[Congressional Record Volume 157, Number 62 (Monday, May 9, 2011)]
[Senate]
[Pages S2780-S2782]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ROCKEFELLER:
  S. 913. A bill to require the Federal Trade Commission to prescribe 
regulations regarding the collection and use of personal information 
obtained by tracking the online activity of an individual, and for 
other purposes; to the Committee on Commerce, Science, and 
Transportation.
  Mr. ROCKFELLER. Mr. President, I rise to introduce the Do-Not-Track 
Online Act of 2011; and I ask for unanimous consent that the bill be 
printed for the record. This bill is a first step towards furthering 
consumer privacy by empowering Americans with the ability to control 
their personal information and prevent online companies from collecting 
and using that information, if they so choose.
  Do-Not-Track is a simple concept. It allows consumers, with a simple 
click of the mouse or the press of the button, to tell the entire 
online world, ``Do not collect information about me. I care about my 
privacy. And I do not want my information used in ways I do not expect 
or approve of.'' Under my bill, online companies would have to honor 
that user declaration, and cease the information collection and use 
practices to which consumers have said, ``no.'' My bill would direct 
the Federal Trade Commission to issue regulations that establish 
standards for a do- not-track mechanism and obligate online companies 
to accommodate that consumer preference.
  This bill is necessary because Americans' privacy is increasingly 
under surveillance as they conduct their affairs online. Whether it is 
a mother at home on a computer researching the symptoms of her sick 
child, a man exploring how to change jobs or buy a home, or a teenager 
using her smartphone while riding the subway, online companies are 
collecting vast amounts of information about all of this activity, 
often surreptitiously and with consumers completely unaware. There are 
a vast array of companies collecting this information in numerous ways: 
third-party advertising networks place ``cookies'' on computer web-
browsers to keep track of the websites consumers have visited; analytic 
and marketing companies identify individual computers by recognizing 
the unique configuration, or ``fingerprint,'' of web-browsers; and 
software applications installed on mobile devices, colloquially known 
as ``apps'', that collect, use, and disseminate information about 
consumer location, contact information, and other personal matters. All 
of this information is being stored on computer servers around the 
world and is used for a variety of purposes, ranging

[[Page S2781]]

from online behavioral advertising to internal analytics to the 
creation of personal dossiers by data brokers who build comprehensive 
profiles on individual Americans.
  My bill will empower consumers, if they so choose, to stem the tide. 
It gives them the means to prohibit the collection of their information 
from the start. Consumers will be able to notify companies who are 
collecting their personal information that they want those collection 
practices to stop. If online companies fail to obey this request, they 
will face stiff penalties from the Federal Trade Commission or state 
Attorneys General.
  The strength of this bill is its simplicity. Congress has long 
grappled with consumer privacy through the lens of ``notice and 
consent.'' That is, for over a decade in the Senate Commerce Committee, 
which I chair, we have tried to determine how online companies can 
provide clear and conspicuous notice to consumers about their 
commercial information practices; and once this notice has been given, 
further determine how consumers can either opt-in or opt-out of those 
information collection practices.

