Wrangling Over Proposed Privacy Laws Continues
zurab writes "USA Today reports several U.S. lawmakers introduced a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers who have not explicitly forbidden them to do so. And one of the supporters of this bill - the beloved Mr. Boucher."
Because they know NOBODY in their right mind would EVER opt-in to something like this, so they have to open the door to big business somehow.
I mean, otherwise the aforementioned big business would stop paying them campaign contributions and such...
"Nothing strengthens authority so much as silence." - Charles de Gaulle
a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers who have not explicitly forbidden them to do so.
It's long-awaited? You americans are difficult to understand....
I tried looking up the bill but I don't have a number handy. Does anybody know what it is (and would it kill the newspaper to print it along with a story once in a while?) I was curious to see whether Boucher was really behind this or if this was one of those tradeoff things.
I did find a link about this from back in February when he was talking about planning to support this bill when it finally showed up. I'd like to see them move anti-spam legislation through the system this fast (only about seven years and counting on that, right?)
I've heard this said about the DMCA too. Any time businesses talk about balance between themselves and consumers through legislation, I instantly know that it's a terrible idea and I oppose it. They couldn't give a rat's ass about balance or compromise.
should be property rights held by individuals. This allows a more perfect market, because the information would be more closely protected than this bill provides. As Larry Lessig explains in his book Code, Privacy as a property right allows those who don't care about privacy to get what they want, while those who have considerable concerns to seriously protect themselves. Any other scheme will deny the fact that privacy concerns differ between different segments of society.
"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos
Shouldn't it be the 'Lack of Privacy Bill' rather than 'Privacy Bill'?
Or do they?
Look at your average computer user. He (or she) doesn't use PGP, has insecure passwords, will gladly install spyware in exchange for a P2P client, and is all too willing to help email worms propagate. Now, don't try to tell me that this hypothetical (but all too real) user wouldn't give up his entire purchasing habits to save himself 7 clicks a month on AOL.
He would be delighted if he could be greeted with "I bet you want the new WWF video: click here to order" when he logged in. That's what this information sharing does. And the public is going to eat it up.
Meanwhile, the fraction of us who actually care about this kind of thing pay the price. The only sensible thing to do? Become what we hate the most. Format /dev/hd* and install Windows and AOL. Your browser votes don't count unless your user agent says MSIE, and your purchases don't count unless they're through AOL or MSN. We have to make a choice between Free Software and privacy. Once we've saved privacy, then maybe Linux will come back...who knows? But for now, we need to put Linux aside as we prepare for the real battle.
Karma: Good (despite my invention of the Karma: sig)
I fail to see how this will work at statistical levels - it might encourage some people who have abstained to return to the 'net, but the vast majority, those simple casual users? The use of the word much is inappropriate here.
Put it this way: if you were to hold a random sampling of U.S. citizens on internet privacy, you would likely get a lot of semi- or un-informed views on it. The reason is simple: it's not considered important enough by society at large. If/when privacy becomes a big thing in the media and in government, only then will the population at large (who are being spoonfed by popular media, remember) feel that it is important enough to become an issue.
Until then, it remains an issue for the interested parties and the various lobby groups. The average internet user doesn't care, so there will be no upswing, no "much greater level", nice as it would be to believe that Mr. Average Midwestern Suburbian spends as much time as we do reading up on issues such as this.
jer
We may be human, but we're still animals
- Steve Vai
Call me a troll, but...
I bet a million bucks someone will spout on and on how this is all George Bush's fault. You know, it's all part of his "secret agenda" to give BIG BUSINESS (but not small... he wouldn't dare help the little guy) anything and everything they want. Hell, he put arsenic in our drinking water for crying out loud.
DOWN WITH THE MAN!
3cx.org - A truly bad website.
Sure, our customers can opt out. It's right there on our web site. Just click on the little tiny smiley face in the bottom left corner, then follow the 4 subsequent links to the opt out policy page. Be sure to find the little "I refuse this offer" check box, then hit submit. "Oh" the submit button is broke?? Now how did that happen? We'll have our help desk take a look at it. (The web site will be down for a few days while they reboot the system.)
If you have Store A and Store B, both selling the same product, both selling for the same price, both with equally great customer service, but Store A promises never to disclose your information under any circumstances and Store B doesn't have such a policy...where will you shop? Eventually, a lot of other people will shop at Store A, and when they do shop there, it'll be because of guaranteed privacy, thus making it a selling point.
This might work out for the best--getting Joe Public caring about privacy issues, even if it is a small start. I can just see the news story now:
Reporter: Mister Manager of Wal-Mart, how do you explain losing some of your business to Target?
Mister Wal-Mart: Well, they don't offer our customers the opportunity to receive special offers from our sister stores.
Reporter: So you're losing sales because you sell information about your customers?
Mister Wal-Mart: Uhhhhhh
sig--we don't need no goddamn sig
No one would ever choose to opt-in on such a thing. And chances are the companies who would share such information in the first place would not make it very obvious you could opt-out. My guess is that the choice to opt-out will be hidden in a 1,000 word legal disclaimer or an EULA that no one reads anyway.
Yet another law that helps corporations at our expense, because they apparently have more rights than we do. At least certain congressmen (Mr. Boucher, Mr. Hollings, anyone?) think that's true.
-Evan
So what if they want to share information. Isn't that what the whole Free Software Revolution is about? Information wants to be free, right?
Or do they have to encode your personal information into MP3 form before it's okay to distribute it?
"You're just scared like a little white pussy. I'll fuck you till you love me, you faggot!"
Where is this cornucopia of absurd legislation coming from? Let me guess... corrupt legislators. Now... Is it to fair to assume stupid people voted for these corrupt legislators? If stupidity is the majority, isn't the democratic thing to do to legislate stupidity? After all, common sense would go against stupidity and therefore, against these legislators' constituents. Hence, we're shit out of luck...
Compare and contrast that travesty with UK Data Protection Act 1998. To summarise
(source: http://www.dataprotection.gov.uk/principl.htm)
Note that last point - the US at present does not have 'adequate protection' (ie protection to an equivalent level). This proposed bill takes it further away.
Something else to note - the enforcement of this will only get stricter when the new Data Protection Commissioner takes office.
The only thing you can accurately describe as "Scotch" is a sticky tape made by 3M. And it's
It would at least require companies to obey their own privacy policies. Right now, it doesn't seem to matter if I uncheck every box with words like "Subscribe me to electronic news", "Share my contact information with other companies", etc. when registering on a site. The majority of companies don't honor your preferences to not receive all their junk mail. With this proposed bill, it would be illegal not to do so.
That said, I still prefer the competing bill overall.
Jason
"FORMAT C:" - Kills bugs dead!
In tiny letters.
I take it in the US at the moment it is:
Privacy is not a property right.
Nor will it ever, as such inalienably ideas are not, should not, and can not be considered property.
