[Senate Report 109-253]
[From the U.S. Government Publishing Office]

109th Congress, 2d Session
SENATE
Report 109-253

Calendar No. 425

PROTECTING CONSUMER PHONE RECORDS ACT

REPORT of the COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION on S. 2389 together with ADDITIONAL VIEWS

May 9, 2006.--Ordered to be printed

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Ninth Congress, Second Session

TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
GORDON H. SMITH, Oregon
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
JIM DeMINT, South Carolina
DAVID VITTER, Louisiana

DANIEL K. INOUYE, Hawaii, Co-Chairman
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
BYRON L. DORGAN, North Dakota
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK LAUTENBERG, New Jersey
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas

Lisa Sutherland, Staff Director
Christine Kurth, Deputy Staff Director
Kenneth Nahigian, Chief Counsel
Margaret Cummisky, Democratic Staff Director and Chief Counsel
Samuel Whitehorn, Democratic Deputy Staff Director and General Counsel

Mr. Stevens, from the Committee on Commerce, Science, and Transportation, submitted the following REPORT together with ADDITIONAL VIEWS [To accompany S. 2389]

The Committee on Commerce, Science, and Transportation, to which was referred the bill (S.
2389) to amend the Communications Act of 1934 to prohibit the unlawful acquisition and use of confidential customer proprietary network information, and for other purposes, having considered the same, reports favorably thereon with an amendment (in the nature of a substitute) and recommends that the bill (as amended) do pass.

Purpose of the Bill

The purpose of S. 2389 is to make it illegal to acquire, use, sell, or solicit a third party to unlawfully obtain a person's confidential phone records without that person's consent. The Federal Communications Commission (FCC) would be required to enhance the confidentiality procedures of telecommunications carriers and IP-enabled voice providers with access to such information to the extent existing protections are inconsistent with standards set forth in the Gramm-Leach-Bliley Act (P.L. 106-102) (GLBA). The bill also would provide the FCC and the Federal Trade Commission (FTC) with strengthened enforcement authority to ensure that confidential phone records are not accessible by bad actors. Under the bill, a carrier or an IP-enabled voice provider would be required to notify a customer if someone without authorization gains access to a customer's phone records. The bill's provisions would cover wireless, wireline, and IP telephone services. Furthermore, the bill would require the FCC and FTC to educate the public on various protections and enforcement efforts used to prevent unauthorized access of consumers' phone records.

Background and Needs

Personal phone records are confidential consumer information, but have recently become targets of data brokers who buy and sell customer phone records for a fee over the Internet. Data brokers sometimes use what is called ``pretexting,'' whereby a person impersonates a phone customer to obtain confidential customer phone records from a carrier. The broker then sells the records on a website to anyone willing to pay a small fee.
Certain websites, like ``www.locatecell.com,'' have offered for sale to the public a full cell phone record of a consumer's incoming and outgoing calls for $110.00. In a recent stunt by an online blogger, the cell phone records of former Presidential candidate, Wesley Clark, were purchased from ``www.celltolls.com'' for $89.95. The relative ease by which individuals can obtain and sell these records has led to public calls for government action to prevent such personal information from becoming public.

Investigations currently are underway by both the FCC and the FTC as to how phone records are being divulged to third party data brokers without a customer's consent. Several methods are possible, but the use of pretexting likely is a primary method through which phone records are obtained by impersonating the authorized user. Pretexting is made even easier if unauthorized third parties obtain personal information such as a customer's password, Social Security number, or identifying information that can be used to convince the carrier that release of the true customer's phone records is legitimate and appropriate. Other methods and means by which unauthorized third parties obtain and sell personal phone records in the public domain include hacking and compromised employees.

In addition to recent actions taken by Federal regulators against pretexters, the FCC also issued a Notice of Proposed Rulemaking in February to consider what additional steps, if any, should be taken by the Commission to further protect the confidentiality of customer proprietary network information (CPNI). Telecommunications carriers are already under an affirmative obligation to protect and safeguard a customer's proprietary information, and to refrain from distributing this information to a third party without the customer's consent or as permitted by law (e.g., emergency purposes, law enforcement purposes) (47 U.S.C. Sec. 222).
CPNI includes such data as quantity of phone calls by a customer, destination of the phone call, location, and amount of use of a telecommunications service. For example, if a customer purchases basic local telephone service, the local telephone company and its affiliates do not need the customer's approval to use CPNI to try to sell voice mail or caller ID services to the customer. The local telephone company, however, may not use or share CPNI with an affiliate to try to sell wireless service without the customer's approval, because wireless telephone service is a different category of service than local telephone service.

With such an affirmative obligation regime in place, the carrier must still be able to provide a customer with personal account information upon request. Carriers, therefore, are required to balance a customer's expectation of privacy that phone records remain closed to public inquiry, while concurrently providing a level of service that does not impede access for a customer in obtaining the customer's own information.

Currently, under rules adopted pursuant to GLBA, specific prohibitions on pretexting are limited to cases where pretexting is used to obtain financial records. Current law does not specifically outlaw pretexting for phone records. (15 U.S.C. Sec. 45(a) and Sec. 6801-09). The FTC has taken the position that it has the power to pursue actions against phone record pretexters based on its general authority to prevent deceptive and unfair business practices, but without this explicit ban, such practices may be more difficult to prosecute. Even if FTC's authority to pursue actions against pretexters of phone records is assumed, the Federal Trade Commission Act (FTC Act) does not authorize the immediate imposition of civil penalties against third party data brokers. An action filed in a Federal district court against the accused party would be the only way for the FTC to obtain injunctive or equitable relief.
Summary of Provisions

The bill, S. 2389, would make it illegal to acquire or use a person's phone records without that person's written consent; to acquire a person's phone records by misrepresenting that person's consent to such acquisition; to obtain unauthorized access to data; or to sell or solicit data that was or will be obtained without authorization. The bill would provide exceptions for phone companies using customer information for legitimate uses not currently prohibited by section 222 of the Communications Act. IP-enabled voice providers, which are not currently covered by law, would be specifically treated as phone companies for the purpose of allowing them to benefit from the same course of business exemption.

The bill would require the FCC to issue rules enhancing confidentiality procedures for phone companies or IP-enabled voice service providers to the extent the FCC determines that changes in its rules are necessary to bring confidentiality protections in line with these regulations adopted by the FTC under GLBA, taking into consideration the differences between financial information and CPNI. The bill would increase penalties and extend the FCC's statute of limitations under section 509 of the Communications Act from one year to two years. The bill also would extend phone record protection requirements under section 222 of the Communications Act of 1934 (1934 Act) to IP-enabled voice service providers. Within 14 calendar days of a breach, phone companies and IP-enabled service providers would be required to notify a customer whose records were improperly given out.

