Yeah - but can anyone explain why Network Associates wants to orphan their privacy software at a time when online privacy concerns are really coming into focus? Seems like this is a time to be getting into the market, rather than out.
Any chance they're worried about the implications of widely available privacy software for "bad guys"?
Here it is... I wanted to prevent the IANALization of this thread. Now you can say, IANALBIPOOS ("I am not a lawyer but I play one on Slashdot"). I would have posted the direct link to THOMAS, but then everyone would have just /.ed the Library of Congress, and they've probably got more important things to do. If you do go to THOMAS, the bill no. is 2201. Had to cut out the ToC - sorry - it was tripping the lameness filter (how appropriate that legislation tweaks the lameness filter. Ha.)
A BILL To protect the online privacy of individuals who use the Internet.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Online Personal Privacy Act'.
The Congress finds the following:
(1) The right to privacy is a personal and fundamental right worthy of protection through appropriate legislation.
(2) Individuals engaging in and interacting with companies engaged in interstate commerce have a significant interest in their personal information, as well as a right to control how that information is collected, used, or transferred.
(3) Absent the recognition of these rights and the establishment of consequent industry responsibilities to safeguard those rights, the privacy of individuals who use the Internet will soon be more gravely threatened.
(4) To extent that States regulate, their efforts to address Internet privacy will lead to a patchwork of inconsistent standards and protections.
(5) Existing State, local, and Federal laws provide minimal privacy protection for Internet users.
(6) With the exception of Federal Trade Commission enforcement of laws against unfair and deceptive practices, the Federal Government thus far has eschewed general Internet privacy laws in favor of industry self-regulation, which has led to several self-policing schemes, none of which are enforceable in any meaningful way or provide sufficient privacy protection to individuals.
(7) State governments have been reluctant to enter the field of Internet privacy regulation because use of the Internet often crosses State, or even national, boundaries.
(8) States are nonetheless interested in providing greater privacy protection to their citizens as evidenced by recent lawsuits brought against offline and online companies by State attorneys general to protect the privacy of individuals using the Internet.
(9) The ease of gathering and compiling personal information on the Internet, both overtly and surreptitiously, is becoming increasingly efficient and effortless due to advances in digital communications technology which have provided information gatherers the ability to compile seamlessly highly detailed personal histories of Internet users.
(10) Personal information flowing over the Internet requires greater privacy protection than is currently available today. Vast amounts of personal information, including sensitive information, about individual Internet users are collected on the Internet and sold or otherwise transferred to third parties.
(11) Poll after poll consistently demonstrates that individual Internet users are highly troubled over their lack of control over their personal information.
(12) Market research demonstrates that tens of billions of dollars in e-commerce are lost due to individual fears about a lack of privacy protection on the Internet.
(13) Market research demonstrates that as many as one-third of all Internet users give false information about themselves to protect their privacy, due to fears about a lack of privacy protection on the Internet.
(14) Notwithstanding these concerns, the Internet is becoming a major part of the personal and commercial lives of millions of Americans, providing increased access to information, as well as communications and commercial opportunities.
(15) It is important to establish personal privacy rights and industry obligations now so that individuals have confidence that their personal privacy is fully protected on the Internet.
(16) The social and economic costs of establishing baseline privacy standards now will be lower than if Congress waits until the Internet becomes more prevalent in our everyday lives in coming years.
(17) Whatever costs may be borne by industry will be significantly offset by the economic benefits to the commercial Internet created by increased consumer confidence occasioned by greater privacy protection.
(18) Toward the close of the 20th Century, as individuals' personal information was increasingly collected, profiled, and shared for commercial purposes, and as technology advanced to facilitate these practices, the Congress enacted numerous statutes to protect privacy.
(19) Those statutes apply to the government, telephones, cable television, e-mail, video tape rentals, and the Internet (but only with respect to children).
(20) Those statutes all provide significant privacy protections, but neither limit technology nor stifle business.
(21) Those statutes ensure that the collection and commercialization of individuals' personal information is fair, transparent, and subject to law.
SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.
This Act supersedes any State statute, regulation, or rule regulating Internet privacy to the extent that it relates to the collection, use, or disclosure of personally identifiable information obtained through the Internet.
TITLE I--ONLINE PRIVACY PROTECTION
SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION.
(a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website on the Internet may not collect personally identifiable information from a user, or use or disclose personally identifiable information about a user, of that service or website except in accordance with the provisions of this Act.
(b) APPLICATION TO CERTAIN THIRD-PARTY OPERATORS- The provisions of this Act applicable to internet service providers, online service providers, and commercial website operators apply to any third party, including an advertising network, that uses an internet service provider, online service provider, or commercial website operator to collect information about users of that service or website.
SEC. 102. NOTICE AND CONSENT REQUIREMENTS.
(a) NOTICE- Except as provided in section 104, an internet service provider, online service provider, or operator of a commercial website may not collect personally identifiable information from a user of that service or website online unless that provider or operator provides clear and conspicuous notice to the user in the manner required by this section for the kind of personally identifiable information to be collected. The notice shall disclose--
(1) the specific types of information that will be collected;
(2) the methods of collecting and using the information collected; and
(3) all disclosure practices of that provider or operator for personally identifiable information so collected, including whether it will be disclosed to third parties.
(b) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES OPT-IN CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--
(1) collect sensitive personally identifiable information online, or
(2) disclose or otherwise use such information collected online, from a user of that service or website,
unless the provider or operator obtains that user's affirmative consent to the collection and disclosure or use of that information before, or at the time, the information is collected.
(c) NONSENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES ROBUST NOTICE AND OPT-OUT CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--
(1) collect personally identifiable information not described in subsection (b) online, or
(2) disclose or otherwise use such information collected online, from a user of that service or website,
unless the provider or operator provides robust notice to the user, in addition to clear and conspicuous notice, and has given the user an opportunity to decline consent for such collection and use by the provider or operator before, or at the time, the information is collected.
(d) INITIAL NOTICE ONLY FOR ROBUST NOTICE- An internet service provider, online service provider, or operator of a commercial website shall provide robust notice under subsection (c) of this section to a user only upon its first collection of non-sensitive personally identifiable information from that user, except that a subsequent collection of additional or materially different non-sensitive personally identifiable information from that user shall be treated as a first collection of such information from that user.
(e) PERMANENCE OF CONSENT-
(1) IN GENERAL- The consent or denial of consent by a user of permission to an internet service provider, online service provider, or operator of a commercial website to collect, disclose, or otherwise use any information about that user for which consent is required under this Act--
(A) shall remain in effect until changed by the user; and
(B) shall apply to the collection, disclosure, or other use of that information by any entity that is a commercial successor of, or legal successor-in-interest to, that provider or operator, without regard to the legal form in which such succession was accomplished (including any entity that collects, discloses, or uses such information as a result of a proceeding under chapter 7 or chapter 11 of title 11, United States Code, with respect to the provider or operator).
(2) EXCEPTION- The consent by a user to the collection, disclosure, or other use of information about that user for which consent is required under this Act does not apply to the collection, disclosure, or use of that information by a successor entity under paragraph (1)(B) if--
(A) the kind of information collected by the successor entity about the user is materially different from the kind of information collected by the predecessor entity;
(B) the methods of collecting and using the information employed by the successor entity are materially different from the methods employed by the predecessor entity; or
(C) the disclosure practices of the successor entity are materially different from the practices of the predecessor entity.
SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.
(a) NOTICE OF POLICY CHANGE- Whenever an internet service provider, online service provider, or operator of a commercial website makes a material change in its policy for the collection, use, or disclosure of sensitive or nonsensitive personally identifiable information, it--
(1) shall notify all users of that service or website of the change in policy; and
(2) may not collect, disclose, or otherwise use any sensitive or nonsensitive personally identifiable information in accordance with the changed policy unless the user has been afforded an opportunity to consent, or withhold consent, to its collection, disclosure, or use in accordance with the requirements of section 102 (b) or (c), whichever is applicable.
