To require the consent of an individual prior to the sale and marketing of such individual's personally identifiable information, and for other purposes.

January 24, 2005

Mrs. FEINSTEIN introduced the following bill; which was read twice and referred to the Committee on the Judiciary

To require the consent of an individual prior to the sale and marketing of such individual's personally identifiable information, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title- This Act may be cited as the `Privacy Act of 2005'.

(b) Table of Contents- The table of contents of this Act is as follows:

Sec. 1. Short title; table of contents

TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE INFORMATION

Sec. 101. Collection and distribution of personally identifiable information

Sec. 102. Enforcement

Sec. 103. Safe harbor

Sec. 104. Definitions

Sec. 105. Preemption

Sec. 106. Effective Date

TITLE II--SOCIAL SECURITY NUMBER MISUSE PREVENTION

Sec. 201. Findings

Sec. 202. Prohibition of the display, sale, or purchase of social security numbers

Sec. 203. Application of prohibition of the display, sale, or purchase of social security numbers to public records

Sec. 204. Rulemaking authority of the Attorney General

Sec. 205. Treatment of social security numbers on government documents

Sec. 206. Limits on personal disclosure of a social security number for consumer transactions

Sec. 207. Extension of civil monetary penalties for misuse of a social security number

Sec. 208. Criminal penalties for the misuse of a social security number

Sec. 209. Civil actions and civil penalties

Sec. 210. Federal injunctive authority

TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL FINANCIAL INFORMATION

Sec. 301. Definition of sale

Sec. 302. Rules applicable to sale of nonpublic personal information

Sec. 303. Exceptions to disclosure prohibition

Sec. 304. Conforming amendments

Sec. 305. Regulatory authority

Sec. 306. Effective date

TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

Sec. 401. Definitions

Sec. 402. Prohibition against selling protected health information

Sec. 403. Authorization for sale or marketing of protected health information by noncovered entities

Sec. 404. Prohibition against retaliation

Sec. 405. Rule of construction

Sec. 406. Regulations

Sec. 407. Enforcement

TITLE V--DRIVER'S LICENSE PRIVACY

Sec. 501. Driver's license privacy

TITLE VI--MISCELLANEOUS

Sec. 601. Enforcement by State Attorneys General

Sec. 602. Federal injunctive authority

TITLE I--COMMERCIAL SALE AND MARKETING OF PERSONALLY IDENTIFIABLE INFORMATION

SEC. 101. COLLECTION AND DISTRIBUTION OF PERSONALLY IDENTIFIABLE INFORMATION.

(a) Prohibition-

(1) IN GENERAL- It is unlawful for a commercial entity to collect personally identifiable information and disclose such information to any nonaffiliated third party for marketing purposes or sell such information to any nonaffiliated third party, unless the commercial entity provides--

(A) notice to the individual to whom the information relates in accordance with the requirements of subsection (b); and

(B) an opportunity for such individual to restrict the disclosure or sale of such information.

(2) EXCEPTION- A commercial entity may collect personally identifiable information and use such information to market to potential customers such entity's product.

(b) Notice-

(1) IN GENERAL- A notice under subsection (a) shall contain statements describing the following:

(A) The identity of the commercial entity collecting the personally identifiable information.

(B) The types of personally identifiable information that are being collected on the individual.

(C) How the commercial entity may use such information.

(D) A description of the categories of potential recipients of such personally identifiable information.

(E) Whether the individual is required to provide personally identifiable information in order to do business with the commercial entity.

(F) How an individual may decline to have such personally identifiable information used or sold as described in subsection (a).

(2) TIME OF NOTICE- Notice shall be conveyed prior to the sale or use of the personally identifiable information as described in subsection (a) in such a manner as to allow the individual a reasonable period of time to consider the notice and limit such sale or use.

(3) MEDIUM OF NOTICE- The medium for providing notice must be--

(A) the same medium in which the personally identifiable information is or will be collected, or a medium approved by the individual; or

(B) in the case of oral communication, notice may be conveyed orally or in writing.

(4) FORM OF NOTICE- The notice shall be clear and conspicuous.

(c) Opt-Out-

(1) OPPORTUNITY TO OPT-OUT OF SALE OR MARKETING- The opportunity provided to limit the sale of personally identifiable information to nonaffiliated third parties or the disclosure of such information for marketing purposes, shall be easy to use, accessible and available in the medium the information is collected, or in a medium approved by the individual.

(2) DURATION OF LIMITATION- An individual's limitation on the sale or marketing of personally identifiable information shall be considered permanent, unless otherwise specified by the individual.

(3) REVOCATION OF CONSENT- After an individual grants consent to the use of that individual's personally identifiable information, the individual may revoke the consent at any time, except to the extent that the commercial entity has taken action in reliance thereon. The commercial entity shall provide the individual an opportunity to revoke consent that is easy to use, accessible, and available in the medium the information was or is collected.

(4) NOT APPLICABLE- This section shall not apply to disclosure of personally identifiable information--

(A) that is necessary to facilitate a transaction specifically requested by the consumer;

(B) is used for the sole purpose of facilitating this transaction; and

(C) in which the entity receiving or obtaining such information is limited, by contract, to use such formation for the purpose of completing the transaction.

SEC. 102. ENFORCEMENT.

(a) In General- In accordance with the provisions of this section, the Federal Trade Commission shall have the authority to enforce any violation of section 101 of this Act.

(b) Violations- The Federal Trade Commission shall treat a violation of section 101 as a violation of a rule under section 18a(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(c) Transfer of Enforcement Authority- The Federal Trade Commission shall promulgate rules in accordance with section 553 of title 5, United States Code, allowing for the transfer of enforcement authority from the Federal Trade Commission to a Federal agency regarding section 101 of this Act. The Federal Trade Commission may permit a Federal agency to enforce any violation of section 101 if such agency submits a written request to the Commission to enforce such violations and includes in such request--

(1) a description of the entities regulated by such agency that will be subject to the provisions of section 101;

(2) an assurance that such agency has sufficient authority over the entities to enforce violations of section 101; and

(3) a list of proposed rules that such agency shall use in regulating such entities and enforcing section 101.

(d) Actions by the Commission- Absent transfer of enforcement authority to a Federal agency under subsection (c), the Federal Trade Commission shall prevent any person from violating section 101 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as provided to such Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). Any entity that violates section 101 is subject to the penalties and entitled to the privileges and immunities provided in such Act in the same manner, by the same means, and with the same jurisdiction, power, and duties under such Act.

(e) Relationship to Other Laws-

(1) COMMISSION AUTHORITY- Nothing contained in this title shall be construed to limit authority provided to the Commission under any other law.

(2) COMMUNICATIONS ACT- Nothing in section 101 requires an operator of a website to take any action that is inconsistent with the requirements of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 and 5551).

(3) OTHER ACTS- Nothing in this title is intended to affect the applicability or the enforceability of any provision of, or any amendment made by--

(A) the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.);

(B) title V of the Gramm-Leach-Bliley Act;

(C) the Health Insurance Portability and Accountability Act of 1996; or

(D) the Fair Credit Reporting Act.

(f) Public Records- Nothing in this title shall be construed to restrict commercial entities from obtaining or disclosing personally identifying information from public records.

(g) Civil Penalties- In addition to any other penalty applicable to a violation of section 101(a), a penalty of up to $25,000 may be issued for each violation.

(h) Enforcement Regarding Programs-

(1) IN GENERAL- A Federal agency or department providing financial assistance to any entity required to comply with section 101 of this Act shall issue regulations requiring that such entity comply with such section or forfeit some or all of such assistance. Such regulations shall prescribe sanctions for noncompliance, require that such department or agency provide notice of failure to comply with such section prior to any action being taken against such recipient, and require that a determination be made prior to any action being taken against such recipient that compliance cannot be secured by voluntary means.