The bill also would provide for service provider enforcement as if the violations of the bill were an unfair or deceptive act or practice, and would give the FCC concurrent jurisdiction with the FTC in that respect to enforce the illegal acquisition provisions of the bill.
The bill would provide that venue for any action shall be in the place of business of the service provider rather than the bad actor. It would preempt State laws regulating the treatment of CPNI by telecommunications carriers and IP-enabled voice service providers except those of general applicability, tort or contract law, and other fraud or computer crime laws. It also would require the FTC and the FCC to jointly establish and implement a public education campaign.

Legislative History

The Protecting Consumer Phone Records Act was introduced by Senator Allen on March 8, 2006, and is cosponsored by Senators Stevens, Inouye, Burns, Dorgan, Hutchison, Bill Nelson, Pryor, Vitter, Coleman, Martinez, Santorum, Talent, Thune, and Warner.

On Wednesday, February 8, 2006, the Subcommittee on Consumer Affairs, Product Safety, and Insurance held a hearing to examine privacy implications arising from the distribution of personal phone records without a customer's prior authorization. The subsequent sale of these phone records over the Internet by third party data brokers/website operators was the focus of the hearing. The Subcommittee heard testimony on available methods for preventing third parties from obtaining consumers' phone records without consent.

On March 30, 2006, the Committee held an Executive Session during which S. 2389 was considered.
Chairman Stevens and Senator Inouye offered an amendment in the nature of a substitute that would clarify that consent to acquire phone records may be granted electronically; clarify that the general prohibitions against the acquisition, use or sale of CPNI do not extend to the current business practices by voice providers (including IP-enabled voice service providers), or third parties that lawfully obtain CPNI from a carrier or provider that are not prohibited by section 222; and maintain the status quo with respect to the acquisition and use of CPNI for law enforcement, homeland security, or similar purposes already authorized by law. The substitute amendment was adopted by voice vote. An amendment to the substitute was offered by Senators Stevens and Burns that would expand the group of entities that may carry out State enforcement to include State Public Utility Commissions or other State agencies in States, which have delegated enforcement of such matters to such officials. The amendment to the substitute was adopted by voice vote. Senator Boxer offered an amendment to the substitute that would preclude wireless telephone companies from including customer numbers in any wireless directory assistance database without providing prior notice to customers of their right not to be listed and without obtaining express prior authorization from the customer to include his or her number in such database. The amendment also would prohibit wireless companies from charging customers for the removal of their number from a wireless directory and would preempt inconsistent State and local laws. The amendment to the substitute was adopted by voice vote. Senator Pryor offered an amendment to the substitute that would allow a consumer harmed by a violation of section 2 to bring a civil action in a Federal district court or other court of competent jurisdiction against the person who caused the harm. 
The consumer would be able to obtain damages of up to $11,000 per violation or treble damages if it is proven that the defendant knowingly or willfully violated section 2 of this bill. The Court would be permitted to assess against any party the costs of such an action, including reasonable attorney's fees. Although the Committee has not recently adopted a private right of action in other consumer legislation, the amendment was offered in this case because of the special type of physical and psychological harm that potentially could be caused if a consumer's CPNI is inappropriately obtained and used. Senator Pryor's amendment was adopted by a rollcall vote of 11 to 10 (Senator Rockefeller was recorded as necessarily absent).

The Committee, without objection, ordered that S. 2389 be reported with amendments.

Estimated Costs

In accordance with paragraph 11(a) of rule XXVI of the Standing Rules of the Senate and section 403 of the Congressional Budget Act of 1974, the Committee provides the following cost estimate, prepared by the Congressional Budget Office:

May 8, 2006.
Hon. Ted Stevens,
Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 2389, the Protecting Consumer Phone Records Act.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Melissa Z. Petersen (for federal costs), Sarah Puro (for the impact on state, local, and tribal governments), and Fatimot Ladipo (for the impact on the private sector).

Sincerely,
Donald B. Marron, Acting Director.
Enclosure.

S. 2389--Protecting Consumer Phone Records Act

Summary: S. 2389 would prohibit obtaining or selling the personal information of telecommunications customers--including phone records--without the consumer's consent.
The bill also would require telecommunications carriers to take precautions to safeguard customers' personal information and to notify customers whenever there is a breach in the security of this information. Under S. 2389, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) would enforce restrictions and requirements related to the security of this information, including assessing and collecting civil penalties for violations of the bill's provisions. Finally, the FCC and the FTC would conduct an outreach campaign to inform consumers of the security issues involving telecommunications information. Assuming appropriation of the necessary amounts, CBO estimates that implementing the bill would cost less than $500,000 in 2006 and about $10 million over the 2007-2011 period. Enacting S. 2389 could increase federal revenues and direct spending as a result of the collection of additional civil, criminal, and forfeiture penalties assessed for violations of the new laws and regulations. Collections of civil penalties and forfeiture penalties are recorded in the budget as revenues. Collections of criminal penalties are recorded in the budget as revenues, deposited in the Crime Victims Fund, and later spent. CBO estimates, however, that any additional revenues and direct spending that would result from enacting the bill would not be significant because of the relatively small number of cases likely to be involved. S. 2389 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates costs to state, local, and tribal governments, if any, would be small and would not exceed the threshold established in UMRA ($64 million in 2006, adjusted annually for inflation). S. 2389 would impose new private-sector mandates, as defined in UMRA, on telecommunications carriers and providers of Internet protocol (IP)-enabled voice service. 
The bill would require the FCC to prescribe more stringent confidentiality requirements for customer proprietary network information and require telecommunications carriers and IP-enabled voice service providers to certify on an annual basis that they are in compliance with those regulations. Additionally, the bill would require such providers to notify customers on a timely basis if their customer information has been disclosed, and prohibit wireless telephone providers from listing subscribers' numbers in any directory assistance database or written directory without prior authorization. The costs of several mandates depend on regulations that have not been established; therefore, CBO cannot determine whether the costs of the mandates in the bill would exceed the annual threshold for private-sector mandates ($128 million in 2006, adjusted annually for inflation). Estimated cost to the Federal Government: The estimated budgetary impact of S. 2389 is shown in the following table. The costs of this legislation fall within budget function 370 (commerce and housing credit). For this estimate, CBO assumes that the bill will be enacted in 2006 and that the necessary amounts will be appropriated for each year. Based on information from the FTC and the FCC, CBO estimates that implementing the bill would cost each agency less than $250,000 in 2006 and about $5 million over the 2007-2011 period. In total, CBO estimates that implementing the bill would cost less than $500,000 in 2006 and about $10 million over the 2007-2011 period for the FCC and the FTC to enforce the bill's provisions regarding the personal information of telecommunications customers. 
----------------------------------------------------------------------
                                By fiscal year, in millions of dollars
                               ---------------------------------------
                                2006   2007   2008   2009   2010   2011
----------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level      *      2      2      2      2      2
Estimated Outlays                  *      2      2      2      2      2
----------------------------------------------------------------------
Note: * = Less than $500,000.

