Today, Senator John Kerry and Senator John McCain held a press conference to introduce a new bill titled the “Commercial Privacy Bill of Rights Act of 2011.”

You can watch the press conference announcing the introduction of the bill.

For more information:

  • A summary of the press conference announcing the bill
  • Text of the bill
  • Bill summary
  • Press release

Highlights of the bill:

  • The bill does not create a private right of action, but instead directs state attorneys general and the FTC to enforce the bill.
  • Although the bill does not create a private right of action, it requires each “covered entity” to “have a process to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of covered information related to such individuals”.
  • The bill preempts state law relating to entities covered by the regulations issued under the bill, to the extent the state law provisions relate to the collection, use, or disclosure of (i) covered information addressed in the bill, (ii) personally identifiable information or personal identification information addressed in provisions of state law. However, the bill does not preempt the applicability of state laws (i) that address the collection, use, or disclosure of health or financial information, (ii) that address notification requirements in the event of a data breach, or (iii) to the extent that they relate to acts of fraud.
  • The bill generally applies to persons who collect, use, transfer, or store “covered information” concerning more than 5,000 individuals during any 12-month period.
  • The bill applies to third parties that receive covered information from a covered entity as if they were covered entities, except to the extent the FTC exempts certain classes of third parties.