S.799 - Commercial Privacy Bill of Rights Act of 2011
A bill to establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.

S 799 IS

112th CONGRESS

1st Session

S. 799

To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.

IN THE SENATE OF THE UNITED STATES

April 12, 2011

Mr. KERRY (for himself and Mr. MCCAIN) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the ‘Commercial Privacy Bill of Rights Act of 2011’.

(b) Table of Contents- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Findings.

Sec. 3. Definitions.

TITLE I--RIGHT TO SECURITY AND ACCOUNTABILITY
Sec. 101. Security.

Sec. 102. Accountability.

Sec. 103. Privacy by design.

TITLE II--RIGHT TO NOTICE AND INDIVIDUAL PARTICIPATION
Sec. 201. Transparent notice of practices and purposes.

Sec. 202. Individual participation.

TITLE III--RIGHTS RELATING TO DATA MINIMIZATION, CONSTRAINTS ON DISTRIBUTION, AND DATA INTEGRITY
Sec. 301. Data minimization.

Sec. 302. Constraints on distribution of information.

Sec. 303. Data integrity.

TITLE IV--ENFORCEMENT
Sec. 401. General application.

Sec. 402. Enforcement by the Federal Trade Commission.

Sec. 403. Enforcement by State attorneys general.

Sec. 404. Civil penalties.

Sec. 405. Effect on other laws.

Sec. 406. No private right of action.

TITLE V--CO-REGULATORY SAFE HARBOR PROGRAMS
Sec. 501. Establishment of safe harbor programs.

Sec. 502. Participation in safe harbor program.

TITLE VI--APPLICATION WITH OTHER FEDERAL LAWS
Sec. 601. Application with other Federal laws.

TITLE VII--DEVELOPMENT OF COMMERCIAL DATA PRIVACY POLICY IN THE DEPARTMENT OF COMMERCE
Sec. 701. Direction to develop commercial data privacy policy.

SEC. 2. FINDINGS.
The Congress finds the following:

(1) Personal privacy is worthy of protection through appropriate legislation.

(2) Trust in the treatment of personally identifiable information collected on and off the Internet is essential for businesses to succeed.

(3) Persons interacting with others engaged in interstate commerce have a significant interest in their personal information, as well as a right to control how that information is collected, used, stored, or transferred.

(4) Persons engaged in interstate commerce and collecting personally identifiable information on individuals have a responsibility to treat that information with respect and in accordance with common standards.

(5) To the extent that States regulate the treatment of personally identifiable information, their efforts to address Internet privacy could lead to a patchwork of inconsistent standards and protections.

(6) On the day before the date of the enactment of this Act, the laws of the Federal Government and State and local governments provided inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.

(7) As of the day before the date of the enactment of this Act, with the exception of Federal Trade Commission enforcement of laws against unfair and deceptive practices, the Federal Government has eschewed general commercial privacy laws in favor of industry self-regulation, which has led to several self-policing schemes, some of which are enforceable, and some of which provide insufficient privacy protection to individuals.

(8) As of the day before the date of the enactment of this Act, many collectors of personally identifiable information have yet to provide baseline fair information practice protections for individuals.

(9) The ease of gathering and compiling personal information on the Internet and off, both overtly and surreptitiously, is becoming increasingly efficient and effortless due to advances in technology which have provided information gatherers the ability to compile seamlessly highly detailed personal histories of individuals.

(10) Personal information requires greater privacy protection than is available on the day before the date of the enactment of this Act. Vast amounts of personal information, including sensitive information, about individuals are collected on and off the Internet, often combined and sold or otherwise transferred to third parties, for purposes unknown to an individual to whom the personally identifiable information pertains.

(11) Toward the close of the 20th Century, as individuals’ personal information was increasingly collected, profiled, and shared for commercial purposes, and as technology advanced to facilitate these practices, Congress enacted numerous statutes to protect privacy.

(12) Those statutes apply to the government, telephones, cable television, e-mail, video tape rentals, and the Internet (but only with respect to children and law enforcement requests).