(2) FEDERAL FINANCIAL ASSISTANCE- The term `Federal financial assistance' means assistance through a grant, cooperative agreement, loan, or contract other than a contract of insurance or guaranty.

SEC. 103. SAFE HARBOR.

A commercial entity may not be held to have violated any provision of this title if such entity complies with self-regulatory guidelines that--

(1) are issued by seal programs or representatives of the marketing or online industries or by any other person; and

(2) are approved by the Federal Trade Commission, after public comment has been received on such guidelines by the Commission, as meeting the requirements of this title.

SEC. 104. DEFINITIONS.

In this title:

(1) COMMERCIAL ENTITY- The term `commercial entity'--

(A) means any person offering products or services involving commerce--

(i) among the several States or with 1 or more foreign nations;

(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--

(I) another such territory; or

(II) any State or foreign nation; or

(iii) between the District of Columbia and any State, territory, or foreign nation; and

(B) does not include--

(i) any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45);

(ii) any financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); or

(iii) any group health plan, health insurance issuer, or other entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 201 note).

(2) COMMISSION- The term `Commission' means the Federal Trade Commission.

(3) INDIVIDUAL- The term `individual' means a person whose personally identifying information has been, is, or will be collected by a commercial entity.

(4) MARKETING- The term `marketing' means to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(5) MEDIUM- The term `medium' means any channel or system of communication including oral, written, and online communication.

(6) NONAFFILIATED THIRD PARTY- The term `nonaffiliated third party' means any entity that is not related by common ownership or affiliated by corporate control with, the commercial entity, but does not include a joint employee of such institution.

(7) PERSONALLY IDENTIFIABLE INFORMATION- The term `personally identifiable information' means individually identifiable information about the individual that is collected including--

(A) a first, middle, or last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address, including the street name, zip code, and name of a city or town;

(C) an e-mail address;

(D) a telephone number;

(E) a photograph or other form of visual identification;

(F) a birth date, birth certificate number, or place of birth for that person; or

(G) information concerning the individual that is combined with any other identifier in this paragraph.

(8) SALE; SELL; SOLD- The terms `sale', `sell', and `sold', with respect to personally identifiable information, mean the exchanging of such information for any thing of value, directly or indirectly, including the licensing, bartering, or renting of such information.

(9) WRITING- The term `writing' means writing in either a paper-based or computer-based form, including electronic and digital signatures.

SEC. 105. PREEMPTION.

The provisions of this title shall supersede any statutory and common law of States and their political subdivisions insofar as that law may now or hereafter relate to the--

(1) collection and disclosure of personally identifiable information for marketing purposes; and

(2) collection and sale of personally identifiable information.

SEC. 106. EFFECTIVE DATE.

This title and the amendments made by this title shall take effect 1 year after the date of enactment of this Act.

TITLE II--SOCIAL SECURITY NUMBER MISUSE PREVENTION

SEC. 201. FINDINGS.

Congress makes the following findings:

(1) The inappropriate display, sale, or purchase of social security numbers has contributed to a growing range of illegal activities, including fraud, identity theft, and, in some cases, stalking and other violent crimes.

(2) While financial institutions, health care providers, and other entities have often used social security numbers to confirm the identity of an individual, the general display to the public, sale, or purchase of these numbers has been used to commit crimes, and also can result in serious invasions of individual privacy.

(3) The Federal Government requires virtually every individual in the United States to obtain and maintain a social security number in order to pay taxes, to qualify for social security benefits, or to seek employment. An unintended consequence of these requirements is that social security numbers have become one of the tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned. Because the Federal Government created and maintains this system, and because the Federal Government does not permit individuals to exempt themselves from those requirements, it is appropriate for the Federal Government to take steps to stem the abuse of social security numbers.

(4) The display, sale, or purchase of social security numbers in no way facilitates uninhibited, robust, and wide-open public debate, and restrictions on such display, sale, or purchase would not affect public debate.

(5) No one should seek to profit from the display, sale, or purchase of social security numbers in circumstances that create a substantial risk of physical, emotional, or financial harm to the individuals to whom those numbers are assigned.

(6) Consequently, this title provides each individual that has been assigned a social security number some degree of protection from the display, sale, and purchase of that number in any circumstance that might facilitate unlawful conduct.

SEC. 202. PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL SECURITY NUMBERS.

(a) Prohibition-

(1) IN GENERAL- Chapter 47 of title 18, United States Code, is amended by inserting after section 1028 the following:

`Sec. 1028A. Prohibition of the display, sale, or purchase of social security numbers

`(a) Definitions- In this section:

`(1) DISPLAY- The term `display' means to intentionally communicate or otherwise make available (on the Internet or in any other manner) to the general public an individual's social security number.

`(2) PERSON- The term `person' means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity.

`(3) PURCHASE- The term `purchase' means providing directly or indirectly, anything of value in exchange for a social security number.

`(4) SALE- The term `sale' means obtaining, directly or indirectly, anything of value in exchange for a social security number.

`(5) STATE- The term `State' means any State of the United States, the District of Columbia, Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any territory or possession of the United States.

`(b) Limitation on Display- Except as provided in section 1028B, no person may display any individual's social security number to the general public without the affirmatively expressed consent of the individual.

`(c) Limitation on Sale or Purchase- Except as otherwise provided in this section, no person may sell or purchase any individual's social security number without the affirmatively expressed consent of the individual.

`(d) Prerequisites for Consent- In order for consent to exist under subsection (b) or (c), the person displaying or seeking to display, selling or attempting to sell, or purchasing or attempting to purchase, an individual's social security number shall--

`(1) inform the individual of the general purpose for which the number will be used, the types of persons to whom the number may be available, and the scope of transactions permitted by the consent; and

`(2) obtain the affirmatively expressed consent (electronically or in writing) of the individual.

`(e) Exceptions- Nothing in this section shall be construed to prohibit or limit the display, sale, or purchase of a social security number--

`(1) required, authorized, or excepted under any Federal law;

`(2) for a public health purpose, including the protection of the health or safety of an individual in an emergency situation;

`(3) for a national security purpose;

`(4) for a law enforcement purpose, including the investigation of fraud and the enforcement of a child support obligation;

`(5) if the display, sale, or purchase of the number is for a use occurring as a result of an interaction between businesses, governments, or business and government (regardless of which entity initiates the interaction), including, but not limited to--

`(A) the prevention of fraud (including fraud in protecting an employee's right to employment benefits);

`(B) the facilitation of credit checks or the facilitation of background checks of employees, prospective employees, or volunteers;

`(C) the retrieval of other information from other businesses, commercial enterprises, government entities, or private nonprofit organizations; or

`(D) when the transmission of the number is incidental to, and in the course of, the sale, lease, franchising, or merger of all, or a portion of, a business;

`(6) if the transfer of such a number is part of a data matching program involving a Federal, State, or local agency; or

`(7) if such number is required to be submitted as part of the process for applying for any type of Federal, State, or local government benefit or program;

except that, nothing in this subsection shall be construed as permitting a professional or commercial user to display or sell a social security number to the general public.

`(f) Limitation- Nothing in this section shall prohibit or limit the display, sale, or purchase of social security numbers as permitted under title V of the Gramm-Leach-Bliley Act, or for the purpose of affiliate sharing as permitted under the Fair Credit Reporting Act, except that no entity regulated under such Acts may make social security numbers available to the general public, as may be determined by the appropriate regulators under such Acts. For purposes of this subsection, the general public shall not include affiliates or unaffiliated third-party business entities as may be defined by the appropriate regulators.'.

(2) CONFORMING AMENDMENT- The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1028 the following:

`1028A. Prohibition of the display, sale, or purchase of social security numbers.'.

(b) Study; Report-

(1) IN GENERAL- The Attorney General shall conduct a study and prepare a report on all of the uses of social security numbers permitted, required, authorized, or excepted under any Federal law. The report shall include a detailed description of the uses allowed as of the date of enactment of this Act and shall evaluate whether such uses should be continued or discontinued by appropriate legislative action.