Besides being vague and unwieldy, considering such humanistic rights property (such humanistic rights as privacy, freewill, thought, etc.) tends to lead to trouble. Look at the patent system.
Of course, this is all just hyperbole, as redefining privacy as a property changes nothing. It's simply calling X by the name of Y.
Without suggestions of implementation it's only an interesting experiment in etymology.
Perhaps "Code" covers such implementation, though. Admittedly I haven't read it.
Privacy issues really get on my nerves. Not so much because I feel the need for my privacy to be protected, but because there is nothing I can do to stop it. Sure, there are petitions and writing to my local representatives, but I don't have the time to read the fine lines of every law that every politician puts up for a vote.
Then there are the laws that I even take the time to sign petitions for and write to my representatives, like CARP ( http://www.live365.com/carp/ if you've been living in a box ). Hordes of people objected to this law, yet it still was passed.
The government is not listening. You might be able to get someone to listen to you during an election year, if you're lucky. Maybe you could claim to have to pick up cans along the highway to pay your CARP royalty fees and Gore could talk about you. But otherwise, it's a sad waste of time.
Then there's the hypocrisy of the people that call for these petitions. Example: Right here in Milwaukee, we had a controversy about our City Pension Plan and a million dollar lump sum payout. The elected official that signed the bill was forced to resign amidst a recall campaign. Sounds like the population taking on their civic duty, right? Well, in the emergency election to fill his position, only 1 in 5 of the people that signed the recall petition actually voted. 4 of 5 just wanted to kick the government wherever they could get a shot in.
In the end, you might catch one bill, you might get someone important to object to it, you might even get enough people on your side to oppose the law, but unless you can give a senator a better hand job than the lobbyist, they'll get their way eventually.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
I could sponsor legislation to grind up kittens and baby seals to pave our highways, and as long as I named the bill something like the "Privacy Bill", every legislator would vote in favor. No one wants to go on record as being against a "Privacy Bill".
This is one of the flaws in our short-attention-span news coverage. No one investigates in depth. Everyone assumes the name of the bill represents the contents. (PATRIOT Act anyone?) And so we get politicos voting on the name of the bill, rather than the content.
If you ask me for information, make no promises about what you're going to do with it, and I willingly give it to you
What if the entity that asks for information does make promises, but buries them in a ten-page document at a college (commonly called 'legalese') reading level rather than in a one-page privacy policy at an eighth-grade (newspaper) reading level?
Will I retire or break 10K?
This is the part of the bill that I find particularly noxious and annoying. I can (with regret) swallow the rest of the bill, as long as the company gives me the explicit choice, whenever they collect the information, about whether I want to prevent them from selling the information to other people.
But this... When a company breaks the law, and they violate my privacy, I have a right to sue their asses off! I have a right (a moral right, not a legal one, IANAL) to publicly punish them and make damn sure they never do this again and get appropriate compensation for violating my privacy. This bill specifically would take away this right from me.
"Oh, I'm sorry, we didn't realize we were violating your privacy! All those magazine companies now know your income level? Whoops, our bad! But we're just going to do it again, because we have no incentive to obey the law!"
Laws don't mean anything without teeth. Remove the teeth, might as well not even have the law.
modern choral music...
"Mr. Boucher, if you don't play ball with us at least once in a while, you might have a fatal car accident." *CLICK*
--
Power to the Peaceful
a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers
Would this qualify as an oxymoron? Exactly how does releasing my private information qualify as privacy? Have these people ever opened a dictionary? Mr. & Mrs. Public would be up in arms if they knew their leaders were voting to allow their credit card companies access to their medical records. If you are sick isn't there a good chance you may miss a payment? Further, if you have a genetic pre-disposition to a disease, regardless of whether you have it, your employer should know, shouldn't they?
A group of business leaders from high-tech firms said the bill struck the right balance between consumers and businesses
A "group of business leaders". Would this be the same group being paid to collate and distribute this data? Or perhaps, the people that want the data? In either case, at least they are honest enough to admit the public is either in the dark or against it. [Okay, that is my spin... ]
"I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.
Amazing is that as a republican, who should be for more local government and smaller federal government, we have instead the rider that states this will override more restrictive local laws. Even more amusing (frightening?) is his biography which lists him as "a leading architect of federal policy for the Internet." I am really pressed to put some type of sarcasm here, but nothing I could say would be more foolish than his statement.
I know I make this pitch every time one of these things get started, but contact your representatives.
House of Representatives
Senators
And please remember: Be concise, polite, and on paper (fax may even be better as it is not double processed through the mail). In addition, CC the letter to your local newspaper's letter to the editor and you may as well try their email address. (But remember the study done last year, most representatives do not read emails)
How about Delawenians? Or Delawarites?
(for more options, see the original _Taxi_ episode)
Here are a few quotes from the article for those who haven't read it.
"Sponsors said the bill would establish basic privacy protections for consumers while minimizing the impact on business."
OK, this seems reasonable at face value. Now let's see what protections consumers will in fact get from this bill.
More than a year in the making, the privacy bill unveiled in the House differs from a competing bill making its way through the Senate that would require businesses to get consumers' explicit permission before sharing sensitive information such as income level, religious affiliation or political interests.
Not that I think the Senate bill goes quite far enough for my liking, this opt-out policy essentially states that businesses will be free to do whatever they please with my information, especially if it turns out that businesses can reset their customers' privacy preferences (cough...Yahoo...cough) at any time. So I think the word negligible best describes our privacy rights under this bill.
Let's assume that this bill does give us Americans a few crumbs of privacy. Here's what will happen to businesses that violate these rights:
Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense.
Companies submitting to a self-regulatory privacy regime such as TRUSTe or BBBonline would enjoy protection from FTC actions.
We all know how valiantly TRUSTe fights for consumers' privacy rights and how fiercely they punish businesses that violate their privacy policies, right. Give me an effing break! Not only do we end up with very few privacy protections, but the maximum punishment for violating the few rights (at least the first time around) that we have is a rebuke from a government bureau or an industry organization? Sounds like a great bill to me.
It seems like the Senate bill is going to be the best case scenario for privacy advocates in this country, and the more likely scenario is a compromise between the House bill and Senate bill. In other words, we Americans will be lucky if the few basic protections we have regarding the privacy of bank and medical records we have still exist when the President signs whatever comes out from Congress. If only there was a "Control-Alt-Delete" option on ballots that indicated a desire for all 535 members of Congress and the President to be removed at the same time instead of having a voice over at most 4 of these officials' futures...
One last thought: if this bill were to pass, maybe we could boomerang it back onto Big Business. The Supreme Court has decided that corporations are people, right? Corporations purchase services from people (e.g. developing software, fixing cars, making purchasing decisions), and often give those employees access to proprietary data in the process. Could the courts conclude that businesses have no right to privacy as well, claiming that the employees can reset the company's "privacy policy" (NDA) at any time, like businesses do to customers? Then, maybe, just maybe, things might not be so bad after all...
