HR 4678, the Consumer Privacy Protection Act of
2002. Sponsor: Rep. Cliff Stearns (R-FL). Date Introduced: May 8, 2002.
107TH CONGRESS
2D SESSION H. R. _____
To protect and enhance consumer privacy, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Mr. STEARNS (for himself, Mr. BOUCHER, Mr. TAUZIN, Mr. TOWNS, Mr. BASS, Mr. BILIRAKIS, Mrs. BONO, Mr. DEAL of Georgia, Ms. ESHOO, Mr. GILLMOR, Mr. GORDON, Mr. GREENWOOD, Mr. KINGSTON, Mr. MORAN of Virginia, Mr. SAWYER, Mr. TERRY, Mr. UPTON, Mr. WALDEN, Mr. WELDON of Florida, and Mr. WELLER) introduced the following bill; which was referred to the Committee on _______
A BILL
To protect and enhance consumer privacy, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Consumer Privacy Protection Act of 2002’’.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
TITLE I—PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE
Sec. 101. Privacy notices to consumers.
Sec. 102. Privacy policy statements.
Sec. 103. Consumer opportunity to limit sale or disclosure of information.
Sec. 104. Consumer opportunity to limit other information practices.
Sec. 105. Information security obligations.
Sec. 106. Self-regulatory programs.
Sec. 107. Enforcement.
Sec. 108. No private right of action.
Sec. 109. Effect on other laws.
Sec. 110. Effective date.
TITLE II—IDENTITY THEFT PREVENTION AND REMEDIES
Sec. 201. Facilitating electronic identity theft affidavits.
Sec. 202. Promoting use of common identity theft affidavit.
Sec. 203. Timely resolution of identity theft disputes.
Sec. 204. Improvements to consumer clearinghouse.
Sec. 205. Improved identity theft data.
Sec. 206. Change of address protections.
Sec. 207. Effective date.
TITLE III—INTERNATIONAL PROVISIONS
Sec. 301. Study by Comptroller General.
Sec. 302. Remediation of discriminatory impact by Secretary of Commerce.
Sec. 303. Effect of nonremediation.
Sec. 304. Harmonization of international privacy laws, regulations, and agreements.
TITLE IV—GENERAL PROVISIONS
Sec. 401. Definitions.
TITLE I—PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE
SEC. 101. PRIVACY NOTICES TO CONSUMERS.
(a) NOTICE REQUIRED.—A data collection organization shall provide to a consumer a notice containing the information required under subsection (b) as follows:
(1) Upon the first instance of collection from the consumer of personally identifiable information, that may be used for a purpose unrelated to the transaction, by a data collection organization, the organization shall provide the notice at the time personally identifiable information is collected.
(2) Upon a material change in the organization’s privacy policy statement under section 102(5), the organization shall provide the notice, not later than the first time after such change in policy that the organization seeks to collect, sell, disclose for consideration, or use personally identifiable information to the extent practicable, to each consumer from whom the organization has collected such information.
(b) FORM AND CONTENTS OF NOTICE.—A notice required under subsection (a) shall be provided in a clear and concise manner, be prominently displayed or explicitly stated to the consumer, and contain the following information:
(1) A statement that the information privacy practices of the data collection organization raise an issue of privacy for the consumer that may provide the consumer with rights under law.
(2) A description of the manner in which the consumer may obtain a privacy policy statement that meets the requirements of section 102, which may include providing the consumer with an Internet website, a hyperlink to such a website, or a toll-free telephone number from which such a statement may be obtained.
(3) If the notice is required under subsection (a)(2), a statement that there has been a material change in the organization’s privacy policy.
SEC. 102. PRIVACY POLICY STATEMENTS.
(a) PRIVACY POLICY.—A data collection organization shall establish a privacy policy with respect to the collection, sale, disclosure for consideration, or use of the personally identifiable information of consumers, the principal elements of which shall be embodied in a privacy policy statement (or statements) that meets the requirements of subsection (b).