(b) Notice of Breach of Privacy-
(1) IN GENERAL- If the sensitive or nonsensitive personally identifiable information of a user of an internet service provider, online service provider, or operator of a commercial website--
(A) is collected, disclosed, or otherwise used by the provider or operator in violation of any provision of this Act, or
(B) the security, confidentiality, or integrity of such information is compromised by a hacker or other third party, or by any act or failure to act of the provider or operator,
then the provider or operator shall notify all users whose sensitive or nonsensitive personally identifiable information was affected by the unlawful collection, disclosure, use, or compromise. The notice shall describe the nature of the unlawful collection, disclosure, use, or compromise and the steps taken by the provider or operator to remedy it.
(2) Delay of notification-
(A) ACTION TAKEN BY INDIVIDUALS- If the compromise of the security, confidentiality, or integrity of the information is caused by a hacker or other external interference with the service or website, or by an employee of the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) facilitate the detection and apprehension of the person responsible for the compromise; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of such information.
(B) SYSTEM FAILURES AND OTHER FUNCTIONAL CAUSES- If the unlawful collection, disclosure, use, or compromise of the security, confidentiality, and integrity of the information is the result of a system failure, a problem with the operating system, software, or program used by the internet service provider, online service provider, or operator of the commercial website, or other non-external interference with the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) restore the system's functionality or fix the problem; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of the information after the failure or problem has been fixed and the integrity of the service or website has been restored.
SEC. 104. EXCEPTIONS.
(a) IN GENERAL- Section 102 does not apply to the collection, disclosure, or use by an internet service provider, online service provider, or operator of a commercial website of information about a user of that service or website necessary--
(1) to protect the security or integrity of the service or website or to ensure the safety of other people or property;
(2) to conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information; or
(3) to provide other products and services integrally related to the transaction, service, product, or arrangement for which the user provided the information.
(b) PROTECTED DISCLOSURES- An internet service provider, online service provider, or operator of a commercial website may not be held liable under this Act, any other Federal law, or any State law for any disclosure made in good faith and following reasonable procedures in responding to--
(1) a request for disclosure of personal information under section 1302(b)(1)(B)(iii) of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to the parent of a child; or
(2) a request for access to, or correction or deletion of, personally identifiable information under section 105 of this Act.
(c) Disclosure to Law Enforcement Agency or Under Court Order-
(1) IN GENERAL- Notwithstanding any other provision of this Act, an internet service provider, online service provider, operator of a commercial website, or third party that uses such a service or website to collect information about users of that service or website may disclose personally identifiable information about a user of that service or website--
(A) to a law enforcement, investigatory, national security, or regulatory agency or department of the United States in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or a properly executed administrative compulsory process; and
(B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--
(i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and
(ii) that user is afforded a reasonable opportunity to appear and contest the issuance of requested order or to narrow its scope.
(2) SAFEGUARDS AGAINST FURTHER DISCLOSURE- A court that issues an order described in paragraph (1) shall impose appropriate safeguards on the use of the information to protect against its unauthorized disclosure.
SEC. 105. ACCESS.
(a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website shall--
(1) upon request provide reasonable access to a user to personally identifiable information that the provider or operator has collected from the user online, or that the provider or operator has combined with personally identifiable information collected from the user online after the effective date of this Act;
(2) provide a reasonable opportunity for a user to suggest a correction or deletion of any such information maintained by that provider or operator to which the user was granted access; and
(3) make the correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or make the deletion, for all future disclosure and other use purposes.
(b) EXCEPTION- An internet service provider, online service provider, or operator of a commercial website may decline to make a suggested correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or to make a suggested deletion if the provider or operator--
(1) reasonably believes that the suggested correction or deletion is inaccurate or otherwise inappropriate;
(2) notifies the user in writing, or in digital or other electronic form, of the reasons the provider or operator believes the suggested correction or deletion is inaccurate or otherwise inappropriate; and
(3) provides a reasonable opportunity for the user to refute the reasons given by the provider or operator for declining to make the suggested correction or deletion.
(c) REASONABLENESS TEST- The reasonableness of the access or opportunity provided under subsection (a) or (b) by an internet service provider, online service provider, or operator of a commercial website shall be determined by taking into account such factors as the sensitivity of the information requested and the burden or expense on the provider or operator of complying with the request, correction, or deletion.
(d) Reasonable Access Fee-
(1) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website may impose a reasonable charge for access under subsection (a).
(2) AMOUNT- The amount of the fee shall not exceed $3, except that upon request of a user, a provider or operator shall provide such access without charge to that user if the user certifies in writing that the user--
(A) is unemployed and intends to apply for employment in the 60-day period beginning on the date on which the certification is made;
(B) is a recipient of public welfare assistance; or
(C) has reason to believe that the incorrect information is due to fraud.
SEC. 106. SECURITY.
An internet service provider, online service provider, or operator of a commercial website shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of personally identifiable information maintained by that provider or operator.
TITLE II--ENFORCEMENT
SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
Except as provided in section 202(b) of this Act and section 2710(d) of title 18, United States Code, this Act shall be enforced by the Commission.
SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(a) IN GENERAL- The violation of any provision of title I is an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with title I of this Act shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of title I is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under title I, any other authority conferred on it by law.
(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating title I in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that subtitle is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that subtitle.
(e) Disposition of Civil Penalties Obtained by FTC Enforcement Action Involving Nonsensitive Personally Identifiable Information-
(1) IN GENERAL- If a civil penalty is imposed on an internet service provider, online service provider, or commercial website operator in an enforcement action brought by the Commission for a violation of title I with respect to nonsensitive personally identifiable information of users of the service or website, the penalty shall be--
(A) paid to the Commission;
(B) held by the Commission in trust for distribution under paragraph (2); and
(C) distributed in accordance with paragraph (2).
(2) DISTRIBUTION TO USERS- Under procedures to be established by the Commission, the Commission shall hold any amount received as a civil penalty for violation of title I for a period of not less than 180 days for distribution under those procedures to users--
(A) whose nonsensitive personally identifiable information was the subject of the violation; and
(B) who file claims with the Commission for compensation for loss or damage from the violation at such time, in such manner, and containing such information as the Commission may require.
(3) AMOUNT OF PAYMENT- The amount a user may receive under paragraph (2)--
(i) shall not exceed $200; and
(ii) may be limited by the Commission as necessary to afford each such user a reasonable opportunity to secure that user's appropriate portion of the amount available for distribution.
(4) REMAINDER- If the amount of any such penalty held by the Commission exceeds the sum of the amounts distributed under paragraph (2) attributable to that penalty, the excess shall be covered into the Treasury of the United States as miscellaneous receipts no later than 12 months after it was paid to the Commission.
(f) EFFECT ON OTHER LAWS-
(1) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this subtitle shall be construed to limit the authority of the Commission under any other provision of law.
(2) RELATION TO TITLE II OF COMMUNICATIONS ACT- Nothing in title I requires an operator of a website or online service to take any action that is inconsistent with the requirements of section 222 of the Communications Act of 1934 (47 U.S.C. 222).
(3) RELATION TO TITLE VI OF COMMUNICATIONS ACT- Section 631 of the Communications Act of 1934 (47 U.S.C. 551) is amended by adding at the end the following:
`(i) To the extent that the application of any provision of this title to a cable operator as an internet service provider, online service provider, or operator of a commercial website (as those terms are defined in section 401 of the Online Personal Privacy Act) with respect to the provision of Internet service or online service, or the operation of a commercial website, conflicts with the application of any provision of that Act to such provision or operation, the Act shall be applied in lieu of the conflicting provision of this title.'.
SEC. 203. ACTIONS BY USERS.
(a) PRIVATE RIGHT OF ACTION FOR SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- If an internet service provider, online service provider, or commercial website operator collects, discloses, or uses the sensitive personally identifiable information of any person or fails to provide reasonable access to or reasonable security for such sensitive personally identifiable information in violation of any provision of title I then that person may bring an action in a district court of the United States of appropriate jurisdiction--
(1) to enjoin or restrain a violation of title I or to obtain other appropriate relief; and
(2) upon a showing of actual harm to that person caused by the violation, to recover the greater of--
(A) the actual monetary loss from the violation; or
(B) $5,000.
