[Congressional Record Volume 159, Number 29 (Thursday, February 28, 2013)]
[Senate]
[Pages S1024-S1026]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ROCKEFELLER (for himself and Mr. Blumenthal):
  S. 418. A bill to require the Federal Trade Commission to prescribe 
regulations regarding the collection and use of personal information 
obtained by tracking the online activity of an individual, and for 
other purposes; to the Committee on Commerce, Science, and 
Transportation.
  Mr. ROCKEFELLER. Mr. President, I rise to introduce the Do-Not-Track 
Online Act of 2013. This bill is a critical step towards furthering 
consumer privacy. It empowers Americans to control their personal 
information online and provides them with the ability to prevent online 
companies from collecting and using that information for profit.
  Do-not-track is a simple concept. It allows consumers, with a simple 
click of the mouse, to tell every company that participates in the vast 
online ecosystem, ``Do not collect information about me. I care about 
my privacy. My personal information is not for sale. And I do not want 
my information used in ways I do not expect or approve.'' Under this 
bill, online companies would have to honor that user declaration or 
face penalties enforced by the Federal Trade Commission, FTC, or State 
Attorneys General.
  This bill is necessary because the privacy of Americans is 
increasingly under assault as more and more of their daily lives are 
conducted online. Whether it is a person at home searching for a new 
job or home, a parent researching her sick child's symptoms and 
treatments using a health application, or a teenager using her 
smartphone while riding the subway, online companies are collecting 
massive amounts of information, often without consumers' knowledge or 
consent. A vast array of companies that consumers have never heard of 
are surreptitiously collecting this information in numerous ways: 
third-party advertising networks place ``cookies'' on computer web-
browsers to track the websites that consumers have visited; analytic 
and marketing companies identify individual computers by recognizing 
the unique configuration, or ``fingerprint,'' of web-browsers; and 
software applications installed on mobile devices, colloquially known 
as ``apps,'' collect, use, and share information about consumers' 
precise locations, contact lists, photographs, and other personal 
matters. All of this information can be combined and stored on computer 
servers around the world and used for a variety of purposes, ranging 
from website analytics to online behavioral advertising to the creation 
of comprehensive dossiers by data brokers that build and sell personal 
profiles about hundreds of millions of individual Americans.
  My bill would empower consumers, if they so choose, to stem the tide. 
It would give them the means to prohibit the collection of their 
information from the start. Consumers would be able to tell companies 
collecting their personal information that they want those collection 
practices to stop. At the same time, the bill would preserve the 
ability of those online companies to conduct their business and deliver 
the content and services that consumers have come to expect and enjoy. 
The bill would grant the FTC rulemaking authority to use its expertise 
to protect the privacy interests of consumers while addressing the 
legitimate needs of industry.
  The key to this bill is its simplicity. For over a decade in the 
Senate Commerce Committee, which I chair, we have tried to determine 
how online companies can provide clear and conspicuous notice to 
consumers about their information practices and--once this notice has 
been given--further determine how consumers can either opt-in or opt-
out of those information collection practices. Yet today, privacy 
policies are still far too long, too complicated, and too full of 
technical legalese for any reasonable consumer to read, let alone 
understand. The failures of these notices are even clearer when placed 
on the exploding number of mobile devices on which consumers have grown 
to rely. My bill avoids this messy ``rabbit hole'' of policy 
considerations and creates an easy mechanism that gives consumers the 
opportunity to simply say ``no thank you'' to anyone and everyone 
collecting their online information. Period.
  Let me also say a few words about what this bill does not do. My bill 
would not ``break the Internet,'' as I am sure we will hear from 
opponents. The truth is that my bill makes every necessary 
accommodation for online companies to continue providing content and 
services to consumers. For instance, websites and applications would 
still be able collect data to deliver the content and functionality 
that consumers have requested, perform internal analytics, improve 
performance, and prevent fraud. My bill would also allow online 
companies to collect and maintain consumer information when it has been 
voluntarily provided by the consumer. They could also collect data that 
is truly anonymous. Finally, consumers could allow companies they trust 
to collect and use their information by giving specific consent that 
overrides a general do-not-track preference. But, when consumers say 
that they do not want to be tracked, online companies would no longer 
be allowed to ignore this request and collect and use this information 
for any extraneous purpose. Moreover, these companies would be 
obligated to immediately destroy or anonymize the information once it 
is no longer needed to provide the service requested.
  I think it is worth noting that since 2010, the FTC has called for a 
do-not-track solution. The commission has stated that any effective do-
not-track system should be simple, easy to use, and persistent, and 
that, if implemented, it should prevent the collection of consumers' 
online data. The private sector has also taken notice and similarly 
recognized the utility of do-not-track for its users. Nearly every 
popular web browser now allows consumers to affirmatively declare a do-
not-track preference to websites. The problem is that online companies 
have no legal obligation to honor this request and, in fact, many have 
gone so far as to outright refuse to do so. In February 2012, industry 
leaders stood at the White House and publicly declared their commitment 
to honor do-not-track requests from web browsers. Yet since that time, 
industry has failed to live up to those commitments. The online 
advertising industry has articulated huge exemptions to its pledge to 
limit the collection of information--exceptions that undermine the very 
self-regulatory programs the industry has promoted as effective. This 
industry has emphasized consumer choice yet has made statements 
publicly refusing to honor new do-not-track browser features. My bill 
would put an end to this gamesmanship and nonsense.
  My bill is only part of the ongoing discussion on consumer privacy in 
Congress. It is simple, yet powerful. It allows consumers, if they 
choose, and I should emphasize that many will not make such a choice, 
to stop the mind-boggling number of online companies that are 
collecting vast amounts of their information. It gives consumers an 
easy-to-use tool that will implement their choices effectively in a 
complex, rapidly-changing online world. It prohibits those lurking in 
the cyber-shadows from profiting off of the personal, private 
information of ordinary Americans. I look forward to working with my 
colleagues on this and other privacy legislative efforts in the 
Commerce Committee and on the Senate floor.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 418