(13) As in those instances, the Federal Government has a substantial interest in creating a level playing field of protection across all collectors of personally identifiable information, both in the United States and abroad.

(14) The Federal Trade Commission has called private self regulation efforts as of the day before the date of the introduction of this Act inadequate. The Commission has also distinguished publishers’ first-party data collection practices from third-party practices related specifically to behavioral advertising. The Commission has noted that when dealing directly with an Internet website, consumers are likely to understand why they receive a recommendation or advertisement from that entity and may expect it.

(15) Enhancing individual privacy protection in a balanced way that establishes clear, consistent rules, both domestically and internationally, will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad as more and more entities digitize personally identifiable information, whether collected, stored, or used online or offline.

SEC. 3. DEFINITIONS.
In this Act:

(1) COMMISSION- The term ‘Commission’ means the Federal Trade Commission.

(2) COVERED ENTITY- The term ‘covered entity’ means any person to whom this Act applies under section 401.

(3) COVERED INFORMATION-

(A) IN GENERAL- Except as provided in subparagraph (B), the term ‘covered information’ means only the following:

(i) Personally identifiable information.

(ii) Unique identifier information.

(iii) Any information that is collected, used, or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual.

(B) EXCEPTION- The term ‘covered information’ does not include the following:

(i) Personally identifiable information obtained from public records that is not merged with covered information gathered elsewhere.

(ii) Personally identifiable information that is obtained from a forum--

(I) where the individual voluntarily shared the information or authorized the information to be shared; and

(II) that--

(aa) is widely and publicly available; and

(bb) contains no restrictions on who can access and view such information.

(iii) Personally identifiable information reported in public media.

(iv) Personally identifiable information dedicated to contacting an individual at the individual’s place of work.

(4) ESTABLISHED BUSINESS RELATIONSHIP- The term ‘established business relationship’ means, with respect to a covered entity and a person, a relationship formed with or without the exchange of consideration, involving the establishment of an account by the person with the covered entity for the receipt of products or services offered by the covered entity.

(5) PERSONALLY IDENTIFIABLE INFORMATION- The term ‘personally identifiable information’ means only the following:

(A) Any of the following information about an individual:

(i) The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name.

(ii) The postal address of a physical place of residence of such individual.

(iii) An e-mail address.

(iv) A telephone number or mobile device number.

(v) A social security number or other government issued identification number issued to such individual.

(vi) The account number of a credit card issued to such individual.

(vii) Unique identifier information that alone can be used to identify a specific individual.

(viii) Biometric data about such individual, including fingerprints and retina scans.

(B) If used, transferred, or stored in connection with 1 or more of the items of information described in subparagraph (A), any of the following:

(i) A date of birth.

(ii) The number of a certificate of birth or adoption.

(iii) A place of birth.

(iv) Unique identifier information that alone cannot be used to identify a specific individual.

(v) Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address.

(vi) Information about an individual’s quantity, technical configuration, type, destination, location, and amount of uses of voice services, regardless of technology used.

(vii) Any other information concerning an individual that may reasonably be used by the party using, collecting, or storing that information to identify that individual.

(6) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term ‘sensitive personally identifiable information’ means--

(A) personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or

(B) information related to--

(i) a particular medical condition or a health record; or

(ii) the religious affiliation of an individual.

(7) THIRD PARTY- The term ‘third party’ means, with respect to a covered entity, a person that--

(A) is not related to the covered entity by common ownership or corporate control;

(B) is not a service provider used by the covered entity to receive personally identifiable information or sensitive personally identifiable information in performing services or functions on behalf of and under the instruction of the covered entity; and

(C) does not have an established business relationship with the individual and does not identify itself to the individual at the time of collection of covered information in a clear and conspicuous manner that is visible to the individual.

(8) UNAUTHORIZED USE-

(A) IN GENERAL- The term ‘unauthorized use’ means the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates.

