
Wrangling Over Proposed Privacy Laws Continues

zurab writes "USA Today reports several U.S. lawmakers introduced a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers who have not explicitly forbidden them to do so. And one of the supporters of this bill - the beloved Mr. Boucher."
  • by Nogami_Saeko ( 466595 ) on Thursday May 09, 2002 @07:47AM (#3489667)
    Because they know NOBODY in their right mind would EVER opt-in to something like this, so they have to open the door to big business somehow.

    I mean, otherwise the aforementioned big business would stop paying them campaign contributions and such...
    • by Anonymous Coward
      Okay... I am officially telling ALL businesses, I explicitly forbid them to share information about me. I really mean it, even though I didn't log on with my account.. Furthermore I expect that since I had to read slashdot to find out about this privacy invasion, I expect *all businesses* to read this post. Now all anyone has to do is claim the above message as Their Own(TM), and there is no way a business can say they weren't told.
    • NOBODY in their right mind would EVER opt-in to something like this
      I don't get this. If you ask me for information, make no promises about what you're going to do with it, and I willingly give it to you, what reason do I have to expect that you won't propagate the data?
      Isn't one of our Geek Holy Scriptures "Information wants to be free"?
      • Isn't one of our Geek Holy Scriptures "Information wants to be free"?


        I count it as a difference between the personal and professional. Information about things -- software, hardware, science in general, the Law -- is not the same as information about an individual. Things don't vote, raise kids, or have emotions.

        Personal privacy != Corporate secrecy.

      • If you ask me for information, make no promises about what you're going to do with it, and I willingly give it to you

        What if the entity that asks for information does make promises, but buries them in a ten-page document at a college (commonly called 'legalese') reading level rather than in a one-page privacy policy at an eighth-grade (newspaper) reading level?

      • I willingly give it to you,
        That is the sticking point: what is the definition of "willingly"? Sure, you can refuse to sign up for a grocery store discount card. Until all grocery stores have discount cards, all grocery stores require them in order to use checks for payment, all grocery stores start imposing terms and conditions on people who don't use discount cards. Then you have the "choice" of getting a discount card and being tracked, or not eating.

        Sound farfetched? In the last six months all credit card companies have sent out changes to their terms and conditions stating that you can no longer sue them - you must use binding arbitration. Don't like it? Just cancel all your credit cards. Which is a bit difficult for those who must travel, rent a car, get some cash far from home, etc. But you have a "choice".

        sPh

        • Then you have the "choice" of getting a discount card and being tracked, or not eating.

          Or opening up your own store, and only getting tracked in aggregate with all the other people who buy from your store. That is, if the "all stores have discount cards" thing actually happens, which it won't.

          • is, if the "all stores have discount cards" thing actually happens, which it won't.
            Well, opinions on that can differ. As a person who reads the fine print on all the "Terms and Conditions" junk sent to me by organizations with which I do business, I really can't agree. I think we are about 5 years from having every transaction tracked. And cash won't be an out (in the USofA), since the "USA Patriot Act" has greatly ratcheted down the threshold for tracking and reporting cash transactions to the government.

            And this is without the national ID card which I suspect is coming fairly soon.

            sPh

            • Well, opinions on that can differ

              I vow that if all other stores have discount cards which track your purchases, I will personally open a store which doesn't. So for my lifetime at least, those opinions are wrong.

              As a person who reads the fine print on all the "Terms and Conditions" junk sent to me by organizations with which I do business, I really can't agree.

              Credit card companies have an oligopoly with much fewer members than "stores".

              I think we are about 5 years from having every transaction tracked.

              Guess I'll be dead in 5 years. Killed by the government so that they can track people?

              And cash won't be an out (in the USofA), since the "USA Patriot Act" has greatly ratcheted down the threshold for tracking and reporting cash transactions to the government.

              What's it down to now? I thought it was still at $10,000.

              And this is without the national ID card which I suspect is coming fairly soon.

              We already have this national ID card. It's called the license. I once had a Wisconsin sheriff track me down (with help from the FBI) from my domain name, which listed an old address, from which I did not have mail forwarding, to my NJ driver's license, linked that to my NY driver's license, and got my unlisted phone number in NY. All this so he could ask me the name of someone who had a website on my system, and he suspected was sending threatening letters through the USPS.

              As an aside, check out this proposal [loc.gov]. Congress wants to make it a crime with a 5 year sentence for lying to your registrar when you register your domain name.

              • I vow that if all other stores have discount cards which track your purchases, I will personally open a store which doesn't. So for my lifetime at least, those opinions are wrong.
                Not trying to get into a flame war here dude - I hope you are right!

                But pray tell, where will you get the stock for your store? From a wholesaler, eh? And when the wholesaler starts requiring a data dump of your customers' purchase habits before he will make a delivery? Or your bank requires same before it will give you a letter of credit, which you will need to be able to import all those exotic beers?

                When "just about everyone" starts capturing data, it really won't be feasible to be the only one who doesn't.

                sPh

    • > Because they know NOBODY in their right mind would EVER opt-in to something like this

      PROBABLY true, but until they pass a law which prevents me from giving BOGUS information on everything I fill out on the internet this doesn't bother me in the least.
    • How will they avoid diluting the quality of the data?

      It would be possible to create interesting correlations by registering the same bogus name across multiple sites, this would be reflected automatically if you generated random details from a set of common tables. I can see Nadine doing a lot of shopping.

      The possibilities are boundless...

      Xix.
  • Coming next (Score:3, Funny)

    by jsse ( 254124 ) on Thursday May 09, 2002 @07:48AM (#3489668) Homepage Journal
    a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers who have not explicitly forbidden them to do so.

    It's long-awaited? You Americans are difficult to understand....
    • How about this one:

      "I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.

      Ok, so if I wasn't going to use the internet before...I am now going to do so just because companies can trade my personal information? If anything, I'd think it would be a deterrent. What's he thinking?
  • The rule (Score:2, Insightful)

    by grung0r ( 538079 )
    "A group of business leaders from high-tech firms said the bill struck the right balance between consumers and businesses"

    I've heard this said about the DMCA too. Any time businesses talk about balance between themselves and consumers through legislation, I instantly know that it's a terrible idea and I oppose it. They couldn't give a rat's ass about balance or compromise.

    • Everyone needs to understand that the businesses have managed to cock the ear of the legislators, and how??

      Through the vast array of lobbying groups.

      Big Business lobbying tends to sound louder than individuals, which is sad, and results in too many irritating bits of legislation (DMCA, I hope not the CBDTPA, et al) getting through.
      • Re:The rule (Score:2, Interesting)

        by grung0r ( 538079 )
        Well, you've hit on the main issue there. I'm sure (at least I hope) that most people do indeed understand that. There is little anyone can do though. The problem being, that almost all politicians are indeed bought to an extent, and if you vote out a bought one, he or she is just replaced by someone who's owned by a different set of industries. Solving this problem will take a sea-change of the general public's outlook on the situation. That is unlikely to happen until something directly threatens the freedoms the public as a whole hold dear, of which apparently, freedom of speech and freedom of privacy are not.
    • To businesses, the right balance is one which is heavily skewed against the consumer.
    • I think that when big business says they have a good balance they mean they've found the most ridiculous thing they can get away with.
  • by crc32 ( 133399 ) <{moc.23crc} {ta} {niloc}> on Thursday May 09, 2002 @07:56AM (#3489687) Homepage
    should be property rights held by individuals. This allows a more perfect market, because the information would be more closely protected than this bill provides. As Larry Lessig explains in his book Code, Privacy as a property right allows those who don't care about privacy to get what they want, while those who have considerable concerns to seriously protect themselves. Any other scheme will deny the fact that privacy concerns differ between different segments of society.
    • I agree, and more than that, if anyone is going to make money out of selling information about me it should be me. I don't see why anyone else has the right to make money out of my identity in that manner.

    • Privacy is not a property right.
      Nor will it ever, as such inalienable ideas are not, should not, and can not be considered property.
      Besides being vague and unwieldy, considering such humanistic rights property (such humanistic rights as privacy, freewill, thought, etc.) tends to lead to trouble. Look at the patent system.

      Of course, this is all just hyperbole, as redefining privacy as a property changes nothing. It's simply calling X by the name of Y.
      Without suggestions of implementation it's only an interesting experiment in etymology.