Estimated impact on State, local, and tribal governments: Provisions in section 7 would require State Attorneys General to notify the FTC and the FCC of any action taken under the bill, allow either federal agency to intervene in those actions, and limit the actions that Attorneys General may take in certain circumstances. Also, provisions in sections 4 and 8 would preempt state laws regarding the protection and disclosure of certain phone records. Those provisions constitute intergovernmental mandates as defined in UMRA. CBO estimates that the aggregate costs, if any, to state, local, and tribal governments of complying with the mandates in the bill would be small and would not exceed the threshold established in UMRA ($64 million in 2006, adjusted for inflation).

Estimated impact on the private sector: S. 2389 would impose new private-sector mandates, as defined in UMRA, on telecommunications carriers and IP-enabled voice service providers. As the cost of many of the provisions in the bill depends on the rules to be prescribed by the FCC, CBO cannot determine whether the costs of the mandates in the bill would exceed the annual threshold for private-sector mandates ($128 million in 2006, adjusted annually for inflation).
Section 3 of the bill would require the FCC to prescribe regulations adopting more stringent confidentiality procedures for protecting customer proprietary network information. The FCC regulations would require telecommunications carriers and IP-enabled voice service providers to:

Protect the security and confidentiality of customer proprietary network information;
Certify annually that they are in compliance with the current FCC regulations on protecting customer proprietary information; and
Notify a customer within 14 days if their information was disclosed in violation of FCC regulations.

According to government sources, some of the requirements are currently practiced by the telecommunications industry. In addition, according to industry sources the direct cost for carriers to comply with these new notification requirements would be nominal. The cost of providing such additional security would depend on the rules to be prescribed by the FCC. Since the regulations have not been established, CBO cannot estimate the direct cost to comply with those mandates.

Additionally, the bill would prohibit wireless communications providers from including their customers' wireless phone numbers in any wireless directory assistance service database or written directory without prior authorization. According to industry sources, wireless communications providers have not made this service available; however, some carriers may be exploring this service for their business subscribers. Those carriers have indicated that the cost of complying with this mandate would be small.

Previous CBO estimates: On March 15, 2006, CBO transmitted a cost estimate for H.R. 4943, the Prevention of Fraudulent Access to Phone Records Act, as ordered reported by the House Committee on Energy and Commerce on March 8, 2006. The two bills contain similar provisions related to the security of the personal information of telecommunications customers. CBO estimates that both bills would have similar costs for the FCC, but that S. 2389 would have slightly higher costs for the FTC to enforce the new laws and regulations and to conduct the media campaign in conjunction with the FCC.

H.R. 4943 is similar in scope to S. 2389 but does not contain any preemptions of state and local laws.
The intergovernmental mandates statements reflect that difference.

The private-sector mandates contained in H.R. 4943 are very similar to some of the mandates in S. 2389. Both bills require telecommunications carriers to increase the protection of customer proprietary network information and provide timely notice to each customer upon breach of customer proprietary network information. Because the cost of mandates in both bills depends on rules to be prescribed by the FCC, CBO could not determine whether those costs would exceed UMRA's annual threshold for private-sector mandates.

Estimate prepared by: Federal Costs: Melissa Z. Petersen; Impact on State, Local, and Tribal governments: Sarah Puro; Impact on the Private Sector: Fatimot Ladipo.

Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis.

Regulatory Impact Statement

In accordance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee provides the following evaluation of the regulatory impact of the legislation, as reported:

NUMBER OF PERSONS COVERED

The FCC may issue regulations to implement the requirement set forth in the reported bill that it be illegal to acquire, use, sell, or solicit a person's confidential phone records without that person's consent. The reported bill also would require the FCC to promulgate rules to the extent it determines necessary, to require regulated entities to enhance their procedures for protecting consumer records and ensure that its rules regarding the security of confidential phone records are consistent with those protections adopted under GLBA, taking into account the differences between financial information and CPNI. The FCC would be required to develop regulations to implement these requirements, so individuals or businesses that handle relevant consumer records subject to the legislation would become subject to new or modified regulations.

ECONOMIC IMPACT

S.
2389 would not have an adverse economic impact on the nation's economy. The Act would require that the FCC impose additional safeguards and procedures on phone companies if they are determined to be necessary.

PRIVACY

The reported bill would enhance the personal privacy of U.S. citizens.

PAPERWORK

The reported bill should not increase paperwork requirements significantly for individuals and businesses.

Section-by-Section Analysis

Section 1. Short title; Table of contents

This section sets forth the short title ``Protecting Consumer Phone Records Act'' and the table of contents.

Section 2. Unauthorized acquisition, use, or sale of confidential customer proprietary network telephone information

Subsection (a) would make it unlawful for any person to acquire, use, or sell another person's customer proprietary network information or CPNI, which is already defined in section 222(i)(1) of the 1934 Act and includes phone records and certain other information made available to carriers based on the customer's use of the service, without that person's affirmative written consent (which may be given electronically). This subsection would outlaw the sale of CPNI and specifically would outlaw misrepresenting that a person has given authorization to another person to obtain their phone records, often referred to as pretexting.

Subsection (b) would ensure that prohibitions under subsection 2(a) do not apply to legitimate business practices currently not prohibited by section 222 of the 1934 Act. This subsection would preserve law enforcement's ability to obtain phone records, require that IP-enabled voice service providers be treated like telecommunications carriers for purposes of section 2 of this bill, and clarify continued legality of using caller ID to identify calls received.
Nothing in subsection 2(b)(4) prohibits the use of caller identification services to identify the originator of telephone calls or requirements enabling a person to conceal their telephone number from caller ID devices and services.

In addition, the Committee is aware that under current law telecommunications carriers and IP-enabled voice service providers engage third parties in activities that involve CPNI in the normal course of business. For instance, a carrier or provider might contract out its billing functions, which necessarily involves CPNI, or may allow a company that is considering purchasing it to review its books and assets, including CPNI. In other examples, aggregate data containing phone numbers may be provided to third parties in a secure manner. Under each of these sharing scenarios, third parties agree via contract to be bound in their handling of such data by the laws applicable to carriers' handling and use of such information. In still other cases, call data may be shared in connection with the provision of in-vehicle emergency communications in order to provide emergency services to consumers. Thus, to the extent that certain disclosures of CPNI data are permitted under current law, the Committee does not intend that anything in this Act would change the permissiveness of such practices.

