To protect the privacy of consumers who use the Internet.

January 20, 2001

Ms. ESHOO (for herself and Mr. CANNON) introduced the following bill; which was referred to the Committee on Energy and Commerce

To protect the privacy of consumers who use the Internet.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Consumer Internet Privacy Enhancement Act'.

SEC. 2. COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION.

(a) IN GENERAL- It is unlawful for a commercial website operator to collect personally identifiable information online from a user of that website unless the operator provides--

(1) notice to the user on the website in accordance with the requirements of subsection (b); and

(2) an opportunity to that user to limit the use for marketing purposes, or disclosure to third parties of personally identifiable information collected that is--

(A) not related to provision of the products or services provided by the website; or

(B) not required to be disclosed by law.

(b) NOTICE-

(1) IN GENERAL- For purposes of subsection (a), notice consists of a statement that informs a user of a website of the following:

(A) The identity of the operator of the website and of any third party the operator knowingly permits to collect personally identifiable information from users through the website, including the provision of an electronic means of going to a website operated by any such third party.

(B) A list of the types of personally identifiable information that may be collected online by the operator and the categories of information the operator may collect in connection with the user's visit to the website.

(C) A description of how the operator uses such information, including a statement as to whether the information may be sold, distributed, disclosed, or otherwise made available to third parties for marketing purposes.

(D) A description of the categories of potential recipients of any such personally identifiable information.

(E) Whether the user is required to provide personally identifiable information in order to use the website and any other consequences of failure to provide that information.

(F) A general description of what steps the operator takes to protect the security of personally identifiable information collected online by that operator.

(G) A description of the means by which a user may elect not to have the user's personally identifiable information used by the operator for marketing purposes or sold, distributed, disclosed, or otherwise made available to a third party, except for--

(i) information related to the provision of the product or service provided by the website; or

(ii) information required to be disclosed by law.

(H) The address or telephone number at which the user may contact the website operator about its information practices and also an electronic means of contacting the operator.

(2) FORM OF NOTICE- The notice required by subsection (a) shall be clear, conspicuous, and easily understood.

(3) OPPORTUNITY TO LIMIT DISCLOSURE- The opportunity provided to users to limit use and disclosure of personally identifiable information shall be easy to use, easily accessible, and shall be available online.

(c) INCONSISTENT STATE LAW- No State or local government may impose any liability for commercial activities or actions by a commercial website operator in interstate or foreign commerce in connection with an activity or action described in this Act that is inconsistent with, or more restrictive than, the treatment of that activity or action under this section.

(d) SAFE HARBOR- A commercial website operator may not be held to have violated any provision of this Act if it complies with self-regulatory guidelines that--

(1) are issued by seal programs or representatives of the marketing or online industries or by any other person; and

(2) are approved by the Commission as containing all the requirements set forth in subsection (b).

SEC. 3. ENFORCEMENT.

(a) IN GENERAL- The violation of section 2(a) or (b) shall be treated as a violation of a rule defining an unfair or deceptive act or practice in or affecting commerce proscribed by section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57(a)(1)(B)).

(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with section 2(a) or (b) shall be enforced under--

(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--

(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), by the Board; and

(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;

(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;

(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of section 2(a) or (b) is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under section 2(a) or (b), any other authority conferred on it by law.

(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating section 2(a) or (b) in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that title is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that title.

(e) RELATIONSHIP TO OTHER LAWS-

(1) COMMISSION AUTHORITY- Nothing contained in this Act shall be construed to limit the authority of the Commission under any other provision of law.

(2) COMMUNICATIONS ACT- Nothing in section 2(a) or (b) requires an operator of a website to take any action that is inconsistent with the requirements of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 or 551, respectively).

(3) OTHER ACTS- Nothing in this Act is intended to affect any provision of, or any amendment made by--

(A) the Children's Online Privacy Protection Act of 1998;

(B) the Gramm-Leach-Bliley Act; or

(C) the Health Insurance Portability and Accountability Act of 1996.