As noted on the Smithsonian Institution's site, the first official American flag had thirteen stars and thirteen stripes, each representing one of the thirteen original states.
The flag icon for Slashdot's 'United States' section is missing its first stripe - the stripe that represents Delaware, the first state admitted to the Union. While a simple oversight could be forgiven, it should be known from here on out that Slashdot is in fact aware of the missing stripe, and even worse, refuses to do anything about it!
This vulgar flag desecration and rabid anti-Delawarism must be put to a stop. Let the Slashdot crew know that we will not accept a knowingly mutilated flag or the insinuation that Delawarians deserve to be cut out of the union. I ask you, what has Delaware done to deserve this insolence, this wanton disregard, this bigotry?
This bill has basically no powers. Opt-out systems always have fewer people opting out; however, if it had teeth then everyone would just ignore it.
Just move payment / data store to another country, even a Sealand. All you do is allow someone to collect things on your US website, then when it comes to payments say payments are handled by our trusted corp xyz.
xyz then collects all the information out of the jurisdiction of the US and pays no US tax; it can then sell the details to anyone it likes.
Privacy bills have to allow corps enough freedom to do what the hell they like or they will just leave your country
A problem with ruling:
The right thing to do for your people isn't always the best thing for your people.
In this case, the right thing to do, obviously, is to protect privacy and require opt-in, not opt-out.
Opt-out begs for spam, while opt-in will simply result in illegal spam. Illegal means it cannot fund a big business. The reason this is bad, is because a fair part of the *tech* economy revolves around advertising distribution.
Notice the tech economy troubles? Well, the government needs to step in to keep the wonderful tech developments we all take for granted coming. The best thing for the people, clearly, is to keep the mainstream free software and services alive, and thus keep the tech economy going strong.
The annoying deleting of spam pays for things of which we enjoy the use.
This anti-privacy bill is a feeble attempt, methinks, because the tech industry is affected little by spam. Now setting the heartless calculating and decision-making econ people have to do aside, I bloody well hate opt-out. I think if any government measure is taken, it should not be another false inflation of the tech economy.
Many people did vote for Bush 2nd. Not as many as voted for Al Gore of course (about 500,000 less), but the choice of the most number of people was "no particular preference, I can't be arsed to vote". So either candidate could have been appointed; but having a president as dad outranks having a senator as dad, so the better connected person was appointed, as announced by his cousin (at Fox) and helped by his brother (in Florida).
Subscription what?
wars not make one great
Sapere Aude - Homer
where do you live? In London there are speed-cameras, red-light cameras, bus-lane cameras etc. every ten yards. Speeding and other traffic offenses are seen as a major revenue centre for local authorities and enforced accordingly!
When they get connected to face-recognition software this will have major security implications.
Of course, you can opt-out of junk mail and unsolicited phone calls (and treat any offenders as a revenue centre at £500 ($750?) a time yourself).
And one of the supporters of this bill - the beloved Mr. Boucher.
O OOOOOOOOOOOOOOOO!
<VOICE type=luke-skywalker>
NOOOOOOOOOOOOOOOOOOOOOOOOOO
</VOICE>
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
What sort of taxes do corporations pay that allows them to get all the representation in this country? Should corporations who refuse to employ Americans be allowed to lobby the government, or make political contributions?
Consider:
1.) They aren't paying taxes in the first place
2.) Aren't employing Americans
How much representation are citizens getting these days? Does the Patriot Act indicate representation, the DMCA, this silly "Privacy" bill being discussed?
We have a constitutional guarantee to have representation before our government and "Privacy" laws illustrate the issue.
It's opt out, it will kill hundreds of state laws on privacy, it will prevent all private rights of action, it will end common law development of tort law, it will undermine voluntary international agreements to protect privacy. This bill should be called the Prevention of Privacy Act. Congrats to Stearns et al. for being the whores of business.
That any information about me in any form is the sole property of myself and may not be used in any form by any individual or organisation, whether private or public, for any purpose whatsoever.
It is the responsibility of any person wishing to use such information to read the online publication Slashdot, and all its user postings, to avoid being liable by not knowing that I have made this proclamation.
Consider yourself warned.
My $0.02 will always be worth more than your €0.02, so
So where do I sign up to tell every company that they have no right to share anything about me? How does one put the big red international symbol for "NO WAY IN HELL" on my information?
Does this mean that every company that asks for information from you in any way would have to provide a mechanism for you to explicitly tell them they can't share your information? Does this mean a business can share my information as soon as they get it because I, the little consumer, have to go out on my own and specifically contact someone at the company who gives a rat's ass and tell them they can't share it?
This bill certainly implies there should be a clear way to do this, but we all know that anything a law might imply does hold water, it just becomes another loop hole. I don't think a microscopic check box at the bottom of some long form is going to cut it.
"Reality is a crutch for people who can't handle drugs."
To businesses, the right balance is one which is heavily skewed against the consumer.
Yup. The 'average' consumer doesn't care.
Look at the fawning over new Sony products, or new movies, yet many (most) of the people then spend time bitching about the DMCA.
Simple economics seem beyond the grasp of these people. If you give money to companies like Sony, they will use a part of that to get laws like the DMCA passed. If you don't give them money, they have less to spend on laws like the DMCA.
The same companies that profit by buying these "privacy" laws also have employees...employees with personal information and privacy concerns just like you and me. One could turn the table on these guys. One could write the companies that don't respect one's privacy and inform them that the privacy laws that help their bottom line also allow one to collect personal, public information on their employees and use it for any lawful purpose that one sees fit.
I am not proposing that any laws be broken. I would hope that any reasonable person would first seek a less extreme negotiation with any privacy impaired business. Also I would hope that no decent person would use any other person's personal public information in a harmful manner.
Yes, most Americans are stupid. Well intentioned, but stupid, like most of humanity. Nevertheless, it is the political system itself that is to blame, not the people. The system doesn't offer true choice and anytime people try to go alone or make a change to the system, it is smacked down.
Watch "Meet John Doe". I also felt like jumping off a bridge by the end.
Here, most data is opt-out, but sensitive data (health, politics, sexual behaviour, financial information) is opt-out. And that's enforced by law.
However, if you want to share it with a third party (even an unrelated arm of the same group of companies), it's all opt-in.
Oh, and if you want to use any data, you have to be registered. The Data Protection Commissioner who runs the register has the power to stop you using your database on suspicion of mis-using data. Which costs a lot if you're British Gas, who had just this happen to them a couple of years back.
It's a powerful dissuader...
The only thing you can accurately describe as "Scotch" is a sticky tape made by 3M. And it's
Stearns, a Florida Republican whose consumer-protection subcommittee held six hearings on privacy last year, said the free flow of consumer data has been a cornerstone of the modern information-based economy.
The free flow of my information is what has been keeping this economy going? What economy is he living in?
