Tech Law Journal

News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors



HR 3321 IH, Electronic Privacy Bill of Rights Act of 1999.
Sponsor: Rep. Edward Markey (D-MA).
Date Introduced: November 10, 2000.
Source: Library of Congress.



106th CONGRESS
1st Session
H. R. 3321

To prevent unfair and deceptive practices in the collection and use of personal information, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

November 10, 1999

Mr. MARKEY (for himself and Mr. LUTHER) introduced the following bill; which was referred to the Committee on Commerce, and in addition to the Committees on Banking and Financial Services, Transportation and Infrastructure, and Agriculture, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned


A BILL

To prevent unfair and deceptive practices in the collection and use of personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Electronic Privacy Bill of Rights Act of 1999'.

SEC. 2. FINDINGS.

The Congress finds the following:

    (1) As our Nation's communications networks continue to grow and become ever more sophisticated, more individuals and industries will be using such networks to communicate and conduct commercial transactions.

    (2) The ease of gathering and compiling personal information during such communications, both overtly and surreptitiously, is becoming increasingly efficient and almost effortless due to advances in digital telecommunications technology.

    (3) Consumers have an ownership interest in their personal information.

    (4) Consumers must have knowledge that personal information is being collected about them; consumers must be given conspicuous notice if the recipient of that information intends to reuse it for other purposes, or disclose, or sell it; and consumers must have the ability to control the extent to which personal information is collected about them and the right to prohibit or curtail any unauthorized use, reuse, disclosure or sale of their personal information.

    (5) Internet protocols, which continue to evolve, may place decision-making power in the hands of consumers and enable them to effectively and efficiently authorize or deny collection and use of their personal information.

    (6) Fair information practices include providing consumers with knowledge of any data collection, conspicuous consumer notice of an entity's data practices, consumer choice to provide consent or deny authorization for such practices, access to data collected, safeguards to ensure data integrity, and contact information.

    (7) A recent survey of websites conducted by Georgetown Business School found that only 9.5 percent of Web sites surveyed contained a privacy policy embodying fair information practices such as knowledge, notice, choice, access, security, and contact information.

    (8) It is important to establish personal privacy rights and industry obligations now so that consumers have confidence that their personal privacy is fully protected on our Nation's telecommunications networks.

    (9) Industry efforts, with Government encouragement and oversight, to assist consumers through the development of standards and protocols that embody fair information practices for the collection and dissemination of personal information are critical to permit consumers to better control dissemination of their personal information.

    (10) Robust Internet commerce throughout the nation is threatened by consumer concern over privacy and the lack of national rules governing personal privacy rights.

    (11) Adoption of fair information policies, standards, and practices, along with the widespread implementation and utilization of technological tools designed to empower consumers, may limit the scope of Government rules needed to protect consumers.

    (12) A national privacy policy that relies in part upon industry self-regulatory initiatives, technological tools for consumers, and Government-backed protections is needed to foster future development of electronic commerce and to safeguard the essential rights of individuals with respect to collection and use of their personal data.

SEC. 3. TREATMENT OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION WITH THE COLLECTION AND USE OF PERSONAL INFORMATION.

(a) Acts Prohibited-

    (1) IN GENERAL- It is unlawful for an operator of a website or online service to collect personal information from an individual in a manner that violates the rules prescribed under subsection (b).

    (2) DISCLOSURE TO PARENT PROTECTED- Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under section 1302(b)(1)(B)(iii) of the Children's Online Privacy Protection Act of 1998 to the parent of a child.

(b) Privacy Protections-

    (1) IN GENERAL- Not later than 18 months after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, rules that--

      (A) require the operator of any website or online service that collects personal information to provide clear and conspicuous notice on the website of the specific types of personal information collected by the operator, how the operator uses such information, and the operator's disclosure practices for such information;

      (B)(i) require the operator of such a website or online service to provide, whenever such operator collects personal information, a clear and explicit online method by which an individual grants or denies consent to the collection and uses disclosed pursuant to the rules prescribed under subparagraph (A); and

        (ii) permit the operator of such a website or online service to establish, in accordance with self-regulatory guidelines approved under section 5, a method or methods by which an individual can preset protocols for granting or denying such consent in accordance with the individual's choices concerning such collection and use;

      (C) prohibit the operator of such a website or online service to collect and use personal information unless--

        (i) such collection or use has been disclosed in accordance with the rules prescribed under subparagraph (A); and

        (ii) such collection or use has been consented to by the individual by a method that complies with the rules prescribed under clause (i) or (ii) of subparagraph (B);

      (D) require the operator of such a website or online service to provide individuals, upon request--

        (i) access to personal information pertaining to them collected by such operator for correction; and

        (ii) notice of whether any personal information pertaining to such individual has been reused, disclosed, or sold and to whom; and

      (E) require the operator of such a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected.

    (2) EXCEPTION- The rules prescribed under paragraph (1) shall not prohibit the collection, use, or dissemination of such information by the operator of such a website or online service necessary--

      (A) to protect the security or integrity of its website;

      (B) to take precautions against liability;

      (C) to respond to judicial process; or

      (D) to the extent permitted under other provisions of law, to provide information to law enforcement agencies.

    (3) TERMINATION OF SERVICE- The rules shall permit the operator of a website or an online service to terminate service provided to an individual who has refused to consent to the collection and use of information pursuant to the rules prescribed under paragraph (1)(B).

(c) ENFORCEMENT- Subject to sections 4 through 7, a violation of a rule prescribed under subsection (a) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(d) INCONSISTENT STATE LAW- No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this Act that is inconsistent with the treatment of those activities or actions under this section.

