Order Code RL31408
Report for Congress
Received through the CRS Web
Internet Privacy: Overview
and Pending Legislation
Updated November 27, 2002
Marcia S. Smith
Specialist in Aerospace and Telecommunications Policy
Resources, Science, and Industry Division
Congressional Research Service ˜ The Library of Congress
Internet Privacy: Overview and Pending Legislation
Summary
Internet privacy issues encompass concerns about the collection of personally
identifiable information (PII) from visitors to government and commercial Web sites,
as well as debate over law enforcement or employer monitoring of electronic mail
and Web usage.
In the wake of the September 11 terrorist attacks, debate over the issue of law
enforcement monitoring has intensified, with some advocating increased tools for
law enforcement to track down terrorists, and others cautioning that fundamental
tenets of democracy, such as privacy, not be endangered in that pursuit. The 21st
Century Department of Justice Appropriations Authorization Act (P.L. 107-273)
requires the Justice Department to report to Congress on its use of Internet
monitoring software such as Carnivore/DCS 1000. On the other hand, Congress also
passed the USA PATRIOT Act (P.L. 107-56) that, inter alia, makes it easier for law
enforcement to monitor Internet activities. The Homeland Security Act (P.L. 107-
296) expands upon that Act, loosening restrictions on Internet Service Providers as
to when, and to whom, they can voluntarily release information about subscribers
if they believe there is a danger of death or injury.
The parallel debate over Web site information policies concerns whether
industry self regulation or legislation is the best approach to protecting consumer
privacy. Congress has considered legislation that would require commercial Web
site operators to follow certain fair information practices, but none has passed.
Legislation has passed, however, regarding information practices for federal
government Web sites. For example, in the 107th Congress, the E-Government Act
(H.R. 2458, awaiting signature by the President), sets requirements on how
government agencies assure the privacy of personally identifiable information in
government information systems and establishes guidelines for privacy policies for
federal Web sites.
This report provides a brief overview of Internet privacy issues and describes
legislation that was considered by the 107th Congress, including the four bills that
were enacted (listed above). After the 108th Congress convenes, it will track Internet
privacy legislation introduced into that session of Congress. For more detailed
discussion of the issues, see CRS Report RL30784, Internet Privacy: An Analysis of
Technology and Policy Issues (December 21, 2000), and CRS Report RL31289, The
Internet and the USA PATRIOT Act: Potential Implications for Electronic Privacy,
Security, Commerce, and Government (March 4, 2002).
This report will be updated.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Internet: Commercial Web Site Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Children’s Online Privacy Protection Act (COPPA), P.L. 105-277 . . . . . . . 1
FTC Activities and Fair Information Practices . . . . . . . . . . . . . . . . . . . . . . . 2
Advocates of Self-Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Advocates of Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Internet: Federal Government Web Site Information Practices . . . . . . . . . . . . . . 4
Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Monitoring E-mail and Web Usage by Law Enforcement or Employers . . . . . . . 6
Identity Theft and Protecting Social Security Numbers . . . . . . . . . . . . . . . . . . . . . 8
Appendix: Brief Comparison of H.R. 4678 and S. 2201 . . . . . . . . . . . . . . . . . . . 12
List of Tables
Table 1. Internet Privacy-Related Legislation Passed by the 107th Congress . . . . 9
Table 2: Internet Privacy-Related Legislation That Did Not Clear
the 107th Congress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Table 3: Brief Comparison of H.R. 4678 and S. 2201 . . . . . . . . . . . . . . . . . . . . . 12
Internet Privacy: Overview
and Pending Legislation
Introduction
Internet privacy issues encompass concerns about the collection of personally
identifiable information (PII) from visitors to government and commercial Web sites,
as well as debate over law enforcement or employer monitoring of electronic mail
and Web usage. This report provides a brief discussion of Internet privacy issues and
tracks pending legislation. More information on Internet privacy issues is available
in CRS Report RL30784, Internet Privacy: An Analysis of Technology and Policy
Issues (December 21, 2000), and CRS Report RL31289, The Internet and the USA
PATRIOT Act: Potential Implications for Electronic Privacy, Security, Commerce,
and Government (March 4, 2002).
Internet: Commercial Web Site Practices
One aspect of the Internet (“online”) privacy debate focuses on whether industry
self regulation or legislation is the best route to assure consumer privacy protection.
In particular, consumers appear concerned about the extent to which Web site
operators collect “personally identifiable information” (PII) and share that data with
third parties without their knowledge. Repeated media stories about privacy
violations by Web site operators have kept the issue in the forefront of public debate
about the Internet. Although many in Congress and the Clinton Administration
preferred industry self regulation, the 105th Congress passed legislation to protect the
privacy of children under 13 as they use commercial Web sites (see below). Many
bills have been introduced since that time regarding protection of those not covered
by COPPA, but the only legislation that has passed concerns federal government, not
commercial, Web sites.