"The underlying principle that anchors this bill is, 'do no harm,' " he said.
Do no harm to who? You're representing me and any time my privacy is violated I incur harm.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
...you should be fighting against income taxes. There is no bigger threat to privacy than the government knowing where you work, how much you make, who you donate money to, where you invest your money, etc... Isn't that an invasion of privacy? That offends me more than getting a couple of spams a day.
Of course, just the thought of eliminating income taxes (versus a consumption/sales tax only) makes the people at the ACLU or the Center for Democracy and Technology jump out of their skin. So I want to ask people (especially those who lean to the left), "If you care so much about privacy, don't you think we should eliminate income taxes?"
Just because you're paranoid, doesn't mean they're not after you!
Doesn't the copyright on information disclosed by an individual belong to that individual? So this bill is a pro-piracy bill; too bad we ain't the RIAA.
thank God the internet isn't a human right.
You opt-in by providing your information in the first place. BFD.
Quote: "The underlying principle that anchors this bill is, 'do no harm,' " he said.
If I cannot sue the company when I have been wronged (privacy violated) then this bill will have HARMED me. Simple as that.
There is no innocence in the eyes of an evil man with power. Referring to Judge Roy A. Scoggins 378th District Court
We all love Rick Boucher for his technology initiatives, but surely we're not so conceited as to think he's doing this for us!
Having the support of the technology community is mostly about having the support of millions of pirating, lazy, whiny teenagers and 20-somethings. The Linux community might be made up of can-do type people who don't mind doing work for the good of all, but I'm afraid that this is a solid minority of human beings who use a computer.
So the question is, while he's going on about being on our side (which is worth almost nothing in terms of what we can do for him, since most of us are incurably lazy when it comes to politics), what's he REALLY getting out of it? Why's he willing to anger huge campaign contributors and businessmen and his fellow politicians to support a few million folks who want to pirate mp3s and download movies? Maybe I'm cynical, but that's exactly what I want to know before I give him my unconditional support.
Look, we have in the past emailed/written/called Boucher to say "yay, good job". Why not now call to say "hey, this sucks. we should be able to sue for privacy violations, and we should have to opt in for this shit."
Interestingly enough, I received a letter from my representative in response to one of those charming form letters I had sent electronically re: SPISPOPD or whatever that acronym that scary-ass legislation has been changed to now.
What I noticed most was a) the quality of the paper his response was on, b) the completely mealy-mouthed wishy-washy nature of his response, and c) his request at the end to correspond via e-mail rather than postal mail. Only the latter surprised me.
Apparently, there have been significant delays in postal processing for legislators in light of the anthrax scare (damn that band). I know not whether this is actually the case, or whether he simply wants to keep the internet kooks from filling up his physical inbox.
I am pretty sure my car has emotion. I have to caress the wheel sensually and say it sweet word to make it start from cold in winter.
Same for my computer under windows. If I am on knee and promise to sell my soul to bill gates I remarked that windows crash a bit less. Try it at home !
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"It would at least require companies to obey their own privacy policies."
No it wouldn't, because you wouldn't have any legal action against them if they break it. And I never have heard much in the way of the FTC. We would be completely reliant that the FTC bears of this, and actually doing something.
"Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense."
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
I think in the wake of recent events with CARP, the DMCA, RIAA et al, and now this lovely piece of corporate lobby tripe, it is high time that a larger number of us found our voice and spoke out against the things that are going on around us. It is all well and good to say that "they will see my displeasure in my next vote", but to be perfectly honest with ourselves, how often do you think that legislators actually wonder about "what John Q. Slashdotter is thinking"?
My dad always said, "the squeaky wheel gets the oil" and it is in a large part very true. Those who speak out, repeatedly and loudly, for their rights, their freedoms, those are the people who get what they want. In other words, WRITE your Representatives and your Senators. Call them. Email them. REPEAT. Then repeat again and again and again, until they hear you and do what you want just to shut you the hell up. Make use of the system.
If everyone who reads this article were as persistent and adamant about Privacy Rights as the corporate lobbies are about having NO privacy rights for consumers, then I am sure that those money-grubbing pricks would have a fight on their hands. As is now, the public is a pushover on the scale of McFly. Time to tell Biff to get his damn hands off my privacy.
So I can call my reps and tell them just how I feel about my cc company profiling my medical background.
Sometimes people just have to learn and adapt to change, it is one of the requirements of being a living thing.
Easy. Delaware has the weakest corporation laws in the United States, so many companies incorporate in Delaware to avoid disclosing their true corporate shenanigans.
Here it is... I wanted to prevent the IANALization of this thread. Now you can say, IANALBIPOOS ("I am not a lawyer but I play one on Slashdot"). I would have posted the direct link to THOMAS, but then everyone would have just /.ed the Library of Congress, and they've probably got more important things to do. If you do go to THOMAS, the bill no. is 2201. Had to cut out the ToC - sorry - it was tripping the lameness filter (how appropriate that legislation tweaks the lameness filter. Ha.)
A BILL
To protect the online privacy of individuals who use the Internet.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Online Personal Privacy Act'.
The Congress finds the following:
(1) The right to privacy is a personal and fundamental right worthy of protection through appropriate legislation.
(2) Individuals engaging in and interacting with companies engaged in interstate commerce have a significant interest in their personal information, as well as a right to control how that information is collected, used, or transferred.
(3) Absent the recognition of these rights and the establishment of consequent industry responsibilities to safeguard those rights, the privacy of individuals who use the Internet will soon be more gravely threatened.
(4) To the extent that States regulate, their efforts to address Internet privacy will lead to a patchwork of inconsistent standards and protections.
(5) Existing State, local, and Federal laws provide minimal privacy protection for Internet users.
(6) With the exception of Federal Trade Commission enforcement of laws against unfair and deceptive practices, the Federal Government thus far has eschewed general Internet privacy laws in favor of industry self-regulation, which has led to several self-policing schemes, none of which are enforceable in any meaningful way or provide sufficient privacy protection to individuals.
(7) State governments have been reluctant to enter the field of Internet privacy regulation because use of the Internet often crosses State, or even national, boundaries.
(8) States are nonetheless interested in providing greater privacy protection to their citizens as evidenced by recent lawsuits brought against offline and online companies by State attorneys general to protect the privacy of individuals using the Internet.
(9) The ease of gathering and compiling personal information on the Internet, both overtly and surreptitiously, is becoming increasingly efficient and effortless due to advances in digital communications technology which have provided information gatherers the ability to compile seamlessly highly detailed personal histories of Internet users.
(10) Personal information flowing over the Internet requires greater privacy protection than is currently available today. Vast amounts of personal information, including sensitive information, about individual Internet users are collected on the Internet and sold or otherwise transferred to third parties.
(11) Poll after poll consistently demonstrates that individual Internet users are highly troubled over their lack of control over their personal information.