(b) REPEATED VIOLATIONS- If the court finds, in an action brought under subsection (a) to recover damages, that the defendant repeatedly and knowingly violated title I, the court may, in its discretion, increase the amount of the award available under subsection (a)(2)(B) to an amount not in excess of $100,000.
(c) EXCEPTION- Neither an action to enjoin or restrain a violation, nor an action to recover for loss or damage, may be brought under this section for the accidental disclosure of information if the disclosure was caused by an Act of God, unforeseeable network or systems failure, or other event beyond the control of the Internet service provider, online service provider, or operator of a commercial website.
SEC. 204. ACTIONS BY STATES.
(a) IN GENERAL-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates title I, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--
(A) to enjoin that practice;
(B) to enforce compliance with the rule;
(C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) to obtain such other relief as the court may consider to be appropriate.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) INTERVENTION-
(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of title I, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.
(e) VENUE; SERVICE OF PROCESS-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 205. WHISTLEBLOWER PROTECTION.
(a) IN GENERAL- No internet service provider, online service provider, or commercial website operator may discharge or otherwise discriminate against any employee with respect to compensation, terms, conditions, or privileges of employment because the employee (or any person acting pursuant to the request of the employee) provided information to any Federal or State agency or to the Attorney General of the United States or of any State regarding a violation of any provision of title I.
(b) ENFORCEMENT- Any employee or former employee who believes he has been discharged or discriminated against in violation of subsection (a) may file a civil action in the appropriate United States district court before the close of the 2-year period beginning on the date of such discharge or discrimination. The complainant shall also file a copy of the complaint initiating such action with the appropriate Federal agency.
(c) REMEDIES- If the district court determines that a violation of subsection (a) has occurred, it may order the Internet service provider, online service provider, or commercial website operator that committed the violation--
(1) to reinstate the employee to his former position;
(2) to pay compensatory damages; or
(3) to take other appropriate actions to remedy any past discrimination.
(d) LIMITATION- The protections of this section shall not apply to any employee who--
(1) deliberately causes or participates in the alleged violation; or
(2) knowingly or recklessly provides substantially false information to such an agency or the Attorney General.
(e) BURDENS OF PROOF- The legal burdens of proof that prevail under subchapter III of chapter 12 of title 5, United States Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected activities under this section.
SEC. 206. NO EFFECT ON OTHER REMEDIES.
The remedies provided by sections 203 and 204 are in addition to any other remedy available under any provision of law.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
SEC. 301. SENATE.
The Sergeant at Arms of the United States Senate shall develop regulations setting forth an information security and electronic privacy policy governing use of the Internet by officers and employees of the Senate that meets the requirements of title I.
SEC. 302. APPLICATION TO FEDERAL AGENCIES.
(a) IN GENERAL- Except as provided in subsection (b), this Act applies to each Federal agency that is an internet service provider or an online service provider, or that operates a website, to the extent provided by section 2674 of title 28, United States Code.
(b) EXCEPTIONS- This Act does not apply to any Federal agency to the extent that the application of this Act would compromise law enforcement activities or the administration of any investigative, security, or safety operation conducted in accordance with Federal law.
TITLE IV--MISCELLANEOUS
SEC. 401. DEFINITIONS.
In this Act:
(1) COLLECT- The term `collect' means the gathering of personally identifiable information about a user of an Internal service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including--
(A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;
(B) the use of a chat room, message board, or other online service to gather the information; or
(C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies or other tracking technology.
(2) COMMISSION- The term `Commission' means the Federal Trade Commission.
(3) COOKIE- The term `cookie' means any program, function, or device, commonly known as a `cookie', that makes a record on the user's computer (or other electronic device) of that user's access to an internet service, online service, or commercial website.
(4) DISCLOSE- The term `disclose' means the release of personally identifiable information about a user of an Internet service, online service, or commercial website by an internet service provider, online service provider, or operator of a commercial website for any purpose, except where such information is provided to a person who provides support for the internal operations of the service or website and who does not disclose or use that information for any other purpose.
(5) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined in section 551(1) of title 5, United States Code.
(6) INTERNAL OPERATIONS SUPPORT- The term `support for the internal operations of a service or website' means any activity necessary to maintain the technical functionality of that service or website.
(7) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(8) INTERNET SERVICE PROVIDER; ONLINE SERVICE PROVIDER; WEBSITE- The Commission shall by rule define the terms `internet service provider', `online service provider', and `website', and shall revise or amend such rule to take into account changes in technology, practice, or procedure with respect to the collection of personal information over the Internet.
(9) ONLINE- The term `online' refers to any activity regulated by this Act or by section 2710 of title 18, United States Code, that is effected by active or passive use of an Internet connection, regardless of the medium by or through which that connection is established.
(10) OPERATOR OF A COMMERCIAL WEBSITE- The term `operator of a commercial website'--
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(11) PERSONALLY IDENTIFIABLE INFORMATION-
(A) IN GENERAL- The term `personally identifiable information' means individually identifiable information about an individual collected online, including--
(i) a first and last name, whether given at birth or adoption, assumed, or legally changed;
(ii) a home or other physical address including street name and name of a city or town;
(iii) an e-mail address;
(iv) a telephone number;
(v) a birth certificate number;
(vi) any other identifier for which the Commission finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual; or
(vii) information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in clauses (i) through (vi) of this subparagraph.
(B) INFERENTIAL INFORMATION EXCLUDED- Information about an individual derived or inferred from data collected online but not actually collected online is not personally identifiable information.
(12) RELEASE- The term `release of personally identifiable information' means the direct or indirect, sharing, selling, renting, or other provision of personally identifiable information of a user of an internet service, online service, or commercial website to any other person other than the user.
(13) ROBUST NOTICE- The term `robust notice' means actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes.
(14) SENSITIVE FINANCIAL INFORMATION- The term `sensitive financial information' means--
(A) the amount of income earned or losses suffered by an individual;
(B) an individual's account number or balance information for a savings, checking, money market, credit card, brokerage, or other financial services account;
(C) the access code, security password, or similar mechanism that permits access to an individual's financial services account;
(D) an individual's insurance policy information, including the existence, premium, face amount, or coverage limits of an insurance policy held by or for the benefit of an individual; or
(E) an individual's outstanding credit card, debt, or loan obligations.
(15) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term `sensitive personally identifiable information' means personally identifiable information about an individual's--
(A) individually identifiable health information (as defined in section 164.501 of title 45, Code of Federal Regulations);
(B) race or ethnicity;
(C) political party affiliation;
(D) religious beliefs;
(E) sexual orientation;
(F) a Social Security number; or
(G) sensitive financial information.
SEC. 402. EFFECTIVE DATE OF TITLE I.
Title I of this Act takes effect on the day after the date on which the Commission publishes a final rule under section 403.
SEC. 403. FTC RULEMAKING.
The Commission shall--
(1) initiate a rulemaking within 90 days after the date of enactment of this Act for regulations to implement the provisions of title I; and
(2) complete that rulemaking within 270 days after initiating it.
SEC. 404. FTC REPORT.
(a) REPORT- The Commission shall submit a report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Commerce 18 months after the effective date of title I, and annually thereafter, on--
(1) whether this Act is accomplishing the purposes for which it was enacted;
(2) whether technology that protects privacy is being utilized in the marketplace in such a manner as to facilitate administration of and compliance with title I;
(3) whether additional legislation is required to accomplish those purposes or improve the administrability or effectiveness of this Act;
(4) whether legislation is appropriate or necessary to regulate the collection, use, and distribution of personally identifiable information collected other than via the Internet;
(5) whether and how the government might assist industry in developing standard online privacy notices that substantially comply with the requirements of section 102(a);
(6) whether and how the creation of a set of self-regulatory guidelines established by independent safe harbor organizations and approved by the Commission would facilitate administration of and compliance with title I; and
(7) whether additional legislation is necessary or appropriate to regulate the collection, use, and disclosure of personally identifiable information collected online before the effective date of title I.
