On Tuesday, April 12, 2011, Senators John Kerry (D-MA) and John McCain (R-AZ) formally introduced the Commercial Privacy Bill of Rights Act of 2011 (S. 799). If enacted by Congress in its current form, the Act will require companies to provide greater transparency to consumers regarding what personal information companies are collecting and how it will be used. The Act also would authorize enforcement by the Federal Trade Commission (FTC) or State Attorneys General and provide for penalties of up to $16,500 per day, up to a maximum of $3,000,000. The Act also would mandate that companies offer an “opt-out” mechanism for all collected personal information and impose an “opt-in” mechanism for “sensitive” personal information.
The Act’s primary purpose is to establish a comprehensive, unified framework to address the collection and use of personally identifiable information such as name, postal addresses, unique identifiers, geographic location, e-mail addresses, phone numbers, bank and credit account numbers, non-work phone numbers, and biometric data. It also broadly would include “[a]ny information that is collected, used or stored in connection with personally identifiable or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual.” (emphasis added)
The proposed Act requires that companies “have managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementations of policies consistent with [the] Act.” Companies would be required to implement comprehensive privacy protection programs for personally identifiable information, based on reasonable expectations of privacy, and to address relevant threats to keeping such covered information private and secure.
The legislation proposed by Senators Kerry and McCain is quite wide in scope, but highlights include:
- Required opt-out for all information and opt-in for sensitive information. Opt-outs are considered by many to be a best practice but are not currently required by most U.S. laws. The proposed bill would require companies to give “robust and clear” notice that the opt-out was available, and for “sensitive” information (as defined in the bill) the collection and use of the information would require the affirmative consent of the consumer.
- Limitation on the data that can be collected. Under the proposed legislation, companies could collect only the covered information they need to provide a transaction or service. If they hand off covered information to third parties, contracts would have to bind what those third parties can do with the data.
- Establishment of “Safe Harbor” Programs. The FTC could approve nongovernmental organizations to oversee voluntary “Safe Harbor” programs that would allow companies to shield themselves from liability by implementing agreed procedures.
- Federal Authorities Play Lead Role in Enforcement. The proposed legislation would enable both state Attorneys General and the FTC to enforce the new privacy rules, but the state authorities would have to yield to the FTC if both wished to pursue the same case. Significantly, the proposed legislation does not provide a private right of action for individuals to bring claims.
Currently, the proposed Act does not set forth any form of “Do Not Track” mechanism or data breach notification requirements.