(B) EXCEPTIONS- Except as provided in subparagraph (C), the term ‘unauthorized use’ does not include use of covered information relating to an individual by a covered entity or its service provider as follows:

(i) To process and enforce a transaction or deliver a service requested by that individual.

(ii) To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning, and product or service improvement or forecasting.

(iii) To prevent or detect fraud or to provide for a physically or virtually secure environment.

(iv) To investigate a possible crime.

(v) That is required by a provision of law or legal process.

(vi) To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services, or products if the covered information used for such marketing or advertising was--

(I) collected directly by the covered entity; or

(II) shared with the covered entity--

(aa) at the affirmative request of the individual; or

(bb) by an entity with which the individual has an established business relationship.

(vii) Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis, and development.

(viii) Use that is necessary for internal operations, including the following:

(I) Collecting customer satisfaction surveys and conducting customer research to improve customer service information.

(II) Information collected by an Internet website about the visits to such website and the click-through rates at such website--

(aa) to improve website navigation and performance; or

(bb) to understand and improve the interaction of an individual with the advertising of a covered entity.

(ix) Use--

(I) by a covered entity with which an individual has an established business relationship;

(II) which the individual could have reasonably expected, at the time such relationship was established, was related to a service provided pursuant to such relationship; and

(III) which does not constitute a material change in use or practice from what could have reasonably been expected.

(C) SAVINGS- A use of covered information regarding an individual by a covered entity or its service provider may only be excluded under subparagraph (B) from the definition of ‘unauthorized use’ under subparagraph (A) if the use is reasonable and consistent with the practices and purposes described in the notice given the individual in accordance with section 201(a)(1).

(9) UNIQUE IDENTIFIER INFORMATION- The term ‘unique identifier information’ means a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number.

TITLE I--RIGHT TO SECURITY AND ACCOUNTABILITY

SEC. 101. SECURITY.
(a) Rulemaking Required- Not later than 180 days after the date of the enactment of this Act, the Commission shall initiate a rulemaking proceeding to require each covered entity to carry out security measures to protect the covered information it collects and maintains.

(b) Proportion- The requirements prescribed under subsection (a) shall provide for security measures that are proportional to the size, type, and nature of the covered information a covered entity collects.

(c) Consistency- The requirements prescribed under subsection (a) shall be consistent with guidance provided by the Commission and recognized industry practices for safety and security on the day before the date of the enactment of this Act.

(d) Technological Means- In a rule prescribed under subsection (a), the Commission may not require a specific technological means of meeting a requirement.

SEC. 102. ACCOUNTABILITY.
Each covered entity shall, in a manner proportional to the size, type, and nature of the covered information it collects--

(1) have managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with this Act;

(2) have a process to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of covered information relating to such individuals; and

(3) describe the means of compliance of the covered entity with the requirements of this Act upon request from--

(A) the Commission; or

(B) an appropriate safe harbor program established under section 501.

SEC. 103. PRIVACY BY DESIGN.
Each covered entity shall, in a manner proportional to the size, type, and nature of the covered information that it collects, implement a comprehensive information privacy program by--

(1) incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered information of individuals based on--

(A) the reasonable expectations of such individuals regarding privacy; and

(B) the relevant threats that need to be guarded against in meeting those expectations; and

(2) maintaining appropriate management processes and practices throughout the data life cycle that are designed to ensure that information systems comply with--

(A) the provisions of this Act;

(B) the privacy policies of a covered entity; and

(C) the privacy preferences of individuals that are consistent with the consent choices and related mechanisms of individual participation as described in section 202.

TITLE II--RIGHT TO NOTICE AND INDIVIDUAL PARTICIPATION

SEC. 201. TRANSPARENT NOTICE OF PRACTICES AND PURPOSES.
(a) In General- Not later than 60 days after the date of the enactment of this Act, the Commission shall initiate a rulemaking proceeding to require each covered entity--

(1) to provide clear, concise, and timely notice to individuals of--

(A) the practices of the covered entity regarding the collection, use, transfer, and storage of covered information; and

(B) the specific purposes of those practices;

(2) to provide clear, concise, and timely notice to individuals before implementing a material change in such practices; and

(3) to maintain the notice required by paragraph (1) in a form that individuals can readily access.

