The Senate Commerce Committee approved Bill S.2201, the "Online Personal Privacy Act," which would prevent entities from collecting personal information from users unless the users specifically opt in to such information collection. After a user agrees to opt in, the agreement remains in effect until the user changes his or her consent.
According to the bill, any entity wishing to collect personal information must post "clear and conspicuous" notice to users stating the specific types of information that the entity will collect, the collection methods, how the collecting entity will use the information, and the collector's disclosure practices, including whether the entity will disclose the information to third parties. Information collectors must also provide "robust" notice to users once before collecting any personal information. If an information collector significantly changes the type of information collected or the way the collector uses that information, the collector must provide the notice again before implementing the changes. If an entity's collection and disclosure policy changes, the entity must notify all users and obtain their consent before using any collected personal information in accordance with the policy changes.
The bill also carries provisions for the event that an intruder breaches an information collector's security or that collected information is used unlawfully. In such instances, the collector must notify all users whose information has been compromised. The notice must describe the nature of the unlawful collection, disclosure, use, or compromise, and the steps the collector has taken to remedy the situation. Notice might be delayed while intrusion detection is taking place to apprehend the person responsible, and while the collector restores the integrity and security of the service or Web site it uses for collection.
The opt-in requirement wouldn't apply to situations in which information collection is required to protect the security or integrity of a Web site or to ensure the safety of people or property. The requirement also doesn't apply to cases in which information collection is necessary to conduct a transaction or to deliver products and services.
After a collecting entity has collected a user's information, the user can request changes to the information or request that the entity delete the information. However, the entity that collected the information may decline to change or delete such records if it believes that the requested correction or deletion is inaccurate or otherwise inappropriate. The user may dispute the entity's refusal to change or delete the records. Entities can charge a fee of up to $3 to perform such changes and deletions, although some users could be exempt from such fees. Exemptions include persons who are on or will be on unemployment within 60 days and persons who are on welfare, or cases in which the information collected needs to be changed or deleted because of fraud.
The Federal Trade Commission (FTC) would enforce the provisions if they become law. S.2201 now goes before the full Senate for consideration. Entities found in violation of the law could be fined, and the FTC would award the fines to users whose information was compromised or misused. Awards would not exceed $200 per user, and any excess money collected from fines and not distributed to users would be deposited into the United States Treasury as miscellaneous receipts. Affected users would also be entitled to sue violators in district court and collect significant monetary damages.
You can obtain a copy of the bill in PDF format at the Electronic Privacy Information Center's (EPIC) Web site.