[Senate Report 109-253]
[From the U.S. Government Publishing Office]
109th Congress Report
SENATE
2d Session 109-253
_______________________________________________________________________
Calendar No. 425
PROTECTING CONSUMER PHONE RECORDS ACT
__________
R E P O R T
of the
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 2389
together with
ADDITIONAL VIEWS
May 9, 2006--Ordered to be printed
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred ninth congress
second session
TED STEVENS, Alaska, Chairman
DANIEL K. INOUYE, Hawaii, Co-Chairman
JOHN McCAIN, Arizona JOHN D. ROCKEFELLER IV, West
CONRAD BURNS, Montana Virginia
TRENT LOTT, Mississippi JOHN F. KERRY, Massachusetts
KAY BAILEY HUTCHISON, Texas BYRON L. DORGAN, North Dakota
OLYMPIA J. SNOWE, Maine BARBARA BOXER, California
GORDON H. SMITH, Oregon BILL NELSON, Florida
JOHN ENSIGN, Nevada MARIA CANTWELL, Washington
GEORGE ALLEN, Virginia FRANK LAUTENBERG, New Jersey
JOHN E. SUNUNU, New Hampshire E. BENJAMIN NELSON, Nebraska
JIM DeMINT, South Carolina MARK PRYOR, Arkansas
DAVID VITTER, Louisiana
Lisa Sutherland, Staff Director
Christine Kurth, Deputy Staff Director
Kenneth Nahigian, Chief Counsel
Margaret Cummisky, Democratic Staff Director and Chief Counsel
Samuel Whitehorn, Democratic Deputy Staff Director and General Counsel
Calendar No. 425
109th Congress Report
SENATE
2d Session 109-253
======================================================================
_____
PROTECTING CONSUMER PHONE RECORDS ACT
_______
May 9, 2006.--Ordered to be printed
_______
Mr. Stevens, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany S. 2389]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2389) to amend the
Communications Act of 1934 to prohibit the unlawful acquisition
and use of confidential customer proprietary network
information, and for other purposes, having considered the
same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill (as
amended) do pass.
Purpose of the Bill
The purpose of S. 2389 is to make it illegal to acquire, use,
sell, or solicit a third party to unlawfully obtain a person's
confidential phone records without that person's consent. The
Federal Communications Commission (FCC) would be required to
enhance the confidentiality procedures of telecommunications
carriers and IP-enabled voice providers with access to such
information to the extent existing protections are inconsistent
with standards set forth in the Gramm-Leach-Bliley Act (P.L.
106-102) (GLBA). The bill also would provide the FCC and the
Federal Trade Commission (FTC) with strengthened enforcement
authority to ensure that confidential phone records are not
accessible by bad actors. Under the bill, a carrier or an IP-
enabled voice provider would be required to notify a customer
if someone without authorization gains access to a customer's
phone records. The bill's provisions would cover wireless,
wireline, and IP telephone services. Furthermore, the bill
would require the FCC and FTC to educate the public on various
protections and enforcement efforts used to prevent
unauthorized access of consumers' phone records.
Background and Needs
Personal phone records are confidential consumer information,
but have recently become targets of data brokers who buy and
sell customer phone records for a fee over the Internet. Data
brokers sometimes use what is called ``pretexting,'' whereby a
person impersonates a phone customer to obtain confidential
customer phone records from a carrier. The broker then sells
the records on a website to anyone willing to pay a small fee.
Certain websites, like ``www.locatecell.com,'' have offered for
sale to the public a full cell phone record of a consumer's
incoming and outgoing calls for $110.00. In a recent stunt by
an online blogger, the cell phone records of former
Presidential candidate, Wesley Clark, were purchased from
``www.celltolls.com'' for $89.95. The relative ease by which
individuals can obtain and sell these records has led to public
calls for government action to prevent such personal
information from becoming public.
Investigations currently are underway by both the FCC and the
FTC as to how phone records are being divulged to third party
data brokers without a customer's consent. Several methods are
possible, but the use of pretexting likely is a primary method
through which phone records are obtained by impersonating the
authorized user. Pretexting is made even easier if unauthorized
third parties obtain personal information such as a customer's
password, Social Security number, or identifying information
that can be used to convince the carrier that release of the
true customer's phone records is legitimate and appropriate.
Other methods and means by which unauthorized third parties
obtain and sell personal phone records in the public domain
include hacking and compromised employees.
In addition to recent actions taken by Federal regulators
against pretexters, the FCC also issued a Notice of Proposed
Rulemaking in February to consider what additional steps, if
any, should be taken by the Commission to further protect the
confidentiality of customer proprietary network information
(CPNI).
Telecommunications carriers are already under an affirmative
obligation to protect and safeguard a customer's proprietary
information, and to refrain from distributing this information
to a third party without the customer's consent or as permitted
by law (e.g., emergency purposes, law enforcement purposes) (47
U.S.C. Sec. 1A222). CPNI includes such data as quantity of
phone calls by a customer, destination of the phone call,
location, and amount of use of a telecommunications service.
For example, if a customer purchases basic local telephone
service, the local telephone company and its affiliates do not
need the customer's approval to use CPNI to try to sell voice
mail or caller ID services to the customer. The local telephone
company, however, may not use or share CPNI with an affiliate
to try to sell wireless service without the customer's
approval, because wireless telephone service is a different
category of service than local telephone service.
With such an affirmative obligation regime in place, the
carrier must still be able to provide a customer with personal
account information upon request. Carriers, therefore, are
required to balance a customer's expectation of privacy that
phone records remain closed to public inquiry, while
concurrently providing a level of service that does not impede
access for a customer in obtaining the customer's own
information.
Currently, under rules adopted pursuant to GLBA, specific
prohibitions on prextexting are limited to cases where
pretexting is used to obtain financial records. Current law
does not specifically outlaw pretexting for phone records. (15
U.S.C. Sec. 1A45(a) and Sec. 1A6801-09). The FTC has taken the
position that it has the power to pursue actions against phone
record pretexters based on its general authority to prevent
deceptive and unfair business practices, but without this
explicit ban, such practices may be more difficult to
prosecute. Even if FTC's authority to pursue actions against
pretexters of phone records is assumed, the Federal Trade
Commission Act (FTC Act) does not authorize the immediate
imposition of civil penalties against third party data brokers.
An action filed in a Federal district court against the accused
party would be the only way for the FTC to obtain injunctive or
equitable relief.
Summary of Provisions
The bill, S. 2389, would make it illegal to acquire or use a
person's phone records without that person's written consent;
to acquire a person's phone records by misrepresenting that
person's consent to such acquisition; to obtain unauthorized
access to data; or to sell or solicit data that was or will be
obtained without authorization. The bill would provide
exceptions for phone companies using customer information for
legitimate uses not currently prohibited by section 222 of the
Communications Act. IP-enabled voice providers, which are not
currently covered by law, would be specifically treated as
phone companies for the purpose of allowing them to benefit
from the same course of business exemption.
The bill would require the FCC to issue rules enhancing
confidentiality procedures for phone companies or IP-enabled
voice service providers to the extent the FCC determines that
changes in its rules are necessary to bring confidentiality
protections in line with these regulations adopted by the FTC
under GLBA, taking into consideration the differences between
financial information and CPNI.