(b) Compliance and Other Considerations- In the rulemaking required by subsection (a), the Commission--

(1) shall consider the types of devices and methods individuals will use to access the required notice;

(2) may provide that a covered entity unable to provide the required notice when information is collected may comply with the requirement of subsection (a)(1) by providing an alternative time and means for an individual to receive the required notice promptly;

(3) may draft guidance for covered entities to use in designing their own notice and may include a draft model template for covered entities to use in designing their own notice; and

(4) may provide guidance on how to construct computer-readable notices or how to use other technology to deliver the required notice.

SEC. 202. INDIVIDUAL PARTICIPATION.
(a) In General- Not later than 180 days after the date of the enactment of this Act, the Commission shall initiate a rulemaking proceeding to require each covered entity--

(1) to offer individuals a clear and conspicuous mechanism for opt-out consent for any use of their covered information that would otherwise be unauthorized use, except with respect to any use requiring opt-in consent under paragraph (3);

(2) to offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals’ covered information for behavioral advertising or marketing;

(3) to offer individuals a clear and conspicuous mechanism for opt-in consent for--

(A) the collection, use, or transfer of sensitive personally identifiable information other than--

(i) to process or enforce a transaction or deliver a service requested by that individual;

(ii) for fraud prevention and detection; or

(iii) to provide for a secure physical or virtual environment; and

(B) the use of previously collected covered information or transfer to a third party for an unauthorized use of previously collected covered information, if--

(i) there is a material change in the covered entity’s stated practices that requires notice under section 201(a)(2); and

(ii) such use or transfer creates a risk of economic or physical harm to an individual;

(4) to provide any individual to whom the personally identifiable information that is covered information pertains, and which the covered entity or its service provider stores, appropriate and reasonable--

(A) access to such information; and

(B) mechanisms to correct such information to improve the accuracy of such information; and

(5) in the case that a covered entity enters bankruptcy or an individual requests the termination of a service provided by the covered entity to the individual or termination of some other relationship with the covered entity, to permit the individual to easily request that--

(A) all of the personally identifiable information that is covered information that the covered entity maintains relating to the individual, except for information the individual authorized the sharing of or which the individual shared with the covered entity in a forum that is widely and publicly available, be rendered not personally identifiable; or

(B) if rendering such information not personally identifiable is not possible, to cease the unauthorized use or transfer to a third party for an unauthorized use of such information or to cease use of such information for marketing, unless such unauthorized use or transfer is otherwise required by a provision of law.

(b) Unauthorized Use Transfers- In the rulemaking required by subsection (a), the Commission shall provide that with respect to transfers of covered information to a third party for which an individual provides opt-in consent, the third party to which the information is transferred may not use such information for any unauthorized use other than a use--

(1) specified pursuant to the purposes stated in the required notice under section 201(a); and

(2) authorized by the individual when the individual granted consent for the transfer of the information to the third party.

(c) Alternative Means To Terminate Use of Covered Information- In the rulemaking required by subsection (a), the Commission shall allow a covered entity to provide individuals an alternative means, in lieu of the access, consent, and correction requirements, of prohibiting a covered entity from use or transfer of that individual’s covered information.

(d) Service Providers-

(1) IN GENERAL- The use of a service provider by a covered entity to receive covered information in performing services or functions on behalf of and under the instruction of the covered entity does not constitute an unauthorized use of such information by the covered entity if the covered entity and the service provider execute a contract that requires the service provider to collect, use, and store the information on behalf of the covered entity in a manner consistent with--

(A) the requirements of this Act; and

(B) the policies and practices related to such information of the covered entity.

(2) TRANSFERS BETWEEN SERVICE PROVIDERS FOR A COVERED ENTITY- The disclosure by a service provider of covered information pursuant to a contract with a covered entity to another service provider in order to perform the same service or functions for that covered entity does not constitute an unauthorized use.

