On April 12, 2011, Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) officially announced proposed bipartisan legislation that would establish rights to protect individuals with respect to the collection, use, and dissemination of their personally identifiable information (PII). The Commercial Privacy Bill of Rights Act of 2011 (the Act), which has received public support from companies such as Microsoft, HP, Intel, and eBay (see the referenced link), is intended to “establish a regulatory framework for the comprehensive protection of personal data for individuals” and would impose substantial restrictions on businesses that collect PII. The following summary identifies the key privacy rights and several other important provisions contained in the Act. We have included a link to the proposed legislation here, and a link to the firm's prior podcast on the earlier draft here.
Privacy Rights Under the Act.
First, the Act creates a right to security and accountability. Collectors of PII would be required to implement security measures to protect the information they collect and maintain. These measures must be proportional to the size, type, and nature of the information collected. The bill incorporates the increasingly prevalent concept of “privacy by design,” requiring companies to develop a comprehensive information privacy program by incorporating, throughout the product life cycle, the development processes and practices necessary to safeguard covered PII.
In addition, the Act establishes the right to notice, consent, access, and correction of personal information. Specifically, it would impose an obligation on collectors of information to provide clear notice to individuals regarding their collection practices, as well as the purpose of such collection. Individuals would have the ability to “opt out” of any information collection, and must “opt in” (i.e., provide affirmative express consent) before an entity can collect any "sensitive" PII. Sensitive PII includes PII whose exposure could result in a significant risk of economic or physical harm, as well as personal health information and religious affiliation.
While the Act does not expressly require the development of a do-not-track mechanism or process, it would require clear notice to an individual of his or her ability to opt out of the collection of information where that information would be transferred to third parties for the purpose of behavioral or targeted advertising. The major browser developers have developed, and are in the process of enhancing, browser-based do-not-track features.
The Act would provide individuals with the right to access and correct their personal information, or to request cessation of its use and distribution, and would restrict collectors of information in the amount of information they are authorized to collect and maintain. For example, the Act would only allow such entities to collect as much information as is necessary to process or enforce a transaction, or to deliver a service. Collectors would still be able to gather information for research and development, provided that the information is maintained only for a reasonable period of time. To ensure that any individual information transferred to a third party is used and maintained only in accordance with the Act, collectors would also be required to enter into contractual agreements to this effect with the third-party recipients of PII. The Act explicitly requires collectors to attempt to establish and maintain reasonable procedures to ensure the accuracy of any collected PII.
Other Key Provisions.
Although it specifically prevents private rights of action and preempts inconsistent state law, the Act provides for enforcement of its provisions by State Attorneys General and the Federal Trade Commission (the FTC), including fines and civil penalties. State laws covering health and financial information, as well as security breach notification laws, would remain unaffected. Knowing or repeated violations of the Act could result in civil penalties of up to $16,500 per day or per affected individual, with a cap of $3 million for violating the security and accountability provisions and a cap of $3 million for violating the notice and individual participation provisions. The Act would prohibit simultaneous enforcement by both a State Attorney General and the FTC.
The Act also grants the FTC the authority to approve non-governmental organizations to oversee certain “Safe Harbor Programs.” These programs would be voluntary to join, but would require protections at least as rigorous as those contained in the Act. The incentive to participate in a voluntary safe-harbor program is that participants would be able to customize their compliance procedures while being exempt from certain other requirements of the Act.
Finally, the Act contemplates a role for the Department of Commerce (the DOC) in protecting PII. Specifically, it directs the DOC to assemble stakeholders for the development of applications for safe harbor programs to be submitted to the FTC. It also stipulates that the DOC would play a role in researching privacy enhancement and improved information sharing.
Praise for the bill was not unanimous, and passage of the bill remains to be seen. A coalition of consumer groups and privacy advocates said the bill needs to be significantly strengthened if it is to effectively protect consumer privacy rights in today’s digital marketplace. In a letter to Senators Kerry and McCain, Consumer Watchdog, the Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse and Privacy Times said they could not support the bill at this time. Their concerns include the lack of a mandatory do-not-track mechanism; too much reliance on the “notice and choice” model rather than affirmative opt-in consent; the lack of a privacy right of action for individual plaintiffs; and preemption of state laws that provide stronger protections.
While there will undoubtedly be lively debate concerning the bill, this and other recently proposed bills like it suggest that federal privacy legislation is likely in the near future. Companies would be well served to develop their privacy and security practices and policies with an eye toward the pending privacy legislation.