(b) FTC NOTICE OF INQUIRY- The Commission shall initiate a notice of inquiry within 90 days after the date of enactment of this Act to request comment on the matter described in paragraphs (1) through (7) of subsection (a).
SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsection (d) as subsection (e); and
(2) by inserting after subsection (c) the following:
`(d) DEVELOPMENT OF INTERNET PRIVACY PROGRAM- The Institute shall encourage and support the development of one or more computer programs, protocols, or other software, such as the World Wide Web Consortium's P3P program, capable of being installed on computers, or computer networks, with Internet access that would reflect the user's preferences for protecting personally-identifiable or other sensitive, privacy-related information, and automatically execute the program, once activated, without requiring user intervention.'.
I actually drove over my Jornada 545 at one point. It continued to function for 2 years after that.
Party on. I've got a 545 too, and damned if it isn't a thug of a PDA. It's a hair thicker than the rest, but I have beaten the hell out of mine, and it's still ticking. I've really been impressed with its reliability. Umm... except for Windows CE - but that's not really at issue here.
The iPaq, on the other hand, has this vague George Jetson-look to it. I want a PDA, not a sprocket. (whatever the hell those are) Maybe someone could stand up for ipaqs out there? I'd be interested in hearing about their crashworthiness. (inertia crash, not Windows crash)
PDA Clue: My guess is that it was Professor Palm, in the kitchen, with the silver limited-edition stylus.
I have got to hand it to those suggesting the "TCP header length blah blah string theory homeomorphic protocol" whatever. Damn, even made my eyes glaze over.
However- there is another way to achieve that... just look up the school's legal counsel and send him an email saying that you're concerned about the liability implications of all this file sharing, and when he writes a memo to the faculty going on for 50 pages (only lawyers can write a 50-page memo) about "contributory infringement res ipsa loquitur blah blah mutatis mutandis damnum absque injuria" and how he'll want to have the server logs copied to him, your faculty will never wish they knew what a Gnutella client was.
In response to some other comments about what this judgment in Nanterre was about...
Apparently Microsoft bought up this Canadian animation company called SoftImage, who had previously worked out some licensing side-deal with these French programmers to use some of their code.
Once Microsoft had SoftImage, though, it seems they ignored the deal with the French licensees - apparently assuming they owned the licensed software too. Funny, too, because you'd think Microsoft could either code around it or just buy them off. Maybe it was an honest screw-up. (Then again...)
I guess the French programmers sued, and the commercial court in Nanterre slammed SoftImage - then a wholly-owned Microsoft subsidiary - with about a half a mil (US$) in fines for piracy.
As if the French needed another reason to hate Americans. Thanks, Bill. Next time I get flak for trying to order a Big Mac in some Paris bistro, it's all on you, man!
Every time the letters refer to "the Bill," I thought, "yeah, buddy. I know all about The Bill. The Billmeister. Billinator." And then I thought, "oh no, not that Bill. The proposed law. Duh."
In fact, the PTO generates a profit. Really. Its operating budget is lower than the revenues it generates in fees. (Maybe because there's so many boneheads out there trying to patent business methods of picking their nose)
And you know how Congress shows its gratitude? (drum roll) It doesn't. The money vanishes into the Treasury until Sen. Byrd uses it to fund yet another pork barrel project in West Virginia.
Wintersmute: Why is it that Americans aren't persuaded by the voice of reason, but a talking hamburger really helps you see things straight?
Some Smartass AC: Because America doesn't like you. Therefore they exhibit "odd" behavior just to piss YOU off.
It appears that through an improvident use of "you" instead of "us" I seem to have cast myself as some beret-wearing Frog who complains about Eurodisney as the vanguard of cultural imperialism.
Sorry, okay? I'm from New York. I like baseball, motherhood, and apple pie. I just think talking cows are weird, okay?
Now, please excuse me while I clean out my inbox from the National Beef Council's hatemail, and Neosporin these karma burn marks. Man, I hope that don't scar.
I'll be the first one to line up against the heavy-handed tactics of the RIAA, but I think we should pick our battles, folks. Does anyone complain when the local sports bar licenses pay-per-view broadcasts, or when the proverbial dance hall pays licensing fees for music?
Yet here, it's not even clear that anyone actually bought the damn CDs in the first place. We've reached a point where we're so aggravated about the stranglehold that Hollywood and the labels have that at first utterance of mp3 we're spouting the same old 'information-wants-to-be-free' rhetoric.
Those "antiquated" ideas of copyright ownership were a contract between creators and the public that worked since the Statute of Anne. Calling them "antiquated" just plays into the hands of the content-producers who would just as happily grind us inexorably toward pay-per-use purgatory.
Copyright worked. The DMCA doesn't. Confusing the two is like confusing pedophilia with Catholicism.
Anyone seeking arguments against the general trend of propertization of ideas would do well to familiarize themselves with Lawrence Lessig's The Future of Ideas. Coincidentally, it's my understanding that he's speaking on a similar topic today at Georgetown Law School.
Specifically, you might start with the EFF's action alert (http://www.eff.org/IP/SSSCA_CBDTPA/20020322_eff_cbdtpa_alert.html) on this topic.
Oh - and talk about economics. Conservatives particularly love that crap. Man, you throw in a little "marginal cost", give 'em some "network effects" and a bit of the old "dead weight loss" and they'll think, "damn, this guy's a frickin' genius."
You know, even if you could get your music out, how the heck are you supposed to know who's on which label? Am I supposed to go out and research all the artists I want to download online, figure out who their label is, and figure out which service supports that label? Are you kidding?!? By the time that's done, it's easier to go to the store and buy the damn disc.
If the labels could get around the anti-trust issues of merging their services into one major service - or if they could share artists across services - then consumers might give a damn. Until then, I'm stuck trying to figure out who Yanni signed with...
Now, If That Doesn't Just Get Your Goat (on "Killing Rats with GPS", Score: 3, Funny)
You left off the rest of the story.... they paid the Iscariot goat 30 bucks for his troubles, and he tried to turn it down. But they said take it, and he did. Then guilt came to him, and his goat heart was heavy, and he went off and hanged himself. (and became goat jerky)
Okay... for those geeks out there who, like me... get totally lost in this. Sympathize. This is what you sound like when you're trying to explain to your mother-in-law the difference between Linux and Windows.
And on an historical note, the Crusaders didn't go looking for a Holy Grail. Only Monty Python did. (Turns out their research was a little shoddy.)
The chairman of the House Judiciary Subcommittee on Intellectual Property Howard Coble (R-North Carolina) opposes the bill and won't bring it up therefore the bill is DOA.
This might just be the first time a Republican from the ol' Tobacco country actually did something useful.
Oh, and while I suppress my laughter thinking of Hollings' "evil mouse-ear masters" let me point out that even if the SSSCA is enacted, everyone will just buy electronics from overseas non-compliant manufacturers.
Then the USTR will get into the mix, or Customs, and restrict the import of non-compliant devices (if the statute hasn't already...). Then, overseas manufacturers will haul our sorry asses before the WTO because our virtual embargoes on non-DRM compliant devices will constitute unreasonable restraints of trade. Bananas, anyone?
Doh... yes, gentlemen, there is a cost of shoehorning open everyone else's markets to our superior goods - and that is that when their goods are superior, they get to shoe-horn them into ours. You can kill the market, but you can't kill the demand. And if you treatied-away your right to kill the market... too bad.
Ricardo strikes (again). Maybe the Industry should have thought that one out before they got us into this whole globalization thing.
I think this is the final evidence that the libertarians have had it wrong for decades. They're always bugging out about the government this, government that. Turns out the CIA was uploading cookies and even they didn't know about it, for Christ's sake. I've worked in government, and I'm not going out on a limb when I say that the government is too damn incompetent to get anything useful out of tracking our M&M consumption habits, as it were.
It's the private sector that poses real risks to privacy. Uncle Sam is not about to track your damned underwear size so they can focus-group test when the ideal time to offer you a rebate on the 10-48 diet drink.