The bill would increase penalties and extend the FCC's
statute of limitations under section 509 of the Communications
Act from one year to two years. The bill also would extend
phone record protection requirements under section 222 of the
Communications Act of 1934 (1934 Act) to IP-enabled voice
service providers. Within 14 calendar days of a breach, phone
companies and IP-enabled service providers would be required to
notify a customer whose records were improperly given out.
The bill also would provide for service provider enforcement
as if the violations of the bill were an unfair or deceptive
act or practice, and would give the FCC concurrent jurisdiction
with the FTC in that respect to enforce the illegal acquisition
provisions of the bill. The bill would provide that venue for
any action shall be in the place of business of the service
provider rather than the bad actor. It would preempt State laws
regulating the treatment of CPNI by telecommunications carriers
and IP-enabled voice service providers except those of general
applicability, tort or contract law, and other fraud or
computer crime laws. It also would require the FTC and the FCC
to jointly establish and implement a public education campaign.
Legislative History
The Protecting Consumer Phone Records Act was introduced by
Senator Allen on March 8, 2006, and is cosponsored by Senators
Stevens, Inouye, Burns, Dorgan, Hutchison, Bill Nelson, Pryor,
Vitter, Coleman, Martinez, Santorum, Talent, Thune, and Warner.
On Wednesday, February 8, 2006, the Subcommittee on Consumer
Affairs, Product Safety, and Insurance held a hearing to
examine privacy implications arising from the distribution of
personal phone records without a customer's prior
authorization. The subsequent sale of these phone records over
the Internet by third party data brokers/website operators was
the focus of the hearing. The Subcommittee heard testimony on
available methods for preventing third parties from obtaining
consumers' phone records without consent.
On March 30, 2006, the Committee held an Executive Session
during which S. 2389 was considered. Chairman Stevens and
Senator Inouye offered an amendment in the nature of a
substitute that would clarify that consent to acquire phone
records may be granted electronically; clarify that the general
prohibitions against the acquisition, use or sale of CPNI do
not extend to the current business practices by voice providers
(including IP-enabled voice service providers), or third
parties that lawfully obtain CPNI from a carrier or provider
that are not prohibited by section 222; and maintain the status
quo with respect to the acquisition and use of CPNI for law
enforcement, homeland security, or similar purposes already
authorized by law. The substitute amendment was adopted by
voice vote.
An amendment to the substitute was offered by Senators
Stevens and Burns that would expand the group of entities that
may carry out State enforcement to include State Public Utility
Commissions or other State agencies in States, which have
delegated enforcement of such matters to such officials. The
amendment to the substitute was adopted by voice vote.
Senator Boxer offered an amendment to the substitute that
would preclude wireless telephone companies from including
customer numbers in any wireless directory assistance database
without providing prior notice to customers of their right not
to be listed and without obtaining express prior authorization
from the customer to include his or her number in such
database. The amendment also would prohibit wireless companies
from charging customers for the removal of their number from a
wireless directory and would preempt inconsistent State and
local laws. The amendment to the substitute was adopted by
voice vote.
Senator Pryor offered an amendment to the substitute that
would allow a consumer harmed by a violation of section 2 to
bring a civil action in a Federal district court or other court
of competent jurisdiction against the person who caused the
harm. The consumer would be able to obtain damages of up to
$11,000 per violation or treble damages if it is proven that
the defendant knowingly or willfully violated section 2 of this
bill. The Court would be permitted to assess against any party
the costs of such an action, including reasonable attorney's
fees. Although the Committee has not recently adopted a private
right of action in other consumer legislation, the amendment
was offered in this case because of the special type of
physical and psychological harm that potentially could be
caused if a consumer's CPNI is inappropriately obtained and
used. Senator Pryor's amendment was adopted by a rollcall vote
of 11 to 10 (Senator Rockefeller was recorded as necessarily
absent).
The Committee, without objection, ordered that S. 2389 be
reported with amendments.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
May 8, 2006.
Hon. Ted Stevens,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2389, the Protecting
Consumer Phone Records Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Melissa Z.
Petersen (for federal costs), Sarah Puro (for the impact on
state, local, and tribal governments), and Fatimot Ladipo (for
the impact on the private sector).
Sincerely,
Donald B. Marron,
Acting Director.
Enclosure.
S. 2389--Protecting Consumer Phone Records Act
Summary: S. 2389 would prohibit obtaining or selling the
personal information of telecommunications customers--including
phone records--without the consumer's consent. The bill also
would require telecommunications carriers to take precautions
to safeguard customers' personal information and to notify
customers whenever there is a breach in the security of this
information. Under S. 2389, the Federal Communications
Commission (FCC) and the Federal Trade Commission (FTC) would
enforce restrictions and requirements related to the security
of this information, including assessing and collecting civil
penalties for violations of the bill's provisions. Finally, the
FCC and the FTC would conduct an outreach campaign to inform
consumers of the security issues involving telecommunications
information. Assuming appropriation of the necessary amounts,
CBO estimates that implementing the bill would cost less than
$500,000 in 2006 and about $10 million over the 2007-2011
period.
Enacting S. 2389 could increase federal revenues and direct
spending as a result of the collection of additional civil,
criminal, and forfeiture penalties assessed for violations of
the new laws and regulations. Collections of civil penalties
and forfeiture penalties are recorded in the budget as
revenues. Collections of criminal penalties are recorded in the
budget as revenues, deposited in the Crime Victims Fund, and
later spent. CBO estimates, however, that any additional
revenues and direct spending that would result from enacting
the bill would not be significant because of the relatively
small number of cases likely to be involved.
S. 2389 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates
costs to state, local, and tribal governments, if any, would be
small and would not exceed the threshold established in UMRA
($64 million in 2006, adjusted annually for inflation).
S. 2389 would impose new private-sector mandates, as
defined in UMRA, on telecommunications carriers and providers
of Internet protocol (IP)-enabled voice service. The bill would
require the FCC to prescribe more stringent confidentiality
requirements for customer proprietary network information and
require telecommunications carriers and IP-enabled voice
service providers to certify on an annual basis that they are
in compliance with those regulations. Additionally, the bill
would require such providers to notify customers on a timely
basis if their customer information has been disclosed, and
prohibit wireless telephone providers from listing subscribers'
numbers in any directory assistance database or written
directory without prior authorization. The costs of several
mandates depend on regulations that have not been established;
therefore, CBO cannot determine whether the costs of the
mandates in the bill would exceed the annual threshold for
private-sector mandates ($128 million in 2006, adjusted
annually for inflation).
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 2389 is shown in the following table.
The costs of this legislation fall within budget function 370
(commerce and housing credit). For this estimate, CBO assumes
that the bill will be enacted in 2006 and that the necessary
amounts will be appropriated for each year. Based on
information from the FTC and the FCC, CBO estimates that
implementing the bill would cost each agency less than $250,000
in 2006 and about $5 million over the 2007-2011 period. In
total, CBO estimates that implementing the bill would cost less
than $500,000 in 2006 and about $10 million over the 2007-2011
period for the FCC and the FTC to enforce the bill's provisions
regarding the personal information of telecommunications
customers.
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
-----------------------------------------------------------
2006 2007 2008 2009 2010 2011
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level....................... * 2 2 2 2 2
Estimated Outlays................................... * 2 2 2 2 2
----------------------------------------------------------------------------------------------------------------
Note: *=Less than $500,000.
Estimated impact on State, local, and tribal governments:
Provisions in section 7 would require State Attorneys General
to notify the FTC and the FCC of any action taken under the
bill, allow either federal agency to intervene in those
actions, and limit the actions that Attorneys General may take
in certain circumstances. Also, provisions in sections 4 and 8
would preempt state laws regarding the protection and
disclosure of certain phone records. Those provisions
constitute intergovernmental mandates as defined in UMRA. CBO
estimates that the aggregate costs, if any, to state, local,
and tribal governments of complying with the mandates in the
bill would be small and would not exceed the threshold
established in UMRA ($64 million in 2006, adjusted for
inflation).
Estimated impact on the private sector: S. 2389 would
impose new private-sector mandates, as defined in UMRA, on
telecommunications carriers and IP-enabled voice service
providers. As the cost of many of the provisions in the bill
depend on the rules to be prescribed by the FCC, CBO cannot
determine whether the costs of the mandates in the bill would
exceed the annual threshold for private-sector mandates ($128
million in 2006, adjusted annually for inflation).
Section 3 of the bill would require the FCC to prescribe
regulations adopting more stringent confidentiality procedures
for protecting customer proprietary network information. The
FCC regulations would require telecommunications carriers and
IP-enabled voice service providers to:
Protect the security and confidentiality of
customer proprietary network information;
Certify annually that they are in compliance
with the current FCC regulations on protecting customer
proprietary information; and
Notify a customer within 14 days if their
information was disclosed in violation of FCC
regulations.
According to government sources, some of the requirements
are currently practiced by the telecommunications industry. In
addition, according to industry sources the direct cost for
carriers to comply with these new notification requirements
would be nominal. The cost of providing such additional
security would depend on the rules to be prescribed by the FCC.
Since the regulations have not been established, CBO cannot
estimate the direct cost to comply with those mandates.
Additionally, the bill would prohibit wireless
communications providers from including their customers'
wireless phone numbers in any wireless directory assistance
service database or written directory without prior
authorization. According to industry sources, wireless
communications providers have not made this service available,
however, some carriers may be exploring this service for their
business subscribers. Those carriers have indicated that the
cost of complying with this mandate would be small.
Previous CBO estimates: On March 15, 2006, CBO transmitted
a cost estimate for H.R. 4943, the Prevention of Fraudulent
Access to Phone Records Act, as ordered reported by the House
Committee on Energy and Commerce on March 8, 2006. The two
bills contain similar provisions related to the security of the
personal information of telecommunications customers. CBO
estimates that both bills would have similar costs for the FCC,
but that S. 2389 would have slightly higher costs for the FTC
to enforce the new laws and regulations and to conduct the
media campaign in conjunction with the FCC.
H.R. 4943 is similar in scope to S. 2389 but does not
contain any preemptions of state and local laws. The
intergovernmental mandates statements reflect that difference.
The private-sector mandates contained in H.R. 4943 are very
similar to some of the mandates in S. 2389. Both bills require
telecommunications carriers to increase the protection of
customer proprietary network information, provide timely notice
to each customer upon breach of customer proprietary network
information. Because the cost of mandates in both bills depends
on rules to be prescribed by the FCC, CBO could not determine
whether those costs would exceed UMRA's annual threshold for
private-sector mandates.
Estimate prepared by: Federal Costs: Melissa Z. Petersen;
Impact on State, Local, and Tribal governments: Sarah Puro;
Impact on the Private Sector: Fatimot Ladipo.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
The FCC may issue regulations to implement the requirement
set forth in the reported bill that it be illegal to acquire,
use, sell, or solicit a person's confidential phone records
without that person's consent. The reported bill also would
require the FCC to promulgate rules to the extent it determines
necessary, to require regulated entities to enhance their
procedures for protecting consumer records and ensure that its
rules regarding the security of confidential phone records are
consistent with those protections adopted under GLBA, taking
into account the differences between financial information and
CPNI. The FCC would be required to develop regulations to
implement these requirement, so individuals or businesses that
handle relevant consumer records subject to the legislation
would become subject to new or modified regulations.
ECONOMIC IMPACT
S. 2389 would not have an adverse economic impact on the
nation's economy. The Act would require that the FCC impose
additional safeguards and procedures on phone companies if they
are determined to be necessary.
PRIVACY
The reported bill would enhance the personal privacy of U.S.
citizens.
PAPERWORK
The reported bill should not increase paperwork requirements
significantly for individuals and businesses.
Section-by-Section Analysis
Section 1. Short title; Table of contents
This section sets forth the short title ``Protecting Consumer
Phone Records Act'' and the table of contents.
Section 2. Unauthorized acquisition, use, or sale of confidential
customer proprietary network telephone information
Subsection (a) would make it unlawful for any person to
acquire, use, or sell another person's customer proprietary
network information or CPNI, which is already defined in
section 222(i)(1) of the 1934 Act and includes phone records
and certain other information made available to carriers based
on the customer's use of the service, without that person's
affirmative written consent (which may be given
electronically). This subsection would outlaw the sale of CPNI
and specifically would outlaw misrepresenting that a person has
given authorization to another person to obtain their phone
records, often referred to as pretexting.
Subsection (b) would ensure that prohibitions under
subsection 2(a) do not apply to legitimate business practices
currently not prohibited by section 222 of the 1934 Act. This
subsection would preserve law enforcement's ability to obtain
phone records, require that IP-enabled voice service providers
be treated like telecommunications carriers for purposes of
section 2 of this bill, and clarify continued legality of using
caller ID to identify calls received. Nothing in subsection
2(b)(4) prohibits the use of caller identification services to
identify the originator of telephone calls or requirements
enabling a person to conceal their telephone number from caller
ID devices and services. In addition, the Committee is aware
that under current law telecommunications carriers and IP-
enabled voice service providers engage third parties in
activities that involve CPNI in the normal course of business.
For instance, a carrier or provider might contract out its
billing functions, which necessarily involves CPNI, or may
allow a company that is considering purchasing it to review its
books and assets, including CPNI. In other examples, aggregate
data containing phone numbers may be provided to third parties
in a secure manner. Under each of these sharing scenarios,
third parties agree via contract to be bound in their handling
of such data by the laws applicable to carriers handling and
use of such information. In still other cases, call data may be
shared in connection with the provision of in-vehicle emergency
communications in order to provide emergency services to
consumers. Thus, to the extent that certain disclosures of CPNI
data are permitted under current law, the Committee does not
intend that anything in this Act would change the
permissiveness of such practices. The Committee drafted the
exception for legitimate business practices in subsection 2(b)
with the intent of preserving such business practices that
currently are not prohibited under section 222 of the 1934 Act
or under the FCC's rules. The Committee does not intend for the
exception to extend beyond normal business practices related to
provisioning voice service. For instance, acquiring CPNI from
another carrier in violation of section 2 is not intended to be
covered by this exception.
Subsection (c) would allow phone companies to initiate a
private right of action against data brokers or others who
illegally acquire, use, sell, or solicit phone records. This
subsection would boost enforcement because a carrier may be in
a better position than consumers to figure out who is obtaining
this information and also may have more resources to litigate
such claims. Similar authority has been helpful with respect to
enforcing the anti-spam law. This subsection would provide for
treble damages and for inflation adjustment.
Subsection (d) would allow a consumer who was harmed by a
violation of section 2 to bring a civil action in a Federal
district court or other court of competent jurisdiction, but
would not allow a consumer to bring a civil action against a
telecommunications carrier. The consumer would be able to
obtain damages of up to $11,000 per violation or treble damages
if the defendant is proved to have knowingly or willfully
violated section 2. The district court would be permitted to
assess against any party the costs of such an action, including
reasonable attorney's fees.
Subsection (e) would provide for civil penalty of $11,000 for
each violation or each day of a continuing violation, but caps
penalty for single act or failure to act at $11,000,000.
Subsection (f) would clarify that nothing under this Act or
section 222 of the 1934 Act authorizes a customer to bring a
private right of action against a telecommunications carrier or
an IP-enabled voice service provider.
Subsection (g) would provide definitions for the terms
``Customer Proprietary Network Information,'' ``IP-enabled
voice service,'' and ``Telecommunications Carrier.''
Section 3. Enhanced confidentiality procedures
Subsection (a) would require the FCC to review its
regulations and revise them, if necessary, to ensure that the
regulations meet the three directives set forth in GLBA for
financial institutions. To the extent the FCC revises its
regulations, the Commission is directed to adopt rules similar
in scope and structure to the regulations adopted by the FTC
pursuant to GLBA. This is intended to help standardize industry
practices for protecting consumer information.
Subsection (b) would require phone companies to annually
certify that such carriers are in compliance with section 222
of the 1934 Act, as well as any regulations issued pursuant to
this section.
Section 4. Penalties; Extension of confidentiality requirements to
other entities
Subsection (a) would establish a $30,000 penalty per
violation for any person found to have violated section 2 of
this Act, with a limit of $90,000 per day for any continuing
violation, and a cap of $3 million for any single act or
failure to act. This section also would add additional criminal
penalties under the 1934 Act of $30,000 per violation or
$90,000 per day for any continuing violation.
Subsection (b) would extend FCC's phone record and CPNI rules
to IP-enabled voice services. As a result, all wireline,
wireless and IP based phone companies would be covered by
comparable rights and obligations.
Subsection (c) would define IP-enabled voice service. The
Committee notes that the definition of IP-enabled voice service
provider is different in this bill than the definition used in
the context of 911 calls over IP-enabled voice services. This
bill would propose a definition that would capture one-way
services that only allow calls to or from the public switched
telephone network. In the context of 911, the Committee
believed that consumers who purchase a voice service with
limited capabilities and features would not necessarily expect
to be able to call 911, so the definition in that context only
included two-way services. However, the Committee believes that
consumers still would have an expectation of privacy relative
to the records of any phone calls they make or receive even in
connection with a one-way service.
Subsection (d) would require telecommunications carriers and
IP-enabled voice service providers to notify customers within
14 calendar days if they realize that the customers information
has been provided to unauthorized third parties. This section
also would provide an exception for delay consistent with law
enforcement or homeland security determinations.
Subsection (e) would provide for a two-year statute of
limitations for FCC enforcement under title V of the 1934 Act.
Subsection (f) would exempt cable VOIP service from the
privacy requirements of title VI to the extent such service is
covered by the Protecting Consumer Phone Records Act to provide
competitive neutrality and to prevent conflicting regulatory
requirements.
Subsection (g) prohibits commercial mobile service providers
from including the wireless telephone number information of any
customer in a wireless directory assistance service database
unless the provider first provides notice to the customer of
the right not to be listed, and then obtains separate, express
authorization from the customer to be included in the directory
upon request on a cost-free basis. Finally, this subsection
preempts any State or local laws that are inconsistent with its
requirements.
Section 5. Enforcement by the FTC
This section would provide authority for FTC enforcement of
section 2 of the Protecting Consumer Phone Records Act as if a
violation of that section were a violation of the FTC Act.
Section 6. Concurrent enforcement by the FCC
This section would give the FCC concurrent jurisdiction with
the FTC to enforce section 2, and would provide that for
enforcement purposes a violation of section 2 would be deemed a
violation of the 1934 Act.
Section 7. Enforcement by States
Subsection 7(a) would allow States to sue in Federal district
court to enforce section 2 or to impose civil penalties if
State has reason to believe its citizens are threatened or
adversely affected.
Subsection 7(b) would require that before initiating a civil
action under subsection 7(a), a State must serve written notice
on the FTC and the FCC.
Subsection 7(c) would allow the FTC and the FCC to intervene
in a civil action under subsection 7(a) and to be heard on all
matters therein and to file petitions for appeal of a decision
in such civil action.
Subsection 7(d) would clarify that subsection 7(a) would not
prevent a State from conducting investigations or administering
oaths or affirmations, or compelling the attendance of
witnesses or the production of documentary and other evidence.
Subsection 7(e) would provide that venue for an action
brought under subsection 7(a) lies in Federal district court
pursuant to 28 U.S.C. 1391, and that process may be served
without regard to territorial limits of the district or State
where the action is instituted. Subsection 7(e) also would
provide that a person who participated in an alleged violation
may be joined in the civil action without regard to the
residence of that person.
Subsection 7(f) would provide that if either the FTC or the
FCC has instituted a proceeding for violation of section 2, the
State in which the violation has occurred may not bring an
action under section 2 against the same alleged violator during
pendency of such proceeding.
Section 8. Preemption of State law
Section 8 would provide that sections 2 and any regulations
prescribed pursuant to section 3 of this bill and section 222
of the 1934 Act shall preempt (1) any State or local statute,
regulation or rule that requires a telecommunications carrier
or provider of IP-enabled voice service to develop, implement,
maintain, or restrict customer proprietary network information
or other individually identifiable customer information held by
that telecommunications carrier or provider of IP-enabled voice
service, and (2) any such statute, regulation, or rule, or
judicial precedent of any State court under which liability is
imposed on a telecommunications carrier or provider of IP-
enabled voice service for failure to comply with the
requirements of section 2 or 3 of this Act, or section 222 of
the 1934 Act. The Committee intends that Federal preemption
under this section will extend to State laws that are
inconsistent with the provisions of sections 2 or 3 of this Act
and section 222 of the 1934 Act.
Section 9. Consumer outreach and education
Section 9 would require that within 180 days after the date
of enactment of this Act, the FTC and the FCC shall jointly
establish and implement a campaign to educate the public about
the protection afforded under this Act as well as under the FTC
Act and the 1934 Act. Subsection 9(b) would require such public
education campaign to inform the public about the theft and
misuse of customer proprietary network information, methods to
protect such information, and Federal prevention and
enforcement efforts. In carrying out this education
requirement, the FTC and FCC must explore the use of various
distribution platforms.
Rollcall Votes in Committee
Senator Pryor offered an amendment to the substitute that
would allow a consumer who was harmed by a violation of section
2 to bring a civil action in a Federal district court or other
court of competent jurisdiction. By a rollcall vote of 11 yeas
and 10 nays as follows (Senator Rockefeller was recorded as
necessarily absent), the amendment was adopted.