Children’s Online Privacy Protection Act (COPPA), P.L. 105-
277
Congress, the Clinton Administration, and the Federal Trade Commission (FTC)
initially focused their attention on protecting the privacy of children under 13 as they
visit commercial Web sites. Not only are there concerns about information children
might divulge about themselves, but also about their parents. The result was the
Children’s Online Privacy Protection Act (COPPA), Title XIII of Division C of the
FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act,
P.L. 105-277. The FTC’s final rule implementing the law became effective April 21,
2000 [http://www.ftc.gov/opa/1999/9910/childfinal.htm]. Commercial Web sites and
CRS-2
online services directed to children under 13 or that knowingly collect information
from them must inform parents of their information practices and obtain verifiable
parental consent before collecting, using, or disclosing personal information from
children. The law also provides for industry groups or others to develop self-
regulatory “safe harbor” guidelines that, if approved by the FTC, can be used by Web
sites to comply with the law. The FTC approved self-regulatory guidelines proposed
by the Better Business Bureau on January 26, 2001. In April 2001, the FTC fined
three companies for violating COPPA.
FTC Activities and Fair Information Practices
The FTC has conducted or sponsored several Web site surveys since 1997 to
determine the extent to which commercial Web site operators abide by four fair
information practices—providing notice to users of their information practices before
collecting personal information, allowing users choice as to whether and how
personal information is used, allowing users access to data collected and the ability
to contest its accuracy, and ensuring security of the information from unauthorized
use. Some include enforcement as a fifth fair information practice. Regarding
choice, the term “opt-in” refers to a requirement that a consumer give affirmative
consent to an information practice, while “opt-out” means that permission is
assumed unless the consumer indicates otherwise. See CRS Report RL30784 for
more information on the FTC surveys and fair information practices. The FTC’s
reports are available on its Web site [http://www.ftc.gov].
Briefly, the first two FTC surveys (December 1997 and June 1998) created
concern about the information practices of Web sites directed at children and led to
the enactment of COPPA (see above). The FTC continued monitoring Web sites to
determine if legislation was needed for those not covered by COPPA. In 1999, the
FTC concluded that more legislation was not needed at that time because of
indications of progress by industry at self-regulation, including creation of “seal”
programs (see below) and by two surveys conducted by Georgetown University.
However, in May 2000, the FTC changed its mind following another survey that
found only 20% of randomly visited Web sites and 42% of the 100 most popular
Web sites had implemented all four fair information practices. The FTC voted to
recommend that Congress pass legislation requiring Web sites to adhere to the four
fair information practices, but the 3-2 vote indicated division within the Commission.
On October 4, 2001, FTC’s new chairman, Timothy Muris, revealed his position on
the issue, saying that he did not see a need for additional legislation now.
Advocates of Self-Regulation
In 1998, members of the online industry formed the Online Privacy Alliance
(OPA) to encourage industry self regulation. OPA developed a set of privacy
guidelines and its members are required to adopt and implement posted privacy
policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust have
established “seals” for Web sites. To display a seal from one of those organizations,
a Web site operator must agree to abide by certain privacy principles (some of which
are based on the OPA guidelines), a complaint resolution process, and to being
CRS-3
monitored for compliance. Advocates of self regulation argue that these seal
programs demonstrate industry’s ability to police itself.
Technological solutions also are being offered. P3P (Platform for Privacy
Preferences) is one often-mentioned technology. It gives individuals the option to
allow their web browser to match the privacy policies of websites they access with
the user’s selected privacy preferences. Its goal is to put privacy in the hands of the
consumer. P3P is one of industry’s attempts to protect privacy for online users. Josh
Freed from the Internet Education Foundation says there is strong private sector
backing for P3P as a first step in creating a common dialogue on privacy, and support
from Congress, the Administration, and the FTC as well (see the IEF web site
[http://www.p3ptoolbox.org/tools/papers/IEFP3POutreachforDMA.ppt]). The
CATO Institute, argues that privacy-protecting technologies are quite effective
[http://www.cato.org/pubs/briefs/bp-065es.html]. However, complaints are arising
from some industry participants as P3P is implemented. One concern is that P3P
requires companies to produce shortened versions of their privacy policies to enable
them to be machine-readable. To some, this raises issues of whether the shortened
policies are legally binding, since they may omit nuances, and “sacrifice accuracy for
brevity.”1
Advocates of Legislation
Consumer, privacy rights and other interest groups believe self regulation is
insufficient. They argue that the seal programs do not carry the weight of law, and
that while a site may disclose its privacy policy, that does not necessarily equate to
having a policy that protects privacy. The Center for Democracy and Technology
(CDT, at [http://www.cdt.org]) and EPIC [http://www.epic.org]) each have released
reports on this topic. TRUSTe and BBBOnline have been criticized for becoming
corporate apologists rather than defenders of privacy. In the case of TRUSTe, for
example, Esther Dyson, who is credited with playing a central role in the
establishment of the seal program, reportedly is disappointed with it. Wired.com
reported in April 2002 that “Dyson agreed that...Truste’s image has slipped from
consumer advocate to corporate apologist. ‘The board ended up being a little too
corporate, and didn’t have any moral courage,’ she said.”
