On May 4, 2010, Representative Rick Boucher (D-VA), the Chairman of the House Subcommittee on Communications, Technology, and the Internet, and Cliff Stearns (R-FL), Ranking Republican Member of the Subcommittee, released a discussion draft of privacy legislation. The draft proposes comprehensive disclosure and consent requirements for information collected through the Internet and by other means. Representatives Boucher and Stearns are gathering feedback on the draft and plan to develop a revised bill in the next several weeks.
The draft legislation covers entities “engaged in interstate commerce that collect data containing covered information.” This broad scope would potentially impact a wide range of activities, including retail, web publishing, search engines, Internet advertising, social networking, and Internet access. Covered information includes a range of personal information, such as an individual’s social security number, contact information, and email address. The scope also extends to certain financial information and preference profiles.
Disclosure and consent requirements form the core of the draft legislation. The bill requires display of detailed privacy-related notices and specifies protocols for gaining necessary consumer consents for the collection, use, and sharing of covered information. An individual must consent to the collection, use, or sharing of her information. The draft generally permits “opt-out” consent, but certain types of information and uses require express, affirmative “opt-in” consent.
Situations requiring affirmative consent include the collection or disclosure of “sensitive” covered information. This information includes medical and financial records, race, religion, sexual orientation, and “precise geolocation information.” Affirmative consent is also required before a material change in an entity’s privacy or disclosure practices. In addition, the draft prohibits the collection, use, or disclosure of information “about all or substantially all of an individual’s online activity,” for any purpose, without affirmative consent. Further, the bill prohibits “any provider of a product or service that uses location-based information” from disclosing such “information concerning the user of such product or service” without affirmative consent.
A user must also provide affirmative consent to permit disclosure of covered information to a third party. However, covered entities can share such information under certain circumstances with “service providers,” which are entities that handle advertisements or provide other administrative functions for covered entities, such as data processing and customer support. In addition, with regard to individual managed preference profiles, the draft permits disclosure to an “advertisement network”—provided that the network does not disclose the information to another party without the affected individual’s affirmative consent.
The draft includes a number of exceptions to its disclosure and consent requirements. These exceptions are intended to mitigate burdens on Internet commerce. For example, the draft exempts certain information from notice requirements when such information is collected for “operational” or “transactional” purposes. These purposes include improvement of an entity’s products, services, or operations, and disclosure to affiliates that possess similar privacy policies and practices. Operational purposes, however, expressly exclude use or disclosure for marketing, advertising, or sales purposes. Additionally, the draft generally permits aggregation and disclosure of information rendered anonymous as long as such information cannot identify a specific individual or device.