      Perhaps "Code" covers such implementation, though. Admittedly I haven't read it.
      • I think he meant that considering personal information a form of property would result in the type of protection everyone is looking for. Privacy is simply one way of handling personal information.

  • Wrong Name (Score:4, Funny)

    by dreamchaser ( 49529 ) on Thursday May 09, 2002 @07:56AM (#3489691) Homepage Journal
    Shouldn't it be the 'Lack of Privacy Bill' rather than 'Privacy Bill'?
    • ...in the style of MinTruth and MinPeace
    • Ever heard of newspeak [everything2.com]? :)

      Check out newspeakdictionary.com [newspeakdictionary.com] especially The Principles of Newspeak [newspeakdictionary.com] next time you feel bored.
    • Here it is... I wanted to prevent the IANALization of this thread. Now you can say, IANALBIPOOS ("I am not a lawyer but I play one on Slashdot"). I would have posted the direct link to THOMAS, but then everyone would have just /.ed the Library of Congress, and they've probably got more important things to do. If you do go to THOMAS, the bill no. is 2201. Had to cut out the ToC - sorry - it was tripping the lameness filter (how appropriate that legislation tweaks the lameness filter. Ha.)

      A BILL
      To protect the online privacy of individuals who use the Internet.

      Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

      SECTION 1. SHORT TITLE.

      This Act may be cited as the `Online Personal Privacy Act'.

      The Congress finds the following:

      (1) The right to privacy is a personal and fundamental right worthy of protection through appropriate legislation.

      (2) Individuals engaging in and interacting with companies engaged in interstate commerce have a significant interest in their personal information, as well as a right to control how that information is collected, used, or transferred.

      (3) Absent the recognition of these rights and the establishment of consequent industry responsibilities to safeguard those rights, the privacy of individuals who use the Internet will soon be more gravely threatened.

      (4) To the extent that States regulate, their efforts to address Internet privacy will lead to a patchwork of inconsistent standards and protections.

      (5) Existing State, local, and Federal laws provide minimal privacy protection for Internet users.

      (6) With the exception of Federal Trade Commission enforcement of laws against unfair and deceptive practices, the Federal Government thus far has eschewed general Internet privacy laws in favor of industry self-regulation, which has led to several self-policing schemes, none of which are enforceable in any meaningful way or provide sufficient privacy protection to individuals.

      (7) State governments have been reluctant to enter the field of Internet privacy regulation because use of the Internet often crosses State, or even national, boundaries.

      (8) States are nonetheless interested in providing greater privacy protection to their citizens as evidenced by recent lawsuits brought against offline and online companies by State attorneys general to protect the privacy of individuals using the Internet.

      (9) The ease of gathering and compiling personal information on the Internet, both overtly and surreptitiously, is becoming increasingly efficient and effortless due to advances in digital communications technology which have provided information gatherers the ability to compile seamlessly highly detailed personal histories of Internet users.

      (10) Personal information flowing over the Internet requires greater privacy protection than is currently available today. Vast amounts of personal information, including sensitive information, about individual Internet users are collected on the Internet and sold or otherwise transferred to third parties.

      (11) Poll after poll consistently demonstrates that individual Internet users are highly troubled over their lack of control over their personal information.

      (12) Market research demonstrates that tens of billions of dollars in e-commerce are lost due to individual fears about a lack of privacy protection on the Internet.

      (13) Market research demonstrates that as many as one-third of all Internet users give false information about themselves to protect their privacy, due to fears about a lack of privacy protection on the Internet.

      (14) Notwithstanding these concerns, the Internet is becoming a major part of the personal and commercial lives of millions of Americans, providing increased access to information, as well as communications and commercial opportunities.

      (15) It is important to establish personal privacy rights and industry obligations now so that individuals have confidence that their personal privacy is fully protected on the Internet.

      (16) The social and economic costs of establishing baseline privacy standards now will be lower than if Congress waits until the Internet becomes more prevalent in our everyday lives in coming years.

      (17) Whatever costs may be borne by industry will be significantly offset by the economic benefits to the commercial Internet created by increased consumer confidence occasioned by greater privacy protection.

      (18) Toward the close of the 20th Century, as individuals' personal information was increasingly collected, profiled, and shared for commercial purposes, and as technology advanced to facilitate these practices, the Congress enacted numerous statutes to protect privacy.

      (19) Those statutes apply to the government, telephones, cable television, e-mail, video tape rentals, and the Internet (but only with respect to children).

      (20) Those statutes all provide significant privacy protections, but neither limit technology nor stifle business.

      (21) Those statutes ensure that the collection and commercialization of individuals' personal information is fair, transparent, and subject to law.

      SEC. 4. PREEMPTION OF STATE LAW OR REGULATIONS.

      This Act supersedes any State statute, regulation, or rule regulating Internet privacy to the extent that it relates to the collection, use, or disclosure of personally identifiable information obtained through the Internet.

      TITLE I--ONLINE PRIVACY PROTECTION

      SEC. 101. COLLECTION, USE, OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION.

      (a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website on the Internet may not collect personally identifiable information from a user, or use or disclose personally identifiable information about a user, of that service or website except in accordance with the provisions of this Act.

      (b) APPLICATION TO CERTAIN THIRD-PARTY OPERATORS- The provisions of this Act applicable to internet service providers, online service providers, and commercial website operators apply to any third party, including an advertising network, that uses an internet service provider, online service provider, or commercial website operator to collect information about users of that service or website.

      SEC. 102. NOTICE AND CONSENT REQUIREMENTS.

      (a) NOTICE- Except as provided in section 104, an internet service provider, online service provider, or operator of a commercial website may not collect personally identifiable information from a user of that service or website online unless that provider or operator provides clear and conspicuous notice to the user in the manner required by this section for the kind of personally identifiable information to be collected. The notice shall disclose--

      (1) the specific types of information that will be collected;

      (2) the methods of collecting and using the information collected; and

      (3) all disclosure practices of that provider or operator for personally identifiable information so collected, including whether it will be disclosed to third parties.

      (b) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES OPT-IN CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--

      (1) collect sensitive personally identifiable information online, or

      (2) disclose or otherwise use such information collected online, from a user of that service or website,

      unless the provider or operator obtains that user's affirmative consent to the collection and disclosure or use of that information before, or at the time, the information is collected.

      (c) NONSENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES ROBUST NOTICE AND OPT-OUT CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--

      (1) collect personally identifiable information not described in subsection (b) online, or

      (2) disclose or otherwise use such information collected online, from a user of that service or website,

      unless the provider or operator provides robust notice to the user, in addition to clear and conspicuous notice, and has given the user an opportunity to decline consent for such collection and use by the provider or operator before, or at the time, the information is collected.

      (d) INITIAL NOTICE ONLY FOR ROBUST NOTICE- An internet service provider, online service provider, or operator of a commercial website shall provide robust notice under subsection (c) of this section to a user only upon its first collection of non-sensitive personally identifiable information from that user, except that a subsequent collection of additional or materially different non-sensitive personally identifiable information from that user shall be treated as a first collection of such information from that user.

      (e) PERMANENCE OF CONSENT-

      (1) IN GENERAL- The consent or denial of consent by a user of permission to an internet service provider, online service provider, or operator of a commercial website to collect, disclose, or otherwise use any information about that user for which consent is required under this Act--

      (A) shall remain in effect until changed by the user; and

      (B) shall apply to the collection, disclosure, or other use of that information by any entity that is a commercial successor of, or legal successor-in-interest to, that provider or operator, without regard to the legal form in which such succession was accomplished (including any entity that collects, discloses, or uses such information as a result of a proceeding under chapter 7 or chapter 11 of title 11, United States Code, with respect to the provider or operator).

      (2) EXCEPTION- The consent by a user to the collection, disclosure, or other use of information about that user for which consent is required under this Act does not apply to the collection, disclosure, or use of that information by a successor entity under paragraph (1)(B) if--

      (A) the kind of information collected by the successor entity about the user is materially different from the kind of information collected by the predecessor entity;

      (B) the methods of collecting and using the information employed by the successor entity are materially different from the methods employed by the predecessor entity; or

      (C) the disclosure practices of the successor entity are materially different from the practices of the predecessor entity.

      SEC. 103. POLICY CHANGES; BREACH OF PRIVACY.