Some privacy interest groups, such as the Electronic Privacy Information Center
(EPIC), also feel that P3P is insufficient, arguing that it is too complex and confusing
and fails to address many privacy issues. An EPIC report from June 2000 further
explains its findings [http://www.epic.org/reports/prettypoorprivacy.html].
Privacy advocates are particularly concerned about online profiling, where
companies collect data about what Web sites are visited by a particular user and
develop profiles of that user’s preferences and interests for targeted advertising.
Following a one-day workshop on online profiling, FTC issued a two-part report in
the summer of 2000 that also heralded the announcement by a group of companies
that collect such data, the Network Advertising Initiative (NAI), of self-regulatory
1 Clark, Drew. Tech, Banking Firms Criticize Limitations of Privacy Standard.
NationalJournal.com, November 11, 2002.
CRS-4
principles. At that time, the FTC nonetheless called on Congress to enact legislation
to ensure consumer privacy vis a vis online profiling because of concern that “bad
actors” and others might not follow the self-regulatory guidelines. As noted, the
current FTC Chairman’s position is that broad legislation is not needed at this time.
Several bills were introduced in the 107th Congress, but none passed. Four dealt
specifically with commercial Web site practices (H.R. 89, H.R. 237, H.R. 347, and
S. 2201). H.R. 4678 was a broader consumer privacy protection bill. H.R. 4678 and
S. 2201 are discussed in more detail below and in the appendix. The Bankruptcy
Reform bill (H.R. 333/S. 420) would have prohibited (with exceptions) companies,
including Web site operators, that file for bankruptcy from selling or leasing PII
obtained in accordance with a policy that said such information would not be
transferred to third parties, if that policy was in effect at the time of the bankruptcy
filing. H.R. 2135 would have limited the disclosure of personal information (defined
as PII and sensitive personal information) by information recipients in general, and
S. 1055 would have limited the commercial sale and marketing of PII. In a related
measure, S. 2839 (Cleland) sought to protect the privacy of children using elementary
or secondary school or library computers that use “Internet content management
services,” such as filtering software to restrict access to certain Web sites.
During the second session of the 107th Congress, attention focused on S. 2201
and H.R. 4678. A fundamental difference was that H.R. 4678 affected privacy for
both “online” and “offline” data collection entities, while S. 2201’s focus was online
privacy. During markup by the Senate Commerce Committee, a section was added
to S. 2201 directing the FTC to issue recommendations and proposed regulations
regarding entities other than those that are online. Other amendments also were
adopted. The bill was reported on August 1, 2002 (S.Rept. 107-240). A House
Energy and Commerce subcommittee held a hearing on H.R. 4678 on September 24,
2002. There was no further action on either bill. The appendix to this report provides
a brief comparison of H.R. 4678 as introduced and S. 2201 as reported.
Internet: Federal Government Web Site Information
Practices
Under a May 1998 directive from President Clinton and a June 1999 Office of
Management and Budget (OMB) memorandum, federal agencies must ensure that
their information practices adhere to the 1974 Privacy Act. In June 2000, however,
the Clinton White House revealed that contractors for the Office of National Drug
Control Policy (ONDCP) had been using “cookies” (small text files placed on users’
computers when they access a particular Web site) to collect information about those
using an ONDCP site during an anti-drug campaign. ONDCP was directed to cease
using cookies, and OMB issued another memorandum reminding agencies to post
and comply with privacy policies, and detailing the limited circumstances under
which agencies should collect personal information. A September 5, 2000 letter from
OMB to the Department of Commerce further clarified that “persistent”cookies,
which remain on a user’s computer for varying lengths of time (from hours to years),
are not allowed unless four specific conditions are met. “Session” cookies, which
expire when the user exits the browser, are permitted.
CRS-5
At the time, Congress was considering whether commercial Web sites should
be required to abide by FTC’s four fair information practices. The incident sparked
interest in whether federal Web sites should adhere to the same requirements. In the
FY2001 Transportation Appropriations Act (P.L. 106-346), Congress prohibited
funds in the FY2001 Treasury-Postal Appropriations Act from being used to collect,
review, or create aggregate lists that include PII about an individual’s access to or use
of a federal Web site or enter into agreements with third parties to do so, with
exceptions. Similar language is in the FY2002 Treasury-Postal Appropriations Act
(P.L. 107-67). The FY2003 Treasury-Postal appropriations bills (sec. 634 in both
H.R. 5120 and S. 2740) also contained similar language, though the bill did not clear
the 107th Congress.