YEAS--11 NAYS--10
Ms. Snowe Mr. McCain \1\
Mr. Smith Mr. Burns \1\
Mr. Inouye Mr. Lott
Mr. Kerry \1\ Mrs. Hutchison \1\
Mr. Dorgan\1\ Mr. Ensign\1\
Mrs. Boxer Mr. Allen
Mr. Nelson of Florida \1\ Mr. Sununu
Ms. Cantwell Mr. DeMint \1\
Mr. Lautenberg Mr. Vitter\1\
Mr. Nelson of Nebraska\1\ Mr. Stevens
Mr. Pryor
\1\By proxy
ADDITIONAL VIEWS OF SENATOR PRYOR
PRIVATE RIGHT OF ACTION FOR CONSUMERS
As the Committee considered the difficult issue of protecting
consumers' private phone records, I felt that it was extremely
important that consumers be given the tools they need to
protect themselves from fraudulent and unscrupulous behavior.
In this legislation, we have provided a litany of enforcement
protections for consumers-including enforcement by the Federal
Trade Commission, Federal Communications Commission, and State
Attorneys General. I believe that these enforcement protections
are valuable and necessary to helping end the practice of
fraudulently obtaining and selling consumers' phone records
without authorization from the consumer. I support them
wholeheartedly. However, these enforcement protections do not
provide any recourse for the consumer-the person or persons
most likely to be harmed by unauthorized disclosures of phone
records. Furthermore, FTC, FCC, and State Attorney General
enforcement actions do not provide adequate protections for
those whose phone records are used for stalking and domestic
violence. For this reason, I offered an amendment to the
committee bill that would authorize consumers who have been
harmed by a person fraudulently obtaining or selling their
phone records to file suit against the person who caused the
harm through a violation of this act.
The Committee also did adopt, as a part of this legislation,
a providers' private right of action. Other recent consumer
protection legislation has not included a consumers' private
right of action. The inclusion of this amendment in this
legislation does not lead me to believe that the committee will
include a consumer private right of action in every
circumstance. In the SPAM legislation, the committee provided
Internet service providers a right of action. In S. 1408, the
Identity Theft Protection Act, there is no consumer or provider
private right of action. I believe that the exclusions of
private rights of action in these pieces of legislation are not
a good reason to exclude a consumer private right of action in
this case. In both cases of identity theft and SPAM, the nature
of the harm caused and the entity causing the harm are
fundamentally different than is the case with phone records.
Harm caused by SPAM is at worst an inconvenience, and
legitimate businesses could have a breach due to an honest
mistake in the case of identity theft. In those instances, we
have not allowed consumers to sue businesses performing
legitimate business practices. In the case of phone records,
the nature of the harm that can be caused is dramatically
different than in SPAM or identity theft because the harm can
be physical-it can literally endanger someone's life.
Individuals, rogue Internet operators, and fraudsters are
deliberately trying to cause harm, and as the committee heard
in testimony, this harm can sometimes lead to death. Because of
the special type of harm that can be caused by an unauthorized
disclosure of phone records, I believe a consumer private right
of action is a needed additional protection for consumers.
Several of my colleagues are concerned that the inclusion of
this amendment will create a precedent for future committee
consumer protection legislation. I believe that any future
consideration of a private right of action for consumers should
be done on a case by case basis. In this case of protecting
phone records, I felt that a consumer private right of action
was a common sense improvement to the bill, and a majority of
my colleagues agreed. I don't expect my colleagues to always
agree that this is an additional needed protection.
The purpose of this legislation is to protect consumers'
phone records. They are the ones most likely to be harmed
through an unauthorized release of their phone records, and
they have as much of a legally protectable interest as their
providers. The intention of my amendment is to provide recourse
for consumers who might not have any other place to go for
help, especially in the case of domestic violence. I feel they
should be allowed to pursue action, independent of the
government, against the criminals who intentionally steal their
information with the intent to cause harm. The unauthorized
disclosure, sale, or use of consumers' phone records are
practices we are trying to eliminate through this legislation.
I believe that more enforcement is always preferable to less
enforcement. My amendment is an attempt to make this bill
stronger for consumers.
Changes in Existing Law
SEC. 222. PRIVACY OF CUSTOMER INFORMATION.
[47 U.S.C. 222]
(a) In General.--Every telecommunications carrier or IP-
enabled voice service provider has a duty to protect the
confidentiality of proprietary information of, and relating to,
other [telecommunication carriers] telecommunications carriers
or IP-enabled voice service providers, equipment manufacturers,
and customers, including [telecommunication carriers]
telecommunications carriers or IP-enabled voice service
providers reselling telecommunications services provided by a
telecommunications carrier or IP-enabled voice service
provider.
(b) Confidentiality of Carrier and IP-enabled Voice Service
Provider Information.--A telecommunications carrier or IP-
enabled voice service provider that receives or obtains
proprietary information from another carrier for purposes of
providing any telecommunications service shall use such
information only for such purpose, and shall not use such
information for its own marketing efforts.
(c) Confidentiality of Customer Proprietary Network
Information.--
(1) Privacy requirements for telecommunications
carriers and ip-enabled voice service providers.--
Except as required by law or with the approval of the
customer, a telecommunications carrier or IP-enabled
voice service provider that receives or obtains
customer proprietary network information by virtue of
its provision of a telecommunications service shall
only use, disclose, or permit access to individually
identifiable customer proprietary network information
in its provision of (A) the telecommunications service
from which such information is derived, or (B) services
necessary to, or used in, the provision of such
telecommunications service, including the publishing of
directories.
(2) Disclosure on request by customers.--A
telecommunications carrier or IP-enabled voice service
provider shall disclose customer proprietary network
information, upon affirmative written request by the
customer, to any person designated by the customer.
(3) Aggregate customer information.--A
telecommunications carrier or IP-enabled voice service
provider that receives or obtains customer proprietary
network information by virtue of its provision of a
telecommunications service may use, disclose, or permit
access to aggregate customer information other than for
the purposes described in paragraph (1). A local
exchange carrier may use, disclose, or permit access to
aggregate customer information other than for purposes
described in paragraph (1) only if it provides such
aggregate information to other carriers or persons on
reasonable and nondiscriminatory terms and conditions
upon reasonable request therefor.
(d) Exceptions.--Nothing in this section prohibits a
telecommunications carrier or IP-enabled voice service provider
from using, disclosing, or permitting access to customer
proprietary network information obtained from its customers,
either directly or indirectly through its agents--
(1) to initiate, render, bill, and collect for
telecommunications services;
(2) to protect the rights or property of the carrier
or provider, or to protect users of those services and
other carriers or providers from fraudulent, abusive,
or unlawful use of, or subscription to, such services;
(3) to provide any inbound telemarketing, referral,
or administrative services to the customer for the
duration of the call, if such call was initiated by the
customer and the customer approves of the use of such
information to provide such service; and
(4) to provide call location information concerning
the user of a commercial mobile service (as such term
is defined in section 332(d))--
(A) to a public safety answering point,
emergency medical service provider or emergency
dispatch provider, public safety, fire service,
or law enforcement official, or hospital
emergency or trauma care facility, in order to
respond to the user's call for emergency
services;
(B) to inform the user's legal guardian or
members of the user's immediate family of the
user's location in an emergency situation that
involves the risk of death or serious physical
harm; or
(C) to providers of information or database
management services solely for purposes of
assisting in the delivery of emergency services
in response to an emergency.
