Foley's Privacy Blog has previously posted a podcast on the Kerry Bill, and the authors wanted to post additional information on this bill given the attention it is receiving. On March 11, 2011, Senator John Kerry issued a Staff Working Draft of his Commercial Privacy Bill of Rights Act 2011 (the “Bill”). The Bill, co-sponsored by Senator John McCain of Arizona, seeks to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.” Staff Working Draft of Commercial Privacy Bill of Rights Act 2011, p. 1 (the “Act”). The Bill was promulgated in part because “[e]xisting State, local, and Federal laws provide inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.” Id. at 3:20-23.
The Act directs all covered entities to comply with the privacy requirements set forth in the Bill. A covered entity is defined as “any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period” and that is subject to Federal Trade Commission (“FTC”) jurisdiction; the definition also reaches common carriers and non-profit organizations. Id. at 20:12-25; 21:1-13.
The information covered by the Act includes: 1) personally identifiable information (“PII”); 2) sensitive personally identifiable information (PII that “if lost, compromised, or disclosed without authorization could result in harm to an individual”); and 3) unique identifiable information (“UII”), defined as “a unique persistent identifier associated with an individual or networked device.” Additionally, the Act covers “any information collected in connection with personally identifiable information or unique identifier information.” Id. at 6:15-17; 8:20-25; 12:1-8.
Title I - Right to Security and Accountability
Within 180 days of enactment of the Act, the FTC must institute a rulemaking process to require each covered entity to enact conforming privacy measures. Each covered entity must establish managerial accountability for implementing the Act, maintain a process for responding to complaints, and describe its compliance to the FTC upon request.
Title II - Right to Notice and Individual Participation
Within 18 months of enactment of the Act, the FTC must require each covered entity to provide notice to individuals related to collection of covered information in a form that individuals can readily access, and also require that covered entities provide notice before implementing a material change in collection of covered information. The FTC may draft guidance for covered entities to use in devising their policies.
Within 24 months, the FTC must require each covered entity to offer individuals an opt-out consent for certain unauthorized uses of their PII, as well as an opt-in consent for other uses of their PII. Individuals must also have access to information regarding the use of their PII and be permitted to request that their PII be rendered not personally identifiable. Third parties may use information an individual has opted into sharing only for the use described by the covered entity. The FTC may also devise alternative means for individuals to terminate the use of their PII.
Title III - Right to Purpose Specification; Data Minimization; Constraints on Distribution; Data Integrity
Covered entities must only collect as much information as reasonably necessary and retain the information only as long as necessary.
Specific contracts are required for the transfer of PII from a covered entity to a third party. Covered entities must provide clear notice of the way they plan to transfer covered information to any third party, and cannot transfer information to a third party that they know has violated the specific contract. Third parties who receive information will be subject to the Act, unless the FTC finds that the third party cannot reasonably comply with the requirements of the Act.
Title IV - Application and Enforcement
A violation of the Act will be treated as an “unfair and deceptive act or practice” in violation of the FTC Act, and any violations of this Act will expose the violator to all available penalties under the FTC Act. Id. at 21:16-22.
In enforcement of the Act, the FTC must not require the use of any particular technology, software or hardware.
If the attorney general of a given state has reason to believe the Act has been violated, that attorney general may bring a civil action on behalf of that state’s residents. The attorney general must provide written notice to the FTC, and the FTC will have the right to intervene in the action. However, if the FTC has already instituted an action under the Act, the attorney general may not bring an action.
A violation of the Act can result in a penalty of up to $2,000,000 or $3,000,000, depending on which title of the Act was violated.
The Act supersedes all state laws, except those dealing with health information, financial information, data breaches, or fraud. The Act disallows any private right of action.
Title V - Co-Regulatory Safe Harbor Programs
Arguably the most notable section of the Act is this title, which requires the establishment of safe harbor programs under which a non-governmental organization administers a program to implement the requirements of the Act. This organization would be tasked with establishing a mechanism to implement the Act, offering a means of opting out, and implementing a “comprehensive information privacy program.” Id. at 28:16-17. These programs would be supervised and enforced by the FTC. Covered entities that participate in a safe harbor program will be exempt from the major provisions of the Act if the safe harbor program is “substantially the same as, or more protective of privacy than, the requirements” of the Act. Id. at 30:14-16.
The FTC may also host a website providing the opt-out tools offered by the safe harbor programs, and may require safe harbor programs to participate in that FTC-hosted website.