Section 646 of the FY2001 Treasury-Postal Appropriations Act (P.L. 106-554)
required Inspectors General (IGs) to report to Congress on activities by those
agencies or departments relating to their own collection of PII, or entering into
agreements with third parties to obtain PII about use of Web sites. Senator
Thompson released two reports in April and June 2001 based on the findings of
agency IGs who discovered unauthorized persistent cookies and other violations of
government privacy guidelines on several agency Web sites. An April 2001 GAO
report (GAO-01-424) concluded that most of the 65 sites it reviewed were following
OMB’s guidance.
The107th Congress passed the E-Government Act (H.R. 2458/S. 803), which
sets requirements on government agencies regarding how they assure the privacy of
personal information in government information systems and establish guidelines for
privacy policies for federal Web sites. S. 803 was reported from the Senate
Governmental Affairs Committee on June 24, 2002 (S.Rept. 107-174) and passed the
Senate June 27. H.R. 2458 was reported from the House Government Reform
Committee on November 13, and passed the House and Senate that day. It was
cleared for the White House November 15. The legislation requires federal Web
sites to include a privacy notice that addresses what information is to be collected,
why, its intended use, what notice or opportunities for consent are available to
individuals regarding what is collected and how it is shared, how the information will
be secured, and the rights of individuals under the 1974 Privacy Act and other
relevant laws. It also requires the federal Web sites to translate their privacy policies
into a standardized machine-readable format, enabling P3P to work (see above
discussion of P3P), for example.
The following bills did not clear the 107th Congress. S. 851 (Thompson) would
have established an 18-month commission to study the collection, use, and
distribution of personal information by federal, state, and local governments. H.R.
583 (Hutchinson) would have created a commission to study privacy issues more
broadly. S. 2846 (Edwards) also would have created a commission, in this case, to
“evaluate investigative and surveillance technologies to meet law enforcement and
national security needs in the manner that best preserves the personal dignity, liberty,
and privacy of individuals within the United States.” S. 2629 (Torricelli) would have
provided a framework for ensuring effective data and privacy management by federal
agencies. S. 2201 would have required federal agencies that are Internet Service
Providers or Online Service Providers, or operate Web sites, to provide notice,
choice, access, and security in a manner similar to what the bill requires for non-
CRS-6
governmental entities, with exceptions. (S. 2201 is discussed in more detail in the
appendix to this report.)
Spyware
Some software products include, as part of the software itself, a method by
which information is collected about the use of the computer on which the software
is installed. When the computer is connected to the Internet, the software
periodically relays the information back to the software manufacturer or a marketing
company. The software that collects and reports is called “spyware.” Software
programs that include spyware can be obtained on a disk or downloaded from the
Internet. They may be sold or provided for free. Typically, users have no
knowledge that the software product they are using includes spyware. Some argue
that users should be notified if the software they are using includes spyware. Two
bills (H.R. 112 and S. 197) in the 107th Congress would have required notification.
There was no action on either bill.
Another use of the term spyware refers to software that can record a person’s
keystrokes. All typed information thus can be obtained by another party, even if the
author modifies or deletes what was written, or if the characters do not appear on the
monitor (such as when entering a password). Commercial products have been
available for some time, but the existence of such “key logging” software was
highlighted in a 2001 case against Mr. Nicodemo Scarfo, Jr. on charges of illegal
gambling and loan sharking. Armed with a search warrant, the FBI installed the
software on Mr. Scarfo’s computer, allowing them to obtain his password for an
encryption program he used, and thereby evidence. Some privacy advocates argue
wiretapping authority should have been obtained, but the judge, after reviewing
classified information about how the software works, ruled in favor of the FBI.
Press reports also indicate that the FBI is developing a “Magic Lantern” program that
performs a similar task, but can be installed on a subject’s computer remotely by
surreptitiously including it in an e-mail message, for example. Privacy advocates
question what type of legal authorization should be required.
Monitoring E-mail and Web Usage by Law
Enforcement or Employers
Another concern is the extent to which electronic mail (e-mail) exchanges or
visits to Web sites may be monitored by law enforcement agencies or employers. In
the wake of the September 11 terrorist attacks, the debate over law enforcement
monitoring has intensified. Previously, the issue had focused on the extent to which
the Federal Bureau of Investigation (FBI), with legal authorization, uses a software
program called Carnivore (later renamed DCS 1000) to intercept e-mail and monitor
Web activities of certain suspects. The FBI installs the software on Internet Service
Providers’ (ISP’s) equipment. Privacy advocates are concerned whether Carnivore-
like systems can differentiate between e-mail and Internet usage by a subject of an
investigation and similar usage by other people. The 21st Century Department of
Justice Appropriations Authorization Act (P.L. 107-273) requires the Justice
Department to report to Congress on its use of DCS 1000 or any similar system.