      (a) NOTICE OF POLICY CHANGE- Whenever an internet service provider, online service provider, or operator of a commercial website makes a material change in its policy for the collection, use, or disclosure of sensitive or nonsensitive personally identifiable information, it--

      (1) shall notify all users of that service or website of the change in policy; and

      (2) may not collect, disclose, or otherwise use any sensitive or nonsensitive personally identifiable information in accordance with the changed policy unless the user has been afforded an opportunity to consent, or withhold consent, to its collection, disclosure, or use in accordance with the requirements of section 102 (b) or (c), whichever is applicable.

      (b) Notice of Breach of Privacy-

      (1) IN GENERAL- If the sensitive or nonsensitive personally identifiable information of a user of an internet service provider, online service provider, or operator of a commercial website--

      (A) is collected, disclosed, or otherwise used by the provider or operator in violation of any provision of this Act, or

      (B) the security, confidentiality, or integrity of such information is compromised by a hacker or other third party, or by any act or failure to act of the provider or operator,

      then the provider or operator shall notify all users whose sensitive or nonsensitive personally identifiable information was affected by the unlawful collection, disclosure, use, or compromise. The notice shall describe the nature of the unlawful collection, disclosure, use, or compromise and the steps taken by the provider or operator to remedy it.

      (2) Delay of notification-

      (A) ACTION TAKEN BY INDIVIDUALS- If the compromise of the security, confidentiality, or integrity of the information is caused by a hacker or other external interference with the service or website, or by an employee of the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--

      (i) facilitate the detection and apprehension of the person responsible for the compromise; and

      (ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of such information.

      (B) SYSTEM FAILURES AND OTHER FUNCTIONAL CAUSES- If the unlawful collection, disclosure, use, or compromise of the security, confidentiality, and integrity of the information is the result of a system failure, a problem with the operating system, software, or program used by the internet service provider, online service provider, or operator of the commercial website, or other non-external interference with the service or website, the provider or operator may postpone issuing the notice required by paragraph (1) for a reasonable period of time in order to--

      (i) restore the system's functionality or fix the problem; and

      (ii) take such measures as may be necessary to restore the integrity of the service or website and prevent any further compromise of the security, confidentiality, and integrity of the information after the failure or problem has been fixed and the integrity of the service or website has been restored.

      SEC. 104. EXCEPTIONS.

      (a) IN GENERAL- Section 102 does not apply to the collection, disclosure, or use by an internet service provider, online service provider, or operator of a commercial website of information about a user of that service or website necessary--

      (1) to protect the security or integrity of the service or website or to ensure the safety of other people or property;

      (2) to conduct a transaction, deliver a product or service, or complete an arrangement for which the user provided the information; or

      (3) to provide other products and services integrally related to the transaction, service, product, or arrangement for which the user provided the information.

      (b) PROTECTED DISCLOSURES- An internet service provider, online service provider, or operator of a commercial website may not be held liable under this Act, any other Federal law, or any State law for any disclosure made in good faith and following reasonable procedures in responding to--

      (1) a request for disclosure of personal information under section 1302(b)(1)(B)(iii) of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) to the parent of a child; or

      (2) a request for access to, or correction or deletion of, personally identifiable information under section 105 of this Act.

      (c) Disclosure to Law Enforcement Agency or Under Court Order-

      (1) IN GENERAL- Notwithstanding any other provision of this Act, an internet service provider, online service provider, operator of a commercial website, or third party that uses such a service or website to collect information about users of that service or website may disclose personally identifiable information about a user of that service or website--

      (A) to a law enforcement, investigatory, national security, or regulatory agency or department of the United States in response to a request or demand made under authority granted to that agency or department, including a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a court order, or a properly executed administrative compulsory process; and

      (B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--

      (i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and

      (ii) that user is afforded a reasonable opportunity to appear and contest the issuance of the requested order or to narrow its scope.

      (2) SAFEGUARDS AGAINST FURTHER DISCLOSURE- A court that issues an order described in paragraph (1) shall impose appropriate safeguards on the use of the information to protect against its unauthorized disclosure.

      SEC. 105. ACCESS.

      (a) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website shall--

      (1) upon request provide reasonable access to a user to personally identifiable information that the provider or operator has collected from the user online, or that the provider or operator has combined with personally identifiable information collected from the user online after the effective date of this Act;

      (2) provide a reasonable opportunity for a user to suggest a correction or deletion of any such information maintained by that provider or operator to which the user was granted access; and

      (3) make the correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or make the deletion, for all future disclosure and other use purposes.

      (b) EXCEPTION- An internet service provider, online service provider, or operator of a commercial website may decline to make a suggested correction a part of that user's sensitive personally identifiable information or nonsensitive personally identifiable information (whichever is appropriate), or to make a suggested deletion if the provider or operator--

      (1) reasonably believes that the suggested correction or deletion is inaccurate or otherwise inappropriate;

      (2) notifies the user in writing, or in digital or other electronic form, of the reasons the provider or operator believes the suggested correction or deletion is inaccurate or otherwise inappropriate; and

      (3) provides a reasonable opportunity for the user to refute the reasons given by the provider or operator for declining to make the suggested correction or deletion.

      (c) REASONABLENESS TEST- The reasonableness of the access or opportunity provided under subsection (a) or (b) by an internet service provider, online service provider, or operator of a commercial website shall be determined by taking into account such factors as the sensitivity of the information requested and the burden or expense on the provider or operator of complying with the request, correction, or deletion.

      (d) Reasonable Access Fee-

      (1) IN GENERAL- An internet service provider, online service provider, or operator of a commercial website may impose a reasonable charge for access under subsection (a).

      (2) AMOUNT- The amount of the fee shall not exceed $3, except that upon request of a user, a provider or operator shall provide such access without charge to that user if the user certifies in writing that the user--

      (A) is unemployed and intends to apply for employment in the 60-day period beginning on the date on which the certification is made;

      (B) is a recipient of public welfare assistance; or

      (C) has reason to believe that the incorrect information is due to fraud.

      SEC. 106. SECURITY.

      An internet service provider, online service provider, or operator of a commercial website shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of personally identifiable information maintained by that provider or operator.

      TITLE II--ENFORCEMENT

      SEC. 201. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

      Except as provided in section 202(b) of this Act and section 2710(d) of title 18, United States Code, this Act shall be enforced by the Commission.

      SEC. 202. VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE.

      (a) IN GENERAL- The violation of any provision of title I is an unfair or deceptive act or practice proscribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

      (b) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with title I of this Act shall be enforced under--

      (1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--

      (A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

      (B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), by the Board; and

      (C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;

      (2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;

      (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

      (4) part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

      (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

      (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

      (c) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (b) of its powers under any Act referred to in that subsection, a violation of title I is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (b), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under title I, any other authority conferred on it by law.

      (d) ACTIONS BY THE COMMISSION- The Commission shall prevent any person from violating title I in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any entity that violates any provision of that subtitle is subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of that subtitle.

      (e) Disposition of Civil Penalties Obtained by FTC Enforcement Action Involving Nonsensitive Personally Identifiable Information-

      (1) IN GENERAL- If a civil penalty is imposed on an internet service provider, online service provider, or commercial website operator in an enforcement action brought by the Commission for a violation of title I with respect to nonsensitive personally identifiable information of users of the service or website, the penalty shall be--

      (A) paid to the Commission;

      (B) held by the Commission in trust for distribution under paragraph (2); and

      (C) distributed in accordance with paragraph (2).

      (2) DISTRIBUTION TO USERS- Under procedures to be established by the Commission, the Commission shall hold any amount received as a civil penalty for violation of title I for a period of not less than 180 days for distribution under those procedures to users--

      (A) whose nonsensitive personally identifiable information was the subject of the violation; and

      (B) who file claims with the Commission for compensation for loss or damage from the violation at such time, in such manner, and containing such information as the Commission may require.

      (3) AMOUNT OF PAYMENT- The amount a user may receive under paragraph (2)--

      (i) shall not exceed $200; and

      (ii) may be limited by the Commission as necessary to afford each such user a reasonable opportunity to secure that user's appropriate portion of the amount available for distribution.

      (4) REMAINDER- If the amount of any such penalty held by the Commission exceeds the sum of the amounts distributed under paragraph (2) attributable to that penalty, the excess shall be covered into the Treasury of the United States as miscellaneous receipts no later than 12 months after it was paid to the Commission.

