The Boucher Bill is still under review, even after being met with heavy criticism earlier this year. The bill, which was dubbed the “Best Practices Act,” is a comprehensive framework that intends to regulate the protection of consumer data.

The Boucher Bill is set to right what some believe is a “gap” in the regulation of the collection and use of personal data. Right now, there is no national legislation governing how companies tell consumers that they are collecting data; companies post privacy notices anyway because a California law requires it, and most companies cannot practically separate California consumers from non-California consumers. At the same time, companies such as Google and Facebook are constantly scrutinized for not posting adequate privacy policies, or otherwise failing to address what exactly they are doing with the data that these Internet giants collect via the web. The bill attempts to clarify these questions and provide a framework for any company that collects personal data from consumers.

The Boucher Bill has two basic requirements. First, it requires companies that collect personal data from consumers to establish a comprehensive privacy policy. Essentially, this means that whenever a company collects any information that identifies a single person — or a single computer or device — it must alert consumers to the collection with a privacy notice or policy. According to the bill, the privacy policy should provide consumers with all the details about the collection, use and storage of their data. The requirements for the policy go well beyond what is currently required by California law. For example, the bill requires the policy to explain how long the company retains the data in identifiable form and how it disposes of, or renders anonymous, personal information after the expiration of the retention period.

The notice requirements would not apply to personal information that is collected by any means that does not utilize the Internet. This means that data collected at a trade show or via a sales event may not be covered by the bill. The notice requirements also do not apply to information that is collected for a transactional or operational purpose, or that consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a first-party transaction. At this point, this appears to exempt the routine web logs or session cookies that are collected and necessary for the functioning of the website, but a question remains as to whether these limitations would cover personal information, such as name and billing information, if that information is used for no purpose other than to effectuate the transaction.

The second portion of the Boucher Bill is more troubling to companies that collect and use consumer data. Companies that collect personal information need to obtain the express affirmative consent of the individual before selling, sharing, or otherwise disclosing that information to an “unaffiliated party.” This means that a consumer would have to opt in to such a disclosure. A consumer must also opt in to the collection or disclosure of “sensitive information,” such as medical records, race or ethnicity, religious beliefs, sexual orientation, financial records, or precise geo-location information. This affirmative consent must be acquired prior to a company’s collection of the sensitive data. Similarly, a company needs to obtain a consumer’s express affirmative consent in order to collect or disclose all or substantially all of an individual’s online activity, or in the event it makes a material change to its privacy policy.

The reactions to the Boucher Bill thus far have been negative, with companies complaining that it is overly broad and that the opt-in requirements would prevent the free flow of information that has made operating businesses online effective and consumer friendly.