AN ACT CONCERNING INTERNET WEB SITE TRACKING OF CONSUMER DATA.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective January 1, 2009) As used in this act:

(1) "Commercial web site operator" means any business entity that sells, leases, or offers to sell or lease goods or services intended primarily for personal, family or household use and such business entity operates a web site with such entity's commercial name, whether or not such web site is operated by another person pursuant to a contract with the business entity.

(2) "Direct marketing purposes" means the use of personal information to solicit or induce a purchase, rental, lease or exchange of products, goods, property or services directly to individuals by means of the mail, telephone or electronic mail for their personal, family or household purposes. The sale, rental, exchange or lease of personal information for consideration to businesses is a direct marketing purpose of the business that sells, rents, exchanges or obtains consideration for the personal information. Direct marketing purposes does not include the use of personal information: (A) By bona fide tax exempt charitable or religious organizations to solicit charitable contributions, (B) to raise funds from and communicate with individuals regarding politics and government, (C) by a third party when the third party receives personal information solely as a consequence of having obtained for consideration permanent ownership of accounts that might contain personal information, or (D) by a third party when the third party receives personal information solely as a consequence of a single transaction where, as a part of the transaction, personal information had to be disclosed in order to effectuate the transaction.

(3) "Disclose" means to disclose, release, transfer, disseminate or otherwise communicate orally, in writing, or by electronic or any other means to a third party.

(4) "Established business relationship" means a relationship formed by a voluntary, two-way communication between a business and a consumer, with or without an exchange of consideration, for the purpose of purchasing, renting or leasing real or personal property or any interest therein, or obtaining a product or service from the business, if the relationship is ongoing and has not been expressly terminated by the business or the consumer or if the relationship is not ongoing, but is solely established by the purchase, rental or lease of real or personal property from a business or the purchase of a product or service and no more than eighteen months have elapsed from the date of the purchase, rental or lease.

(5) "Personal information" means any information that, when it was disclosed, identified, described or was able to be associated with an individual, including, but not limited to: (A) An individual's name and address, (B) an electronic mail address, (C) a date of birth or age, (D) names or numbers of children, (E) real property purchased, leased or rented, (F) a Social Security number, bank account or credit or debit card number, and (G) payment history.

(6) "Third party" or "third parties" means one or more of the following: (A) A business that is a separate legal entity from the business that has an established business relationship with a consumer, (B) a business that has access to a database that is shared among businesses, if the business is authorized to use the database for direct marketing purposes, unless the use of the database is exempt from being considered a disclosure for direct marketing purposes, or (C) a business not affiliated by a common ownership or common corporate control with the web site operator.

Sec. 2. (NEW) (Effective January 1, 2009) (a) Any commercial web site operator, with whom a consumer residing in this state has an established business relationship on such web site with such consumer, shall, upon written request by such consumer, clearly and conspicuously disclose to the consumer whether or not, within the calendar year immediately preceding such request, the operator has disclosed personal information to third parties, and whether or not the operator knows or reasonably should know that the third parties used the personal information for the direct marketing purposes of a third party. A request pursuant to this section may be mailed to the headquarters of such commercial web site operator or to an electronic mail address provided by the operator. A complete response pursuant to this section shall be provided to the consumer within thirty days of such request.

(b) If the commercial web site operator has disclosed personal information to third parties, the person shall include in its response: (1) The name and addresses of the third parties and the general business of such third parties, and (2) the type of personal information provided to such third parties. If the operator discloses that such third party is an affiliated company, the operator shall describe the affiliation in clear and conspicuous terms.

(c) A commercial web site operator that is required to comply with this section is not obligated to provide information associated with specific individuals and may provide the information required by this section in a standardized format.

(d) A commercial web site operator that is required to comply with this section is not obligated to do so in response to a request from a customer more than once during the course of any calendar year.

(e) If a commercial web site operator has adopted in its privacy policy a policy of not disclosing personal information of consumers to third parties for the direct marketing purposes of a third party unless the customer first affirmatively agrees to that disclosure, or of not disclosing the personal information of customers to third parties for the third parties' direct marketing purposes if the customer has exercised an option that prevents that information from being disclosed to third parties for those purposes, a response to a request pursuant to this section shall also include a notice to the consumer of the right to prevent such disclosure in accordance with the privacy policy and the process for exercising such right.

