Memo #13534

ONLINE PRIVACY LEGISLATION TO BE CONSIDERED BY CONGRESS

URGENT ACTION REQUESTED

[13534]

May 22, 2001

TO: ELECTRONIC COMMERCE ADVISORY COMMITTEE No. 12-01

TECHNOLOGY ADVISORY COMMITTEE No. 6-01

RE: ONLINE PRIVACY LEGISLATION TO BE CONSIDERED BY CONGRESS

The Institute has learned that Senator McCain plans to schedule a hearing (to be followed closely by a mark-up) in the near future on online privacy legislation. While he has not yet introduced a bill, in the last session of Congress he introduced S.2928, the “Consumer Internet Privacy Enhancement Act.” It is our current understanding that he intends to introduce an identical bill in the current Congress. Accordingly, a copy of S.2928 is attached for your review and it is briefly summarized below.

In anticipation of the upcoming hearing, we would appreciate your reviewing the attached copy of S.2928 and providing any comments on issues or concerns it raises for the mutual fund industry. Please provide your comments to me by e-mail (frances@ici.org), no later than Tuesday, May 29th. Alternatively, you may call me at (202) 326-5822 with your comments.

S.2928 would apply certain notice and opt out requirements to “commercial website operators,” a term that is broadly defined. The bill has certain similarities to the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act). For example, S.2928 would allow website users to opt out of the use of their personally identifiable information for marketing purposes, or the sharing of that information with third parties (which includes affiliates), except for information that is related to the product or service provided by the website or information required to be disclosed by law.

A violation of the legislation would be treated as a violation of the Federal Trade Commission Act. There are provisions that would authorize other regulators to enforce the bill’s requirements as to entities within their jurisdiction, but these provisions do not expressly mention the SEC.

Though S.2928 provides that it is not intended to affect any provision of, or any amendment made by, the GLB Act, it is unclear what this means. (Because S.2928 and the GLB Act overlap but are inconsistent with each other, it is difficult to say what entities that would be subject to both would be expected to do.) There apparently was no intent to carve out entities subject to the GLB Act, as evidenced by a provision authorizing federal banking agencies to enforce the requirements of S.2928 with respect to banks.

The bill also includes provisions for civil penalties and for enforcement by state attorneys general. A privacy study and related report to Congress would additionally be required. Also of interest: (1) state requirements that are inconsistent with or more restrictive than S.2928 would be preempted; and (2) the bill would provide a safe harbor for website operators that comply with self-regulatory guidelines that are (i) issued by seal programs or representatives of the marketing or online industries or by any other person, and (ii) are approved by the FTC as containing all the requirements set forth in the notice provisions of S.2928.

Frances M. Stadler
Deputy Senior Counsel

Attachment (in .pdf format)