When you say p2p with brains, to me it means somebody has come up with an elegant balance between centralization and search speeds.
Ditto, Holmes. The real question is the scalability issue, and I'm not convinced that the traffic cop features implemented by Gnutella front-ends have really sorted this out.
When that's the case, that will be some p2p with brains. Right now, the networks only seem to be hanging on because the critical mass of crash-inducing traffic hasn't hit the super-peers yet; at least not on a permanent basis.
What would really make my evening interesting is if someone would be kind enough to contradict me.
While this is an obvious knee-jerk reaction to the Candyman fallout - it's also been tried before. Check out PSINet, Inc. v. Chapman, 108 F.Supp.2d 611 (W.D. Va. 2000) (enjoining application of law imposing criminal liability for the commercial display of sexually explicit materials harmful to juveniles).
Oh, but this is narrowly tailored, you say? Whatever. Wait until they start slugging out what gets blocked and what doesn't, then come talk to me. This is just more posturing for the constituents.
STATE REP: "Dum da dum! I will protect your children from pedophiles, voters! Let me just unplug this twisted pair here..."
[GZZOK! Pennsylvania goes black.]
STATE REP: "Oops."
I'm betting on an ISP-obtained injunction by the end of the week. Anyone care to start a pool?
When Wired covered this, they noted that "companies typically start out blocking what filtering firms call the "sinful six" categories: pornography, gambling, illegal activities, hate sites, tasteless material and violent content."
Hell, I understand porn and gambling, but tastelessness and violence pretty much runs out the whole damn Internet. Guess I'll have to get my news about Mid-East turmoil from Zoog Disney...
Please allow me to pile on to the idealism attack. While I'll be the first to line up against IP laws that don't produce benefits for the public, the mere fact that two nations prospered without patent statutes doesn't mean nations without patent statutes do better.
Note, for example, that some of the progress came from "borrowing" ideas from nations that *did* have patent statutes.
What's more, the author's argument carries little weight unless he can prove the counterfactual - that these nations would not have done even better if they *had* employed IP laws.
I'm inclined to believe that the late 1800s and early 1900s were fruitful eras in these nations for reasons other than the state of the patent law.
This piece sounds a lot like Lessig. Not the Lessig that went before the DC Circuit on Eldred, either, but right out of the Future of Ideas (a fine read, by the way).
But to my comment: the infinity minus one day, to my recollection, was a suggestion originally propounded by Mary Bono, widow of the last Congressman.
I think this got canned for two reasons:
1) It was too obviously an end-run around the Constitution's requirement that Congress extend exclusive rights "for a limited time." Obviously, neither Mary Bono's legislative assistant nor Go-Back, Jack, And Say Something Stupid Again Valenti's corp. counsel gave that comment any thought before it wormed its way into the talking points. (Doh! Boston Strangler strikes again...)
2) It would seem to violate the Rule Against Perpetuities. It's probably explained on Findlaw. Anyway, property rights hawks spent a long time struggling to get "intellectual property" called 'property' (think about it - there's nothing "intellectual" about Britney Spears, but damned if her mp3s aren't IP) so it's about time they take the good with the bad.
(A) the kind of information collected by the successor entity about the user is materially different from the kind of information collected by the predecessor entity;
(B) the methods of collecting and using the information employed by the successor entity are materially different from the methods employed by the predecessor entity; or
(C) the disclosure practices of the successor entity are materially different from the practices of the predecessor entity.
SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.
(a) NOTICE OF POLICY CHANGE- Whenever an internet service provider, online service provider, or operator of a commercial website makes a material change in its policy for the collection, use, or disclosure of sensitive or nonsensitive personally identifiable information, it--
(1) shall notify all users of that service or website of the change in policy; and
(2) may not collect, disclose, or otherwise use any sensitive or nonsensitive personally identifiable information in accordance with the changed policy unless the user has been afforded an opportunity to consent, or withhold consent, to its collection, disclosure, or use in accordance with the requirements of section 102 (b) or (c), whichever is applicable.
(b) Notice of Breach of Privacy-
(1) IN GENERAL- If the sensitive or nonsensitive personally identifiable information of a user of an internet service provider, online service provider, or operator of a commercial website--
(A) is collected, disclosed, or otherwise used by the provider or operator in violation of any provision of this Act, or
(B) the security, confidentiality, or integrity of such information is compromised by a hacker or other third party, or by any act or failure to act of the provider or operator,
then the provider or operator shall notify all users whose sensitive or nonsensitive personally identifiable information was affected by the unlawful collection, disclosure, use, or compromise. The notice shall describe the nature of the unlawful collection, disclosure, use, or compromise and the steps taken by the provider or operator to remedy it.
(2) Delay of notification-
(A) ACTION TAKEN BY INDIVIDUALS- If the compromise of the security, confidentiality, or integrity of the information is caused by a hacker or other external interference with the service or website, or by an employee of the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) facilitate the detection and apprehension of the person responsible for the compromise; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of such information.
(B) SYSTEM FAILURES AND OTHER FUNCTIONAL CAUSES- If the unlawful collection, disclosure, use, or compromise of the security, confidentiality, and integrity of the information is the result of a system failure, a problem with the operating system, software, or program used by the internet service provider, online service provider, or operator of the commercial website, or other non-external interference with the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--
(i) restore the system's functionality or fix the problem; and
(ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of the information after the failure or problem has been fixed and the integrity of the service or website has been restored.
SEC. 104. EXCEPTIONS.
(a) IN GENERAL- Section 102 does not apply to the collection, disclosure, or use by an internet service provider, online service provider, or operator of a commercial website of information about a user of that service or website necessary--
(1) to protect the security or integrity of the service or website or to ensure the safety of other people or property;
(2) to conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information; or
(3) to provide other products and services integrally related to the transaction, service, product, or arrangement for which the user provided the information.
(b) PROTECTED DISCLOSURES- An internet service provider, online service provider, or operator of a commercial website may not be held liable under this Act, any other Federal law, or any State law for any disclosure made in good faith and following reasonable procedures in responding to--
(1) a request for disclosure of personal information under section 1302(b)(1)(B)(iii) of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to the parent of a child; or
(2) a request for access to, or correction or deletion of, personally identifiable information under section 105 of this Act.
(c) Disclosure to Law Enforcement Agency or Under Court Order-
(1) IN GENERAL- Notwithstanding any other provision of this Act, an internet service provider, online service provider, operator of a commercial website, or third party that uses such a service or website to collect information about users of that service or website may disclose personally identifiable information about a user of that service or website--
(A) to a law enforcement, investigatory, national security, or regulatory agency or department of the United States in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or a properly executed administrative compulsory process; and
(B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--
(i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and
(ii) that user is afforded a reasonable opportunity to appear and contest the issuance of requested order or to narrow its scope.
(2) SAFEGUARDS AGAINST FURTHER DISCLOSURE- A court that issues an order described in paragraph (1) shall impose appropriate safeguards on the use of the information to protect against its unauthorized disclosure.
SEC. 105. ACCESS.
(a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website shall--
(1) upon request provide reasonable access to a user to personally identifiable information that the provider or operator has collected from the user online, or that the provider or operator has combined with personally identifiable information collected from the user online after the effective date of this Act;
(2) provide a reasonable opportunity for a user to suggest a correction or deletion of any such information maintained by that provider or operator to which the user was granted access; and
(3) make the correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or make the deletion, for all future disclosure and other use purposes.
(b) EXCEPTION- An internet service provider, online service provider, or operator of a commercial website may decline to make a suggested correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or to make a suggested deletion if the provider or operator--
(1) reasonably believes that the suggested correction or deletion is inaccurate or otherwise inappropriate;
(2) notifies the user in writing, or in digital or other electronic form, of the reasons the provider or operator believes the suggested correction or deletion is inaccurate or otherwise inappropriate; and
(3) provides a reasonable opportunity for the user to refute the reasons given by the provider or operator for declining to make the suggested correction or deletion.