CRS-7
On the other hand, following the terrorist attacks, Congress passed the USA
PATRIOT Act (P.L. 107-56), which expands law enforcement’s ability to monitor
Internet activities. Inter alia, the law modifies the definitions of “pen registers” and
“trap and trace devices” to include devices that monitor addressing and routing
information for Internet communications. Carnivore-like programs may now fit
within the new definitions. The potential implications for Internet privacy of the new
law are discussed in CRS Report RL31289. Privacy advocates complain that it is
extremely difficult to monitor how the USA PATRIOT Act is being implemented
because the Justice Department refuses to make information available either through
Freedom of Information (FOAI) requests or to Congress. The American Civil
Liberties Union (ACLU), EPIC, and others filed a complaint for injunctive relief in
U.S. District Court for the District of Columbia on October 24, 2002, to force the
Justice Department to state which records it will disclose in response to the FOIA
requests, and to disclose those records.
As part of the Homeland Security Act (P.L. 107-296), Congress incorporated
(as section 225) the text of H.R. 3482, which passed the House on June 15, 2002.
The language amends the USA PATRIOT Act, lowering the threshold for when ISPs
may divulge the content of communications, and to whom. Under H.R. 3482, the
ISPs need only a “good faith” belief (instead of a “reasonable” belief), that there is
an emergency involving danger (instead of “immediate” danger) of death or serious
physical injury. The contents can be disclosed to “a Federal, state, or local
governmental entity” (instead of a “law enforcement agency”). Privacy advocates are
concerned about the language for a number of reasons. For example, EPIC notes that
allowing such information to be disclosed to any governmental entity not only poses
increased risk to personal privacy, but also is a poor security strategy; and that the
language does not provide for judicial oversight of the use of these procedures.2
There also is concern about the extent to which employers monitor the e-mail
and other computer activities of employees. The public policy concern appears to
be not whether companies should be able to monitor activity, but whether they should
notify their employees of that monitoring. A 2001 survey by the American
Management Association [http://www.amanet.org/press/amanews/ems2001.htm]
found that 62.8% of the companies surveyed monitor Internet connections, 46.5%
store and review e-mail, and 36.1% store and review computer files. A September
2002 General Accounting Office report (GAO-02-717) found that, of the 14 Fortune
1,000 companies it surveyed, all had computer-use policies, and all stored
employee’s electronic transactions, e-mail, information on Web sites visited, and
computer file activity. Eight of the companies said they would read and review those
transactions if they received other information than an individual might have violated
company policies, and six said they routinely analyze employee’s transactions to find
possible inappropriate uses.
2 [http://www.epic.org/security/infowar/csea.html]
CRS-8
Identity Theft and Protecting Social Security
Numbers
Identity theft is not an Internet privacy issue, but the perception that the Internet
makes identity theft easier means that it is often discussed in the Internet privacy
context. The concern is that the widespread use of computers for storing and
transmitting information is contributing to the rising rates of identity theft, where one
individual assumes the identity of another using personal information such as credit
card and Social Security numbers (SSNs). A March 2002 GAO report (GAO-02-363)
discusses the prevalence and cost of identify theft. The FTC has a toll free number
(877-ID-THEFT) to help victims. (See also CRS Reports RS21162, Remedies
Available to Victims of Identity Theft; and RS21083, Identity Theft and the Fair
Credit Reporting Act: an Analysis of TRW v. Andrews and Current Legislation).
Whether the Internet is responsible for the increase in cases is debatable. Some
attribute the rise instead to carelessness by businesses in handling personally
identifiable information, and by credit issuers that grant credit without proper checks.
In 2001, the FTC found that less than 1% of identity theft cases are linked to the
Internet (Computerworld, February 12, 2001, p. 7). Several laws already exist
regarding identity theft (P.L. 105-318, P.L. 106-433, and P.L. 106-578). A number
of bills were introduced in the 107th Congress. One, S. 1742 (Cantwell), was
reported, amended (no written report), from the Senate Judiciary Committee on May
21 and passed the Senate November 14. There was no further action, however. S.
848 (Feinstein) was reported, amended (no written report), from the Senate Judiciary
Committee on May 16, 2002, and referred to the Senate Finance Committee, which
held a hearing on July 11. A new bill, S. 3100, was introduced by Senator Feinstein
on October 10, 2002, and placed on the Senate calendar. There was no further action.
Senator Feinstein also introduced S. 2541, which would have created a separate
crime of aggravated identity theft, and provided for additional penalties for certain
crimes involving identity theft. The bill was reported from the Senate Judiciary
Committee (no written report) on November 14, 2002, but there was no further
action. Other related 107th Congress bills, on which there was no action, were: H.R.