(12) Market research demonstrates that tens of billions of dollars in e-commerce are lost due to individual fears about a lack of privacy protection on the Internet.
(13) Market research demonstrates that as many as one-third of all Internet users give false information about themselves to protect their privacy, due to fears about a lack of privacy protection on the Internet.
(14) Notwithstanding these concerns, the Internet is becoming a major part of the personal and commercial lives of millions of Americans, providing increased access to information, as well as communications and commercial opportunities.
(15) It is important to establish personal privacy rights and industry obligations now so that individuals have confidence that their personal privacy is fully protected on the Internet.
(16) The social and economic costs of establishing baseline privacy standards now will be lower than if Congress waits until the Internet becomes more prevalent in our everyday lives in coming years.
(17) Whatever costs may be borne by industry will be significantly offset by the economic benefits to the commercial Internet created by increased consumer confidence occasioned by greater privacy protection.
(18) Toward the close of the 20th Century, as individuals' personal information was increasingly collected, profiled, and shared for commercial purposes, and as technology advanced to facilitate these practices, the Congress enacted numerous statutes to protect privacy.
(19) Those statutes apply to the government, telephones, cable television, e-mail, video tape rentals, and the Internet (but only with respect to children).
(20) Those statutes all provide significant privacy protections, but neither limit technology nor stifle business.
(21) Those statutes ensure that the collection and commercialization of individuals' personal information is fair, transparent, and subject to law.
SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.
This Act supersedes any State statute, regulation, or rule regulating Internet privacy to the extent that it relates to the collection, use, or disclosure of personally identifiable information obtained through the Internet.
TITLE I--ONLINE PRIVACY PROTECTION
SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION.
(a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website on the Internet may not collect personally identifiable information from a user, or use or disclose personally identifiable information about a user, of that service or website except in accordance with the provisions of this Act.
(b) APPLICATION TO CERTAIN THIRD-PARTY OPERATORS- The provisions of this Act applicable to internet service providers, online service providers, and commercial website operators apply to any third party, including an advertising network, that uses an internet service provider, online service provider, or commercial website operator to collect information about users of that service or website.
SEC. 102. NOTICE AND CONSENT REQUIREMENTS.
(a) NOTICE- Except as provided in section 104, an internet service provider, online service provider, or operator of a commercial website may not collect personally identifiable information from a user of that service or website online unless that provider or operator provides clear and conspicuous notice to the user in the manner required by this section for the kind of personally identifiable information to be collected. The notice shall disclose--
(1) the specific types of information that will be collected;
(2) the methods of collecting and using the information collected; and
(3) all disclosure practices of that provider or operator for personally identifiable information so collected, including whether it will be disclosed to third parties.
(b) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES OPT-IN CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--
(1) collect sensitive personally identifiable information online, or
(2) disclose or otherwise use such information collected online, from a user of that service or website,
unless the provider or operator obtains that user's affirmative consent to the collection and disclosure or use of that information before, or at the time, the information is collected.
(c) NONSENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES ROBUST NOTICE AND OPT-OUT CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--
(1) collect personally identifiable information not described in subsection (b) online, or
(2) disclose or otherwise use such information collected online, from a user of that service or website,
unless the provider or operator provides robust notice to the user, in addition to clear and conspicuous notice, and has given the user an opportunity to decline consent for such collection and use by the provider or operator before, or at the time, the information is collected.
(d) INITIAL NOTICE ONLY FOR ROBUST NOTICE- An internet service provider, online service provider, or operator of a commercial website shall provide robust notice under subsection (c) of this section to a user only upon its first collection of non-sensitive personally identifiable information from that user, except that a subsequent collection of additional or materially different non-sensitive personally identifiable information from that user shall be treated as a first collection of such information from that user.
(e) PERMANENCE OF CONSENT-
(1) IN GENERAL- The consent or denial of consent by a user of permission to an internet service provider, online service provider, or operator of a commercial website to collect, disclose, or otherwise use any information about that user for which consent is required under this Act--
(A) shall remain in effect until changed by the user; and
(B) shall apply to the collection, disclosure, or other use of that information by any entity that is a commercial successor of, or legal successor-in-interest to, that provider or operator, without regard to the legal form in which such succession was accomplished (including any entity that collects, discloses, or uses such information as a result of a proceeding under chapter 7 or chapter 11 of title 11, United States Code, with respect to the provider or operator).
(2) EXCEPTION- The consent by a user to the collection, disclosure, or other use of information about that user for which consent is required under this Act does not apply to the collection, disclosure, or use of that information by a successor entity under paragraph (1)(B) if--
(A) the kind of information collected by the successor entity about the user is materially different from the kind of information collected by the predecessor entity;
(B) the methods of collecting and using the information employed by the successor entity are materially different from the methods employed by the predecessor entity; or
(C) the disclosure practices of the successor entity are materially different from the practices of the predecessor entity.
SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.
(a) NOTICE OF POLICY CHANGE- Whenever an internet service provider, online service provider, or operator of a commercial website makes a material change in its policy for the collection, use, or disclosure of sensitive or nonsensitive personally identifiable information, it--
(1) shall notify all users of that service or website of the change in policy; and
(2) may not collect, disclose, or otherwise use any sensitive or nonsensitive personally identifiable information in accordance with the changed policy unless the user has been afforded an opportunity to consent, or withhold consent, to its collection, disclosure, or use in accordance with the requirements of section 102 (b) or (c), whichever is applicable.
(b) Notice of Breach of Privacy-
(1) IN GENERAL- If the sensitive or nonsensitive personally identifiable information of a user of an internet service provider, online service provider, or operator of a commercial website--
(A) is collected, disclosed, or otherwise used by the provider or operator in violation of any provision of this Act, or
(B) the security, confidentiality, or integrity of such information is compromised by a hacker or other third party, or by any act or failure to act of the provider or operator,
then the provider or operator shall notify all users whose sensitive or nonsensitive personally identifiable information was affected by the unlawful collection, disclosure, use, or compromise. The notice shall describe the nature of the unlawful collection, disclosure, use, or compromise and the steps taken by the provider or operator to remedy it.
(2) Delay of notification-
(A) ACTION TAKEN BY INDIVIDUALS- If the compromise of the security, confidentiality, or integrity of the information is caused by a hacker or other external interference with the service or website, or by an employee of the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) facilitate the detection and apprehension of the person responsible for the compromise; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of such information.
(B) SYSTEM FAILURES AND OTHER FUNCTIONAL CAUSES- If the unlawful collection, disclosure, use, or compromise of the security, confidentiality, and integrity of the information is the result of a system failure, a problem with the operating system, software, or program used by the internet service provider, online service provider, or operator of the commercial website, or other non-external interference with the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) restore the system's functionality or fix the problem; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of the information after the failure or problem has been fixed and the integrity of the service or website has been restored.
SEC. 104. EXCEPTIONS.
