Expect the new Democratic majorities in Congress to show a renewed interest in privacy law issues. Technology-oriented privacy issues will be addressed both through reinvigorated oversight of governmental activities and legislative efforts having a more direct effect on the private sector. At the same time, final action on important privacy-related matters is awaited from both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).
On Capitol Hill, look for action in two main areas. One is renewed and deeper scrutiny of government collection and use of personal information. This will include hearings and possible legislation regarding domestic and foreign intelligence surveillance by the National Security Agency and other bodies, as well as airline passenger databases (including the Department of Homeland Security's cargo screening project that has been extended to passengers). Sen. Patrick Leahy (D-Vermont), the new chair of the Senate Judiciary committee, has promised more vigorous oversight of Administration activities in this area. Examination of issues related to implementation of the Freedom of Information Act and a possible revisit of the REAL ID Act also are likely. Look for high-profile congressional hearings, frequent news of controversial government practices and possible legislative reforms.
The second area of expected legislative action includes several topics that may directly affect private businesses. This category includes regulation of spyware, notification of security breaches, Radio Frequency Identification Devices (RFID) and comprehensive privacy legislation, as well as unfinished business at the FTC relating to email spam and telemarketing.
Spyware continues to be the bane of Internet users, but Congress has yet to make much headway on reaching a sufficient consensus to permit legislation. Congressional leaders cannot agree on the fundamental approach: should federal law address spyware primarily as criminal activity or, alternatively, as a regulatory matter? Last year, reflecting this uncertainty, the House of Representatives passed two bills addressing spyware, one of each type, but the Senate did not act.
For its part, the FTC has seen fit not to wait for Congress. In November, it brought an enforcement action against Zango, the nation's largest provider of affiliate network "adware" services. In addition, emerging industry standards regarding acceptable practices in connection with downloadable software, such as those of the online privacy company TRUSTe, may be helping to create an industry consensus.
Nonetheless, the link between spyware and identity theft, as well as the growing number of state spyware laws, may produce a renewed push for federal legislation in order to create national standards and, possibly, preempt state laws that impose different standards. However, the Democratic majority may be less inclined than past Congresses to preempt state legislation, preferring to allow state attorneys general to bring additional enforcement actions.
Security Breach Notification
Announcements of security breaches continue to be roughly weekly occurrences. Currently, approximately 35 states have enacted laws requiring notification of security breaches, although the details differ among the states.
The new Congress will surely revisit federal legislation on this issue. One likely form of federal legislation would be the creation of a uniform national requirement. In weighing such legislation, a major question will be what event or circumstances should trigger a reporting obligation. For example, should notice be required in the event of a "reasonable risk of identity theft" or only when there is a "significant risk of identity theft?" Other contentious issues include whether the legislation should focus on identity theft or should address a broader range of potential harms and the extent to which a federal statute should preempt state laws in this area, the very laws credited with alerting the nation to the security breach problem in the first place. This last issue has real consequences; if the California law (the first breach notification statute) and other state laws modeled on California's had been preempted, far fewer notices of security breaches probably would have been given.
Radio Frequency Identification Devices
RFIDs have many promising uses, but also have raised fears among privacy advocates. These devices emit a short-range radio signal that allows the tracking of particular items to which they are attached. Although to date RFIDs have been implemented mostly in bulk operations such as shipping, they are increasingly appearing in items such as automobile toll cards (e.g., Easy Pass) and, now, credit cards. The Department of Homeland Security is considering whether, under the REAL ID Act, to require states to build RFID chips into drivers' licenses.
Privacy advocates have expressed concern that, as RFID devices move into individual items, they may give rise to excessive disclosures of information. This concern is particularly keen in the case of credit cards, because thieves equipped with RFID scanners can acquire identity and credit card information merely by being near a "no swipe" credit card equipped with that technology. Watch for congressional hearings and possible legislation later in the session.
Comprehensive Privacy Legislation
In the United States, privacy laws tend to be sector- or technology-specific. For example, federal laws have been enacted to address financial privacy (Gramm-Leach-Bliley Act) and health insurance issues (Health Insurance Portability and Accountability Act). At other times, Congress has chosen to adopt specific laws to address email marketing (CAN-SPAM) or telemarketing (Do Not Call). Each law addressed a specific issue; unsurprisingly, they differ in their approaches. Some laws establish "floors" for acceptable practices; others particular rules. Some allow more stringent state laws; others preempt state laws that impose additional requirements.
Congress has not attempted to develop legislation that addresses privacy issues in a more systematic and unified way, similar to the more unified approaches to data protection taken by some other nations, especially in the European Union. Sen. Hillary Clinton (D-New York) introduced one such bill last year, but nothing came of it. Sen. Leahy has his own proposal, and others are sure to be introduced this year. As of this writing, Congress appears unlikely to have the time or interest to make a serious attempt at crafting a more comprehensive approach this year. Look instead for hearings this year with a view towards possible legislation in 2008.
Do Not Mail
On the heels of the Do Not Call list and the CAN-SPAM Act, some privacy advocates are urging adoption of a Do Not Mail law. Such bills have been introduced in several state legislatures, but none have yet been enacted. These proposals are of obvious concern to direct mailers and advertisers that rely upon the postal system for hardcopy delivery of promotional materials, flyers, and other offers. Congress only last year passed comprehensive postal reform legislation that did not contain a Do Not Mail provision. Do not expect the new Congress to take this up on its agenda, but keep an eye out for further activity at the state level.
Unfinished FTC Rulemakings
The FTC in recent years has taken an aggressive stance in privacy enforcement matters, bringing cases against spammers and purveyors of spyware. However, the business community is still awaiting action by the FTC on two rulemaking proceedings that should have significant privacy implications.
The oldest of these is the rulemaking to implement the CAN-SPAM Act. In 2004, the FTC promulgated regulations to define commercial emails that are subject to the Act and establish a number of related rules. These rules have served as the legal basis for several enforcement cases in the years since. However, several issues raised in the Notice of Proposed Rulemaking, while fully addressed in the comments, still await agency resolution. These include matters such as: (1) which entity would be considered the "sender" under the CAN-SPAM Act where multiple parties would seem to satisfy the definition; (2) the regulatory treatment of "forward-to-a-friend" website-based email marketing; and (3) a proposed reduction in the amount of time allowed companies to comply with Do Not Email requests. Comments on these issues were completed in the summer of 2005, but no decision has yet issued.
More recently, in fall 2006, the FTC proposed to ban prerecorded marketing calls even to customers with whom the seller has an established business relationship. The FTC tentatively concluded that the considerations underlying its call abandonment rule and its desire to protect residents' privacy required this step, although the agency had allowed such calls for two years and there is no record of abuses. Numerous businesses have expressed concern about the proposal, fearing that it will impair their ability to communicate with their customers and noting that the FTC proposal would conflict with existing FCC rules that would allow such calls.
Unfinished FCC Rulemakings
For its part, expect the FCC to complete fairly soon its proceeding to strengthen its rules regarding the security and disclosure of telecommunications and wireless customer calling data. This proceeding, launched in response to publicity last year regarding the relative ease by which "pretexters" have been able to obtain detailed calling records that are supposed to be private, is expected to tighten rules governing access to calling data. It may also change existing rules to require affirmative customer consent before carriers may share customer calling information with joint venturers and independent companies.