Two significant consumer privacy bills introduced in Congress last week demonstrate that the current Congress will likely take a close look at consumer privacy issues. The bills, S.799, introduced in the Senate by Sens. John Kerry (D-MA) and John McCain (R-AZ), and H.R.1528, introduced in the House of Representatives by Rep. Cliff Stearns (R-FL), would both impose new restrictions on how businesses collect, use and disclose consumer information.
These bills pose a serious concern to media businesses built on consumer advertising. If either bill were enacted, individuals would have a federal right to restrict some uses and sharing of consumer information that is useful in identifying potentially receptive advertising audiences. Companies that rely on online advertising, or on generating revenues by sharing consumer information with other businesses, would face considerable restrictions.
On the other hand, some provisions of these bills could mitigate the harm to some extent by preempting state laws and prohibiting private rights of action. Safe harbor provisions in the bills could potentially offer a means to avoid direct Federal Trade Commission (FTC) regulation. For these and other reasons, including reliance mostly on "opt-out" consumer choice, Senators Kerry and McCain regard their proposal as balancing the interests of businesses and consumers.
The bills are the latest in a growing effort at the federal level to establish rules-of-the-road for consumer privacy in the U.S., which currently does not have a general comprehensive privacy law. The bills both build upon a series of enforcement actions taken by the FTC over the past dozen years to develop federal privacy standards. These FTC actions have, in effect, created a "common law" of privacy by developing standards for "reasonable" data security and by targeting what the FTC views as "deceptive" privacy and marketing practices.
The sponsors of the bills hold leadership positions in the relevant Senate and House committees that have jurisdiction over consumer privacy, so they are well-positioned to move their proposals.
Although the Senate and House bills differ in a number of respects, they share many important similarities:
- Both bills define "personally identifiable information" (PII) similarly to include, at a minimum:
  - first name (or initial) and last name;
  - residential postal address;
  - email address;
  - telephone or mobile device number;
  - a Social Security Number or other government-issued identification number; or
  - a credit card account number.

  The Senate bill would also include within this definition unique identifiers and biometric data.
- Each follows the "notice and choice" model, in which businesses publish a statement describing their privacy policies and consumers have some ability to choose what information to provide or whether it may be shared with other businesses;
- Both bills generally take an "opt-out" approach, in which a business may collect, use, and disclose consumer data unless the consumer affirmatively seeks to stop it from doing so;
- Neither bill contains a "do not track" provision, taking a different approach than current initiatives in the private sector and at the FTC to adopt a "do not track" mechanism to stop interest-based (or "behavioral") advertising;
- Both bills would preempt state consumer privacy laws and state private rights of action;
- Both bills would grant the FTC jurisdiction over consumer privacy matters; and
- Both bills would encourage private-sector "safe harbor" programs, with substantive standards equivalent to or more stringent than the bill's privacy standards.
Despite these similarities, the bills differ in a number of respects. For example, the Senate bill includes a "privacy-by-design" provision that would require entities to take consumer privacy expectations into account when designing products, but the House bill does not. The House bill provides for a narrower right of "opt-out" than the Senate bill, and provides that any "opt-out" would expire after five years.