How It Works

Find out how our solution helps you turn browsers into buyers.

Integrations

From Shopify to Klaviyo, explore over 80 integrations.

Support

Access guides, troubleshooting, and expert assistance.

About Us

Hear our origin story and meet our team.

Partnership

Become an official Retention.com Partner.

Affiliate Program

Learn more about our Affiliate Program.

Careers

Explore career opportunities with Retention.com.

Events

See upcoming events we’re hosting or attending.

Referrals

Got a referral? Let us know here.

Advance Use Case: Qualifying Your Audience

Target only your best, highest intent customer to grow your audience using Retention.com's Identity Resolution

What Does Qualified Traffic Look Like?

In a somewhat basic but general explanation, qualified traffic is the type of traffic that produces tangible business results. While the definition of “qualified traffic” varies from company to company and industry to industry, across companies and industries it is the type of traffic that has the potential to produce ROI from your marketing efforts.

Since the definition of “qualified traffic” will vary by industry, company, and business objectives, the best place to start is to know what qualified looks like for you. What does the typical buying journey to find your product or service look like? Knowing your buyer journey will help reveal the types of keywords, questions, and intent qualified traffic uses when searching for your solutions.

Measuring Qualified Traffic

It is important to understand how to measure whether or not traffic is qualified. With the help of analytics software like Google Analytics, you can gain metrics important to qualifying traffic during the three stages: Visitor, Lead, and Customer. Using these metrics, you can calculate the following:

Ways to Qualify and Segment Your Traffic

Targeting your best users by using Retention.com' Identity Resolution alongside your current marketing is one of the best ways to reduce wasted marketing spend! Segmentation doesn't have to be complex. They don’t have to include multiple criteria, either. They can be very simple and straightforward:

You can always get more advanced with how you segment, but segments allow you to identify strengths, weaknesses, and patterns, find reliable revenue sources, and provide the guidelines to improve where you’re falling short. Anything you can do to better understand your audience behavior and acquisition is time well spent. 

The Top 5 Benefits a Rapidly Growing Email List has for Bloggers

Every blogger knows how important their email list is to their business.

Email is still the highest ROI of any channel. According to a study by Litmus, Email Marketing generates a return on investment (ROI) as high as 42:1.

What bloggers might NOT appreciate quite as much is how much a rapidly growing email list can help a bloggers’ business.

Kim Roach of BuzzBlogger, a blog that teaches bloggers, authors, coaches, and thought leaders how to grow their blog traffic, increased her daily email acquisition from 100/day to 600-800/day overnight with Retention.com. 

I asked her to explain some of the benefits of a rapidly growing email list for bloggers so that I could share them with you here.

1. You can charge more for direct email newsletter advertisements.

Not only do the prices of your ads and JV newsletter takeovers increase, but a big, rapidly growing email list opens the door to newer, bigger advertising partners who also have bigger budgets.

2. You increase overall traffic and social media shares.

Each time you send out a newsletter to an increasingly large audience, some percentage of that audience shares a piece of content, and some percentage of that audience follows you. According to Kim, this sharing effect increases the value of each subscriber every time an email is sent.

3. You can launch products and create quick cash windfalls.

The larger your audience, the easier it is to get products off the ground, because within that audience, there’s a percentage of people who love you and will buy your products. 

4. Having a large email list gives you the ability to run viral giveaways.

Kim has been successful in the past using Gleam.io for giveaways, but it’s critically important to have a large email list as a starting point.

5. You increase the underlying financial value of the blog itself.

Kim finds this reason to be the most exciting of all. She makes long-term plays with all of her blogs, and sees every subscriber and every piece of content they publish as something that adds to the ultimate value that a buyer would pay for the website at some point, maybe 10 years down the road. 

Want to increase the value of your blog? 

Retention.com can 10x your list growth speed with targeted, engaged contacts that are up to 80% cheaper than social.

You can sign up here for free

5 Steps to Properly Test Retention.com

Retention.com works for most e-commerce businesses, but it’s important that appropriate expectations are in place going into the test, and that the test is executed properly for success.

Here are 5 things to keep in mind when you are testing Retention.com for your brand.

1. Customer Acquisition Cost (CAC) generally comes in close to Facebook


Under our current setup, we’ve generally seen people achieve $20 to $40 CAC with Email-Based Retargeting.

While that’s not a Christmas Miracle (I’m writing this in December), it’s another high-quality source of traffic that you can monetize at a comparable price to your other channels.

2. Give it 60 days; this is COLD traffic


Unlike the rest of your e-commerce email marketing list, Retention.com’s email addresses didn’t purchase from you or raise their hand to be contacted. They are further up the funnel than your current list members are, so you’ll need to warm them up before they will buy.

The rules of marketing and sales funnels apply.

Once you’ve installed Retention.com, take your first day’s volume and multiply it by 20. That should give you an approximate monthly estimate for your lead count.

This will help you determine which plan is best for your brand. Put yourself on that plan and run the test.

3. Put them in an e-commerce welcome series IMMEDIATELY


From what we’ve observed so far, sending to these recipients as quickly as possible is the goal. Most e-comm brands add their Retention.com leads into an existing welcome series, which seems to work just fine.

The only problems we’ve seen are when people wait to email these contacts — over a week or so — then blast them with a normal newsletter.

Based on our years running an ESP (Robly), we believe that the current state of email is shifting. For the most part, if someone hits a website and then receives an email from that business, it’s not weird, infuriating, or altogether unexpected — as long as the brand is recognized by the person.

What is infuriating is when you receive email from a brand that you do not recognize whatsoever.

Email them quickly. Then once the welcome flow has finished, drop them into your regular emailing program.

We give you the landing page they hit, so you can get as sophisticated as you want in terms of targeting. We don’t think that’s necessary though. Just hit them quickly, with something.

4. When real-time collection comes, use it


We don’t have a real-time collection feature yet, but in 2020 we will be able to deliver you the records immediately as they come in.

Since we don’t have the feature yet, we can’t tell you how much it will benefit your e-commerce business. But with marketing and advertising in general, the sooner you can contact someone who’s visited your website or reached out in some way, the better. So intuitively, real-time collection will be beneficial, so you should plan to do it.

We’ll also be lowering the price of a lead to a starting cost of 15¢ (vs 25¢ now) if you don’t need a postal record.

That will lower CAC, and should make Email-Based Retargeting more efficient for you.

5. Tag the email addresses “Retention.com,” and evaluate after 60 days

The last thing you need to make sure you do is label the Retention.com addresses inside your ESP.

You’ll be able to look back over 60 days and see whether Email-Based Retargeting was profitable for you or not.

Feel free to email me any time about your test at adam[at]retention[dot]com.

We launched a month ago, so we’re still in learning mode. Any intel from you really helps.

Email-Based Retargeting is a new category and a new channel. You’re definitely going to have to get the whole C-Suite on board, so we made this guide about how you should explain Email-Based Retargeting to your CEO. 

1. It’s a new channel.

Email-Based Retargeting is a method of acquiring email addresses and postal records from anonymous website visitors who are not on your list yet, then marketing to them in a CAN-SPAM compliant way. 

We identify up to 35% of traffic that bounces from your website without filling out a form, and connects that traffic to real profiles of real people.

We use identification technology that’s similar to BounceX, but the key difference is that we’re handing you NEW prospects who are NOT already on your email list.

Email-Based Retargeting bridges what we call the “Identity Gap."

The Identity Gap is the gap between identification technology like Clearbit Reveal (which identifies IP addresses and connects them to companies that have visited your website), and data enrichment technology like Clearbit Enrich (which tells you company and social profile information when given a list of email addresses).

2. It’s legal in the USA, but not anywhere else.

There are two key points here. 

  1. The first point is that in the USA (but not anywhere else), Email Marketing is actually opt-out, rather than opt-in. Read more about that here. We actually comply with opt-in best practices set by Spamhaus.
  2. We give you profiles of real people that we have identified who have opted-in to a partner network of websites whose opt-in language and privacy policies explicitly say that the data will be shared with related and unrelated entities, and upon filling out the form, the user agrees to receive marketing from those parties, email and otherwise. 

Read more about how Email-Based Retargeting is legal here.

Email-Based Retargeting is NOT GDPR COMPLIANT.

3. It’s probably economic for your business.


We are seeing e-commerce customers, on average, acquire customers in the $15-25 range, which is cost equivalent to what we are seeing through Facebook.

This isn’t true for all eCommerce businesses, but it’s true for most of the businesses we’ve observed.

To lower risk and substantially raise the odds of it being economic, only put Retention.com code on your high-intent pages. 

4. Email-Based Retargeting raises Email Marketing higher up the funnel.

Before Email-Based Retargeting, Email Marketing was a down-the-funnel channel. 

Website traffic shows intent either by opting-in via your website or by purchasing something from you. 

Either way, that’s very high-intent traffic. 

Email-Based Retargeting records show far less intent. They don’t even touch a form before they bounce from your website. 

You will have to treat these leads different from your normal email list, and evaluate conversions and CAC efficiency on a longer horizon.

We recommend implementing a five-part warm-up series with storewide coupons attached, then adding these leads to your main Email Marketing list. 

We recommend evaluating EBR over 60 to 90 days, and we’ve structured our contracts with a 3-month out if it’s not working for you.

If you need help converting, we can connect you with agencies that are pros at EBR.

5. It’s inexpensive, and you own the record forever.

Compared to other sources of email addresses, our 25¢ starting price is very competitive (and much lower at significant scale). 

So long as you have an opt-out link on the email you’re sending, you can email these people as much as you’d like until they opt out.

6. It’s easy to set up, free to start, and integrates with everything.


Our code takes under 60 seconds to put on your website. We offer a one-click, pre-made email that you can send to your tech team that contains the script. 

If you can’t believe this is real and just want a data sample, we’ll give you your first 25 records free. 

We either have or are building integrations with every major Enterprise, Mid-Market, and SMB Email Service Provider (ESP). We are integrated with Zapier and Segment. 

If we don’t have an integration you need, let us know

7. This is not our first rodeo. 

We started an ESP six years ago called Robly. We built this tool for ourselves to bridge the Identity Gap between ID tools and enrichment tools. 

Check out Robly’s reviews here.

The Complete Guide to Retention.com vs BounceX

This is the first question we get when talking to any Enterprise customer, so I decided to create a blog post about it.

For the best and most comprehensive results, use both BounceX and Retention.com simultaneously.

Contacts not on your list

#1: Retention.com gets you contacts who are NOT already on your list.

This is the most important difference between the two. And yes, it’s legal to email them in the USA.