The Committee drafted the exception for legitimate business practices in subsection 2(b) with the intent of preserving such business practices that currently are not prohibited under section 222 of the 1934 Act or under the FCC's rules. The Committee does not intend for the exception to extend beyond normal business practices related to provisioning voice service. For instance, acquiring CPNI from another carrier in violation of section 2 is not intended to be covered by this exception.

Subsection (c) would allow phone companies to initiate a private right of action against data brokers or others who illegally acquire, use, sell, or solicit phone records.
This subsection would boost enforcement because a carrier may be in a better position than consumers to figure out who is obtaining this information and also may have more resources to litigate such claims. Similar authority has been helpful with respect to enforcing the anti-spam law. This subsection would provide for treble damages and for inflation adjustment.

Subsection (d) would allow a consumer who was harmed by a violation of section 2 to bring a civil action in a Federal district court or other court of competent jurisdiction, but would not allow a consumer to bring a civil action against a telecommunications carrier. The consumer would be able to obtain damages of up to $11,000 per violation or treble damages if the defendant is proved to have knowingly or willfully violated section 2. The district court would be permitted to assess against any party the costs of such an action, including reasonable attorney's fees.

Subsection (e) would provide for a civil penalty of $11,000 for each violation or each day of a continuing violation, but caps the penalty for a single act or failure to act at $11,000,000.

Subsection (f) would clarify that nothing under this Act or section 222 of the 1934 Act authorizes a customer to bring a private right of action against a telecommunications carrier or an IP-enabled voice service provider.

Subsection (g) would provide definitions for the terms ``Customer Proprietary Network Information,'' ``IP-enabled voice service,'' and ``Telecommunications Carrier.''

Section 3. Enhanced confidentiality procedures

Subsection (a) would require the FCC to review its regulations and revise them, if necessary, to ensure that the regulations meet the three directives set forth in GLBA for financial institutions. To the extent the FCC revises its regulations, the Commission is directed to adopt rules similar in scope and structure to the regulations adopted by the FTC pursuant to GLBA.
This is intended to help standardize industry practices for protecting consumer information.

Subsection (b) would require phone companies to annually certify that such carriers are in compliance with section 222 of the 1934 Act, as well as any regulations issued pursuant to this section.

Section 4. Penalties; Extension of confidentiality requirements to other entities

Subsection (a) would establish a $30,000 penalty per violation for any person found to have violated section 2 of this Act, with a limit of $90,000 per day for any continuing violation, and a cap of $3 million for any single act or failure to act. This section also would add additional criminal penalties under the 1934 Act of $30,000 per violation or $90,000 per day for any continuing violation.

Subsection (b) would extend FCC's phone record and CPNI rules to IP-enabled voice services. As a result, all wireline, wireless and IP based phone companies would be covered by comparable rights and obligations.

Subsection (c) would define IP-enabled voice service. The Committee notes that the definition of IP-enabled voice service provider is different in this bill than the definition used in the context of 911 calls over IP-enabled voice services. This bill would propose a definition that would capture one-way services that only allow calls to or from the public switched telephone network. In the context of 911, the Committee believed that consumers who purchase a voice service with limited capabilities and features would not necessarily expect to be able to call 911, so the definition in that context only included two-way services. However, the Committee believes that consumers still would have an expectation of privacy relative to the records of any phone calls they make or receive even in connection with a one-way service.
Subsection (d) would require telecommunications carriers and IP-enabled voice service providers to notify customers within 14 calendar days if they realize that the customers' information has been provided to unauthorized third parties. This section also would provide an exception for delay consistent with law enforcement or homeland security determinations.
Subsection (e) would provide for a two-year statute of limitations for FCC enforcement under title V of the 1934 Act.
Subsection (f) would exempt cable VOIP service from the privacy requirements of title VI to the extent such service is covered by the Protecting Consumer Phone Records Act to provide competitive neutrality and to prevent conflicting regulatory requirements.
Subsection (g) prohibits commercial mobile service providers from including the wireless telephone number information of any customer in a wireless directory assistance service database unless the provider first provides notice to the customer of the right not to be listed, and then obtains separate, express authorization from the customer to be included in the directory upon request on a cost-free basis. Finally, this subsection preempts any State or local laws that are inconsistent with its requirements.
Section 5. Enforcement by the FTC
This section would provide authority for FTC enforcement of section 2 of the Protecting Consumer Phone Records Act as if a violation of that section were a violation of the FTC Act.
Section 6. Concurrent enforcement by the FCC
This section would give the FCC concurrent jurisdiction with the FTC to enforce section 2, and would provide that for enforcement purposes a violation of section 2 would be deemed a violation of the 1934 Act.
Section 7. Enforcement by States
Subsection 7(a) would allow States to sue in Federal district court to enforce section 2 or to impose civil penalties if a State has reason to believe its citizens are threatened or adversely affected.
Subsection 7(b) would require that before initiating a civil action under subsection 7(a), a State must serve written notice on the FTC and the FCC. Subsection 7(c) would allow the FTC and the FCC to intervene in a civil action under subsection 7(a) and to be heard on all matters therein and to file petitions for appeal of a decision in such civil action. Subsection 7(d) would clarify that subsection 7(a) would not prevent a State from conducting investigations or administering oaths or affirmations, or compelling the attendance of witnesses or the production of documentary and other evidence. Subsection 7(e) would provide that venue for an action brought under subsection 7(a) lies in Federal district court pursuant to 28 U.S.C. 1391, and that process may be served without regard to territorial limits of the district or State where the action is instituted. Subsection 7(e) also would provide that a person who participated in an alleged violation may be joined in the civil action without regard to the residence of that person. Subsection 7(f) would provide that if either the FTC or the FCC has instituted a proceeding for violation of section 2, the State in which the violation has occurred may not bring an action under section 2 against the same alleged violator during pendency of such proceeding. Section 8. 
Preemption of State law
Section 8 would provide that section 2 and any regulations prescribed pursuant to section 3 of this bill and section 222 of the 1934 Act shall preempt (1) any State or local statute, regulation or rule that requires a telecommunications carrier or provider of IP-enabled voice service to develop, implement, maintain, or restrict customer proprietary network information or other individually identifiable customer information held by that telecommunications carrier or provider of IP-enabled voice service, and (2) any such statute, regulation, or rule, or judicial precedent of any State court under which liability is imposed on a telecommunications carrier or provider of IP-enabled voice service for failure to comply with the requirements of section 2 or 3 of this Act, or section 222 of the 1934 Act. The Committee intends that Federal preemption under this section will extend to State laws that are inconsistent with the provisions of sections 2 or 3 of this Act and section 222 of the 1934 Act.
Section 9. Consumer outreach and education
Section 9 would require that within 180 days after the date of enactment of this Act, the FTC and the FCC shall jointly establish and implement a campaign to educate the public about the protection afforded under this Act as well as under the FTC Act and the 1934 Act. Subsection 9(b) would require such public education campaign to inform the public about the theft and misuse of customer proprietary network information, methods to protect such information, and Federal prevention and enforcement efforts. In carrying out this education requirement, the FTC and FCC must explore the use of various distribution platforms.
Rollcall Votes in Committee
Senator Pryor offered an amendment to the substitute that would allow a consumer who was harmed by a violation of section 2 to bring a civil action in a Federal district court or other court of competent jurisdiction.
By a rollcall vote of 11 yeas and 10 nays as follows (Senator Rockefeller was recorded as necessarily absent), the amendment was adopted.

