another such territory; or
       (II) any State or foreign nation; or

       (iii) between the District of Columbia and any State, 
     territory, or foreign nation; but
       (B) does not include any nonprofit entity that would 
     otherwise be exempt from coverage under section 5 of the 
     Federal Trade Commission Act (15 U.S.C. 45).
       (11) Personally identifiable information.--
       (A) In general.--The term ``personally identifiable 
     information'' means individually identifiable information 
     about an individual collected online, including--
       (i) a first and last name, whether given at birth or 
     adoption, assumed, or legally changed;

[[Page S2963]]

       (ii) a home or other physical address including street name 
     and name of a city or town;
       (iii) an e-mail address;
       (iv) a telephone number;
       (v) a birth certificate number;
       (vi) any other identifier for which the Commission finds 
     there is a substantial likelihood that the identifier would 
     permit the physical or online contacting of a specific 
     individual; or
       (vii) information that an Internet service provider, online 
     service provider, or operator of a commercial website 
     collects and combines with an identifier described in clauses 
     (i) through (vi) of this subparagraph.
       (B) Inferential information excluded.--Information about an 
     individual derived or inferred from data collected online but 
     not actually collected online is not personally identifiable 
     information.
       (12) Release.--The term ``release of personally 
     identifiable information'' means the direct or indirect, 
     sharing, selling, renting, or other provision of personally 
     identifiable information of a user of an internet service, 
     online service, or commercial website to any other person 
     other than the user.
       (13) Robust notice.--The term ``robust notice'' means 
     actual notice at the point of collection of the personally 
     identifiable information describing briefly and succinctly 
     the intent of the Internet service provider, online service 
     provider, or operator of a commercial website to use or 
     disclose that information for marketing or other purposes.
       (14) Sensitive financial information.--The term ``sensitive 
     financial information'' means--
       (A) the amount of income earned or losses suffered by an 
     individual;
       (B) an individual's account number or balance information 
     for a savings, checking, money market, credit card, 
     brokerage, or other financial services account;
       (C) the access code, security password, or similar 
     mechanism that permits access to an individual's financial 
     services account;
       (D) an individual's insurance policy information, including 
     the existence, premium, face amount, or coverage limits of an 
     insurance policy held by or for the benefit of an individual; 
     or
       (E) an individual's outstanding credit card, debt, or loan 
     obligations.
       (15) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     personally identifiable information about an individual's--
       (A) individually identifiable health information (as 
     defined in section 164.501 of title 45, Code of Federal 
     Regulations);
       (B) race or ethnicity;
       (C) political party affiliation;
       (D) religious beliefs;
       (E) sexual orientation;
       (F) a Social Security number; or
       (G) sensitive financial information.

     SEC. 402. EFFECTIVE DATE OF TITLE I.

       Title I of this Act takes effect on the day after the date 
     on which the Commission publishes a final rule under section 
     403.

     SEC. 403. FTC RULEMAKING.

       The Commission shall--
       (1) initiate a rulemaking within 90 days after the date of 
     enactment of this Act for regulations to implement the 
     provisions of title I; and
       (2) complete that rulemaking within 270 days after 
     initiating it.

     SEC. 404. FTC REPORT.

       (a) Report.--The Commission shall submit a report to the 
     Senate Committee on Commerce, Science, and Transportation and 
     the House of Representatives Committee on Commerce 18 months 
     after the effective date of title I, and annually thereafter, 
     on--
       (1) whether this Act is accomplishing the purposes for 
     which it was enacted;
       (2) whether technology that protects privacy is being 
     utilized in the marketplace in such a manner as to facilitate 
     administration of and compliance with title I;
       (3) whether additional legislation is required to 
     accomplish those purposes or improve the administrability or 
     effectiveness of this Act;
       (4) whether legislation is appropriate or necessary to 
     regulate the collection, use, and distribution of personally 
     identifiable information collected other than via the 
     Internet;
       (5) whether and how the government might assist industry in 
     developing standard online privacy notices that substantially 
     comply with the requirements of section 102(a);
       (6) whether and how the creation of a set of 
     self-regulatory guidelines established by independent safe harbor 
     organizations and approved by the Commission would facilitate 
     administration of and compliance with title I; and
       (7) whether additional legislation is necessary or 
     appropriate to regulate the collection, use, and disclosure 
     of personally identifiable information collected online 
     before the effective date of title I.
       (b) FTC Notice of Inquiry.--The Commission shall initiate a 
     notice of inquiry within 90 days after the date of enactment 
     of this Act to request comment on the matter described in 
     paragraphs (1) through (7) of subsection (a).

     SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (1) by redesignating subsection (d) as subsection (e); and
       (2) by inserting after subsection (c) the following:
       ``(d) Development of Internet Privacy Program.--The 
     Institute shall encourage and support the development of one 
     or more computer programs, protocols, or other software, such 
     as the World Wide Web Consortium's P3P program, capable of 
     being installed on computers, or computer networks, with 
     Internet access that would reflect the user's preferences for 
     protecting personally-identifiable or other sensitive, 
     privacy-related information, and automatically execute the 
     program, once activated, without requiring user 
     intervention.''.

  Mr. CLELAND. Madam President, just last week I read an article that 
described the practice of online companies placing prices on people's 
personal information in order to raise revenue. When the Internet 
revolution began, I do not believe anyone thought the buying and 
selling of our personal information would be where these companies 
would turn when they began to experience difficulties in the financial 
markets. My constituents have expressed to me their concerns over such 
practices, and I have responded by co-sponsoring Senator Hollings' 
bipartisan legislation to enact reasonable privacy standards on personal 
information gathered on-line.
  In May 2000, the Federal Trade Commission, FTC, issued its third 
report to Congress on the state of online privacy. Due to the fact that 
there remained a great deal of concern by consumers over how their 
information is used by online companies, so much so that some consumers 
provided false information or did not utilize the commercial aspects of 
the Internet altogether, the FTC recommended legislation to establish 
online privacy guidelines. Introduction of this legislation is a step 
in the right direction, and a step closer to the FTC's recommendation.
  This bill calls for sensitive, personally identifiable information, 
such as health information, race, religion, and social security number, 
to be protected by requiring consumers to provide affirmative consent 
for this information to be shared; in other words, they must ``opt 
in.'' Under our proposal, the treatment of non-sensitive, personally 
identifiable information must be described through strict, robust 
notice in plain English. After some consumers received their privacy 
policies required by the Gramm-Leach-Bliley Act, they thought it would 
be easier to understand the tax code.
  An important provision in the Hollings measure modeled on allowing 
consumers to access their credit report information would allow online 
consumers to access and correct any incorrect information companies may 
be listing. Additionally, to monitor the effectiveness of this 
legislation, the bill calls for the FTC to report to Congress on this 
matter and to recommend any needed changes in its provisions.
  I am pleased to be an original cosponsor of this legislation which I 
believe moves us in the right direction to actually grow the Internet 
and its capability for commerce by easing people's fears over how their 
names, addresses, social security numbers and other important 
information will be secured. The Internet's possibilities are only 
beginning to be realized. In the business world, it creates an easy way 
to share information and conduct transactions. However, if the 
information is personal in nature, I, along with many of my colleagues, 
believe people deserve and are indeed entitled to expect the 
opportunity to elect whether to have that information shared or not, 
and in all cases for it to be securely monitored. I am proud to lend my 
support to this important bill.
                                 ______