(b) STATEMENT.—The statement (or statements) required under subsection (a) shall meet the following requirements:
(1) The statement must be clear and conspicuous and written in plain language.
(2) The statement must be accessible to all consumers of the data collection organization (regardless of the means by which a consumer conducts a transaction with the organization)—
(A) at no charge to the consumer; and
(B) at the time the data collection organization first collects personally identifiable information about the consumer that may be used for a purpose unrelated to a transaction with the consumer and subsequently.
(3) With respect to personally identifiable information that may be used for a purpose unrelated to a transaction with the consumer and that is subject to being collected, sold, disclosed for consideration, or used under the statement, the statement must disclose only the following:
(A) The identity of each data collection organization, or a description of each class or type of data collection organization, that may collect or use the information.
(B) The types of information that may be collected, sold, disclosed for consideration, or used.
(C) How the information may be used.
(D) Whether the consumer is required to provide the information in order to do business with the data collection organization.
(E) The extent to which the information is subject to sale or disclosure for consideration to a data collection organization that is not an information-sharing affiliate of the data collection organization providing the statement, including the following:
(i) A clear and prominent statement of the fact that the information is subject to such sale or disclosure for consideration.
(ii) A description of each class or type of data collection organization to which the information may be sold or disclosed for consideration.
(iii) The purpose for which the information may be used.
(F) Whether the information security practices of the data collection organization meet the security requirements of section 105 in order to prevent unauthorized disclosure or release of personally identifiable information.
(c) COMMISSION FACILITATION.—The Commission shall take actions (including conducting industry-wide workshops) to facilitate the development of harmonized, universal wording or logo-based graphics in order to convey the contents of privacy policy statements required under this section.
SEC. 103. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF INFORMATION.
(a) PRECLUSION OF SALE OR DISCLOSURE.—
(1) REQUIREMENT.—A data collection organization shall provide to the consumer, without charge, the opportunity to preclude any sale or disclosure for consideration of the consumer’s personally identifiable information, that may be used for a purpose unrelated to a transaction with the consumer, to any data collection organization that is not an information-sharing partner of the data collection organization providing such opportunity.
(2) DURATION.—A preclusion on sale or disclosure for consideration of information established by a consumer under this subsection shall remain in effect for 5 years or until the consumer indicates otherwise, whichever occurs sooner. A data collection organization may not seek reconsideration of a consumer’s preclusion of such sale or disclosure until at least 1 year after such preclusion has been imposed by the consumer.
(b) PERMISSION FOR SALE OR DISCLOSURE.—A data collection organization may provide the consumer an opportunity to permit the sale or disclosure described in subsection (a)(1) in exchange for a benefit to the consumer.
(c) ACCESSIBILITY.—The opportunity to preclude (or if offered, to permit) the sale or disclosure for consideration of information under this section must be both easy to access and use.
SEC. 104. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.
If a data collection organization provides to a consumer the opportunity to limit other practices of the data collection organization with respect to collection or use of personally identifiable information regarding the consumer, other than that required by section 103—
(1) that opportunity must be easy to access and to use; and
(2) any limitation exercised by the consumer pursuant to the opportunity shall remain in effect, unless—
(A) the limitation is withdrawn by the consumer; or
(B) the data collection organization provides the consumer at least 30 days notice before terminating its compliance with the limitation.
SEC. 105. INFORMATION SECURITY OBLIGATIONS.
(a) INFORMATION SECURITY POLICY.—
(1) IMPLEMENTATION.—A data collection organization shall prepare, revise as necessary, and implement an information security policy that is applicable to the information security practices and treatment of personally identifiable information maintained by the data collection organization, in order to prevent the unauthorized disclosure or release of such information.
(2) MANAGEMENT APPROVAL.—An information security policy created pursuant to paragraph (1) shall be considered and approved by the senior management officials of the data collection organization.