(c) REASONABLENESS TEST- The reasonableness of the access or opportunity provided under subsection (a) or (b) by an internet service provider, online service provider, or operator of a commercial website shall be determined by taking into account such factors as the sensitivity of the information requested and the burden or expense on the provider or operator of complying with the request, correction, or deletion.
(d) Reasonable Access Fee-
(1) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website may impose a reasonable charge for access under subsection (a).
(2) AMOUNT- The amount of the fee shall not exceed $3, except that upon request of a user, a provider or operator shall provide such access without charge to that user if the user certifies in writing that the user--
(A) is unemployed and intends to apply for employment in the 60-day period beginning on the date on which the certification is made;
(B) is a recipient of public welfare assistance; or
(C) has reason to believe that the incorrect information is due to fraud.
SEC. 106. SECURITY.
An internet service provider, online service provider, or operator of a commercial website shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of personally identifiable information maintained by that provider or operator.
TITLE II--ENFORCEMENT
SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
Except as provided in section 202(b) of this Act and section 2710(d) of title 18, United States Code, this Act shall be enforced by the Commission.
SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(a) IN GENERAL- The violation of any provision of title I is an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with title I of this Act shall be enforced under--
(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--
(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;
(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;
(3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;
(4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;
(5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and
(6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
(c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of title I is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under title I, any other authority conferred on it by law.
(d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating title I in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that subtitle is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that subtitle.
(e) Disposition of Civil Penalties Obtained by FTC Enforcement Action Involving Nonsensitive Personally Identifiable Information-
(1) IN GENERAL- If a civil penalty is imposed on an internet service provider, online service provider, or commercial website operator in an enforcement action brought by the Commission for a violation of title I with respect to nonsensitive personally identifiable information of users of the service or website, the penalty shall be--
(A) paid to the Commission;
(B) held by the Commission in trust for distribution under paragraph (2); and
(C) distributed in accordance with paragraph (2).
(2) DISTRIBUTION TO USERS- Under procedures to be established by the Commission, the Commission shall hold any amount received as a civil penalty for violation of title I for a period of not less than 180 days for distribution under those procedures to users--
(A) whose nonsensitive personally identifiable information was the subject of the violation; and
(B) who file claims with the Commission for compensation for loss or damage from the violation at such time, in such manner, and containing such information as the Commission may require.
(3) AMOUNT OF PAYMENT- The amount a user may receive under paragraph (2)--
(i) shall not exceed $200; and
(ii) may be limited by the Commission as necessary to afford each such user a reasonable opportunity to secure that user's appropriate portion of the amount available for distribution.
(4) REMAINDER- If the amount of any such penalty held by the Commission exceeds the sum of the amounts distributed under paragraph (2) attributable to that penalty, the excess shall be covered into the Treasury of the United States as miscellaneous receipts no later than 12 months after it was paid to the Commission.
(f) EFFECT ON OTHER LAWS-
(1) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this subtitle shall be construed to limit the authority of the Commission under any other provision of law.
(2) RELATION TO TITLE II OF COMMUNICATIONS ACT- Nothing in title I requires an operator of a website or online service to take any action that is inconsistent with the requirements of section 222 of the Communications Act of 1934 (47 U.S.C. 222).
(3) RELATION TO TITLE VI OF COMMUNICATIONS ACT- Section 631 of the Communications Act of 1934 (47 U.S.C. 551) is amended by adding at the end the following:
`(i) To the extent that the application of any provision of this title to a cable operator as an internet service provider, online service provider, or operator of a commercial website (as those terms are defined in section 401 of the Online Personal Privacy Act) with respect to the provision of Internet service or online service, or the operation of a commercial website, conflicts with the application of any provision of that Act to such provision or operation, the Act shall be applied in lieu of the conflicting provision of this title.'.
SEC. 203. ACTIONS BY USERS.
(a) PRIVATE RIGHT OF ACTION FOR SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- If an internet service provider, online service provider, or commercial website operator collects, discloses, or uses the sensitive personally identifiable information of any person or fails to provide reasonable access to or reasonable security for such sensitive personally identifiable information in violation of any provision of title I then that person may bring an action in a district court of the United States of appropriate jurisdiction--
(1) to enjoin or restrain a violation of title I or to obtain other appropriate relief; and
(2) upon a showing of actual harm to that person caused by the violation, to recover the greater of--
(A) the actual monetary loss from the violation; or
(B) $5,000.
(b) REPEATED VIOLATIONS- If the court finds, in an action brought under subsection (a) to recover damages, that the defendant repeatedly and knowingly violated title I, the court may, in its discretion, increase the amount of the award available under subsection (a)(2)(B) to an amount not in excess of $100,000.
(c) EXCEPTION- Neither an action to enjoin or restrain a violation, nor an action to recover for loss or damage, may be brought under this section for the accidental disclosure of information if the disclosure was caused by an Act of God, unforeseeable network or systems failure, or other event beyond the control of the Internet service provider, online service provider, or operator of a commercial website.
SEC. 204. ACTIONS BY STATES.
(a) IN GENERAL-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates title I, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--
(A) to enjoin that practice;
(B) to enforce compliance with the rule;
(C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) to obtain such other relief as the court may consider to be appropriate.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--
(i) written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
(b) INTERVENTION-
(1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.
(2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that arises in that action; and
(B) to file a petition for appeal.
(c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of title I, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.
(e) VENUE; SERVICE OF PROCESS-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 205. WHISTLEBLOWER PROTECTION.
(a) IN GENERAL- No internet service provider, online service provider, or commercial website operator may discharge or otherwise discriminate against any employee with respect to compensation, terms, conditions, or privileges of employment because the employee (or any person acting pursuant to the request of the employee) provided information to any Federal or State agency or to the Attorney General of the United States or of any State regarding a violation of any provision of title I.
(b) ENFORCEMENT- Any employee or former employee who believes he has been discharged or discriminated against in violation of subsection (a) may file a civil action in the appropriate United States district court before the close of the 2-year period beginning on the date of such discharge or discrimination. The complainant shall also file a copy of the complaint initiating such action with the appropriate Federal agency.
(c) REMEDIES- If the district court determines that a violation of subsection (a) has occurred, it may order the Internet service provider, online service provider, or commercial website operator that committed the violation--
(1) to reinstate the employee to his former position;
(2) to pay compensatory damages; or
(3) to take other appropriate actions to remedy any past discrimination.
(d) LIMITATION- The protections of this section shall not apply to any employee who--
(1) deliberately causes or participates in the alleged violation; or
(2) knowingly or recklessly provides substantially false information to such an agency or the Attorney General.
(e) BURDENS OF PROOF- The legal burdens of proof that prevail under subchapter III of chapter 12 of title 5, United States Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected activities under this section.
SEC. 206. NO EFFECT ON OTHER REMEDIES.
The remedies provided by sections 203 and 204 are in addition to any other remedy available under any provision of law.
TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES
SEC. 301. SENATE.
The Sergeant at Arms of the United States Senate shall develop regulations setting forth an information security and electronic privacy policy governing use of the Internet by officers and employees of the Senate that meets the requirements of title I.
SEC. 302. APPLICATION TO FEDERAL AGENCIES.
(a) IN GENERAL- Except as provided in subsection (b), this Act applies to each Federal agency that is an internet service provider or an online service provider, or that operates a website, to the extent provided by section 2674 of title 28, United States Code.
(b) EXCEPTIONS- This Act does not apply to any Federal agency to the extent that the application of this Act would compromise law enforcement activities or the administration of any investigative, security, or safety operation conducted in accordance with Federal law.
TITLE IV--MISCELLANEOUS
SEC. 401. DEFINITIONS.
In this Act:
(1) COLLECT- The term `collect' means the gathering of personally identifiable information about a user of an Internal service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including--
(A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;
(B) the use of a chat room, message board, or other online service to gather the information; or
(C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies or other tracking technology.
(2) COMMISSION- The term `Commission' means the Federal Trade Commission.
(3) COOKIE- The term `cookie' means any program, function, or device, commonly known as a `cookie', that makes a record on the user's computer (or other electronic device) of that user's access to an internet service, online service, or commercial website.
