Businesses that collect data from consumers online should be prepared to see some new legislation regulating their business practices. Senators John Kerry (D-MA) and John McCain (R-AZ) proposed the "Commercial Privacy Bill of Rights Act of 2011" in the Senate last week. The Kerry-McCain bill would create the nation's first comprehensive privacy law, covering data across all industries. As well, other privacy legislation is being introduced in Congress, including a proposed "Consumer Privacy Protection Act of 2011" that Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced last week in the House of Representatives. Given the strong bipartisan support for privacy legislation that we are seeing, it seems only a matter of time before Congress passes a comprehensive privacy law. These proposed laws will have significant implications for businesses that process personal information.
The Kerry-McCain bill sets forth a number of requirements for companies that collect, use, transfer or store the personal information of more than 5,000 individuals during any consecutive 12-month period. These companies would be obligated, among other things, to:
- Establish "managerial accountability" for implementing required privacy policies;
- Set up a process for responding to non-frivolous data subject inquiries regarding the processing of their personal information; s
- Implement a "comprehensive information privacy program," including "incorporating necessary development process and practices throughout the product life cycle" to safeguard personal information;
- Provide notice to data subjects of (a) company practices regarding processing personal information, (b) the purposes of those practices, and (c) any material changes to those practices;
- Make available opt-out mechanisms to data subjects before using their personal information in certain ways, such as providing it to third parties for "behavioral advertising or marketing";
- Receive opt-in consent from data subjects before processing certain sensitive personal information, such as health records or religious affiliation;
- Reduce data collection to what is "reasonably necessary" for a limited set of functions, such as processing a transaction; and
- Require by contract that any third party being transferred personal information use that information only in accordance with the provisions of this bill or as specified in the contract.
The enactment of some sort of comprehensive privacy law by Congress seems inevitable. Companies would be wise to consider now how such a law would impact their current business practices and determine whether their data privacy programs and practices need to be implemented, augmented or revisited.