(3) CONTENTS.—An information security policy required under paragraph (1) shall include—
(A) a process for taking corrective action pursuant to subsection (b); and
(B) identifying an officer of the data collection organization as the point of contact with responsibility for information security issues for the organization.
(b) CORRECTIVE ACTIONS.—
(1) NOTIFICATION AND ACTION.—Except as provided in paragraph (2), upon the joint issuance of an information security notification by a Federal Government agency and the CERT Coordination Center, a data collection organization shall take appropriate action, within a reasonable period of time after being informed and pursuant to its information security policy, to implement any necessary changes to its security practices and the architecture, installation, or implementation of its network or operating software (including corrective patches) in response to such a notification.
(2) EXCEPTIONS.—A data collection organization shall not be required to take the action specified in a notification under paragraph (1) if—
(A) the corrective action required would cause harm to, or weaken, the organization’s existing information security for personally identifiable information or the procedures or systems of the organization;
(B) the organization takes, or has taken, other appropriate steps or corrective action to mitigate the vulnerabilities and exposure risks identified in the notification; or
(C) the specified corrective action is not necessary.
(3) CERT COORDINATION CENTER DESCRIBED.—For purposes of this section, the CERT Coordination Center is the Computer Emergency Response Team Coordination Center of the Software Engineering Institute operated by Carnegie Mellon University in Pittsburgh, Pennsylvania, or if such center is unavailable, an equivalent center designated by the Commission.
(c) EFFECT OF RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.—If the security of a data collection organization has been compromised, resulting in the unauthorized release of a consumer’s personally identifiable information, the Commission shall treat the failure of the data collection organization to comply with its own security policy or respond to a Federal agency information security notification in accordance with subsection (b)(1) as one factor in determining whether that data collection organization has violated this section.
SEC. 106. SELF-REGULATORY PROGRAMS.
(a) SELF-REGULATORY PROGRAM.—
(1) PRESUMPTION OF COMPLIANCE.—The Commission shall presume that a data collection organization is in compliance with the provisions of sections 101 through 105 if that organization—
(A) participates in a self-regulatory program approved under subsection (b); and
(B) complies with the guidelines, procedures, requirements, and restrictions of the program (including a remedial process under subsection (c)(7)).
(2) EFFECT OF WILLFUL NONCOMPLIANCE.—A data collection organization that participates in a self-regulatory program under this section shall not be liable for a civil penalty arising out of a violation of any provision of sections 101 through 105 unless such violation results from willful noncompliance with the guidelines, procedures, requirements, or restrictions of the program.
(b) APPROVAL BY COMMISSION.—
(1) APPROVAL.—The Commission shall, within 90 days after submission of an application for approval of a self-regulatory program under this section (or of a material change in a program previously approved by the Commission), approve such program (or change) if the Commission finds that the program (or change) complies with the requirements of subsection (c).
(2) FORM OF APPLICATION.—The Commission shall accept an application for approval under paragraph (1) in any reasonable form the applicant may submit.
(3) DURATION UNTIL RENEWAL.—A self-regulatory program approved by the Commission under paragraph (1) shall be approved for a period of 8 years.
(4) REVOCATION OF APPROVAL.—The Commission may, after notice and opportunity for a hearing, revoke approval granted under paragraph (1), if the Commission finds that a self-regulatory program fails to meet the requirements of subsection (c).
(c) REQUIREMENTS OF SELF-REGULATORY PROGRAM.—A self-regulatory program complies with the requirements of this subsection if the program provides each of the following:
(1) Guidelines and procedures requiring a program participant to provide equivalent or greater protections for consumers and their personally identifiable information as are provided under sections 101 through 105.