      (f) EFFECT ON OTHER LAWS-

      (1) PRESERVATION OF COMMISSION AUTHORITY- Nothing contained in this subtitle shall be construed to limit the authority of the Commission under any other provision of law.

      (2) RELATION TO TITLE II OF COMMUNICATIONS ACT- Nothing in title I requires an operator of a website or online service to take any action that is inconsistent with the requirements of section 222 of the Communications Act of 1934 (47 U.S.C. 222).

      (3) RELATION TO TITLE VI OF COMMUNICATIONS ACT- Section 631 of the Communications Act of 1934 (47 U.S.C. 551) is amended by adding at the end the following:

      `(i) To the extent that the application of any provision of this title to a cable operator as an internet service provider, online service provider, or operator of a commercial website (as those terms are defined in section 401 of the Online Personal Privacy Act) with respect to the provision of Internet service or online service, or the operation of a commercial website, conflicts with the application of any provision of that Act to such provision or operation, the Act shall be applied in lieu of the conflicting provision of this title.'.

      SEC. 203. ACTIONS BY USERS.

      (a) PRIVATE RIGHT OF ACTION FOR SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- If an internet service provider, online service provider, or commercial website operator collects, discloses, or uses the sensitive personally identifiable information of any person or fails to provide reasonable access to or reasonable security for such sensitive personally identifiable information in violation of any provision of title I then that person may bring an action in a district court of the United States of appropriate jurisdiction--

      (1) to enjoin or restrain a violation of title I or to obtain other appropriate relief; and

      (2) upon a showing of actual harm to that person caused by the violation, to recover the greater of--

      (A) the actual monetary loss from the violation; or

      (B) $5,000.

      (b) REPEATED VIOLATIONS- If the court finds, in an action brought under subsection (a) to recover damages, that the defendant repeatedly and knowingly violated title I, the court may, in its discretion, increase the amount of the award available under subsection (a)(2)(B) to an amount not in excess of $100,000.

      (c) EXCEPTION- Neither an action to enjoin or restrain a violation, nor an action to recover for loss or damage, may be brought under this section for the accidental disclosure of information if the disclosure was caused by an Act of God, unforeseeable network or systems failure, or other event beyond the control of the Internet service provider, online service provider, or operator of a commercial website.

      SEC. 204. ACTIONS BY STATES.

      (a) IN GENERAL-

      (1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates title I, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--

      (A) to enjoin that practice;

      (B) to enforce compliance with the rule;

      (C) to obtain damage, restitution, or other compensation on behalf of residents of the State; or

      (D) to obtain such other relief as the court may consider to be appropriate.

      (2) NOTICE-

      (A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission--

      (i) written notice of that action; and

      (ii) a copy of the complaint for that action.

      (B) EXEMPTION-

      (i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.

      (ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

      (b) INTERVENTION-

      (1) IN GENERAL- On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

      (2) EFFECT OF INTERVENTION- If the Commission intervenes in an action under subsection (a), it shall have the right--

      (A) to be heard with respect to any matter that arises in that action; and

      (B) to file a petition for appeal.

      (c) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

      (1) conduct investigations;

      (2) administer oaths or affirmations; or

      (3) compel the attendance of witnesses or the production of documentary and other evidence.

      (d) ACTIONS BY THE COMMISSION- In any case in which an action is instituted by or on behalf of the Commission for violation of title I, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of that rule.

      (e) VENUE; SERVICE OF PROCESS-

      (1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

      (2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

      (A) is an inhabitant; or

      (B) may be found.

      SEC. 205. WHISTLEBLOWER PROTECTION.

      (a) IN GENERAL- No internet service provider, online service provider, or commercial website operator may discharge or otherwise discriminate against any employee with respect to compensation, terms, conditions, or privileges of employment because the employee (or any person acting pursuant to the request of the employee) provided information to any Federal or State agency or to the Attorney General of the United States or of any State regarding a violation of any provision of title I.

      (b) ENFORCEMENT- Any employee or former employee who believes he has been discharged or discriminated against in violation of subsection (a) may file a civil action in the appropriate United States district court before the close of the 2-year period beginning on the date of such discharge or discrimination. The complainant shall also file a copy of the complaint initiating such action with the appropriate Federal agency.

      (c) REMEDIES- If the district court determines that a violation of subsection (a) has occurred, it may order the Internet service provider, online service provider, or commercial website operator that committed the violation--

      (1) to reinstate the employee to his former position;

      (2) to pay compensatory damages; or

      (3) to take other appropriate actions to remedy any past discrimination.

      (d) LIMITATION- The protections of this section shall not apply to any employee who--

      (1) deliberately causes or participates in the alleged violation; or

      (2) knowingly or recklessly provides substantially false information to such an agency or the Attorney General.

      (e) BURDENS OF PROOF- The legal burdens of proof that prevail under subchapter III of chapter 12 of title 5, United States Code (5 U.S.C. 1221 et seq.) shall govern adjudication of protected activities under this section.

      SEC. 206. NO EFFECT ON OTHER REMEDIES.

      The remedies provided by sections 203 and 204 are in addition to any other remedy available under any provision of law.

      TITLE III--APPLICATION TO CONGRESS AND FEDERAL AGENCIES

      SEC. 301. SENATE.

      The Sergeant at Arms of the United States Senate shall develop regulations setting forth an information security and electronic privacy policy governing use of the Internet by officers and employees of the Senate that meets the requirements of title I.

      SEC. 302. APPLICATION TO FEDERAL AGENCIES.

      (a) IN GENERAL- Except as provided in subsection (b), this Act applies to each Federal agency that is an internet service provider or an online service provider, or that operates a website, to the extent provided by section 2674 of title 28, United States Code.

      (b) EXCEPTIONS- This Act does not apply to any Federal agency to the extent that the application of this Act would compromise law enforcement activities or the administration of any investigative, security, or safety operation conducted in accordance with Federal law.

      TITLE IV--MISCELLANEOUS

      SEC. 401. DEFINITIONS.

      In this Act:

      (1) COLLECT- The term `collect' means the gathering of personally identifiable information about a user of an Internal service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including--

      (A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;

      (B) the use of a chat room, message board, or other online service to gather the information; or

      (C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies or other tracking technology.

      (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

      (3) COOKIE- The term `cookie' means any program, function, or device, commonly known as a `cookie', that makes a record on the user's computer (or other electronic device) of that user's access to an internet service, online service, or commercial website.

      (4) DISCLOSE- The term `disclose' means the release of personally identifiable information about a user of an Internet service, online service, or commercial website by an internet service provider, online service provider, or operator of a commercial website for any purpose, except where such information is provided to a person who provides support for the internal operations of the service or website and who does not disclose or use that information for any other purpose.

      (5) FEDERAL AGENCY- The term `Federal agency' means an agency, as that term is defined in section 551(1) of title 5, United States Code.

      (6) INTERNAL OPERATIONS SUPPORT- The term `support for the internal operations of a service or website' means any activity necessary to maintain the technical functionality of that service or website.

      (7) INTERNET- The term `Internet' means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

      (8) INTERNET SERVICE PROVIDER; ONLINE SERVICE PROVIDER; WEBSITE- The Commission shall by rule define the terms `internet service provider', `online service provider', and `website', and shall revise or amend such rule to take into account changes in technology, practice, or procedure with respect to the collection of personal information over the Internet.

      (9) ONLINE- The term `online' refers to any activity regulated by this Act or by section 2710 of title 18, United States Code, that is effected by active or passive use of an Internet connection, regardless of the medium by or through which that connection is established.

      (10) OPERATOR OF A COMMERCIAL WEBSITE- The term `operator of a commercial website'--

      (A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--

      (i) among the several States or with 1 or more foreign nations;

      (ii) in any territory of the United States or in the District of Columbia, or between any such territory and--

      (I) another such territory; or

      (II) any State or foreign nation; or

      (iii) between the District of Columbia and any State, territory, or foreign nation; but

      (B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

      (11) PERSONALLY IDENTIFIABLE INFORMATION-

      (A) IN GENERAL- The term `personally identifiable information' means individually identifiable information about an individual collected online, including--

      (i) a first and last name, whether given at birth or adoption, assumed, or legally changed;

      (ii) a home or other physical address including street name and name of a city or town;

      (iii) an e-mail address;

      (iv) a telephone number;

      (v) a birth certificate number;

      (vi) any other identifier for which the Commission finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual; or

      (vii) information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in clauses (i) through (vi) of this subparagraph.