(2) REPORT- Not later than 1 year after the date of enactment of this Act, the Attorney General shall report to Congress findings under this subsection. The report shall include such recommendations for legislation based on criteria the Attorney General determines to be appropriate.

(c) Effective Date- The amendments made by this section shall take effect on the date that is 30 days after the date on which the final regulations promulgated under section 5 are published in the Federal Register.

SEC. 203. APPLICATION OF PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL SECURITY NUMBERS TO PUBLIC RECORDS.

(a) Public Records Exception-

(1) IN GENERAL- Chapter 47 of title 18, United States Code (as amended by section 3(a)(1)), is amended by inserting after section 1028A the following:

`Sec. 1028B. Display, sale, or purchase of public records containing social security numbers

`(a) Definition- In this section, the term `public record' means any governmental record that is made available to the general public.

`(b) In General- Except as provided in subsections (c), (d), and (e), section 1028A shall not apply to a public record.

`(c) Public Records on the Internet or in an Electronic Medium-

`(1) IN GENERAL- Section 1028A shall apply to any public record first posted onto the Internet or provided in an electronic medium by, or on behalf of a government entity after the date of enactment of this section, except as limited by the Attorney General in accordance with paragraph (2).

`(2) EXCEPTION FOR GOVERNMENT ENTITIES ALREADY PLACING PUBLIC RECORDS ON THE INTERNET OR IN ELECTRONIC FORM- Not later than 60 days after the date of enactment of this section, the Attorney General shall issue regulations regarding the applicability of section 1028A to any record of a category of public records first posted onto the Internet or provided in an electronic medium by, or on behalf of a government entity prior to the date of enactment of this section. The regulations will determine which individual records within categories of records of these government entities, if any, may continue to be posted on the Internet or in electronic form after the effective date of this section. In promulgating these regulations, the Attorney General may include in the regulations a set of procedures for implementing the regulations and shall consider the following:

`(A) The cost and availability of technology available to a governmental entity to redact social security numbers from public records first provided in electronic form after the effective date of this section.

`(B) The cost or burden to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments of complying with section 1028A with respect to such records.

`(C) The benefit to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments if the Attorney General were to determine that section 1028A should apply to such records.

Nothing in the regulation shall permit a public entity to post a category of public records on the Internet or in electronic form after the effective date of this section if such category had not been placed on the Internet or in electronic form prior to such effective date.

`(d) Harvested Social Security Numbers- Section 1028A shall apply to any public record of a government entity which contains social security numbers extracted from other public records for the purpose of displaying or selling such numbers to the general public.

`(e) Attorney General Rulemaking on Paper Records-

`(1) IN GENERAL- Not later than 60 days after the date of enactment of this section, the Attorney General shall determine the feasibility and advisability of applying section 1028A to the records listed in paragraph (2) when they appear on paper or on another nonelectronic medium. If the Attorney General deems it appropriate, the Attorney General may issue regulations applying section 1028A to such records.

`(2) LIST OF PAPER AND OTHER NONELECTRONIC RECORDS- The records listed in this paragraph are as follows:

`(A) Professional or occupational licenses.

`(B) Marriage licenses.

`(C) Birth certificates.

`(D) Death certificates.

`(E) Other short public documents that display a social security number in a routine and consistent manner on the face of the document.

`(3) CRITERIA FOR ATTORNEY GENERAL REVIEW- In determining whether section 1028A should apply to the records listed in paragraph (2), the Attorney General shall consider the following:

`(A) The cost or burden to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments of complying with section 1028A.

`(B) The benefit to the general public, businesses, commercial enterprises, non-profit organizations, and to Federal, State, and local governments if the Attorney General were to determine that section 1028A should apply to such records.'.

(2) CONFORMING AMENDMENT- The chapter analysis for chapter 47 of title 18, United States Code (as amended by section 202(a)(2)), is amended by inserting after the item relating to section 1028A the following:

`1028B. Display, sale, or purchase of public records containing social security numbers.'.

(b) Study and Report on Social Security Numbers in Public Records-

(1) STUDY- The Comptroller General of the United States shall conduct a study and prepare a report on social security numbers in public records. In developing the report, the Comptroller General shall consult with the Administrative Office of the United States Courts, State and local governments that store, maintain, or disseminate public records, and other stakeholders, including members of the private sector who routinely use public records that contain social security numbers.

(2) REPORT- Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the study conducted under paragraph (1). The report shall include a detailed description of the activities and results of the study and recommendations for such legislative action as the Comptroller General considers appropriate. The report, at a minimum, shall include--

(A) a review of the uses of social security numbers in non-federal public records;

(B) a review of the manner in which public records are stored (with separate reviews for both paper records and electronic records);

(C) a review of the advantages or utility of public records that contain social security numbers, including the utility for law enforcement, and for the promotion of homeland security;

(D) a review of the disadvantages or drawbacks of public records that contain social security numbers, including criminal activity, compromised personal privacy, or threats to homeland security;

(E) the costs and benefits for State and local governments of removing social security numbers from public records, including a review of current technologies and procedures for removing social security numbers from public records; and

(F) an assessment of the benefits and costs to businesses, their customers, and the general public of prohibiting the display of social security numbers on public records (with separate assessments for both paper records and electronic records).

(c) Effective Date- The prohibition with respect to electronic versions of new classes of public records under section 1028B(b) of title 18, United States Code (as added by subsection (a)(1)) shall not take effect until the date that is 60 days after the date of enactment of this Act.

SEC. 204. RULEMAKING AUTHORITY OF THE ATTORNEY GENERAL.

(a) In General- Except as provided in subsection (b), the Attorney General may prescribe such rules and regulations as the Attorney General deems necessary to carry out the provisions of section 1028A(e)(5) of title 18, United States Code (as added by section 202(a)(1)).

(b) Display, Sale, or Purchase Rulemaking With Respect to Interactions Between Businesses, Governments, or Business and Government-

(1) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the Attorney General, in consultation with the Commissioner of Social Security, the Chairman of the Federal Trade Commission, and such other heads of Federal agencies as the Attorney General determines appropriate, shall conduct such rulemaking procedures in accordance with subchapter II of chapter 5 of title 5, United States Code, as are necessary to promulgate regulations to implement and clarify the uses occurring as a result of an interaction between businesses, governments, or business and government (regardless of which entity initiates the interaction) permitted under section 1028A(e)(5) of title 18, United States Code (as added by section 202(a)(1)).

(2) FACTORS TO BE CONSIDERED- In promulgating the regulations required under paragraph (1), the Attorney General shall, at a minimum, consider the following:

(A) The benefit to a particular business, to customers of the business, and to the general public of the display, sale, or purchase of an individual's social security number.

(B) The costs that businesses, customers of businesses, and the general public may incur as a result of prohibitions on the display, sale, or purchase of social security numbers.

(C) The risk that a particular business practice will promote the use of a social security number to commit fraud, deception, or crime.

(D) The presence of adequate safeguards and procedures to prevent--

(i) misuse of social security numbers by employees within a business; and

(ii) misappropriation of social security numbers by the general public, while permitting internal business uses of such numbers.

(E) The presence of procedures to prevent identity thieves, stalkers, and other individuals with ill intent from posing as legitimate businesses to obtain social security numbers.

SEC. 205. TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT DOCUMENTS.

(a) Prohibition of Use of Social Security Account Numbers on Checks Issued for Payment by Governmental Agencies-

(1) IN GENERAL- Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at the end the following:

`(x) No Federal, State, or local agency may display the social security account number of any individual, or any derivative of such number, on any check issued for any payment by the Federal, State, or local agency.'.

(2) EFFECTIVE DATE- The amendment made by this subsection shall apply with respect to violations of section 205(c)(2)(C)(x) of the Social Security Act (42 U.S.C. 405(c)(2)(C)(x)), as added by paragraph (1), occurring after the date that is 3 years after the date of enactment of this Act.

