Experts Discuss Proposed “Commercial Privacy Bill of Rights”
By Emily Leach, CIPP
Senators John Kerry (D-MA) and John McCain(R-AZ) yesterday presented the “Commercial Privacy Bill of Rights Act of 2011,” laying a framework for the protection of Americans’ personal information in the online environment.
Some highlights include:
- A right to opt out of online behavioral advertising
- A requirement that “covered entities” receive opt-in consent before collecting sensitive personal information
- A requirement that “covered entities” implement a Privacy by Design model to protect consumer information, including collecting and storing only the information necessary to the intended purpose for as long as it is needed
- The ability for people to access their information and, if necessary, correct it
Industry and privacy experts alike are weighing in on the implications of the bill, which the senators describe as predicated on the beliefs that “personal privacy is worthy of protection through appropriate legislation” and current laws provide “inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.”
Power to the FTC
While the bill contains some provisions that impose regulations directly onto covered entities, much of the onus of rulemaking falls on the FTC.
“This will give the FTC significant power to shape the privacy landscape in this country,” says Lisa Sotto, of Hunton & Williams, which has provided a detailed outline of the bill in its Privacy and Information Security Law Blog.
Sotto points out, “The bill does not pick up on the FTC's new focus on harm to human dignity. Instead, the bill focuses on traditional notions of harm, specifically economic and physical harms.”
The bill also eliminates private rights of action, giving the right to bring suit against violators to state attorneys general and the FTC. Amy Mushahwar of Reed Smith LLP says this is good news, noting, “by excluding a private right of action and shutting out the class-action bar, this bill does not make the same mistake that was made in the telemarketing context nearly 20 years ago.”
The bill broadly refers to a “covered entity” as anyone that “collects, uses, transfers or stores ‘covered information’ on more than 5,000 individuals” over a consecutive 12-month period and is subject to FTC authority, the Communications Act or is a nonprofit.
Covered information refers to personally identifiable information (PII), while the subset of sensitive personal information includes medical data, religious affiliation and information that “if lost, compromised or disclosed without authorization…carries a significant risk of economic or physical harm.” This goes to further Sotto’s point about the bill’s neglect of “harm to human dignity.”
A CNET News report points out that the umbrella of covered entities does not include government agencies and police.
Recent government breaches and use of surveillance technologies prompts Jim Harper of the Cato Institute to ask in the report, “What's a bill of rights if it doesn't provide rights against the government?"
The report notes that the bill is being unveiled at a time when the Obama Justice Department is lobbying for broader surveillance powers, potentially causing the government exemption to appear more pointed.
What does it mean for businesses?
Opt in. Opt out. Privacy by Design. Consumers’ ability to access and correct their information. In short, the FTC is tasked in this bill with creating rules that will see businesses meeting customer expectations and complying with their choices relating to how their information will be collected, used and protected throughout its lifecycle.
In that vein, the bill requires managerial accountability, an inquiry response process and that covered entities implement Privacy by Design, “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered…”
According to Sotto, the bill picks up on “central concepts in European data protection”—such as data minimization, data integrity and consumers’ ability to access, correct and block the use of their data—“but modernizes them so they don't become a hindrance to doing business.”
What about self-regulation?
There is a provision in the bill allowing the FTC to establish a safe harbor program and to approve non-governmental initiatives such as industry self-regulatory programs for online behavioral advertising. A ClickZ report says it’s not clear whether the Digital Advertising Alliance program would satisfy the FTC’s requirements.
Mushahwar and others are encouraged by this open door.
“Industry is already well on its way towards greater self-policing efforts in the area of online behavioral advertising. These serious efforts ought to be provided an opportunity to demonstrate that strong self-regulation is a more sensible and flexible solution than static legislation, particularly in an area where privacy expectations, consumer tastes, commercial needs and technology are rapidly evolving,” Mushahwar said.
What about do not track?
Amid FTC calls for a do-not-track mechanism and the recent introduction of a bill by Rep. Jackie Speier (D-CA) proposing the same, the Kerry/McCain bill makes no mention of do not track. The New York Times reports that Kerry acknowledged the initiative in yesterday’s press conference but said it “didn’t seem to fit into our ability to get the balance between consumer support and industry support that we were able to get.”
However, he has not discounted it entirely, stating, “It may well be one of the amendments that we continue to talk about.”
What do people think?
So far, response from industry and privacy advocates is split.
The Direct Marketing Association and the Interactive Advertising Bureau are quoted in The New York Times as voicing concern over the bill’s provision allowing consumers to access and correct their data. Linda Woolley, the executive vice president of Washington operations at the Direct Marketing Association, said this provision would be expensive and require serious user authentication.
Microsoft, HP, Intel and eBay have released a joint statement supporting the bill, saying, “The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.” The companies said the bill “strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self‐regulatory program."
Meanwhile, CDT Consumer Privacy Project Director Justin Brookman told PCMagazine the bill "provides a solid foundation for the discussion of how to enact such protections over the months ahead."
Some privacy advocates are saying the bill could have and should have gone farther, requiring a do-not-track mechanism. But Sotto applauds the senators for “seeking to craft a bill that would be reasonably palatable to those on both ends of the spectrum, from privacy advocates to those involved in behavioral advertising.”
What do you think?