S. 809, the Online Privacy Protection Act of
1999.
Sponsors: Sen. Conrad Burns (R-MT) and Sen. Ron Wyden (D-OR).
Date introduced: April 15, 1999.
Source: This document was created by Tech Law Journal by scanning a paper copy
distributed at a press conference hosted by Sen. Burns and Sen. Wyden on April
15, 1999, and converting it into HTML. The copy distributed on April 15 was a
printed "STAFF WORKING DRAFT" with handwritten alterations. This
document incorporates all of these handwritten changes.
[STAFF WORKING DRAFT]
MARCH 24, 1999
106TH CONGRESS
1ST SESSION |
S. ________ |
|
To require the Federal Trade Commission to prescribe regulations to protect
the privacy of personal information collected from and about Individuals who are
not covered by the Children's Online Privacy Protection Act of 1998 on the
Internet, to provide greater individual control over the collection and use of
that information, and for other purposes.
IN THE SENATE OF THE UNITED STATES
APRIL 15, 1999
MR. BURNS (for himselft and Mr. WYDEN) introduced the following bill; which
was read twice and referred to the Committee on __________
A BILL
To require the Federal Trade Commission to prescribe regulations to protect
the privacy of personal information collected from and about individuals who are
not covered by the Children's Online Privacy Protection Act of 1998 on the
Internet, to provide greater individual control over the collection and use of
that information, and for other purposes.
Be it enacted by the, Senate and House of Representatives of the United
States of America in Congress assembled,
[begin page 2]
SECTION 1. SHORT TITLE.
This Act may be cited as the "Online Privacy Protection Act of
1999".
SEC. 2. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN
CONNECTION WITH TEE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION.
(a) ACTS PROHIBITED.---
(1) IN GENERAL.---It is unlawful for an operator of a Web site or online
service to collect, use or disclose personal information in a manner that
violates the regulations prescribed under subsection (b).
(2) DISCLOSURE.---Notwithstanding paragraph (1), neither an operator of a
Web site or online service nor the operator's agent shall be held to be liable
under this Act for any disclosure made in good faith and following reasonable
procedures in responding to a request under subsection (b)(1)(B) by an
individual for disclosure of personal information pertaining to such
individual.
(b) REGULATIONS.---
(1) IN GENERAL.---Not later than 1 year after the date of the enactment of
this Act, the Commission shall promulgate under section 553 of title 5, United
States Code, regulations that---
[begin page 3]
(A) require the operator of any Web site or online service---
(i) to provide notice on its Web site, in a clear and conspicuous
manner, of the identity of the operator, what personal information is
collected by the operator, how the operator uses such information, and
what information may be shared with other companies; and
(ii) to provide a meaningful and simple online process for individuals
to consent to or limit the disclosure of personal information for purposes
unrelated to those for which such information was obtained or described in
the notice under clause (i);
(B) require the operator to provide, upon request of an individual under
this subparagraph who has provided personal information to that Web site or
online service, upon proper identification---
(i) a description of the specific types of personal information
collected by that operator that was sold or transferred to an external
company; and
[begin page 4]
(ii) notwithstanding any other provision of law, a means that is
reasonable under the circumstances for the individual to obtain the
personal information described in Paragraph (i) from such individual; and
(C) require the operator of such Web site or online service to establish
and maintain reasonable procedures to protect the confidentiality, security,
and integrity of Personal information it collects or maintains.
(2) WHEN PURPOSE LIMITATION -NOT REQUIRED.---The regulations shall provide
that the purpose limitation required under paragraph (1)(A)(ii) is not
required for---
(A) transactional information where identifiable information is not
removed,
(B) personal information where it is used to render or conduct a
legitimate business activity related to the business of the operator (for
example, the use of an e-mail address to respond to an e-mail
communication); or
(C) the collection, use, or dissemination of such information by the
operator of such a Web site or online service necessary to the extent
permitted under other provisions of law.
[begin page 5]
(3) WHEN ACCESS NOT REQUIRED.---The regulations, shall provide that access
as required under paragraph (1)(B)(ii) is not required
(A) to transactional information where identifiable information is not
removed;
(B) to information that is commercially confidential to the operator and
is obtained from sources outside of the individual's contact with the
operator's web site;
(C) to information that is used solely for internal company processes and
is neither sold, transferred, nor used for activities external to the web
site's operator;
(D) to information that is discarded upon the conclusion of the process
that generates it; or
(E) to information that has no impact upon an individual.
(4) TERMINATION OF SERVICE.---The regulations shall permit the operator of
a Web site or an online service to terminate service provided to an individual
who has refused, under the regulations prescribed under paragraph (1)(B)(ii),
to permit the operator's further use or maintenance in retrievable form, or
future collection, of personal information.
