H. R. 1528
To protect and enhance consumer privacy, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
April 13, 2011
Mr. STEARNS (for himself, Mr. MATHESON, Mr. BILBRAY, and Mr. MANZULLO) introduced
the following bill; which was referred to the Committee on Energy and Commerce
To protect and enhance consumer privacy, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Consumer Privacy Protection Act of 2011'.
SEC. 3. DEFINITIONS.
In this Act, the following definitions apply:
(1) AFFILIATE- The term `affiliate' means any company that controls, is
controlled by, or is under common control with another company.
(2) COMMISSION- The term `Commission' means the Federal Trade Commission.
(3) CONSUMER- The term `consumer' means an individual acting in the individual's
personal, family, or household capacity.
(4) COVERED ENTITY- (A) The term `covered entity' means an entity (or an
agent or affiliate of the entity) that collects (by any means, through any
medium), sells, discloses for consideration, or uses personally identifiable
information of more than 5,000 consumers during any consecutive 12-month
period, and includes a non-profit organization, including any organization
described in section 501(c) of the Internal Revenue Code of 1986 that is
exempt from taxation under section 501(a) of such Code, notwithstanding
the definition of the term `Acts to regulate commerce' in section 4 of the
Federal Trade Commission Act (15 U.S.C. 44) and the exception provided by
section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) for such organizations.
(B) Such term does not include--
(i) a governmental agency;
(ii) a provider of professional services, or any affiliate thereof, to
the extent that such provider is obligated by rules of professional ethics,
or by applicable law or regulation, not to voluntarily disclose confidential
client information without the consent of the client; or
(iii) a data processing outsourcing entity.
(5) DATA PROCESSING OUTSOURCING ENTITY- The term `data processing outsourcing
entity' means, with respect to a covered entity, a non-affiliated entity
(A) provides information technology processing, Web hosting, or telecommunications
services to the covered entity;
(B) is contractually obligated to comply with security controls specified
by the covered entity; and
(C) has no right to use the covered entity's personally identifiable information
other than for performing data processing outsourcing services for the
covered entity or as required by contract or law.
(6) DISPLAY- The term `display' means intentionally communicating or otherwise
making available (on the Internet or in any other manner) to another person.
(7) INFORMATION-SHARING AFFILIATE- The term `information-sharing affiliate'
means any affiliate that is under common control with a covered entity,
or is contractually obligated to comply with the practices enumerated under
(8) PERSONALLY IDENTIFIABLE INFORMATION- (A) The term `personally identifiable
information', with respect to a covered entity means individually identifiable
information relating to a living individual who can be identified from that
information, and includes:
(i) the combination of a first name (or initial) and last name of an
individual, whether given at birth or time of adoption, or resulting
from a lawful change of name;
(ii) the postal address of a physical place of residence of such individual;
(iii) an e-mail address of such individual;
(iv) a telephone number or mobile device number dedicated to contacting
such individual at any place other than the individual's place of work;
(v) a social security number or other Federal or State government issued
identification number issued to such individual; or
(vi) the complete account number of a credit or debit card issued to
(B) Such term also includes, when disclosed in connection with one or more
of the items of information described in subparagraph (A)--
(i) a birth date, the number of a certificate of birth or adoption, or
a place of birth; or
(ii) an electronic address, including an IP address.
(C) Such term does not include--
(i) anonymous or aggregate data, or any other information that does not
identify a unique living individual;
(ii) information about a consumer inferred from data maintained about
a consumer; or
(iii) information about a consumer that is publicly available or obtained
from a public record.
(9) PROCESS- The term `process', with respect to personally identifiable
information, means any value-added activity performed on data by automated
(10) PUBLICLY AVAILABLE- The term `publicly available', with respect to
information, means information that is lawfully made available to the general
(11) PUBLIC RECORD- The term `public record' means any item, collection,
or grouping of information about an individual that is maintained by a Federal,
State, or local government entity and that is made available to the public.
(12) PURCHASE- The term `purchase' means providing, directly or indirectly,
anything of value in exchange for a good or service.
(13) STATE- The term `State' includes the several States, the District of
Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern
Mariana Islands, American Samoa, Guam, the Virgin Islands, the Freely Associated
States, and any other territory or possession of the United States.