      (B) INFERENTIAL INFORMATION EXCLUDED- Information about an individual derived or inferred from data collected online but not actually collected online is not personally identifiable information.

      (12) RELEASE- The term `release of personally identifiable information' means the direct or indirect, sharing, selling, renting, or other provision of personally identifiable information of a user of an internet service, online service, or commercial website to any other person other than the user.

      (13) ROBUST NOTICE- The term `robust notice' means actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes.

      (14) SENSITIVE FINANCIAL INFORMATION- The term `sensitive financial information' means--

      (A) the amount of income earned or losses suffered by an individual;

      (B) an individual's account number or balance information for a savings, checking, money market, credit card, brokerage, or other financial services account;

      (C) the access code, security password, or similar mechanism that permits access to an individual's financial services account;

      (D) an individual's insurance policy information, including the existence, premium, face amount, or coverage limits of an insurance policy held by or for the benefit of an individual; or

      (E) an individual's outstanding credit card, debt, or loan obligations.

      (15) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term `sensitive personally identifiable information' means personally identifiable information about an individual's--

      (A) individually identifiable health information (as defined in section 164.501 of title 45, Code of Federal Regulations);

      (B) race or ethnicity;

      (C) political party affiliation;

      (D) religious beliefs;

      (E) sexual orientation;

      (F) a Social Security number; or

      (G) sensitive financial information.

      SEC. 402. EFFECTIVE DATE OF TITLE I.

      Title I of this Act takes effect on the day after the date on which the Commission publishes a final rule under section 403.

      SEC. 403. FTC RULEMAKING.

      The Commission shall--

      (1) initiate a rulemaking within 90 days after the date of enactment of this Act for regulations to implement the provisions of title I; and

      (2) complete that rulemaking within 270 days after initiating it.

      SEC. 404. FTC REPORT.

      (a) REPORT- The Commission shall submit a report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Commerce 18 months after the effective date of title I, and annually thereafter, on--

      (1) whether this Act is accomplishing the purposes for which it was enacted;

      (2) whether technology that protects privacy is being utilized in the marketplace in such a manner as to facilitate administration of and compliance with title I;

      (3) whether additional legislation is required to accomplish those purposes or improve the administrability or effectiveness of this Act;

      (4) whether legislation is appropriate or necessary to regulate the collection, use, and distribution of personally identifiable information collected other than via the Internet;

      (5) whether and how the government might assist industry in developing standard online privacy notices that substantially comply with the requirements of section 102(a);

      (6) whether and how the creation of a set of self-regulatory guidelines established by independent safe harbor organizations and approved by the Commission would facilitate administration of and compliance with title I; and

      (7) whether additional legislation is necessary or appropriate to regulate the collection, use, and disclosure of personally identifiable information collected online before the effective date of title I.

      (b) FTC NOTICE OF INQUIRY- The Commission shall initiate a notice of inquiry within 90 days after the date of enactment of this Act to request comment on the matter described in paragraphs (1) through (7) of subsection (a).

      SEC. 405. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

      Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--

      (1) by redesignating subsection (d) as subsection (e); and

      (2) by inserting after subsection (c) the following:

      `(d) DEVELOPMENT OF INTERNET PRIVACY PROGRAM- The Institute shall encourage and support the development of one or more computer programs, protocols, or other software, such as the World Wide Web Consortium's P3P program, capable of being installed on computers, or computer networks, with Internet access that would reflect the user's preferences for protecting personally-identifiable or other sensitive, privacy-related information, and automatically execute the program, once activated, without requiring user intervention.'.

      END
  • reaction? (Score:4, Insightful)

    by tps12 ( 105590 ) on Thursday May 09, 2002 @07:58AM (#3489697) Homepage Journal
    My first impression to this is disbelief: citizens have repeatedly sent Congress a strong message of concern over privacy, especially on the Information Superhighway. Businesses have, mostly, elected to create their own privacy policies in the absence of legislation. Everyone supports privacy.

    Or do they?

    Look at your average computer user. He (or she) doesn't use PGP, has insecure passwords, will gladly install spyware in exchange for a P2P client, and is all too willing to help email worms propagate. Now, don't try to tell me that this hypothetical (but all too real) user wouldn't give up his entire purchasing habits to save himself 7 clicks a month on AOL.

    He would be delighted if he could be greeted with "I bet you want the new WWF video: click here to order" when he logged in. That's what this information sharing does. And the public is going to eat it up.

    Meanwhile, the fraction of us who actually care about this kind of thing pay the price. The only sensible thing to do? Become what we hate the most. Format /dev/hd* and install Windows and AOL. Your browser votes don't count unless your user agent says MSIE, and your purchases don't count unless they're through AOL or MSN. We have to make a choice between Free Software and privacy. Once we've saved privacy, then maybe Linux will come back...who knows? But for now, we need to put Linux aside as we prepare for the real battle.

    • Everyone supports privacy.

      Or do they?


      Reading through the privacy policy of every site I visit is not worth my time. Paying the extra taxes in order to enforce a law requiring opt-in would require much less of my time and might be worth it.

      That said, I don't really care whether companies share information, as long as there are reasonable restrictions on how they advertise. Ads at the bottom of newsletters are ok, but spam is not. Banner and text ads are fine, and I can just leave your site if I find your interstitials annoying, but pop-up ads should not be legal. Bulk snail-mail is ok, but print it on recycled paper. Don't use the word "free" inappropriately -- "Get 12 CDs for the price of 1" is ok, but "Get 11 CDs free*!" is not.

      By the way, the kind of targeted advertising you mention doesn't require companies to share information about specific customers. AOL can target the ads itself without giving your personal information to WWE.

      Regarding spyware, I don't see that as a privacy issue, but rather a breaking-and-entering issue. It's illegal, and it would be nice if the government enforced its existing laws, but I don't think it needs to be part of the debate over whether companies should be able to share personal information.
    • Interesting.

      I'd bet your Congresscritter too would be delighted if he could be greeted with "I bet you want the new WWF video: click here to order" when he logged in.

      I'd bet that his secretary who reads all his emails appreciates that information too.

      He may have to hire more secretaries when he realises just the wealth of information out there in his mailbox waiting to be read.

      He's probably just too busy to sign up for these himself.

      Maybe some enterprising individual can assist their representative?

      (Disclaimer: I am not in the US, and am only guessing your rep likes WWF, since we don't get it here. It is your own responsibility to find out your rep's interests.)
  • by jsmyth ( 517568 ) <{jersmyth} {at} {gmail.com}> on Thursday May 09, 2002 @08:00AM (#3489701) Homepage
    "I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.

    I fail to see how this will work at statistical levels - it might encourage some people who have abstained to return to the 'net, but the vast majority, those simple casual users? The use of the word much is inappropriate here.

    Put it this way: if you were to hold a random sampling of U.S. citizens on internet privacy, you would likely get a lot of semi- or un-informed views on it. The reason is simple: it's not considered important enough by society at large. If/when privacy becomes a big thing in the media and in government, only then will the population at large (who are being spoonfed by popular media, remember) feel that it is important enough to become an issue.

    Until then, it remains an issue for the interested parties and the various lobby groups. The average internet user doesn't care, so there will be no upswing, no "much greater level", nice as it would be to believe that Mr. Average Midwestern Suburbian spends as much time as we do reading up on issues such as this.

    • I would qualify my agreement with jsmyth that the issue of privacy isn't regarded as important enough by society at large. I would say that people as consumers have come to expect little privacy in society in general but as residents they value privacy very much.

      Except for a few situations, the idea of privacy is largely left to the savvy of the consumer. In the real world it is largely your burden to learn how to navigate it. Many times you can negotiate terms of a contract, be it employment, car purchase, rental agreement, home purchase, asking for special rates (e.g., airline tickets, car rentals), etc. Businesses are not going to endorse the idea of being required to inform you of your right to negotiate price because you would, and they want you to pay as much as you are willing to. That's capitalism. The details are left to the consumer as an exercise.

      By contrast, there is a law in place to protect civil rights and help prevent abuse by law enforcement. That is, when the police arrest you (or so I have heard (grin)), they read you your Miranda rights (You have the right to remain silent; have your attorney present; etc.). And people like a fence around their yard, caller ID, and no government installed spycams in their dwellings, etc.

