Identifying Key Provisions in the Commercial Privacy Bill of Rights Act of 2011

After months of deliberation, Sens. John McCain (R-Ariz.) and John Kerry (D-Mass.) have just introduced a comprehensive privacy bill entitled, theCommercial Privacy Bill of Rights Act of 2011 (the Bill). Released in a press conference held by McCain and Kerry, the Bill establishes a baseline framework for the privacy, security and management of personal information and contemplates five FTC rulemakings to flesh out the framework's details.

Today, we are summarizing the Bill's definitions and key provisions, all of which might change once the Bill is debated in the Senate. Please stay tuned to future blog entries for updates.

DEFINITIONS

As is the case with all legislation, the devil is in the details and the Bill's definitions are key to determining to whom (a "covered entity") and to what ("covered information") the Bill's provisions would apply. Further, with respect to the Bill's regulation of consumer choice, some categories of "covered information" would be subject to more stringent regulation than other categories. We provide the definitions of "covered entity," "covered information" and other key definitions below and then summarize and discuss its Titles.

A Covered entity is any person subject to the Federal Trade Commission's (FTC) Section 5 authority who collects, uses, transfers, or stores covered information concerning more than 5,000 individuals over any consecutive 12-month period. While this is not a part of the official definition section, Title VI, as discussed below, seeks to include telecom and nonprofit entities that are typically not covered under the FTC Act.

Covered information consists of "personally identifiable information" (PII), including "sensitive PII (SPII), "unique identifier information" (UII), and any other information that is collected, used, or stored in connection with PII or UII in a manner that may reasonably be used to identify a specific individual.

  • PII is an individual's: first and last name, postal address of physical place of residence, email address, telephone or mobile device number, social security number, credit card account number, biometric data such as fingerprints and retina scans; and, when used in conjunction with the above information, one's date of birth, birth certificate number, place of birth, and precise geolocation.
  • SPII is PII which, if lost, compromised, or disclosed without authorization, carries a significant risk of economic or physical harm – information such as that relating to a precise medical condition or health record or one's religious affiliation. It is a positive development that we do not see greater expansion of the harm standard for SPII to emotional harms such as embarrassment or the ambiguous fear of being monitored. UII is an individual's customer number carried in a "cookie," user IDs, and processor or device serial numbers.
  • Unauthorized use is defined as "the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates." Importantly, if an individual and a covered entity previously established an account for the receipt of products or services offered by the covered entity—that is, the parties have an "established business relationship"—then the covered entity's use of an individual's covered information is, indeed, authorized under certain circumstances . Use of covered information that is unreasonable or inconsistent with the covered entity's privacy policy (see Title II summary below), however, remains an unauthorized use.

SECURITY, ACCOUNTABILITY & PRIVACY BY DESIGN: TITLE I

Security & Accountability: Sections 101 & 102. The Bill requires that the FTC initiate a rulemaking within 180 days of the Bill's passage to address requirements for the safeguarding of covered information by covered entities. While, the Bill does not adopt the existing Gramm-Leach-Bliley Act (GLB) security safeguards, the requirements that would result from an FTC rulemaking under the Bill must be consistent with those and other existing safeguards practices, while allowing for some flexibility proportional to the size, type and nature of the covered entity, and the covered information that entity collects. The safeguards requirement is coupled with an accountability program that would enlist company management to be responsive to public inquiries, and would describe a means of compliance with the Bill upon any request from the FTC or an approved self regulatory entity (Self Regulation is described in Title V).

Privacy By Design: Section 103. The concept of designing privacy standards into the research and development phase of a project involving information collection, storage, use and/or distribution is incorporated in the Bill.

NOTICE, CHOICE & ACCESS: TITLE II

Transparent Notice in Privacy Policies: Section 201. The Bill also requires that, within 60 days of enactment, the FTC initiate a rulemaking to develop requirements that covered entities provide "clear, concise and timely notice" to individuals of the covered entity's: (1) practices regarding collection, use, transfer and storage of covered information, and (2) the specific purposes for each of those practices. In keeping with recommendations in FTC and Department of Commerce reports (see our previous posts on those reports here and here), in addition to the original notice, notice would also be required prior to implementing material changes in privacy policies. In the rulemaking under this subsection, the FTC may take into account some implementation considerations, such as the type of devices on which the Notice will be seen (this is a nod to previous criticisms regarding the length and density of most privacy policies on mobile devices). There is also a timing-of-notice provision if notice is not provided at the time of collection (this provision is in recognition of the on-page disclosures that are becoming more common in the online behavioral advertising space). The FTC may also draft sample notice guidance and guidance to assist with automating the notice function.

