HR 4678, the Consumer Privacy Protection Act of 2002.
Sponsor: Rep. Cliff Stearns (R-FL).
Date Introduced: May 8, 2002.

Editor's Notes:
  • The office of Rep. Stearns kindly provided Tech Law Journal with a PDF copy of this bill.
  • TLJ converted the PDF version into HTML.
  • Several features were eliminated during the conversion, including double spacing, line numbering and pagination.
  • TLJ added hyperlinks.


107TH CONGRESS
2D SESSION H. R. _____

To protect and enhance consumer privacy, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

Mr. STEARNS (for himself, Mr. BOUCHER, Mr. TAUZIN, Mr. TOWNS, Mr. BASS, Mr. BILIRAKIS, Mrs. BONO, Mr. DEAL of Georgia, Ms. ESHOO, Mr. GILLMOR, Mr. GORDON, Mr. GREENWOOD, Mr. KINGSTON, Mr. MORAN of Virginia, Mr. SAWYER, Mr. TERRY, Mr. UPTON, Mr. WALDEN, Mr. WELDON of Florida, and Mr. WELLER) introduced the following bill; which was referred to the Committee on _______

A BILL

To protect and enhance consumer privacy, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Consumer Privacy Protection Act of 2002”.

SEC. 2. TABLE OF CONTENTS.

The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.

TITLE I—PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE

Sec. 101. Privacy notices to consumers.
Sec. 102. Privacy policy statements.
Sec. 103. Consumer opportunity to limit sale or disclosure of information.
Sec. 104. Consumer opportunity to limit other information practices.
Sec. 105. Information security obligations.
Sec. 106. Self-regulatory programs.
Sec. 107. Enforcement.
Sec. 108. No private right of action.
Sec. 109. Effect on other laws.
Sec. 110. Effective date.

TITLE II—IDENTITY THEFT PREVENTION AND REMEDIES

Sec. 201. Facilitating electronic identity theft affidavits.
Sec. 202. Promoting use of common identity theft affidavit.
Sec. 203. Timely resolution of identity theft disputes.
Sec. 204. Improvements to consumer clearinghouse.
Sec. 205. Improved identity theft data.
Sec. 206. Change of address protections.
Sec. 207. Effective date.

TITLE III—INTERNATIONAL PROVISIONS

Sec. 301. Study by Comptroller General.
Sec. 302. Remediation of discriminatory impact by Secretary of Commerce.
Sec. 303. Effect of nonremediation.
Sec. 304. Harmonization of international privacy laws, regulations, and agreements.

TITLE IV—GENERAL PROVISIONS

Sec. 401. Definitions.

TITLE I—PROTECTION OF INDIVIDUAL PRIVACY IN INTERSTATE COMMERCE

SEC. 101. PRIVACY NOTICES TO CONSUMERS.

(a) NOTICE REQUIRED.—A data collection organization shall provide to a consumer a notice containing the information required under subsection (b) as follows:

(b) FORM AND CONTENTS OF NOTICE.—A notice required under subsection (a) shall be provided in a clear and concise manner, be prominently displayed or explicitly stated to the consumer, and contain the following information:

SEC. 102. PRIVACY POLICY STATEMENTS.

(a) PRIVACY POLICY.—A data collection organization shall establish a privacy policy with respect to the collection, sale, disclosure for consideration, or use of the personally identifiable information of consumers, the principal elements of which shall be embodied in a privacy policy statement (or statements) that meets the requirements of subsection (b).

(b) STATEMENT.—The statement (or statements) required under subsection (a) shall meet the following requirements:

(c) COMMISSION FACILITATION.—The Commission shall take actions (including conducting industry-wide workshops) to facilitate the development of harmonized, universal wording or logo-based graphics in order to convey the contents of privacy policy statements required under this section.

SEC. 103. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF INFORMATION.

(a) PRECLUSION OF SALE OR DISCLOSURE.—

(b) PERMISSION FOR SALE OR DISCLOSURE.—A data collection organization may provide the consumer an opportunity to permit the sale or disclosure described in subsection (a)(1) in exchange for a benefit to the consumer.

(c) ACCESSIBILITY.—The opportunity to preclude (or if offered, to permit) the sale or disclosure for consideration of information under this section must be both easy to access and use.

SEC. 104. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.