(a) IN GENERAL- Section 102 does not apply to the collection, disclosure, or use by an internet service provider, online service provider, or operator of a commercial website of information about a user of that service or website necessary--
(1) to protect the security or integrity of the service or website or to ensure the safety of other people or property;
(2) to conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information; or
(3) to provide other products and services integrally related to the transaction, service, product, or arrangement for which the user provided the information.
(b) PROTECTED DISCLOSURES- An internet service provider, online service provider, or operator of a commercial website may not be held liable under this Act, any other Federal law, or any State law for any disclosure made in good faith and following reasonable procedures in responding to--
(1) a request for disclosure of personal information under section 1302(b)(1)(B)(iii) of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to the parent of a child; or
(2) a request for access to, or correction or deletion of, personally identifiable information under section 105 of this Act.
(c) Disclosure to Law Enforcement Agency or Under Court Order-
(1) IN GENERAL- Notwithstanding any other provision of this Act, an internet service provider, online service provider, operator of a commercial website, or third party that uses such a service or website to collect information about users of that service or website may disclose personally identifiable information about a user of that service or website--
(A) to a law enforcement, investigatory, national security, or regulatory agency or department of the United States in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or a properly executed administrative compulsory process; and
(B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--
(i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and
(ii) that user is afforded a reasonable opportunity to appear and contest the issuance of requested order or to narrow its scope.
(2) SAFEGUARDS AGAINST FURTHER DISCLOSURE- A court that issues an order described in paragraph (1) shall impose appropriate safeguards on the use of the information to protect against its unauthorized disclosure.
SEC. 105. ACCESS.
(a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website shall--
(1) upon request provide reasonable access to a user to personally identifiable information that the provider or operator has collected from the user online, or that the provider or operator has combined with personally identifiable information collected from the user online after the effective date of this Act;
(2) provide a reasonable opportunity for a user to suggest a correction or deletion of any such information maintained by that provider or operator to which the user was granted access; and
(3) make the correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or make the deletion, for all future disclosure and other use purposes.
(b) EXCEPTION- An internet service provider, online service provider, or operator of a commercial website may decline to make a suggested correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or to make a suggested deletion if the provider or operator--
(1) reasonably believes that the suggested correction or deletion is inaccurate or otherwise inappropriate;
(2) notifies the user in writing, or in digital or other electronic form, of the reasons the provider or operator believes the suggested correction or deletion is inaccurate or otherwise inappropriate; and
(3) provides a reasonable opportunity for the user to refute the reasons given by the provider or operator for declining to make the suggested correction or deletion.
(c) REASONABLENESS TEST- The reasonableness of the access or opportunity provided under subsection (a) or (b) by an internet service provider, online service provider, or operator of a commercial website shall be determined by taking into account such factors as the sensitivity of the information requested and the burden or expense on the provider or operator of complying with the request, correction, or deletion.
(d) Reasonable Access Fee-
(1) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website may impose a reasonable charge for access under subsection (a).
(2) AMOUNT- The amount of the fee shall not exceed $3, except that upon request of a user, a provider or operator shall provide such access without charge to that user if the user certifies in writing that the user--
(A) is unemployed and intends to apply for employment in the 60-day period beginning on the date on which the certification is made;
(B) is a recipient of public welfare assistance; or
(C) has reason to believe that the incorrect information is due to fraud.
SEC. 106. SECURITY.
An internet service provider, online service provider, or operator of a commercial website shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of personally identifiable information maintained by that provider or operator.
TITLE II--ENFORCEMENT
SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
Except as provided in section 202(b) of this Act and section 2710(d) of title 18, United States Code, this Act shall be enforced by the Commission.
SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(a) IN GENERAL- The violation of any provision of title I is an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with title I of this Act shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of title I is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under title I, any other authority conferred on it by law.
(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating title I in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that subtitle is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that subtitle.
(e) Disposition of Civil Penalties Obtained by FTC Enforcement Action Involving Nonsensitive Personally Identifiable Information-
(1) IN GENERAL- If a civil penalty is imposed on an internet service provider, online service provider, or commercial website operator in an enforcement action brought by the Commission for a violation of title I with respect to nonsensitive personally identifiable information of users of the service or website, the penalty shall be--
(A) paid to the Commission;
(B) held by the Commission in trust for distribution under paragraph (2); and
(C) distributed in accordance with paragraph (2).
(2) DISTRIBUTION TO USERS- Under procedures to be established by the Commission, the Commission shall hold any amount received as a civil penalty for violation of title I for a period of not less than 180 days for distribution under those procedures to users--
(A) whose nonsensitive personally identifiable information was the subject of the violation; and
(B) who file claims with the Commission for compensation for loss or damage from the violation at such time, in such manner, and containing such information as the Commission may require.
(3) AMOUNT OF PAYMENT- The amount a user may receive under paragraph (2)--
(i) shall not exceed $200; and
(ii) may be limited by the Commission as necessary to afford each such user a reasonable opportunity to secure that user's appropriate portion of the amount available for distribution.
(4) REMAINDER- If the amount of any such penalty held by the Commission exceeds the sum of the amounts distributed under paragraph (2) attributable to that penalty, the excess shall be covered into the Treasury of the United States as miscellaneous receipts no later than 12 months after it was paid to the Commission.
(f) EFFECT ON OTHER LAWS-
(1) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this subtitle shall be construed to limit the authority of the Commission under any other provision of law.
(2) RELATION TO TITLE II OF COMMUNICATIONS ACT- Nothing in title I requires an operator of a website or online service to take any action that is inconsistent with the requirements of section 222 of the Communications Act of 1934 (47 U.S.C. 222).
(3) RELATION TO TITLE VI OF COMMUNICATIONS ACT- Section 631 of the Communications Act of 1934 (47 U.S.C. 551) is amended by adding at the end the following:
`(i) To the extent that the application of any provision of this title to a cable operator as an internet service provider, online service provider, or operator of a commercial website (as those terms are defined in section 401 of the Online Personal Privacy Act) with respect to the provision of Internet service or online service, or the operation of a commercial website, conflicts with the application of any provision of that Act to such provision or operation, the Act shall be applied in lieu of the conflicting provision of this title.'.
SEC. 203. ACTIONS BY USERS.
(a) PRIVATE RIGHT OF ACTION FOR SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- If an internet service provider, online service provider, or commercial website operator collects, discloses, or uses the sensitive personally identifiable information of any person or fails to provide reasonable access to or reasonable security for such sensitive personally identifiable information in violation of any provision of title I then that person may bring an action in a district court of the United States of appropriate jurisdiction--
(1) to enjoin or restrain a violation of title I or to obtain other appropriate relief; and
(2) upon a showing of actual harm to that person caused by the violation, to recover the greater of--
(A) the actual monetary loss from the violation; or
(B) $5,000.