      People don't see privacy as an all-around fundamental human right. The default case is one of no privacy unless enforced either by law or individual action.
    • "I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.

      Oh boy, I just can't wait to get a lot more spam messages for herbal Viagra in my mailbox.

      And they thought that increased Internet usage would automatically be a good thing...

    • "I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.

      Boucher went on to predict that, after these privacy policies are in place, world population would increase, the Earth would rotate about its axis roughly once a day, and we would progress towards the heat death of the universe at an ever-increasing pace.
  • Opt out policy (Score:4, Insightful)

    by ivrcti ( 535150 ) on Thursday May 09, 2002 @08:06AM (#3489714)
    Sure, our customers can opt out. It's right there on our web site. Just click on the little tiny smiley face in the bottom left corner, then follow the 4 subsequent links to the opt out policy page. Be sure to find the little "I refuse this offer" check box, then hit submit. "Oh" the submit button is broke?? Now how did that happen? We'll have our help desk take a look at it. (The web site will be down for a few days while they reboot the system.)
    • Re:Opt out policy (Score:4, Interesting)

      by jsmyth ( 517568 ) <{jersmyth} {at} {gmail.com}> on Thursday May 09, 2002 @08:21AM (#3489749) Homepage
      You might think this is funny, but the doubleclick opt-out was exactly this. You had to click through several layers, including one page which solely consisted of a rant on how it is actually in your benefit to allow them to track your usage, and then you have to confusingly click to disagree with their policy, get to the last page, which made a tiny little change to a cookie. Would've been much quicker to print the instruction: Change the number in our cookie to OPT-OUT and it'll be fine.

      Look what happened to doubleclick...

      • You had to click through several layers, including one page which solely consisted of a rant on how it is actually in your benefit to allow them to track your usage

        Ok, all this going through hoops of fire to opt out is too much. I agree 100% there.

        But...say I'm using a hotmail or yahoo email account. I'm definitely sick of all those x10 banners and pop[up,under] windows. And what's with all the match.com banner ads? I'm married! I don't need a date.

        Since most of the free web services are advertiser supported, it'd be great if I could just see ads that actually interested me. Computers, tech stuff, whatever. Not how to lose 40 lbs.
      • Look what happened to doubleclick...

        I can't, that was the first bogus entry I added to my Squid/DNS. :o)

        If this thing flies, we'll have to populate participant's DBs with spurious and junk data. Just like how I subscribed several pets to Reader's Digest junkmail.

        Xix.

  • by SplendidIsolatn ( 468434 ) <splendidisolatn@yah[ ]com ['oo.' in gap]> on Thursday May 09, 2002 @08:15AM (#3489736)
    If you have Store A and Store B, both selling the same product, both selling for the same price, both with equally great customer service, but Store A promises never to disclose your information under any circumstances and Store B doesn't have such a policy...where will you shop? Eventually, a lot of other people will shop at Store A, and when they do shop there, it'll be because of guaranteed privacy, thus making it a selling point.

    This might work out for the best--getting Joe Public caring about privacy issues, even if it is a small start. I can just see the news story now:

    Reporter: Mister Manager of Wal-Mart, how do you explain losing some of your business to Target?
    Mister Wal-Mart: Well, they don't offer our customers the opportunity to receive special offers from our sister stores.
    Reporter: So you're losing sales because you sell information about your customers?
    Mister Wal-Mart: Uhhhhhh
    • Except when store A turns around and says "Oh, by the way, we're changing our privacy policy. Oh, we know you agreed to something entirely different when you created your account, so we're giving you until to opt out."

      This actually happened to me. They sent me something saying the policy would change, and go to some page to opt out. So I did. Then a day after their final date, they sent me another saying the exact same thing, just like a funny previous post about the "submit" button not working, strangely - "Oh, we'll have it fixed within 24 hours after the deadline".
    • ...and then, when Store A gets bought out by Mega-Corp Inc., all the new owners will have to do is send out a 'our terms of service have changed' e-mail. Those that don't read the new terms, much less follow the 10 links to the opt-out screen, get turned into revenue.

      We have no leverage to keep the terms from changing. Resistance is futile.
    • Or, Store B is a big national or international company, able to operate massive economies of scale. Store A isn't. Store B undercuts Store A until Store A goes out of business, then raises prices to the point where they can make a profit. If competition springs up, repeat, until

      a) everybody is discouraged

      b) no sane person would provide backing.
    • Why make a law for opt-out by default? It is already the assumed default. I think aggregate data should be allowed, but attaching a name to the data should not.

      On the other hand, your example will apply very well to the next elections. Candidates who did not care about my privacy will not get my vote.
    • Then Store B has additional revenue from selling your info. They use that revenue to buy annoying advertising space to convince the ignorant public that anyone who is anyone shops at Store B, and that Store A is for the people who buy clothes that were in style 2 years ago from discount stores. And then Store A goes down the tubes.
    • Why even bother passing the law then? It doesn't seem to change the situation any.
    • Until Store A declares bankruptcy and a judge declares that all of your information is valuable property and can be auctioned off to pay the creditors.

      Face it. This gives the user no ongoing protection. The protection is only available to the terms of the transaction. Most of those have a clause that allows the store to change the conditions of the transaction at any time. And in the case of bankruptcy the contract is considered null and void.
      • Until Store A declares bankruptcy and a judge declares that all of your information is valuable property and can be auctioned off to pay the creditors.


        If the store doesn't COLLECT the information, then it can't be declared valuable property because it doesn't exist. I think that was the entire point. Not the creation of a store that doesn't use your information for bad things, but a store that doesn't collect your information at all.

        Kintanon
    • It'd be great if this worked, but in practice it's usually not so simple.

      The main problem of course, is that most people are downright awful at assessing future risk, especially when compared to immediate gain. So Store B might be violating privacy left and right -- but then they offer prices a penny lower, and the consumer says `hmmmm, maybe store B will forget to sell my information, and hey, a penny!' [and then subsequently loses all he owns in a blood-frenzy of con-men]

      [Now I'll just step back for the chorus of `let them screw themselves! I'm elite, I'd never fall for it!']

  • No one would ever choose to opt-in on such a thing. And chances are the companies who would share such information in the first place would not make it very obvious you could opt-out. My guess is that the choice to opt-out will be hidden in a 1,000 word legal disclaimer or an EULA that no one reads anyway.

    Yet another law that helps corporations at our expense, because they apparently have more rights than we do. At least certain congressmen (Mr. Boucher, Mr. Hollings, anyone?) think that's true.

    -Evan
  • So what if they want to share information. Isn't that what the whole Free Software Revolution is about? Information wants to be free, right?

    Or do they have to encode your personal information into MP3 form before it's okay to distribute it?
  • Where is this cornucopia of absurd legislation coming from? Let me guess... corrupt legislators. Now... Is it fair to assume stupid people voted for these corrupt legislators? If stupidity is the majority, isn't the democratic thing to do to legislate stupidity? After all, common sense would go against stupidity and therefore, against these legislators' constituents. Hence, we're shit out of luck...
    • Yes, most Americans are stupid. Well intentioned, but stupid, like most of humanity. Nevertheless, it is the political system itself that is to blame, not the people. The system doesn't offer true choice and anytime people try to go alone or make a change to the system, it is smacked down.

      Watch "Meet John Doe". I also felt like jumping off a bridge by the end.
  • by MartinB ( 51897 ) on Thursday May 09, 2002 @08:23AM (#3489754) Homepage

    Compare and contrast that travesty with UK Data Protection Act 1998 [hmso.gov.uk]. To summarise

    Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

    • fairly and lawfully processed;
    • processed for limited purposes;
    • adequate, relevant and not excessive;
    • accurate;
    • not kept longer than necessary;
    • processed in accordance with the data subject's rights;
    • secure;
    • not transferred to countries without adequate protection.

    Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

    The Full explanation of the principles can be found here [dataprotection.gov.uk]

    (source: http://www.dataprotection.gov.uk/principl.htm [dataprotection.gov.uk])

    Note that last point - the US at present does not have 'adequate protection' (ie protection to an equivalent level). This proposed bill takes it further away.

    Something else to note - the enforcement of this will only get stricter when the new Data Protection Commissioner takes office.

    • Thing is, I still end up with junkmail and random crap from everybody under the sun *sigh*
      Just because they legislate it doesn't mean anyone pays any attention, it's a bit like speeding laws.