If a data collection organization provides to a consumer the opportunity to limit other practices of the data collection organization with respect to collection or use of personally identifiable information regarding the consumer, other than that required by section 103—

SEC. 105. INFORMATION SECURITY OBLIGATIONS.

(a) INFORMATION SECURITY POLICY.—

(b) CORRECTIVE ACTIONS.—

(c) EFFECT OF RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.—If the security of a data collection organization has been compromised, resulting in the unauthorized release of a consumer’s personally identifiable information, the Commission shall treat the failure of the data collection organization to comply with its own security policy or respond to a Federal agency information security notification in accordance with subsection (b)(1) as one factor in determining whether that data collection organization has violated this section.

SEC. 106. SELF-REGULATORY PROGRAMS.

(a) SELF-REGULATORY PROGRAM.—

(b) APPROVAL BY COMMISSION.—

(c) REQUIREMENTS OF SELF-REGULATORY PROGRAM.—A self-regulatory program complies with the requirements of this subsection if the program provides each of the following:

(d) CONSUMER DISPUTE RESOLUTION.—

(e) NONRELEASE OF CERTAIN INFORMATION.—The Commission may not compel a participant in a self-regulatory program approved under subsection (b) (or an administrator of such a program) to provide proprietary information or personally identifiable information of consumers to the Commission unless the Commission provides assurances that such information will not be released to the public.

(f) MISREPRESENTATION OF SELF-REGULATORY PROGRAM PARTICIPATION.—It is unlawful for a data collection organization to misrepresent that it is a participant in a self-regulatory program (including through any mechanism provided under subsection (c)(4)) when such organization is not, in fact, such a participant.

(g) EXEMPTED ENTITY PARTICIPATION.—An entity that is not a data collection organization and that voluntarily participates in a self-regulatory program under this section shall enjoy the rights and benefits provided under this section.

SEC. 107. ENFORCEMENT.

(a) UNFAIR OR DECEPTIVE ACT OR PRACTICE.—A violation of any provision of this title is an unfair or deceptive act or practice unlawful under section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any civil penalty under such Act shall be doubled for a violation of this title, but may not exceed $500,000 for all related violations by a single violator (without respect to the number of consumers affected or the duration of the related violations).

(b) GUIDELINES AND OPINIONS.—In order to assist in compliance with this title, the Federal Trade Commission may issue generally applicable guidelines and, upon request, advisory opinions with respect specific types of acts or practices that would, or would not, comply with this title, but may not prescribe regulations to carry out this title.

SEC. 108. NO PRIVATE RIGHT OF ACTION.

This title may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this title may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).

SEC. 109. EFFECT ON OTHER LAWS.

(a) QUALIFIED EXEMPTION FOR COMPLIANCE WITH OTHER FEDERAL PRIVACY LAWS.—To the extent that personally identifiable information protected under this title is also protected under a provision of Federal privacy law described in subsection (c), a data collection organization that complies with the relevant provision of such other Federal privacy law shall be deemed to have complied with the corresponding provision of this title.

(b) PROTECTION OF OTHER FEDERAL PRIVACY LAWS.—Nothing in this title may be construed to modify, limit, or supersede the operation of the Federal privacy laws described in subsection (c) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.

(c) OTHER FEDERAL PRIVACY LAWS DESCRIBED.—The provisions of law to which subsections (a) and (b) apply are the following:

(d) PREEMPTION OF STATE PRIVACY LAWS.—This title preempts any statutory law, common law, rule, or regulation of a State, or a political subdivision of a State, to the extent such law, rule, or regulation relates to or affects the collection, use, sale, disclosure, or dissemination of personally identifiable information in commerce. No State, or political subdivision of a State, may take any action to enforce this title.

SEC. 110. EFFECTIVE DATE.

This title shall apply with respect to personally identifiable information collected on or after the date that is 1 year after the date of enactment of this Act.

TITLE II—IDENTITY THEFT PREVENTION AND REMEDIES

SEC. 201. FACILITATING ELECTRONIC IDENTITY THEFT AFFIDAVITS.

The Commission shall take such action as necessary to permit (including by electronic means) consumers that have a reasonable belief that they are a victim of identity theft—

SEC. 202. PROMOTING USE OF COMMON IDENTITY THEFT AFFIDAVIT.

