With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act on July 21, 2010, Congress has turned its attention to matters related to privacy, data security, and cybersecurity. In the weeks leading up to the August recess, both the House Energy and Commerce Committee and the Senate Committee on Commerce, Trade and Transportation held hearings on privacy. A recent House hearing coincided with the introduction of new legislation. While it is not clear whether either Committee will be able to approve legislation before the end of this session, it is apparent that the stage is being set to address these issues in the 112th Congress.

House Consideration of Privacy

Congressional interest in issues of privacy started to rise in May 2010. On May 4, 2010, Rep. Boucher (D-VA) released a discussion draft of a privacy bill for public comment. This draft bill, which has yet to be formally introduced in Congress, would have major implications for many longstanding and important business practices. For instance, the bill would broadly restrict the collection and transfer of consumer data online as well as offline, and would establish notice and opt-out consent requirements for first party data collection and use. The bill would also effectively require opt-in consent for the transfer of personal data to third parties except in limited circumstances. Neither of these standards is the current practice in industry. In response to the release of this discussion draft, over 60 comments from various trade associations, companies, and consumer advocate groups were submitted to Rep. Boucher raising concerns with the draft legislative proposal.

On July 19, 2010, Rep. Rush (D-IL) introduced H.R. 5777, the BEST PRACTICES Act. This bill builds on the discussion draft released by Rep. Boucher but includes several significant differences. Like Rep. Boucher’s bill, H.R. 5777 would impose restrictions on the collection and transfer of consumer data online as well as offline, and establish a similar consent framework with respect to first party and third party data practices. However, Rep. Rush’s bill takes a different approach in providing a safe harbor under which entities that comply with approved self-regulatory programs are not subject to certain requirements. In particular, such companies would be permitted to transfer data to third parties subject to an opt-out. Another significant difference from Rep. Boucher’s draft is the inclusion of accuracy, access, and dispute resolution provisions.

The House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection held a hearing on July 22, 2010, to consider H.R. 5777 and general consumer privacy issues. The Subcommittee, which is chaired by Rep. Rush, mainly focused on the bill’s provisions that would create a safe harbor and enforcement mechanism, in particular the bill’s private right of action and enforcement by the state attorneys general. Rep. Rush stated he intends to move the bill quickly to the full committee for consideration.  

At this hearing, David Vladeck, the Director of the Bureau of Consumer Protection at the Federal Trade Commission, offered a few suggestions for the Subcommittee to consider as part of its legislative process:

  • He recommended requiring companies to provide a short disclosure at the point of collection or use.  
  • He further recommended simplifying consumer choice mechanisms.  
  • He stated that sharing of individuals’ data among companies affiliated through common ownership should not necessarily be exempt from consent requirements. He explained that consumers do not understand relationships between companies based on corporate control and may not appreciate the distinction between an affiliate and a third party.

On July 28, 2010, the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security held a hearing on online privacy, social networking, and crime victimization. The Subcommittee heard testimony from federal law enforcement agencies describing the rising incidence and complexity of online crimes relating to personal information shared online, as well as law enforcement strategies to counter these criminal acts. Additionally, industry and public interest groups discussed the protection of personal information online, particularly on social networks, as well as the tools available to consumers to maintain the privacy of their data.  

Senate Commerce Holds Hearings on Consumer Online Privacy

The Senate Committee on Commerce, Science, and Transportation held a hearing on consumer privacy on July 27, 2010. The Committee broadly explored online advertising, discussed whether consumers may be harmed by aggregating consumer data for marketing purposes, and considered the adequacy of current practices related to transparency and choice. During the hearing, Sen. Kerry (D-MA) commented that he intends to work with Sen. Pryor (D-AR) to build a record on which to develop common standards for protecting consumers online. Sen. Pryor has already chaired two hearings on children’s privacy and safety in the Subcommittee on Consumer Protection, Product Safety, and Insurance.  

Chairman Leibowitz of the Federal Trade Commission (“FTC”) testified at the hearing. He discussed the FTC’s 2009 Staff Report on guidelines for self-regulatory principles for online behavioral advertising as well as the FTC’s series of roundtable discussions on privacy. He said the FTC plans to release a report later this year making recommendations on:  

  • Incorporating privacy into business practices,  
  • Simplifying consumer choice,  
  • Improving transparency,  
  • Providing access and correction rights to data maintained by data brokers, and  
  • Requiring affirmative express consent for material retroactive changes to how data will be used.  

Chairman Leibowitz commented that the FTC is considering various approaches to providing consumers with clear notice and choice, including a mechanism for a universally recognized opt-out. Regarding transparency, Chairman Leibowitz said the FTC is considering ways to improve disclosures made through privacy policies and commented that companies could use a standardized format or terms. He also suggested that companies could provide a disclosure box, in addition to a privacy policy, in which companies could disclose material terms and provide a choice mechanism