(b) Prohibition of Appearance of Social Security Account Numbers on Driver's Licenses or Motor Vehicle Registration-

(1) IN GENERAL- Section 205(c)(2)(C)(vi) of the Social Security Act (42 U.S.C. 405(c)(2)(C)(vi)) is amended--

(A) by inserting `(I)' after `(vi)'; and

(B) by adding at the end the following:

`(II)(aa) An agency of a State (or political subdivision thereof), in the administration of any driver's license or motor vehicle registration law within its jurisdiction, may not display the social security account numbers issued by the Commissioner of Social Security, or any derivative of such numbers, on the face of any driver's license or motor vehicle registration or any other document issued by such State (or political subdivision thereof) to an individual for purposes of identification of such individual.

`(bb) Nothing in this subclause shall be construed as precluding an agency of a State (or political subdivision thereof), in the administration of any driver's license or motor vehicle registration law within its jurisdiction, from using a social security account number for an internal use or to link with the database of an agency of another State that is responsible for the administration of any driver's license or motor vehicle registration law.'.

(2) EFFECTIVE DATE- The amendments made by this subsection shall apply with respect to licenses, registrations, and other documents issued or reissued after the date that is 1 year after the date of enactment of this Act.

(c) Prohibition of Inmate Access to Social Security Account Numbers-

(1) IN GENERAL- Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by subsection (b)) is amended by adding at the end the following:

`(xi) No Federal, State, or local agency may employ, or enter into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the social security account numbers of other individuals. For purposes of this clause, the term `prisoner' means an individual confined in a jail, prison, or other penal institution or correctional facility pursuant to such individual's conviction of a criminal offense.'.

(2) EFFECTIVE DATE- The amendment made by this subsection shall apply with respect to employment of prisoners, or entry into contract with prisoners, after the date that is 1 year after the date of enactment of this Act.

SEC. 206. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER FOR CONSUMER TRANSACTIONS.

(a) In General- Part A of title XI of the Social Security Act (42 U.S.C. 1301 et seq.) is amended by adding at the end the following:

`SEC. 1150A. LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER FOR CONSUMER TRANSACTIONS.

`(a) In General- A commercial entity may not require an individual to provide the individual's social security number when purchasing a commercial good or service or deny an individual the good or service for refusing to provide that number except--

`(1) for any purpose relating to--

`(A) obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act;

`(B) a background check of the individual conducted by a landlord, lessor, employer, voluntary service agency, or other entity as determined by the Attorney General;

`(C) law enforcement; or

`(D) a Federal, State, or local law requirement; or

`(2) if the social security number is necessary to verify the identity of the consumer to effect, administer, or enforce the specific transaction requested or authorized by the consumer, or to prevent fraud.

`(b) Application of Civil Money Penalties- A violation of this section shall be deemed to be a violation of section 1129(a)(3)(F).

`(c) Application of Criminal Penalties- A violation of this section shall be deemed to be a violation of section 208(a)(8).

`(d) Limitation on Class Actions- No class action alleging a violation of this section shall be maintained under this section by an individual or any private party in Federal or State court.

`(e) State Attorney General Enforcement-

`(1) IN GENERAL-

`(A) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this section, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--

`(i) enjoin that practice;

`(ii) enforce compliance with such section;

`(iii) obtain damages, restitution, or other compensation on behalf of residents of the State; or

`(iv) obtain such other relief as the court may consider appropriate.

`(B) NOTICE-

`(i) IN GENERAL- Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Attorney General--

`(I) written notice of the action; and

`(II) a copy of the complaint for the action.

`(ii) EXEMPTION-

`(I) IN GENERAL- Clause (i) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

`(II) NOTIFICATION- With respect to an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the same time as the State attorney general files the action.

`(2) INTERVENTION-

`(A) IN GENERAL- On receiving notice under paragraph (1)(B), the Attorney General shall have the right to intervene in the action that is the subject of the notice.

`(B) EFFECT OF INTERVENTION- If the Attorney General intervenes in the action under paragraph (1), the Attorney General shall have the right to be heard with respect to any matter that arises in that action.

`(3) CONSTRUCTION- For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

`(A) conduct investigations;

`(B) administer oaths or affirmations; or

`(C) compel the attendance of witnesses or the production of documentary and other evidence.

`(4) ACTIONS BY THE ATTORNEY GENERAL OF THE UNITED STATES- In any case in which an action is instituted by or on behalf of the Attorney General for violation of a practice that is prohibited under this section, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in that action for violation of that practice.

`(5) VENUE; SERVICE OF PROCESS-

`(A) VENUE- Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

`(B) SERVICE OF PROCESS- In an action brought under paragraph (1), process may be served in any district in which the defendant--

`(i) is an inhabitant; or

`(ii) may be found.

`(f) Sunset- This section shall not apply on or after the date that is 6 years after the effective date of this section.'.

(b) Evaluation and Report- Not later than the date that is 6 years and 6 months after the date of enactment of this Act, the Attorney General, in consultation with the chairman of the Federal Trade Commission, shall issue a report evaluating the effectiveness and efficiency of section 1150A of the Social Security Act (as added by subsection (a)) and shall make recommendations to Congress as to any legislative action determined to be necessary or advisable with respect to such section, including a recommendation regarding whether to reauthorize such section.

(c) Effective Date- The amendment made by subsection (a) shall apply to requests to provide a social security number occurring after the date that is 1 year after the date of enactment of this Act.

SEC. 207. EXTENSION OF CIVIL MONETARY PENALTIES FOR MISUSE OF A SOCIAL SECURITY NUMBER.

(a) Treatment of Withholding of Material Facts-

(1) CIVIL PENALTIES- The first sentence of section 1129(a)(1) of the Social Security Act (42 U.S.C. 1320a-8(a)(1)) is amended--

(A) by striking `who' and inserting `who--';

(B) by striking `makes' and all that follows through `shall be subject to' and inserting the following:

`(A) makes, or causes to be made, a statement or representation of a material fact, for use in determining any initial or continuing right to or the amount of monthly insurance benefits under title II or benefits or payments under title VIII or XVI, that the person knows or should know is false or misleading;

`(B) makes such a statement or representation for such use with knowing disregard for the truth; or

`(C) omits from a statement or representation for such use, or otherwise withholds disclosure of, a fact which the individual knows or should know is material to the determination of any initial or continuing right to or the amount of monthly insurance benefits under title II or benefits or payments under title VIII or XVI and the individual knows, or should know, that the statement or representation with such omission is false or misleading or that the withholding of such disclosure is misleading, shall be subject to';

(C) by inserting `or each receipt of such benefits while withholding disclosure of such fact' after `each such statement or representation';

(D) by inserting `or because of such withholding of disclosure of a material fact' after `because of such statement or representation'; and

(E) by inserting `or such a withholding of disclosure' after `such a statement or representation'.

(2) ADMINISTRATIVE PROCEDURE FOR IMPOSING PENALTIES- The first sentence of section 1129A(a) of the Social Security Act (42 U.S.C. 1320a-8a(a)) is amended--

(A) by striking `who' and inserting `who--'; and

(B) by striking `makes' and all that follows through `shall be subject to' and inserting the following:

`(1) makes, or causes to be made, a statement or representation of a material fact, for use in determining any initial or continuing right to or the amount of monthly insurance benefits under title II or benefits or payments under title VIII or XVI, that the person knows or should know is false or misleading;

`(2) makes such a statement or representation for such use with knowing disregard for the truth; or

`(3) omits from a statement or representation for such use, or otherwise withholds disclosure of, a fact which the individual knows or should know is material to the determination of any initial or continuing right to or the amount of monthly insurance benefits under title II or benefits or payments under title VIII or XVI and the individual knows, or should know, that the statement or representation with such omission is false or misleading or that the withholding of such disclosure is misleading, shall be subject to'.