(4) DISCLOSE- The term `disclose' means the release of personally identifiable information about a user of an Internet service, online service, or commercial website by an internet service provider, online service provider, or operator of a commercial website for any purpose, except where such information is provided to a person who provides support for the internal operations of the service or website and who does not disclose or use that information for any other purpose.
(5) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined in section 551(1) of title 5, United States Code.
(6) INTERNAL OPERATIONS SUPPORT- The term `support for the internal operations of a service or website' means any activity necessary to maintain the technical functionality of that service or website.
(7) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(8) INTERNET SERVICE PROVIDER; ONLINE SERVICE PROVIDER; WEBSITE- The Commission shall by rule define the terms `internet service provider', `online service provider', and `website', and shall revise or amend such rule to take into account changes in technology, practice, or procedure with respect to the collection of personal information over the Internet.
(9) ONLINE- The term `online' refers to any activity regulated by this Act or by section 2710 of title 18, United States Code, that is effected by active or passive use of an Internet connection, regardless of the medium by or through which that connection is established.
(10) OPERATOR OF A COMMERCIAL WEBSITE- The term `operator of a commercial website'--
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
(11) PERSONALLY IDENTIFIABLE INFORMATION-
(A) IN GENERAL- The term `personally identifiable information' means individually identifiable information about an individual collected online, including--
(i) a first and last name, whether given at birth or adoption, assumed, or legally changed;
(ii) a home or other physical address including street name and name of a city or town;
(iii) an e-mail address;
(iv) a telephone number;
(v) a birth certificate number;
(vi) any other identifier for which the Commission finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual; or
(vii) information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in clauses (i) through (vi) of this subparagraph.
(B) INFERENTIAL INFORMATION EXCLUDED- Information about an individual derived or inferred from data collected online but not actually collected online is not personally identifiable information.
(12) RELEASE- The term `release of personally identifiable information' means the direct or indirect, sharing, selling, renting, or other provision of personally identifiable information of a user of an internet service, online service, or commercial website to any other person other than the user.
(13) ROBUST NOTICE- The term `robust notice' means actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes.
(14) SENSITIVE FINANCIAL INFORMATION- The term `sensitive financial information' means--
(A) the amount of income earned or losses suffered by an individual;
(B) an individual's account number or balance information for a savings, checking, money market, credit card, brokerage, or other financial services account;
(C) the access code, security password, or similar mechanism that permits access to an individual's financial services account;
(D) an individual's insurance policy information, including the existence, premium, face amount, or coverage limits of an insurance policy held by or for the benefit of an individual; or
(E) an individual's outstanding credit card, debt, or loan obligations.
(15) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term `sensitive personally identifiable information' means personally identifiable information about an individual's--
(A) individually identifiable health information (as defined in section 164.501 of title 45, Code of Federal Regulations);
(B) race or ethnicity;
(C) political party affiliation;
(D) religious beliefs;
(E) sexual orientation;
(F) a Social Security number; or
(G) sensitive financial information.
SEC. 402. EFFECTIVE DATE OF TITLE I.
Title I of this Act takes effect on the day after the date on which the Commission publishes a final rule under section 403.
SEC. 403. FTC RULEMAKING.
The Commission shall--
(1) initiate a rulemaking within 90 days after the date of enactment of this Act for regulations to implement the provisions of title I; and
(2) complete that rulemaking within 270 days after initiating it.
SEC. 404. FTC REPORT.
(a) REPORT- The Commission shall submit a report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Commerce 18 months after the effective date of title I, and annually thereafter, on--
(1) whether this Act is accomplishing the purposes for which it was enacted;
(2) whether technology that protects privacy is being utilized in the marketplace in such a manner as to facilitate administration of and compliance with title I;
(3) whether additional legislation is required to accomplish those purposes or improve the administrability or effectiveness of this Act;
(4) whether legislation is appropriate or necessary to regulate the collection, use, and distribution of personally identifiable information collected other than via the Internet;
(5) whether and how the government might assist industry in developing standard online privacy notices that substantially comply with the requirements of section 102(a);
(6) whether and how the creation of a set of self-regulatory guidelines established by independent safe harbor organizations and approved by the Commission would facilitate administration of and compliance with title I; and
(7) whether additional legislation is necessary or appropriate to regulate the collection, use, and disclosure of personally identifiable information collected online before the effective date of title I.
(b) FTC NOTICE OF INQUIRY- The Commission shall initiate a notice of inquiry within 90 days after the date of enactment of this Act to request comment on the matter described in paragraphs (1) through (7) of subsection (a).
SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsection (d) as subsection (e); and
(2) by inserting after subsection (c) the following:
`(d) DEVELOPMENT OF INTERNET PRIVACY PROGRAM- The Institute shall encourage and support the development of one or more computer programs, protocols, or other software, such as the World Wide Web Consortium's P3P program, capable of being installed on computers, or computer networks, with Internet access that would reflect the user's preferences for protecting personally-identifiable or other sensitive, privacy-related information, and automatically execute the program, once activated, without requiring user intervention.'.
END
I actually drove over my Jornada 545 at one point. It continued to function for 2 years after that.
Party on. I've got a 545 too, and damned if it isn't a thug of a PDA. It's a hair thicker than the rest, but I have beaten the hell out of mine, and it's still ticking. I've really been impressed with its reliability. Umm... except for Windows CE - but that's not really at issue here.
The iPaq, on the other hand, has this vague George Jetson-look to it. I want a PDA, not a sprocket. (whatever the hell those are) Maybe someone could stand up for ipaqs out there? I'd be interested in hearing about their crashworthiness. (inertia crash, not Windows crash)
PDA Clue: My guess is that it was Professor Palm, in the kitchen, with the silver limited-edition stylus.
I have got to hand it to those suggesting the "TCP header length blah blah string theory homeomorphic protocol" whatever. Damn, even made my eyes glaze over.
However - there is another way to achieve that... just look up the school's legal counsel and send him an email saying that you're concerned about the liability implications of all this file sharing, and when he writes a memo to the faculty going on for 50 pages (only lawyers can write a 50-page memo) about "contributory infringement res ipsa loquitur blah blah mutatis mutandis damnum absque injuria" and how he'll want to have the server logs copied to him, your faculty will never wish they knew what a Gnutella client was.
See, lawyers can be technocrats too.
In response to some other comments about what this judgment in Nanterre was about...
Apparently Microsoft bought up this Canadian animation company called SoftImage, who had previously worked out some licensing side-deal with these French programmers to use some of their code.
Once Microsoft had SoftImage, though, it seems they ignored the deal with the French licensees - apparently assuming they owned the licensed software too. Funny, too, because you'd think Microsoft could either code around it or just buy them off. Maybe it was an honest screw-up. (Then again...)
I guess the French programmers sued, and the commercial court in Nanterre slammed SoftImage - then a wholly-owned Microsoft subsidiary - with about a half a mil (US$) in fines for piracy.
As if the French needed another reason to hate Americans. Thanks, Bill. Next time I get flak for trying to order a Big Mac in some Paris bistro, it's all on you, man!
Every time the letters refer to "the Bill," I thought, "yeah, buddy. I know all about The Bill. The Billmeister. Billinator." And then I thought, "oh no, not that Bill. The proposed law. Duh."
Hard to keep straight.
slashdot's entire cultural coverage is pretty weak and needs an overhaul
Am I the only one who thinks that cultural coverage for nerds is like visual arts coverage for the blind?
In fact, the PTO generates a profit. Really. Its operating budget is lower than the revenues it generates in fees. (Maybe because there's so many boneheads out there trying to patent business methods of picking their nose)
And you know how Congress shows its gratitude? (drum roll) It doesn't. The money vanishes into the Treasury until Sen. Byrd uses it to fund yet another pork barrel project in West Virginia.
Wintersmute: Why is it that Americans aren't persuaded by the voice of reason, but a talking hamburger really helps you see things straight?
Some Smartass AC: Because America doesn't like you. Therefore they exhibit "odd" behavior just to piss YOU off.