Choice (Opt-Out vs. "Robust" Opt-Out vs. Opt-In): Section 202(a). Within 180 days of passage of the Bill, the FTC would also initiate a rulemaking to develop requirements governing individual choice mechanisms for whether and when individuals may opt-in or opt-out of the practices disclosed in a covered entity's privacy policy. For example:

  • OPT-OUT consent (or consent that is given until revoked) would be anything that doesn't fall under "Robust" Opt-Out or Opt-In, which makes us go through two analyses first before making the "Opt-Out" determination. The Bill did not provide examples of what would be considered "Opt-Out."
  • "ROBUST" OPT-OUT (which is not defined by the Bill, but which we gather means something beyond clear, conspicuous and timely notice ) would be required for use by third parties of individuals' covered information for behavioral advertising or marketing.
  • OPT-IN consent (or affirmative consent) would be required for: (1) collection, use or transfer of SPII in a manner unrelated to a transaction or service requested by the individual (exceptions to the SPII opt-in include the prevention of fraud, or providing for a secure physical and virtual environment); (2) use or transfer of previously collected covered information under old privacy policies where a change to the company's stated practices has occurred, and where such use or transfer creates a risk of economic or physical harm to the individual.

Access & Correction: Section 202(a)(4). In keeping with European privacy practices, the Bill also contemplates that covered entities provide reasonable access to data collected about an individual and a means to improve the accuracy of that data. It remains to be seen whether privacy preference mechanisms that are now being offered to improve the accuracy of online behavioral advertising data—e.g., Google Ad Preferences and Yahoo! Ad Interest Manager—provide access to information and opportunity for correction sufficient to satisfy the FTC.

Service Termination or Bankruptcy Covered Information De-Identification: Section 202(a)(5). Upon terminating a covered entity's service or if the covered entity enters into bankruptcy, an individual must be able to "easily request" that all of his/her PII that is not public be rendered de-identifiable. If the PII cannot be rendered de-identifiable, then the covered entity must stop using the information for marketing, and stop unauthorized transfers to third parties.

Exclusion from an Unauthorized Use: Section 202(d). Transfers of covered information to service providers are not considered an unauthorized use of data requiring opt-in consent. However, for service providers to avail themselves of this exclusion, they must conform to the practices in the Bill, and to the privacy policies and practices of its covered entity.

Covered Entity Vicarious Liability: Section 202(d)(3). Under the proposed statute, a covered entity remains responsible for covered information that has been transferred to a service provider.

DATA MINIMIZATION, CONSTRAINTS ON DISTRIBUTION & DATA INTEGRITY: TITLE III

Data Minimization: Section 301. The Bill proposes to limit collection of information to that reasonably necessary to process, enforce or provide a requested transaction or service. The data retention limitations would also allow data retention for marketing/advertising by the covered entity, product research and development, and internal operations.

Covered Information Distribution Constraints: Section 302. This section of the Bill proposes that any covered entity must, by contract, require compliance with the Bill from its vendors and such vendors may only use covered information provided to them as directed in the contract. Covered entities must also specify in third-party contracts that those third parties cannot combine information with non-PII that would render the provided information identifiable (this is in recognition of the ease of database cross-threading). Covered entities would be required to undertake due diligence to confirm that third parties receiving covered information from them are "legitimate organizations" and not unreliable third parties (who have violated or are likely to violate a third-party contract). Covered entities also must report any third-party violations to the FTC. Lastly, third parties receiving covered information would be liable for violations as if they were a covered entity.

Data Integrity/Data Scrubbing: Section 303. The Bill proposes that covered entities establish and maintain reasonable procedures to ensure that PII maintained by them is accurate in circumstances where the covered information could be used to deny consumers benefits or cause them significant harm, except in cases where the information has been provided directly by the consumers.

ENFORCEMENT: TITLE IV

FTC Enforcement Contemplated: Section 402. The FTC will be granted power to enforce this provision through its existing unfair and/or deceptive trade practices jurisdiction. Common carriers and nonprofits not traditionally subject to FTC jurisdiction will be included under this provision. The FTC Enforcement section contemplates that the FTC initiate a rulemaking to develop technology-neutral regulations, but it does not specify a timing.