(3) LIABILITY REMAINS WITH COVERED ENTITY- A covered entity remains responsible and liable for the protection of covered information that has been transferred to a service provider for processing, notwithstanding any agreement to the contrary between a covered entity and the service provider.

TITLE III--RIGHTS RELATING TO DATA MINIMIZATION, CONSTRAINTS ON DISTRIBUTION, AND DATA INTEGRITYCommentsClose CommentsPermalink

TITLE III--RIGHTS RELATING TO DATA MINIMIZATION, CONSTRAINTS ON DISTRIBUTION, AND DATA INTEGRITYCommentsClose CommentsPermalink

SEC. 301. DATA MINIMIZATION.
Each covered entity shall--CommentsClose CommentsPermalink

(1) collect only as much covered information relating to an individual as is reasonably necessary--CommentsClose CommentsPermalink

(A) to process or enforce a transaction or deliver a service requested by such individual;CommentsClose CommentsPermalink

(B) for the covered entity to provide a transaction or delivering a service requested by such individual, such as inventory management, financial reporting and accounting, planning, product or service improvement or forecasting, and customer support and service;CommentsClose CommentsPermalink

(C) to prevent or detect fraud or to provide for a secure environment;CommentsClose CommentsPermalink

(D) to investigate a possible crime;CommentsClose CommentsPermalink

(E) to comply with a provision of law;CommentsClose CommentsPermalink

(F) for the covered entity to market or advertise to such individual if the covered information used for such marketing or advertising was collected directly by the covered entity;CommentsClose CommentsPermalink

(G) for research and development conducted for the improvement of carrying out a transaction or delivering a service; orCommentsClose CommentsPermalink

(H) for internal operations, including--CommentsClose CommentsPermalink

(i) collecting customer satisfaction surveys and conducting customer research to improve customer service; andCommentsClose CommentsPermalink

(ii) collection from an Internet website of information about visits and click-through rates relating to such website to improve--CommentsClose CommentsPermalink

(I) website navigation and performance; andCommentsClose CommentsPermalink

(II) the customer’s experience; andCommentsClose CommentsPermalink

(2) retain covered information for only such duration as--CommentsClose CommentsPermalink

(A) with respect to the provision of a transaction or delivery of a service to an individual--CommentsClose CommentsPermalink

(i) is necessary to provide such transaction or deliver such service to such individual; orCommentsClose CommentsPermalink

(ii) if such service is ongoing, is reasonable for the ongoing nature of the service;CommentsClose CommentsPermalink

(B) with respect to research and development described in paragraph (1)(G), is necessary for such research and development; orCommentsClose CommentsPermalink

(C) is required by a provision of law.CommentsClose CommentsPermalink

SEC. 302. CONSTRAINTS ON DISTRIBUTION OF INFORMATION.
(a) In General- Each covered entity shall--

(1) require by contract that any third party to which it transfers covered information use the information only for purposes that are consistent with--

(A) the provisions of this Act; and

(B) as specified in the contract;

(2) require by contract that such third party may not combine information that the covered entity has transferred to it, that relates to an individual, and that is not personally identifiable information with other information in order to identify such individual, unless the covered entity has obtained the opt-in consent of such individual for such combination and identification; and

(3) before executing a contract with a third party--

(A) assure through due diligence that the third party is a legitimate organization; and

(B) in the case of a material violation of the contract, at a minimum notify the Commission of such violation.

(b) Transfers to Unreliable Third Parties Prohibited- A covered entity may not transfer covered information to a third party that the covered entity knows--

(1) has intentionally or willfully violated a contract required by subsection (a); and

(2) is reasonably likely to violate such contract.

(c) Application of Rules to Third Parties-

(1) IN GENERAL- Except as provided in paragraph (2), a third party that receives covered information from a covered entity shall be subject to the provisions of this Act as if it were a covered entity.