BounceX’s matching technology is fantastic, but at the end of the day, you’re sending more emails to people who are already on your list.

Retention.com is a source of new, fresh leads using Email-Based Retargeting. 

It’s legal, and CAN-SPAM and CCPA compliant. 

Postal records

#2: Retention.com also gives you postal records. You can trigger automated postcards from website visits.

BounceX isn’t going to give you postal records. 

This is a major difference. 

Direct mail is a substantially less crowded channel than it used to be, and we can pass you hyper-targeted lists of website visitors by landing page.

Affordable

#3: Retention.com is affordable, and easy to get started.

Pricing starts at around 25¢ per record. 

You pay for the record once, and can market to them until the customer opts-out. 

You can get our code on your website and integrated with your ESP in under five minutes.

BounceX...not so much.

Contacts once a day

#4: Retention.com only gives you contact records once a day.

BounceX has the advantage here, as a real-time triggered-email solution. 

Retention.com sends contact records to your ESP or CRM once a day, at around 11 am EST.

We recommend you set up an automation in your ESP that nurtures and builds trust with these website visitors, and gently nudges them down your marketing funnel. 

It’s different than mailing someone on your list.

GetEmails is self serve

#5: Retention.com is self-serve.

BounceX is a full-service marketing agency. They’re going to design and execute all of the campaigns for you.

Retention.com is a lightweight SaaS application that identifies people on your website, then sends the contact records to your ESP, CRM, or Direct Mail automation system for you to do the marketing.

CAN-SPAM compliant

#6: Retention.com is CAN-SPAM compliant, but NOT GDPR compliant (but our database of contact records is only from the US)

The second most frequently-asked question we get is, “Is this legal?”

The answer is yes. Click through to our legal section. Retention.com is US CAN-SPAM and CCPA compliant, but it’s not GDPR compliant.

BounceX is.

In Summary

Retention.com gets you contacts who are NOT already on your list. BounceX sends more emails to people you’ve already been emailing. 

Retention.com broadens your audience by sending you opted-in contact information of people that visited your website. With postal records. 

Questions? Let me know: adam[at]retention.com

The Two Whys of Email-Based Retargeting - Why We Created A New Category

“How do you get to be the leader? Be the first-est with the most-est.”

Jack Trout, Positioning 

“People don’t buy what you do, they buy why you do it.” 

Simon Sinek’s TED Talk

When explaining why we’re creating the Email-Based Retargeting category, there are two different whys to address:

  1. The Simon Sinek Why. “People don’t buy what you do, they buy why you do it.” In this case that means, aside from marketing advantages, why we’re doing what we’re doing with Retention.com and Email-Based Retargeting in the first place.
  2. The Category Why. Why do the great marketers of our past think it’s accretive to revenue and enterprise value to create a category when creating and launching a product?

The Simon Sinek Why

We’re Democratizing Identification Monetization 

If you know what Retention.com actually does (we identify anonymous web traffic and give you their email and postal address), the first question you probably have is, “Is that legal?” 

(The answer is yes, in the USA. Not anywhere else.)

Shortly thereafter you probably thought, “I’m emailing someone who was on my site but didn’t give me their info. Isn’t that too invasive?”

To answer this question, I would like to draw your attention to the data that Google collects about you every minute of every day.

We live in a world where invasiveness is so extreme that it’s difficult to get your head around it.

Here’s what Google can access and monetize*:

It’s hard to internalize just how invasive this is, but as a society, we seem to be fine with it. And that’s not even including Facebook or any other social media site that collects data about you.

Legally emailing someone to monetize a visit to your website isn’t nearly as invasive as monetizing even one of the bullet points listed above, let alone all of them at once, 24/7/365.

Not only that, Google and Facebook are monetizing visits to your website with the exact same technology we’re using to track visitors.

They’re making you pay over and over again for the same display and search retargeting clicks.

It’s time for you and your business to take advantage of that exact same identification technology, and monetize those visits for yourself. 

It’s time for you to start doing Email-Based Retargeting.

Now we’ll address the other why.

The Category Why

If you can create a category, do it

The best book on creating a category and why you should do so if you can is Positioning, by Al Reis and Jack Trout.

They write: “The easiest way into someone’s mind is to be first.” 

They defend their statement by asking if you know who the second person was to step foot on the moon or fly across the Atlantic, or what the second highest mountain in the world is. 

Point taken. 

What’s the easiest way to be first? 

To introduce a completely new thing, or way of doing something, and to introduce your product or service as the first product or service to do that thing.

Seth Godin addresses category creation in a slightly different way, but in my opinion, it’s just semantics. 

As Seth hypothesizes in The Dip, it’s imperative to be the “best in the world” at something. 

Creating a narrative that you’re the best in the world at something is simply creating a narrow category for your company or product to dominate.

Why did we think Retention.com deserved its own category?

It’s new, it’s different, and no one has ever heard of it

Anthony Kennada, the founder of Gainsight, a category creator in the Customer Success space, made a checklist for deciding if your industry is right for category creation in his book called... you guessed it! Category Creation.

In his words, if you answer yes to all or even a few of these items on this checklist, category creation is right for you. 

  1. Little or no competitors in your space: check
  2. Low search volume/cheaper ad inventory: check
  3. No press or media coverage: check
  4. A marginalized buyer no company is paying attention to: this doesn’t really apply to us
  5. Small but passionate niche of people who get it: check
  6. Larger population of people who don’t get it (right away): check

Despite Software-as-a-Service (SaaS) becoming increasingly commoditized, Retention.com actually does something completely new and different that no one has ever heard of.

At the same time, people are excited to hear about it. 

When they put the code on their website, it works. We send them email addresses they don’t have yet, of real people.

Those are the perfect ingredients for category creation, so we created Email-Based Retargeting.

4 Benefits of Category Creation

1. You get more market share

The most straightforward benefit of creating a category is that if you can continue to dominate that category, and not be dethroned by a “fast follower,” market share accrues to you.

The Harvard Business Review says companies that create categories enjoy 53 percent higher revenue growth and 74 percent higher market capitalization growth than their counterparts that “disrupt.”

2. If you develop the category properly, you can own a term in the mind of the market

In Positioning, the authors say that if you own a term in the mind of the market, the #2 brand that comes to mind will win half the market share, and #3 will be another half still. 

Today’s examples are actually even more profound than that. They’re completely monopolistic. 

Google for Search. Amazon for e-Commerce. Uber for Ride Sharing. Twitter for Tweeting. 

Examples that are closer to home for what we’re trying to do at Retention.com are HubSpot for Inbound Marketing, Drift for Conversational Marketing, ClickFunnels for Sales Funnels, and MailChimp for Email Marketing. 

What about if you’re entering a crowded, established category? 

You can still own a term (or phrase) in the mind of the market by resegmenting the market.

Some great examples of recent niche plays by companies that I follow who have done a great job at resegmenting a crowded space are Convertkit (Email Marketing for Professional Bloggers), and Klaviyo (Email Marketing for Ecommerce). 

The beautiful part of owning a term in the mind of the market (or not-so-beautiful, depending on which side of it you’re on) is you don’t necessarily have to be the company that invented the product to own the term. But if you do own the term, your prospects are likely to think you were the innovator.

3. Publicity is easier in a new category than in a mature, crowded space

Publicity is easier for a category creator because journalists are always looking for something new to share with their audience.  

The proof seems to be in the pudding for this one. As of now, we’ve been able to line up appearances on 10 podcasts in a week, a co-promotion with AppSumo, and several help-a-reporter-out placements. 

I’m convinced there’s no way we could have lined up those appearances with our product in the email marketing space, which has been around for 15 years with more than 150 vendors.

4. You can cultivate a community that evangelizes your brand for you

Cultivating a community of brand champions who agree that you’re solving a valuable problem will help validate your category and grow the industry. 

This community takes time to develop, and starts with appealing to the human side of early adopters. 

Gainsight Founder Anthony Kennada points out that if you can cultivate a group of early adopters via educational content on your blog, featuring successful customers on your website, and hosting live events and conferences featuring early adopters as speakers. “Their support can create a network effect that propels category awareness and thought leadership into the marketplace, sparking a flywheel that will compound and gain momentum as time goes on.”

What can go wrong: Beware the “fast follower”

Pioneers often die with arrows in their backs.

Creating a category is the easy part. Developing it and defending your leadership position over the years is the hard part. 

Google has 91 percent market share in Search. They most certainly did not create the Search category.

Mailchimp is a great example in Email Marketing. They have become synonymous with the term over the years through building a great company and brand with a freemium strategy. But Constant Contact was the pioneer.

An innovative “fast-follower” can take advantage of the effort and capital you have invested in creating a category. With an educated market, it’s much easier to move quickly and take market share with innovative “us vs. them” marketing.

How do you defend your leadership position? 

Jack Trout and Al Ries say that you do it through brand. Position your product to be the standard by which every new product is compared to.

“The essential ingredient in securing the leadership position is getting into the mind first,” they write. “The essential ingredient in keeping the position is reinforcing the original concept.” 

The example they use is Coca-Cola. “The Real Thing” is a strategy every leader can employ. It immediately forces the prospect to judge any competitor by the standard Coca-Cola has set.

What’s the reality of actually doing that in today’s world? 

There’s an infinite supply of everything, new vendors are popping up left and right with newer, better products, and there are more low-cost ways to get initial virality to get products off the ground.

I believe the answer is still brand, but the definition has changed. 

Today, securing positioning takes so much more than a great tagline. Your brand is the value provided to your market through content, the community you cultivate around your product, your ability to attract talent and stay innovative, and the connection you can create between the people behind your product and the people behind the logos you’re selling to. 

Like most worthwhile things in life, it’s a slow, day-in and day-out grind that you can’t really tell is working in the short run, but something beautiful will ensue over the long term.

*courtesy of Dylan Curran at The Guardian

Listen to me and Helen talk about Email-Based Retargeting:

https://youtu.be/TrwXkq_pVao

The Complete Guide to Email-Based Retargeting

At Retention.com, we define Email-Based Retargeting as the following: 

Email-Based Retargeting uses identification technology - usually cookies or cross-device ID - to identify anonymous website visitors. 

Those visitors are matched to a partner network database of contact records (with opt-ins), and the end user is sent email addresses of people who are not already on their list.

Email-Based RetargetingThe last part of the definition - “... of people who are not already on your list” is what separates Email-Based Retargeting from all technology before it, such as Cart Abandonment, Category Abandonment, and Behaviorally Triggered Email. 