(b) REPEATED VIOLATIONS- If the court finds, in an action brought under subsection (a) to recover damages, that the defendant repeatedly and knowingly violated title I, the court may, in its discretion, increase the amount of the award available under subsection (a)(2)(B) to an amount not in excess of $100,000.
(c) EXCEPTION- Neither an action to enjoin or restrain a violation, nor an action to recover for loss or damage, may be brought under this section for the accidental disclosure of information if the disclosure was caused by an Act of God, unforeseeable network or systems failure, or other event beyond the control of the Internet service provider, online service provider, or operator of a commercial website.
SEC. 204. ACTIONS BY STATES.
(a) IN GENERAL-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates title I, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--
(A) to enjoin that practice;
(B) to enforce compliance with the rule;
(C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) to obtain such other relief as the court may consider to be appropriate.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) INTERVENTION-
(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of title I, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.
(e) VENUE; SERVICE OF PROCESS-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 205. WHISTLEBLOWER PROTECTION.
(a) IN GENERAL- No internet service provider, online service provider, or commercial website operator may discharge or otherwise discriminate against any employee with respect to compensation, terms, conditions, or privileges of employment because the employee (or any person acting pursuant to the request of the employee) provided information to any Federal or State agency or to the Attorney General of the United States or of any State regarding a violation of any provision of title I.
(b) ENFORCEMENT- Any employee or former employee who believes he has been discharged or discriminated against in violation of subsection (a) may file a civil action in the appropriate United States district court before the close of the 2-year period beginning on the date of such discharge or discrimination. The complainant shall also file a copy of the complaint initiating such action with the appropriate Federal agency.
(c) REMEDIES- If the district court determines that a violation of subsection (a) has occurred, it may order the Internet service provider, online service provider, or commercial website operator that committed the violation--
(1) to reinstate the employee to his former position;
(2) to pay compensatory damages; or
(3) to take other appropriate actions to remedy any past discrimination.
(d) LIMITATION- The protections of this section shall not apply to any employee who--
(1) deliberately causes or participates in the alleged violation; or
(2) knowingly or recklessly provides substantially false information to such an agency or the Attorney General.
(e) BURDENS OF PROOF- The legal burdens of proof that prevail under subchapter III of chapter 12 of title 5, United States Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected activities under this section.
SEC. 206. NO EFFECT ON OTHER REMEDIES.
The remedies provided by sections 203 and 204 are in addition to any other remedy available under any provision of law.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
SEC. 301. SENATE.
The Sergeant at Arms of the United States Senate shall develop regulations setting forth an information security and electronic privacy policy governing use of the Internet by officers and employees of the Senate that meets the requirements of title I.
SEC. 302. APPLICATION TO FEDERAL AGENCIES.
(a) IN GENERAL- Except as provided in subsection (b), this Act applies to each Federal agency that is an internet service provider or an online service provider, or that operates a website, to the extent provided by section 2674 of title 28, United States Code.
(b) EXCEPTIONS- This Act does not apply to any Federal agency to the extent that the application of this Act would compromise law enforcement activities or the administration of any investigative, security, or safety operation conducted in accordance with Federal law.
TITLE IV--MISCELLANEOUS
SEC. 401. DEFINITIONS.
In this Act:
(1) COLLECT- The term `collect' means the gathering of personally identifiable information about a user of an Internal service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including--
(A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;
(B) the use of a chat room, message board, or other online service to gather the information; or
(C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies or other tracking technology.
(2) COMMISSION- The term `Commission' means the Federal Trade Commission.
(3) COOKIE- The term `cookie' means any program, function, or device, commonly known as a `cookie', that makes a record on the user's computer (or other electronic device) of that user's access to an internet service, online service, or commercial website.
(4) DISCLOSE- The term `disclose' means the release of personally identifiable information about a user of an Internet service, online service, or commercial website by an internet service provider, online service provider, or operator of a commercial website for any purpose, except where such information is provided to a person who provides support for the internal operations of the service or website and who does not disclose or use that information for any other purpose.
(5) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined in section 551(1) of title 5, United States Code.
(6) INTERNAL OPERATIONS SUPPORT- The term `support for the internal operations of a service or website' means any activity necessary to maintain the technical functionality of that service or website.
(7) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(8) INTERNET SERVICE PROVIDER; ONLINE SERVICE PROVIDER; WEBSITE- The Commission shall by rule define the terms `internet service provider', `online service provider', and `website', and shall revise or amend such rule to take into account changes in technology, practice, or procedure with respect to the collection of personal information over the Internet.
(9) ONLINE- The term `online' refers to any activity regulated by this Act or by section 2710 of title 18, United States Code, that is effected by active or passive use of an Internet connection, regardless of the medium by or through which that connection is established.
(10) OPERATOR OF A COMMERCIAL WEBSITE- The term `operator of a commercial website'--
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(11) PERSONALLY IDENTIFIABLE INFORMATION-
(A) IN GENERAL- The term `personally identifiable information' means individually identifiable information about an individual collected online, including--
(i) a first and last name, whether given at birth or adoption, assumed, or legally changed;
(ii) a home or other physical address including street name and name of a city or town;
(iii) an e-mail address;
(iv) a telephone number;
(v) a birth certificate number;
(vi) any other identifier for which the Commission finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual; or
(vii) information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in clauses (i) through (vi) of this subparagraph.
(B) INFERENTIAL INFORMATION EXCLUDED- Information about an individual derived or inferred from data collected online but not actually collected online is not personally identifiable information.
(12) RELEASE- The term `release of personally identifiable information' means the direct or indirect, sharing, selling, renting, or other provision of personally identifiable information of a user of an internet service, online service, or commercial website to any other person other than the user.
(13) ROBUST NOTICE- The term `robust notice' means actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes.
(14) SENSITIVE FINANCIAL INFORMATION- The term `sensitive financial information' means--
(A) the amount of income earned or losses suffered by an individual;
(B) an individual's account number or balance information for a savings, checking, money market, credit card, brokerage, or other financial services account;
(C) the access code, security password, or similar mechanism that permits access to an individual's financial services account;
(D) an individual's insurance policy information, including the existence, premium, face amount, or coverage limits of an insurance policy held by or for the benefit of an individual; or
(E) an individual's outstanding credit card, debt, or loan obligations.
(15) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term `sensitive personally identifiable information' means personally identifiable information about an individual's--
(A) individually identifiable health information (as defined in section 164.501 of title 45, Code of Federal Regulations);
(B) race or ethnicity;
(C) political party affiliation;
(D) religious beliefs;
(E) sexual orientation;
(F) a Social Security number; or
(G) sensitive financial information.
SEC. 402. EFFECTIVE DATE OF TITLE I.
Title I of this Act takes effect on the day after the date on which the Commission publishes a final rule under section 403.
SEC. 403. FTC RULEMAKING.
The Commission shall--
(1) initiate a rulemaking within 90 days after the date of enactment of this Act for regulations to implement the provisions of title I; and
(2) complete that rulemaking within 270 days after initiating it.