91, H.R. 220, H.R. 1478, H.R. 2036/S. 1014, H.R. 3053/S. 1399, and H.R. 5424.
Table 2 includes brief synopses of these bills.
CRS-9
Table 1. Internet Privacy-Related Legislation Passed by the
107th Congress
H.R. 2458 (Turner)/
E-Government Act. Inter alia, sets requirements on government agencies in
S. 803 (Lieberman)
how they assure the privacy of personal information in government
Awaiting Signature
information systems and establish guidelines for privacy policies for federal
Web sites.
H.R. 5505 (Armey)
Homeland Security Act. Incorporates H.R. 3482, Cyber Security
P.L. 107-296
Enhancement Act, as Sec. 225. Loosens restrictions on ISPs, set in the USA
PATRIOT Act, as to when, and to whom, they can voluntarily release
information about subscribers.
H.R. 2215 (Sensenbrenner)
21st Century Department of Justice Authorization Act. Requires the
P.L. 107-273
Justice Department to notify Congress about its use of Carnivore (DCS 1000)
or similar Internet monitoring systems.
H.R. 3162
USA PATRIOT Act. Expands law enforcement’s authority to monitor
(Sensenbrenner)
Internet activities. See CRS Report RL31289 for how the Act affects use of
P.L. 107-56
the Internet. Amended by the Homeland Security Act (see P.L. 107-296).
Table 2: Internet Privacy-Related Legislation That Did Not Clear the
107th Congress
H.R. 89
Online Privacy Protection Act. Requires FTC to prescribe regulations to protect
(Frelinghuysen)
privacy of personal information collected from and about individuals not covered by
COPPA. (Energy & Commerce)
H.R. 91
Social Security Online Privacy Protection Act. Regulates use by interactive
(Frelinghuysen)
computer services of SSNs and related personally identifiable information. (Energy &
Commerce)
H.R. 112
Electronic Privacy Protection Act. Makes it unlawful for any person to knowingly
(Holt)
make, import, export, distribute, sell, offer for sale, install or use “spyware” without
disclosure or notice. (Energy & Commerce)
H.R. 220
Identity Theft Prevention Act. Protects integrity and confidentiality of SSNs,
(Paul)
prohibits establishment of a uniform national identifying number by federal
governments, and prohibits federal agencies from imposing standards for identification
of individuals on other agencies or persons. (Ways & Means, Government Reform)
H.R. 237
Consumer Internet Privacy Enhancement Act. Requires Web site operators to
(Eshoo)
provide clear and conspicuous notice of their information practices and provide
consumers with easy method to limit use and disclosure of their information. Preempts
state and local laws if they are inconsistent with or more restrictive than this one.
Directs FTC to enforce the law. State Attorneys General can bring suits in federal
courts. Sets penalties. (Energy & Commerce).
H.R. 333
Bankruptcy Reform Act. Sections 231 and 232 of conference version of bill limit
(Gekas)/
when companies can sell or lease PII collected in accordance with a policy in effect at
S. 420
the time of the bankruptcy filing. Conference Report filed July 26, 2002 (H.Rept. 107-
(Grassley)
617). No further action.
H.R. 347
Consumer Online Privacy and Disclosure Act. Requires FTC to promulgate
(Green)
regulations requiring Web site or online service operators about notice, choice, and
contact information for the operator. (Energy & Commerce)
H.R. 583
Privacy Commission Act. Creates a Commission for the Comprehensive Study of
(Hutchinson)
Privacy Protection. (Government Reform)
CRS-10
H.R. 1478
Personal Information Privacy Act. Prohibits use of SSNs for commercial purposes
(Kleczka)
without consent; prohibits sale or transfer of transaction or experience information
without consent; and repeals certain provisions relating to distribution of consumer
reports re certain transmissions not initiated by the consumer. (Ways & Means,
Financial Services)
H.R. 2036
Social Security Number Privacy and Identity Theft Protection Act. Restricts sale
(Shaw)/
and display of SSNs by government agencies, with exceptions; and restrict sale,
S. 1014
purchase, and display of SSNs in the private sector, with exceptions. (House Ways &
(Bunning)
Means, Energy & Commerce, Financial Services; Senate Finance)
H.R. 2135
Consumer Privacy Protection Act. Limits disclosure of personally identifiable
(Sawyer)
information and sensitive personal information by information recipients. (Energy &
Commerce)
H.R. 3053
Identity Theft Protection Act. Establishes certain requirements for credit card
(Hooley)/
issuers and consumer reporting agencies. (House Financial Services; Senate Banking)
S. 1399
(Feinstein)
H.R. 4678
Consumer Privacy Protection Act. Requires data collection organizations to provide
(Stearns)
notice, choice, and security; and have privacy policies. (Bill is not Internet-specific).
