| | | S 2201 As Passed by Committee (Hollings) | HR 4678 As Introduced (Stearns) |
| Scope | Online | Yes | Yes |
| Scope | Offline | Congress must pass a separate act dealing with collection and distribution of personal information offline within 19 months of this bill's enactment or FTC final rulemaking. | Yes (the same standards apply to online and offline information) |
| Notice | | Service provider must indicate: types of data being collected; methods of collection; disclosure practices. | Service Providers are required to provide the user with notice of privacy policy and use of PII both at the time of data collection and upon policy change. |
| Consent | Sensitive Information | Sensitive information, defined as information related to finance, health, religion, etc., requires that users opt-in to data sharing. | Service Providers must give users an opportunity to opt-out when information is collected. Opt-out must be both easy to access and use. |
| Consent | Non-Sensitive Information | Sharing of non-sensitive information requires that service providers give robust notice and provide an opportunity to opt-out. | No distinction is made between types of information. [However, 17 federal laws (including laws governing financial and medical institutions) are exempt.] |
| Access | | Service Providers must allow access to personal information, and opportunity to correct information. Access fee not to exceed $3. | No |
| Security | | Reasonable security procedures defined in rulemaking. | Security policy must take appropriate action after security breach. |
| Safe Harbor | | FTC must approve safe harbors. Detailed requirements. Separate safe harbor for small businesses provided that they not process PII. | FTC must approve self-regulatory organizations. Detailed requirements. |
| Enforcement | FTC | FTC is given rulemaking and enforcement power. The FTC is also given the power to intervene in State actions. | FTC is granted sole power to enforce the regulations set forth, but is not given rulemaking power. |
| Enforcement | Attorneys General | Attorneys General of states may bring civil action on behalf of the residents of the state. They are required to give notice to the FTC upon filing of an action. | No Role |
| Enforcement | Private Right of Action | Maintains private right of action if any service provider fails to abide by the terms of the law. Limits action to $500. Gives an affirmative defense to companies. | No private civil action. |
| Preemption | | Preempts any State statute, regulation, or rule specifically regulating Internet privacy | Preempts any statutory law, common law, rule or regulation of a State... [Intent is not to preempt state financial or medical laws.] |