(2) Procedures and requirements to provide for—
(A) an initial self-review and self-certification of a participant’s privacy policy and practices to ensure compliance with the guidelines, procedures, requirements, and restrictions of the program established under this subsection;
(B) subsequent periodic self-reviews and self-certifications, which shall occur at least annually, of the participant’s privacy policy and practices to ensure continued compliance with such guidelines, procedures, requirements, and restrictions;
(C) submission of self-reviews and self-certifications under this paragraph to any administrator of the program;
(D) random compliance testing of participants, and compliance testing of participants with a high number of complaints against them, to determine the tested participant’s compliance with the program; and
(E) regular compliance testing of a participant, which shall take place not less frequently than every 4 years, with respect to the privacy policy and practices of the participant, to ensure that the self-reviews and self-certifications of the participant are accurate and comply with the program.
(3) Procedures and requirements that ensure that a program participant provides a process for resolving disputes with consumers relating to the privacy policy and practices of the participant. Such dispute resolution process—
(A) must be available without charge to a consumer;
(B) must be available at a cost to the participant that is reasonable and does not discourage participation by the participant in such process;
(C) must ensure that consumers are informed of how to utilize the process;
(D) may include, as one choice among others, binding arbitration; and
(E)(i) must be completed within 30 days after submission of the dispute by the consumer; or
(ii) must be completed within 60 days after submission of the dispute by the consumer, if the participant—
(I) determines that additional time is required to obtain information to make an informed decision with respect to the dispute; and
(II) notifies the consumer that such additional time is required.
(4) Provisions for the use by participants in the program of a means (including the use of a seal) to represent the participant’s participation in the program.
(5) With respect to any nonvoluntary suspension or termination of participation in the program because of the participant’s failure to comply with the program, procedures or requirements to provide for the following:
(A) Publication of notice and the reasons for any such suspension or termination, except that no personally identifiable information related to such suspension or termination may be published.
(B) Notice to the Commission of any such termination.
(6) Requirements and restrictions that assure independence with respect to program eligibility, compliance, and dispute resolution mechanisms and decisions from improper interference by management or ownership of the self-regulatory program participant.
(7) A process for a noncompliant participant to take timely remedial action in order to come back into compliance with the program before suspension or termination of participation in the program.
(d) CONSUMER DISPUTE RESOLUTION.—
(1) SELF-REGULATORY DISPUTE PROCESS.—If a consumer has a dispute with a participant in a self-regulatory program under this section, the consumer shall initially seek resolution through the participant’s dispute resolution process (established in accordance with subsection (c)(3)). The Commission shall promptly refer to the participant involved any dispute submitted to the Commission for which resolution has not been initially sought through such process.
(2) RESOLUTION BY COMMISSION.—A consumer may submit to the Commission for resolution a dispute with a participant in a self-regulatory program under this section, if the following requirements are met:
(A) The dispute was initially submitted under paragraph (1) for resolution through the participant’s dispute resolution process.
(B) The dispute submitted under paragraph (1) is not resolved—
(i) within 30 days after submission of the dispute by the consumer; or
(ii) to the satisfaction of the consumer.
(C) Notice of the facts of the dispute is submitted to the Commission not later than 30 days after the date on which the consumer is notified of the resolution through the participant’s dispute resolution process.
(D) The consumer has not voluntarily accepted a resolution of the dispute under paragraph (1).
(E) The dispute was not resolved through binding arbitration.
(e) NONRELEASE OF CERTAIN INFORMATION.—The Commission may not compel a participant in a self-regulatory program approved under subsection (b) (or an administrator of such a program) to provide proprietary information or personally identifiable information of consumers to the Commission unless the Commission provides assurances that such information will not be released to the public.
(f) MISREPRESENTATION OF SELF-REGULATORY PROGRAM PARTICIPATION.—It is unlawful for a data collection organization to misrepresent that it is a participant in a self-regulatory program (including through any mechanism provided under subsection (c)(4)) when such organization is not, in fact, such a participant.
(g) EXEMPTED ENTITY PARTICIPATION.—An entity that is not a data collection organization and that voluntarily participates in a self-regulatory program under this section shall enjoy the rights and benefits provided under this section.