With Email-Based Retargeting (unlike display retargeting), the end user pays once and owns the contact record forever. As long as there is an opt-out link in the email, the end-user can email that contact record for as long as they wish.

Email-Based Retargeting is a new, incremental acquisition channel. 

EBR works behind the scenes. Most businesses can easily add EBR to the Email and Direct Mail Marketing that you are currently doing to grow customer acquisition.

FAQsHere are the answers to the 10 questions we get asked the most:

  1. Q: Is Retention.com/Email-Based Retargeting legal? 
    A: Yes, in the USA. Not only is it legal, it’s aligned with Spamhaus’ best practices. Read more about that here.
  2. Q: Does the technology work outside the US?
    A: No, it does not. There are only US email addresses in our database.
  3. Q: How is this different than BounceX?
    A: BounceX sends more real-time emails to people on your list. Email-Based Retargeting sends you customer records of prospects, once a day, who are not yet on your list.
  4. Q: How should I initially engage with these prospects?
    A: A fairly simple welcome series (3-5 emails) is necessary to warm them up to your brand. Tell your story and be as human as possible. If you are an eCommerce brand, offer a store-wide discount. After the warm-up process, add them to your standard newsletter flow. We give you the landing page the prospect landed on, so you can be as sophisticated as you’d like.
  5. Q: How long does it usually take people to convert these emails into customers?
    A: These prospects are much higher up the sales funnel than the rest of your email list, who either opted-in or purchased something. It’s going to take more time to warm them up to your brand and convert them. It’s different for every company, but we encourage people to evaluate Email-Based Retargeting over a 45-60 day period.
  6. Q: What is the approximate customer acquisition cost from the Email-Based Retargeting channel?
    A:
    This varies dramatically from business to business. However, generically our eCommerce customers report around a $20-25 CAC from Email-Based Retargeting, in line with their CAC from social.
  7. Q: How much does Email-Based Retargeting cost?
    A: Retention.com has plans starting at $19, which is around $25c per contact.
  8. Q: Do I have to pay for emails already on my list?
    A: No, you do not. You can upload a suppression list. We will do this automatically with your ESP integration.
  9. Q: What percentage of my traffic will you be able to identify through Email-Based Retargeting? How many emails will I get each day?
    A: We generally identify around 35% of all US-based traffic. We match a large percentage of that to our database, but it varies greatly by business.
  10. Q: What ESP’s do you integrate with?
    A: We are building out integrations to all major ESPs, and Zapier and Segment. If you don’t see your ESP here, shoot us a note at support [at] retention [dot] com.

CLICK HERE TO GET STARTED WITH RETENTION.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Introduced:January 3, 2018
Signed into law:June 28, 2018
Code: California Civil Code
Section:1798.100
Status: Passed

Copy of the official California Consumer Privacy Act of 2018

Senate Bill No. 1121
CHAPTER 735

 

An act to amend Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.185, 1798.192, 1798.196, and 1798.198 of, and to add Section 1798.199 to, the Civil Code, relating to personal information, and declaring the urgency thereof, to take effect immediately.

 

[ Approved by Governor  September 23, 2018. Filed with Secretary of State  September 23, 2018. ]

 

LEGISLATIVE COUNSEL'S DIGEST

SB 1121, Dodd. California Consumer Privacy Act of 2018.
(1) Existing law, the California Consumer Privacy Act of 2018, grants, commencing on January 1, 2020, a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to request a business to delete any personal information about the consumer collected by the business, and requires the business to comply with a verifiable consumer request to that effect, unless it is necessary for the business or service provider to maintain the customer’s personal information in order to carry out specified acts. The act requires a business that collects personal information about a consumer to disclose the consumer’s right to delete personal information described above on its Internet Web site or in its online privacy policy or policies.
This bill would modify that requirement by requiring a business that collects personal information about a consumer to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to consumers and in accordance with a specified process.
(2) The act establishes several exceptions to the requirements imposed, and rights granted, by the act, including prohibiting the act from being interpreted to restrict the ability of a business to comply with federal, state, or local laws, and by providing that the act does not apply if it is in conflict with the California Constitution.
This bill would provide that the rights afforded to consumers and the obligations imposed on any business under the act does not apply if those rights or obligations would infringe on the noncommercial activities of people and entities described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals. The bill would also prohibit application of the act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act. The bill would provide that these exceptions, and the exception provided to information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994, do not apply to specific provisions of the act related to unauthorized theft and disclosure of information. The bill would revise and expand the exception provided for medical information, would except a provider of health care or a covered entity, and would also except information collected as part of clinical trials, as specified. The bill would also clarify that the act does not apply if it is in conflict with the United States Constitution.
(3) The act generally provides for its enforcement by the Attorney General, but also provides for a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information, as defined for this purpose, provided that the consumer bringing an action notify the Attorney General of the action in accordance with a specified process. The act provides that a business, service provider, or other person who violates its provisions, and fails to cure those violations within 30 days, is liable for a civil penalty under laws relating to unfair competition in an action to be brought by the Attorney General. The act prescribes a formula for allocating civil penalties and settlements assessed in these actions with 80% to be allocated to the jurisdictions of the behalf of which the action was brought.
This bill would clarify that the only private right of action permitted under the act is the private right of action described above for violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information and would delete the requirement that a consumer bringing a private right of action notify the Attorney General. The bill would remove references to laws relating to unfair competition in connection with Attorney General actions described above. The bill would limit the civil penalty to be assessed in an Attorney General action in this context to not more than $2,500 per violation or $7,500 per each intentional violation and would specify that an injunction is also available as remedy. The bill would eliminate the formula for allocating penalties and settlements and would instead provide that all of these moneys be deposited in the Consumer Privacy Fund with the intent to offset costs incurred by the courts and the Attorney General in connection with the act. The bill would also revise timelines and requirements regarding the promulgation of regulations by the Attorney General in connection with the act.
(4) The act makes its provisions operative on January 1, 2020, provided a specified contingency is satisfied. Provisions of the act supersede and preempt laws adopted by local entities regarding the collection and sale of a consumer’s personal information by a business.
This bill would make the provisions of the act that supersede and preempt laws adopted by local entities, as described above, operative on the date the bill becomes effective.
(5) This bill would also make various technical and clarifying changes to the act.
(6) This bill would declare that it is to take effect immediately as an urgency statute.

DIGEST KEY

Vote: 2/3   Appropriation: no   Fiscal Committee: yes   Local Program: no  


BILL TEXT

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1.

Section 1798.100 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.100.

(a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

(b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
(e) This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

SEC. 2.

Section 1798.105 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.105.

(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s rights to request the deletion of the consumer’s personal information.
(c) A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
(d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

SEC. 3.

Section 1798.110 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.110.

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or selling personal information.
(4) The categories of third parties with whom the business shares personal information.
(5) The specific pieces of personal information it has collected about that consumer.
(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer.
(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or selling personal information.
(4) The categories of third parties with whom the business shares personal information.
(5) The specific pieces of personal information the business has collected about that consumer.
(d) This section does not require a business to do the following:
(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

SEC. 4.

Section 1798.115 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.115.

(a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.
(2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
(3) The categories of personal information that the business disclosed about the consumer for a business purpose.
(b) A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
(c) A business that sells consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.
(2) The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.
(d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

SEC. 5.

Section 1798.120 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.120.

(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.

(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.
(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt-in.”
(d) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

SEC. 6.

Section 1798.125 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.125.

(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

SEC. 7.

Section 1798.130 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.130.

(a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable consumer request.
(3) For purposes of subdivision (b) of Section 1798.110:
(A) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected.
(4) For purposes of subdivision (b) of Section 1798.115:
(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).
(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that information at least once every 12 months:
(A) A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.
(B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
(i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.
(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
(6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
(7) Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification.
(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
(c) The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.

SEC. 8.

Section 1798.135 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.135.

(a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
(A) Its online privacy policy or policies if the business has an online privacy policy or policies.
(B) Any California-specific description of consumers’ privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.
(4) For consumers who exercise their right to opt-out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
(5) For a consumer who has opted-out of the sale of the consumer’s personal information, respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
(6) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
(b) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
(c) A consumer may authorize another person solely to opt-out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.

SEC. 9.

Section 1798.140 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.140.

For purposes of this title:

(a) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de­identified.
(b) “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(d) “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
(e) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
(f) “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
(g) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
(i) “Designated methods for submitting requests” means a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
(j) “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
(k) “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.
(l) “Homepage” means the introductory page of an Internet Web site and any Internet Web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.145, including, but not limited to, before downloading the application.
(m) “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
(n) “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
(p) “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
(q) “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
(r) “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
(s) “Research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(8) Not be used for any commercial purpose.
(9) Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(t) (1) “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
(2) For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
(u) “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.
(v) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
(w) “Third party” means a person who is not any of the following:
(1) The business that collects personal information from consumers under this title.
(2) (A) A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
(i) Prohibits the person receiving the personal information from:
(I) Selling the personal information.
(II) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(III) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
(ii) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
(B) A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
(x) “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
(y) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

SEC. 10.

Section 1798.145 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.145.

(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
(g) Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:
(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(h) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
(i) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
(j) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.
(k) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

SEC. 11.

Section 1798.150 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.150.

(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.
(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.

SEC. 12.

Section 1798.155 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.155.

(a) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
(c) Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.

SEC. 13.

Section 1798.185 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.185.

(a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

(1) Updating as needed additional categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (o) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
(2) Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130.
(3) Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.
(4) Establishing rules and procedures for the following:
(A) To facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to paragraph (1) of subdivision (a) of Section 1798.145.
(B) To govern business compliance with a consumer’s opt-out request.
(C) For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.
(5) Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (c) of Section 1798.140 in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of this title and as needed thereafter.
(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.
(b) The Attorney General may adopt additional regulations as necessary to further the purposes of this title.
(c) The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

SEC. 14.

Section 1798.192 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.192.

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt-out of a business’s sale of the consumer’s personal information, or authorizing a business to sell the consumer’s personal information after previously opting out.

SEC. 15.

Section 1798.196 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.196.

This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

SEC. 16.

Section 1798.198 of the Civil Code, as added by Section 3 of Chapter 55 of the Statutes of 2018, is amended to read:

1798.198.

(a) Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020.

(b) This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

SEC. 17.

Section 1798.199 is added to the Civil Code, to read:

1798.199.

Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.

SEC. 18.

This act is an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution and shall go into immediate effect. The facts constituting the necessity are:

In order to prevent the confusion created by the enactment of conflicting local laws regarding the collection and sale of personal information, it is necessary that this act take immediate effect.