      • where do you live? In London there are speed-cameras, red-light cameras, bus-lane cameras etc. every ten yards. Speeding and other traffic offenses are seen as a major revenue centre for local authorities and enforced accordingly!

        When they get connected to face-recognition software this will have major security implications.

        Of course, you can opt-out of junk mail and unsolicited phone calls (and treat any offenders as a revenue centre at £500 ($750?) a time yourself).

      • You'll get precious little of it from countries with real Data Protection legislation (the EU, Switzerland, New Zealand). The legislation is enforced.

  • It would at least require companies to obey their own privacy policies. Right now, it doesn't seem to matter if I uncheck every box with words like "Subscribe me to electronic news", "Share my contact information with other companies", etc. when registering on a site. The majority of companies don't honor your preferences to not receive all their junk mail. With this proposed bill, it would be illegal not to do so.

    That said, I still prefer the competing bill overall.

    Jason
    • "It would at least require companies to obey their own privacy policies."

      No it wouldn't, because you wouldn't have any legal action against them if they break it. And I never have heard much in the way of the FTC. We would be completely reliant that the FTC hears of this, and actually doing something.

      "Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense."
  • by Anonymous Coward
    Privacy issues really get on my nerves. Not so much because I feel the need for my privacy to be protected, but because there is nothing I can do to stop it. Sure, there are petitions and writing to my local representatives, but I don't have the time to read the fine lines of every law that every politician puts up for a vote.

    Then there are the laws that I even take the time to sign petitions for and write to my representatives, like CARP ( http://www.live365.com/carp/ if you've been living in a box ). Hordes of people objected to this law, yet it still was passed.

    The government is not listening. You might be able to get someone to listen to you during an election year, if you're lucky. Maybe you could claim to have to pick up cans along the highway to pay your CARP royalty fees and Gore could talk about you. But otherwise, it's a sad waste of time.

    Then there's the hypocrisy of the people that call for these petitions. Example: Right here in Milwaukee, we had a controversy about our City Pension Plan and a million dollar lump sum payout. The elected official that signed the bill was forced to resign amidst a recall campaign. Sounds like the population taking on their civic duty, right? Well, in the emergency election to fill his position, only 1 in 5 of the people that signed the recall petition actually voted. 4 of 5 just wanted to kick the government wherever they could get a shot in.

    In the end, you might catch one bill, you might get someone important to object to it, you might even get enough people on your side to oppose the law, but unless you can give a senator a better hand job than the lobbyist, they'll get their way eventually.
  • What politician who wants to be re-elected would ever vote against a "Privacy Bill"?

    I could sponsor legislation to grind up kittens and baby seals to pave our highways, and as long as I named the bill something like the "Privacy Bill", every legislator would vote in favor. No one wants to go on record as being against a "Privacy Bill".

    This is one of the flaws in our short-attention-span news coverage. No one investigates in depth. Everyone assumes the name of the bill represents the contents. (PATRIOT Act anyone?) And so we get politicos voting on the name of the bill, rather than the content.

  • No right to sue (Score:5, Insightful)

    by EReidJ ( 551124 ) on Thursday May 09, 2002 @08:55AM (#3489865) Homepage
    Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense.

    This is the part of the bill that I find particularly noxious and annoying. I can (with regret) swallow the rest of the bill, as long as the company gives me the explicit choice, whenever they collect the information, about whether I want to prevent them from selling the information to other people.

    But this... When a company breaks the law, and they violate my privacy, I have a right to sue their asses off! I have a right (a moral right, not a legal one, IANAL) to publicly punish them and make damn sure they never do this again and get appropriate compensation for violating my privacy. This bill specifically would take away this right from me.

    "Oh, I'm sorry, we didn't realize we were violating your privacy! All those magazine companies now know your income level? Whoops, our bad! But we're just going to do it again, because we have no incentive to obey the law!"

    Laws don't mean anything without teeth. Remove the teeth, might as well not even have the law.

  • "Mr. Boucher, if you don't play ball with us at least once in a while, you might have a fatal car accident." *CLICK*
    --
    • Bad juju man.

      Even if it was a joke, even if it was a reference to something famous, never, ever even imply anything about assassination of a political representative. This is doubly true in today's climate.

      I hope you don't get in shit for a stupid joke on Slashdot, but at least one guy got harassed by the feds over a post on kuro5hin, that discussed methods of terrorism in an academic way.

      Besides, Boucher is a fairly cool guy. Just remember who he represents, high tech internet companies. This is why he is against the DMCA, and this is also why he is in favor of this bill. I think he is misguided on this one, but I think that's his ultimate motivation.
      • If it wasn't obvious, I was joking - it was supposed to be implied that this fictional call was placed by "MIBs" in order to stop his geek winning streak.

        Anyway, my comment isn't even close to approaching Jim Bell [jya.com] levels, or that dude on Howard Stern who wouldn't back down in seriousness and got a visit from the NSA.

        Besides, I don't think many people could argue that things are bad enough yet to warrant fixing corruption with murder. Voting still works... sortof.

        (I think I've prolly set off more echelon red flags in this post than the previous :)
        --

  • a long-awaited privacy bill Wednesday that would allow U.S. businesses to share information about customers

    Would this qualify as an oxymoron? Exactly how does releasing my private information qualify as privacy? Have these people ever opened a dictionary? Mr. & Mrs. Public would be up in arms if they knew their leaders were voting to allow their credit card companies access to their medical records. If you are sick isn't there a good chance you may miss a payment? Further, if you have a genetic pre-disposition to a disease, regardless of whether you have it, your employer should know, shouldn't they?

    A group of business leaders from high-tech firms said the bill struck the right balance between consumers and businesses

    A "group of business leaders". Would this be the same group being paid to collate and distribute this data? Or perhaps, the people that want the data? In either case, at least they are honest enough to admit the public is either in the dark or against it. [Okay, that is my spin... ]

    "I'll predict a much greater level of Internet usage with these privacy policies in place," Boucher said.
    Amazing is that as a republican, who should be for more local government and smaller federal government, we have instead the rider that states this will override more restrictive local laws. Even more amusing (frightening?) is his biography which lists him as "a leading architect of federal policy for the Internet." I am really pressed to put some type of sarcasm here, but nothing I could say would be more foolish than his statement.

    I know I make this pitch every time one of these things get started, but contact your representatives.
    House of Representatives [house.gov]
    Senators [senate.gov]

    And please remember: Be concise, polite, and on paper (fax may even be better as it is not double processed through the mail). In addition, CC the letter to your local newspaper's letter to the editor and you may as well try their email address. (But remember the study done last year, most representatives do not read emails)
    • Exactly; speak up and do something about it. Boucher is up for election come 5 November. How about you readers in VA join in a movement to have this bung-hole removed from office. You've elected him 10 times so of course he believes he's untouchable. How about taking the time to reassure him that he still represents somebody other than Disney. signed, f-ing Penguindung
    • You state in your post the following:

      "Amazing is that as a republican, who should be for more local government and smaller federal government, we have instead the rider that states this will override more restrictive local laws..."

      FYI - Rep. Boucher is a Democrat.

  • Here are a few quotes from the article for those who haven't read it.

    "Sponsors said the bill would establish basic privacy protections for consumers while minimizing the impact on business."

    OK, this seems reasonable at face value. Now let's see what protections consumers will in fact get from this bill.

    More than a year in the making, the privacy bill unveiled in the House differs from a competing bill making its way through the Senate that would require businesses to get consumers' explicit permission before sharing sensitive information such as income level, religious affiliation or political interests.

    Not that I think the Senate bill goes quite far enough for my liking, this opt-out policy essentially states that businesses will be free to do whatever they please with my information, especially if it turns out that businesses can reset their customers' privacy preferences (cough...Yahoo...cough) at any time. So I think the word negligible best describes our privacy rights under this bill.

    Let's assume that this bill does give us Americans a few crumbs of privacy. Here's what will happen to businesses that violate these rights:

    Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense.

    Companies submitting to a self-regulatory privacy regime such as TRUSTe or BBBonline would enjoy protection from FTC actions.


    We all know how valiantly TRUSTe fights for consumers' privacy rights and how fiercely they punish businesses that violate their privacy policies, right. Give me an effing break! Not only do we end up with very few privacy protections, but the maximum punishment for violating the few rights (at least the first time around) that we have is a rebuke from a government bureau or an industry organization? Sounds like a great bill to me.