It appears that through an improvident use of "you" instead of "us" I seem to have cast myself as some beret-wearing Frog who complains about Eurodisney as the vanguard of cultural imperialism.
Sorry, okay? I'm from New York. I like baseball, motherhood, and apple pie. I just think talking cows are weird, okay?
Now, please excuse me while I clean out my inbox from the National Beef Council's hatemail, and Neosporin these karma burn marks. Man, I hope that don't scar.
Because surely, there's nothing more persuasive than some good clean, bovine thinking.
Why is it that Americans aren't persuaded by the voice of reason, but a talking hamburger really helps you see things straight?
I'll be the first one to line up against the heavy-handed tactics of the RIAA, but I think we should pick our battles, folks. Does anyone complain when the local sports bar licenses pay-per-view broadcasts, or when the proverbial dance hall pays licensing fees for music?
Yet here, it's not even clear that anyone actually bought the damn CDs in the first place. We've reached a point where we're so aggravated about the stranglehold that Hollywood and the labels have that at first utterance of mp3 we're spouting the same old 'information-wants-to-be-free' rhetoric.
Those "antiquated" ideas of copyright ownership were a contract between creators and the public that worked since the Statute of Anne. Calling them "antiquated" just plays into the hands of the content-producers who would just as happily grind us inexorably toward pay-per-use purgatory.
Copyright worked. The DMCA doesn't. Confusing the two is like confusing pedophilia with Catholicism.
Anyone seeking arguments against the general trend of propertization of ideas would do well to familiarize themself with Lawrence Lessig's The Future of Ideas. Coincidentally, it's my understanding that he's speaking on a similar topic today at Georgetown Law School.
Specifically, you might start with the EFF's action alert (http://www.eff.org/IP/SSSCA_CBDTPA/20020322_eff_cbdtpa_alert.html) on this topic.
Oh - and talk about economics. Conservatives particularly love that crap. Man, you throw in a little "marginal cost", give 'em some "network effects" and a bit of the old "dead weight loss" and they'll think, "damn, this guy's a frickin' genius."
You know, even if you could get your music out, how the heck are you supposed to know who's on which label? Am I supposed to go out and research all the artists I want to download online, figure out who their label is, and figure out which service supports that label? Are you kidding?!? By the time that's done, it's easier to go to the store and buy the damn disc.
If the labels could get around the anti-trust issues of merging their services into one major service - or if they could share artists across services - then consumers might give a damn. Until then, I'm stuck trying to figure out who Yanni signed with...
You left off the rest of the story.... they paid the Iscariot goat 30 bucks for his troubles, and he tried to turn it down. But they said take it, and he did. Then guilt came to him, and his goat heart was heavy, and he went off and hanged himself. (and became goat jerky)
Okay... for those geeks out there who, like me... get totally lost in this. Sympathize. This is what you sound like when you're trying to explain to your mother-in-law the difference between Linux and Windows.
And on an historical note, the Crusaders didn't go looking for a Holy Grail. Only Monty Python did. (Turns out their research was a little shoddy.)
Re:Million Geek March 2002?
Wouldn't calling it the Million User March get more people? Hey... since it's in DC, maybe Marion Barry would show up.
I think the theory is that if they give the damn thing a clumsy enough acronym, it will fool everyone into voting for it.
The chairman of the House Judiciary Subcommittee on Intellectual Property Howard Coble (R-North Carolina) opposes the bill and won't bring it up therefore the bill is DOA.
This might just be the first time a Republican from the ol' Tobacco country actually did something useful.
Oh, and while I suppress my laughter thinking of Hollings' "evil mouse-ear masters" let me point out that even if the SSSCA is enacted, everyone will just buy electronics from overseas non-compliant manufacturers.
Then the USTR will get into the mix, or Customs, and restrict the import of non-compliant devices (if the statute hasn't already...). Then, overseas manufacturers will haul our sorry asses before the WTO because our virtual embargoes on non-DRM compliant devices will constitute unreasonable restraints of trade. Bananas, anyone?
Doh... yes, gentlemen, there is a cost of shoehorning open everyone else's markets to our superior goods - and that is that when their goods are superior, they get to shoe-horn them into ours. You can kill the market, but you can't kill the demand. And if you treatied-away your right to kill the market... too bad.
Ricardo strikes (again). Maybe the Industry should have thought that one out before they got us into this whole globalization thing.
I think this is the final evidence that the libertarians have had it wrong for decades. They're always bugging out about the government this, government that. Turns out the CIA was uploading cookies and even they didn't know about it, for Christ's sake. I've worked in government, and I'm not going out on a limb when I say that the government is too damn incompetent to get anything useful out of tracking our M&M consumption habits, as it were.
It's the private sector that poses real risks to privacy. Uncle Sam is not about to track your damned underwear size so they can focus-group test when the ideal time to offer you a rebate on the 10-48 diet drink.
When you say p2p with brains, to me it means somebody has come up with an elegant balance between centralization and search speeds.
Ditto, Holmes. The real question is the scalability issue, and I'm not convinced that the traffic cop features implemented by Gnutella front-ends have really sorted this out.
When that's the case, that will be some p2p with brains. Right now, the networks only seem to be hanging on because the critical mass of crash-inducing traffic hasn't hit the super-peers yet; at least not on a permanent basis.
What would really make my evening interesting is if someone would be kind enough to contradict me.
While this is an obvious knee-jerk reaction to the Candyman fallout - it's also been tried before. Check out PSINet, Inc. v. Chapman, 108 F.Supp.2d 611 (W.D. Va. 2000) (enjoining application of law imposing criminal liability for the commercial display of sexually explicit materials harmful to juveniles).
Oh, but this is narrowly tailored, you say? Whatever. Wait until they start slugging out what gets blocked and what doesn't, then come talk to me. This is just more posturing for the constituents.
STATE REP: "Dum da dum! I will protect your children from pedophiles, voters! Let me just unplug this twisted pair here..."
[GZZOK! Pennsylvania goes black.]
STATE REP: "Oops."
I'm betting on an ISP-obtained injunction by the end of the week. Anyone care to start a pool?
When Wired covered this, they noted that "companies typically start out blocking what filtering firms call the "sinful six" categories: pornography, gambling, illegal activities, hate sites, tasteless material and violent content."
Hell, I understand porn and gambling, but tastelessness and violence pretty much runs out the whole damn Internet. Guess I'll have to get my news about Mid-East turmoil from Zoog Disney...
Please allow me to pile on to idealism attack. While I'll be the first to line up against IP laws that don't produce benefits for the public, the mere fact that two nations prospered without patent statutes doesn't mean nations without patent statutes do better.
Note, for example, that some of the progress came from "borrowing" ideas from nations that *did* have patent statutes.
What's more, the author's argument carries little weight unless he can prove the counterfactual - that these nations would not have done even better if they *had* employed IP laws.
I'm inclined to believe that the late 1800s and early 1900s were fruitful eras in these nations for reasons other than the state of the patent law.
Just adding my inflation-adjusted $.02.
This piece sounds a lot like Lessig. Not the Lessig that went before the DC Circuit on Eldred, either, but right out of the Future of Ideas (a fine read, by the way).
But to my comment: the infinity minus one day, to my recollection, was a suggestion originally propounded by Mary Bono, widow of the last Congressmen.
I think this got canned for two reasons:
1) It was too obviously an end-run around the Constitution's requirement that Congress extend exclusive rights "for a limited time." Obviously, neither Mary Bono's legislative assistant nor Go-Back, Jack, And Say Something Stupid Again Valenti's corp. counsel gave that comment any thought before it wormed its way into the talking points. (Doh! Boston Strangler strikes again...)
2) it would seem to violate the Rule Against Perpetuities. It's probably explained on Findlaw. Anyway, property rights hawks spent a long time struggling to get "intellectual property" called 'property' (think about it - there's nothing "intellectual" about Britney Spears, but damned if her mp3s aren't IP) so it's about time they take the good with the bad.
Just my inflation-adjusted $.02...
On whether you think the warm-n-fuzzy jog dial or the jot language is more the bane of mankind.