On April 12, Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (S. 799). The bill would require "covered entities" to (1) provide notice of their data collection practices and disclose the purposes of the data collection; (2) provide an opt-out mechanism for "covered information" and an opt-in mechanism for sensitive information; (3) establish procedures for safeguarding data; and (4) implement privacy protections throughout the life cycle of a product ("privacy by design"). Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities. The bill does not contain a "do not track" provision. (We summarized Rep. Speier's Do Not Track bill in our February 2011 Alert.)

The bill mandates that covered entities collect only as much information as is reasonably necessary and maintain the information only as long as necessary. The bill would authorize the FTC to develop a safe harbor program, and would provide individuals with the right to access and change certain information that covered entities maintain - something the Direct Marketing Association has repeatedly said would be an expensive requirement for its members.

The bill would apply to an entity (1) that collects, uses, transfers or stores "covered information" concerning more than 5,000 individuals during any consecutive 12-month period, and (2) that is within the FTC's jurisdiction, is a common carrier under the Communications Act of 1934, or is a non-profit organization. The bill does not provide a private right of action, and it preempts some, but not all, state privacy laws.

On April 13, Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced the Consumer Privacy Protection Act of 2011 (H.R. 1528). This bill would require covered entities to disclose that the personally identifiable information collected by the covered entity may be used or disclosed for purposes or transactions unrelated to that for which it was collected.

The bill would also require a covered entity to develop a privacy policy describing its practices with respect to "the collection, sale, disclosure for consideration, dissemination, use, and security of the personally identifiable information of consumers", and to share the policy with consumers in the form of a "Privacy Policy Statement." The Privacy Policy Statement that is provided to consumers must be concise, clear, and conspicuous. It must be provided to consumers at the first time the covered entity collects information that may be used for a purpose unrelated to a transaction, and describe who is collecting the information, types of information collected, how the information is used, whether a consumer must provide the information to complete a transaction, and whether such information is subject to sale or disclosure for consideration.

The bill would require covered entities to provide an opt-out from the sale or disclosure for consideration of an individual's personally identifiable information. A covered entity is "an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium) sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period."

The bill provides a safe harbor for entities that participate in an approved self-regulatory program. The bill preempts all state laws relating to the collection and use of personal information "in commerce," does not allow a private right of action, and does not allow enforcement by state Attorneys General.

Copies of the bills are available here and here.