(c) ENFORCEMENT.---Subject to sections 3 and 5, a violation of a regulation
prescribed under subsection (a) shall be treated as a violation of a rule
defining an unfair or deceptive act or practice prescribed under section [begin page 6] 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).
(d) No Requirement to Collect or Maintain Data.---Nothing in this Act shall
be interpreted to require an operator to collect or maintain any data that would
not otherwise be collected or maintained.
SEC. 3. SAFE HARBORS.
(a) Guidelines.---An operator may satisfy the requirements of regulations
issued under section 2(b) by following a set of self-regulatory guidelines,
issued by representatives of the marketing or online industries, or by other
persons, approved under subsection (b).
(b) Incentives.---
(1) Self-regulatory incentives.---In prescribing regulations under section
2, the Commission shall provide incentives for self-regulation by operators to
implement the protections afforded under the regulatory requirements described
in subsection (b) of that section.
(2) Deemed compliance.---Such incentives shall include provisions for
ensuring that a person will be deemed to be in compliance with the
requirements of the regulations under section 2 if that person complies with
guidelines that, after notice and comment, are approved by the Commission upon
[begin page 7] making a determination that the
guidelines meet the requirements of the regulations issued under section 2.
(3) EXPEDITED RESPONSE TO REQUESTS.---The Commission shall act upon
requests for safe harbor treatment within 180 days of the filing of the
request, and shall set forth in writing its conclusions with regard to such
requests.
(c) APPEALS.---Final action by the Commission on a request for approval of
guidelines, or the failure to act within 180 days on a request for approval of
guidelines, submitted under subsection (b) may be appealed to a district court
of the United States of appropriate jurisdiction as provided for in section 706
of title 5, United States Code.
SEC. 4. ACTIONS BY STATES.
(a) IN GENERAL.---
(1) CIVIL ACTIONS.---In any case in which the attorney general of a State
has reason to believe that an interest of the residents of that State has been
or is threatened or adversely affected by the engagement of any person in a
practice that violates any regulation of the Commission prescribed under
section 2(b) of this Act, the State may bring a civil action on behalf of the
residents of the State in a [begin page 8] district
court of the United States of appropriate jurisdiction to---
(A) enjoin that practice;
(B) enforce compliance with the regulation;
(C) obtain damage, restitution, or other compensation on behalf of
residents of the State; or
(D) obtain such other relief as the court may consider to be appropriate.
(2) NOTICE.---
(A) IN GENERAL.---Before filing an action under paragraph (1), the
attorney general of the State involved shall provide to the Commission---
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION.---
(i) IN GENERAL.--Subparagraph (A) shall not apply with respect to the
filing of an action by an attorney general of a State under this
subsection, if the attorney general determines that it is not feasible to
provide the notice described in that subparagraph before the filing of the
action.
[begin page 9]
(ii) NOTIFICATION.---In an action described in clause (i), the attorney
general of a State shall provide notice and a copy of the complaint to the
Commission at the same time as the attorney general files the action.
(b) INTERVENTION.---
(1) IN GENERAL.---On receiving notice under subsection (a)(2), the
Commission shall have the right to intervene in the action that is the subject
of the notice.
(2) EFFECT OF INTERVENTION.---If the Commission intervenes in an action
under subsection (a), it shall have the right---
(A) to be heard with respect to any matter that arises in that action;
and
(B) to file a petition for appeal.
(3) AMICUS CURIAE.---Upon application to the court, a person whose
self-regulatory guidelines have been approved by the Commission and are relied
upon as a defense by any defendant to a proceeding under this section may file
amicus curiae in that proceeding.
(c) CONSTRUCTION.---For purposes of bringing any civil action under
subsection (a), nothing in this Act shall [begin page 10] be
construed to prevent an attorney general of a State from exercising the powers
conferred on the attorney general by the laws of that State to---
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and
other evidence.
(d) VENUE; SERVICE OF PROCESS.---
(1) VENUE.---Any action brought under subsection (a) may be brought in the
district court of the United States that meets applicable requirements
relating to venue -under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS.---In an action brought under subsection (a),
process may be served in any district in which the defendant
(A) is an inhabitant; or
(B) may be found.
SEC. 6. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) IN GENERAL.---Except as otherwise provided, this Act shall be enforced by
the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(b) PROVISIONS.---Compliance with the requirements imposed under this Act
shall be enforced under---
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the
case of---
(A) national banks, and Federal branches and Federal agencies of foreign
banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national
banks), branches and agencies of foreign banks (other than Federal branches,
Federal agencies, and insured State branches of foreign banks), commercial
lending companies owned or controlled by foreign banks, and organizations
operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C.