Controlling the Assault of Non- Solicited Pornography and Marketing Act of 2003

The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, signed into law by President George W. Bush on December 16, 2003, established the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission to enforce its provisions.
Public law: Pub.L. 108–187
U.S.C. sections created: 15 U.S.C. ch. 103
Statutes at Large: 117 Stat. 2699
Enacted by: the 108th United States Congress
Titles amended: 15 U.S.C.: Commerce and Trade
Long title: Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003

Copy of the official CAN-SPAM Act of 2003

[108th Congress Public Law 187]
[From the U.S. Government Printing Office]


[DOCID: f:publ187.108]

[[Page 117 STAT. 2699]]

Public Law 108-187
108th Congress

                                 An Act


 
To regulate interstate commerce by imposing limitations and penalties on 
   the transmission of unsolicited commercial electronic mail via the 
             Internet. <<NOTE: Dec. 16, 2003 -  [S. 877]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: Controlling the 
Assault of Non-Solicited Pornography and Marketing Act of 2003.>> 

SECTION 1. <<NOTE: 15 USC 7701 note.>> SHORT TITLE.

    This Act may be cited as the ``Controlling the Assault of Non-
Solicited Pornography and Marketing Act of 2003'', or the ``CAN-SPAM Act 
of 2003''.

SEC. 2. <<NOTE: 15 USC 7701.>> CONGRESSIONAL FINDINGS AND POLICY.

    (a) Findings.--The Congress finds the following:
            (1) Electronic mail has become an extremely important and 
        popular means of communication, relied on by millions of 
        Americans on a daily basis for personal and commercial purposes. 
        Its low cost and global reach make it extremely convenient and 
        efficient, and offer unique opportunities for the development 
        and growth of frictionless commerce.
            (2) The convenience and efficiency of electronic mail are 
        threatened by the extremely rapid growth in the volume of 
        unsolicited commercial electronic mail. Unsolicited commercial 
        electronic mail is currently estimated to account for over half 
        of all electronic mail traffic, up from an estimated 7 percent 
        in 2001, and the volume continues to rise. Most of these 
        messages are fraudulent or deceptive in one or more respects.
            (3) The receipt of unsolicited commercial electronic mail 
        may result in costs to recipients who cannot refuse to accept 
        such mail and who incur costs for the storage of such mail, or 
        for the time spent accessing, reviewing, and discarding such 
        mail, or for both.
            (4) The receipt of a large number of unwanted messages also 
        decreases the convenience of electronic mail and creates a risk 
        that wanted electronic mail messages, both commercial and 
        noncommercial, will be lost, overlooked, or discarded amidst the 
        larger volume of unwanted messages, thus reducing the 
        reliability and usefulness of electronic mail to the recipient.
            (5) Some commercial electronic mail contains material that 
        many recipients may consider vulgar or pornographic in nature.
            (6) The growth in unsolicited commercial electronic mail 
        imposes significant monetary costs on providers of Internet 
        access services, businesses, and educational and nonprofit 
        institutions that carry and receive such mail, as there is a 
        finite volume of mail that such providers, businesses, and

[[Page 117 STAT. 2700]]

        institutions can handle without further investment in 
        infrastructure.
            (7) Many senders of unsolicited commercial electronic mail 
        purposefully disguise the source of such mail.
            (8) Many senders of unsolicited commercial electronic mail 
        purposefully include misleading information in the messages' 
        subject lines in order to induce the recipients to view the 
        messages.
            (9) While some senders of commercial electronic mail 
        messages provide simple and reliable ways for recipients to 
        reject (or ``opt-out'' of) receipt of commercial electronic mail 
        from such senders in the future, other senders provide no such 
        ``opt-out'' mechanism, or refuse to honor the requests of 
        recipients not to receive electronic mail from such senders in 
        the future, or both.
            (10) Many senders of bulk unsolicited commercial electronic 
        mail use computer programs to gather large numbers of electronic 
        mail addresses on an automated basis from Internet websites or 
        online services where users must post their addresses in order 
        to make full use of the website or service.
            (11) Many States have enacted legislation intended to 
        regulate or reduce unsolicited commercial electronic mail, but 
        these statutes impose different standards and requirements. As a 
        result, they do not appear to have been successful in addressing 
        the problems associated with unsolicited commercial electronic 
        mail, in part because, since an electronic mail address does not 
        specify a geographic location, it can be extremely difficult for 
        law-abiding businesses to know with which of these disparate 
        statutes they are required to comply.
            (12) The problems associated with the rapid growth and abuse 
        of unsolicited commercial electronic mail cannot be solved by 
        Federal legislation alone. The development and adoption of 
        technological approaches and the pursuit of cooperative efforts 
        with other countries will be necessary as well.

    (b) Congressional Determination of Public Policy.--On the basis of 
the findings in subsection (a), the Congress determines that--
            (1) there is a substantial government interest in regulation 
        of commercial electronic mail on a nationwide basis;
            (2) senders of commercial electronic mail should not mislead 
        recipients as to the source or content of such mail; and
            (3) recipients of commercial electronic mail have a right to 
        decline to receive additional commercial electronic mail from 
        the same source.

SEC. 3. <<NOTE: 15 USC 7702.>> DEFINITIONS.

    In this Act:
            (1) Affirmative consent.--The term ``affirmative consent'', 
        when used with respect to a commercial electronic mail message, 
        means that--
                    (A) the recipient expressly consented to receive the 
                message, either in response to a clear and conspicuous 
                request for such consent or at the recipient's own 
                initiative; and
                    (B) if the message is from a party other than the 
                party to which the recipient communicated such consent, 
                the recipient was given clear and conspicuous notice at

[[Page 117 STAT. 2701]]

                the time the consent was communicated that the 
                recipient's electronic mail address could be transferred 
                to such other party for the purpose of initiating 
                commercial electronic mail messages.
            (2) Commercial electronic mail message.--
                    (A) In general.--The term ``commercial electronic 
                mail message'' means any electronic mail message the 
                primary purpose of which is the commercial advertisement 
                or promotion of a commercial product or service 
                (including content on an Internet website operated for a 
                commercial purpose).
                    (B) Transactional or relationship messages.--The 
                term ``commercial electronic mail message'' does not 
                include a transactional or relationship message.
                    (C) Regulations <<NOTE: Deadline.>> regarding 
                primary purpose.--Not later than 12 months after the 
                date of the enactment of this Act, the Commission shall 
                issue regulations pursuant to section 13 defining the 
                relevant criteria to facilitate the determination of the 
                primary purpose of an electronic mail message.
                    (D) Reference to company or website.--The inclusion 
                of a reference to a commercial entity or a link to the 
                website of a commercial entity in an electronic mail 
                message does not, by itself, cause such message to be 
                treated as a commercial electronic mail message for 
                purposes of this Act if the contents or circumstances of 
                the message indicate a primary purpose other than 
                commercial advertisement or promotion of a commercial 
                product or service.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Domain name.--The term ``domain name'' means any 
        alphanumeric designation which is registered with or assigned by 
        any domain name registrar, domain name registry, or other domain 
        name registration authority as part of an electronic address on 
        the Internet.
            (5) Electronic mail address.--The term ``electronic mail 
        address'' means a destination, commonly expressed as a string of 
        characters, consisting of a unique user name or mailbox 
        (commonly referred to as the ``local part'') and a reference to 
        an Internet domain (commonly referred to as the ``domain 
        part''), whether or not displayed, to which an electronic mail 
        message can be sent or delivered.
            (6) Electronic mail message.--The term ``electronic mail 
        message'' means a message sent to a unique electronic mail 
        address.
            (7) FTC act.--The term ``FTC Act'' means the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.).
            (8) Header information.--The term ``header information'' 
        means the source, destination, and routing information attached 
        to an electronic mail message, including the originating domain 
        name and originating electronic mail address, and any other 
        information that appears in the line identifying, or purporting 
        to identify, a person initiating the message.
            (9) Initiate.--The term ``initiate'', when used with respect 
        to a commercial electronic mail message, means to originate or 
        transmit such message or to procure the origination or

[[Page 117 STAT. 2702]]

        transmission of such message, but shall not include actions that 
        constitute routine conveyance of such message. For purposes of 
        this paragraph, more than one person may be considered to have 
        initiated a message.
            (10) Internet.--The term ``Internet'' has the meaning given 
        that term in the Internet Tax Freedom Act (47 U.S.C. 151 nt).
            (11) Internet access service.--The term ``Internet access 
        service'' has the meaning given that term in section 231(e)(4) 
        of the Communications Act of 1934 (47 U.S.C. 231(e)(4)).
            (12) Procure.--The term ``procure'', when used with respect 
        to the initiation of a commercial electronic mail message, means 
        intentionally to pay or provide other consideration to, or 
        induce, another person to initiate such a message on one's 
        behalf.
            (13) Protected computer.--The term ``protected computer'' 
        has the meaning given that term in section 1030(e)(2)(B) of 
        title 18, United States Code.
            (14) Recipient.--The term ``recipient'', when used with 
        respect to a commercial electronic mail message, means an 
        authorized user of the electronic mail address to which the 
        message was sent or delivered. If a recipient of a commercial 
        electronic mail message has one or more electronic mail 
        addresses in addition to the address to which the message was 
        sent or delivered, the recipient shall be treated as a separate 
        recipient with respect to each such address. If an electronic 
        mail address is reassigned to a new user, the new user shall not 
        be treated as a recipient of any commercial electronic mail 
        message sent or delivered to that address before it was 
        reassigned.
            (15) Routine conveyance.--The term ``routine conveyance'' 
        means the transmission, routing, relaying, handling, or storing, 
        through an automatic technical process, of an electronic mail 
        message for which another person has identified the recipients 
        or provided the recipient addresses.
            (16) Sender.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``sender'', when used with respect to a 
                commercial electronic mail message, means a person who 
                initiates such a message and whose product, service, or 
                Internet web site is advertised or promoted by the 
                message.
                    (B) Separate lines of business or divisions.--If an 
                entity operates through separate lines of business or 
                divisions and holds itself out to the recipient 
                throughout the message as that particular line of 
                business or division rather than as the entity of which 
                such line of business or division is a part, then the 
                line of business or the division shall be treated as the 
                sender of such message for purposes of this Act.
            (17) Transactional or relationship message.--
                    (A) In general.--The term ``transactional or 
                relationship message'' means an electronic mail message 
                the primary purpose of which is--
                          (i) to facilitate, complete, or confirm a 
                      commercial transaction that the recipient has 
                      previously agreed to enter into with the sender;

[[Page 117 STAT. 2703]]

                          (ii) to provide warranty information, product 
                      recall information, or safety or security 
                      information with respect to a commercial product 
                      or service used or purchased by the recipient;
                          (iii) to provide--
                                    (I) notification concerning a change 
                                in the terms or features of;
                                    (II) notification of a change in the 
                                recipient's standing or status with 
                                respect to; or
                                    (III) at regular periodic intervals, 
                                account balance information or other 
                                type of account statement with respect 
                                to,
                      a subscription, membership, account, loan, or 
                      comparable ongoing commercial relationship 
                      involving the ongoing purchase or use by the 
                      recipient of products or services offered by the 
                      sender;
                          (iv) to provide information directly related 
                      to an employment relationship or related benefit 
                      plan in which the recipient is currently involved, 
                      participating, or enrolled; or
                          (v) to deliver goods or services, including 
                      product updates or upgrades, that the recipient is 
                      entitled to receive under the terms of a 
                      transaction that the recipient has previously 
                      agreed to enter into with the sender.
                    (B) Modification of definition.--The Commission by 
                regulation pursuant to section 13 may modify the 
                definition in subparagraph (A) to expand or contract the 
                categories of messages that are treated as transactional 
                or relationship messages for purposes of this Act to the 
                extent that such modification is necessary to 
                accommodate changes in electronic mail technology or 
                practices and accomplish the purposes of this Act.
SEC. 4. PROHIBITION <<NOTE: 15 USC 7703.>> AGAINST PREDATORY AND 
                    ABUSIVE COMMERCIAL E-MAIL.