(f) CIVIL PENALTY- In addition to any other penalty applicable to a violation of section 2(a), there is hereby imposed a civil penalty of $22,000 for each such violation. In the event of a continuing violation, each day on which the violation continues shall be considered as a separate violation for purposes of this subsection. The maximum penalty under this subsection for a related series of violations is $500,000. For purposes of this subsection, the violation of an order issued by the Commission under this Act shall not be considered to be a violation of section 2(a) of this Act.

SEC. 4. ACTIONS BY STATES.

(a) IN GENERAL-

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates section 2(a) or (b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--

(A) enjoin that practice;

(B) obtain damage, restitution, or other compensation on behalf of residents of the State; or

(C) obtain such other relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--

(i) written notice of that action; and

(ii) a copy of the complaint for that action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to

provide the notice described in that subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

(b) INTERVENTION-

(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--

(A) to be heard with respect to any matter that arises in that action; and

(B) to file a petition for appeal.

(3) AMICUS CURIAE- Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.

(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of section 2(a) or (b) no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.

(e) VENUE; SERVICE OF PROCESS-

(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 5. STUDY OF ONLINE PRIVACY.

(a) IN GENERAL- Within 90 days after the date of enactment of this Act, the Commission shall execute a contract with the National Research Council of the National Academy of Sciences for a study of privacy that will examine causes for concern about privacy in the information age and tools and strategies for responding to those concerns.

(b) SCOPE- The study required by subsection (a) shall--

(1) survey the risks to, and benefits associated with the use of, personal information associated with information technology, including actual and potential issues related to trends in technology;

(2) examine the costs and benefits involved in the collection and use of personal information;

(3) examine the differences, if any, between the collection and use of personal information by the online industry and the collection and use of personal information by other businesses;

(4) examine the costs, risks, and benefits of providing consumer access to information collected online, and examine approaches to providing such access;

(5) examine the security of personal information collected online;

(6) examine such other matters relating to the collection, use, and protection of personal information online as the Council and the Commission consider appropriate; and

(7) examine efforts being made by industry to provide notice, choice, access, and security.

(c) RECOMMENDATIONS- Within 12 months after the Commission's request under subsection (a), the Council shall complete the study and submit a report to the Congress, including recommendations for private and public sector actions including self-regulation, laws, regulations, or special agreements.

(d) AGENCY COOPERATION- The head of each Federal department or agency shall, at the request of the Commission or the Council, cooperate as fully as possible with the Council in its activities in carrying out the study.

(e) FUNDING- The Commission is authorized to obligate not more than $1,000,000 to carry out this section from funds appropriated to the Commission.

SEC. 6. DEFINITIONS.

In this Act:

(1) COMMISSION- The term `Commission' means the Federal Trade Commission.

(2) COMMERCIAL WEBSITE OPERATOR- The term `operator of a commercial website'--

(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--

(i) among the several States or with 1 or more foreign nations;

(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--

(I) another such territory; or

(II) any State or foreign nation; or

(iii) between the District of Columbia and any State, territory, or foreign nation; but

(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(3) COLLECT- The term `collect' means the gathering of personally identifiable information about a user of an Internet service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including--

(A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;

(B) the use of an online service to gather the information; or

(C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies.

(4) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

(5) PERSONALLY IDENTIFIABLE INFORMATION- The term `personally identifiable information' means individually identifiable information about an individual collected online, including--

(A) a first and last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address including street name and name of a city or town;

(C) an e-mail address;

(D) a telephone number;

(E) a Social Security number; or

(F) unique identifying information that an Internet service provider or operator of a commercial website collects and combines with any information described in the preceding subparagraphs of this paragraph.

(6) ONLINE- The term `online' refers to any activity regulated by this Act or by section 2710 of title 18, United States Code, that is effected by active or passive use of an Internet connection, regardless of the medium by or through which that connection is established.

(7) THIRD PARTY- The term `third party', when used in reference to a commercial website operator, means any person other than the operator.

END