(14) TRANSACTION- The term `transaction' means an interaction between a
consumer and a covered entity resulting in--
(A) any use of information that is necessary to complete the interaction
in the course of which information is collected, or to maintain the provisioning
of a good or service requested by the consumer, including use--
(i) to approve, guarantee, process, administer, complete, enforce, provide,
or market a product, service, account, benefit, transaction, or payment
method that is requested or approved by the consumer;
(ii) to deliver goods, services, funds, or other consideration to, or
on behalf of, the consumer;
(iii) to protect the health and safety of the consumer; and
(iv) related to website analytics methods or measurements for improving
or enhancing products or services.
(B) any disclosure of information that is necessary for the consumer to
enforce any right of the consumer;
(C) any disclosure of information that is required by law or by a court
(D) any use of information to verify personally identifiable information
by the consumer, evaluate, detect, or reduce the risk of fraud or other
criminal activity, or other risk-management activities; and
(E) the collection or use of personally identifiable information for the
marketing or advertising of a covered entity's products or services to
its own customers or potential customers.
SEC. 4. PRIVACY NOTICES TO CONSUMERS.
(a) Notice Required- A covered entity shall provide to a consumer a notice
containing the information required under subsection (b) as follows:
(1) The covered entity shall provide the notice before any personally identifiable
information that is collected from a consumer is used by the covered entity
for a purpose unrelated to a transaction.
section 5(a), the covered entity shall provide the notice, not later than
the first time after such change in policy that the covered entity seeks
to sell, disclose for consideration, or use personally identifiable information
to the extent practicable, to each consumer from whom the covered entity
has collected such information.
(b) Form and Contents of Notice- A notice required under subsection (a) shall
be provided in a clear and conspicuous manner, be prominently displayed or
explicitly stated to the consumer, and contain the following information:
(1) A statement that the personally identifiable information collected by
the covered entity may be used or disclosed for purposes or transactions
unrelated to that for which it was collected, as described in the covered
entity's privacy statement.
(2) A description, appropriate to the applicable medium, of the manner in
requirements of section 5, which may include providing the consumer with
an Internet website, a hyperlink to such a website, or a toll-free telephone
number from which such a statement may be obtained. If the notice required
under subsection (a) is provided to the consumer by means of an Internet
statement must be by means of an Internet website.
(3) If the notice is required under subsection (a)(2), a statement that
respect to the collection, sale, disclosure for consideration, dissemination,
use, and security of the personally identifiable information of consumers,
(or statements) that meets the requirements of subsection (b).
(b) Statement- The statement (or statements) required under subsection (a)
shall meet the following requirements:
(1) The statement must be brief, concise, clear, and conspicuous and written
in plain language.
(2) The statement must be available to all consumers of the covered entity
(regardless of the means by which a consumer conducts a transaction with
the covered entity)--
(A) at no charge to the consumer; and
(B) at the time the covered entity first collects personally identifiable
information about the consumer that may be used for a purpose unrelated
to a transaction with the consumer and subsequently.
(3) The statement must disclose only the following:
(A) The identity of each covered entity, or a description of each class
or type of covered entity, that may collect or use the information.
(B) The types of information that may be collected or used.
(C) How the information may be used.
(D) Whether the consumer is required to provide the information in order
to do business with the covered entity.
(E) The extent to which the information is subject to sale or disclosure
for consideration to a covered entity that is not an information-sharing
affiliate of the covered entity providing the statement, including--
(i) a clear and prominent statement of the fact that the information
is subject to such sale or disclosure for consideration;
(ii) a description of each class or type of covered entity to which
the information may be sold or disclosed for consideration;
(iii) to the extent practicable, the purpose for which the information
may be used; and
(iv) the types of information that may be sold or disclosed for consideration.
(F) Whether the information security practices of the covered entity meet
the security requirements of section 8 in order to prevent unauthorized
disclosure or release of personally identifiable information.
(c) Commission Facilitation- The Commission may take actions (including conducting
industry-wide workshops) to facilitate the development of harmonized, universal
wording or logo-based graphics in order to convey the contents of privacy
policy statements required under this section.
SEC. 6. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF INFORMATION.
