Ending a year of speculation, Rep. Rick Boucher (D-Va.) and Rep. Cliff Stearns (R-Fla.) unveiled a draft of their proposed privacy legislation on May 4, 2010. The bill was released for a comment period before the legislators formally introduce the law to Congress.

“Online advertising supports much of the commercial content, applications and services that are available on the Internet today without charge, and this legislation will not disrupt this well established and successful business model. It simply extends to consumers important baseline privacy protections,” Rep. Boucher, Chairman of the Subcommittee on Communications, Technology, and the Internet, said in a statement.

The proposed legislation has several significant elements:

  • Disclosure of privacy practices. Any company that collects personally identifiable information about individuals would be required to conspicuously display a clearly written, understandable privacy policy that explains how information about individuals is collected, used, stored and disclosed, and how individuals can limit or prohibit such use of their information. The policy would also have to include a link or toll-free telephone number for the FTC's Consumer Response Center.  
  • General rule: opt-out consent. Companies may collect information about individuals unless an individual affirmatively opts out of the collection, so long as the company has made its privacy policy available and has provided the individuals with the opportunity to decline consent. Opt-out consent would also apply generally to a Web site that relies upon third-party services, such as an ad provider, to effectuate a first-party transaction. Consent would not be required to collect and use data for operational or transactional purposes.  
  • ‘Sensitive data’ would require opt-in. Unlike the collection of personally identifiable information, companies would need an individual’s express opt-in consent to collect or disclose sensitive information about an individual, which the legislation defines to include medical records, financial accounts, sexual orientation, race, religion and precise geographic location information.  
  • Disclosure of information to unaffiliated parties requires opt-in. Under the proposed law, individuals would have a reasonable expectation that a company would not share their information with unrelated third parties. Therefore, companies would be required to get an individual's affirmative permission to share his or her personally identifiable information with unaffiliated third parties other than for an operational or transactional purpose.  
  • Targeted advertising. Companies could only collect and disclose information about an individual's online activity if they have made their privacy policy available to individuals and obtained their express consent. However, companies that work with third-party networks to create targeted advertising using a profile based on an individual’s information and Web-surfing history can rely on opt-out as consent so long as the company provides a readily accessible opt-out mechanism, deletes or renders the profile information anonymous no later than 18 months after it was collected, and prominently places a seal or symbol on its Web site and on or near any targeted advertising. The seal or symbol must link to a description of the company's practices to create preference profiles and permit individuals to review, modify or opt-out of having such a profile. Consumers' opt-in is required for an advertising network to disclose this information to any outside entity.  
  • Offline data collection notice requirements. If a company plans to collect information about individuals offline, it must notify customers in advance using a written privacy notice that details the company’s practices, including collection (a description of the information being collected as well as how and why it is being collected), storage (how it is stored and for what duration), consumer access (whether or not individuals are allowed to access their information and if there are limits on their access), disposal (how the information is disposed of or anonymized), and disclosure (why and to what types of other companies the data might be disclosed, and whether it might be linked or combined with other data about the individual).  
  • Security and data breach notification. Companies must establish reasonable procedures to ensure the accuracy of the information they collect and must also “establish, implement, and maintain appropriate administrative, technical, and physical safeguards” as determined by the FTC.  
  • Enforcement and preemption. Enforcement would be provided by the FTC, which would adopt rules to implement the law, and states, through attorneys general or consumer protection agencies. The bill expressly forbids a private right of action and preempts all state laws that include requirements for collection, use or disclosure of covered information.

Why it matters: If passed, the proposed bill would create a comprehensive federal approach to privacy for businesses both online and offline, with several important changes to current industry standards and law. The bill, as currently drafted, expands the common definition of personally identifiable information to include an IP address, a pseudonym or other “unique identifiers.” It also establishes that opt-out consent would be the general rule for the collection of personally identifiable information, but opt-in consent would be required for sharing such information and for collecting sensitive information. For ad networks, the new behavioral advertising icon will come in handy, as the current bill allows for opt-out consent if the network provides prominent notice through use of an icon and allows people to access and edit their profiles. Otherwise, consumers must opt in for ad networks to track and collect their information.