(e) Subscriber List Information.--Notwithstanding subsections
(b), (c), and (d), a telecommunications carrier that provides
telephone exchange service shall provide subscriber list
information gathered in its capacity as a provider of such
service on a timely and unbundled basis, under
nondiscriminatory and reasonable rates, terms, and conditions,
to any person upon request for the purpose of publishing
directories in any format.
(f) Authority To Use Wireless Location Information.--For
purposes of subsection (c)(1), without the express prior
authorization of the customer, a customer shall not be
considered to have approved the use or disclosure of or access
to--
(1) call location information concerning the user of
a commercial mobile service (as such term is defined in
section 332(d)), other than in accordance with
subsection (d)(4); or
(2) automatic crash notification information to any
person other than for use in the operation of an
automatic crash notification system.
(g) Subscriber Listed and Unlisted Information for Emergency
Services.--Notwithstanding subsections (b), (c), and (d), a
telecommunications carrier that provides telephone exchange
service or IP-enabled voice service provider shall provide
information described in subsection (i)(3)(A) (including
information pertaining to subscribers whose information is
unlisted or unpublished) that is in its possession or control
(including information pertaining to subscribers of other
carriers) on a timely and unbundled basis, under
nondiscriminatory and reasonable rates, terms, and conditions
to providers of emergency services, and providers of emergency
support services, solely for purposes of delivering or
assisting in the delivery of emergency services.
(h) Notice of Violations.--
(1) In general.--The Commission shall by regulation
require each telecommunications carrier or IP-enabled
voice service provider to notify a customer within 14
calendar days after the carrier or provider is notified
of, or becomes aware of, an incident in which customer
proprietary network information relating to such
customer was disclosed to someone other than the
customer in violation of this section or section 2 of
the Protecting Consumer Phone Records Act.
(2) Law enforcement and homeland security related
delays.--Notwithstanding paragraph (1), a
telecommunications carrier or IP-enabled voice service
provider may delay the required notification for a
reasonable period of time if--
(A) a Federal or State law enforcement agency
determines that giving notice within the 14-day
period would materially impede a civil or
criminal investigation; or
(B) a Federal national security agency or the
Department of Homeland Security determines that
giving notice within the 14-day period would
threaten national or homeland security.
[(h)] (i) Definitions.--As used in this section:
(1) Customer proprietary network information.--The
term ``customer proprietary network information''
means--
(A) information that relates to the quantity,
technical configuration, type, destination,
location, and amount of use of a
telecommunications service or IP-enabled voice
service subscribed to by any customer of a
telecommunications carrier or IP-enabled voice
service provider, and that is made available to
the carrier or provider by the customer solely
by virtue of the carrier-customer or provider-
customer relationship; and
(B) information contained in the bills
pertaining to [telephone exchange service or
telephone toll service] telephone exchange
service, telephone toll service, or IP-enabled
voice service received by a customer of a
carrier or provider;
except that such term does not include subscriber list
[information.] information nor does it include
information that is related to non-voice service
features bundled with IP-enabled voice service.
(2) Aggregate information.--The term ``aggregate
customer information'' means collective data that
relates to a group or category of services or
customers, from which individual customer identities
and characteristics have been removed.
(3) Subscriber list information.--The term
``subscriber list information'' means any information--
(A) identifying the listed names of
subscribers of a carrier or provider and such
subscribers' telephone numbers, addresses, or
primary advertising classifications (as such
classifications are assigned at the time of the
establishment of such service), or any
combination of such listed names, numbers,
addresses, or classifications; and
(B) that the carrier or provider or an
affiliate has published, caused to be
published, or accepted for publication in any
directory format.
(4) Public safety answering point.--The term ``public
safety answering point'' means a facility that has been
designated to receive emergency calls and route them to
emergency service personnel.
(5) Emergency services.--The term ``emergency
services'' means 9-1-1 emergency services and emergency
notification services.
(6) Emergency notification services.--The term
``emergency notification services'' means services that
notify the public of an emergency.
(7) Emergency support services.--The term ``emergency
support services'' means information or data base
management services used in support of emergency
services.
(8) IP-enabled voice service.--The term ``IP-enabled
voice service'' means the provision of real-time 2-way
voice communications offered to the public, or such
classes of users as to be effectively available to the
public, transmitted through customer premises equipment
using TCP/IP protocol, or a successor protocol, for a
fee (whether part of a bundle of services or
separately) with interconnection capability such that
the service can originate traffic to, or terminate
traffic from, the public switched telephone network.
(j) Wireless Consumer Privacy Protection.--
(1) In general.--A provider of commercial mobile
services, or any direct or indirect affiliate or agent
of such a provider, may not include the wireless
telephone number information of any subscriber in any
wireless directory assistance service database unless
the mobile service provider--
(A) provides a conspicuous, separate notice
to the subscriber informing the subscriber of
the right not to be listed in any wireless
directory assistance service; and
(B) obtains express prior authorization for
listing from such subscriber, separate from any
authorization obtained to provide such
subscriber with commercial mobile service, or
any calling plan or service associated with
such commercial mobile service, and such
authorization has not been subsequently
withdrawn.
(2) Cost-free de-listing.--A provider of commercial
mobile services, or any direct or indirect affiliate or
agent of such a provider, shall remove the wireless
telephone number information of any subscriber from any
wireless directory assistance service database upon
request by that subscriber and without any cost to the
subscriber.
(3) Publication of directories prohibited.--A
provider of commercial mobile services, or any direct
or indirect affiliate or agent of such a provider, may
not publish, in printed, electronic, or other form, or
sell or otherwise disseminate, the contents of any
wireless directory assistance service database, or any
portion or segment thereof unless the mobile service
provider--
(A) provides a conspicuous, separate notice
to the subscriber informing the subscriber of
the right not to be listed; and
(B) obtains express prior authorization for
listing from such subscriber, separate from any
authorization obtained to provide such
subscriber with commercial mobile service, or
any calling plan or service associated with
such commercial mobile service, and such
authorization has not been subsequently
withdrawn.
(4) No consumer fee for retaining privacy.--A
provider of commercial mobile services may not charge
any subscriber for exercising any of the rights
described under this subsection.
(5) State and local laws pre-empted.--To the extent
that any State or local government imposes requirements
on providers of commercial mobile services, or any
direct or indirect affiliate or agent of such
providers, that are inconsistent with the requirements
of this subsection, this subsection preempts such State
or local requirements.
(6) Definitions.--In this subsection:
(A) Wireless telephone number information.--
The term ``wireless telephone number
information'' means the telephone number,
electronic address, and any other identifying
information by which a calling party may reach
a subscriber to commercial mobile services, and
which is assigned by a commercial mobile
service provider to such subscriber, and
includes the name and address of such
subscriber.
(B) Wireless directory assistance service.--
The term ``wireless directory assistance
service'' means any service for connecting
calling parties to a subscriber of commercial
mobile service when such calling parties
themselves do not possess the wireless
telephone number information of such
subscriber.
* * * * * * *
SEC. 503. FORFEITURES IN CASES OF REBATES AND OFFSETS.