(a) Preclusion of Sale or Disclosure-
(1) REQUIREMENT- A covered entity shall provide to the consumer, without
charge, the opportunity to preclude any sale or disclosure for consideration
of the consumer's personally identifiable information, provided in a particular
data collection, that may be used for a purpose other than a transaction
with the consumer, to any covered entity that is not an information-sharing
affiliate of the covered entity providing such opportunity.
(2) DURATION- A preclusion on sale or disclosure for consideration of information
established by a consumer under this subsection shall remain in effect for
5 years or until the consumer indicates otherwise, whichever occurs sooner.
A covered entity may not seek reconsideration of a consumer's preclusion
of such sale or disclosure until at least 1 year after such preclusion has
been imposed by the consumer.
(b) Permission for Sale or Disclosure- A covered entity may provide the consumer
an opportunity to permit the sale or disclosure described in subsection (a)(1)
in exchange for a benefit to the consumer.
(c) Accessibility- The opportunity to preclude (or if offered, to permit)
the sale or disclosure for consideration of information under this section
must be both easy to access and use, and the notice of the opportunity to
preclude must be clear and conspicuous.
SEC. 7. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.
If a covered entity provides to a consumer the opportunity to limit other
practices of the covered entity with respect to a particular collection or
use of personally identifiable information regarding the consumer, other than
that required by section 6--
(1) a notice and description of such opportunity must appear in the privacy
(2) such opportunity must be easy to access and to use; and
(3) any limitation exercised by the consumer pursuant to such opportunity
shall remain in effect, unless--
(A) the limitation is withdrawn by the consumer; or
(B) the covered entity provides the consumer at least 30 days notice before
materially changing the limitation or terminating its compliance with
SEC. 8. INFORMATION SECURITY OBLIGATIONS.
(a) Implementation- A covered entity shall prepare, revise as necessary, and
implement an information security policy that is applicable to the information
security practices and treatment of personally identifiable information maintained
by the covered entity, that is designed to prevent the unauthorized disclosure
or release of such information.
(b) Management Approval- An information security policy created pursuant to
paragraph (1) shall be considered and approved by the senior management officials
of the covered entity.
(c) Contents- An information security policy required under paragraph (1)
(1) a process for taking corrective action to prevent or mitigate unauthorized
disclosure of information; and
(2) identifying an officer of the covered entity as the point of contact
with responsibility for information security issues for the covered entity.
SEC. 9. SELF-REGULATORY PROGRAMS.
(a) Self-Regulatory Program-
(1) PRESUMPTION OF COMPLIANCE- The Commission shall presume that a covered
entity is in compliance with the provisions of sections 4 through 8 if that
(A) participates in a self-regulatory program approved under subsection
(B) is subject to enforcement under a self-regulatory program's guidelines,
procedures, requirements, and restrictions (including a remedial process
under subsection (c)(7)).
(2) EFFECT OF WILLFUL NONCOMPLIANCE- A covered entity that participates
in a self-regulatory program under this section shall not be liable for
a civil penalty arising out of a violation of any provision of sections
4 through 8 unless such violation results from willful noncompliance with
the guidelines, procedures, requirements, or restrictions of the program.
(b) Approval by Commission-
(1) APPROVAL- The Commission shall, within 90 days after submission of an
application for approval of a self-regulatory program under this section
(or of a material change in a program previously approved by the Commission),
approve such program (or change) if the Commission finds that the program
(or change) complies with the requirements of subsection (c).
(2) FORM OF APPLICATION- The Commission shall accept an application for
approval under paragraph (1) in any reasonable form the applicant may submit.
(3) DURATION UNTIL RENEWAL- A self-regulatory program approved by the Commission
under paragraph (1) shall be approved for a period of 5 years.
(4) REVOCATION OF APPROVAL- The Commission may, after notice and opportunity
for a hearing, revoke approval granted under paragraph (1), if the Commission
finds that a self-regulatory program fails to meet the requirements of subsection
(5) JUDICIAL REVIEW- Any order by the Commission denying approval of a self-regulatory
program shall be subject to judicial review, as provided in section 706
of title 5, United States Code.