(f) For purposes of this section, the following disclosures shall not be deemed to be disclosures of personal information by a web site operator for a third party's direct marketing:

(1) Disclosures between the operator and a third party pursuant to contracts or arrangements pertaining to any of the following: (A) The processing, storage, management or organization of personal information, or the performance of services on behalf of the web site operator during which personal information is disclosed, if the third party that processes, stores, manages or organizes the personal information does not use the information for a third party's direct marketing purposes and does not disclose the information to additional third parties for their direct marketing purposes, (B) marketing products or services to consumers with whom the business has an established business relationship where, as a part of the marketing, the business does not disclose personal information to third parties for the third parties' direct marketing purposes, (C) maintaining or servicing accounts, including credit accounts and disclosures pertaining to the denial of applications for credit or the status of applications for credit and processing bills or insurance claims for payment, (D) public record information relating to the right, title, or interest in real property or information relating to property characteristics, obtained from a governmental agency or entity or from a real estate multiple listing service and not provided directly by the consumer to a business in the course of an established business relationship, and (E) jointly offering a product or service pursuant to a written agreement with the third party that receives the personal information, provided all of the following requirements are met: (i) The product or service offered is a product or service of, and is provided by at least one of the businesses that is a party to the written agreement, (ii) the product or service is jointly offered, endorsed or sponsored by, and clearly and conspicuously identifies for the consumer, the businesses that disclose and receive the disclosed personal information, and (iii) the written agreement provides that the third party that receives the personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a product or service that is the subject of the written agreement.

(2) Disclosures to or from a consumer reporting agency of a consumer's payment history or other information pertaining to transactions or experiences between the business and a customer, if that information is to be reported in or used to generate a consumer report as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code and use of that information is limited by the federal Fair Credit Reporting Act, 15 USC Section 1681, et seq.

(3) Disclosures of personal information by a business to a third party financial institution solely for the purpose of the business obtaining payment for a transaction in which the consumer paid the business for goods or services with a check, credit card, charge card or debit card, if the consumer seeks the information required by subdivision (a) of this act from the business obtaining payment, whether or not the business obtaining payment knows or reasonably should know that the third party financial institution has used the personal information for its direct marketing purposes.

(4) Disclosures of personal information between a licensed agent and its principal, if the personal information disclosed is necessary to complete, effectuate, administer or enforce transactions between the principal and the agent, whether or not the licensed agent or principal also uses the personal information for direct marketing purposes, if that personal information is used by each of them solely to market products and services directly to customers with whom both have established business relationships as a result of the principal and agent relationship.

(5) Disclosures of personal information between a financial institution and a business that has a private label credit card, affinity card, retail installment contract or cobranded card program with the financial institution, if the personal information disclosed is necessary for the financial institution to maintain or service accounts on behalf of the business with which it has a private label credit card, affinity card, retail installment contract or cobranded card program, or to complete, effectuate, administer or enforce customer transactions or transactions between the institution and the business, whether or not the institution or the business also uses the personal information for direct marketing purposes, if that personal information is used solely to market products and services directly to customers with whom both the business and the financial institution have established business relationships as a result of the private label credit card, affinity card, retail installment contract or cobranded card program.

(g) If a list, description or grouping of consumer names or addresses is disclosed to a third party sharing the same brand name for direct marketing purposes in a manner that permits the third party to identify, determine or extrapolate the personal information from which the list was derived and that personal information, when it was disclosed, identified, described or was associated with a consumer, any other personal information shall be considered personal information for purposes of this act.

(h) If a list, description or grouping of customer names or addresses is derived using any of these categories specified in this act and is disclosed to a third party for direct marketing purposes in a manner that permits the third party to identify, determine or extrapolate any other personal information from which the list was derived, and that personal information when it was disclosed identified, described or was associated with an individual, the categories set forth in this act that correspond to the personal information used to derive the list, description or grouping shall be considered personal information for purposes of this act.

Statement of Purpose:

To require Internet web site operators to provide consumers, upon request, with information on whether the web site operator gathers data on the consumer and whether that data is sold to third parties.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]