    (a) Offense.--
            (1) In general.--Chapter 47 of title 18, United States Code, 
        is amended by adding at the end the following new section:
``Sec. 1037. Fraud and related activity in connection with 
                    electronic mail

    ``(a) In General.--Whoever, in or affecting interstate or foreign 
commerce, knowingly--
            ``(1) accesses a protected computer without authorization, 
        and intentionally initiates the transmission of multiple 
        commercial electronic mail messages from or through such 
        computer,
            ``(2) uses a protected computer to relay or retransmit 
        multiple commercial electronic mail messages, with the intent to 
        deceive or mislead recipients, or any Internet access service, 
        as to the origin of such messages,
            ``(3) materially falsifies header information in multiple 
        commercial electronic mail messages and intentionally initiates 
        the transmission of such messages,
            ``(4) registers, using information that materially falsifies 
        the identity of the actual registrant, for five or more 
        electronic

[[Page 117 STAT. 2704]]

        mail accounts or online user accounts or two or more domain 
        names, and intentionally initiates the transmission of multiple 
        commercial electronic mail messages from any combination of such 
        accounts or domain names, or
            ``(5) falsely represents oneself to be the registrant or the 
        legitimate successor in interest to the registrant of 5 or more 
        Internet Protocol addresses, and intentionally initiates the 
        transmission of multiple commercial electronic mail messages 
        from such addresses,

or conspires to do so, shall be punished as provided in subsection (b).
    ``(b) Penalties.--The punishment for an offense under subsection (a) 
is--
            ``(1) a fine under this title, imprisonment for not more 
        than 5 years, or both, if--
                    ``(A) the offense is committed in furtherance of any 
                felony under the laws of the United States or of any 
                State; or
                    ``(B) the defendant has previously been convicted 
                under this section or section 1030, or under the law of 
                any State for conduct involving the transmission of 
                multiple commercial electronic mail messages or 
                unauthorized access to a computer system;
            ``(2) a fine under this title, imprisonment for not more 
        than 3 years, or both, if--
                    ``(A) the offense is an offense under subsection 
                (a)(1);
                    ``(B) the offense is an offense under subsection 
                (a)(4) and involved 20 or more falsified electronic mail 
                or online user account registrations, or 10 or more 
                falsified domain name registrations;
                    ``(C) the volume of electronic mail messages 
                transmitted in furtherance of the offense exceeded 2,500 
                during any 24-hour period, 25,000 during any 30-day 
                period, or 250,000 during any 1-year period;
                    ``(D) the offense caused loss to one or more persons 
                aggregating $5,000 or more in value during any 1-year 
                period;
                    ``(E) as a result of the offense any individual 
                committing the offense obtained anything of value 
                aggregating $5,000 or more during any 1-year period; or
                    ``(F) the offense was undertaken by the defendant in 
                concert with three or more other persons with respect to 
                whom the defendant occupied a position of organizer or 
                leader; and
            ``(3) a fine under this title or imprisonment for not more 
        than 1 year, or both, in any other case.

    ``(c) Forfeiture.--
            ``(1) In general.--The <<NOTE: Courts.>> court, in imposing 
        sentence on a person who is convicted of an offense under this 
        section, shall order that the defendant forfeit to the United 
        States--
                    ``(A) any property, real or personal, constituting 
                or traceable to gross proceeds obtained from such 
                offense; and
                    ``(B) any equipment, software, or other technology 
                used or intended to be used to commit or to facilitate 
                the commission of such offense.

[[Page 117 STAT. 2705]]

            ``(2) Procedures.--The <<NOTE: Applicability.>> procedures 
        set forth in section 413 of the Controlled Substances Act (21 
        U.S.C. 853), other than subsection (d) of that section, and in 
        Rule 32.2 of the Federal Rules of Criminal Procedure, shall 
        apply to all stages of a criminal forfeiture proceeding under 
        this section.

    ``(d) Definitions.--In this section:
            ``(1) Loss.--The term `loss' has the meaning given that term 
        in section 1030(e) of this title.
            ``(2) Materially.--For purposes of paragraphs (3) and (4) of 
        subsection (a), header information or registration information 
        is materially falsified if it is altered or concealed in a 
        manner that would impair the ability of a recipient of the 
        message, an Internet access service processing the message on 
        behalf of a recipient, a person alleging a violation of this 
        section, or a law enforcement agency to identify, locate, or 
        respond to a person who initiated the electronic mail message or 
        to investigate the alleged violation.
            ``(3) Multiple.--The term `multiple' means more than 100 
        electronic mail messages during a 24-hour period, more than 
        1,000 electronic mail messages during a 30-day period, or more 
        than 10,000 electronic mail messages during a 1-year period.
            ``(4) Other terms.--Any other term has the meaning given 
        that term by section 3 of the CAN-SPAM Act of 2003.''.
            (2) Conforming amendment.--The chapter analysis for chapter 
        47 of title 18, United States Code, is amended by adding at the 
        end the following:
``Sec.
``1037. Fraud and related activity in connection with electronic 
           mail.''.

    (b) United <<NOTE: 28 USC 994 note.>> States Sentencing 
Commission.--
            (1) Directive.--Pursuant to its authority under section 
        994(p) of title 28, United States Code, and in accordance with 
        this section, the United States Sentencing Commission shall 
        review and, as appropriate, amend the sentencing guidelines and 
        policy statements to provide appropriate penalties for 
        violations of section 1037 of title 18, United States Code, as 
        added by this section, and other offenses that may be 
        facilitated by the sending of large quantities of unsolicited 
        electronic mail.
            (2) Requirements.--In carrying out this subsection, the 
        Sentencing Commission shall consider providing sentencing 
        enhancements for--
                    (A) those convicted under section 1037 of title 18, 
                United States Code, who--
                          (i) obtained electronic mail addresses through 
                      improper means, including--
                                    (I) harvesting electronic mail 
                                addresses of the users of a website, 
                                proprietary service, or other online 
                                public forum operated by another person, 
                                without the authorization of such 
                                person; and
                                    (II) randomly generating electronic 
                                mail addresses by computer; or
                          (ii) knew that the commercial electronic mail 
                      messages involved in the offense contained or 
                      advertised an Internet domain for which the 
                      registrant of the domain had provided false 
                      registration information; and

[[Page 117 STAT. 2706]]

                    (B) those convicted of other offenses, including 
                offenses involving fraud, identity theft, obscenity, 
                child pornography, and the sexual exploitation of 
                children, if such offenses involved the sending of large 
                quantities of electronic mail.

    (c) Sense of Congress.--It is the sense of Congress that--
            (1) Spam has become the method of choice for those who 
        distribute pornography, perpetrate fraudulent schemes, and 
        introduce viruses, worms, and Trojan horses into personal and 
        business computer systems; and
            (2) the Department of Justice should use all existing law 
        enforcement tools to investigate and prosecute those who send 
        bulk commercial e-mail to facilitate the commission of Federal 
        crimes, including the tools contained in chapters 47 and 63 of 
        title 18, United States Code (relating to fraud and false 
        statements); chapter 71 of title 18, United States Code 
        (relating to obscenity); chapter 110 of title 18, United States 
        Code (relating to the sexual exploitation of children); and 
        chapter 95 of title 18, United States Code (relating to 
        racketeering), as appropriate.
SEC. 5. OTHER <<NOTE: 15 USC 7704.>> PROTECTIONS FOR USERS OF 
                    COMMERCIAL ELECTRONIC MAIL.

    (a) Requirements for Transmission of Messages.--
            (1) Prohibition of false or misleading transmission 
        information.--It is unlawful for any person to initiate the 
        transmission, to a protected computer, of a commercial 
        electronic mail message, or a transactional or relationship 
        message, that contains, or is accompanied by, header information 
        that is materially false or materially misleading. For purposes 
        of this paragraph--
                    (A) header information that is technically accurate 
                but includes an originating electronic mail address, 
                domain name, or Internet Protocol address the access to 
                which for purposes of initiating the message was 
                obtained by means of false or fraudulent pretenses or 
                representations shall be considered materially 
                misleading;
                    (B) a ``from'' line (the line identifying or 
                purporting to identify a person initiating the message) 
                that accurately identifies any person who initiated the 
                message shall not be considered materially false or 
                materially misleading; and
                    (C) header information shall be considered 
                materially misleading if it fails to identify accurately 
                a protected computer used to initiate the message 
                because the person initiating the message knowingly uses 
                another protected computer to relay or retransmit the 
                message for purposes of disguising its origin.
            (2) Prohibition of deceptive subject headings.--It is 
        unlawful for any person to initiate the transmission to a 
        protected computer of a commercial electronic mail message if 
        such person has actual knowledge, or knowledge fairly implied on 
        the basis of objective circumstances, that a subject heading of 
        the message would be likely to mislead a recipient, acting 
        reasonably under the circumstances, about a material fact