(c) Requirements of Self-Regulatory Program- A self-regulatory program complies
with the requirements of this subsection if the program provides each of the
(1) Guidelines and procedures requiring a program participant to provide
substantially equivalent or greater protections for consumers and their
personally identifiable information as are provided under sections 4 through
(2) Procedures and requirements to provide for--
(A) an initial review of a participant's privacy statement and privacy
policy, and subsequent review whenever such statement or policy is substantively
(B) a participant's self-review and self-certification of its privacy
policy and practices to ensure compliance with the guidelines, procedures,
requirements, and restrictions of the program established under this subsection;
(C) a participant's subsequent periodic self-reviews and self-certifications,
to ensure continued compliance with such guidelines, procedures, requirements,
(D) submission of self-reviews and self-certifications under this paragraph
to any administrator of the program; and
(E) random review of participants, which may concentrate on selected compliance
issues, if the self-regulatory program conducts--
(i) random compliance tests with respect to each participant not less
frequently than every 3 years;
(ii) a full compliance test of a particular participant in any case
where non-compliance with any of the selected compliance issues has
been identified; and
(iii) full compliance tests of participants with a high number of complaints
(3) Procedures and requirements that ensure that a program participant provides
a process for resolving disputes with consumers relating to the privacy
policy and practices of the participant. Such dispute resolution process--
(A) must be available without charge to a consumer;
(B) must be available at a cost to the participant that is reasonable
and does not discourage participation by the participant in such process;
(C) must ensure that consumers are informed of how to utilize the process;
(D) may include, as one choice among others, binding arbitration; and
(E)(i) must be completed within 60 days after submission of the dispute
by the consumer; or
(ii) must be completed within 90 days after submission of the dispute
by the consumer, if the participant--
(I) determines that additional time is required to obtain information
to make an informed decision with respect to the dispute; and
(II) notifies the consumer and the self-regulatory program that such
additional time is required.
(4) Provisions for the use by participants in the program of a means (including
the use of a seal) to represent the participant's participation in the program.
(5) With respect to any nonvoluntary suspension or termination of participation
in the program because of the participant's failure to comply with the program,
procedures or requirements to provide for the following:
(A) Publication of notice and the reasons for any such suspension or termination,
except that no personally identifiable information related to such suspension
or termination may be published.
(B) Notice to the Commission of any such termination.
(6) Requirements and restrictions that assure independence with respect
to program eligibility, compliance, and dispute resolution mechanisms and
decisions from improper interference by management or ownership of the self-regulatory
(7) A process for a noncompliant participant to take timely remedial action
in order to come back into compliance with the program before suspension
or termination of participation in the program.
(d) Consumer Dispute Resolution-
(1) SELF-REGULATORY DISPUTE PROCESS- If a consumer has a dispute with a
participant in a self-regulatory program under this section or under section
5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that
for participation in the self-regulatory program, the consumer shall initially
seek resolution through the participant's dispute resolution process (established
in accordance with subsection (c)(3)). The Commission shall promptly refer
to the participant involved any dispute submitted to the Commission for
which resolution has not been initially sought through such process.
(2) RESOLUTION BY COMMISSION- A consumer may submit to the Commission for
resolution a dispute with a participant in a self-regulatory program under
this section, if the following requirements are met:
(A) The dispute was initially submitted under paragraph (1) for resolution
through the participant's dispute resolution process.
(B) The dispute submitted under paragraph (1) is not resolved--
(i) within 60 days after submission of the dispute by the consumer;
(ii) to the satisfaction of the consumer.
(C) Notice of the facts of the dispute is submitted to the Commission
not later than 30 days after the date on which the consumer is notified
of the resolution through the participant's dispute resolution process.
(D) The consumer has not voluntarily accepted a resolution of the dispute
under paragraph (1).
(E) The dispute was not resolved through binding arbitration.
(3) LIMITATION- Nothing in this Act shall prevent the Commission from investigating
compliance with this Act by a participant in a self-regulatory covered entity
based upon a complaint from an individual or covered entity other than a
consumer with a dispute with such participant, or on its own initiative,
except that prior to instituting any such investigation the Commission shall
afford the self-regulatory covered entity a reasonable opportunity to invoke
its own remedial procedures and assure compliance by the participant.