SEC. 404. FTC REPORT.
(a) REPORT- The Commission shall submit a report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Commerce 18 months after the effective date of title I, and annually thereafter, on--
(1) whether this Act is accomplishing the purposes for which it was enacted;
(2) whether technology that protects privacy is being utilized in the marketplace in such a manner as to facilitate administration of and compliance with title I;
(3) whether additional legislation is required to accomplish those purposes or improve the administrability or effectiveness of this Act;
(4) whether legislation is appropriate or necessary to regulate the collection, use, and distribution of personally identifiable information collected other than via the Internet;
(5) whether and how the government might assist industry in developing standard online privacy notices that substantially comply with the requirements of section 102(a);
(6) whether and how the creation of a set of self-regulatory guidelines established by independent safe harbor organizations and approved by the Commission would facilitate administration of and compliance with title I; and
(7) whether additional legislation is necessary or appropriate to regulate the collection, use, and disclosure of personally identifiable information collected online before the effective date of title I.
(b) FTC NOTICE OF INQUIRY- The Commission shall initiate a notice of inquiry within 90 days after the date of enactment of this Act to request comment on the matter described in paragraphs (1) through (7) of subsection (a).
SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsection (d) as subsection (e); and
(2) by inserting after subsection (c) the following:
`(d) DEVELOPMENT OF INTERNET PRIVACY PROGRAM- The Institute shall encourage and support the development of one or more computer programs, protocols, or other software, such as the World Wide Web Consortium's P3P program, capable of being installed on computers, or computer networks, with Internet access that would reflect the user's preferences for protecting personally-identifiable or other sensitive, privacy-related information, and automatically execute the program, once activated, without requiring user intervention.'.
END
It may be cold, but at least it's clear.
I want a law making it illegal to mislead people when naming or describing laws. Putting a little spin on law names is one thing, but calling something a "privacy law" when it's really a "no privacy law" or a "loss of privacy law" is just garbage.
My law, new style, could be called "No False Advertising in Congress". Old style, it could be called, "Misleading People for a Better America" or "Beef Jerky" or something.
Blah.
-Puk
"The bill has lined up 22 co-sponsors from both sides of the aisle, among them Rep. Billy Tauzin, the Louisiana Republican who chairs the House Energy and Commerce Committee."
The same Billy Tauzin that's in BellSouth's back pocket and is currently sponsoring a bill to increase the Baby Bells' monopoly powers? YES INDEED!
I swear this November just can't come soon enough... maybe I should start writing letters to the local papers now...
NUMBER:
H.R.4678
OFFICIAL TITLE AS INTRODUCED:
To protect and enhance consumer privacy, and for other purposes.
SEE THE BILL HERE:
http://thomas.loc.gov/cgi-bin/query/z?c107
Simple people talk of people, better people talk of events, great people talk of ideas.
A group of business leaders from high-tech firms said the bill struck the right balance between consumers and businesses
It would be interesting to know which tech businesses are behind this. That way I can keep a closer eye on my dealings with them.
As others have said, I don't see how this is a privacy bill. It's best described as an anti-piracy or piracy removal effort.
And I definitely don't understand why this would make more people use the internet. Unless I misread the intent, this would make people more wary of giving out information for fear that they would accidentally be releasing a company to use their sensitive info in any way they choose.
And taking away a person's right to sue? I thought that was in the constitution. : )
Most people would die sooner than think; in fact, they do.
Until US citizens become more aware of privacy concerns, not only will businesses abuse information, but the US government itself. According to the ACLU, census data has been abused in the past, used by the government during WW2 to round up citizens of Japanese ancestry. Considering the local political climate of special interest, and the historical use of private information by the US government, it is clear to see how US policy will unfold.
The bill would cover transactions both on the Internet and in the "offline" world, and would override state laws that place more restrictions on commercial use of personal information. Sponsors said the bill would establish basic privacy protections for consumers while minimizing the impact on business.
...
"Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense.
Companies submitting to a self-regulatory privacy regime such as TRUSTe or BBBonline would enjoy protection from FTC actions."
This is absolutely obscene. It overrides more restrictive state laws (so much for Republicans respecting states' rights), removes consumers' right to sue when they are wronged, and protects companies who enroll in TrustE's BS service to escape FTC punishment when they violate the rules. Sounds like those campaign bribes, er, contributions are paying off big.
"You done taken a wrong turn."
-Bill McKinney, in Deliverance
As a dual Canadian/American, born in the USA, I have rights as a Canadian citizen resident in the USA.
Congress can propose, but they can't gut a treaty - and Free Trade gave Canada and Mexico the right to sue on behalf of their nationals.
Forcing me to use opt-out when I'm required by the Electronic Privacy Act enacted by Canada in January of 2001 to be given opt-in just won't fly.
Time to use that birthright of mine, the lawsuit, to shame those who would take my other American birthright, privacy.
-
--- Will in Seattle - What are you doing to fight the War?
Birds of prey or what? WWF is a trademark since 1968 of the World Wildlife Foundation.
"Delaware" has the same root as "delete", and means "the state that should be deleted from the US flag" in the Algonquin language.
Imagine a few thousand people standing in a line waiting for their turn to do something to you that you don't like. Say, poking their finger in your eye. You can stop them but you must "opt-out" of the eye poking. Worse yet, you must "opt-out" for each eye poking experience individually. And of course the icing on the cake is that each one of them gets to poke you in the eye at least once before you are allowed to "opt-out."
The race isn't always to the swift... but that's the way to bet!
This is total BULL SHIT. Privacy should damn well be a Default thing to respect, unless given written permission by the individual that it is ok to invade one's privacy.
The reason for this is really very simple.
I don't want to fucking spend my time and money on having to respond to every gawd damn company tellin them NO!
I'm a long term US citizen, IS that enough to get respect?!!!
Remember, you have already *lost* privacy. As an individual you can be mapped. This just helps in a large filtering kind of way.
If we all copyright our personal information and any derivative thereof we will be safe from this 'privacy' legislation.
Use the DMCA against business.
If anyone is listening this late in the forum and would be interested in setting up a web portal for posting copyrighted personal info...
I wonder how that would work? If you publicly post your info and in a copyright format, can a business use it without your permission?
A fool throws a stone into a well and a thousand sages can not remove it.
I can't, that was the first bogus entry I added to my Squid/DNS.
If this thing flies, we'll have to populate participant's DBs with spurious and junk data. Just like how I subscribed several pets to Reader's Digest junkmail.
Xix.
"Everything is adjustable, provided you have the right tools"
How will they avoid diluting the quality of the data?
It would be possible to create interesting correlations by registering the same bogus name across multiple sites, this would be reflected automatically if you generated random details from a set of common tables. I can see Nadine doing a lot of shopping.
The possibilities are boundless...
Xix.
"Everything is adjustable, provided you have the right tools"