Congress has been busy recently on the consumer privacy front. Three federal privacy bills have been proposed in the past few weeks: two by Representative Jackie Speier (D-Calif.) and one by Representative Bobby Rush (D-Ill.).
Rush Best Practices Act
On February 10, 2011, Rep. Rush reintroduced his Best Practices Act (http://tinyurl.com/6kkucwx), which would establish national requirements for collecting and sharing personal information. The legislation is intended to ensure that consumers have meaningful choices about the collection, use, and disclosure of their personal information, and it would require companies to:
- Disclose their practices with respect to the collection, use, disclosure, merging, and retention of personal information, and explain consumers' options regarding those practices.
- Provide those disclosures in concise, meaningful, timely, and easy-to-understand notices. The bill directs the FTC to establish flexible and reasonable standards and requirements for such notices.
- Obtain "opt-in" consent before disclosing information to a third party. The bill would define "third party" based on consumers' reasonable expectations rather than on corporate structure.
- Provide special treatment for sensitive information (e.g., medical, financial, sexual orientation, or geolocation information), including opt-in express affirmative consent for collection, use, and disclosure.
- Establish a "safe harbor" that would exempt companies from the opt-in consent requirement, provided those companies participate in a universal opt-out program operated by self-regulatory bodies and monitored by the FTC.
- Have reasonable procedures to ensure the accuracy of the personal information they collect. The bill also would require the companies to provide consumers with reasonable access to, and the ability to correct or amend, certain information.
- Have reasonable procedures to secure information, and retain personal information only as long as necessary to fulfill a legitimate business or law enforcement need.
As a general rule, companies could continue to disclose personal information without consumer consent to third-party service providers for the purpose of providing services or products requested, ordered, or purchased by a consumer.
Speier Do Not Track Me Online Act
On February 11, a day after Rep. Rush's bill was introduced, Rep. Speier introduced her Do Not Track Me Online Act (http://tinyurl.com/6892yka). If passed, the law would direct the FTC to develop standards for a "do not track" mechanism that would allow individuals to opt out, up front, of the collection, use, or sale of information about their online activities, and it would require covered entities to respect consumers' choices. Failure to do so would be treated as an unfair or deceptive act, subjecting the offender to FTC enforcement actions and other potential legal claims. In addition to the FTC, state attorneys general would have authority to bring civil actions to enforce the law. Civil penalties would be calculated by multiplying the number of days a company was out of compliance by an amount of up to $11,000 per day, capped at a total liability of $5 million.
The bill answers the call of the FTC in its December 2010 privacy report that encouraged the development of a do not track mechanism akin to the "do not call" list but used to indicate when an individual does not want his or her Internet activity to be tracked. Rather than a true list, do not track would be accomplished through a simple, easy-to-use mechanism, such as a setting on consumers' browsers enabling consumers to choose whether to allow the collection of data regarding their online searching and browsing activities.
The FTC would have 18 months to develop regulations for an opt-out mechanism. The opt-out mechanism must "allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use." The law would apply to companies that collect personal information online, such as online browsing activity, IP addresses, and traditional personal information, such as names, e-mail addresses, and phone numbers. Companies would be required to notify consumers of their collection and sharing practices, including with whom they share consumer information.
Speier Financial Information Privacy Act
Also on February 11, Rep. Speier introduced the Financial Information Privacy Act of 2011 (FIPA) (http://tinyurl.com/5wsc96s), which would amend the Gramm-Leach-Bliley Act to bring it in line with California's financial privacy law. The California law prohibits financial institutions from sharing or selling personally identifiable nonpublic information with affiliates unless consumers are given an opportunity to opt out, and from sharing it with unaffiliated third parties unless consumers opt in. The bill would strengthen privacy protections for individuals by making it more difficult for banks and other financial institutions to share information. The bill will likely be strongly opposed by the financial industry.