Section by section summary of S. 2201, the Online Personal Privacy Act 2002.
SECTION BY SECTION:
The Online Personal Privacy Protection Act of 2002
Section 1 -- Short Title (Online Personal Privacy Protection Act of 2002)
Section 2 -- Table of Contents
Section 3 -- Findings
Section 4 -- Preemption of State Law or Regulations
This section preempts any state statute, regulation or rule regulating Internet privacy to the extent that it relates to the collection, use, or disclosure of personally identifiable information obtained through the Internet.
Title I -- Online Privacy
Section 101 – Collection, use or disclosure of personally identifiable information (Pii)
An Internet service provider, online service provider or commercial website operator (hereinafter "Internet companies") may not collect, use, or disclose personally identifiable information without complying with this Act. This requirement also applies to any third party, including advertising networks, that uses an Internet service provider, online service provider, or commercial website operator to collect information about users of that service or website.
Section 102 – Notice & Consent Requirements
Notice: Generally, Internet companies may not collect Pii online unless they provide clear and conspicuous notice as to what information will be collected, how that information may be collected and/or used, and what the disclosure practices are for that information (including whether it will be disclosed to third parties).
Opt-in Consent for Sensitive Pii: Internet companies must obtain affirmative consent from the consumer ("Opt-in") before collecting and using or disclosing sensitive Pii.
Robust Notice and Opt-out for Non-sensitive Pii: Internet companies must provide individuals "robust notice" and an opportunity to opt out prior to collection and use or disclosure of non-sensitive Pii. Such notice need only be provided initially, at first collection of non-sensitive Pii, unless there is future collection of materially different non-sensitive Pii, at which point additional notice is required.
Permanence of Consent: A user’s consent or denial of consent to information practices shall remain in effect until changed by the user, and applies to successor entities to the provider or operator that originally collected the user’s Pii.
Section 103 – Policy Changes; Breach of Privacy
Notice of Privacy Policy Change: Internet companies must provide notice of a material change in privacy policy and may not collect, disclose or use Pii unless user has been afforded an opportunity to consent or withhold consent, depending on the sensitivity of the Pii in question.
Notice of Privacy Breach: Internet companies must provide notice of a privacy breach relating to Pii; such notice may be delayed so as to catch a hacker, or restore integrity or security of the website and/or information, or prevent any further compromise of the security or integrity of the Pii.
Section 104 -- Exceptions
For the Purposes for which the Pii was supplied: Section 102 does not apply to collection, disclosure, or use of Pii to:
protect the security and integrity of the service or website; conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information; or provide other products or services integrally related to the transaction, service, product, or arrangement for which the user provided the information.
For Disclosures permitted pursuant to COPPA or in response to Access request: Section 102 does not apply to:
COPPA disclosure – disclosures made in good faith following reasonable procedures in responding to a request for Pii disclosure to a parent under the Children’s Online Privacy Protection Act of 1998.
Access disclosure – disclosures made in good faith following reasonable procedures in responding to a request for access to Pii.
Disclosure for Law Enforcement or national security: Pii may be disclosed:
to a law enforcement, investigatory, national security, or regulatory agency or department of the federal government pursuant to a request or demand made pursuant to authorities granted to that agency or department, including a warrant or court order, or properly executed administrative compulsory process; or in response to a court order in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by any other means, provided there is notice to the user and an opportunity afforded to the user to appear and contest the order or try to narrow its scope.
Section 105 – Access
Internet companies must provide reasonable access to a user to Pii collected online; must provide reasonable opportunity for a user to suggest a correction or deletion of Pii maintained by the company; and must make the correction a part of the user's profile. Internet companies may decline a suggested correction or deletion if they reasonably believe it is inaccurate or inappropriate and they notify the user in writing of their decision and reasoning, and provide the user an opportunity to refute the reasons.
Reasonableness of access shall be determined by taking into account such factors as the sensitivity of the information requested and the burden or expense on the provider or operator of complying with the request.
Internet companies may impose a reasonable charge for access not to exceed $3.
Section 106 -- Security
Internet companies must establish and maintain reasonable procedures to protect the security, confidentiality, and integrity of Pii they maintain.
Title II -- Enforcement
Section 201 -- Enforcement by Federal Trade Commission
Except as otherwise provided, this legislation is to be enforced by the Federal Trade Commission.
Section 202 -- Violations of Legislation
Unfair or Deceptive Act or Practice – A violation of the statute will constitute an unfair or deceptive act or practice as proscribed under the Federal Trade Commission Act. Other agencies will enforce the legislation if they possess jurisdiction under existing law over certain business entities.