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Do-Not-Track Online Act of 
     2013''.

     SEC. 2. REGULATIONS RELATING TO ``DO-NOT-TRACK'' MECHANISMS.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act,

[[Page S1025]]

     the Federal Trade Commission shall promulgate--
       (1) regulations that establish standards for the 
     implementation of a mechanism by which an individual can 
     simply and easily indicate whether the individual prefers to 
     have personal information collected by providers of online 
     services, including by providers of mobile applications and 
     services; and
       (2) rules that prohibit, except as provided in subsection 
     (b), such providers from collecting personal information on 
     individuals who have expressed, via a mechanism that meets 
     the standards promulgated under paragraph (1), a preference 
     not to have such information collected.
       (b) Exception.--The rules promulgated under paragraph (2) 
     of subsection (a) shall allow for the collection and use of 
     personal information on an individual described in such 
     paragraph, notwithstanding the expressed preference of the 
     individual via a mechanism that meets the standards 
     promulgated under paragraph (1) of such subsection, to the 
     extent--
       (1) necessary to provide a service requested by the 
     individual, including with respect to such service, basic 
     functionality and effectiveness, so long as such information 
     is anonymized or deleted upon the provision of such service; 
     or
       (2) the individual--
       (A) receives clear, conspicuous, and accurate notice on the 
     collection and use of such information; and
       (B) affirmatively consents to such collection and use.
       (c) Factors.--In promulgating standards and rules under 
     subsection (a), the Federal Trade Commission shall consider 
     and take into account the following:
       (1) The appropriate scope of such standards and rules, 
     including the conduct to which such rules shall apply and the 
     persons required to comply with such rules.
       (2) The technical feasibility and costs of--
       (A) implementing mechanisms that would meet such standards; 
     and
       (B) complying with such rules.
       (3) Mechanisms that--
       (A) have been developed or used before the date of the 
     enactment of this Act; and
       (B) are for individuals to indicate simply and easily 
     whether the individuals prefer to have personal information 
     collected by providers of online services, including by 
     providers of mobile applications and services.
       (4) How mechanisms that meet such standards should be 
     publicized and offered to individuals.
       (5) Whether and how information can be collected and used 
     on an anonymous basis so that the information--
       (A) cannot be reasonably linked or identified with a person 
     or device, both on its own and in combination with other 
     information; and
       (B) does not qualify as personal information subject to the 
     rules promulgated under subsection (a)(2).
       (6) The standards under which personal information may be 
     collected and used, subject to the anonymization or deletion 
     requirements of subsection (b)(1)--
       (A) to fulfill the basic functionality and effectiveness of 
     an online service, including a mobile application or service;
       (B) to provide the content or services requested by 
     individuals who have otherwise expressed, via a mechanism 
     that meets the standards promulgated under subsection (a)(1), 
     a preference not to have personal information collected; and
       (C) for such other purposes as the Commission determines 
     substantially facilitates the functionality and effectiveness 
     of the online service, or mobile application or service, in a 
     manner that does not undermine an individual's preference, 
     expressed via such mechanism, not to collect such 
     information.
       (d) Rulemaking.--The Federal Trade Commission shall 
     promulgate the standards and rules required by subsection (a) 
     in accordance with section 553 of title 5, United States 
     Code.

     SEC. 3. ENFORCEMENT OF ``DO-NOT-TRACK'' MECHANISMS.