  The endeavor has proven complicated and often unworkable: privacy 
policies are often long and tedious, replete with technical legalese. 
These notices don't work well on a full screen computer, much less on a 
small hand-held mobile device, and consumers often ignore them. 
Further, consumer consent has been dependent on the type of information 
that is being collected and who is doing the collection. For instance, 
should a third-party advertising network be subject to the same 
restrictions as the Washington Post website that hosts the ad network? 
Should Apple be allowed to collect information about a person's iPhone, 
but an application be prohibited? Should companies differentiate 
between particularly sensitive information--such as health or political 
activities--and more innocuous information such as which sports teams 
someone may like?
  My Do-Not-Track bill avoids all of these messy policy considerations 
and provides consumers with the opportunity to take advantage of an 
easy mechanism that says ``no'' to anyone and everyone collecting their 
information. Period.
  I think it is worth noting that the FTC has recognized the utility of 
do-not-track in its December 2010 report on consumer privacy. The 
report states: ``Such a mechanism would ensure that consumers would not 
have to exercise choices on a company-by-company or industry-by-
industry basis, and that such choices would be persistent. It should 
also address some of the concerns with the existing browser mechanisms, 
by being more clear, easy-to-locate, and effective, and by conveying 
directly to websites the user's choice to opt out of tracking.'' 
Indeed, the private sector has similarly recognized the utility of do-
not-track. Mozilla's popular web browser, Firefox, and Apple's web 
browser, Safari, already allow consumers to affirmatively declare a do-
not-track preference to websites. The problem is that online companies 
have no legal obligation to honor this request. My bill fixes that.
  Let me say a few words about what this bill does not do. My bill 
would not ``break the Internet.'' I am sure that we will hear such 
hyperbole in opposition to the bill. The truth is that my bill makes 
all of the necessary accommodations for online companies to use 
information as is necessary to allow companies to provide the content 
and services consumers have grown to expect and enjoy. For instance, 
websites will still be able to use IP addresses to deliver content, and 
will be allowed to collect data to perform internal analytics and 
improve performance. Applications will still be able to use a phone's 
Unique Device Identifier--also known as UDID--to perform their 
functions as they are supposed to. However, when consumers state that 
they do not want to be tracked, online services will no longer be 
allowed to collect and use this information for any extraneous purpose, 
and they will be obligated to immediately destroy or anonymize the 
information once it is no longer needed to provide the service 
requested. Furthermore, my bill allows online companies to collect and 
maintain consumer information when it has been voluntarily provided by 
the consumer. Consumers also can allow companies they trust to collect 
and use their information by providing specific consent that overrides 
a general do-not-track preference.
  As such, my bill empowers consumers to stop online companies from 
collecting and using their information, but also preserves the ability 
of those online companies to conduct their business and deliver the 
content and services that consumers expect. The bill provides the FTC 
with rulemaking authority to use its expertise to protect the privacy 
interests of consumers while addressing the legitimate needs of 
industry.
  To be clear, my bill is not a comprehensive consumer privacy bill, 
nor is it meant to be. Do-not-track is just one aspect to consumer 
privacy albeit an important one. Other Members of the Commerce 
Committee are actively engaged in protecting consumer privacy 
interests. I want to commend Senator Kerry, who is a senior Member of 
the Commerce Committee, and Senator McCain for their efforts and for 
introducing legislation designed to establish a broad privacy 
framework. I also commend Senator Pryor's dedication to privacy 
protection and the vigorous oversight of his Subcommittee. I expect 
consumer privacy to remain a focus of the Congress and the Members of 
the Commerce Committee with more legislation being introduced in the 
coming weeks and months.
  In the end, my Do-Not-Track bill is a part of the ongoing discussion 
on consumer privacy in Congress. It is simple, yet powerful. It allows 
consumers, if they choose--and I should emphasize that many will not 
make such a choice--to stop the constant, almost mind-boggling sweep of 
online companies that are collecting vast amounts of consumer 
information. It prohibits those lurking in the cyber-shadows from 
surreptitiously profiting off of the personal, private information of 
ordinary Americans. I look forward to working with my colleagues on 
this and other privacy legislative efforts in the Commerce Committee 
and on the Senate floor.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 913

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Do-Not-Track Online Act of 
     2011''.

     SEC. 2. REGULATIONS RELATING TO ``DO-NOT-TRACK'' MECHANISMS.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act, the Federal Trade Commission shall 
     promulgate--
       (1) regulations that establish standards for the 
     implementation of a mechanism by which an individual can 
     simply and easily indicate whether the individual prefers to 
     have personal information collected by providers of online 
     services, including by providers of mobile applications and 
     services; and
       (2) rules that prohibit, except as provided in subsection 
     (b), such providers from collecting personal information on 
     individuals who have expressed, via a mechanism that meets 
     the standards promulgated under paragraph (1), a preference 
     not to have such information collected.
       (b) Exception.--The rules promulgated under paragraph (2) 
     of subsection (a) shall allow for the collection and use of 
     personal information on an individual described in such 
     paragraph, notwithstanding the expressed preference of the 
     individual via a mechanism that meets the standards 
     promulgated under paragraph (1) of such subsection, to the 
     extent--
       (1) necessary to provide a service requested by the 
     individual, including with respect to such service, basic 
     functionality and effectiveness, so long as such information 
     is anonymized or deleted upon the provision of such service; 
     or
       (2) the individual--
       (A) receives clear, conspicuous, and accurate notice on the 
     collection and use of such information; and
       (B) affirmatively consents to such collection and use.
       (c) Factors.--In promulgating standards and rules under 
     subsection (a), the Federal Trade Commission shall consider 
     and take into account the following:
       (1) The appropriate scope of such standards and rules, 
     including the conduct to which such rules shall apply and the 
     persons required to comply with such rules.
       (2) The technical feasibility and costs of--
       (A) implementing mechanisms that would meet such standards; 
     and
       (B) complying with such rules.
       (3) Mechanisms that--
       (A) have been developed or used before the date of the 
     enactment of this Act; and
       (B) are for individuals to indicate simply and easily 
     whether the individuals prefer to

