
Consumer Privacy Protection Act of 2011

This bill aims to protect and enhance consumer privacy. It defines key terms related to consumer privacy such as "covered entity", "personally identifiable information", and "transaction". It requires covered entities that collect personal information of more than 5,000 consumers to provide notices to consumers about their privacy policies and practices. The notices must be clear, conspicuous, and prominently displayed. They must be provided before personal information is used for unrelated purposes and when privacy policies materially change. The bill aims to increase transparency around how consumer data is collected and used.

Uploaded by

s_kline
Copyright
© Attribution Non-Commercial (BY-NC)

I

112TH CONGRESS 1ST SESSION

H. R. 1528

To protect and enhance consumer privacy, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES


APRIL 13, 2011

Mr. STEARNS (for himself, Mr. MATHESON, Mr. BILBRAY, and Mr. MANZULLO) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To protect and enhance consumer privacy, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Consumer Privacy Protection Act of 2011".

SEC. 3. DEFINITIONS.

In this Act, the following definitions apply:

(1) AFFILIATE. The term "affiliate" means any company that controls, is controlled by, or is under common control with another company.

(2) COMMISSION. The term "Commission" means the Federal Trade Commission.

(3) CONSUMER. The term "consumer" means an individual acting in the individual's personal, family, or household capacity.

(4) COVERED ENTITY. (A) The term "covered entity" means an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium), sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period, and includes a non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code, notwithstanding the definition of the term "Acts to regulate commerce" in section 4 of the Federal Trade Commission Act (15 U.S.C. 44) and the exception provided by section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) for such organizations.

(B) Such term does not include

(i) a governmental agency;

(ii) a provider of professional services, or any affiliate thereof, to the extent that such provider is obligated by rules of professional ethics, or by applicable law or regulation, not to voluntarily disclose confidential client information without the consent of the client; or

(iii) a data processing outsourcing entity.

(5) DATA PROCESSING OUTSOURCING ENTITY. The term "data processing outsourcing entity" means, with respect to a covered entity, a non-affiliated entity that

(A) provides information technology processing, Web hosting, or telecommunications services to the covered entity;

(B) is contractually obligated to comply with security controls specified by the covered entity; and

(C) has no right to use the covered entity's personally identifiable information other than for performing data processing outsourcing services for the covered entity or as required by contract or law.

(6) DISPLAY. The term "display" means intentionally communicating or otherwise making available (on the Internet or in any other manner) to another person.

(7) INFORMATION-SHARING AFFILIATE. The term "information-sharing affiliate" means any affiliate that is under common control with a covered entity, or is contractually obligated to comply with the practices enumerated under the privacy policy statement of the covered entity required under section 5.

(8) PERSONALLY IDENTIFIABLE INFORMATION. (A) The term "personally identifiable information", with respect to a covered entity means individually identifiable information relating to a living individual who can be identified from that information, and includes:

(i) the combination of a first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name;

(ii) the postal address of a physical place of residence of such individual;

(iii) an e-mail address of such individual;

(iv) a telephone number or mobile device number dedicated to contacting such individual at any place other than the individual's place of work;

(v) a social security number or other Federal or State government issued identification number issued to such individual; or

(vi) the complete account number of a credit or debit card issued to such individual.

(B) Such term also includes, when disclosed in connection with one or more of the items of information described in subparagraph (A)

(i) a birth date, the number of a certificate of birth or adoption, or a place of birth; or

(ii) an electronic address, including an IP address.

(C) Such term does not include

(i) anonymous or aggregate data, or any other information that does not identify a unique living individual;

(ii) information about a consumer inferred from data maintained about a consumer; or

(iii) information about a consumer that is publicly available or obtained from a public record.

(9) PROCESS. The term "process", with respect to personally identifiable information, means any value-added activity performed on data by automated means.

(10) PUBLICLY AVAILABLE. The term "publicly available", with respect to information, means information that is lawfully made available to the general public.

(11) PUBLIC RECORD. The term "public record" means any item, collection, or grouping of information about an individual that is maintained by a Federal, State, or local government entity and that is made available to the public.

(12) PURCHASE. The term "purchase" means providing, directly or indirectly, anything of value in exchange for a good or service.

(13) STATE. The term "State" includes the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the Virgin Islands, the Freely Associated States, and any other territory or possession of the United States.