Participation in an approved self-regulatory program creates presumption of
compliance with the Act. Preempts state privacy laws. Sets time limits for resolution
of identity theft disputes. (Energy & Commerce, International Relations) See
appendix for more detail.
H.R. 5120
FY2003 Treasury-Postal Appropriations Act. Sec. 634 prohibits funds from being
(Istook)/S. 2740
used to collect, review, or create aggregate lists that include PII about an individual’s
(Dorgan)
access to or use of a federal Web site or enter into agreements with third parties to do
so, with exceptions. (Similar to language in FY2001 and FY2002 acts.) Passed House
July 24, 2002; reported from Senate Appropriations July 17, 2002 (S.Rept. 107-212).
No further action.
H.R. 5424
Identity Theft Victims Assistance Act. Requires businesses to provide information
(Smith-WA)
for free to victims of identity theft regarding transactions relating to that theft; requires
consumer reporting agencies to block consumer information resulting from identity
theft. (Judiciary, Financial Services)
S. 197
Spyware Control and Privacy Protection Act. Requires that software made
(Edwards)
available to the public include clear and conspicuous notice if it includes spyware.
Spyware may not be enabled unless the user provides affirmative consent, with
exceptions. Sets restrictions on how information collected by spyware can be used and
allows the user reasonable access to the information. (Commerce)
S. 848
Social Security Number Misuse Prevention Act. Limits display, sale, or purchase of
(Feinstein)
SSNs. Reported from Senate Judiciary May 16, 2002 (no written report); referred to
Finance Committee (hearing held July 11). See S. 3100.
S. 851
Citizen’s Privacy Commission Act. Would study the collection, use, and
(Thompson)
distribution of personal information by federal, state, and local governments.
(Governmental Affairs)
S. 1055
Privacy Act of 2001. Restricts commercial sale and marketing of personally
(Feinstein)
identifiable information, limits the use of SSNs, limits sale and sharing of nonpublic
personal financial information, limits provision of protected health information.
(Judiciary)
S. 1742
Restore Your Identity Act. Requires business entities with knowledge of an identity
(Cantwell)
theft to share information with the victim or law enforcement agencies and requires
consumer reporting agencies to block dissemination of information resulting from an
identity theft, with exceptions. Reported from Senate Judiciary May 21, 2002; no
written report. Passed Senate, amended, November 14, 2002. No further action.
CRS-11
S. 2201
Online Personal Privacy Act. Establishes requirements for ISPs, Online Service
(Hollings)
Providers (OSPs), and commercial Website operators to provide notice, choice,
access, and security to protect PII, which is divided into “sensitive” and “non-
sensitive” information for which different requirements apply. The Act applies to
federal agencies that operate web sites or serve as ISPs and OSPs, with exceptions.
S.Rept. 107-240, August 1, 2002. See appendix for more detail. No further action.
S. 2541
Identity Theft Penalty Enhancement Act. Inter alia, creates a separate crime of
(Feinstein)
“aggravated identity theft” if a person uses another person’s identity to commit certain
federal crimes; provides for additional 2 year penalty for committing certain federal
crimes while using another person’s identity, and additional 5 year penalty for a person
using a stolen identity while committing specified federal terrorism crimes. Increases
maximum penalty for identity theft from 3 years to 5 years. Reported from Senate
Judiciary Committee (no written report) November 14, 2002. No further action..
S. 2629
Federal Privacy and Data Protection Policy Act. Provides a framework for
(Torricelli)
ensuring effective data and privacy management by federal agencies. (Governmental
Affairs)
S. 2839
Children’s Electronic Access Safety Enhancement (CEASE) Act. Requires
(Cleland)
Internet content management service providers to notify schools and libraries that use
their services of their policies regarding collection, use, and dissemination of
information about children, and restricts collection of personal information about
children using computers employing such services. (Commerce)
S. 2846
Security and Liberty Preservation Act. Establishes a commission to evaluate
(Edwards)
investigative and surveillance technologies to meet law enforcement and national
security needs in the manner that best preserves the personal dignity, liberty, and
privacy of individuals within the United States. (Judiciary)
S. 3100
Social Security Number Misuse Prevention Act of 2002. (New version of S. 848)
(Feinstein)
Limits display, sale, or purchase of SSNs. Placed on the Senate calendar.
CRS-12
Appendix: Brief Comparison of H.R. 4678 and S. 2201
Of the many broad Internet privacy bills introduced in the 107th Congress, congressional
attention focused on H.R. 4678 and S. 2201 (reported from the Senate Commerce Committee
on August 1, 2002, S.Rept. 107-240). The following table provides a brief comparison of
the two bills. One fundamental difference is that H.R. 4678 affects privacy for both “online”
and “offline” entities, while S. 2201’s focus is online entities. During markup of S. 2201,
however, a provision was added requiring the FTC to provide recommendations and draft
regulations for entities otherwise not covered by the bill.
