H.R.1528 - Consumer Privacy Protection Act of 2011
To protect and enhance consumer privacy, and for other purposes.
SECTION 1. SHORT TITLE.
SEC. 3. DEFINITIONS.
(4) COVERED ENTITY- (A) The term ‘covered entity’ means an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium), sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period, and includes a non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code, notwithstanding the definition of the term ‘Acts to regulate commerce’ in section 4 of the Federal Trade Commission Act (
(ii) a provider of professional services, or any affiliate thereof, to the extent that such provider is obligated by rules of professional ethics, or by applicable law or regulation, not to voluntarily disclose confidential client information without the consent of the client; or
(C) has no right to use the covered entity’s personally identifiable information other than for performing data processing outsourcing services for the covered entity or as required by contract or law.
(8) PERSONALLY IDENTIFIABLE INFORMATION- (A) The term ‘personally identifiable information’, with respect to a covered entity means individually identifiable information relating to a living individual who can be identified from that information, and includes:
(11) PUBLIC RECORD- The term ‘public record’ means any item, collection, or grouping of information about an individual that is maintained by a Federal, State, or local government entity and that is made available to the public.
(13) STATE- The term ‘State’ includes the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the Virgin Islands, the Freely Associated States, and any other territory or possession of the United States.
(A) any use of information that is necessary to complete the interaction in the course of which information is collected, or to maintain the provisioning of a good or service requested by the consumer, including use--
(i) to approve, guarantee, process, administer, complete, enforce, provide, or market a product, service, account, benefit, transaction, or payment method that is requested or approved by the consumer;
(D) any use of information to verify personally identifiable information by the consumer, evaluate, detect, or reduce the risk of fraud or other criminal activity, or other risk-management activities; and
(E) the collection or use of personally identifiable information for the marketing or advertising of a covered entity’s products or services to its own customers or potential customers.
SEC. 4. PRIVACY NOTICES TO CONSUMERS.
(1) The covered entity shall provide the notice before any personally identifiable information that is collected from a consumer is used by the covered entity for a purpose unrelated to a transaction.
(b) Form and Contents of Notice- A notice required under subsection (a) shall be provided in a clear and conspicuous manner, be prominently displayed or explicitly stated to the consumer, and contain the following information:
(1) A statement that the personally identifiable information collected by the covered entity may be used or disclosed for purposes or transactions unrelated to that for which it was collected, as described in the covered entity’s privacy statement.
(2) The statement must be available to all consumers of the covered entity (regardless of the means by which a consumer conducts a transaction with the covered entity)--
(B) at the time the covered entity first collects personally identifiable information about the consumer that may be used for a purpose unrelated to a transaction with the consumer and subsequently.
(E) The extent to which the information is subject to sale or disclosure for consideration to a covered entity that is not an information-sharing affiliate of the covered entity providing the statement, including--
(F) Whether the information security practices of the covered entity meet the security requirements of section 8 in order to prevent unauthorized disclosure or release of personally identifiable information.
SEC. 6. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF INFORMATION.
(1) REQUIREMENT- A covered entity shall provide to the consumer, without charge, the opportunity to preclude any sale or disclosure for consideration of the consumer’s personally identifiable information, provided in a particular data collection, that may be used for a purpose other than a transaction with the consumer, to any covered entity that is not an information-sharing affiliate of the covered entity providing such opportunity.
(2) DURATION- A preclusion on sale or disclosure for consideration of information established by a consumer under this subsection shall remain in effect for 5 years or until the consumer indicates otherwise, whichever occurs sooner. A covered entity may not seek reconsideration of a consumer’s preclusion of such sale or disclosure until at least 1 year after such preclusion has been imposed by the consumer.
(b) Permission for Sale or Disclosure- A covered entity may provide the consumer an opportunity to permit the sale or disclosure described in subsection (a)(1) in exchange for a benefit to the consumer.
(c) Accessibility- The opportunity to preclude (or if offered, to permit) the sale or disclosure for consideration of information under this section must be both easy to access and use, and the notice of the opportunity to preclude must be clear and conspicuous.
SEC. 7. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.
If a covered entity provides to a consumer the opportunity to limit other practices of the covered entity with respect to a particular collection or use of personally identifiable information regarding the consumer, other than that required by section 6--
SEC. 8. INFORMATION SECURITY OBLIGATIONS.
(a) Implementation- A covered entity shall prepare, revise as necessary, and implement an information security policy that is applicable to the information security practices and treatment of personally identifiable information maintained by the covered entity, that is designed to prevent the unauthorized disclosure or release of such information.
(b) Management Approval- An information security policy created pursuant to paragraph (1) shall be considered and approved by the senior management officials of the covered entity.
SEC. 9. SELF-REGULATORY PROGRAMS.