[[Page 117 STAT. 2707]]

        regarding the contents or subject matter of the message 
        (consistent with the criteria used in enforcement of section 5 
        of the Federal Trade Commission Act (15 U.S.C. 45)).
            (3) Inclusion of return address or comparable mechanism in 
        commercial electronic mail.--
                    (A) In general.--It is unlawful for any person to 
                initiate the transmission to a protected computer of a 
                commercial electronic mail message that does not contain 
                a functioning return electronic mail address or other 
                Internet-based mechanism, clearly and conspicuously 
                displayed, that--
                          (i) a recipient may use to submit, in a manner 
                      specified in the message, a reply electronic mail 
                      message or other form of Internet-based 
                      communication requesting not to receive future 
                      commercial electronic mail messages from that 
                      sender at the electronic mail address where the 
                      message was received; and
                          (ii) remains capable of receiving such 
                      messages or communications for no less than 30 
                      days after the transmission of the original 
                      message.
                    (B) More detailed options possible.--The person 
                initiating a commercial electronic mail message may 
                comply with subparagraph (A)(i) by providing the 
                recipient a list or menu from which the recipient may 
                choose the specific types of commercial electronic mail 
                messages the recipient wants to receive or does not want 
                to receive from the sender, if the list or menu includes 
                an option under which the recipient may choose not to 
                receive any commercial electronic mail messages from the 
                sender.
                    (C) Temporary inability to receive messages or 
                process requests.--A return electronic mail address or 
                other mechanism does not fail to satisfy the 
                requirements of subparagraph (A) if it is unexpectedly 
                and temporarily unable to receive messages or process 
                requests due to a technical problem beyond the control 
                of the sender if the problem is corrected within a 
                reasonable time period.
            (4) Prohibition of transmission of commercial electronic 
        mail after objection.--
                    (A) In general.--If a recipient makes a request 
                using a mechanism provided pursuant to paragraph (3) not 
                to receive some or any commercial electronic mail 
                messages from such sender, then it is unlawful--
                          (i) for the sender to initiate the 
                      transmission to the recipient, more than 10 
                      business days after the receipt of such request, 
                      of a commercial electronic mail message that falls 
                      within the scope of the request;
                          (ii) for any person acting on behalf of the 
                      sender to initiate the transmission to the 
                      recipient, more than 10 business days after the 
                      receipt of such request, of a commercial 
                      electronic mail message with actual knowledge, or 
                      knowledge fairly implied on the basis of objective 
                      circumstances, that such message falls within the 
                      scope of the request;
                          (iii) for any person acting on behalf of the 
                      sender to assist in initiating the transmission to 
                      the recipient, through the provision or selection 
                      of addresses to which the message will be sent, of 
                      a commercial electronic

[[Page 117 STAT. 2708]]

                      mail message with actual knowledge, or knowledge 
                      fairly implied on the basis of objective 
                      circumstances, that such message would violate 
                      clause (i) or (ii); or
                          (iv) for the sender, or any other person who 
                      knows that the recipient has made such a request, 
                      to sell, lease, exchange, or otherwise transfer or 
                      release the electronic mail address of the 
                      recipient (including through any transaction or 
                      other transfer involving mailing lists bearing the 
                      electronic mail address of the recipient) for any 
                      purpose other than compliance with this Act or 
                      other provision of law.
                    (B) Subsequent affirmative consent.--A prohibition 
                in subparagraph (A) does not apply if there is 
                affirmative consent by the recipient subsequent to the 
                request under subparagraph (A).
            (5) Inclusion of identifier, opt-out, and physical address 
        in commercial electronic mail.--(A) It is unlawful for any 
        person to initiate the transmission of any commercial electronic 
        mail message to a protected computer unless the message 
        provides--
                    (i) clear and conspicuous identification that the 
                message is an advertisement or solicitation;
                    (ii) clear and conspicuous notice of the opportunity 
                under paragraph (3) to decline to receive further 
                commercial electronic mail messages from the sender; and
                    (iii) a valid physical postal address of the sender.
            (B) Subparagraph (A)(i) does not apply to the transmission 
        of a commercial electronic mail message if the recipient has 
        given prior affirmative consent to receipt of the message.
            (6) Materially.--For purposes of paragraph (1), the term 
        ``materially'', when used with respect to false or misleading 
        header information, includes the alteration or concealment of 
        header information in a manner that would impair the ability of 
        an Internet access service processing the message on behalf of a 
        recipient, a person alleging a violation of this section, or a 
        law enforcement agency to identify, locate, or respond to a 
        person who initiated the electronic mail message or to 
        investigate the alleged violation, or the ability of a recipient 
        of the message to respond to a person who initiated the 
        electronic message.

    (b) Aggravated Violations Relating to Commercial Electronic Mail.--
            (1) Address harvesting and dictionary attacks.--
                    (A) In general.--It is unlawful for any person to 
                initiate the transmission, to a protected computer, of a 
                commercial electronic mail message that is unlawful 
                under subsection (a), or to assist in the origination of 
                such message through the provision or selection of 
                addresses to which the message will be transmitted, if 
                such person had actual knowledge, or knowledge fairly 
                implied on the basis of objective circumstances, that--
                          (i) the electronic mail address of the 
                      recipient was obtained using an automated means 
                      from an Internet website or proprietary online 
                      service operated by another person, and such 
                      website or online service included, at the time 
                      the address was obtained, a notice stating that 
                      the operator of such website or online

[[Page 117 STAT. 2709]]

                      service will not give, sell, or otherwise transfer 
                      addresses maintained by such website or online 
                      service to any other party for the purposes of 
                      initiating, or enabling others to initiate, 
                      electronic mail messages; or
                          (ii) the electronic mail address of the 
                      recipient was obtained using an automated means 
                      that generates possible electronic mail addresses 
                      by combining names, letters, or numbers into 
                      numerous permutations.
                    (B) Disclaimer.--Nothing in this paragraph creates 
                an ownership or proprietary interest in such electronic 
                mail addresses.
            (2) Automated creation of multiple electronic mail 
        accounts.--It is unlawful for any person to use scripts or other 
        automated means to register for multiple electronic mail 
        accounts or online user accounts from which to transmit to a 
        protected computer, or enable another person to transmit to a 
        protected computer, a commercial electronic mail message that is 
        unlawful under subsection (a).
            (3) Relay or retransmission through unauthorized access.--It 
        is unlawful for any person knowingly to relay or retransmit a 
        commercial electronic mail message that is unlawful under 
        subsection (a) from a protected computer or computer network 
        that such person has accessed without authorization.

    (c) Supplementary Rulemaking Authority.--The Commission shall by 
regulation, pursuant to section 13--
            (1) modify the 10-business-day period under subsection 
        (a)(4)(A) or subsection (a)(4)(B), or both, if the Commission 
        determines that a different period would be more reasonable 
        after taking into account--
                    (A) the purposes of subsection (a);
                    (B) the interests of recipients of commercial 
                electronic mail; and
                    (C) the burdens imposed on senders of lawful 
                commercial electronic mail; and
            (2) specify additional activities or practices to which 
        subsection (b) applies if the Commission determines that those 
        activities or practices are contributing substantially to the 
        proliferation of commercial electronic mail messages that are 
        unlawful under subsection (a).

    (d) Requirement To Place Warning Labels on Commercial Electronic 
Mail Containing Sexually Oriented Material.--
            (1) In general.--No person may initiate in or affecting 
        interstate commerce the transmission, to a protected computer, 
        of any commercial electronic mail message that includes sexually 
        oriented material and--
                    (A) fail to include in subject heading for the 
                electronic mail message the marks or notices prescribed 
                by the Commission under this subsection; or
                    (B) fail to provide that the matter in the message 
                that is initially viewable to the recipient, when the 
                message is opened by any recipient and absent any 
                further actions by the recipient, includes only--
                          (i) to the extent required or authorized 
                      pursuant to paragraph (2), any such marks or 
                      notices;

[[Page 117 STAT. 2710]]

                          (ii) the information required to be included 
                      in the message pursuant to subsection (a)(5); and
                          (iii) instructions on how to access, or a 
                      mechanism to access, the sexually oriented 
                      material.
            (2) Prior affirmative consent.--Paragraph (1) does not apply 
        to the transmission of an electronic mail message if the 
        recipient has given prior affirmative consent to receipt of the 
        message.
            (3) Prescription <<NOTE: Deadline.>> of marks and notices.--
        Not later than 120 days after the date of the enactment of this 
        Act, the Commission in consultation with the Attorney General 
        shall prescribe clearly identifiable marks or notices to be 
        included in or associated with commercial electronic mail that 
        contains sexually oriented material, in order to inform the 
        recipient of that fact and to facilitate filtering of such 
        electronic mail. The <<NOTE: Federal Register, 
        publication.>> Commission shall publish in the Federal Register 
        and provide notice to the public of the marks or notices 
        prescribed under this paragraph.
            (4) Definition.--In this subsection, the term ``sexually 
        oriented material'' means any material that depicts sexually 
        explicit conduct (as that term is defined in section 2256 of 
        title 18, United States Code), unless the depiction constitutes 
        a small and insignificant part of the whole, the remainder of 
        which is not primarily devoted to sexual matters.
            (5) Penalty.--Whoever knowingly violates paragraph (1) shall 
        be fined under title 18, United States Code, or imprisoned not 
        more than 5 years, or both.
SEC. 6. BUSINESSES <<NOTE: 15 USC 7705.>> KNOWINGLY PROMOTED BY 
                    ELECTRONIC MAIL WITH FALSE OR MISLEADING 
                    TRANSMISSION INFORMATION.

    (a) In General.--It is unlawful for a person to promote, or allow 
the promotion of, that person's trade or business, or goods, products, 
property, or services sold, offered for sale, leased or offered for 
lease, or otherwise made available through that trade or business, in a 
commercial electronic mail message the transmission of which is in 
violation of section 5(a)(1) if that person--
            (1) knows, or should have known in the ordinary course of 
        that person's trade or business, that the goods, products, 
        property, or services sold, offered for sale, leased or offered 
        for lease, or otherwise made available through that trade or 
        business were being promoted in such a message;
            (2) received or expected to receive an economic benefit from 
        such promotion; and
            (3) took no reasonable action--
                    (A) to prevent the transmission; or
                    (B) to detect the transmission and report it to the 
                Commission.

    (b) Limited Enforcement Against Third Parties.--
            (1) In general.--Except as provided in paragraph (2), a 
        person (hereinafter referred to as the ``third party'') that 
        provides goods, products, property, or services to another 
        person that violates subsection (a) shall not be held liable for 
        such violation.
            (2) Exception.--Liability for a violation of subsection (a) 
        shall be imputed to a third party that provides goods, products, 
        property, or services to another person that violates subsection 
        (a) if that third party--

[[Page 117 STAT. 2711]]

                    (A) owns, or has a greater than 50 percent ownership 
                or economic interest in, the trade or business of the 
                person that violated subsection (a); or
                    (B)(i) has actual knowledge that goods, products, 
                property, or services are promoted in a commercial 
                electronic mail message the transmission of which is in 
                violation of section 5(a)(1); and
                    (ii) receives, or expects to receive, an economic 
                benefit from such promotion.