YEAS--11                         NAYS--10
Ms. Snowe                        Mr. McCain \1\
Mr. Smith                        Mr. Burns \1\
Mr. Inouye                       Mr. Lott
Mr. Kerry \1\                    Mrs. Hutchison \1\
Mr. Dorgan \1\                   Mr. Ensign \1\
Mrs. Boxer                       Mr. Allen
Mr. Nelson of Florida \1\        Mr. Sununu
Ms. Cantwell                     Mr. DeMint \1\
Mr. Lautenberg                   Mr. Vitter \1\
Mr. Nelson of Nebraska \1\       Mr. Stevens
Mr. Pryor

\1\By proxy

ADDITIONAL VIEWS OF SENATOR PRYOR
PRIVATE RIGHT OF ACTION FOR CONSUMERS
As the Committee considered the difficult issue of protecting consumers' private phone records, I felt that it was extremely important that consumers be given the tools they need to protect themselves from fraudulent and unscrupulous behavior. In this legislation, we have provided a litany of enforcement protections for consumers--including enforcement by the Federal Trade Commission, Federal Communications Commission, and State Attorneys General. I believe that these enforcement protections are valuable and necessary to helping end the practice of fraudulently obtaining and selling consumers' phone records without authorization from the consumer. I support them wholeheartedly. However, these enforcement protections do not provide any recourse for the consumer--the person or persons most likely to be harmed by unauthorized disclosures of phone records. Furthermore, FTC, FCC, and State Attorney General enforcement actions do not provide adequate protections for those whose phone records are used for stalking and domestic violence. For this reason, I offered an amendment to the committee bill that would authorize consumers who have been harmed by a person fraudulently obtaining or selling their phone records to file suit against the person who caused the harm through a violation of this act. The Committee also did adopt, as a part of this legislation, a providers' private right of action.
Other recent consumer protection legislation has not included a consumers' private right of action. The inclusion of this amendment in this legislation does not lead me to believe that the committee will include a consumer private right of action in every circumstance. In the SPAM legislation, the committee provided Internet service providers a right of action. In S. 1408, the Identity Theft Protection Act, there is no consumer or provider private right of action. I believe that the exclusions of private rights of action in these pieces of legislation are not a good reason to exclude a consumer private right of action in this case. In both cases of identity theft and SPAM, the nature of the harm caused and the entity causing the harm are fundamentally different than is the case with phone records. Harm caused by SPAM is at worst an inconvenience, and legitimate businesses could have a breach due to an honest mistake in the case of identity theft. In those instances, we have not allowed consumers to sue businesses performing legitimate business practices. In the case of phone records, the nature of the harm that can be caused is dramatically different than in SPAM or identity theft because the harm can be physical--it can literally endanger someone's life. Individuals, rogue Internet operators, and fraudsters are deliberately trying to cause harm, and as the committee heard in testimony, this harm can sometimes lead to death. Because of the special type of harm that can be caused by an unauthorized disclosure of phone records, I believe a consumer private right of action is a needed additional protection for consumers. Several of my colleagues are concerned that the inclusion of this amendment will create a precedent for future committee consumer protection legislation. I believe that any future consideration of a private right of action for consumers should be done on a case by case basis.
In this case of protecting phone records, I felt that a consumer private right of action was a common sense improvement to the bill, and a majority of my colleagues agreed. I don't expect my colleagues to always agree that this is an additional needed protection. The purpose of this legislation is to protect consumers' phone records. They are the ones most likely to be harmed through an unauthorized release of their phone records, and they have as much of a legally protectable interest as their providers. The intention of my amendment is to provide recourse for consumers who might not have any other place to go for help, especially in the case of domestic violence. I feel they should be allowed to pursue action, independent of the government, against the criminals who intentionally steal their information with the intent to cause harm. The unauthorized disclosure, sale, or use of consumers' phone records are practices we are trying to eliminate through this legislation. I believe that more enforcement is always preferable to less enforcement. My amendment is an attempt to make this bill stronger for consumers.
Changes in Existing Law
SEC. 222. PRIVACY OF CUSTOMER INFORMATION. [47 U.S.C. 222]
(a) In General.--Every telecommunications carrier or IP-enabled voice service provider has a duty to protect the confidentiality of proprietary information of, and relating to, other [telecommunication carriers] telecommunications carriers or IP-enabled voice service providers, equipment manufacturers, and customers, including [telecommunication carriers] telecommunications carriers or IP-enabled voice service providers reselling telecommunications services provided by a telecommunications carrier or IP-enabled voice service provider.
(b) Confidentiality of Carrier and IP-enabled Voice Service Provider Information.--A telecommunications carrier or IP-enabled voice service provider that receives or obtains proprietary information from another carrier for purposes of providing any telecommunications service shall use such information only for such purpose, and shall not use such information for its own marketing efforts. (c) Confidentiality of Customer Proprietary Network Information.-- (1) Privacy requirements for telecommunications carriers and ip-enabled voice service providers.-- Except as required by law or with the approval of the customer, a telecommunications carrier or IP-enabled voice service provider that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories. (2) Disclosure on request by customers.--A telecommunications carrier or IP-enabled voice service provider shall disclose customer proprietary network information, upon affirmative written request by the customer, to any person designated by the customer. (3) Aggregate customer information.--A telecommunications carrier or IP-enabled voice service provider that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service may use, disclose, or permit access to aggregate customer information other than for the purposes described in paragraph (1).
A local exchange carrier may use, disclose, or permit access to aggregate customer information other than for purposes described in paragraph (1) only if it provides such aggregate information to other carriers or persons on reasonable and nondiscriminatory terms and conditions upon reasonable request therefor. (d) Exceptions.--Nothing in this section prohibits a telecommunications carrier or IP-enabled voice service provider from using, disclosing, or permitting access to customer proprietary network information obtained from its customers, either directly or indirectly through its agents-- (1) to initiate, render, bill, and collect for telecommunications services; (2) to protect the rights or property of the carrier or provider, or to protect users of those services and other carriers or providers from fraudulent, abusive, or unlawful use of, or subscription to, such services; (3) to provide any inbound telemarketing, referral, or administrative services to the customer for the duration of the call, if such call was initiated by the customer and the customer approves of the use of such information to provide such service; and (4) to provide call location information concerning the user of a commercial mobile service (as such term is defined in section 332(d))-- (A) to a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user's call for emergency services; (B) to inform the user's legal guardian or members of the user's immediate family of the user's location in an emergency situation that involves the risk of death or serious physical harm; or (C) to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency. 
