S ____. "Online Privacy Protection Act of 1999."
Staff Discussion Draft.
Date: February 12, 1999.
Source: Office of Sen. Conrad Burns (R-MT).
STAFF DISCUSSION DRAFT
SEC. 1. SHORT TITLE.
This Act may be cited as the "Online Privacy Protection Act of 1999."
SEC. 2. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION
WITH THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION.
(a) Acts Prohibited-
(1) IN GENERAL- It is unlawful for an operator of a Web site or online service to
collect, use or disclose personal information in a manner that violates the regulations
prescribed under subsection (b).
(2) DISCLOSURE- Notwithstanding paragraph (1), neither an operator of a Web site or
online service nor the operator's agent shall be held to be liable under this Act for any
disclosure made in good faith and following reasonable procedures in responding to a
request under subsection (b)(1)(B) by an individual for disclosure of personal information
pertaining to such individual.
(b) Regulations-
(1) IN GENERAL- Not later than 1 year after the date of the enactment of this Act, the
Commission shall promulgate under section 553 of title 5, United States Code, regulations
that--
(A) require the operator of any Web site or online service --
(i) to provide notice on the Web site of what personal information is collected by the
operator, how the operator uses such information, and the operator's disclosure practices
for such information;
(ii) to obtain consent for the collection, use, or disclosure of personal information;
and
(iii) to provide a meaningful and simple online process for individuals to consent to
or limit the disclosure of personal information for purposes unrelated to those for which
such information was obtained.
(B) require the operator to provide, upon request of an individual under this
subparagraph who has provided personal information to that Web site or online service,
upon proper identification --
(i) a description of the specific types of personal information collected by that
operator;
(ii) the opportunity at any time to refuse to permit the operator's further use or
maintenance in retrievable form, or future collection, of personal information; and
(iii) notwithstanding any other provision of law, a means that is reasonable under the
circumstances for the individual to obtain any personal information collected from such
individual;
(C) prohibit conditioning an individual's participation in an activity on the
disclosure of more personal information than is reasonably necessary to participate in
such activity, or on the subsequent use of such personal information; and
(D) require the operator of such Web site or online service to establish and maintain
reasonable procedures to protect the confidentiality, security, and integrity of personal
information it collects or maintains.
(2) WHEN CONSENT NOT REQUIRED - The regulations shall provide that consent under
paragraph (1)(A)(ii) is not required in the case of --
(A) transactional information where identifiable information is not collected;
(B) identifiable information where it is used only for the purpose obvious to the
individual (for example, the use of an email address to respond to an email); and
(C) the collection, use, or dissemination of such information by the operator of such a
Web site or online service necessary to the extent permitted under other provisions of
law.
(3) WHEN ACCESS NOT REQUIRED - The regulations shall provide that access as required
under paragraph (1)(B)(iii) is not required --
(i) to transactional information where identifiable information is not collected;
(ii) to information that is discarded upon the conclusion of the process that generates
it;
(iii) to pseudonymous data.
(4) TERMINATION OF SERVICE- The regulations shall permit the operator of a Web site or
an online service to terminate service provided to an individual who has refused, under
the regulations prescribed under paragraph (1)(B)(ii), to permit the operator's further
use or maintenance in retrievable form, or future collection, of personal information.
(c) ENFORCEMENT- Subject to sections 4 and 6, a violation of a regulation prescribed
under subsection (a) shall be treated as a violation of a rule defining an unfair or
deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).
(d) NO REQUIREMENT TO COLLECT OR MAINTAIN DATA. -- Nothing in this Act shall be
interpreted to require an operator to collect or maintain any data that would not
otherwise be collected.
SEC. 3. SAFE HARBORS.
(a) GUIDELINES- An operator may satisfy the requirements of regulations issued under
section 3(b) by following a set of self-regulatory guidelines, issued by representatives
of the marketing or online industries, or by other persons, approved under subsection (b).
(b) Incentives-
(1) SELF-REGULATORY INCENTIVES- In prescribing regulations under section 3, the
Commission shall provide incentives for self-regulation by operators to implement the
protections afforded under the regulatory requirements described in subsection (b) of that
section.
(2) DEEMED COMPLIANCE- Such incentives shall include provisions for ensuring that a
person will be deemed to be in compliance with the requirements of the regulations under
section 3 if that person complies with guidelines that, after notice and comment, are
approved by the Commission upon making a determination that the guidelines meet the
requirements of the regulations issued under section 3.
(3) EXPEDITED RESPONSE TO REQUESTS- The Commission shall act upon requests for safe
harbor treatment within 180 days of the filing of the request, and shall set forth in
writing its conclusions with regard to such requests.
(c) APPEALS- Final action by the Commission on a request for approval of guidelines, or
the failure to act within 180 days on a request for approval of guidelines, submitted
under subsection (b) may be appealed to a district court of the United States of
appropriate jurisdiction as provided for in section 706 of title 5, United States Code.
SEC. 4. ACTIONS BY STATES.