State Attorneys General Actions Contemplated: Section 403. The Bill contemplates state attorney general parens patriae actions in which state attorneys general could file suit on behalf of the residents of their states for any violation of the Bill other than Title III. However, the FTC is clearly given the first bite at the apple. The FTC may intervene in a state AG's action. And, if the FTC files its civil action first, the state AG is preempted from filing his/her own civil action against the same defendants.

No Private Right of Action: Section 406. The Bill specifically states that it does not permit private rights of action, nor does it permit lawsuits under state laws premised upon a violation of the Bill.

Civil Penalties: Section 404. The Bill contemplates per-violation, per-day penalties of $16,500 for knowing and repeated violations of Title I or II, up to a maximum violation penalty of $3 million.

Preemption Light (General Data Laws Preempted / Sector Specific-State & Breach Laws Stand): Section 405. The statute preempts the general laws of any state regarding the collection, use, or disclosure of covered information. However, the Bill would not preempt any state law regarding: (1) disclosure of health or financial information, (2) state laws regarding data breach, and (3) state laws regarding fraud.

CO-REGULATORY SAFE HARBOR PROGRAM: TITLE V

Industry is encouraged that Title V of the Bill preserves the opportunity for industry self regulation. Within one year of the Bill's passage, the FTC will establish a rulemaking proceeding governing the Safe Harbor Program.

Full or Partial Self-Regulation Contemplated: Section 501. Upon obtaining the FTC's approval, nongovernmental organizations may administer programs in which participating covered entities may self-regulate any unauthorized use of covered information, or certain types of unauthorized uses of covered information, such as online behavioral advertising and location-based advertising.

Safe Harbor Program Approval Standards: Section 501(b). The self-regulatory programs must offer consumers of participating covered entities a clear, conspicuous, persistent, and effective means of opting out of the transfer to a third party for unauthorized use of covered information. In addition, the Safe Harbor Programs must provide substantially equivalent or superior protection as otherwise provided under the Bill against unauthorized uses of covered information.

Standards for Exemption from Bill: Section 502. If the FTC finds that the Safe Harbor Program's requirements are substantially the same to those contained in the Bill, then the covered entities participating and complying in a Safe Harbor Program are exempt from: (1) obtaining opt-in consent for the transfer of covered information to third parties for unauthorized use under Title II, or (2) any other provision of Titles II or III.

FTC Oversight: Section 501(d). The FTC has oversight and supervisory authority over Safe Harbor Program administrators. Under that authority, the FTC may impose civil penalties and/or withdraw its authorization for administrators' noncompliance with the Bill's requirements on safe harbors.

APPLICATION OF FEDERAL PRIVACY LAW: TITLE VI

Title VI names the federal privacy laws that the Bill preempts, as well as those that take primacy over the Bill.

Federal Law Preempted by the Bill: Section 601(c). Some provisions in the Communications Act are preempted when they are inconsistent with this Bill. Those provisions pertain to telecommunications and cable subscriber privacy in Sections 222 and 631 of the Communications Act. Nevertheless, it should be noted that the Bill does not at all preempt the Telephone Consumer Protection Act, as noted below.

Federal Law Not Preempted by the Bill: Section 601(d). The Bill lists provisions of 14 federal laws that, when inconsistent with the Bill's provisions, take precedence over the Bill:

  1. The Privacy Act of 1974
  2. The Right to Financial Privacy Act of 1978
  3. The Fair Credit Reporting Act
  4. The Fair Debt Collection Practices Act
  5. The Children's Online Privacy Protection Act of 1998
  6. Title V of the Gramm-Leach-Bliley Act of 1999
  7. Chapters 119, 123, and 206 of Title 18 of the U.S. Code
  8. Section 2710 of Title 18 of the U.S. Code
  9. The Family Educational Rights and Privacy Act of 1974
  10. Section 445 of the General Education Provisions Act
  11. The Privacy Protection Act of 1980S
  12. The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996, as such regulations relate to a person or transactions described in sections 1172(a) and 1173(a)(1) of the Social Security Act
  13. The Communications Assistance for Law Enforcement Act
  14. The Telephone Consumer Protection Act

DEPARTMENT OF COMMERCE ROLE IN PRIVACY POLICY: TITLE VII

Title VII encapsulates the privacy role that the Department of Commerce requested in its Green Paper. Namely, the Bill proposes that Commerce would "convene private sector stakeholders ... in open forums, to develop codes of conduct in support of applications for safe harbor programs"; broaden the "interoperability" between domestic and foreign data privacy frameworks; and conduct research "related to improving privacy protection" and "improving data sharing practices."