(4) CLEAR AND CONVINCING EVIDENCE- The presumption established by paragraph
(1) of subsection (a) may be overcome by clear and convincing evidence of
(e) Nonrelease of Certain Information- The Commission may not compel a participant
in a self-regulatory program approved under subsection (b) (or an administrator
of such a program) to provide proprietary information or personally identifiable
information of consumers to the Commission unless the Commission provides
assurances that such information will not be released to the public.
(f) Misrepresentation of Self-Regulatory Program Participation- It is unlawful
for a covered entity to misrepresent that it is a participant in a self-regulatory
program (including through any mechanism provided under subsection (c)(4))
when such covered entity is not, in fact, such a participant.
(g) Exempted Entity Participation- An entity that is not a covered entity
and that voluntarily participates in a self-regulatory program under this
section shall enjoy the rights and benefits provided under this section in
any action or investigation under section 5 of the Federal Trade Commission
Act (15 U.S.C. 45) to the extent that such action or investigation pertains
the self-regulatory program.
SEC. 10. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice- A violation of any provision of this
Act by a covered entity is an unfair or deceptive act or practice unlawful
under section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)),
except that the amount of any civil penalty under such Act shall be doubled
for a violation of this Act, but may not exceed $500,000 for all related violations
by a single violator (without respect to the number of consumers affected
or the duration of the related violations).
(b) Guidelines and Opinions- In order to assist in compliance with this Act,
the Federal Trade Commission may promulgate regulations and interpretive rules
under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a), with
respect to specific types of acts or practices that would, or would not, comply
with this Act.
SEC. 11. NO PRIVATE RIGHT OF ACTION.
This Act may not be considered or construed to provide any private right of
action. No private civil action relating to any act or practice governed under
this Act may be commenced or maintained in any State court or under State
law (including a pendent State claim to an action under Federal law).
SEC. 12. EFFECT ON OTHER LAWS.
(a) Qualified Exemption for Compliance With Other Federal Privacy Laws- To
the extent that personally identifiable information protected under this Act
is also protected under a provision of Federal privacy law described in subsection
(c), a covered entity that complies with the relevant provision of such other
Federal privacy law shall be deemed to have complied with the corresponding
provision of this Act.
(b) Protection of Other Federal Privacy Laws- Nothing in this Act may be construed
to modify, limit, supersede, or interfere with the operation of the Federal
privacy laws described in subsection (c) or the provision of information permitted
or required, expressly or by implication, by such laws, with respect to Federal
rights and practices.
(c) Other Federal Privacy Laws Described- The provisions of law to which subsections
(a) and (b) apply are the following:
(1) Section 552a of title 5, United States Code (commonly known as the Privacy
Act of 1974).
(2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.).
(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.).
(5) The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501
(6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.).
(7) The Electronic Communications Privacy Act of 1986 (Public Law 99-508).
(8) The Driver's Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).
(9) The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1221
(10) Section 445 of the General Education Provisions Act (20 U.S.C. 1232h).
(11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.).
(12) Section 222 of the Communications Act of 1934 (47 U.S.C. 222) relating
to the Customer Proprietary Network Information.
(13) The Cable Communications Policy Act of 1984 (47 U.S.C. 521 et seq.).
(14) The Communications Assistance for Law Enforcement Act (47 U.S.C. 1001
(15) The Video Privacy Protection Act of 1988 (Public Law 100-618).
(16) The Telephone Consumer Protection Act of 1991 (Public Law 102-243).
(17) The Health Insurance Portability and Accountability Act of 1996 (Public
Law 104-191), as it relates to an entity described in section 1172(a) of
the Social Security Act (42 U.S.C. 1320d-1(a)) or to activities regulated
under section 1173 of such Act (42 U.S.C. 1320d-2).
(18) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).
(d) Preemption of State Privacy Laws- This Act preempts any statutory law,
common law, rule, or regulation of a State, or a political subdivision of
a State, to the extent such law, rule, or regulation relates to or affects
the collection, use, sale, disclosure, retention, or dissemination of personally
identifiable information in commerce. No State, or political subdivision of
a State, may take any action to enforce this Act.
SEC. 13. EFFECTIVE DATE.
This Act shall apply with respect to personally identifiable information collected
on or after the date that is 1 year after the date of enactment of this Act.