[47 U.S.C. 503]
(a) Any person who shall deliver messages for interstate or
foreign transmission to any carrier, or for whom as sender or
receiver, any such carrier shall transmit any interstate or
foreign wire or radio communication, who shall knowingly by
employee, agent, officer, or otherwise, directly or indirectly,
by or through any means or device whatsoever, receive or accept
from such common carrier any sum of money or any other valuable
consideration as a rebate or offset against the regular charges
for transmission of such messages as fixed by the schedules of
charges provided for in this Act, shall in addition to any
other penalty provided by this Act forfeit to the United States
a sum of money three times the amount of money so received or
accepted and three times the value of any other consideration
so received or accepted, to be ascertained by the trial court;
and in the trial of said action all such rebates or other
considerations so received or accepted for a period of six
years prior to the commencement of the action, may be included
therein, and the amount recovered shall be three times the
total amount of money, or three times the total value of such
consideration, so received or accepted, or both, as the case
may be.
(b)(1) Any person who is determined by the Commission, in
accordance with paragraph (3) or (4) of this subsection, to
have--
(A) willfully or repeatedly failed to comply
substantially with the terms and conditions of any
license, permit, certificate, or other instrument or
authorization issued by the Commission;
(B) willfully or repeatedly failed to comply with any
of the provisions of this Act or of any rule,
regulation, or order issued by the Commission under
this Act or under any treaty, convention, or other
agreement to which the United States is a party and
which is binding upon the United States;
(C) violated any provision of section 317(c) or
508(a) of this Act; or
(D) violated any provision of section 1304, 1343, or
1464 of title 18, United States Code;
shall be liable to the United States for a forfeiture penalty.
A forfeiture penalty under this subsection shall be in addition
to any other penalty provided for by this Act; except that this
subsection shall not apply to any conduct which is subject to
forfeiture under title II, part II or III of title III, or
section 506 of this Act.
(2)(A) If the violator is (i) a broadcast station licensee or
permittee, (ii) a cable television operator, or (iii) an
applicant for any broadcast or cable television operator
license, permit, certificate, or other instrument or
authorization issued by the Commission, the amount of any
forfeiture penalty determined under this section shall not
exceed $25,000 for each violation or each day of a continuing
violation, except that the amount assessed for any continuing
violation shall not exceed a total of $250,000 for any single
act or failure to act described in paragraph (1) of this
subsection.
(B) If the violator is a common carrier subject to the
provisions of this Act or an applicant for any common carrier
license, permit, certificate, or other instrument of
authorization issued by the Commission, the amount of any
forfeiture penalty determined under this subsection shall not
exceed $100,000 for each violation or each day of a continuing
violation, except that the amount assessed for any continuing
violation shall not exceed a total of $1,000,000 for any single
act or failure to act described in paragraph (1) of this
subsection.
(C) In any case not covered in subparagraph (A) or (B), the
amount of any forfeiture penalty determined under this
subsection shall not exceed $10,000 for each violation or each
day of a continuing violation, except that the amount assessed
for any continuing violation shall not exceed a total of
$75,000 for any single act or failure to act described in
paragraph (1) of this subsection.
(D) The amount of such forfeiture penalty shall be assessed
by the Commission, or its designee, by written notice. In
determining the amount of such a forfeiture penalty, the
Commission or its designee shall take into account the nature,
circumstances, extent, and gravity of the violation and, with
respect to the violator, the degree of culpability, any history
of prior offenses, ability to pay, and such other matters as
justice may require.
(3)(A) At the discretion of the Commission, a forfeiture
penalty may be determined against a person under this
subsection after notice and an opportunity for a hearing before
the Commission or an administrative law judge thereof in
accordance with section 554 of title 5, United States Code. Any
person against whom a forfeiture penalty is determined under
this paragraph may obtain review thereof pursuant to section
402(a).
(B) If any person fails to pay an assessment of a forfeiture
penalty determined under subparagraph (A) of this paragraph,
after it has become a final and unappealable order or after the
appropriate court has entered final judgment in favor of the
Commission, the Commission shall refer the matter to the
Attorney General of the United States, who shall recover the
amount assessed in any appropriate district court of the United
States. In such action, the validity and appropriateness of the
final order imposing the forfeiture penalty shall not be
subject to review.
(4) Except as provided in paragraph (3) of this subsection,
no forfeiture penalty shall be imposed under this subsection
against any person unless and until--
(A) the Commission issues a notice of apparent
liability, in writing, with respect to such person;
(B) such notice has been received by such person, or
until the Commission has sent such notice to the last
known address of such person, by registered or
certified mail; and
(C) such person is granted an opportunity to show, in
writing, within such reasonable period of time as the
Commission prescribes by rule or regulation, why no
such forfeiture penalty should be imposed.
Such a notice shall (i) identify each specific provision, term,
and condition of any Act, rule, regulation, order, treaty,
convention, or other agreement, license, permit, certificate,
instrument, or authorization which such person apparently
violated or with which such person apparently failed to comply;
(ii) set forth the nature of the act or omission charged
against such person and the facts upon which such charge is
based; and (iii) state the date on which such conduct occurred.
Any forfeiture penalty determined under this paragraph shall be
recoverable pursuant to section 504(a) of this Act.
(5) No forfeiture liability shall be determined under this
subsection against any person, if such person does not hold a
license, permit, certificate, or other authorization issued by
the Commission, and if such person is not an applicant for a
license, permit, certificate, or other authorization issued by
the Commission, unless, prior to the notice required by
paragraph (3) of this subsection or the notice of apparent
liability required by paragraph (4) of this subsection, such
person (A) is sent a citation of the violation charged; (B) is
given a reasonable opportunity for a personal interview with an
official of the Commission, at the field office of the
Commission which is nearest to such person's place of
residence; and (C) subsequently engages in conduct of the type
described in such citation. The provisions of this paragraph
shall not apply, however, if the person involved is engaging in
activities for which a license, permit, certificate, or other
authorization is required, or is a cable television system
operator, if the person involved is transmitting on frequencies
assigned for use in a service in which individual station
operation is authorized by rule pursuant to section 307(e), or
in the case of violations of section 303(q), if the person
involved is a nonlicensee tower owner who has previously
received notice of the obligations imposed by section 303(q)
from the Commission or the permittee or licensee who uses that
tower. Whenever the requirements of this paragraph are
satisfied with respect to a paricular person, such person shall
not be entitled to receive any additional citation of the
violation charged, with respect to any conduct of the type
described in the citation sent under this paragraph.
(6) No forfeiture penalty shall be determined or imposed
against any person under this subsection if--
(A) such person holds a broadcast station license
issued under title III of this Act and if the violation
charged occurred--
(i) more than 1 year prior to the date of
issuance of the required notice or notice of
apparent liability; or
(ii) prior to the date of commencement of the
current term of such license,
whichever is earlier; or
[(B) such person does not hold a broadcast station
license issued under title III of this Act and if the
violation charged occurred more than 1 year prior to
the date of issuance of the required notice or notice
of apparent liability.]
(B) such person does not hold a broadcast
station license issued under title III of this
Act and--
(i) the person is charged with
violating section 222 and the violation
occurred more than 2 years prior to the
date of issuance of the required notice
or notice of apparent liability; or
(ii) the person is charged with
violating any other provision of this
Act and the violation occurred more
than 1 year prior to the date of
issuance of the required notice or
notice of apparent liability.
