Sen. Ernest Hollings' (D-SC)
Summary of Amendment in the Nature of a Substitute to S 2201,
the Online Personal Privacy Act 2002. Editor's Note: the Senate Commerce Committee amended and approved this amendment at its May 16, 2002, mark up meeting. |
||
|
Online Personal Privacy Protection Act
Committee Substitute – Summary
Like S. 2201, the committee substitute builds upon the recognized, 5 core privacy principles – notice, consent, access, security, and enforcement – to create a strong, federal standard for the protection of personal information collected online.
1. Required Notice and Consent: The bill identifies two categories of personal information: sensitive information and non-sensitive information. The definition of sensitive information includes several specific categories of personal information (financial, medical, social security number, ethnicity, religious affiliation, sexual orientation, political party affiliation). All other personal information is deemed non-sensitive information. Under the substitute, Internet service providers, online service providers, and commercial website operators (hereinafter collectively, “operators”) would be required to notify persons of how an individual’s personal information will be used. “Opt-in” consent would be required before operators could collect or otherwise use a person’s sensitive information. For non-sensitive information, operators would have to provide consumers with “robust notice” defined as “actual notice at the point of collection” that briefly describes the operators intent to use or disclose such information. In addition, the operator would be required to provide persons with a mechanism to “opt-out” of such uses or disclosures.
2. Access and Security Obligations: The substitute contains provisions requiring that operators provide reasonable access to and reasonable security for a user’s personal information. Like the approach taken in the EU Safe Harbor, whether a request for access would be “reasonable” depends upon a balancing test weighing factors such as the sensitivity of such information against the cost to the operator of providing such access. In addition, the substitute permits operators to charge a reasonable fee for access not to exceed $3 and does not require operators to make changes suggested by a user if the operator believes that such change is inaccurate or inappropriate.
3. Enforcement- Private Right of Action for Sensitive Information Only: The substitute creates a private right of action only for violations involving a person’s sensitive information. Moreover, only where violations involve fraudulent notice with respect to sensitive personal information or the disclosure of sensitive personal information in violation of the Act would an individual be permitted to receive statutory damages (of up to $500 per violation). In all other cases, individuals seeking relief for misuse of their sensitive personal information would be limited to suits for actual damages and/or injunctive relief.
4. Enforcement- FTC and State AG Enforcement. As in S. 2201, all violations of Title I are enforceable by the FTC and by state AGs. In addition, while violations related to non-sensitive information would be exclusively enforced by the FTC and state AG’s, the substitute creates a mechanism whereby, in the event that the FTC seeks and collects civil penalties from any violator, individuals can petition the FTC for monetary relief (not to exceed $200) that would be paid out of any such award.
5. Exceptions/Permitted Disclosures. The substitute recognizes that when a consumer purchases of a product or service online, implicit in that purchase is the consumer’s consent to disclose his personal information as necessary to deliver such product or service. For example, when a consumer purchases a book online, he implicitly consents that the company disclose his personal information as necessary to ensure delivery of the book. In recognition of these circumstances, the bill wholly exempts uses or disclosure to deliver a product or service requested by the user, as well as to provide products or services integrally related to the transaction service product or arrangement (such as a software security patch or a recall notice) from the notice and consent requirements of the Act.
6. Preemption: The substitute would preempt all state statutes, rules, and regulations regulating Internet privacy.
7. Safe Harbor: The Substitute includes a safe harbor scheme to allow “self-regulatory organizations” and “independent third party verifiers” to certify that companies are in compliance with the Act. Self-regulatory organizations will be certified by the FTC and will review the information practices of Internet companies to ensure that they comply with the law. This oversight includes random audits of those companies and an obligation to alert the FTC of any violations. To avoid conflicts of interest, the self regulatory program’s review will itself be reviewed by an independent third party verifier (that will also be certified by the FTC) that has no relationship with the company being examined for compliance. The self-regulatory organizations, independent third party verifiers, and the FTC will keep publicly available lists of non- compliant companies. Companies participating in the safe harbor will be entitled to an affirmative defense in any private litigation brought by individuals under this Act.
8. FTC to Establish Proposed Rules for Conforming Offline Privacy Protections. The substitute would require that the FTC propose rules within six months of the enactment that provide similar standards and protections that would govern personal information collected offline. These rules would not become law unless Congress, within 18 months of enactment, failed to enact legislation creating equivalent protections for personal information collected offline.
9. Prospective Application Only: In this substitute, the obligations imposed on operators apply only to their practices with respect to personal information and apply only prospectively.
10. Other Provisions: The substitute also includes provisions that would apply the requirements of the legislation to federal agencies and the Senate.