Civil Penalties and distribution of monies to users – If the FTC imposes civil penalties for a violation of the Act involving nonsensitive information, it shall hold those monies in trust to be distributed to users whose nonsensitive Pii was the subject of the violation and who file claims at the FTC seeking such a distribution. The distribution shall not exceed $200, and may be limited by the FTC to ensure an equitable distribution among all users seeking such a distribution.
Effect on Other Laws – The FTC is not limited by this statute with respect to its authority under other laws. Nothing in this Act requires a company to take an action inconsistent with Section 222 of the Communications Act (CPNI rules). With respect to the provision of Internet services by cable operators, and the operation of commercial websites by cable operators, the provisions of this Act apply in lieu of Section 631 of the Communications Act (Cable Act Privacy rules).
Section 203 -- Action by Users
A person whose sensitive Pii is collected, used, or disclosed in violation of this legislation can bring an action in federal district court to enjoin that activity and, upon a showing of actual harm, recover statutory damages of $5,000, or actual damages, whichever is greater. Users can recover up to $100,000 for a repeated and knowing violation, if the court, in its discretion, increases the amount.
Companies are insulated from liability in the event of acts of God, unforeseeable network breakdowns or systems failures, or other uncontrollable events.
Section 204 -- Action by States
Attorneys general may bring a civil action on behalf of residents to enforce the statute. The FTC may intervene in such an action. If the FTC brings an action first, states cannot bring an action under the statute against the same defendant.
Section 205 -- Whistleblower Protection
This section prohibits Internet companies from discharging or discriminating against an employee who provided information to authorities as to a violation of the statute. An employee who has been subject to such unlawful conduct may file a civil action in federal district court to seek remedies for the discrimination, including reinstatement, compensatory damages, or other appropriate remedies, to be awarded in the court's discretion.
Section 206 -- No effect on other remedies
The remedies provided by sections 203 and 204 are in addition to any other remedy available under any provision of law.
Title III – Application to Congress and Federal Agencies
Section 301 – Senate
The Sergeant at Arms of the U.S. Senate shall develop regulations governing use of the Internet that comply with Title I of this Act.
Section 302 – Application to Federal Agencies
Makes the statute applicable to federal agencies acting as ISPs, OSPs, or website operators, except to the extent that such application would compromise law enforcement activities or investigative, security, or safety operations conducted in accordance with federal law.
Title IV -- Miscellaneous
Section 401 – Definitions
Provides definitions pertinent to the legislation.
Personally identifiable information includes –
first and last names (whether given at birth or adoption, assumed, or legally changed); home or other physical address; e-mail address; telephone number; birth certificate number; any other identifier for which the FTC finds there is a substantial likelihood that the identifier would permit the physical or online contacting of an individual; or information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in this paragraph.
Information about an individual derived or inferred from data collected online but not actually collected is not Pii.
Sensitive personally identifiable information –
Health information as defined in the HIPAA regulations; race or ethnicity; political party affiliation; religious beliefs; sexual orientation; social security number; or sensitive financial information (income earned or lost; account number or balance information for savings, checking, money market, credit card, brokerage, or other financial services accounts; access code, security password, or similar mechanism to access a financial services account; insurance policy information; or credit card, debt, or loan obligations).
Robust Notice –
Actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes.
Section 402 – Effective Date of Title I
Title I takes effect the day after the FTC publishes a final rule pursuant to Section 403.
Section 403 – FTC Rulemaking
The FTC is required to initiate a rulemaking within 90 days to implement Title I. The rulemaking shall be completed within 270 days after its commencement.
Section 404 -- FTC Report
Requires the FTC to report to the Senate and House Commerce Committees 18 months after the effective date of the statute, and annually thereafter, as to: whether the Act is accomplishing the purposes for which it was enacted; whether additional legislation is necessary to improve on the Act; whether offline legislation is necessary; whether the government may assist industry in developing standard online privacy notices; whether a set of self-regulatory guidelines established by safe harbor organizations would facilitate compliance with the Act; whether technology that provides privacy protection in the marketplace would facilitate compliance with the Act; and whether legislation is necessary to protect privacy with respect to personally identifiable information collected before the effective date of the Act.
The FTC is required to initiate a notice of inquiry seeking public comment on these issues in preparation of its report.
Section 405 – Development of Automated Privacy Controls
Requires NIST to encourage and support the development of one or more computer programs, protocols, or other software, such as the P3P program, capable of being installed on computers or computer networks with Internet access that would reflect the user’s privacy preferences for protecting personally identifiable information, without requiring user intervention once activated.