SEC. 4. SAFE HARBORS.

(a) GUIDELINES- An operator may satisfy the requirements of rules issued under section 3(b) by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).

(b) Incentives-

    (1) SELF-REGULATORY INCENTIVES- In prescribing rules under section 3, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded individuals under the regulatory requirements described in subsection (b) of that section.

    (2) DEEMED COMPLIANCE- Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the rules under section 3 if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the rules issued under section 3.

    (3) EXPEDITED RESPONSE TO REQUESTS- The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.

(c) APPEALS- Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5, United States Code.

SEC. 5. ACTIONS BY STATES.

(a) IN GENERAL-

    (1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates any rule of the Commission prescribed under section 3(b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--

      (A) enjoin that practice;

      (B) enforce compliance with the rule;

      (C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

      (D) obtain such other relief as the court may consider to be appropriate.

    (2) NOTICE-

      (A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--

        (i) written notice of that action; and

        (ii) a copy of the complaint for that action.

      (B) EXEMPTION-

        (i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.

        (ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

(b) INTERVENTION-

    (1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

    (2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--

      (A) to be heard with respect to any matter that arises in that action; and

      (B) to file a petition for appeal.

    (3) AMICUS CURIAE- Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.

(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

    (1) conduct investigations;

    (2) administer oaths or affirmations; or

    (3) compel the attendance of witnesses or the production of documentary and other evidence.

(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of any rule prescribed under section 3, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.

(e) VENUE; SERVICE OF PROCESS-

    (1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

    (2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

      (A) is an inhabitant; or

      (B) may be found.

SEC. 6. ADMINISTRATION AND APPLICABILITY OF ACT.

(a) IN GENERAL- Except as otherwise provided, this Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(b) PROVISIONS- Compliance with the requirements imposed under this Act shall be enforced under--

    (1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--

      (A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

      (B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.), by the Board; and

      (C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;

    (2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;

    (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

    (4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

    (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

    (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (a) of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this Act shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (a), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this Act, any other authority conferred on it by law.

(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating a rule of the Commission under section 3 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates such rule shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this Act.

(e) EFFECT ON OTHER LAWS-

    (1) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in the Act shall be construed to limit the authority of the Commission under any other provisions of law.

    (2) RELATION TO COMMUNICATIONS ACT- Nothing in this Act or the rules prescribed thereunder shall require an operator of a website or online service to take any action that is inconsistent with the requirements of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222, 551).

SEC. 7. PRIVATE RIGHT OF ACTION.

(a) PRIVATE RIGHT OF ACTION- A person or entity may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State--

    (1) an action based on a violation of any rule prescribed under section 3 to enjoin such violation;

    (2) an action to recover for actual monetary loss from such a violation, or to receive $1,000 in damages for each such violation, whichever is greater; or

    (3) both such actions.

(b) WILLFUL AND KNOWING VIOLATIONS- If the court finds that the defendant willfully or knowingly violated any rule prescribed under section 3, the court may, in its discretion, increase the amount of the award available under subsection (a)(2) to $10,000.

SEC. 8. REVIEW.

Not later than 5 years after the effective date of the rules initially issued under section 3, the Commission shall--

    (1) review the implementation of this Act, including the effect of the implementation of this Act on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and

    (2) prepare and submit to Congress a report on the results of the review under paragraph (1).

SEC. 9. DEFINITIONS.

In this Act:

    (1) OPERATOR- The term `operator'--

      (A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--

        (i) among the several States or with 1 or more foreign nations;

        (ii) in any territory of the United States or in the District of Columbia, or between any such territory and--

          (I) another such territory; or

          (II) any State or foreign nation; or

        (iii) between the District of Columbia and any State, territory, or foreign nation; but

      (B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

    (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

    (3) DISCLOSURE- The term `disclosure' means, with respect to personal information--

      (A) the release of personal information collected from an individual in identifiable form by an operator for any purpose, except where such information is provided to a person other than the operator who provides support for the internal operations of the website and does not disclose or use that information for any other purpose; and

      (B) making personal information collected from an individual by a website or online service publicly available in identifiable form, by any means including by a public posting, through the Internet, or through--

        (i) a home page of a website;

        (ii) a pen pal service;

        (iii) an electronic mail service;

        (iv) a message board; or

        (v) a chat room.

    (4) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined in section 551(1) of title 5, United States Code.

    (5) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

    (6) PERSONAL INFORMATION- The term `personal information' means individually identifiable information about an individual collected online, including--

      (A) a first and last name;

      (B) a home or other physical address including street name and name of a city or town;

      (C) an e-mail address;

      (D) a telephone number;

      (E) a Social Security number;

      (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or

      (G) unique identifying information that the website collects online and combines with an identifier described in this paragraph.

    (7) PERSON- The term `person' means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

    (8) WEBSITE; ONLINE SERVICE- The Commission shall by rule define the terms `website' and `online service' in a manner consistent with the purposes of this Act, and shall revise or amend such rule to take into account changes in technology, practice, or procedure with respect to the collection of personal information over the Internet.

SEC. 10. EFFECTIVE DATE.

Sections 3(a), 5, and 6 of this Act take effect on the later of--

    (1) the date that is 18 months after the date of enactment of this Act; or

    (2) the date on which the Commission rules on the first application filed for safe harbor treatment under section 4 if the Commission does not rule on the first such application within one year after the date of enactment of this Act, but in no case later than the date that is 30 months after the date of enactment of this Act.

   


Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.
Phone: 202-364-8882. P.O. Box 4851, Washington DC, 20008.