(b) Application of Civil Money Penalties to Elements of Criminal Violations- Section 1129(a) of the Social Security Act (42 U.S.C. 1320a-8(a)), as amended by subsection (a)(1), is amended--

(1) by redesignating paragraph (2) as paragraph (4);

(2) by redesignating the last sentence of paragraph (1) as paragraph (2) and inserting such paragraph after paragraph (1); and

(3) by inserting after paragraph (2) (as so redesignated) the following:

`(3) Any person (including an organization, agency, or other entity) who--

`(A) uses a social security account number that such person knows or should know has been assigned by the Commissioner of Social Security (in an exercise of authority under section 205(c)(2) to establish and maintain records) on the basis of false information furnished to the Commissioner by any person;

`(B) falsely represents a number to be the social security account number assigned by the Commissioner of Social Security to any individual, when such person knows or should know that such number is not the social security account number assigned by the Commissioner to such individual;

`(C) knowingly alters a social security card issued by the Commissioner of Social Security, or possesses such a card with intent to alter it;

`(D) knowingly displays, sells, or purchases a card that is, or purports to be, a card issued by the Commissioner of Social Security, or possesses such a card with intent to display, purchase, or sell it;

`(E) counterfeits a social security card, or possesses a counterfeit social security card with intent to display, sell, or purchase it;

`(F) discloses, uses, compels the disclosure of, or knowingly displays, sells, or purchases the social security account number of any person in violation of the laws of the United States;

`(G) with intent to deceive the Commissioner of Social Security as to such person's true identity (or the true identity of any other person) furnishes or causes to be furnished false information to the Commissioner with respect to any information required by the Commissioner in connection with the establishment and maintenance of the records provided for in section 205(c)(2);

`(H) offers, for a fee, to acquire for any individual, or to assist in acquiring for any individual, an additional social security account number or a number which purports to be a social security account number; or

`(I) being an officer or employee of a Federal, State, or local agency in possession of any individual's social security account number, willfully acts or fails to act so as to cause a violation by such agency of clause (vi)(II) or (x) of section 205(c)(2)(C), shall be subject to, in addition to any other penalties that may be prescribed by law, a civil money penalty of not more than $5,000 for each violation. Such person shall also be subject to an assessment, in lieu of damages sustained by the United States resulting from such violation, of not more than twice the amount of any benefits or payments paid as a result of such violation.'.

(c) Clarification of Treatment of Recovered Amounts- Section 1129(e)(2)(B) of the Social Security Act (42 U.S.C. 1320a-8(e)(2)(B)) is amended by striking `In the case of amounts recovered arising out of a determination relating to title VIII or XVI,' and inserting `In the case of any other amounts recovered under this section,'.

(d) Conforming Amendments-

(1) Section 1129(b)(3)(A) of the Social Security Act (42 U.S.C. 1320a-8(b)(3)(A)) is amended by striking `charging fraud or false statements'.

(2) Section 1129(c)(1) of the Social Security Act (42 U.S.C. 1320a-8(c)(1)) is amended by striking `and representations' and inserting `, representations, or actions'.

(3) Section 1129(e)(1)(A) of the Social Security Act (42 U.S.C. 1320a-8(e)(1)(A)) is amended by striking `statement or representation referred to in subsection (a) was made' and inserting `violation occurred'.

(e) Effective Dates-

(1) IN GENERAL- Except as provided in paragraph (2), the amendments made by this section shall apply with respect to violations of sections 1129 and 1129A of the Social Security Act (42 U.S.C. 1320-8 and 1320a-8a), as amended by this section, committed after the date of enactment of this Act.

(2) VIOLATIONS BY GOVERNMENT AGENTS IN POSSESSION OF SOCIAL SECURITY NUMBERS- Section 1129(a)(3)(I) of the Social Security Act (42 U.S.C. 1320a-8(a)(3)(I)), as added by subsection (b), shall apply with respect to violations of that section occurring on or after the effective date described in section 202(c).

SEC. 208. CRIMINAL PENALTIES FOR THE MISUSE OF A SOCIAL SECURITY NUMBER.

(a) Prohibition of Wrongful Use as Personal Identification Number- No person may obtain any individual's social security number for purposes of locating or identifying an individual with the intent to physically injure, harm, or use the identity of the individual for any illegal purpose.

(b) Criminal Sanctions- Section 208(a) of the Social Security Act (42 U.S.C. 408(a)) is amended--

(1) in paragraph (8), by inserting `or' after the semicolon; and

(2) by inserting after paragraph (8) the following:

`(9) except as provided in subsections (e) and (f) of section 1028A of title 18, United States Code, knowingly and willfully displays, sells, or purchases (as those terms are defined in section 1028A(a) of title 18, United States Code) any individual's social security account number without having met the prerequisites for consent under section 1028A(d) of title 18, United States Code; or

`(10) obtains any individual's social security number for the purpose of locating or identifying the individual with the intent to injure or to harm that individual, or to use the identity of that individual for an illegal purpose;'.

SEC. 209. CIVIL ACTIONS AND CIVIL PENALTIES.

(a) Civil Action in State Courts-

(1) IN GENERAL- Any individual aggrieved by an act of any person in violation of this title or any amendments made by this title may, if otherwise permitted by the laws or rules of the court of a State, bring in an appropriate court of that State--

(A) an action to enjoin such violation;

(B) an action to recover for actual monetary loss from such a violation, or to receive up to $500 in damages for each such violation, whichever is greater; or

(C) both such actions.

It shall be an affirmative defense in any action brought under this paragraph that the defendant has established and implemented, with due care, reasonable practices and procedures to effectively prevent violations of the regulations prescribed under this title. If the court finds that the defendant willfully or knowingly violated the regulations prescribed under this subsection, the court may, in its discretion, increase the amount of the award to an amount equal to not more than 3 times the amount available under subparagraph (B).

(2) STATUTE OF LIMITATIONS- An action may be commenced under this subsection not later than the earlier of--

(A) 5 years after the date on which the alleged violation occurred; or

(B) 3 years after the date on which the alleged violation was or should have been reasonably discovered by the aggrieved individual.

(3) NONEXCLUSIVE REMEDY- The remedy provided under this subsection shall be in addition to any other remedies available to the individual.

(b) Civil Penalties-

(1) IN GENERAL- Any person who the Attorney General determines has violated any section of this title or of any amendments made by this title shall be subject, in addition to any other penalties that may be prescribed by law--

(A) to a civil penalty of not more than $5,000 for each such violation; and

(B) to a civil penalty of not more than $50,000, if the violations have occurred with such frequency as to constitute a general business practice.

(2) DETERMINATION OF VIOLATIONS- Any willful violation committed contemporaneously with respect to the social security numbers of 2 or more individuals by means of mail, telecommunication, or otherwise, shall be treated as a separate violation with respect to each such individual.

(3) ENFORCEMENT PROCEDURES- The provisions of section 1128A of the Social Security Act (42 U.S.C. 1320a-7a), other than subsections (a), (b), (f), (h), (i), (j), (m), and (n) and the first sentence of subsection (c) of such section, and the provisions of subsections (d) and (e) of section 205 of such Act (42 U.S.C. 405) shall apply to a civil penalty action under this subsection in the same manner as such provisions apply to a penalty or proceeding under section 1128A(a) of such Act (42 U.S.C. 1320a-7a(a)), except that, for purposes of this paragraph, any reference in section 1128A of such Act (42 U.S.C. 1320a-7a) to the Secretary shall be deemed to be a reference to the Attorney General.

SEC. 210. FEDERAL INJUNCTIVE AUTHORITY.

In addition to any other enforcement authority conferred under this title or the amendments made by this title, the Federal Government shall have injunctive authority with respect to any violation by a public entity of any provision of this title or of any amendments made by this title.

TITLE III--LIMITATIONS ON SALE AND SHARING OF NONPUBLIC PERSONAL FINANCIAL INFORMATION

SEC. 301. DEFINITION OF SALE.

Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended by adding at the end the following:

`(12) SALE- The terms `sale', `sell', and `sold', with respect to nonpublic personal information, mean the exchange of such information for any thing of value, directly or indirectly, including the licensing, bartering, or renting of such information.'.

SEC. 302. RULES APPLICABLE TO SALE OF NONPUBLIC PERSONAL INFORMATION.

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended--

(1) in the section heading, by inserting `SALES, AND OTHER SHARING' after `DISCLOSURES';

(2) in subsection (a), by striking `disclose to' and inserting `sell or otherwise disclose to an affiliate or';

(3) in subsection (b)--

(A) in the subsection heading, by inserting `FOR DISCLOSURES TO AFFILIATES' before the period;

(B) by striking `a nonaffiliated third party' each place that term appears and inserting `an affiliate';

(C) by striking `such third party' each place that term appears and inserting `such affiliate';

(D) by striking `may not disclose' and inserting `may not sell or otherwise disclose'; and

(E) by striking paragraph (2) and inserting the following:

`(2) EXCEPTION- This subsection shall not prevent a financial institution from providing nonpublic personal information to an affiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, if the financial institution fully discloses the provision of such information and requires the affiliate to maintain the confidentiality of such information.';

(4) in subsection (d), by striking `disclose' and inserting `sell or otherwise disclose';

(5) by striking subsection (e);

(6) by redesignating subsections (c) and (d) as subsections (e) and (f), respectively; and

(7) by inserting after subsection (b) the following:

`(c) Opt in for Disclosures to Nonaffiliated Third Parties-

`(1) AFFIRMATIVE CONSENT REQUIRED- A financial institution may not sell or otherwise disclose nonpublic personal information to any nonaffiliated third party, unless the consumer to whom the information pertains--

`(A) has affirmatively consented to the sale or disclosure of such information; and

`(B) has not withdrawn the consent.

`(2) EXCEPTION- This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services (subject to subsection (d) with respect to joint agreements between 2 or more financial institutions), if the financial institution fully discloses the provision of such information and enters into a contractual agreement with the nonaffiliated third party that requires that third party to maintain the confidentiality of such information.

`(d) Opt Out for Joint Agreements- A financial institution may not sell or otherwise disclose nonpublic personal information to a nonaffiliated third party for the purpose of offering financial products or services pursuant to a joint agreement between 2 or more financial institutions, unless--

`(1) the financial institution clearly and conspicuously discloses to the consumer to whom the information pertains, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such nonaffiliated third party;

`(2) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such nonaffiliated third party;

`(3) the consumer is given an explanation of how the consumer can exercise that nondisclosure option; and

`(4) the financial institution receiving the nonpublic personal information signs a written agreement obliging it--

`(A) to maintain the confidentiality of the information; and

`(B) to refrain from using, selling, or otherwise disclosing the information other than to carry out the joint offering or servicing of the financial product or financial service that is the subject of the written agreement.'.

SEC. 303. EXCEPTIONS TO DISCLOSURE PROHIBITION.

(a) In General- Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by this title, is amended by adding at the end the following:

`(g) General Exceptions- Notwithstanding any other provision of this section, this section does not prohibit--

`(1) the sale or other disclosure of nonpublic personal information to an affiliate or a nonaffiliated third party--

`(A) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer to whom the information pertains, or in connection with--

`(i) servicing or processing a financial product or service requested or authorized by the consumer;

`(ii) maintaining or servicing the account of the consumer with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

`(iii) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

`(B) with the consent or at the direction of the consumer, in accordance with applicable rules prescribed under this subtitle;

`(C) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978; or

`(D) to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury, with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

`(2) the disclosure, other than the sale, of nonpublic personal information to identify or locate missing and abducted children, witnesses, criminals, and fugitives, parties to lawsuits, parents, delinquents in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs; or

`(3) the disclosure, other than the sale, of nonpublic personal information--

`(A) to protect the confidentiality or security of the records of the financial institution pertaining to the consumer, the service or product, or the transaction therein;

`(B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

`(C) for required institutional risk control, or for resolving customer disputes or inquiries;

`(D) to persons holding a legal or beneficial interest relating to the consumer;

`(E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

`(F) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the compliance of the institution with industry standards, or the attorneys, accountants, or auditors of the institution;

`(G) to a consumer reporting agency, in accordance with the Fair Credit Reporting Act or from a consumer report reported by a consumer reporting agency, as those terms are defined in that Act;

`(H) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit;

`(I) to comply with Federal, State, or local laws, rules, or other applicable legal requirements, or with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or

`(J) to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes, as authorized by law.

`(h) Denial of Service Prohibited- A financial institution may not deny any consumer a financial product or a financial service as a result of the refusal by the consumer to grant consent to disclosure under this section or the exercise by the consumer of a nondisclosure option under this section, except that nothing in this subsection may be construed to prohibit a financial institution from offering incentives to elicit consumer consent to the use of his or her nonpublic personal information.'.

(b) Repeal of Regulatory Exemption Authority- Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended--

(1) by striking subsection (b);

(2) by striking `(a) REGULATORY AUTHORITY- ';

(3) by redesignating paragraphs (1), (2), and (3) as subsections (a), (b), and (c), respectively, and moving the margins 2 ems to the left; and

(4) by striking `paragraph (1)' and inserting `subsection (a)'.

SEC. 304. CONFORMING AMENDMENTS.

Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended--

(1) in section 503(b)(1) (15 U.S.C. 6803(b)(1))--

(A) by inserting `affiliates and' before `nonaffiliated'; and

(B) in subparagraph (A), by striking `502(e)' and inserting `502(g)'; and

(2) in section 509(3)(D) (15 U.S.C. 6809(3)(D)), by striking `502(e)(1)(C)' and inserting `502(g)(1)(A)(iii)'.

SEC. 305. REGULATORY AUTHORITY.

Not later than 6 months after the date of enactment of this Act, the agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) shall promulgate final regulations in accordance with that section 504 to carry out the amendments made by this Act.

SEC. 306. EFFECTIVE DATE.

This title and the amendments made by this title shall take effect 6 months after the date of enactment of this Act.

TITLE IV--LIMITATIONS ON THE PROVISION OF PROTECTED HEALTH INFORMATION

SEC. 401. DEFINITIONS.

In this title:

(1) BUSINESS ASSOCIATE-

(A) IN GENERAL- Except as provided in subparagraph (B), the term `business associate' means, with respect to a covered entity, a person who--

(i) on behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of--

(I) a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(II) any other function or activity regulated under subchapter C of title 45, Code of Federal Regulations; or

(ii) provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in section 164.501 of title 45, Code of Federal Regulations), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(B) LIMITATIONS-

(i) IN GENERAL- A covered entity participating in an organized health care arrangement that performs a function or activity as described by subparagraph (A)(i) for or on behalf of such organized health care arrangement, or that provides a service as described in subparagraph (A)(ii) to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(ii) LIMITATION- A covered entity may be a business associate of another covered entity.

(2) COVERED ENTITY- The term `covered entity' means--

(A) a health plan;

(B) a health care clearinghouse; and

(C) a health care provider who transmits any health information in electronic form in connection with a transaction covered by parts 160 through 164 of title 45, Code of Federal Regulations.

(3) DISCLOSURE- The term `disclosure' means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

(4) EMPLOYER- The term `employer' has the meaning given that term in section 3401(d) of the Internal Revenue Code of 1986.

(5) GROUP HEALTH PLAN- The term `group health plan' means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that--

(A) has 50 or more participants (as defined in section 3(7) of Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(7)); or

(B) is administered by an entity other than the employer that established and maintains the plan.

(6) HEALTH CARE- The term `health care' includes, but is not limited to, the following:

(A) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body.