(2) EXEMPTION- The Commission may, as it determines appropriate, exempt classes of third parties from liability under any provision of title II if the Commission finds that--

(A) such class of third parties cannot reasonably comply with such provision; or

(B) with respect to covered information relating to individuals that is transferred to such class, compliance by such class with such provision would not sufficiently benefit such individuals.

SEC. 303. DATA INTEGRITY.
(a) In General- Each covered entity shall attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.

(b) Exception- Subsection (a) shall not apply to covered information of an individual maintained by a covered entity that is provided--

(1) directly to the covered entity by the individual; or

(2) to the covered entity by another entity at the request of the individual.

TITLE IV--ENFORCEMENT

SEC. 401. GENERAL APPLICATION.
The requirements of this Act shall apply to any person who--

(1) collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period; and

(2) is--

(A) a person over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (

(B) a common carrier subject to the Communications Act of 1934 (

(C) a non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code, notwithstanding the definition of the term ‘Acts to regulate commerce’ in section 4 of the Federal Trade Commission Act (

SEC. 402. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices- A knowing or repetitive violation of a provision of this Act or a regulation promulgated under this Act shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (

(b) Powers of Commission-

(1) IN GENERAL- The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (

(2) SPECIAL RULE- The Commission shall enforce this Act under paragraph (1) of this subsection with respect to common carriers and non-profit organizations described in section 401 to the extent necessary to effectuate the purposes of this Act as if such carriers and non-profit organizations were persons over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (

(c) Rulemaking Authority-

(1) LIMITATION- In promulgating rules under this Act, the Commission may not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

(2) ADMINISTRATIVE PROCEDURE- The Commission shall promulgate regulations under this Act in accordance with

SEC. 403. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) Civil Action- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is adversely affected by a covered entity who violates any part of this Act in a manner that results in economic or physical harm to an individual or engages in a pattern or practice that violates any part of this Act other than title III, the attorney general may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States--

(1) to enjoin further violation of this Act or a regulation promulgated under this Act by the defendant;

(2) to compel compliance with this Act or a regulation promulgated under this Act; or

(3) for violations of this Act or a regulation promulgated under this Act to obtain civil penalties in the amount determined under section 404.

(b) Rights of Federal Trade Commission-

(1) NOTICE TO FEDERAL TRADE COMMISSION-

(A) IN GENERAL- Except as provided in subparagraph (C), the attorney general of a State shall notify the Federal Trade Commission in writing of any civil action under subsection (b), prior to initiating such civil action.

(B) CONTENTS- The notice required by subparagraph (A) shall include a copy of the complaint to be filed to initiate such civil action.

(C) EXCEPTION- If it is not feasible for the attorney general of a State to provide the notice required by subparagraph (A), the State shall provide notice immediately upon instituting a civil action under subsection (b).

(2) INTERVENTION BY FEDERAL TRADE COMMISSION- Upon receiving notice required by paragraph (1) with respect to a civil action, the Federal Trade Commission may--

(A) intervene in such action; and

(B) upon intervening--

(i) be heard on all matters arising in such civil action; and

(ii) file petitions for appeal of a decision in such action.

(c) Preemptive Action by Federal Trade Commission- If the Federal Trade Commission institutes a civil action for violation of this Act or a regulation promulgated under this Act, no attorney general of a State may bring a civil action under subsection (a) against any defendant named in the complaint of the Commission for violation of this Act or a regulation promulgated under this Act that is alleged in such complaint.

(d) Investigatory Powers- Nothing in this section may be construed to prevent the attorney general of a State from exercising the powers conferred on such attorney general by the laws of such State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.

SEC. 404. CIVIL PENALTIES.
(a) In General- In an action brought under section 403, in addition to any other penalty otherwise applicable to a violation of this Act or any regulation promulgated under this Act, the following civil penalties shall apply:

(1) TITLE I VIOLATIONS- A covered entity that knowingly or repeatedly violates title I is liable for a civil penalty equal to the amount calculated by multiplying the number of days that the entity is not in compliance with such title by an amount not to exceed $16,500.