(14) TRANSACTION. The term "transaction" means an interaction between a consumer and a covered entity resulting in

(A) any use of information that is necessary to complete the interaction in the course of which information is collected, or to maintain the provisioning of a good or service requested by the consumer, including use

(i) to approve, guarantee, process, administer, complete, enforce, provide, or market a product, service, account, benefit, transaction, or payment method that is requested or approved by the consumer;

(ii) to deliver goods, services, funds, or other consideration to, or on behalf of, the consumer;

(iii) to protect the health and safety of the consumer; and

(iv) related to website analytics methods or measurements for improving or enhancing products or services.

(B) any disclosure of information that is necessary for the consumer to enforce any right of the consumer;

(C) any disclosure of information that is required by law or by a court order;

(D) any use of information to verify personally identifiable information by the consumer, evaluate, detect, or reduce the risk of fraud or other criminal activity, or other risk-management activities; and

(E) the collection or use of personally identifiable information for the marketing or advertising of a covered entity's products or services to its own customers or potential customers.

SEC. 4. PRIVACY NOTICES TO CONSUMERS.

(a) NOTICE REQUIRED. A covered entity shall provide to a consumer a notice containing the information required under subsection (b) as follows:

(1) The covered entity shall provide the notice before any personally identifiable information that is collected from a consumer is used by the covered entity for a purpose unrelated to a transaction.

(2) Upon a material change in the covered entity's privacy policy under section 5(a), the covered entity shall provide the notice, not later than the first time after such change in policy that the covered entity seeks to sell, disclose for consideration, or use personally identifiable information to the extent practicable, to each consumer from whom the covered entity has collected such information.

(b) FORM AND CONTENTS OF NOTICE. A notice required under subsection (a) shall be provided in a clear and conspicuous manner, be prominently displayed or explicitly stated to the consumer, and contain the following information:

(1) A statement that the personally identifiable information collected by the covered entity may be used or disclosed for purposes or transactions unrelated to that for which it was collected, as described in the covered entity's privacy statement.

(2) A description, appropriate to the applicable medium, of the manner in which the consumer may obtain a privacy policy statement that meets the requirements of section 5, which may include providing the consumer with an Internet website, a hyperlink to such a website, or a toll-free telephone number from which such a statement may be obtained. If the notice required under subsection (a) is provided to the consumer by means of an Internet website, one manner in which the consumer may obtain the privacy policy statement must be by means of an Internet website.

(3) If the notice is required under subsection (a)(2), a statement that there has been a material change in the covered entity's privacy policy.

SEC. 5. PRIVACY POLICY STATEMENTS.

(a) PRIVACY POLICY. A covered entity shall establish a privacy policy with respect to the collection, sale, disclosure for consideration, dissemination, use, and security of the personally identifiable information of consumers, the principal elements of which shall be embodied in a privacy policy statement (or statements) that meets the requirements of subsection (b).

(b) STATEMENT. The statement (or statements) required under subsection (a) shall meet the following requirements:

(1) The statement must be brief, concise, clear, and conspicuous and written in plain language.

(2) The statement must be available to all consumers of the covered entity (regardless of the means by which a consumer conducts a transaction with the covered entity)

(A) at no charge to the consumer; and

(B) at the time the covered entity first collects personally identifiable information about the consumer that may be used for a purpose unrelated to a transaction with the consumer and subsequently.

(3) The statement must disclose only the following:

(A) The identity of each covered entity, or a description of each class or type of covered entity, that may collect or use the information.

(B) The types of information that may be collected or used.

(C) How the information may be used.

(D) Whether the consumer is required to provide the information in order to do business with the covered entity.

(E) The extent to which the information is subject to sale or disclosure for consideration to a covered entity that is not an information-sharing affiliate of the covered entity providing the statement, including

(i) a clear and prominent statement of the fact that the information is subject to such sale or disclosure for consideration;

(ii) a description of each class or type of covered entity to which the information may be sold or disclosed for consideration;

(iii) to the extent practicable, the purpose for which the information may be used; and

(iv) the types of information that may be sold or disclosed for consideration.

(F) Whether the information security practices of the covered entity meet the security requirements of section 8 in order to prevent unauthorized disclosure or release of personally identifiable information.

(c) COMMISSION FACILITATION. The Commission may take actions (including conducting industry-wide workshops) to facilitate the development of harmonized, universal wording or logo-based graphics in order to convey the contents of privacy policy statements required under this section.

