When the Federal Trade Commission (FTC) issued its privacy report in December 2010, it discussed the possibility of providing consumers with a universal choice mechanism that would permit or prevent the collection and use of data regarding a consumer's online searching and browsing activities. However, the Commission admitted that it lacked the authority to establish such a requirement without Congressional authorization. A bill introduced by Rep. Jackie Speier (D-CA) would provide the necessary authorization.

H.R. 654, titled the "Do Not Track Me Online Act," would require the FTC to establish standards for an online opt-out mechanism that would allow consumers to "effectively and easily" prohibit the collection or use of any "covered information."

"Covered information" includes any of the following information that is transmitted online:

  • The online activity of an individual (such as web sites accessed, content viewed on web sites, date and time of access, the computer and geolocation from which online information was accessed, and the device, browser or application used to access online information);
  • A unique identifier such as a customer number or an Internet protocol address;
  • Name, postal address, email address, user name, telephone or fax number, and a government-issued ID;
  • Financial account number, or a credit/debit card number, or a security code/password that is necessary to access a financial account.

The bill would also require "covered entities" to disclose their information collection practices, including the names of those to whom the entities disclose such information. The bill allows, but does not require, the FTC to develop rules requiring covered entities to provide consumers with access to their data.

A "covered entity" is someone who is engaged in interstate commerce and collects or stores online data containing covered information. A company that meets all of the following requirements is excluded from the definition of covered entity and would therefore be exempt from the bill's requirements:

  • The company stores covered information from or about fewer than 15,000 individuals;
  • It collects covered information from or about fewer than 10,000 individuals during any 12-month period;
  • It does not collect or store "sensitive information" ("sensitive information" includes medical or health data; race or ethnicity; religion; sexual orientation; financial information (unless provided by the individual); precise geolocation; unique biometric data; and Social Security number); and
  • It does not use covered information to study, monitor or analyze the behavior of individuals as the company's primary business.

The FTC may exempt the following common business practices from the bill's requirements:

  • Providing customer service and support;
  • Analyzing data to improve a service, product or operation;
  • Basic business functions such as accounting, inventory, and supply chain management; and
  • Protecting IP rights.

The bill would not pre-empt state laws and would not curtail any of the FTC's existing powers. The bill authorizes civil enforcement by state Attorneys General and the FTC, with civil penalties up to $5,000,000 for a series of violations.

Rep. Speier also introduced a bill called the Financial Information Privacy Act of 2011 (H.R. 653) that mirrors California's financial privacy law. The bill would prevent financial institutions from sharing personally identifiable nonpublic information with, or selling it to, affiliates without giving consumers an opportunity to opt out, and it would require that a financial institution obtain opt-in consent before sharing information with unaffiliated third parties.