(2) TITLE II VIOLATIONS- A covered entity that knowingly or repeatedly violates title II is liable for a civil penalty equal to the amount calculated by multiplying the number of days that such an entity is not in compliance with such title, or the number of individuals for whom the entity failed to obtain consent as required by such title, whichever is greater, by an amount not to exceed $16,500.

(b) Adjustment for Inflation- Beginning on the date that the Consumer Price Index for All Urban Consumers is first published by the Bureau of Labor Statistics that is after 1 year after the date of the enactment of this Act, and each year thereafter, each of the amounts specified in subsection (a) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.

(c) Maximum Total Liability- Notwithstanding the number of actions which may be brought against a covered entity under section 403, the maximum civil penalty for which any covered entity may be liable under this section in such actions shall not exceed--

(1) $3,000,000 for any related series of violations of any rule promulgated under title I; and

(2) $3,000,000 for any related series of violations of title II.

SEC. 405. EFFECT ON OTHER LAWS.
(a) Preemption of State Laws- The provisions of this Act shall supersede any provisions of the law of any State relating to those entities covered by the regulations issued pursuant to this Act, to the extent that such provisions relate to the collection, use, or disclosure of--

(1) covered information addressed in this Act; or

(2) personally identifiable information or personal identification information addressed in provisions of the law of a State.

(b) Unauthorized Civil Actions; Certain State Laws-

(1) UNAUTHORIZED ACTIONS- No person other than a person specified in section 403 may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating this Act or a regulation promulgated under this Act.

(2) PROTECTION OF CERTAIN STATE LAWS- This Act shall not be construed to preempt the applicability of--

(A) State laws that address the collection, use, or disclosure of health information or financial information;

(B) State laws that address notification requirements in the event of a data breach; or

(C) other State laws to the extent that those laws relate to acts of fraud.

(c) Rule of Construction Relating to Required Disclosures to Government Entities- This Act shall not be construed to expand or limit the duty or authority of a covered entity or third party to disclose personally identifiable information to a government entity under any provision of law.

SEC. 406. NO PRIVATE RIGHT OF ACTION.
This Act may not be construed to provide any private right of action.

TITLE V--CO-REGULATORY SAFE HARBOR PROGRAMS

SEC. 501. ESTABLISHMENT OF SAFE HARBOR PROGRAMS.
(a) In General- Not later than 365 days after the date of the enactment of this Act, the Commission shall initiate a rulemaking proceeding to establish requirements for the establishment and administration of safe harbor programs under which a nongovernmental organization will administer a program that--

(1) establishes a mechanism for participants to implement the requirements of this Act with regards to--

(A) certain types of unauthorized uses of covered information as described in paragraph (2); or

(B) any unauthorized use of covered information; and

(2) offers consumers a clear, conspicuous, persistent, and effective means of opting out of the transfer of covered information by a covered entity participating in the safe harbor program to a third party for--

(A) behavioral advertising purposes;

(B) location-based advertising purposes;

(C) other specific types of unauthorized use; or

(D) any unauthorized use.

(b) Selection of Nongovernmental Organizations To Administer Program-

(1) SUBMITTAL OF APPLICATIONS- An applicant seeking to administer a program under the requirements established pursuant to subsection (a) shall submit to the Commission an application therefor at such time, in such manner, and containing such information as the Commission may require.

(2) NOTICE AND RECEIPT OF APPLICATIONS- Upon completion of the rulemaking proceedings required by subsection (a), the Commission shall--

(A) publish a notice in the Federal Register that it will receive applications for approval of safe harbor programs under this title; and

(B) begin receiving applications under paragraph (1).

(3) SELECTION- Not later than 270 days after the date on which the Commission receives a completed application under this subsection, the Commission shall grant or deny the application on the basis of the Commission’s evaluation of the applicant’s capacity to provide protection of individuals’ covered information with regard to specific types of unauthorized uses of covered information as described in subsection (a)(2) that is substantially equivalent to or superior to the protection otherwise provided under this Act.