    (c) Exclusive Enforcement by FTC.--Subsections (f) and (g) of 
section 7 do not apply to violations of this section.
    (d) Savings Provision.--Except as provided in section 7(f)(8), 
nothing in this section may be construed to limit or prevent any action 
that may be taken under this Act with respect to any violation of any 
other section of this Act.

SEC. 7. <<NOTE: 15 USC 7706.>> ENFORCEMENT GENERALLY.

    (a) Violation Is Unfair or Deceptive Act or Practice.--Except as 
provided in subsection (b), this Act shall be enforced by the Commission 
as if the violation of this Act were an unfair or deceptive act or 
practice proscribed under section 18(a)(1)(B) of the Federal Trade 
Commission Act (15 U.S.C. 57a(a)(1)(B)).
    (b) Enforcement by Certain Other Agencies.--Compliance with this Act 
shall be enforced--
            (1) under section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and Federal 
                agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), and bank holding companies, by the Board;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation; and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, by 
                the Director of the Office of Thrift Supervision;
            (2) under the Federal Credit Union Act (12 U.S.C. 1751 et 
        seq.) by the Board of the National Credit Union Administration 
        with respect to any Federally insured credit union;
            (3) under the Securities Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to any broker or dealer;
            (4) under the Investment Company Act of 1940 (15 U.S.C. 80a-
        1 et seq.) by the Securities and Exchange Commission with 
        respect to investment companies;
            (5) under the Investment Advisers Act of 1940 (15 U.S.C. 
        80b-1 et seq.) by the Securities and Exchange Commission with 
        respect to investment advisers registered under that Act;

[[Page 117 STAT. 2712]]

            (6) under State insurance law in the case of any person 
        engaged in providing insurance, by the applicable State 
        insurance authority of the State in which the person is 
        domiciled, subject to section 104 of the Gramm-Bliley-Leach Act 
        (15 U.S.C. 6701), except that in any State in which the State 
        insurance authority elects not to exercise this power, the 
        enforcement authority pursuant to this Act shall be exercised by 
        the Commission in accordance with subsection (a);
            (7) under part A of subtitle VII of title 49, United States 
        Code, by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (8) under the Packers and Stockyards Act, 1921 (7 U.S.C. 181 
        et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)), by the Secretary of Agriculture with respect 
        to any activities subject to that Act;
            (9) under the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit association; and
            (10) under the Communications Act of 1934 (47 U.S.C. 151 et 
        seq.) by the Federal Communications Commission with respect to 
        any person subject to the provisions of that Act.

    (c) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (b) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a Federal Trade Commission trade regulation rule. In 
addition to its powers under any provision of law specifically referred 
to in subsection (b), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under this Act, any other authority conferred on 
it by law.
    (d) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any entity that violates any provision of that subtitle is subject to 
the penalties and entitled to the privileges and immunities provided in 
the Federal Trade Commission Act in the same manner, by the same means, 
and with the same jurisdiction, power, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act were 
incorporated into and made a part of that subtitle.
    (e) Availability of Cease-and-Desist Orders and Injunctive Relief 
Without Showing of Knowledge.--Notwithstanding any other provision of 
this Act, in any proceeding or action pursuant to subsection (a), (b), 
(c), or (d) of this section to enforce compliance, through an order to 
cease and desist or an injunction, with section 5(a)(1)(C), section 
5(a)(2), clause (ii), (iii), or (iv) of section 5(a)(4)(A), section 
5(b)(1)(A), or section 5(b)(3), neither the Commission nor the Federal 
Communications Commission shall be required to allege or prove the state 
of mind required by such section or subparagraph.
    (f) Enforcement by States.--
            (1) Civil action.--In any case in which the attorney general 
        of a State, or an official or agency of a State, has reason to 
        believe that an interest of the residents of that State has been 
        or is threatened or adversely affected by any person who

[[Page 117 STAT. 2713]]

        violates paragraph (1) or (2) of section 5(a), who violates 
        section 5(d), or who engages in a pattern or practice that 
        violates paragraph (3), (4), or (5) of section 5(a), of this 
        Act, the attorney general, official, or agency of the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction--
                    (A) to enjoin further violation of section 5 of this 
                Act by the defendant; or
                    (B) to obtain damages on behalf of residents of the 
                State, in an amount equal to the greater of--
                          (i) the actual monetary loss suffered by such 
                      residents; or
                          (ii) the amount determined under paragraph 
                      (3).
            (2) Availability of injunctive relief without showing of 
        knowledge.--Notwithstanding any other provision of this Act, in 
        a civil action under paragraph (1)(A) of this subsection, the 
        attorney general, official, or agency of the State shall not be 
        required to allege or prove the state of mind required by 
        section 5(a)(1)(C), section 5(a)(2), clause (ii), (iii), or (iv) 
        of section 5(a)(4)(A), section 5(b)(1)(A), or section 5(b)(3).
            (3) Statutory damages.--
                    (A) In general.--For purposes of paragraph 
                (1)(B)(ii), the amount determined under this paragraph 
                is the amount calculated by multiplying the number of 
                violations (with each separately addressed unlawful 
                message received by or addressed to such residents 
                treated as a separate violation) by up to $250.
                    (B) Limitation.--For any violation of section 5 
                (other than section 5(a)(1)), the amount determined 
                under subparagraph (A) may not exceed $2,000,000.
                    (C) Aggravated damages.--The court may increase a 
                damage award to an amount equal to not more than three 
                times the amount otherwise available under this 
                paragraph if--
                          (i) the court determines that the defendant 
                      committed the violation willfully and knowingly; 
                      or
                          (ii) the defendant's unlawful activity 
                      included one or more of the aggravating violations 
                      set forth in section 5(b).
                    (D) Reduction of damages.--In assessing damages 
                under subparagraph (A), the court may consider whether--
                          (i) the defendant has established and 
                      implemented, with due care, commercially 
                      reasonable practices and procedures designed to 
                      effectively prevent such violations; or
                          (ii) the violation occurred despite 
                      commercially reasonable efforts to maintain 
                      compliance the practices and procedures to which 
                      reference is made in clause (i).
            (4) Attorney fees.--In the case of any successful action 
        under paragraph (1), the court, in its discretion, may award the 
        costs of the action and reasonable attorney fees to the State.
            (5) Rights <<NOTE: Notice. Records.>> of federal 
        regulators.--The State shall serve prior written notice of any 
        action under paragraph (1) upon

[[Page 117 STAT. 2714]]

        the Federal Trade Commission or the appropriate Federal 
        regulator determined under subsection (b) and provide the 
        Commission or appropriate Federal regulator with a copy of its 
        complaint, except in any case in which such prior notice is not 
        feasible, in which case the State shall serve such notice 
        immediately upon instituting such action. The Federal Trade 
        Commission or appropriate Federal regulator shall have the 
        right--
                    (A) to intervene in the action;
                    (B) upon so intervening, to be heard on all matters 
                arising therein;
                    (C) to remove the action to the appropriate United 
                States district court; and
                    (D) to file petitions for appeal.
            (6) Construction.--For purposes of bringing any civil action 
        under paragraph (1), nothing in this Act shall be construed to 
        prevent an attorney general of a State from exercising the 
        powers conferred on the attorney general by the laws of that 
        State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (7) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which the defendant--
                          (i) is an inhabitant; or
                          (ii) maintains a physical place of business.
            (8) Limitation on state action while federal action is 
        pending.--If the Commission, or other appropriate Federal agency 
        under subsection (b), has instituted a civil action or an 
        administrative action for violation of this Act, no State 
        attorney general, or official or agency of a State, may bring an 
        action under this subsection during the pendency of that action 
        against any defendant named in the complaint of the Commission 
        or the other agency for any violation of this Act alleged in the 
        complaint.
            (9) Requisite scienter for certain civil actions.--Except as 
        provided in section 5(a)(1)(C), section 5(a)(2), clause (ii), 
        (iii), or (iv) of section 5(a)(4)(A), section 5(b)(1)(A), or 
        section 5(b)(3), in a civil action brought by a State attorney 
        general, or an official or agency of a State, to recover 
        monetary damages for a violation of this Act, the court shall 
        not grant the relief sought unless the attorney general, 
        official, or agency establishes that the defendant acted with 
        actual knowledge, or knowledge fairly implied on the basis of 
        objective circumstances, of the act or omission that constitutes 
        the violation.

    (g) Action by Provider of Internet Access Service.--
            (1) Action authorized.--A provider of Internet access 
        service adversely affected by a violation of section 5(a)(1), 
        5(b), or 5(d), or a pattern or practice that violates paragraph 
        (2), (3), (4), or (5) of section 5(a), may bring a civil action 
        in

[[Page 117 STAT. 2715]]

        any district court of the United States with jurisdiction over 
        the defendant--
                    (A) to enjoin further violation by the defendant; or
                    (B) to recover damages in an amount equal to the 
                greater of--
                          (i) actual monetary loss incurred by the 
                      provider of Internet access service as a result of 
                      such violation; or
                          (ii) the amount determined under paragraph 
                      (3).
            (2) Special definition of ``procure''.--In any action 
        brought under paragraph (1), this Act shall be applied as if the 
        definition of the term ``procure'' in section 3(12) contained, 
        after ``behalf'' the words ``with actual knowledge, or by 
        consciously avoiding knowing, whether such person is engaging, 
        or will engage, in a pattern or practice that violates this 
        Act''.
            (3) Statutory damages.--
                    (A) In general.--For purposes of paragraph 
                (1)(B)(ii), the amount determined under this paragraph 
                is the amount calculated by multiplying the number of 
                violations (with each separately addressed unlawful 
                message that is transmitted or attempted to be 
                transmitted over the facilities of the provider of 
                Internet access service, or that is transmitted or 
                attempted to be transmitted to an electronic mail 
                address obtained from the provider of Internet access 
                service in violation of section 5(b)(1)(A)(i), treated 
                as a separate violation) by--
                          (i) up to $100, in the case of a violation of 
                      section 5(a)(1); or
                          (ii) up to $25, in the case of any other 
                      violation of section 5.
                    (B) Limitation.--For any violation of section 5 
                (other than section 5(a)(1)), the amount determined 
                under subparagraph (A) may not exceed $1,000,000.
                    (C) Aggravated damages.--The court may increase a 
                damage award to an amount equal to not more than three 
                times the amount otherwise available under this 
                paragraph if--
                          (i) the court determines that the defendant 
                      committed the violation willfully and knowingly; 
                      or
                          (ii) the defendant's unlawful activity 
                      included one or more of the aggravated violations 
                      set forth in section 5(b).
                    (D) Reduction of damages.--In assessing damages 
                under subparagraph (A), the court may consider whether--
                          (i) the defendant has established and 
                      implemented, with due care, commercially 
                      reasonable practices and procedures designed to 
                      effectively prevent such violations; or
                          (ii) the violation occurred despite 
                      commercially reasonable efforts to maintain 
                      compliance with the practices and procedures to 
                      which reference is made in clause (i).
            (4) Attorney fees.--In any action brought pursuant to 
        paragraph (1), the court may, in its discretion, require an 
        undertaking for the payment of the costs of such action, and 
        assess reasonable costs, including reasonable attorneys' fees, 
        against any party.