SEC. 6. CONSUMER OPPORTUNITY TO LIMIT SALE OR DISCLOSURE OF INFORMATION.

(a) PRECLUSION OF SALE OR DISCLOSURE.

(1) REQUIREMENT. A covered entity shall provide to the consumer, without charge, the opportunity to preclude any sale or disclosure for consideration of the consumer's personally identifiable information, provided in a particular data collection, that may be used for a purpose other than a transaction with the consumer, to any covered entity that is not an information-sharing affiliate of the covered entity providing such opportunity.

(2) DURATION. A preclusion on sale or disclosure for consideration of information established by a consumer under this subsection shall remain in effect for 5 years or until the consumer indicates otherwise, whichever occurs sooner. A covered entity may not seek reconsideration of a consumer's preclusion of such sale or disclosure until at least 1 year after such preclusion has been imposed by the consumer.

(b) PERMISSION FOR SALE OR DISCLOSURE. A covered entity may provide the consumer an opportunity to permit the sale or disclosure described in subsection (a)(1) in exchange for a benefit to the consumer.

(c) ACCESSIBILITY. The opportunity to preclude (or if offered, to permit) the sale or disclosure for consideration of information under this section must be both easy to access and use, and the notice of the opportunity to preclude must be clear and conspicuous.

SEC. 7. CONSUMER OPPORTUNITY TO LIMIT OTHER INFORMATION PRACTICES.

If a covered entity provides to a consumer the opportunity to limit other practices of the covered entity with respect to a particular collection or use of personally identifiable information regarding the consumer, other than that required by section 6

(1) a notice and description of such opportunity must appear in the privacy statement;

(2) such opportunity must be easy to access and to use; and

(3) any limitation exercised by the consumer pursuant to such opportunity shall remain in effect, unless

(A) the limitation is withdrawn by the consumer; or

(B) the covered entity provides the consumer at least 30 days' notice before materially changing the limitation or terminating its compliance with the limitation.

SEC. 8. INFORMATION SECURITY OBLIGATIONS.

(a) IMPLEMENTATION. A covered entity shall prepare, revise as necessary, and implement an information security policy that is applicable to the information security practices and treatment of personally identifiable information maintained by the covered entity, that is designed to prevent the unauthorized disclosure or release of such information.

(b) MANAGEMENT APPROVAL. An information security policy created pursuant to paragraph (1) shall be considered and approved by the senior management officials of the covered entity.

(c) CONTENTS. An information security policy required under paragraph (1) shall include

(1) a process for taking corrective action to prevent or mitigate unauthorized disclosure of information; and

(2) identifying an officer of the covered entity as the point of contact with responsibility for information security issues for the covered entity.

SEC. 9. SELF-REGULATORY PROGRAMS.

(a) SELF-REGULATORY PROGRAM.

(1) PRESUMPTION OF COMPLIANCE. The Commission shall presume that a covered entity is in compliance with the provisions of sections 4 through 8 if that covered entity

(A) participates in a self-regulatory program approved under subsection (b); and

(B) is subject to enforcement under a self-regulatory program's guidelines, procedures, requirements, and restrictions (including a remedial process under subsection (c)(7)).

(2) EFFECT OF WILLFUL NONCOMPLIANCE. A covered entity that participates in a self-regulatory program under this section shall not be liable for a civil penalty arising out of a violation of any provision of sections 4 through 8 unless such violation results from willful noncompliance with the guidelines, procedures, requirements, or restrictions of the program.

(b) APPROVAL BY COMMISSION.

(1) APPROVAL. The Commission shall, within 90 days after submission of an application for approval of a self-regulatory program under this section (or of a material change in a program previously approved by the Commission), approve such program (or change) if the Commission finds that the program (or change) complies with the requirements of subsection (c).

(2) FORM OF APPLICATION. The Commission shall accept an application for approval under paragraph (1) in any reasonable form the applicant may submit.

(3) DURATION UNTIL RENEWAL. A self-regulatory program approved by the Commission under paragraph (1) shall be approved for a period of 5 years.

(4) REVOCATION OF APPROVAL. The Commission may, after notice and opportunity for a hearing, revoke approval granted under paragraph (1), if the Commission finds that a self-regulatory program fails to meet the requirements of subsection (c).

(5) JUDICIAL REVIEW. Any order by the Commission denying approval of a self-regulatory program shall be subject to judicial review, as provided in section 706 of title 5, United States Code.

