Ending a year of speculation, Rep. Rick Boucher (D-Va.) and Rep. Cliff Stearns (R-Fla.) unveiled a draft of their proposed privacy legislation on May 4, 2010. The bill was released for a comment period before the legislators formally introduce it in Congress.
“Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well established and successful business model. It simply extends to consumers important baseline privacy protections,” Rep. Boucher, Chairman of the Subcommittee on Communications, Technology, and the Internet, said in a statement.
The proposed legislation has several significant elements:
- ‘Sensitive data’ would require opt-in. Unlike the collection of ordinary personally identifiable information, collection or disclosure of sensitive information would require an individual’s express opt-in consent. The legislation defines sensitive information to include medical records, financial accounts, sexual orientation, race, religion and precise geographic location information.
- Disclosure of information to unaffiliated parties requires opt-in. Under the proposed law, individuals would have a reasonable expectation that a company would not share their information with unrelated third parties. Therefore, companies would be required to get an individual's affirmative permission to share his or her personally identifiable information with unaffiliated third parties other than for an operational or transactional purpose.
- Offline data collection notice requirements. If a company plans to collect information about individuals offline, it must notify customers in advance using a written privacy notice that details the company’s practices, including collection (a description of the information being collected as well as how and why it is being collected), storage (how it is stored and for what duration), consumer access (whether or not individuals are allowed to access their information and if there are limits on their access), disposal (how the information is disposed of or anonymized), and disclosure (why and to what types of other companies the data might be disclosed, and whether it might be linked or combined with other data about the individual).
- Security and data breach notification. Companies must establish reasonable procedures to ensure the accuracy of the information they collect and must also “establish, implement, and maintain appropriate administrative, technical, and physical safeguards” as determined by the FTC.
- Enforcement and preemption. Enforcement would be provided by the FTC, which would adopt rules to implement the law, and by the states, acting through their attorneys general or consumer protection agencies. The bill expressly forbids a private right of action and preempts all state laws that include requirements for the collection, use or disclosure of covered information.
Why it matters: If passed, the proposed bill would create a comprehensive federal approach to privacy for businesses both online and offline, with several important changes to current industry standards and law. The bill, as currently drafted, expands the common definition of personally identifiable information to include an IP address, a pseudonym or other “unique identifiers.” It also establishes that opt-out consent would be the general rule for the collection of personally identifiable information, but that opt-in consent would be required for sharing such information and for collecting sensitive information. For ad networks, the new behavioral advertising icon will come in handy: the current bill allows opt-out consent if the network provides prominent notice through use of an icon and allows people to access and edit their profiles. Otherwise, consumers must opt in before ad networks may track and collect their information.