(e) Subscriber List Information.--Notwithstanding subsections (b), (c), and (d), a telecommunications carrier that provides telephone exchange service shall provide subscriber list information gathered in its capacity as a provider of such service on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of publishing directories in any format. (f) Authority To Use Wireless Location Information.--For purposes of subsection (c)(1), without the express prior authorization of the customer, a customer shall not be considered to have approved the use or disclosure of or access to-- (1) call location information concerning the user of a commercial mobile service (as such term is defined in section 332(d)), other than in accordance with subsection (d)(4); or (2) automatic crash notification information to any person other than for use in the operation of an automatic crash notification system. (g) Subscriber Listed and Unlisted Information for Emergency Services.--Notwithstanding subsections (b), (c), and (d), a telecommunications carrier that provides telephone exchange service or IP-enabled voice service provider shall provide information described in subsection (i)(3)(A) (including information pertaining to subscribers whose information is unlisted or unpublished) that is in its possession or control (including information pertaining to subscribers of other carriers) on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions to providers of emergency services, and providers of emergency support services, solely for purposes of delivering or assisting in the delivery of emergency services. 
(h) Notice of Violations.-- (1) In general.--The Commission shall by regulation require each telecommunications carrier or IP-enabled voice service provider to notify a customer within 14 calendar days after the carrier or provider is notified of, or becomes aware of, an incident in which customer proprietary network information relating to such customer was disclosed to someone other than the customer in violation of this section or section 2 of the Protecting Consumer Phone Records Act. (2) Law enforcement and homeland security related delays.--Notwithstanding paragraph (1), a telecommunications carrier or IP-enabled voice service provider may delay the required notification for a reasonable period of time if-- (A) a Federal or State law enforcement agency determines that giving notice within the 14-day period would materially impede a civil or criminal investigation; or (B) a Federal national security agency or the Department of Homeland Security determines that giving notice within the 14-day period would threaten national or homeland security. [(h)] (i) Definitions.--As used in this section: (1) Customer proprietary network information.--The term ``customer proprietary network information'' means-- (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service or IP-enabled voice service subscribed to by any customer of a telecommunications carrier or IP-enabled voice service provider, and that is made available to the carrier or provider by the customer solely by virtue of the carrier-customer or provider-customer relationship; and (B) information contained in the bills pertaining to [telephone exchange service or telephone toll service] telephone exchange service, telephone toll service, or IP-enabled voice service received by a customer of a carrier or provider; except that such term does not include subscriber list [information.]
information nor does it include information that is related to non-voice service features bundled with IP-enabled voice service. (2) Aggregate information.--The term ``aggregate customer information'' means collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed. (3) Subscriber list information.--The term ``subscriber list information'' means any information-- (A) identifying the listed names of subscribers of a carrier or provider and such subscribers' telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications; and (B) that the carrier or provider or an affiliate has published, caused to be published, or accepted for publication in any directory format. (4) Public safety answering point.--The term ``public safety answering point'' means a facility that has been designated to receive emergency calls and route them to emergency service personnel. (5) Emergency services.--The term ``emergency services'' means 9-1-1 emergency services and emergency notification services. (6) Emergency notification services.--The term ``emergency notification services'' means services that notify the public of an emergency. (7) Emergency support services.--The term ``emergency support services'' means information or data base management services used in support of emergency services. 
(8) IP-enabled voice service.--The term ``IP-enabled voice service'' means the provision of real-time 2-way voice communications offered to the public, or such classes of users as to be effectively available to the public, transmitted through customer premises equipment using TCP/IP protocol, or a successor protocol, for a fee (whether part of a bundle of services or separately) with interconnection capability such that the service can originate traffic to, or terminate traffic from, the public switched telephone network. (j) Wireless Consumer Privacy Protection.-- (1) In general.--A provider of commercial mobile services, or any direct or indirect affiliate or agent of such a provider, may not include the wireless telephone number information of any subscriber in any wireless directory assistance service database unless the mobile service provider-- (A) provides a conspicuous, separate notice to the subscriber informing the subscriber of the right not to be listed in any wireless directory assistance service; and (B) obtains express prior authorization for listing from such subscriber, separate from any authorization obtained to provide such subscriber with commercial mobile service, or any calling plan or service associated with such commercial mobile service, and such authorization has not been subsequently withdrawn. (2) Cost-free de-listing.--A provider of commercial mobile services, or any direct or indirect affiliate or agent of such a provider, shall remove the wireless telephone number information of any subscriber from any wireless directory assistance service database upon request by that subscriber and without any cost to the subscriber. 
(3) Publication of directories prohibited.--A provider of commercial mobile services, or any direct or indirect affiliate or agent of such a provider, may not publish, in printed, electronic, or other form, or sell or otherwise disseminate, the contents of any wireless directory assistance service database, or any portion or segment thereof unless the mobile service provider-- (A) provides a conspicuous, separate notice to the subscriber informing the subscriber of the right not to be listed; and (B) obtains express prior authorization for listing from such subscriber, separate from any authorization obtained to provide such subscriber with commercial mobile service, or any calling plan or service associated with such commercial mobile service, and such authorization has not been subsequently withdrawn. (4) No consumer fee for retaining privacy.--A provider of commercial mobile services may not charge any subscriber for exercising any of the rights described under this subsection. (5) State and local laws pre-empted.--To the extent that any State or local government imposes requirements on providers of commercial mobile services, or any direct or indirect affiliate or agent of such providers, that are inconsistent with the requirements of this subsection, this subsection preempts such State or local requirements. (6) Definitions.--In this subsection: (A) Wireless telephone number information.-- The term ``wireless telephone number information'' means the telephone number, electronic address, and any other identifying information by which a calling party may reach a subscriber to commercial mobile services, and which is assigned by a commercial mobile service provider to such subscriber, and includes the name and address of such subscriber. 