(B) The sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

(7) HEALTH CARE CLEARINGHOUSE- The term `health care clearinghouse' means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that--

(A) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or

(B) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

(8) HEALTH CARE PROVIDER- The term `health care provider' has the meaning given the terms `provider of services' and `provider of medical or health services' in subsections (u) and (s) of section 1861 of the Social Security Act (42 U.S.C. 1395x), respectively, and includes any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

(9) HEALTH INFORMATION- The term `health information' means any information, whether oral or recorded in any form or medium, that--

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

(10) HEALTH INSURANCE ISSUER- The term `health insurance issuer' means a health insurance issuer (as defined in section 2791(b)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(b)(2)) and used in the definition of health plan in this section and includes an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

(11) HEALTH MAINTENANCE ORGANIZATION- The term `health maintenance organization' (HMO) (as defined in section 2791(b)(3) of the Public Health Service Act, 42 U.S.C. 300gg-91 (b)(3)) and used in the definition of health plan in this section, means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.

(12) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

(13) HEALTH PLAN- The term `health plan' means an individual or group plan that provides, or pays the cost of, medical care, as defined in section 2791(a)(2) of the Public Health Service Act (42 U.S.C. 300gg-91(a)(2))--

(A) including, singly or in combination--

(i) a group health plan;

(ii) a health insurance issuer;

(iii) an HMO;

(iv) part A or B of the medicare program under title XVIII of the Social Security Act (42 U.S.C. 1395 et seq.);

(v) the medicaid program under title XIX of the Social Security Act (42 U.S.C. 1396 et seq.);

(vi) an issuer of a medicare supplemental policy (as defined in section 1882(g)(1) of the Social Security Act, 42 U.S.C. 1395ss(g)(1));

(vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers;

(ix) the health care program for active military personnel under title 10, United States Code;

(x) the veterans health care program under chapter 17 of title 38, United States Code;

(xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in section 1072(4) of title 10, United States Code);

(xii) the Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.);

(xiii) the Federal Employees Health Benefits Program under chapter 89 of title 5, United States Code;

(xiv) an approved State child health plan under title XXI of the Social Security Act (42 U.S.C. 1397aa et seq.), providing benefits for child health assistance that meet the requirements of section 2103 of such Act (42 U.S.C. 1397cc);

(xv) the Medicare+Choice program under part C of title XVIII of the Social Security Act (42 U.S.C. 1395w-21 et seq.);

(xvi) a high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals; and

(xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the Public Health Service Act (42 U.S.C. 300gg-91(a)(2)); and

(B) excluding--

(i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the Public Health Service Act (42 U.S.C. 300gg-91(c)(1)); and

(ii) a government-funded program (other than 1 listed in clause (i) through (xvi) of subparagraph (A)), whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is the direct provision of health care to persons, or the making of grants to fund the direct provision of health care to persons.

(14) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION- The term `individually identifiable health information' means information that is a subset of health information, including demographic information collected from an individual, that--

(A) is created or received by a covered entity or employer; and

(B)(i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and

(ii)(I) identifies an individual; or

(II) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.

(15) LAW ENFORCEMENT OFFICIAL- The term `law enforcement official' means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to--

(A) investigate or conduct an official inquiry into a potential violation of law; or

(B) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

(16) LIFE INSURER- The term `life insurer' means a life insurance company (as defined in section 816 of the Internal Revenue Code of 1986), including the employees and agents of such company.

(17) MARKETING- The term `marketing' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

(18) NONCOVERED ENTITY- The term `noncovered entity' means any person or public or private entity that is not a covered entity, including but not limited to a business associate of a covered entity, a covered entity if such covered entity is acting as a business associate, a health researcher, school or university, life insurer, employer, public health authority, health oversight agency, or law enforcement official, or any person acting as an agent of such entities or persons.

(19) ORGANIZED HEALTH CARE ARRANGEMENT- The term `organized health care arrangement' means--

(A) a clinically integrated care setting in which individuals typically receive health care from more than 1 health care provider;

(B) an organized system of health care in which more than 1 covered entity participates, and in which the participating covered entities--

(i) hold themselves out to the public as participating in a joint arrangement; and

(ii) participate in joint activities including at least--

(I) utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(II) quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(III) payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk;

(C) a group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

(D) a group health plan and 1 or more other group health plans each of which are maintained by the same plan sponsor; or

(E) the group health plans described in subparagraph (D) and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

(20) PROTECTED HEALTH INFORMATION-

(A) IN GENERAL- The term `protected health information' means individually identifiable health information that, except as provided in subparagraph (B), is--

(i) transmitted by electronic media;

(ii) maintained in any medium described in the definition of electronic media in section 162.103 of title 45, Code of Federal Regulations; or

(iii) transmitted or maintained in any other form or medium.

(B) EXCLUSIONS- Such term does not include individually identifiable health information in--

(i) education records covered by the Family Educational Rights and Privacy Act of 1974 (section 444 of the General Education Provisions Act (20 U.S.C. 1232g));

(ii) records described in subsection (a)(4)(B)(iv) of that Act; or

(iii) employment records held by a covered entity in its role as an employer.

(21) PUBLIC HEALTH AUTHORITY- The term `public health authority' means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

(22) SCHOOL OR UNIVERSITY- The term `school or university' means an institution or place for instruction or education, including an elementary school, secondary school, or institution of higher learning, a college, or an assemblage of colleges united under 1 corporate organization or government.

(23) SECRETARY- The term `Secretary' means the Secretary of Health and Human Services.

(24) SALE; SELL; SOLD- The terms `sale', `sell', and `sold', with respect to protected health information, mean the exchange of such information for anything of value, directly or indirectly, including the licensing, bartering, or renting of such information.

(25) USE- The term `use' means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

(26) WRITING- The term `writing' means writing in either a paper-based or computer-based form, including electronic and digital signatures.

SEC. 402. PROHIBITION AGAINST SELLING PROTECTED HEALTH INFORMATION.

(a) Valid Authorization Required-

(1) IN GENERAL- A noncovered entity shall not sell the protected health information of an individual or use such information for marketing purposes without an authorization that is valid under section 403. When a noncovered entity obtains or receives authorization to sell such information, such sale must be consistent with such authorization.

(2) NO DUPLICATE AUTHORIZATION REQUIRED- Nothing in paragraph (1) shall be construed as requiring a noncovered entity that receives from a covered entity an authorization that is valid under section 403 to obtain a separate authorization from an individual before the sale or use of the individual's protected health information so long as the sale or use of the information is consistent with the terms of the authorization.

(b) Scope- A sale of protected health information as described under subsection (a) shall be limited to the minimum amount of information necessary to accomplish the purpose for which the sale is made.

(c) Purpose- A recipient of information sold pursuant to this title may use or disclose such information solely to carry out the purpose for which the information was sold.

(d) Not Required- Nothing in this title permitting the sale of protected health information shall be construed to require such sale.

(e) Identification of Information as Protected Health Information- Information sold pursuant to this title shall be clearly identified as protected health information.

(f) No Waiver- Except as provided in this title, an individual's authorization to sell protected health information shall not be construed as a waiver of any rights that the individual has under other Federal or State laws, the rules of evidence, or common law.

SEC. 403. AUTHORIZATION FOR SALE OR MARKETING OF PROTECTED HEALTH INFORMATION BY NONCOVERED ENTITIES.

(a) Valid Authorization- A valid authorization is a document that complies with all requirements of this section. Such authorization may include additional information not required under this section, provided that such information is not inconsistent with the requirements of this section.

(b) Defective Authorization- An authorization is not valid, if the document submitted has any of the following defects:

(1) The expiration date has passed or the expiration event is known by the noncovered entity to have occurred.

(2) The authorization has not been filled out completely, with respect to an element described in subsections (e) and (f).

(3) The authorization is known by the noncovered entity to have been revoked.

(4) The authorization lacks an element required by subsections (e) and (f).

(5) Any material information in the authorization is known by the noncovered entity to be false.

