A long-awaited draft of a Congressional bill was released on May 4 that enhances consumer privacy protections both online and offline and seeks to push American privacy legislation closer to the strict regime used in Europe.

The bill's sponsors, Representative Rick Boucher, Democrat of Virginia, and Representative Cliff Stearns, Republican of Florida, are seeking comments on the draft, may revise the draft based on comments and meetings with privacy and advertising groups, and hope to formally introduce a bill in the House in the next few months.

The bill is broad in scope, applying both to the online and offline collection of personal information and also regulating certain aspects of behavioral advertising. Unlike other privacy laws and regulations, the bill uses the term "covered information" instead of "personal information" or "personally identifiable information." Covered information includes a consumer's name, postal address, email address, telephone and fax number, any government-issued identification number (such as a social security number or driver's license number), financial account number with a password or code necessary to access the account, biometric data, a unique identifier (including a customer number or Internet Protocol address used to link data to a specific individual or his or her computer, device or application), and a "preference profile" which is defined as "a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity."

In general, the bill requires companies that collect covered information to provide notice of their privacy practices before collecting any covered information. There is an exemption from the notice requirement (and possibly from the opt-in consent requirement for retroactive changes to a privacy policy) for covered information collected, used or disclosed for "transactional" or "operational" purposes, as long as the information collected is not used for marketing purposes.

Regarding consent to collect, use or disclose covered information, the bill generally provides:

  • an opt-out framework for collecting covered information as long as the company collecting information provides notice of its privacy policy, as required by the bill
  • an opt-in framework for collection or disclosure of sensitive information (sensitive information includes medical records, race, ethnicity, religious beliefs, sexual orientation, financial records, and precise geographical location)
  • an opt-in framework for retroactive material changes to a privacy policy
  • an opt-in framework for disclosing covered information to unaffiliated parties
  • an opt-in framework for disclosing location-based information

Opt-in consent requires express, affirmative consent.

Nothing in the draft bill prohibits a company from collecting or disclosing aggregate information or covered information that has been rendered anonymous. However, to render data anonymous, it must be non-identifiable with respect to both the individual and the device used by the individual, from which such data was obtained.

The bill also requires covered entities and their service providers to establish, implement and maintain appropriate administrative, technical and physical safeguards to ensure the accuracy, integrity, confidentiality and security of covered information.

With respect to behavioral advertising, the bill provides an opt-out framework as long as certain requirements are met. According to the executive summary released with the bill, the bill applies "opt-out consent to the sharing of an individual's information with a third-party ad network if there is a clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile, and if he chooses, to opt out of having a profile, provided that the ad network does not share the individual's information with anyone else."

If enacted into law, it would be enforced by the FTC as if it were part of the FTC Act; the bill also authorizes the FTC to promulgate rules to carry out the law. It would also be enforced by state Attorneys General and state consumer protection agencies, but there is no private right of action.

The bill would preempt any state law "that includes requirements for the collection, use, or disclosure of covered information." With such broad preemption language, the bill as currently drafted would potentially have a profound effect if it superseded those state laws that regulate the collection or disclosure of personal information. The bill states that it would have no effect on other federal privacy laws including Gramm-Leach-Bliley, Fair Credit Reporting Act, HIPAA, and COPPA. If enacted, the law would take effect one year after enactment.

A copy of the bill is available here.