(B) Wireless directory assistance service.-- The term ``wireless directory assistance service'' means any service for connecting calling parties to a subscriber of commercial mobile service when such calling parties themselves do not possess the wireless telephone number information of such subscriber. * * * * * * * SEC. 503. FORFEITURES IN CASES OF REBATES AND OFFSETS. [47 U.S.C. 503] (a) Any person who shall deliver messages for interstate or foreign transmission to any carrier, or for whom as sender or receiver, any such carrier shall transmit any interstate or foreign wire or radio communication, who shall knowingly by employee, agent, officer, or otherwise, directly or indirectly, by or through any means or device whatsoever, receive or accept from such common carrier any sum of money or any other valuable consideration as a rebate or offset against the regular charges for transmission of such messages as fixed by the schedules of charges provided for in this Act, shall in addition to any other penalty provided by this Act forfeit to the United States a sum of money three times the amount of money so received or accepted and three times the value of any other consideration so received or accepted, to be ascertained by the trial court; and in the trial of said action all such rebates or other considerations so received or accepted for a period of six years prior to the commencement of the action, may be included therein, and the amount recovered shall be three times the total amount of money, or three times the total value of such consideration, so received or accepted, or both, as the case may be. 
(b)(1) Any person who is determined by the Commission, in accordance with paragraph (3) or (4) of this subsection, to have-- (A) willfully or repeatedly failed to comply substantially with the terms and conditions of any license, permit, certificate, or other instrument or authorization issued by the Commission; (B) willfully or repeatedly failed to comply with any of the provisions of this Act or of any rule, regulation, or order issued by the Commission under this Act or under any treaty, convention, or other agreement to which the United States is a party and which is binding upon the United States; (C) violated any provision of section 317(c) or 508(a) of this Act; or (D) violated any provision of section 1304, 1343, or 1464 of title 18, United States Code; shall be liable to the United States for a forfeiture penalty. A forfeiture penalty under this subsection shall be in addition to any other penalty provided for by this Act; except that this subsection shall not apply to any conduct which is subject to forfeiture under title II, part II or III of title III, or section 506 of this Act. (2)(A) If the violator is (i) a broadcast station licensee or permittee, (ii) a cable television operator, or (iii) an applicant for any broadcast or cable television operator license, permit, certificate, or other instrument or authorization issued by the Commission, the amount of any forfeiture penalty determined under this section shall not exceed $25,000 for each violation or each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $250,000 for any single act or failure to act described in paragraph (1) of this subsection. 
(B) If the violator is a common carrier subject to the provisions of this Act or an applicant for any common carrier license, permit, certificate, or other instrument of authorization issued by the Commission, the amount of any forfeiture penalty determined under this subsection shall not exceed $100,000 for each violation or each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,000,000 for any single act or failure to act described in paragraph (1) of this subsection. (C) In any case not covered in subparagraph (A) or (B), the amount of any forfeiture penalty determined under this subsection shall not exceed $10,000 for each violation or each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $75,000 for any single act or failure to act described in paragraph (1) of this subsection. (D) The amount of such forfeiture penalty shall be assessed by the Commission, or its designee, by written notice. In determining the amount of such a forfeiture penalty, the Commission or its designee shall take into account the nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require. (3)(A) At the discretion of the Commission, a forfeiture penalty may be determined against a person under this subsection after notice and an opportunity for a hearing before the Commission or an administrative law judge thereof in accordance with section 554 of title 5, United States Code. Any person against whom a forfeiture penalty is determined under this paragraph may obtain review thereof pursuant to section 402(a). 
(B) If any person fails to pay an assessment of a forfeiture penalty determined under subparagraph (A) of this paragraph, after it has become a final and unappealable order or after the appropriate court has entered final judgment in favor of the Commission, the Commission shall refer the matter to the Attorney General of the United States, who shall recover the amount assessed in any appropriate district court of the United States. In such action, the validity and appropriateness of the final order imposing the forfeiture penalty shall not be subject to review. (4) Except as provided in paragraph (3) of this subsection, no forfeiture penalty shall be imposed under this subsection against any person unless and until-- (A) the Commission issues a notice of apparent liability, in writing, with respect to such person; (B) such notice has been received by such person, or until the Commission has sent such notice to the last known address of such person, by registered or certified mail; and (C) such person is granted an opportunity to show, in writing, within such reasonable period of time as the Commission prescribes by rule or regulation, why no such forfeiture penalty should be imposed. Such a notice shall (i) identify each specific provision, term, and condition of any Act, rule, regulation, order, treaty, convention, or other agreement, license, permit, certificate, instrument, or authorization which such person apparently violated or with which such person apparently failed to comply; (ii) set forth the nature of the act or omission charged against such person and the facts upon which such charge is based; and (iii) state the date on which such conduct occurred. Any forfeiture penalty determined under this paragraph shall be recoverable pursuant to section 504(a) of this Act. 
(5) No forfeiture liability shall be determined under this subsection against any person, if such person does not hold a license, permit, certificate, or other authorization issued by the Commission, and if such person is not an applicant for a license, permit, certificate, or other authorization issued by the Commission, unless, prior to the notice required by paragraph (3) of this subsection or the notice of apparent liability required by paragraph (4) of this subsection, such person (A) is sent a citation of the violation charged; (B) is given a reasonable opportunity for a personal interview with an official of the Commission, at the field office of the Commission which is nearest to such person's place of residence; and (C) subsequently engages in conduct of the type described in such citation. The provisions of this paragraph shall not apply, however, if the person involved is engaging in activities for which a license, permit, certificate, or other authorization is required, or is a cable television system operator, if the person involved is transmitting on frequencies assigned for use in a service in which individual station operation is authorized by rule pursuant to section 307(e), or in the case of violations of section 303(q), if the person involved is a nonlicensee tower owner who has previously received notice of the obligations imposed by section 303(q) from the Commission or the permittee or licensee who uses that tower. Whenever the requirements of this paragraph are satisfied with respect to a particular person, such person shall not be entitled to receive any additional citation of the violation charged, with respect to any conduct of the type described in the citation sent under this paragraph.