(c) REQUIREMENTS OF SELF-REGULATORY PROGRAM. A self-regulatory program complies with the requirements of this subsection if the program provides each of the following:

(1) Guidelines and procedures requiring a program participant to provide substantially equivalent or greater protections for consumers and their personally identifiable information as are provided under sections 4 through 8.

(2) Procedures and requirements to provide for

(A) an initial review of a participant's privacy statement and privacy policy, and subsequent review whenever such statement or policy is substantively changed;

(B) a participant's self-review and self-certification of its privacy policy and practices to ensure compliance with the guidelines, procedures, requirements, and restrictions of the program established under this subsection;

(C) a participant's subsequent periodic self-reviews and self-certifications, which shall occur at least annually, of the its privacy policy and practices to ensure continued compliance with such guidelines, procedures, requirements, and restrictions;

(D) submission of self-reviews and self-certifications under this paragraph to any administrator of the program; and

(E) random review of participants, which may concentrate on selected compliance issues, if the self-regulatory program conducts

(i) random compliance tests with respect to each participant not less frequently than every 3 years;

(ii) a full compliance test of a particular participant in any case where noncompliance with any of the selected compliance issues has been identified; and

(iii) full compliance tests of participants with a high number of complaints against them.

(3) Procedures and requirements that ensure that a program participant provides a process for resolving disputes with consumers relating to the privacy policy and practices of the participant. Such dispute resolution process

(A) must be available without charge to a consumer;

(B) must be available at a cost to the participant that is reasonable and does not discourage participation by the participant in such process;

(C) must ensure that consumers are informed of how to utilize the process;

(D) may include, as one choice among others, binding arbitration; and

(E)(i) must be completed within 60 days after submission of the dispute by the consumer; or

(ii) must be completed within 90 days after submission of the dispute by the consumer, if the participant

(I) determines that additional time is required to obtain information to make an informed decision with respect to the dispute; and

(II) notifies the consumer and the self-regulatory program that such additional time is required.

(4) Provisions for the use by participants in the program of a means (including the use of a seal) to represent the participant's participation in the program.

(5) With respect to any nonvoluntary suspension or termination of participation in the program because of the participant's failure to comply with the program, procedures or requirements to provide for the following:

(A) Publication of notice and the reasons for any such suspension or termination, except that no personally identifiable information related to such suspension or termination may be published.

(B) Notice to the Commission of any such termination.

(6) Requirements and restrictions that assure independence with respect to program eligibility, compliance, and dispute resolution mechanisms and decisions from improper interference by management or ownership of the self-regulatory program participant.

(7) A process for a noncompliant participant to take timely remedial action in order to come back into compliance with the program before suspension or termination of participation in the program.

(d) CONSUMER DISPUTE RESOLUTION.

(1) SELF-REGULATORY DISPUTE PROCESS. If a consumer has a dispute with a participant in a self-regulatory program under this section or under section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that such dispute pertains to the entity's privacy policy or practices required for participation in the self-regulatory program, the consumer shall initially seek resolution through the participant's dispute resolution process (established in accordance with subsection (c)(3)). The Commission shall promptly refer to the participant involved any dispute submitted to the Commission for which resolution has not been initially sought through such process.

(2) RESOLUTION BY COMMISSION. A consumer may submit to the Commission for resolution a dispute with a participant in a self-regulatory program under this section, if the following requirements are met:

(A) The dispute was initially submitted under paragraph (1) for resolution through the participant's dispute resolution process.

(B) The dispute submitted under paragraph (1) is not resolved

(i) within 60 days after submission of the dispute by the consumer; or

(ii) to the satisfaction of the consumer.

(C) Notice of the facts of the dispute is submitted to the Commission not later than 30 days after the date on which the consumer is notified of the resolution through the participant's dispute resolution process.

(D) The consumer has not voluntarily accepted a resolution of the dispute under paragraph (1).

(E) The dispute was not resolved through binding arbitration.

(3) LIMITATION. Nothing in this Act shall prevent the Commission from investigating compliance with this Act by a participant in a self-regulatory covered entity based upon a complaint from an individual or covered entity other than a consumer with a dispute with such participant, or on its own initiative, except that prior to instituting any such investigation the Commission shall afford the self-regulatory covered entity a reasonable opportunity to invoke its own remedial procedures and assure compliance by the participant.

(4) CLEAR AND CONVINCING EVIDENCE. The presumption established by paragraph (1) of subsection (a) may be overcome by clear and convincing evidence of non-compliance.

(e) NONRELEASE OF CERTAIN INFORMATION. The Commission may not compel a participant in a self-regulatory program approved under subsection (b) (or an administrator of such a program) to provide proprietary information or personally identifiable information of consumers to the Commission unless the Commission provides assurances that such information will not be released to the public.

(f) MISREPRESENTATION OF SELF-REGULATORY PROGRAM PARTICIPATION. It is unlawful for a covered entity to misrepresent that it is a participant in a self-regulatory program (including through any mechanism provided under subsection (c)(4)) when such covered entity is not, in fact, such a participant.

(g) EXEMPTED ENTITY PARTICIPATION. An entity that is not a covered entity and that voluntarily participates in a self-regulatory program under this section shall enjoy the rights and benefits provided under this section in any action or investigation under section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that such action or investigation pertains to the entity's privacy policy or practices required for participation in the self-regulatory program.

SEC. 10. ENFORCEMENT.

(a) UNFAIR OR DECEPTIVE ACT OR PRACTICE. A violation of any provision of this Act by a covered entity is an unfair or deceptive act or practice unlawful under section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), except that the amount of any civil penalty under such Act shall be doubled for a violation of this Act, but may not exceed $500,000 for all related violations by a single violator (without respect to the number of consumers affected or the duration of the related violations).

(b) GUIDELINES AND OPINIONS. In order to assist in compliance with this Act, the Federal Trade Commission may promulgate regulations and interpretive rules under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a), with respect to specific types of acts or practices that would, or would not, comply with this Act.

SEC. 11. NO PRIVATE RIGHT OF ACTION.

This Act may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).
SEC. 12. EFFECT ON OTHER LAWS.

(a) QUALIFIED EXEMPTION FOR COMPLIANCE WITH OTHER FEDERAL PRIVACY LAWS. To the extent that personally identifiable information protected under this Act is also protected under a provision of Federal privacy law described in subsection (c), a covered entity that complies with the relevant provision of such other Federal privacy law shall be deemed to have complied with the corresponding provision of this Act.

(b) PROTECTION OF OTHER FEDERAL PRIVACY LAWS. Nothing in this Act may be construed to modify, limit, supersede, or interfere with the operation of the Federal privacy laws described in subsection (c) or the provision of information permitted or required, expressly or by implication, by such laws, with respect to Federal rights and practices.

(c) OTHER FEDERAL PRIVACY LAWS DESCRIBED. The provisions of law to which subsections (a) and (b) apply are the following:

(1) Section 552a of title 5, United States Code (commonly known as the Privacy Act of 1974).

(2) The Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.).

(3) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(4) The Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.).


(5) The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.).

(6) Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 et seq.).

(7) The Electronic Communications Privacy Act of 1986 (Public Law 99-508).

(8) The Driver's Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).

(9) The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1221 note, 1232g).

(10) Section 445 of the General Education Provisions Act (20 U.S.C. 1232h).

(11) The Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.).

(12) Section 222 of the Communications Act of 1934 (47 U.S.C. 222) relating to the Customer Proprietary Network Information.

(13) The Cable Communications Policy Act of 1984 (47 U.S.C. 521 et seq.).

(14) The Communications Assistance for Law Enforcement Act (47 U.S.C. 1001 et seq.).

(15) The Video Privacy Protection Act of 1988 (Public Law 100-618).

(16) The Telephone Consumer Protection Act of 1991 (Public Law 102-243).


(17) The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as it relates to an entity described in section 1172(a) of the Social Security Act (42 U.S.C. 1320d-1(a)) or to activities regulated under section 1173 of such Act (42 U.S.C. 1320d-2).

(18) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).

(d) PREEMPTION OF STATE PRIVACY LAWS. This Act preempts any statutory law, common law, rule, or regulation of a State, or a political subdivision of a State, to the extent such law, rule, or regulation relates to or affects the collection, use, sale, disclosure, retention, or dissemination of personally identifiable information in commerce. No State, or political subdivision of a State, may take any action to enforce this Act.

SEC. 13. EFFECTIVE DATE.

This Act shall apply with respect to personally identifiable information collected on or after the date that is 1 year after the date of enactment of this Act.