[[Page 117 STAT. 2716]]

SEC. 8. <<NOTE: 15 USC 7707.>> EFFECT ON OTHER LAWS.

    (a) Federal Law.--(1) Nothing in this Act shall be construed to 
impair the enforcement of section 223 or 231 of the Communications Act 
of 1934 (47 U.S.C. 223 or 231, respectively), chapter 71 (relating to 
obscenity) or 110 (relating to sexual exploitation of children) of title 
18, United States Code, or any other Federal criminal statute.
    (2) Nothing in this Act shall be construed to affect in any way the 
Commission's authority to bring enforcement actions under FTC Act for 
materially false or deceptive representations or unfair practices in 
commercial electronic mail messages.
    (b) State Law.--
            (1) In general.--This Act supersedes any statute, 
        regulation, or rule of a State or political subdivision of a 
        State that expressly regulates the use of electronic mail to 
        send commercial messages, except to the extent that any such 
        statute, regulation, or rule prohibits falsity or deception in 
        any portion of a commercial electronic mail message or 
        information attached thereto.
            (2) State law not specific to electronic mail.--This Act 
        shall not be construed to preempt the applicability of--
                    (A) State laws that are not specific to electronic 
                mail, including State trespass, contract, or tort law; 
                or
                    (B) other State laws to the extent that those laws 
                relate to acts of fraud or computer crime.

    (c) No Effect on Policies of Providers of Internet Access Service.--
Nothing in this Act shall be construed to have any effect on the 
lawfulness or unlawfulness, under any other provision of law, of the 
adoption, implementation, or enforcement by a provider of Internet 
access service of a policy of declining to transmit, route, relay, 
handle, or store certain types of electronic mail messages.

SEC. 9. <<NOTE: 15 USC 7708.>> DO-NOT-E-MAIL REGISTRY.

    (a) In General.--Not <<NOTE: Deadline. Reports.>> later than 6 
months after the date of enactment of this Act, the Commission shall 
transmit to the Senate Committee on Commerce, Science, and 
Transportation and the House of Representatives Committee on Energy and 
Commerce a report that--
            (1) sets forth a plan and timetable for establishing a 
        nationwide marketing Do-Not-E-Mail registry;
            (2) includes an explanation of any practical, technical, 
        security, privacy, enforceability, or other concerns that the 
        Commission has regarding such a registry; and
            (3) includes an explanation of how the registry would be 
        applied with respect to children with e-mail accounts.

    (b) Authorization To Implement.--The Commission may establish and 
implement the plan, but not earlier than 9 months after the date of 
enactment of this Act.

SEC. 10. <<NOTE: 15 USC 7709.>> STUDY OF EFFECTS OF COMMERCIAL 
            ELECTRONIC MAIL.

    (a) In General.--Not <<NOTE: Deadline. Reports.>> later than 24 
months after the date of the enactment of this Act, the Commission, in 
consultation with the Department of Justice and other appropriate 
agencies, shall submit a report to the Congress that provides a detailed 
analysis of the effectiveness and enforcement of the provisions of this 
Act and the need (if any) for the Congress to modify such provisions.

[[Page 117 STAT. 2717]]

    (b) Required Analysis.--The Commission shall include in the report 
required by subsection (a)--
            (1) an analysis of the extent to which technological and 
        marketplace developments, including changes in the nature of the 
        devices through which consumers access their electronic mail 
        messages, may affect the practicality and effectiveness of the 
        provisions of this Act;
            (2) analysis and recommendations concerning how to address 
        commercial electronic mail that originates in or is transmitted 
        through or to facilities or computers in other nations, 
        including initiatives or policy positions that the Federal 
        Government could pursue through international negotiations, 
        fora, organizations, or institutions; and
            (3) analysis and recommendations concerning options for 
        protecting consumers, including children, from the receipt and 
        viewing of commercial electronic mail that is obscene or 
        pornographic.
SEC. 11. IMPROVING <<NOTE: Reports. Deadlines. Procedures. 15 USC 
                      7710.>> ENFORCEMENT BY PROVIDING REWARDS FOR 
                      INFORMATION ABOUT VIOLATIONS; LABELING.

    The Commission shall transmit to the Senate Committee on Commerce, 
Science, and Transportation and the House of Representatives Committee 
on Energy and Commerce--
            (1) a report, within 9 months after the date of enactment of 
        this Act, that sets forth a system for rewarding those who 
        supply information about violations of this Act, including--
                    (A) procedures for the Commission to grant a reward 
                of not less than 20 percent of the total civil penalty 
                collected for a violation of this Act to the first 
                person that--
                          (i) identifies the person in violation of this 
                      Act; and
                          (ii) supplies information that leads to the 
                      successful collection of a civil penalty by the 
                      Commission; and
                    (B) procedures to minimize the burden of submitting 
                a complaint to the Commission concerning violations of 
                this Act, including procedures to allow the electronic 
                submission of complaints to the Commission; and
            (2) a report, within 18 months after the date of enactment 
        of this Act, that sets forth a plan for requiring commercial 
        electronic mail to be identifiable from its subject line, by 
        means of compliance with Internet Engineering Task Force 
        Standards, the use of the characters ``ADV'' in the subject 
        line, or other comparable identifier, or an explanation of any 
        concerns the Commission has that cause the Commission to 
        recommend against the plan.

SEC. 12. RESTRICTIONS ON OTHER TRANSMISSIONS.

    Section 227(b)(1) of the Communications Act of 1934 (47 U.S.C. 
227(b)(1)) is amended, in the matter preceding subparagraph (A), by 
inserting ``, or any person outside the United States if the recipient 
is within the United States'' after ``United States''.

SEC. 13. <<NOTE: 15 USC 7711.>> REGULATIONS.

    (a) In General.--The Commission may issue regulations to implement 
the provisions of this Act (not including the amendments made by 
sections 4 and 12). Any such regulations shall be issued in accordance 
with section 553 of title 5, United States Code.

[[Page 117 STAT. 2718]]

    (b) Limitation.--Subsection (a) may not be construed to authorize 
the Commission to establish a requirement pursuant to section 5(a)(5)(A) 
to include any specific words, characters, marks, or labels in a 
commercial electronic mail message, or to include the identification 
required by section 5(a)(5)(A) in any particular part of such a mail 
message (such as the subject line or body).

SEC. 14. <<NOTE: 15 USC 7712.>> APPLICATION TO WIRELESS.

    (a) Effect on Other Law.--Nothing in this Act shall be interpreted 
to preclude or override the applicability of section 227 of the 
Communications Act of 1934 (47 U.S.C. 227) or the rules prescribed under 
section 3 of the Telemarketing and Consumer Fraud and Abuse Prevention 
Act (15 U.S.C. 6102).
    (b) FCC <<NOTE: Deadline.>> Rulemaking.--The Federal Communications 
Commission, in consultation with the Federal Trade Commission, shall 
promulgate rules within 270 days to protect consumers from unwanted 
mobile service commercial messages. The Federal Communications 
Commission, in promulgating the rules, shall, to the extent consistent 
with subsection (c)--
            (1) provide subscribers to commercial mobile services the 
        ability to avoid receiving mobile service commercial messages 
        unless the subscriber has provided express prior authorization 
        to the sender, except as provided in paragraph (3);
            (2) allow recipients of mobile service commercial messages 
        to indicate electronically a desire not to receive future mobile 
        service commercial messages from the sender;
            (3) take into consideration, in determining whether to 
        subject providers of commercial mobile services to paragraph 
        (1), the relationship that exists between providers of such 
        services and their subscribers, but if the Commission determines 
        that such providers should not be subject to paragraph (1), the 
        rules shall require such providers, in addition to complying 
        with the other provisions of this Act, to allow subscribers to 
        indicate a desire not to receive future mobile service 
        commercial messages from the provider--
                    (A) at the time of subscribing to such service; and
                    (B) in any billing mechanism; and
            (4) determine how a sender of mobile service commercial 
        messages may comply with the provisions of this Act, considering 
        the unique technical aspects, including the functional and 
        character limitations, of devices that receive such messages.

    (c) Other Factors Considered.--The Federal Communications Commission 
shall consider the ability of a sender of a commercial electronic mail 
message to reasonably determine that the message is a mobile service 
commercial message.
    (d) Mobile Service Commercial Message Defined.--In this section, the 
term ``mobile service commercial message'' means a commercial electronic 
mail message that is transmitted directly to a wireless device that is 
utilized by a subscriber of commercial mobile service (as such term is 
defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 
332(d))) in connection with such service.

SEC. 15. <<NOTE: 15 USC 7713.>> SEPARABILITY.

    If any provision of this Act or the application thereof to any 
person or circumstance is held invalid, the remainder of this Act and 
the application of such provision to other persons or circumstances 
shall not be affected.

[[Page 117 STAT. 2719]]

SEC. 16. <<NOTE: 15 USC 7701 note.>> EFFECTIVE DATE.

    The provisions of this Act, other than section 9, shall take effect 
on January 1, 2004.

    Approved December 16, 2003.

LEGISLATIVE HISTORY--S. 877:
---------------------------------------------------------------------------

SENATE REPORTS: No. 108-102 (Comm. on Commerce, Science, and 
Transportation).
CONGRESSIONAL RECORD, Vol. 149 (2003):
            Oct. 22, considered and passed Senate.
            Nov. 21, considered and passed House, amended.
            Nov. 25, Senate concurred in House amendment with an 
                amendment.
            Dec. 8, House conccurred in Senate amendment.

                                  <all>