(c) Revocation of Authorization- An individual may revoke an authorization provided under this section at any time provided that the revocation is in writing, except to the extent that the noncovered entity has taken action in reliance thereon.

(d) Documentation-

(1) IN GENERAL- A noncovered entity must document and retain any signed authorization under this section as required under paragraph (2).

(2) STANDARD- A noncovered entity shall, if a communication is required by this title to be in writing, maintain such writing, or an electronic copy, as documentation.

(3) RETENTION PERIOD- A noncovered entity shall retain the documentation required by this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

(e) Content of Authorization-

(1) CONTENT- An authorization described in subsection (a) shall--

(A) contain a description of the information to be sold that identifies such information in a specific and meaningful manner;

(B) contain the name or other specific identification of the person, or class of persons, authorized to sell the information;

(C) contain the name or other specific identification of the person, or class of persons, to whom the information is to be sold;

(D) include an expiration date or an expiration event relating to the selling of such information that signifies that the authorization is valid until such date or event;

(E) include a statement that the individual has a right to revoke the authorization in writing and the exceptions to the right to revoke, and a description of the procedure involved in such revocation;

(F) be in writing and include the signature of the individual and the date, or if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual; and

(G) include a statement explaining the purpose for which such information is sold.

(2) PLAIN LANGUAGE- The authorization shall be written in plain language.

(f) Notice-

(1) IN GENERAL- The authorization shall include a statement that the individual may--

(A) inspect or copy the protected health information to be sold; and

(B) refuse to sign the authorization.

(2) COPY TO THE INDIVIDUAL- A noncovered entity shall provide the individual with a copy of the signed authorization.

(g) Model Authorizations- The Secretary, after notice and opportunity for public comment, shall develop and disseminate model written authorizations of the type described in this section and model statements of the limitations on such authorizations. Any authorization obtained on a model authorization form developed by the Secretary pursuant to the preceding sentence shall be deemed to satisfy the requirements of this section.

(h) Noncoercion- A covered entity or noncovered entity shall not condition the purchase of a product or the provision of a service to an individual based on whether such individual provides an authorization to such entity as described in this section.

SEC. 404. PROHIBITION AGAINST RETALIATION.

A noncovered entity that collects protected health information, may not adversely affect another person, directly or indirectly, because such person has exercised a right under this title, disclosed information relating to a possible violation of this title, or associated with, or assisted, a person in the exercise of a right under this title.

SEC. 405. RULE OF CONSTRUCTION.

The requirements of this title shall not be construed to impose any additional requirements or in any way alter the requirements imposed upon covered entities under parts 160 through 164 of title 45, Code of Federal Regulations.

SEC. 406. REGULATIONS.

(a) In General- The Secretary shall promulgate regulations implementing the provisions of this title.

(b) Timeframe- Not later than 1 year after the date of enactment of this Act, the Secretary shall publish proposed regulations in the Federal Register. With regard to such proposed regulations, the Secretary shall provide an opportunity for submission of comments by interested persons during a period of not less than 90 days. Not later than 2 years after the date of enactment of this Act, the Secretary shall publish final regulations in the Federal Register.

SEC. 407. ENFORCEMENT.

(a) In General- A covered entity or noncovered entity that knowingly violates section 402 shall be subject to a civil money penalty under this section.

(b) Amount- The civil money penalty described in subsection (a) shall not exceed $100,000. In determining the amount of any penalty to be assessed, the Secretary shall take into account the previous record of compliance of the entity being assessed with the applicable provisions of this title and the gravity of the violation.

(c) Administrative Review-

(1) OPPORTUNITY FOR HEARING- The entity assessed shall be afforded an opportunity for a hearing by the Secretary upon request made within 30 days after the date of the issuance of a notice of assessment. In such hearing the decision shall be made on the record pursuant to section 554 of title 5, United States Code. If no hearing is requested, the assessment shall constitute a final and unappealable order.

(2) HEARING PROCEDURE- If a hearing is requested, the initial agency decision shall be made by an administrative law judge, and such decision shall become the final order unless the Secretary modifies or vacates the decision. Notice of intent to modify or vacate the decision of the administrative law judge shall be issued to the parties within 30 days after the date of the decision of the judge. A final order which takes effect under this paragraph shall be subject to review only as provided under subsection (d).

(d) Judicial Review-

(1) FILING OF ACTION FOR REVIEW- Any entity against whom an order imposing a civil money penalty has been entered after an agency hearing under this section may obtain review by the United States district court for any district in which such entity is located or the United States District Court for the District of Columbia by filing a notice of appeal in such court within 30 days from the date of such order, and simultaneously sending a copy of such notice by registered mail to the Secretary.

(2) CERTIFICATION OF ADMINISTRATIVE RECORD- The Secretary shall promptly certify and file in such court the record upon which the penalty was imposed.

(3) STANDARD FOR REVIEW- The findings of the Secretary shall be set aside only if found to be unsupported by substantial evidence as provided by section 706(2)(E) of title 5, United States Code.

(4) APPEAL- Any final decision, order, or judgment of the district court concerning such review shall be subject to appeal as provided in chapter 83 of title 28 of such Code.

(e) Failure to Pay Assessment; Maintenance of Action-

(1) FAILURE TO PAY ASSESSMENT- If any entity fails to pay an assessment after it has become a final and unappealable order, or after the court has entered final judgment in favor of the Secretary, the Secretary shall refer the matter to the Attorney General who shall recover the amount assessed by action in the appropriate United States district court.

(2) NONREVIEWABILITY- In such action the validity and appropriateness of the final order imposing the penalty shall not be subject to review.

(f) Payment of Penalties- Except as otherwise provided, penalties collected under this section shall be paid to the Secretary (or other officer) imposing the penalty and shall be available without appropriation and until expended for the purpose of enforcing the provisions with respect to which the penalty was imposed.

TITLE V--DRIVER'S LICENSE PRIVACY

SEC. 501. DRIVER'S LICENSE PRIVACY.

Section 2725 of title 18, United States Code, is amended by striking paragraphs (2) through (4) and adding the following:

`(2) `person' means an individual, organization, or entity, but does not include a State or agency thereof;

`(3) `personal information' means information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, medical or disability information, any physical copy of a driver's license, birth date, information on physical characteristics, including height, weight, sex or eye color, or any biometric identifiers on a license, including a finger print, but not information on vehicular accidents, driving violations, and driver's status;

`(4) `highly restricted personal information' means an individual's photograph or image, social security number, medical or disability information, any physical copy of a driver's license, driver identification number, birth date, information on physical characteristics, including height, weight, sex, or eye color, or any biometric identifiers on a license, including a finger print; and'.

TITLE VI--MISCELLANEOUS

SEC. 601. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(a) In General-

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under title I, II, or IV of this Act or under any amendment made by such a title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--

(A) enjoin that practice;

(B) enforce compliance with such titles or such amendments;

(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General--

(i) written notice of the action; and

(ii) a copy of the complaint for the action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the same time as the State attorney general files the action.

(b) Intervention-

(1) IN GENERAL- On receiving notice under subsection (a)(2), the Attorney General shall have the right to intervene in the action that is the subject of the notice.

(2) EFFECT OF INTERVENTION- If the Attorney General intervenes in an action under subsection (a), the Attorney General shall have the right to be heard with respect to any matter that arises in that action.

(c) Construction- For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(d) Actions by the Attorney General of the United States- In any case in which an action is instituted by or on behalf of the Attorney General for violation of a practice that is prohibited under title I, II, IV, or V of this Act or under any amendment made by such a title, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that practice.

(e) Venue; Service of Process-

(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 602. FEDERAL INJUNCTIVE AUTHORITY.

In addition to any other enforcement authority conferred under this Act or under an amendment made by this Act, the Federal Government shall have injunctive authority with respect to any violation of any provision of title I, II, or IV of this Act or of any amendment made by such a title, without regard to whether a public or private entity violates such provision.

END