Table 3: Brief Comparison of H.R. 4678 and S. 2201
(Explanation of Acronyms at End)
Provision
H.R. 4678 (Stearns)
S. 2201 (Hollings)
As Introduced
As Reported
Title
Consumer Privacy Protection
Online Personal Privacy Act
Act
Entities Covered
Data Collection Organi-
ISPs, OSPs, and commercial
zations, defined as entities
Web Sites; certain third
that collect (by any means,
parties; federal agencies if
through any medium), sell,
they are ISPs, OSPs, or
disclose for consideration, or
operate Web sites (with
use, PII. Excludes govern-
exceptions); and U.S. Senate
mental agencies, certain not-
(Sergeant at Arms shall
for-profit entities, and certain
develop conforming
small businesses.
regulations for Senate).
Excludes certain small
businesses.
FTC Must Submit
No [the Act already covers
Yes
Recommendations and
both “online” and “offline”
Proposed Regulations for
entities]
Entities Not Covered by the
Act
Differentiation Between
No
Yes
Sensitive and Non-Sensitive
PII
Adherence to Fair Infor-
mation Practices
Notice
Yes, with exceptions
Yes, with exceptions
Choice
Yes (Opt-Out)
Yes (Opt-In for sensitive PII;
Opt-Out for non-sensitive
PII)
Access
No
Yes, with exceptions
Security
Yes
Yes
CRS-13
Provision
H.R. 4678 (Stearns)
S. 2201 (Hollings)
As Introduced
As Reported
Enforcement
By FTC
Generally by FTC, but by
other entities in some cases
(e.g., Board of Directors of
FDIC enforces for banks
insured by FDIC under
Federal Deposit Insurance
Act).
Private Right of Action
No
Yes, for sensitive PII only.
Creates affirmative defense if
defendant takes certain steps
to ensure compliance with
Act, or complies with
specified self regulatory
requirements.
Relationship to State Laws
Preempts state privacy laws,
Supersedes state statutes,
regulations, etc. that affect
regulations, or rules
collection, use, sale,
regarding collection, use, or
disclosure, or dissemination
disclosure of PII obtained
of PII in commerce.
through the Internet.
Actions by States
No comparable provision.
A state attorney general may
bring suit on behalf of
residents of that state, but
must notify FTC and FTC
may intervene.
Relationship to Other Federal
Does not modify, limit, or
Amends Communications
Laws
supersede specified federal
Act of 1934 so cable oper-
privacy laws, and compliance
ators of Internet services,
with relevant sections of
online services, or
those laws is deemed
commercial Websites are
compliance with this Act.
governed by this Act if there
is a conflict between it and
the 1934 Act. Remedies
under safe harbor and private
right of action are in addition
to any other remedy under
any provision of law. Certain
disclosures to comply with
FCA, COPPA, Gramm-
Leach-Bliley are protected.
Permitted Disclosures
Consumer’s choice to
In addition to permitted
preclude sale, or disclosure
disclosures under other laws
for consideration, by an
(see above), disclosures also
entity applies only to sale or
permitted to law enforcement
disclosure to another data
agencies under certain
collection organization that is
conditions, under court order,
not an information-sharing
for certain emergencies, or
partner (as defined in the
for professional services
Act) of the entity.
purposes.
CRS-14
Provision
H.R. 4678 (Stearns)
S. 2201 (Hollings)
As Introduced
As Reported
Establishes Self-Regulatory
Yes
Yes
“Safe Harbor”
Requires Notice to Users If
No
Yes
Entity’s Privacy Policy
Changes
Requires Notice to Users if
No
Yes
Privacy is Breached
Whistleblower Protection
No
Yes
Directs NIST to Encourage
No
Yes
and Support Development of
Internet Privacy Computer
Programs, Protocols, or
Other Software, Such as P3P
Identity Theft Prevention and
Yes
No
Remedies
Requires GAO study of
Yes
No
impact on U.S. interstate and
foreign commerce of foreign
information privacy laws,
and rededication by Secretary
of Commerce if GAO finds
discriminatory treatment of
U.S. entities
Requires Secretary of
Yes
No
Commerce to notify other
nations of provisions of the
Act, seek recognition of its
provisions, and seek
harmonization with foreign
information privacy laws,
regulations, or agreements.
COPPA - Children’s Online Privacy Protection Act
FCA = Fair Credit Reporting Act
FDIC = Federal Deposit Insurance Corporation
FTC = Federal Trade Commission
GAO = General Accounting Office
ISP = Internet Service Provider
NIST = National Institute of Standards and Technology (in the Department of Commerce)
OSP = Online Service Provider
PII = Personally Identifiable Information
P3P = Platform for Privacy Preferences (see text for explanation)