(6) No forfeiture penalty shall be determined or imposed against any person under this subsection if-- (A) such person holds a broadcast station license issued under title III of this Act and if the violation charged occurred-- (i) more than 1 year prior to the date of issuance of the required notice or notice of apparent liability; or (ii) prior to the date of commencement of the current term of such license, whichever is earlier; or [(B) such person does not hold a broadcast station license issued under title III of this Act and if the violation charged occurred more than 1 year prior to the date of issuance of the required notice or notice of apparent liability.] (B) such person does not hold a broadcast station license issued under title III of this Act and-- (i) the person is charged with violating section 222 and the violation occurred more than 2 years prior to the date of issuance of the required notice or notice of apparent liability; or (ii) the person is charged with violating any other provision of this Act and the violation occurred more than 1 year prior to the date of issuance of the required notice or notice of apparent liability. For purposes of this paragraph, ``date of commencement of the current term of such license'' means the date of commencement of the last term of license for which the licensee has been granted a license by the Commission. A separate license term shall not be deemed to have commenced as a result of continuing a license in effect under section 307(c) pending decision on an application for renewal of the license. SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK INFORMATION VIOLATIONS. (a) Civil Forfeiture.-- (1) In general.--Any person determined by the Commission, in accordance with paragraphs (3) and (4) of section 503(b), to have violated section 2 of the Protecting Consumer Phone Records Act shall be liable to the United States for a forfeiture penalty. 
A forfeiture penalty under this subsection shall be in addition to any other penalty provided for by this Act. The amount of the forfeiture penalty determined under this subsection shall not exceed $30,000 for each violation, or 3 times that amount for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $3,000,000 for any single act or failure to act. (2) Recovery.--Any forfeiture penalty determined under paragraph (1) shall be recoverable pursuant to section 504(a) of this Act. (3) Procedure.--No forfeiture liability shall be determined under paragraph (1) against any person unless such person receives the notice required by section 503(b)(3) or section 503(b)(4) of this Act. (4) 2-year statute of limitations.--No forfeiture penalty shall be determined or imposed against any person under paragraph (1) if the violation charged occurred more than 2 years prior to the date of issuance of the required notice or notice of apparent liability. (b) Criminal Fine.--Any person who willfully and knowingly violates section 2 of the Protecting Consumer Phone Records Act shall upon conviction thereof be fined not more than $30,000 for each violation, or 3 times that amount for each day of a continuing violation, in lieu of the fine provided by section 501 for such a violation. This subsection does not supersede the provisions of section 501 relating to imprisonment or the imposition of a penalty of both fine and imprisonment. * * * * * * * PART IV--MISCELLANEOUS PROVISIONS SEC. 631. PROTECTION OF SUBSCRIBER PRIVACY. [47 U.S.C.
551] (a)(1) At the time of entering into an agreement to provide any cable service or other service to a subscriber and at least once a year thereafter, a cable operator shall provide notice in the form of a separate, written statement to such subscriber which clearly and conspicuously informs the subscriber of-- (A) the nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information; (B) the nature, frequency, and purpose of any disclosure which may be made of such information, including an identification of the types of persons to whom the disclosure may be made; (C) the period during which such information will be maintained by the cable operator; (D) the times and place at which the subscriber may have access to such information in accordance with subsection (d); and (E) the limitations provided by this section with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under subsections (f) and (h) to enforce such limitations. In the case of subscribers who have entered into such an agreement before the effective date of this section, such notice shall be provided within 180 days of such date and at least once a year thereafter. (2) For purposes of this section, other than subsection (h)-- (A) the term ``personally identifiable information'' does not include any record of aggregate data which does not identify particular persons; (B) the term ``other service'' includes any wire or radio communications service provided using any of the facilities of a cable operator that are used in the provision of cable service; and (C) the term ``cable operator'' includes, in addition to persons within the definition of cable operator in section 602, any person who (i) is owned or controlled by, or under common ownership or control with, a cable operator, and (ii) provides any wire or radio communications service. 
(b)(1) Except as provided in paragraph (2), a cable operator shall not use the cable system to collect personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned. (2) A cable operator may use the cable system to collect such information in order to-- (A) obtain information necessary to render a cable service or other service provided by the cable operator to the subscriber; or (B) detect unauthorized reception of cable communications. (c)(1) Except as provided in paragraph (2), a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator. (2) A cable operator may disclose such information if the disclosure is-- (A) necessary to render, or conduct a legitimate business activity related to, a cable service or other service provided by the cable operator to the subscriber; (B) subject to subsection (h), made pursuant to a court order authorizing such disclosure, if the subscriber is notified of such order by the person to whom the order is directed; (C) a disclosure of the names and addresses of subscribers to any cable service or other service, if-- (i) the cable operator has provided the subscriber the opportunity to prohibit or limit such disclosure, and (ii) the disclosure does not reveal, directly or indirectly, the-- (I) extent of any viewing or other use by the subscriber of a cable service or other service provided by the cable operator, or (II) the nature of any transaction made by the subscriber over the cable system of the cable operator; or (D) to a government entity as authorized under chapters 119, 121, or 206 of title 18, United States Code, except that such disclosure shall not include records revealing cable 
subscriber selection of video programming from a cable operator. (d) A cable subscriber shall be provided access to all personally identifiable information regarding that subscriber which is collected and maintained by a cable operator. Such information shall be made available to the subscriber at reasonable times and at a convenient place designated by such cable operator. A cable subscriber shall be provided reasonable opportunity to correct any error in such information. (e) A cable operator shall destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) or pursuant to a court order. (f)(1) Any person aggrieved by any act of a cable operator in violation of this section may bring a civil action in a United States district court. (2) The court may award-- (A) actual damages but not less than liquidated damages computed at the rate of $100 a day for each day of violation or $1,000, whichever is higher; (B) punitive damages; and (C) reasonable attorneys' fees and other litigation costs reasonably incurred. (3) The remedy provided by this section shall be in addition to any other lawful remedy available to a cable subscriber. (g) Nothing in this title shall be construed to prohibit any State or any franchising authority from enacting or enforcing laws consistent with this section for the protection of subscriber privacy. 
(h) Except as provided in subsection (c)(2)(D), a governmental entity may obtain personally identifiable information concerning a cable subscriber pursuant to a court order only if, in the court proceeding relevant to such court order-- (1) such entity offers clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case; and (2) the subject of the information is afforded the opportunity to appear and contest such entity's claim. (i) Customer Proprietary Network Information.--This section does not apply to customer proprietary network information (as defined in section 222(i)(1) of this Act) as it relates to the provision of IP-enabled voice service (as defined in section 222(i)(8) of this Act) by a cable operator to the extent that section 222 of this Act and section 2 of the Protecting Consumer Phone Records Act applies to such information.