IN THE SENATE OF THE UNITED STATES
April 10, 2018
Mr. Markey (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To require the Federal Trade Commission to establish privacy protections for customers of online edge providers, and for other purposes.
This Act may be cited as the Customer Online Notification for Stopping Edge-provider Network Transgressions or the
Privacy of customers of edge providers
In this section—
the term breach of security means any instance in which a person, without authorization or in violation of any authorization provided to the person, gains access to, uses, or discloses sensitive customer proprietary information;
the term Commission means the Federal Trade Commission;
the term customer means—
an individual who is a customer of an edge provider; and
an individual who is a user of an edge service provided by an edge provider;
the term edge provider means a person that provides an edge service, but only to the extent to which the person provides that service;
the term edge service—
means a service that is provided over the Internet—
for which the edge provider requires the customer to subscribe or establish an account in order to use the service;
that the customer purchases from the edge provider without a subscription or account;
through which a program searches for and identifies items in a database that correspond to keywords or characters specified by the customer; or
through which a customer divulges sensitive customer proprietary information of the customer; and
includes any service that is provided—
through a software program, including a mobile application; or
over the Internet, directly or indirectly, through a connected device;
the term opt-in consent means a method by which an edge provider may obtain from a customer affirmative, express consent to use, disclose, or permit access to the sensitive customer proprietary information of the customer after the customer has received explicit notification of the request of the edge provider with respect to that information;
the term personally identifiable information means any information that is linked, or reasonably may be linked, to a specific individual or device; and
the term sensitive customer proprietary information includes—
information pertaining to children;
Social Security numbers;
precise geolocation information;
content of communications;
call detail information;
web browsing history, application usage history, and the functional equivalents of either; and
any other personally identifiable information that the Commission determines to be sensitive.
Privacy of customers of edge providers
It is unlawful for an edge provider to violate the privacy of a customer in a manner that violates a regulation prescribed under paragraph (2).
In carrying out this Act, the Commission shall—
not later than 1 year after the date of enactment of this Act, promulgate, under section 553 of title 5, United States Code, regulations to protect the privacy of customers of edge providers; and
ensure that the regulations promulgated under clause (i) take effect not later than 180 days after the date on which the regulations are promulgated.
Requirements under regulations
In promulgating regulations under subparagraph (A), the Commission shall—
require an edge provider to notify a customer about the collection, use, and sharing of the sensitive customer proprietary information of the customer, including by—
notifying the customer about the types of sensitive customer proprietary information the edge provider collects;
specifying how and for what purposes the edge provider uses and shares sensitive customer proprietary information; and
identifying the types of entities with which the edge provider shares sensitive customer proprietary information;
require an edge provider to—
supply the information described in clause (i) when a customer initially subscribes to, establishes an account for, purchases, or begins receiving an edge service; and
update a customer when the policies of the edge provider relating to the information described in clause (i) change in a significant way;
require an edge provider to obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer;
implement strong protection for sensitive customer proprietary information that has been de-identified to prevent the restoration of any personally identifiable information that has been previously removed, including by—
requiring an edge provider to alter the customer information so that the customer information cannot be reasonably linked to a specific individual or device;
requiring an edge provider to publicly commit to maintain and use sensitive customer proprietary information in an unidentifiable format and to not attempt to restore any personally identifiable information that has been previously removed from the sensitive customer proprietary information; and
requiring an edge provider to contractually prohibit the practice of restoring any personally identifiable information that has been previously removed from sensitive customer proprietary information;
determine on a case-by-case basis the reasonableness of any program that relates the price of an edge service to the privacy protections afforded to customers, and require an edge provider to fully disclose plans that provide discounts or other incentives in exchange for an express affirmative consent of the customer to the use and sharing of the sensitive customer proprietary information of the customer;
prohibit an edge provider from refusing to serve a customer who does not consent to the use and sharing of the customer proprietary information of the customer for commercial purposes (commonly known as a take-it-or-leave-it offer) on the basis of that refusal to consent by the customer; and
require an edge provider to—
develop reasonable data security practices; and
notify a customer if a breach of security has occurred if the edge provider determines that an unauthorized disclosure of the sensitive customer proprietary information of the customer has occurred and harm is reasonably likely to occur.
Enforcement by the Commission
Except as otherwise provided, this Act and the regulations prescribed under this Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Unfair or deceptive acts or practices
Subject to subsection (d), a violation of this Act or a regulation prescribed under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Actions by the Commission
Subject to subsection (d), and except as provided in subsection (f)(1), the Commission shall prevent any person from violating this Act or a regulation prescribed under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act or such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Enforcement by certain other agencies
Compliance with the requirements imposed under this Act shall be enforced as follows:
Under section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818) by the appropriate Federal banking agency, with respect to an insured depository institution (as those terms are defined in section 3 of that Act (12 U.S.C. 1813)).
Under the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board, with respect to any Federal credit union.
Under part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation, with respect to any air carrier or foreign air carrier subject to that part.
Under the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226; 227)) by the Secretary of Agriculture, with respect to any activities subject to that Act.
Under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration, with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.
Enforcement by State attorneys general
In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates this Act or a regulation prescribed under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—
enjoin that practice;
enforce compliance with this Act or such regulation;
obtain damages, restitution, or other compensation on behalf of residents of the State; or
obtain such other relief as the court may consider to be appropriate.
Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Commission—
written notice of that action; and
a copy of the complaint for that action.
Clause (i) shall not apply with respect to the filing of an action by an attorney general of a State under this paragraph if the attorney general determines that it is not feasible to provide the notice described in that clause before the filing of the action.
In an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.
On receiving notice under paragraph (1)(B), the Commission shall have the right to intervene in the action that is the subject of the notice.
Effect of intervention
If the Commission intervenes in an action under paragraph (1), it shall have the right—
to be heard with respect to any matter that arises in that action; and
to file a petition for appeal.
For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—
administer oaths or affirmations; or
compel the attendance of witnesses or the production of documentary and other evidence.
Actions by the Commission
In any case in which an action is instituted by or on behalf of the Commission for violation of this Act or a regulation prescribed under this Act, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in the action instituted by or on behalf of the Commission for that violation.
Venue; service of process
Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
Service of process
In an action brought under paragraph (1), process may be served in any district in which the defendant—
is an inhabitant; or
may be found.
In this subsection, the term telecommunications carrier has the meaning given the term in section 3 of the Communications Act of 1934 (47 U.S.C. 153).
Enforcement by the Commission
Notwithstanding section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), compliance with the requirements imposed under this Act shall be enforced by the Commission with respect to any telecommunications carrier, but only to the extent that the telecommunications carrier is operating as an edge provider.
Relationship to other law
To the extent that the applicability of section 222, 338(i), or 631 of the Communications Act of 1934 (47 U.S.C. 222, 338(i), 551) to a telecommunications carrier is inconsistent with this Act, this Act shall supersede those sections only to the extent that the telecommunications carrier is operating as an edge provider.