       (a) Enforcement by Federal Trade Commission.--
       (1) Unfair or deceptive acts or practices.--A violation of 
     a rule promulgated under section 2(a)(2) shall be treated as 
     an unfair and deceptive act or practice in violation of a 
     regulation under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or 
     deceptive acts or practices.
       (2) Powers of commission.--
       (A) In general.--Except as provided in subparagraph (C), 
     the Federal Trade Commission shall enforce this Act in the 
     same manner, by the same means, and with the same 
     jurisdiction, powers, and duties as though all applicable 
     terms and provisions of the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.) were incorporated into and made a part of 
     this Act.
       (B) Privileges and immunities.--Except as provided in 
     subparagraph (C), any person who violates this Act shall be 
     subject to the penalties and entitled to the privileges and 
     immunities provided in the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.).
       (C) Nonprofit organizations.--The Federal Trade Commission 
     shall enforce this Act with respect to an organization that 
     is not organized to carry on business for its own profit or 
     that of its members as if such organization were a person 
     over which the Commission has authority pursuant to section 
     5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 
     45(a)(2)).
       (b) Enforcement by States.--
       (1) In general.--In any case in which the attorney general 
     of a State has reason to believe that an interest of the 
     residents of the State has been or is threatened or adversely 
     affected by the engagement of any person subject to a rule 
     promulgated under section 2(a)(2) in a practice that violates 
     the rule, the attorney general of the State may, as parens 
     patriae, bring a civil action on behalf of the residents of 
     the State in an appropriate district court of the United 
     States--
       (A) to enjoin further violation of such rule by such 
     person;
       (B) to compel compliance with such rule;
       (C) to obtain damages, restitution, or other compensation 
     on behalf of such residents;
       (D) to obtain such other relief as the court considers 
     appropriate; or
       (E) to obtain civil penalties in the amount determined 
     under paragraph (2).
       (2) Civil penalties.--
       (A) Calculation.--Subject to subparagraph (B), for purposes 
     of imposing a civil penalty under paragraph (1)(E) with 
     respect to a person that violates a rule promulgated under 
     section 2(a)(2), the amount determined under this paragraph 
     is the amount calculated by multiplying the number of days 
     that the person is not in compliance with the rule by an 
     amount not greater than $16,000.
       (B) Maximum total liability.--The total amount of civil 
     penalties that may be imposed with respect to a person that 
     violates a rule promulgated under section 2(a)(2) shall not 
     exceed $15,000,000 for all civil actions brought against such 
     person under paragraph (1) for such violation.
       (C) Adjustment for inflation.--Beginning on the date on 
     which the Bureau of Labor Statistics first publishes the 
     Consumer Price Index after the date that is 1 year after the 
     date of the enactment of this Act, and annually thereafter, 
     the amounts specified in subparagraphs (A) and (B) shall be 
     increased by the percentage increase in the Consumer Price 
     Index published on that date from the Consumer Price Index 
     published the previous year.
       (3) Rights of federal trade commission.--
       (A) Notice to federal trade commission.--
       (i) In general.--Except as provided in clause (iii), the 
     attorney general of a State shall notify the Federal Trade 
     Commission in writing that the attorney general intends to 
     bring a civil action under paragraph (1) before initiating 
     the civil action.
       (ii) Contents.--The notification required by clause (i) 
     with respect to a civil action shall include a copy of the 
     complaint to be filed to initiate the civil action.
       (iii) Exception.--If it is not feasible for the attorney 
     general of a State to provide the notification required by 
     clause (i) before initiating a civil action under paragraph 
     (1), the attorney general shall notify the Federal Trade 
     Commission immediately upon instituting the civil action.
       (B) Intervention by federal trade commission.--The Federal 
     Trade Commission may--
       (i) intervene in any civil action brought by the attorney 
     general of a State under paragraph (1); and
       (ii) upon intervening--

       (I) be heard on all matters arising in the civil action; 
     and
       (II) file petitions for appeal of a decision in the civil 
     action.

       (4) Investigatory powers.--Nothing in this subsection may 
     be construed to prevent the attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of the State to conduct investigations, to 
     administer oaths or affirmations, or to compel the attendance 
     of witnesses or the production of documentary or other 
     evidence.
       (5) Preemptive action by federal trade commission.--If the 
     Federal Trade Commission institutes a civil action or an 
     administrative action with respect to a violation of a rule 
     promulgated under section 2(a)(2), the attorney general of a 
     State may not, during the pendency of such action, bring a 
     civil action under paragraph (1) against any defendant named 
     in the complaint of the Commission for the violation with 
     respect to which the Commission instituted such action.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under paragraph (1) may be 
     brought in--
       (i) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (ii) another court of competent jurisdiction.
       (B) Service of process.--In an action brought under 
     paragraph (1), process may be served in any district in which 
     the defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (7) Actions by other state officials.--
       (A) In general.--In addition to civil actions brought by 
     attorneys general under paragraph (1), any other officer of a 
     State who is authorized by the State to do so may bring a 
     civil action under paragraph (1), subject to the same 
     requirements and limitations that apply under this subsection 
     to civil actions brought by attorneys general.
       (B) Savings provision.--Nothing in this subsection may be 
     construed to prohibit an authorized official of a State from 
     initiating or continuing any proceeding in a court of the 
     State for a violation of any civil or criminal law of the 
     State.

[[Page S1026]]

     SEC. 4. BIENNIAL REVIEW AND ASSESSMENT.

       Not later than 2 years after the effective date of the 
     regulations initially promulgated under section 2, the 
     Federal Trade Commission shall--
       (1) review the implementation of this Act;
       (2) assess the effectiveness of such regulations, including 
     how such regulations define or interpret the term ``personal 
     information'' as such term is used in section 2;
       (3) assess the effect of such regulations on online 
     commerce; and
       (4) submit to Congress a report on the results of the 
     review and assessments required by this section.
                                 ______