The Commission shall take such action as necessary to solicit the acceptance and acknowledgement of standardized Identity Theft Affidavit by entities that receive disputes regarding the unauthorized use of accounts of such entities from consumers that have reason to believe that they are a victim of identity theft.

SEC. 203. TIMELY RESOLUTION OF IDENTITY THEFT DISPUTES.

The Commission shall require entities that receive disputes regarding the unauthorized use of accounts of such entities from consumers that have reason to believe that they are a victim of identity theft to conduct any necessary investigation and decide an outcome of a claim within 90 days from the date on which all necessary information to investigate the claim has been submitted to the entity.

SEC. 204. IMPROVEMENTS TO CONSUMER CLEARINGHOUSE.

The Commission shall utilize the Identity Theft Clearinghouse to permit consumers that have a reasonable belief that they are victim of identity theft to submit any information relevant to such identity theft to the Clearinghouse (including by means of an Identity Theft Affidavit), so that such information may be transmitted by the Clearinghouse to appropriate entities for necessary protective action and to mitigate losses resulting from such identity theft.

SEC. 205. IMPROVED IDENTITY THEFT DATA.

(a) IN GENERAL.—The Commission shall—

(b) INCLUSION IN DATABASE.—Such information shall be made part of the Commission’s Identity Theft Clearinghouse database.

SEC. 206. CHANGE OF ADDRESS PROTECTIONS.

The Commission shall require appropriate entities to take reasonable steps to verify the accuracy of a consumer’s address, including by confirming a consumer’s change of address by sending a confirmation of such change to the old and the new address of the consumer.

SEC. 207. EFFECTIVE DATE.

This title shall take effect 180 days after the date of enactment of this Act.

TITLE III—INTERNATIONAL PROVISIONS

SEC. 301. STUDY BY COMPTROLLER GENERAL.

The Comptroller General of the United States shall conduct a study and issue a report analyzing the impact on the interstate and foreign commerce of the United States of information privacy laws, regulations, or agreements enacted, promulgated, or adopted by other nations, including regional or international agreements between nations, and whether the enforcement mechanisms or procedures of those laws, regulations, or agreements result in discriminatory treatment of United States entities. The first report under this section shall be issued not later than 120 days after the date of enactment of this Act and subsequent reports shall be issued every 3 years thereafter.

SEC. 302. REMEDIATION OF DISCRIMINATORY IMPACT BY SECRETARY OF COMMERCE.

If the Comptroller General of the United States finds, in the study and report under subsection (a), that such information privacy laws, regulations, or agreements substantially impede interstate and foreign commerce of the United States and that the enforcement mechanisms or procedures of the information privacy laws, regulations, or agreements described in such subsection result in discriminatory treatment of United States entities, the Secretary of Commerce shall, to the extent permitted by law take all steps necessary to mitigate against such discriminatory impact within 180 days after the report making such findings is issued.

SEC. 303. EFFECT OF NONREMEDIATION.

(a) RECOMMENDATIONS.—If by the end of the 180-day period described in section 302, the Secretary of Commerce has not attained complete relief from the discriminatory impact described in such subsection, the Secretary shall report to the Congress and the President recommendations on action to relieve any such remaining discriminatory impact.

(b) FEDERAL AGENCY ACTION AFTER CONSIDERATION BY CONGRESS.—During the period after the Secretary reports recommendations under subsection (b) for mitigation of discriminatory impact and before the Congress acts with respect to such recommendations, no officer or employee of any Federal agency may take or continue any action to enjoin, or impose any penalty on, a United States entity, or a citizen or legal resident of the United States, for the purpose of fulfilling an international obligation of the United States under an international privacy agreement (other than such an obligation under a ratified treaty) that resulted in such discriminatory impact.

SEC. 304. HARMONIZATION OF INTERNATIONAL PRIVACY LAWS, REGULATIONS, AND AGREEMENTS.

Beginning on the date of enactment of this Act, the Secretary of Commerce shall provide notice of the provisions of this Act to other nations, individually, or as members of international organizations or unions that have enacted, promulgated, or adopted information privacy laws, regulations, or agreements, and shall seek recognition of this Act by such nations, organizations, or unions. The Secretary shall seek the harmonization of this Act with such information privacy laws, regulations, or agreements, to the extent such harmonization is necessary for the advancement of transnational commerce, including electronic commerce.

TITLE IV—GENERAL PROVISIONS

SEC. 401. DEFINITIONS.

In this Act: