It is by no means settled that the American public cares about the privacy of much of its personal information – other than a few narrow categories such as financial account data. On one hand, surveys taken over the past decade have often reported that high percentages of Americans don’t want private companies to collect or use their personal information without their consent. On the other hand, well over a 100 million Americans participate in social networking sites in which they freely publish the details of their professional and personal lives for large portions of the world to know. In an interview earlier this year, Facebook founder Marc Zuckerberg opined that “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”
The coming wave of privacy legislation and regulation
Despite the social trends toward increased personal disclosure, the Federal Trade Commission and Congress have been pressing for new regulations that would heavily burden the collection and use of personal information from individuals. The FTC held a series of roundtables on Internet privacy this spring and has recently signaled that it may be about to move ahead with new privacy regulations. This summer, Representatives Rick Boucher and Bobby Rush brought two separate privacy bills to the House and Senator John Kerry promised to introduce a third bill in the Senate.
Both on and off-line information gathering will be affected
The most important, but non-obvious, element of the House bills is that they apply to any person who collects “covered” personal information from the public – regardless of whether the collection occurs online, via snail-mail, in-person or otherwise. “Covered” information includes any of the data that would typically be gathered on a registration form, such as an individual’s first and last name, postal address, telephone number or email address. It includes “unique persistent identifiers,” such as customer numbers and IP addresses. It also includes preference profiles.
While the bills provide exceptions for persons who conduct a small amount of data collection, the limits are low. The Boucher bill only excludes persons who collect information from fewer than 5,000 persons in a 12 month period. This means that the Boucher bill would apply to a business that annually creates more than 5,000 new credit accounts with individuals, a web site operator that adds more than 5,000 e-mail addresses to its list-serve, a market research firm that interviews more than 5,000 consumers, or a newspaper that adds more than 5,000 new subscribers. The bills could also apply to advocacy, political and religious groups, if their activities were deemed to involve interstate commerce.
While the FTC and Senator Kerry have yet to release drafts of their proposed rules, the outlines of the regime to come can be ascertained from the two House bills, which are broadly similar. Unless there is a sea change in Washington, businesses of all kinds are likely to see their freedom to gather about individuals sharply curtailed.
The privacy notice requirements will be especially hard on off-line businesses
Firms involved in investigative work, such as news organizations, could also find compliance problematic. The requirement to get an individual’s consent before using his name in a news article could spike many a story or shut down an investigation before it began. These rules could also create problems for scientific or market researchers who depend on mass public data collection.
The restrictions on “sensitive” data raise Constitutional questions
Both bills include a long list of “sensitive information” that generally may not be collected, used or disclosed without express affirmative – “opt in” -- consent. In other words, you can’t record or report this information unless the individual first gives you permission to do so. The definitions of sensitive information in the House bills are very broad. Under the Rush bill, it includes an individual’s (i) medical history, physical or mental health, or the provision of health care to the individual, (ii) race or ethnicity, (iii) religious beliefs and affiliation, (iv) sexual orientation or sexual behavior, (v) income, assets, liabilities, or financial records, and other financial information associated with a financial account, (vi) precise geolocation information, (vii) biometric data, and (viii) Social Security number.
While restrictions on collection of Social Security and bank account numbers seem appropriate, restrictions on collection of medical, demographic and financial information are problematic. For example, the restrictions on collecting or reporting information on religious affiliation would appear to prohibit a newspaper from publishing a story that noted the church affiliation of a controversial minister, or the financial ties of a congressman, without first getting express, affirmative consent. The restriction on the collection of data about race and ethnicity would prevent a supermarket chain that catered to ethnic minorities from conducting demographic research in a neighborhood – without the prior notice and express affirmative consent that could tip off its competitors to its plans for expansion in the area.
To make matters worse, neither bill provides a much of an exception for publicly available information. The Boucher bill provides no exception for publicly available information at all. The Rush bill limits collection and use of publicly availably information to data found in government records, widely distributed media or legally mandated disclosures.
This means that under the House bills, it could be illegal for a covered person to record or report, based on his personal observation, that an individual was walking on crutches and wearing a cast, was of Irish descent, or was marching in a gay pride or traditional marriage parade, without first giving the person a privacy notice and getting his express consent. It would also be illegal for the covered person to even interview the individual about these subjects without first giving a privacy notice and getting express affirmative consent.
In Cox Broadcasting Corp. v. Cohn, 420 U.S. 469, 489 (1975), the U.S. Supreme court noted that “claims of privacy . . . directly confront the constitutional freedoms of speech and press.” While the Supreme Court has recognized that individuals do have privacy rights, it has taken a cautious approach to defining the extent of these rights. For example, in The Florida Star v. B.J.F., 491 U.S. 524, 541 (1989), the Court was only willing to state that “[t]o the extent sensitive information rests in private hands, the government may under some circumstances” – but not all circumstances – “forbid its nonconsensual acquisition” (emphasis added).
Private information that the Supreme Court has classified as “sensitive” and presumably protected from nonconsensual disclosure has had a limited scope, such as attorney-client communications or school records. See Mohawk Industries, Inc. v. Carpenter, 130 S.Ct. 599 U.S. (2010) (classifying attorney-client communications as “sensitive information”), Owasso Independent School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (classifying the education records of children as “sensitive information”). It certainly has not included information that individuals have made available to the general public by their participation in public affairs. Bartnicki v. Vopper, 532 U.S. 514, 534 (2001) (noting that“[o]ne of the costs associated with participation in public affairs is an attendant loss of privacy”).
By attempting to prevent the collection, use or disclosure of so many categories of information that heretofore have been freely available to all comers, both House bills stand a serious risk being found to violate the First Amendment.
What to expect
Given the numerous problems in the legislation currently before the House, and the lack of a serious groundswell of public support for any privacy legislation, there is likely to be considerable retooling before any new privacy legislation or regulation becomes a reality.
This being said, there are elements in the House bills that are likely to be included in any future legislation or regulations – some of which could have a retroactive effect of businesses that collect consumer data. We will report on these elements in future articles on this blog.