(a) IN GENERAL-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to
believe that an interest of the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a practice that violates any
regulation of the Commission prescribed under section 3(b) of this Act, the State may
bring a civil action on behalf of the residents of the State in a district court of the
United States of appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with the regulation;
(C) obtain damage, restitution, or other compensation on behalf of residents of the
State; or
(D) obtain such other relief as the court may consider to be appropriate.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of
the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an
action by an attorney general of a State under this subsection, if the attorney general
determines that it is not feasible to provide the notice described in that subparagraph
before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a
State shall provide notice and a copy of the complaint to the Commission at the same time
as the attorney general files the action.
(b) INTERVENTION-
(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have
the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection
(a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(3) AMICUS CURIAE- Upon application to the court, a person whose self-regulatory
guidelines have been approved by the Commission and are relied upon as a defense by any
defendant to a proceeding under this section may file amicus curiae in that proceeding.
(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a),
nothing in this Act shall be construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other
evidence.
(d) VENUE; SERVICE OF PROCESS-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court
of the United States that meets applicable requirements relating to venue under section
1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be
served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 6. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) IN GENERAL- Except as otherwise provided, this Act shall be enforced by the
Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(b) PROVISIONS- Compliance with the requirements imposed under this Act shall be
enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the
Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches
and agencies of foreign banks (other than Federal branches, Federal agencies, and insured
State branches of foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25(a) of the Federal
Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of
the Federal Reserve System) and insured State branches of foreign banks, by the Board of
Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of
the Office of Thrift Supervision, in the case of a savings association the deposits of
which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union
Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of
Transportation with respect to any air carrier or foreign air carrier subject to that
part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided
in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with
respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit
Administration with respect to any Federal land bank, Federal land bank association,
Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred
to in subsection (b) of its powers under any other Act referred to in that subsection, a
violation of any requirement imposed under this Act shall be deemed to be a violation of a
requirement imposed under that other Act. In addition to its powers under any provision
of law specifically referred to in subsection (b), each of the agencies referred to in
that subsection may exercise, for the purpose of enforcing compliance with any requirement
imposed under this Act, any other authority conferred on such agency by law.
(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating a
rule of the Commission under section 3 in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part
of this title. Any entity that violates such rule shall be subject to the penalties and
entitled to the privileges and immunities provided in the Federal Trade Commission Act in
the same manner, by the same means, and with the same jurisdiction, power, and duties as
though all applicable terms and provisions of the Federal Trade Commission Act were
incorporated into and made a part of this title.
(e) EFFECT ON OTHER LAWS- Nothing contained in this Act shall be construed to limit the
authority of the Commission under any other provisions of law.
SEC. 6. REVIEW.
Not later than 5 years after the effective date of the regulations initially issued
under section 3, the Commission shall--
(1) review the implementation of this Act, including the effect of the implementation
of this title on practices relating to the collection and disclosure of information; and
(2) prepare and submit to Congress a report on the results of the review under
paragraph (1).
SEC. 7. EFFECTIVE DATE.
Sections 3(a), 5, and 6 of this Act shall take effect on the later of--
(1) the date that is 18 months after the date of enactment of this Act; or
(2) the date on which the Commission rules on the first application filed for safe
harbor treatment under section 4 if the Commission does not rule on the first such
application within one year after the date of enactment of this Act, but in no case later
than the date that is 30 months after the date of enactment of this Act.
SEC. 8. DEFINITIONS. -- In this Act:
(1) INDIVIDUAL - The term "individual" means a natural person age 13 and
above.
(2) OPERATOR - The term "operator"--
(A) means any person who operates a Web site located on the Internet or an online
service and who collects or maintains personal information from or about the users of or
visitors to such Web site or online service, or on whose behalf such information is
collected or maintained, where such Web site or online service is operated for commercial
purposes, including any person offering products or services for sale through that Web
site or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between
any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage
under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(3) COMMISSION- The term `Commission' means the Federal Trade Commission.
(4) DISCLOSURE- The term `disclosure' means, with respect to personal information,
the release of personal information collected in identifiable form by an operator for
any purpose, except where such information is provided to a person other than the operator
who provides support for the internal operations of the Web site and does not disclose or
use that information for any other purpose.
(5) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined
in section 551(1) of title 5, United States Code.
(6) INTERNET- The term `Internet' means collectively the myriad of computer and
telecommunications facilities, including equipment and operating software, which comprise
the interconnected world-wide network of networks that employ the Transmission Control
Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to
communicate information of all kinds by wire or radio.
(7) PERSONAL INFORMATION- The term `personal information' means information about an
individual, including transactional information, pseudonymous information, and identifying
information.
(8) PERSON- The term `person' means any individual, partnership, corporation, trust,
estate, cooperative, association, or other entity.
(9) TRANSACTIONAL INFORMATION -- The term 'transactional information' means information
generated in connection with the process of requesting, accessing, or otherwise using the
Internet.
(10) PSEUDONYMOUS DATA -- The term 'pseudonymous data' means information that is
maintained but not combined with identifying information.
(11) IDENTIFYING INFORMATION -- The term 'identifying information' means information
that identifies an individual, including but not limited to:
(A) first and last name
(B) home or other physical address
(C) email address
(D) social security number
(E) telephone number
(F) other identifier that the Commission determines identifies an individual.