(B) is subject to enforcement under a self-regulatory program’s guidelines, procedures, requirements, and restrictions (including a remedial process under subsection (c)(7)).
(2) EFFECT OF WILLFUL NONCOMPLIANCE- A covered entity that participates in a self-regulatory program under this section shall not be liable for a civil penalty arising out of a violation of any provision of sections 4 through 8 unless such violation results from willful noncompliance with the guidelines, procedures, requirements, or restrictions of the program.
(1) APPROVAL- The Commission shall, within 90 days after submission of an application for approval of a self-regulatory program under this section (or of a material change in a program previously approved by the Commission), approve such program (or change) if the Commission finds that the program (or change) complies with the requirements of subsection (c).
(4) REVOCATION OF APPROVAL- The Commission may, after notice and opportunity for a hearing, revoke approval granted under paragraph (1), if the Commission finds that a self-regulatory program fails to meet the requirements of subsection (c).
(5) JUDICIAL REVIEW- Any order by the Commission denying approval of a self-regulatory program shall be subject to judicial review, as provided in
(1) Guidelines and procedures requiring a program participant to provide substantially equivalent or greater protections for consumers and their personally identifiable information as are provided under sections 4 through 8.
(5) With respect to any nonvoluntary suspension or termination of participation in the program because of the participant’s failure to comply with the program, procedures or requirements to provide for the following:
(A) Publication of notice and the reasons for any such suspension or termination, except that no personally identifiable information related to such suspension or termination may be published.
(6) Requirements and restrictions that assure independence with respect to program eligibility, compliance, and dispute resolution mechanisms and decisions from improper interference by management or ownership of the self-regulatory program participant.
(7) A process for a noncompliant participant to take timely remedial action in order to come back into compliance with the program before suspension or termination of participation in the program.
(1) SELF-REGULATORY DISPUTE PROCESS- If a consumer has a dispute with a participant in a self-regulatory program under this section or under section 5 of the Federal Trade Commission Act (
(2) RESOLUTION BY COMMISSION- A consumer may submit to the Commission for resolution a dispute with a participant in a self-regulatory program under this section, if the following requirements are met:
(C) Notice of the facts of the dispute is submitted to the Commission not later than 30 days after the date on which the consumer is notified of the resolution through the participant’s dispute resolution process.
(3) LIMITATION- Nothing in this Act shall prevent the Commission from investigating compliance with this Act by a participant in a self-regulatory covered entity based upon a complaint from an individual or covered entity other than a consumer with a dispute with such participant, or on its own initiative, except that prior to instituting any such investigation the Commission shall afford the self-regulatory covered entity a reasonable opportunity to invoke its own remedial procedures and assure compliance by the participant.
(e) Nonrelease of Certain Information- The Commission may not compel a participant in a self-regulatory program approved under subsection (b) (or an administrator of such a program) to provide proprietary information or personally identifiable information of consumers to the Commission unless the Commission provides assurances that such information will not be released to the public.
(f) Misrepresentation of Self-Regulatory Program Participation- It is unlawful for a covered entity to misrepresent that it is a participant in a self-regulatory program (including through any mechanism provided under subsection (c)(4)) when such covered entity is not, in fact, such a participant.
(g) Exempted Entity Participation- An entity that is not a covered entity and that voluntarily participates in a self-regulatory program under this section shall enjoy the rights and benefits provided under this section in any action or investigation under section 5 of the Federal Trade Commission Act (
SEC. 10. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice- A violation of any provision of this Act by a covered entity is an unfair or deceptive act or practice unlawful under section 5(a)(1) of the Federal Trade Commission Act (
(b) Guidelines and Opinions- In order to assist in compliance with this Act, the Federal Trade Commission may promulgate regulations and interpretive rules under section 18 of the Federal Trade Commission Act (
SEC. 11. NO PRIVATE RIGHT OF ACTION.
This Act may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).
SEC. 12. EFFECT ON OTHER LAWS.
(a) Qualified Exemption for Compliance With Other Federal Privacy Laws- To the extent that personally identifiable information protected under this Act is also protected under a provision of Federal privacy law described in subsection (c), a covered entity that complies with the relevant provision of such other Federal privacy law shall be deemed to have complied with the corresponding provision of this Act.
(b) Protection of Other Federal Privacy Laws- Nothing in this Act may be construed to modify, limit, supersede, or interfere with the operation of the Federal privacy laws described in subsection (c) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.
(17) The Health Insurance Portability and Accountability Act of 1996 (
(d) Preemption of State Privacy Laws- This Act preempts any statutory law, common law, rule, or regulation of a State, or a political subdivision of a State, to the extent such law, rule, or regulation relates to or affects the collection, use, sale, disclosure, retention, or dissemination of personally identifiable information in commerce. No State, or political subdivision of a State, may take any action to enforce this Act.