601 et seq. and 611 et. seq.), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other
than members of the Federal Reserve System) and insured State branches of
foreign banks, by the Board of Directors of the Federal Deposit Insurance
Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the
Director of the Office of Thrift Supervision, in the case of a savings
association [begin page 12] the deposits of
-which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National
Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the
Secretary of Transportation with respect to any air carrier or foreign air
carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et. seq.) (except as
provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of
Agriculture with respect to any, activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit
Administration with respect to any Federal land bank, Federal land bank
association, Federal intermediate credit bank, or production credit
association.
(c) EXERCISE OF CERTAIN POWERS.---For the purpose of the exercise by any
agency referred to in subsection (b) of its powers under any other Act referred
to in that subsection, a violation of any requirement imposed under this Act
shall be deemed to be a violation of a requirement [begin
page 13] imposed under that other Act. In addition to its powers under
any provision of law specifically referred to in subsection (b), each of the
agencies referred to in that subsection may exercise, for the purpose of
enforcing compliance with any requirement imposed under this Act, any other
authority conferred on such agency by law.
(d) ACTIONS BY THE COMMISSION.---The Commission shall prevent any person from
violating a rule of the Commission under section 2 in the same manner, by the
same means, and -with the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this title. Any entity
that violates such rule shall be subject to the penalties and entitled to the
privileges and immunities provided in the Federal Trade Commission Act in the
same manner, by the same means, and with the same jurisdiction, power, and
duties as though all applicable terms and provisions of the Federal Trade
Commission Act were incorporated into and made a part of this title.
(e) EFFECT ON OTHER LAWS.---Nothing contained in this Act shall be construed
to limit the authority of the Commission under any other provisions of law.
[begin page 14]
SEC. 6. REVIEW.
Not later than 5 Years after the effective date of the regulations initially
issued under section 2, the Commission shall---
(1) review the implementation of this Act, including the effect of the
implementation of this title on practices relating to the collection and
disclosure of information; and
(2) prepare and submit to Congress a report on the results of the review
under paragraph (1).
SEC. 7. EFFECTIVE DATE.
Sections 3 (a), 5, and 6 of this Act shall take effect on the later of---
(1) the date that is 18 months after the date or enactment of this Act; or
(2) the date on which the Commission rules on the first application filed
for safe harbor treatment under section 3 if the Commission does not rule on
the first such application within one year after the date of enactment of this
Act, but in no case later than the date that is 30 months after the date of
enactment of this Act.
SEC. 8. DEFINITIONS.
In this Act:
(1) INDIVIDUAL.---The term. "'individual" means a natural person
of age 14 and above.
[begin page 15]
(2) OPERATOR.---The term "operator"---
(A) means any person who operates a Web site located on the Internet or
an online service and who collects or maintains personal information from or
about the users of or visitors to such Web site or online service, or on
whose behalf such information is collected or maintained, where such Web
site or online service is operated for commercial purposes, including any
person offering products or services for sale through that Web site or
online service, involving commerce---
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of
Columbia, or between any such territory and---
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory or
foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt
from coverage [begin page 16] under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).
(3) COMMISSION.---The term "Commission" means the Federal Trade
Commission.
(4) DISCLOSURE.---The term "disclosure" means, with respect to
personal information the release of personal information collected in
identifiable form by an operator for any purpose, except where such
information is provided to a person other than the operator who provides
support for the internal operations of the 'Web site and does not disclose or
use that information for any other purpose.
(5) FEDERAL AGENCY.---The term "Federal agency" means an agency,
as that term is defined in section 551(l) of title 5, United States Code.
(6) INTERNET.---The term "Internet" means collectively the myriad
of computer and telecommunications facilities, including equipment and
operating software, which comprise the interconnected world-wide network of
networks that employ the Transmission Control Protocol/Internet Protocol, or
any predecessor or successor protocols to such protocol, to communicate
information of all kinds by wire or radio.
[begin page 17]
(7) TRANSACTIONAL INFORMATION.---The term "transactional
information" means information generated in connection with the process
of requesting, accessing, or otherwise using, the Internet.
(8) PERSONAL INFORMATION.---The term "personal information" means
information collected on line from an individual that identifies that
individual, including---
(A) first and last name;
(B) home or other physical address;
(C) email address;
(D) social security number;
(E) telephone number;
(F) any other identifier that the Commission determines identifies an
individual; or
(G) information that is maintained with, or can be searched or retrieved
by means of, data described in subparagraphs (A) through (F).
|