SEC. 107. ENFORCEMENT.
(a) UNFAIR OR DECEPTIVE ACT OR PRACTICE.—A violation of any provision of this title is an unfair or deceptive act or practice unlawful under section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any civil penalty under such Act shall be doubled for a violation of this title, but may not exceed $500,000 for all related violations by a single violator (without respect to the number of consumers affected or the duration of the related violations).
(b) GUIDELINES AND OPINIONS.—In order to assist in compliance with this title, the Federal Trade Commission may issue generally applicable guidelines and, upon request, advisory opinions with respect to specific types of acts or practices that would, or would not, comply with this title, but may not prescribe regulations to carry out this title.
SEC. 108. NO PRIVATE RIGHT OF ACTION.
This title may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this title may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).
SEC. 109. EFFECT ON OTHER LAWS.
(a) QUALIFIED EXEMPTION FOR COMPLIANCE WITH OTHER FEDERAL PRIVACY LAWS.—To the extent that personally identifiable information protected under this title is also protected under a provision of Federal privacy law described in subsection (c), a data collection organization that complies with the relevant provision of such other Federal privacy law shall be deemed to have complied with the corresponding provision of this title.
(b) PROTECTION OF OTHER FEDERAL PRIVACY LAWS.—Nothing in this title may be construed to modify, limit, or supersede the operation of the Federal privacy laws described in subsection (c) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.
(c) OTHER FEDERAL PRIVACY LAWS DESCRIBED.—The provisions of law to which subsections (a) and (b) apply are the following:
(1) Section 552a of title 5, United States Code (commonly known as the Privacy Act of 1974).
(2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.).
(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.).
(5) The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).
(6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.).
(7) The Electronic Communications Privacy Act of 1986 (Public Law 99–508).
(8) The Driver’s Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).
(9) The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1221 note, 1232g).
(10) Section 445 of the General Education Provisions Act (20 U.S.C. 1232h).
(11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.).
(12) Section 222 of the Communications Act of 1934 (47 U.S.C. 222) relating to the Customer Proprietary Network Information.
(13) The Cable Communications Policy Act of 1984 (47 U.S.C. 521 et seq.).
(14) The Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et seq.).
(15) The Video Privacy Protection Act of 1988 (Public Law 100–618).
(16) The Telephone Consumer Protection Act of 1991 (Public Law 102–243).
(17) The Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), as it relates to an entity described in section 1172(a) of the Social Security Act (42 U.S.C. 1320d–1(a)) or to activities regulated under section 1173 of such Act (42 U.S.C. 1320d–2).
(d) PREEMPTION OF STATE PRIVACY LAWS.—This title preempts any statutory law, common law, rule, or regulation of a State, or a political subdivision of a State, to the extent such law, rule, or regulation relates to or affects the collection, use, sale, disclosure, or dissemination of personally identifiable information in commerce. No State, or political subdivision of a State, may take any action to enforce this title.
SEC. 110. EFFECTIVE DATE.
This title shall apply with respect to personally identifiable information collected on or after the date that is 1 year after the date of enactment of this Act.
TITLE II—IDENTITY THEFT PREVENTION AND REMEDIES
SEC. 201. FACILITATING ELECTRONIC IDENTITY THEFT AFFIDAVITS.
The Commission shall take such action as necessary to permit (including by electronic means) consumers that have a reasonable belief that they are a victim of identity theft—
(1) to enter required consumer information in the commission-developed document entitled ‘‘Identity Theft Affidavit’’; and
(2) to submit completed forms and other supplemental information to the Commission and other entities.
SEC. 202. PROMOTING USE OF COMMON IDENTITY THEFT AFFIDAVIT.
The Commission shall take such action as necessary to solicit the acceptance and acknowledgement of a standardized Identity Theft Affidavit by entities that receive disputes regarding the unauthorized use of accounts of such entities from consumers that have reason to believe that they are a victim of identity theft.
