Senators John Kerry and John McCain introduced the Commercial Privacy Bill of Rights at a press conference today. The stated purpose of the bill is to “establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).”

According to a summary of the bill released by Senator Kerry, the three primary privacy rights are:

  1. The right to security and accountability—requiring collectors of information to implement security measures to protect the information they collect and maintain;
  2. The right to notice, consent, access, and correction of information—requiring clear notices of collection practices, the ability to opt out of collection and transfer of data to third parties for behavioral advertising, consent to collect sensitive PII, and the ability for persons to correct their information and request the cessation of its use; and
  3. The right to data minimization, distribution constraints, and data integrity—requiring collectors to limit collection to only data that is necessary, to bind third parties by contract to use transferred data only in accordance with the privacy rights, and to establish procedures that ensure that the information is accurate.

Senator Kerry’s summary also states that the bill would direct state attorneys general and the FTC to enforce the provisions. A private right of action would be precluded. Additionally, the FTC would be permitted to approve safe harbor programs allowing a participant to be exempt from some requirements of the bill. Finally, the Department of Commerce would be directed to assist in developing the safe harbor program as well as engaging in a research component for privacy enhancement and improved information sharing.