[[Page S2782]]

     have personal information collected by providers of online 
     services, including by providers of mobile applications and 
     services.
       (4) How mechanisms that meet such standards should be 
     publicized and offered to individuals.
       (5) Whether and how information can be collected and used 
     on an anonymous basis so that the information--
       (A) cannot be reasonably linked or identified with a person 
     or device, both on its own and in combination with other 
     information; and
       (B) does not qualify as personal information subject to the 
     rules promulgated under subsection (a)(2).
       (6) The standards under which personal information may be 
     collected and used, subject to the anonymization or deletion 
     requirements of subsection (b)(1)--
       (A) to fulfill the basic functionality and effectiveness of 
     an online service, including a mobile application or service;
       (B) to provide the content or services requested by 
     individuals who have otherwise expressed, via a mechanism 
     that meets the standards promulgated under subsection (a)(1), 
     a preference not to have personal information collected; and
       (C) for such other purposes as the Commission determines 
     substantially facilitates the functionality and effectiveness 
     of the online service, or mobile application or service, in a 
     manner that does not undermine an individual's preference, 
     expressed via such mechanism, not to collect such 
     information.
       (d) Rulemaking.--The Federal Trade Commission shall 
     promulgate the standards and rules required by subsection (a) 
     in accordance with section 553 of title 5, United States 
     Code.

     SEC. 3. ENFORCEMENT OF ``DO-NOT-TRACK'' MECHANISMS.