SEC. 203. TIMELY RESOLUTION OF IDENTITY THEFT DISPUTES.
The Commission shall require entities that receive disputes regarding the unauthorized use of accounts of such entities from consumers that have reason to believe that they are a victim of identity theft to conduct any necessary investigation and decide an outcome of a claim within 90 days from the date on which all necessary information to investigate the claim has been submitted to the entity.
SEC. 204. IMPROVEMENTS TO CONSUMER CLEARINGHOUSE.
The Commission shall utilize the Identity Theft Clearinghouse to permit consumers that have a reasonable belief that they are a victim of identity theft to submit any information relevant to such identity theft to the Clearinghouse (including by means of an Identity Theft Affidavit), so that such information may be transmitted by the Clearinghouse to appropriate entities for necessary protective action and to mitigate losses resulting from such identity theft.
SEC. 205. IMPROVED IDENTITY THEFT DATA.
(a) IN GENERAL.—The Commission shall—
(1) establish a process to contact, not less than annually, public and private entities that receive and process complaints from consumers that have a reasonable belief that they are a victim of identity theft; and
(2) obtain accurate data on the incidences and nature of complaints from such entities.
(b) INCLUSION IN DATABASE.—Such information shall be made part of the Commission’s Identity Theft Clearinghouse database.
SEC. 206. CHANGE OF ADDRESS PROTECTIONS.
The Commission shall require appropriate entities to take reasonable steps to verify the accuracy of a consumer’s address, including by confirming a consumer’s change of address by sending a confirmation of such change to the old and the new address of the consumer.
SEC. 207. EFFECTIVE DATE.
This title shall take effect 180 days after the date of enactment of this Act.
TITLE III—INTERNATIONAL PROVISIONS
SEC. 301. STUDY BY COMPTROLLER GENERAL.
The Comptroller General of the United States shall conduct a study and issue a report analyzing the impact on the interstate and foreign commerce of the United States of information privacy laws, regulations, or agreements enacted, promulgated, or adopted by other nations, including regional or international agreements between nations, and whether the enforcement mechanisms or procedures of those laws, regulations, or agreements result in discriminatory treatment of United States entities. The first report under this section shall be issued not later than 120 days after the date of enactment of this Act and subsequent reports shall be issued every 3 years thereafter.
SEC. 302. REMEDIATION OF DISCRIMINATORY IMPACT BY SECRETARY OF COMMERCE.
If the Comptroller General of the United States finds, in the study and report under subsection (a), that such information privacy laws, regulations, or agreements substantially impede interstate and foreign commerce of the United States and that the enforcement mechanisms or procedures of the information privacy laws, regulations, or agreements described in such subsection result in discriminatory treatment of United States entities, the Secretary of Commerce shall, to the extent permitted by law take all steps necessary to mitigate against such discriminatory impact within 180 days after the report making such findings is issued.
SEC. 303. EFFECT OF NONREMEDIATION.
(a) RECOMMENDATIONS.—If by the end of the 180-day period described in section 302, the Secretary of Commerce has not attained complete relief from the discriminatory impact described in such subsection, the Secretary shall report to the Congress and the President recommendations on action to relieve any such remaining discriminatory impact.
(b) FEDERAL AGENCY ACTION AFTER CONSIDERATION BY CONGRESS.—During the period after the Secretary reports recommendations under subsection (b) for mitigation of discriminatory impact and before the Congress acts with respect to such recommendations, no officer or employee of any Federal agency may take or continue any action to enjoin, or impose any penalty on, a United States entity, or a citizen or legal resident of the United States, for the purpose of fulfilling an international obligation of the United States under an international privacy agreement (other than such an obligation under a ratified treaty) that resulted in such discriminatory impact.
SEC. 304. HARMONIZATION OF INTERNATIONAL PRIVACY LAWS, REGULATIONS, AND AGREEMENTS.