    It seems like the Senate bill is going to be the best case scenario for privacy advocates in this country, and the more likely scenario is a compromise between the House bill and Senate bill. In other words, we Americans will be lucky if the few basic protections we have regarding the privacy of bank and medical records we have still exist when the President signs whatever comes out from Congress. If only there was a "Control-Alt-Delete" option on ballots that indicated a desire for all 535 members of Congress and the President to be removed at the same time instead of having a voice over at most 4 of these officials' futures...

    One last thought: if this bill were to pass, maybe we could boomerang it back onto Big Business. The Supreme Court has decided that corporations are people, right? Corporations purchase services from people (e.g. developing software, fixing cars, making purchasing decisions), and often give those employees access to proprietary data in the process. Could the courts conclude that businesses have no right to privacy as well, claiming that the employees can reset the company's "privacy policy" (NDA) at any time, like businesses do to customers? Then, maybe, just maybe, things might not be so bad after all...
  • This bill has basically no powers; opt-out systems always have fewer people opting out. However, if it had teeth then everyone would just ignore it.
    Just move payment / data store to another country, even a Sealand. All you do is allow someone to collect things on your US website, then when it comes to payments say payments are handled by our trusted corp xyz.
    xyz then collects all the information out of the jurisdiction of the US and pays no US tax; it can then sell the details to anyone it likes.
    Privacy bills have to allow corps enough freedom to do what the hell they like or they will just leave your country.
  • A problem with ruling:
    The right thing to do for your people isn't always the best thing for your people.

    In this case, the right thing to do, obviously, is to protect privacy and require opt-in, not opt-out.

    Opt-out begs for spam, while opt-in will simply result in illegal spam. Illegal means it cannot fund a big business. The reason this is bad, is because a fair part of the *tech* economy revolves around advertising distribution.

    Notice the tech economy troubles? Well, the government needs to step in to keep the wonderful tech developments we all take for granted coming. The best thing for the people, clearly, is to keep the mainstream free software and services alive, and thus keep the tech economy going strong.

    The annoying deleting of spam pays for things of which we enjoy the use.

    This anti-privacy bill is a feeble attempt, methinks, because the tech industry is affected little by spam. Now setting the heartless calculating and decision-making econ people have to do aside, I bloody well hate opt-out. I think if any government measure is taken, it should not be another false inflation of the tech economy.
  • And one of the supporters of this bill - the beloved Mr. Boucher.

    <VOICE type=luke-skywalker>
    NOOOOOOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOOOOOO!
    </VOICE>
  • That any information about me in any form is the sole property of myself and may not be used in any form by any individual or organisation, whether private or public, for any purpose whatsoever.

    It is the responsibility of any person wishing to use such information to read the online publication Slashdot, and all its user postings, to avoid being liable by not knowing that I have made this proclamation.

    Consider yourself warned.
  • So where do I sign up to tell every company that they have no right to share anything about me? How does one put the big red international symbol for "NO WAY IN HELL" on my information?
    Does this mean that every company that asks for information from you in any way would have to provide a mechanism for you to explicitly tell them they can't share your information? Does this mean a business can share my information as soon as they get it because I, the little consumer, have to go out on my own and specifically contact someone at the company who gives a rat's ass and tell them they can't share it?

    This bill certainly implies there should be a clear way to do this, but we all know that anything a law might imply does hold water, it just becomes another loophole. I don't think a microscopic check box at the bottom of some long form is going to cut it.
  • Here, most data is opt-out, but sensitive data (health, politics, sexual behaviour, financial information) is opt-out. And that's enforced by law.

    However, if you want to share it with a third party (even an unrelated arm of the same group of companies), it's all opt-in.

    Oh, and if you want to use any data, you have to be registered. The Data Protection Commissioner who runs the register has the power to stop you using your database on suspicion of mis-using data. Which costs a lot if you're British Gas [house.co.uk], who had just this happen to them a couple of years back.

    It's a powerful dissuader...

  • Stearns, a Florida Republican whose consumer-protection subcommittee held six hearings on privacy last year, said the free flow of consumer data has been a cornerstone of the modern information-based economy.

    The free flow of my information is what has been keeping this economy going? What economy is he living in?

    "The underlying principle that anchors this bill is, 'do no harm,' " he said.

    Do no harm to who? You're representing me and any time my privacy is violated I incur harm.

  • ...you should be fighting against income taxes. There is no bigger threat to privacy than the government knowing where you work, how much you make, who you donate money to, where you invest your money, etc... Isn't that an invasion of privacy? That offends me more than getting a couple of spams a day.

    Of course, just the thought of eliminating income taxes (versus a consumption/sales tax only) makes the people at the ACLU or the Center for Democracy and Technology jump out of their skin. So I want to ask people (especially those who lean to the left), "If you care so much about privacy, don't you think we should eliminate income taxes?"
  • Doesn't the copyright on information disclosed by an individual belong to that individual? So this bill is a pro-piracy bill; too bad we ain't the RIAA.
  • You opt-in by providing your information in the first place. BFD.
  • Look, we have in the past emailed/written/called Boucher to say "yay, good job". Why not now call to say "hey, this sucks. we should be able to sue for privacy violations, and we should have to opt in for this shit."
  • I Want a Law (Score:3, Insightful)

    by Puk ( 80503 ) on Thursday May 09, 2002 @12:27PM (#3491210)
    I want a law making it illegal to mislead people when naming or describing laws. Putting a little spin on law names is one thing, but calling something a "privacy law" when it's really a "no privacy law" or a "loss of privacy law" is just garbage.

    My law, new style, could be called "No False Advertising in Congress". Old style, it could be called, "Misleading People for a Better America" or "Beef Jerky" or something.

    Blah.

    -Puk
  • ... that government agencies themselves are susceptible to much more stringent privacy laws than corporations. Blockbuster Video can ask for your SSN with ease, but a government agency needs to tell you first exactly what they can (and can't) do with your SSN. An even better example is the USPS. I have yet to see a corporate privacy policy statement that is this stringent:
    "We maintain physical, electronic, and procedural safeguards pursuant to federal regulations to guard your nonpublic personal information. We restrict access to only postal personnel and contractors, who have a need to know the information to provide services to you."
  • "The bill has lined up 22 co-sponsors from both sides of the aisle, among them Rep. Billy Tauzin, the Louisiana Republican who chairs the House Energy and Commerce Committee."

    The same Billy Tauzin that's in BellSouth's back pocket and is currently sponsoring a bill to increase the Baby Bells' monopoly powers? YES INDEED!

    I swear this November just can't come soon enough... maybe I should start writing letters to the local papers now...
  • A group of business leaders from high-tech firms said the bill struck the right balance between consumers and businesses

    It would be interesting to know which tech businesses are behind this. That way I can keep a closer eye on my dealings with them.

    As others have said, I don't see how this is a privacy bill. It's best described as an anti-piracy or piracy removal effort.

    And I definitely don't understand why this would make more people use the internet. Unless I misread the intent, this would make people more wary of giving out information for fear that they would accidentally be releasing a company to use their sensitive info in any way they choose.

    And taking away a person's right to sue? I thought that was in the constitution. : )
  • The bill would cover transactions both on the Internet and in the "offline" world, and would override state laws that place more restrictions on commercial use of personal information. Sponsors said the bill would establish basic privacy protections for consumers while minimizing the impact on business.


    ...

    "Consumers would have no right to sue if their privacy was violated. Enforcement would be left in the hands of the Federal Trade Commission, which usually does not impose fines on a first offense.


    Companies submitting to a self-regulatory privacy regime such as TRUSTe or BBBonline would enjoy protection from FTC actions."


    This is absolutely obscene. It overrides more restrictive state laws (so much for Republicans respecting states' rights), removes consumers' right to sue when they are wronged, and protects companies who enroll in TrustE's BS service to escape FTC punishment when they violate the rules. Sounds like those campaign bribes, er, contributions are paying off big.

  • This is total BULL SHIT. Privacy should damn well be a Default thing to respect, unless given written permission by the individual that it is ok to invade ones privacy.

    The reason for this is really very simple.

    I don't want to fucking spend my time and money on having to respond every gawd damn company tellin them NO!

    I'm a long term US citizen, IS that enough to get respect?!!!