       (a) Enforcement by Federal Trade Commission.--
       (1) Unfair or deceptive acts or practices.--A violation of 
     a rule promulgated under section 2(a)(2) shall be treated as 
     an unfair and deceptive act or practice in violation of a 
     regulation under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or 
     deceptive acts or practices.
       (2) Powers of commission.--
       (A) In general.--Except as provided in subparagraph (C), 
     the Federal Trade Commission shall enforce this Act in the 
     same manner, by the same means, and with the same 
     jurisdiction, powers, and duties as though all applicable 
     terms and provisions of the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.) were incorporated into and made a part of 
     this Act.
       (B) Privileges and immunities.--Except as provided in 
     subparagraph (C), any person who violates this Act shall be 
     subject to the penalties and entitled to the privileges and 
     immunities provided in the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.).
       (C) Nonprofit organizations.--The Federal Trade Commission 
     shall enforce this Act with respect to an organization that 
     is not organized to carry on business for its own profit or 
     that of its members as if such organization were a person 
     over which the Commission has authority pursuant to section 
     5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 
     45(a)(2)).
       (b) Enforcement by States.--
       (1) In general.--In any case in which the attorney general 
     of a State has reason to believe that an interest of the 
     residents of the State has been or is threatened or adversely 
     affected by the engagement of any person subject to a rule 
     promulgated under section 2(a)(2) in a practice that violates 
     the rule, the attorney general of the State may, as parens 
     patriae, bring a civil action on behalf of the residents of 
     the State in an appropriate district court of the United 
     States--
       (A) to enjoin further violation of such rule by such 
     person;
       (B) to compel compliance with such rule;
       (C) to obtain damages, restitution, or other compensation 
     on behalf of such residents;
       (D) to obtain such other relief as the court considers 
     appropriate; or
       (E) to obtain civil penalties in the amount determined 
     under paragraph (2).
       (2) Civil penalties.--
       (A) Calculation.--Subject to subparagraph (B), for purposes 
     of imposing a civil penalty under paragraph (1)(E) with 
     respect to a person that violates a rule promulgated under 
     section 2(a)(2), the amount determined under this paragraph 
     is the amount calculated by multiplying the number of days 
     that the person is not in compliance with the rule by an 
     amount not greater than $16,000.
       (B) Maximum total liability.--The total amount of civil 
     penalties that may be imposed with respect to a person that 
     violates a rule promulgated under section 2(a)(2) shall not 
     exceed $15,000,000 for all civil actions brought against such 
     person under paragraph (1) for such violation.
       (C) Adjustment for inflation.--Beginning on the date on 
     which the Bureau of Labor Statistics first publishes the 
     Consumer Price Index after the date that is 1 year after the 
     date of the enactment of this Act, and annually thereafter, 
     the amounts specified in subparagraphs (A) and (B) shall be 
     increased by the percentage increase in the Consumer Price 
     Index published on that date from the Consumer Price Index 
     published the previous year.
       (3) Rights of federal trade commission.--
       (A) Notice to federal trade commission.--
       (i) In general.--Except as provided in clause (iii), the 
     attorney general of a State shall notify the Federal Trade 
     Commission in writing that the attorney general intends to 
     bring a civil action under paragraph (1) before initiating 
     the civil action.
       (ii) Contents.--The notification required by clause (i) 
     with respect to a civil action shall include a copy of the 
     complaint to be filed to initiate the civil action.
       (iii) Exception.--If it is not feasible for the attorney 
     general of a State to provide the notification required by 
     clause (i) before initiating a civil action under paragraph 
     (1), the attorney general shall notify the Federal Trade 
     Commission immediately upon instituting the civil action.
       (B) Intervention by federal trade commission.--The Federal 
     Trade Commission may--
       (i) intervene in any civil action brought by the attorney 
     general of a State under paragraph (1); and
       (ii) upon intervening--

       (I) be heard on all matters arising in the civil action; 
     and
       (II) file petitions for appeal of a decision in the civil 
     action.

       (4) Investigatory powers.--Nothing in this subsection may 
     be construed to prevent the attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of the State to conduct investigations, to 
     administer oaths or affirmations, or to compel the attendance 
     of witnesses or the production of documentary or other 
     evidence.
       (5) Preemptive action by federal trade commission.--If the 
     Federal Trade Commission institutes a civil action or an 
     administrative action with respect to a violation of a rule 
     promulgated under section 2(a)(2), the attorney general of a 
     State may not, during the pendency of such action, bring a 
     civil action under paragraph (1) against any defendant named 
     in the complaint of the Commission for the violation with 
     respect to which the Commission instituted such action.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under paragraph (1) may be 
     brought in--
       (i) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (ii) another court of competent jurisdiction.
       (B) Service of process.--In an action brought under 
     paragraph (1), process may be served in any district in which 
     the defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (7) Actions by other state officials.--
       (A) In general.--In addition to civil actions brought by 
     attorneys general under paragraph (1), any other officer of a 
     State who is authorized by the State to do so may bring a 
     civil action under paragraph (1), subject to the same 
     requirements and limitations that apply under this subsection 
     to civil actions brought by attorneys general.
       (B) Savings provision.--Nothing in this subsection may be 
     construed to prohibit an authorized official of a State from 
     initiating or continuing any proceeding in a court of the 
     State for a violation of any civil or criminal law of the 
     State.

     SEC. 4. BIENNIAL REVIEW AND ASSESSMENT.

       Not later than 2 years after the effective date of the 
     regulations initially promulgated under section 2, the 
     Federal Trade Commission shall--
       (1) review the implementation of this Act;
       (2) assess the effectiveness of such regulations, including 
     how such regulations define or interpret the term ``personal 
     information'' as such term is used in section 2;
       (3) assess the effect of such regulations on online 
     commerce; and
       (4) submit to Congress a report on the results of the 
     review and assessments required by this section.
                                 ______