For purposes of this paragraph, ``date of commencement of the
current term of such license'' means the date of commencement
of the last term of license for which the licensee has been
granted a license by the Commission. A separate license term
shall not be deemed to have commenced as a result of continuing
a license in effect under section 307(c) pending decision on an
application for renewal of the license.
SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK
INFORMATION VIOLATIONS.
(a) Civil Forfeiture.--
(1) In general.--Any person determined by the
Commission, in accordance with paragraphs (3) and (4)
of section 503(b), to have violated section 2 of the
Protecting Consumer Phone Records Act shall be liable
to the United States for a forfeiture penalty. A
forfeiture penalty under this subsection shall be in
addition to any other penalty provided for by this Act.
The amount of the forfeiture penalty determined under
this subsection shall not exceed $30,000 for each
violation, or 3 times that amount for each day of a
continuing violation, except that the amount assessed
for any continuing violation shall not exceed a total
of $3,000,000 for any single act or failure to act.
(2) Recovery.--Any forfeiture penalty determined
under paragraph (1) shall be recoverable pursuant to
section 504(a) of this Act.
(3) Procedure.--No forfeiture liability shall be
determined under paragraph (1) against any person
unless such person receives the notice required by
section 503(b)(3) or section 503(b)(4) of this Act.
(4) 2-year statute of limitations.--No forfeiture
penalty shall be determined or imposed against any
person under paragraph (1) if the violation charged
occurred more than 2 years prior to the date of
issuance of the required notice or notice or apparent
liability.
(b) Criminal Fine.--Any person who willfully and knowingly
violates section 2 of the Protecting Consumer Phone Records Act
shall upon conviction thereof be fined not more than $30,000
for each violation, or 3 times that amount for each day of a
continuing violation, in lieu of the fine provided by section
501 for such a violation. This subsection does not supersede
the provisions of section 501 relating to imprisonment or the
imposition of a penalty of both fine and imprisonment.
* * * * * * *
PART IV--MISCELLANEOUS PROVISIONS
SEC. 631. PROTECTION OF SUBSCRIBER PRIVACY.
[47 U.S.C. 551]
(a)(1) At the time of entering into an agreement to provide
any cable service or other service to a subscriber and at least
once a year thereafter, a cable operator shall provide notice
in the form of a separate, written statement to such subscriber
which clearly and conspicuously informs the subscriber of--
(A) the nature of personally identifiable information
collected or to be collected with respect to the
subscriber and the nature of the use of such
information;
(B) the nature, frequency, and purpose of any
disclosure which may be made of such information,
including an identification of the types of persons to
whom the disclosure may be made;
(C) the period during which such information will be
maintained by the cable operator;
(D) the times and place at which the subscriber may
have access to such information in accordance with
subsection (d); and
(E) the limitations provided by this section with
respect to the collection and disclosure of information
by a cable operator and the right of the subscriber
under subsections (f) and (h) to enforce such
limitations.
In the case of subscribers who have entered into such an
agreement before the effective date of this section, such
notice shall be provided within 180 days of such date and at
least once a year thereafter.
(2) For purposes of this section, other than subsection (h)--
(A) the term ``personally identifiable information''
does not include any record of aggregate data which
does not identify particular persons;
(B) the term ``other service'' includes any wire or
radio communications service provided using any of the
facilities of a cable operator that are used in the
provision of cable service; and
(C) the term ``cable operator'' includes, in addition
to persons within the definition of cable operator in
section 602, any person who (i) is owned or controlled
by, or under common ownership or control with, a cable
operator, and (ii) provides any wire or radio
communications service.
(b)(1) Except as provided in paragraph (2), a cable operator
shall not use the cable system to collect personally
identifiable information concerning any subscriber without the
prior written or electronic consent of the subscriber
concerned.
(2) A cable operator may use the cable system to collect such
information in order to--
(A) obtain information necessary to render a cable
service or other service provided by the cable operator
to the subscriber; or
(B) detect unauthorized reception of cable
communications.
(c)(1) Except as provided in paragraph (2), a cable operator
shall not disclose personally identifiable information
concerning any subscriber without the prior written or
electronic consent of the subscriber concerned and shall take
such actions as are necessary to prevent unauthorized access to
such information by a person other than the subscriber or cable
operator.
(2) A cable operator may disclose such information if the
disclosure is--
(A) necessary to render, or conduct a legitimate
business activity related to, a cable service or other
service provided by the cable operator to the
subscriber;
(B) subject to subsection (h), made pursuant to a
court order authorizing such disclosure, if the
subscriber is notified of such order by the person to
whom the order is directed;
(C) a disclosure of the names and addresses of
subscribers to any cable service or other service, if--
(i) the cable operator has provided the
subscriber the opportunity to prohibit or limit
such disclosure, and
(ii) the disclosure does not reveal, directly
or indirectly, the--
(I) extent of any viewing or other
use by the subscriber of a cable
service or other service provided by
the cable operator, or
(II) the nature of any transaction
made by the subscriber over the cable
system of the cable operator; or
(D) to a government entity as authorized under
chapters 119, 121, or 206 of title 18, United States
Code, except that such disclosure shall not include
records revealing cable subscriber selection of video
programming from a cable operator.
(d) A cable subscriber shall be provided access to all
personally identifiable information regarding that subscriber
which is collected and maintained by a cable operator. Such
information shall be made available to the subscriber at
reasonable times and at a convenient place designated by such
cable operator. A cable subscriber shall be provided reasonable
opportunity to correct any error in such information.
(e) A cable operator shall destroy personally identifiable
information if the information is no longer necessary for the
purpose for which it was collected and there are no pending
requests or orders for access to such information under
subsection (d) or pursuant to a court order.
(f)(1) Any person aggrieved by any act of a cable operator in
violation of this section may bring a civil action in a United
States district court.
(2) The court may award--
(A) actual damages but not less than liquidated
damages computed at the rate of $100 a day for each day
of violation or $1,000, whichever is higher;
(B) punitive damages; and
(C) reasonable attorneys' fees and other litigation
costs reasonably incurred.
(3) The remedy provided by this section shall be in addition
to any other lawful remedy available to a cable subscriber.
(g) Nothing in this title shall be construed to prohibit any
State or any franchising authority from enacting or enforcing
laws consistent with this section for the protection of
subscriber privacy.
(h) Except as provided in subsection (c)(2)(D), a
governmental entity may obtain personally identifiable
information concerning a cable subscriber pursuant to a court
order only if, in the court proceeding relevant to such court
order--
(1) such entity offers clear and convincing evidence
that the subject of the information is reasonably
suspected of engaging in criminal activity and that the
information sought would be material evidence in the
case; and
(2) the subject of the information is afforded the
opportunity to appear and contest such entity's claim.
(i) Customer Proprietary Network Information.--This section
does not apply to customer proprietary network information (as
defined in section 222(i)(1) of this Act) as it relates to the
provision of IP-enabled voice service (as defined in section
222(i)(8) of this Act) by a cable operator to the extent that
section 222 of this Act and section 2 of the Protecting
Consumer Phone Records Act applies to such information.