Beginning on the date of enactment of this Act, the Secretary of Commerce shall provide notice of the provisions of this Act to other nations, individually, or as members of international organizations or unions that have enacted, promulgated, or adopted information privacy laws, regulations, or agreements, and shall seek recognition of this Act by such nations, organizations, or unions. The Secretary shall seek the harmonization of this Act with such information privacy laws, regulations, or agreements, to the extent such harmonization is necessary for the advancement of transnational commerce, including electronic commerce.
TITLE IV—GENERAL PROVISIONS
SEC. 401. DEFINITIONS.
In this Act:
(1) The term ‘‘Commission’’ means the Federal Trade Commission.
(2) The term ‘‘consumer’’ means an individual acting in the individual’s personal, family, or household capacity.
(3)(A) The term ‘‘data collection organization’’ means an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium), sells, discloses for consideration, or uses personally identifiable information of the consumer.
(B) Such term does not include—
(i) a governmental agency; or
(ii) a not-for-profit entity, to the extent that personally identifiable information is not used for a commercial purpose; or
(iii) an entity that—
(I) has annual gross revenue under $1,000,000 (based on the value of such amount in fiscal year 2000, adjusted for current dollars);
(II) has fewer than 25 employees;
(III) collects or uses personally identifiable information from fewer than 1,000 consumers for a purpose unrelated to a transaction with the consumer;
(IV) does not process personally identifiable information of consumers; and
(V) does not sell or disclose for consideration such information to another person.
(4)(A) The term ‘‘personally identifiable information’’, with respect to a data collection organization means individually identifiable information relating to a living individual who can be identified from that information.
(B) Such term includes—
(i) first and last name, whether given at birth or adoption, assumed, or legally changed;
(ii) home or other physical address including street name and name of a city or town;
(iii) electronic mail address;
(iv) telephone number;
(v) social security number; or
(vi) any other unique identifying information that a data collector and processor collects and combines with any information described in the preceding subparagraphs of this paragraph.
(C) Such term does not include—
(i) anonymous or aggregate data, or any other information that does not identify a unique living individual;
(ii) information about a consumer inferred from data maintained about a consumer; or
(iii) information about a consumer obtained from a public record.
(5) The term ‘‘affiliate’’ means any company that controls, is controlled by, or is under common control with another company.
(6) The term ‘‘information-sharing partner’’ means, with respect to a data collection organization, an entity that is contractually obligated to comply with the practices enumerated under the privacy policy statement of the organization required under section 102.
(7) The term ‘‘process’’, with respect to personally identifiable information, means any value-added activity performed on data by automated means.
(8) The term ‘‘transaction’’ means an interaction between a consumer and a data collection organization resulting in—
(A) any use of information that is necessary to complete the interaction in the course of which information is collected, or to maintain the provisioning of a good or service requested by the consumer, including use—
(i) to approve, guarantee, process, administer, complete, enforce, provide, or market a product, service, account, benefit, transaction, or payment method that is requested or approved by the consumer; or
(ii) to deliver goods, services, funds, or other consideration to, or on behalf of, the consumer;
(B) any disclosure of information that is necessary for the consumer to enforce any right of the consumer;
(C) any disclosure of information that is required by law or by a court order; and
(D) any use of information to evaluate, detect, or reduce the risk of fraud or other criminal activity, or other risk-management activities.
(9) The term ‘‘display’’ means intentionally communicating or otherwise making available (on the Internet or in any other manner) to another person.
(10) The term ‘‘public record’’ means any item, collection, or grouping of information about an individual that is maintained by a Federal, State, or local government entity and that is made available to the public.
(11) The term ‘‘purchase’’ means providing, directly or indirectly, anything of value in exchange for a benefit.
(12) The term ‘‘State’’ includes the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the Virgin Islands, the Freely Associated States, and any other territory or possession of the United States.