(4) WRITTEN FINDINGS- Any decision reached by the Commission under this subsection shall be accompanied by written findings setting forth the basis for and reasons supporting such decision.

(c) Scope of Safe Harbor Protection- The scope of protection offered by safe harbor programs approved by the Commission that establish mechanisms for participants to implement the requirements of the Act only for certain uses of covered information as described in subsection (a)(2) shall be limited to participating entities’ use of those particular types of covered information.

(d) Supervision by Federal Trade Commission-

(1) IN GENERAL- The Commission shall exercise oversight and supervisory authority of a safe harbor program approved under this section through--

(A) ongoing review of the practices of the nongovernmental organization administering the program;

(B) the imposition of civil penalties on the nongovernmental organization if it is not compliant with the requirements established under subsection (a); and

(C) withdrawal of authorization to administer the safe harbor program under this title.

(2) ANNUAL REPORTS BY NONGOVERNMENTAL ORGANIZATIONS- Each year, each nongovernmental organization administering a safe harbor program under this section shall submit to the Commission a report on its activities under this title during the preceding year.

SEC. 502. PARTICIPATION IN SAFE HARBOR PROGRAM.
(a) Exemption- Any covered entity that participates in, and demonstrates compliance with, a safe harbor program administered under section 501 shall be exempt from any provision of title II or title III if the Commission finds that the requirements of the safe harbor program are substantially the same as or more protective of privacy of individuals than the requirements of the provision from which the exemption is granted.

(b) Limitation- Nothing in this title shall be construed to exempt any covered entity participating in a safe harbor program from compliance with any other requirement of the regulations promulgated under this Act for which the safe harbor does not provide an exception.

TITLE VI--APPLICATION WITH OTHER FEDERAL LAWS

SEC. 601. APPLICATION WITH OTHER FEDERAL LAWS.
(a) Qualified Exemption for Persons Subject to Other Federal Privacy Laws- If a person is subject to a provision of this Act and a provision of a Federal privacy law described in subsection (d), such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy law applies to such person.

(b) Protection of Other Federal Privacy Laws- Nothing in this Act may be construed to modify, limit, or supersede the operation of the Federal privacy laws described in subsection (d) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.

(c) Communications Infrastructure and Privacy- If a person is subject to a provision of section 222 or 631 of the Communications Act of 1934 (

(d) Other Federal Privacy Laws Described- The Federal privacy laws described in this subsection are as follows:

(1)

(2) The Right to Financial Privacy Act of 1978 (

(3) The Fair Credit Reporting Act (

(4) The Fair Debt Collection Practices Act (

(5) The Children’s Online Privacy Protection Act of 1998 (

(6) Title V of the Gramm-Leach-Bliley Act of 1999 (

(7) Chapters 119, 123, and 206 of title 18, United States Code.

(8)

(9) Section 444 of the General Education Provisions Act (

(10) Section 445 of the General Education Provisions Act (

(11) The Privacy Protection Act of 1980 (

(12) The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (

(13) The Communications Assistance for Law Enforcement Act (

(14) Section 227 of the Communications Act of 1934 (

TITLE VII--DEVELOPMENT OF COMMERCIAL DATA PRIVACY POLICY IN THE DEPARTMENT OF COMMERCE

SEC. 701. DIRECTION TO DEVELOP COMMERCIAL DATA PRIVACY POLICY.
The Secretary of Commerce shall contribute to the development of commercial data privacy policy by--

(1) convening private sector stakeholders, including members of industry, civil society groups, and academia, in open forums, to develop codes of conduct in support of applications for safe harbor programs under title V;

(2) expanding interoperability between the United States commercial data privacy framework and other national and regional privacy frameworks;

(3) conducting research related to improving privacy protection under this Act; and

(4) conducting research related to improving data sharing practices, including the use of anonymised data, and growing the information economy.

U.S. Congress - Text of S.799 as Introduced in Senate Commercial Privacy Bill of Rights Act of 2011