For the past couple of years, website companies, advertisers, internet service providers and privacy advocacy groups have been anxiously anticipating sweeping online privacy legislation from Representative Rick Boucher (D. Va.). On May 4, 2010, Representatives Boucher and Cliff Stearns (R. Fla.) unveiled a proposed bill which, if enacted, would create dramatic new regulations governing the collection, use and disclosure of certain personally identifiable information (PII), both online and offline. This bill, if enacted as currently written, will impact essentially every website and every company that engages in targeted marketing.
In addition to “traditional” PII (e.g. name, address, telephone number, e-mail address, biometric information such as fingerprints, social security number, et al.), the bill places even greater restrictions on “sensitive information” such as medical history, race, religion, sexual orientation, and financial records. The bill clearly targets and restricts the use of PII for marketing, advertising, and sales, including the sharing of PII with third parties, distinguishing such uses and disclosures from more broadly permissible operational or transactional uses (e.g. as needed to complete a transaction, to prevent security breaches, or to comply with applicable disclosure laws).
The bill would impose strict guidelines on “covered entities”, defined broadly to encompass persons engaged in interstate commerce (excluding government agencies, and excluding persons who collect information from fewer than 5,000 individuals in any 12-month period and who do not collect sensitive information), meaning the bill is not limited to online collection but reaches offline collection as well. Online covered entities would have to comply with specific notice and consent requirements by posting bill-compliant policy notices online and obtaining the consent of the individual before using PII for anything other than permitted operational or transactional purposes. Consent would generally be on an “opt-out” basis, but notable exceptions requiring express, affirmative consent from the individual include: (1) if the collector of the PII wishes to sell, share or otherwise disclose the PII to an unaffiliated third party; (2) disclosure or use of location-based information; (3) information substantially revealing an individual’s online activity; or (4) collection or disclosure of sensitive information. Covered entities that collect information by means other than the internet would be required to provide written notice (with the same level of specificity as required for online notice) to individuals before collecting any covered PII. All covered entities would be required to adopt procedures to assure the accuracy of any collected information, and would further be required to establish security measures protecting collected information that meet Federal Trade Commission (FTC) guidelines.
The bill is strictly federal, expressly preempting state laws and precluding private rights of action. Enforcement and regulation under the bill would fall to the FTC, although state attorneys general or state agencies with oversight over consumer protection could bring actions on behalf of the FTC. Over the next two months, Representatives Boucher and Stearns invite public comment and will amend the bill before introducing it in the House. Companies that may be significantly impacted should consider submitting official comments. Without a doubt, there will be much comment and much debate from both sides of the issue. A copy of the proposed bill is attached here.