Last week saw a flurry of activity on the privacy front, likely unprecedented at least in recent history. Over the course of less than 48 hours, three different privacy bills were introduced in the House of Representatives, one by Rep. Bobby Rush (D-Ill.), and two by Congresswoman Jackie Speier (D-Cal.). Speier is no stranger to the privacy arena, having been the primary driver behind very similar legislation, the California Financial Privacy Act, that was passed in her home state back in 2003. In a somewhat unique twist, Speier introduced two bills on Friday – the "Financial Information Privacy Act of 2011" and the "Do Not Track Me Online Act." We discuss each of the Rush bill and the Speier "Do Not Track Me Online" bill below (with a separate article on Speier’s "Financial Information Privacy Act of 2011" bill to follow shortly).
Rush Bill
Rush’s bill, essentially the same bill he introduced in July 2010 during the last Congress, is focused on enhancing consumer privacy online. Rush’s bill, dubbed "Best Practices Act for Online Privacy," allows for the collection and use of information from consumers, but requires entities to provide consumers with the ability to opt out from such collection, and to obtain a consumer’s consent before his/her data may be shared with any third party. Rush's proposed legislation, which would apply to both online and offline companies collecting personally identifiable data from customers, attempts to build federal standards around the ways personal data can be collected and used.
More specifically, the Rush bill provides (again):
- Companies are required to provide concise, meaningful, timely, prominent and easy-to-understand notice to users about their privacy policies and practices, including what information and why
- Internet companies, like search engines and social networks, would be required to get explicit consent from consumers before using any sensitive personal information for commercial purposes
- Companies that have already collected personal information may keep such data on hand as long as it either serves a legitimate business need or is used for law-enforcement needs
- State attorneys general may also bring actions against companies that violate customers’ privacy rights, with a maximum penalty of $5 million
- Companies outside the Federal Trade Commission’s traditional jurisdiction — including financial services firms, nonprofits and agricultural businesses — are exempted
- The FTC shall be tasked with establishing regulations under this proposed law, including the establishment of a safe harbor program for companies that wish to self-regulate. By voluntarily pledging to follow the new privacy policy, Rush is proposing that companies would no longer need to obtain user consent to share information.
Both in contrast to Speier’s "Do Not Track Me Online" bill and interesting in its own right, Rush’s bill does not mandate a do-not-track mechanism that would give consumers an easy way to opt out of having their Web activities tracked for advertising purposes, as does the Speier bill.
Speier’s "Do Not Track Me Online" Bill
By way of background, the "Do Not Track Me Online" bill is intended to define (i) who is subject to the bill, (ii) the nature of data that is subject to the bill, (iii) the Federal Trade Commission's (“FTC”) responsibility to establish online opt-out mechanisms, and (iv) the penalties assessed against violators of the proposed Do Not Track Me laws, if applicable.
The term covered entity is defined to include any party that collects and stores online data containing covered information in interstate commerce. Covered information is represented by a fairly extensive rundown of information generated from an individual’s online activity, including: (i) the websites and content accessed, (ii) the date and hour of online access, (iii) the computer and geo-location from which online information was accessed, (iv) the means by which such information is accessed (i.e., device, browser or application), (v) any unique user identifiers (i.e., customer numbers, IP addresses, etc.), and (vi) personal information (i.e., name, address, email addresses, etc.). From there the bill creates a further category – sensitive information. The term sensitive information is defined to encompass medical history (including both physical and mental health information), an individual’s social security number, unique biometric data, race or ethnicity, religious beliefs, sexual behavior, income assets, financial records and related information, and a user’s geo-location information.
The bill directs the FTC to establish and promulgate, within 18 months from its enactment, standards that establish an online opt-out mechanism that allows consumers to stop the collection or use of any covered information and to require a covered entity to honor such individuals’ opt-out decisions. Moreover, covered entities are required to disclose their information collection and use-practices, and have processes and procedures in place to abstain from the collection of covered information from those consumers that have opted-out of such collection or use, unless the consumer changes his/her opt-out preferences. Moreover, the FTC is given the authority to prescribe regulations it feels are necessary to carry out the purposes of this bill, to perform random audit of covered entities for investigative purposes to ensure compliance with the regulations, and to take any action it deems necessary to monitor, implement and enforce the regulations.
Sensitive to the realities that there are many uses of data, the bill enumerates several data uses that the FTC may exempt from some or all of the regulations. For example, the bill contemplates that there are data uses where consumer choice is not necessary, including analyzing data related to use of a product (e.g., web metrics), customer service, basic business functions (e.g., accounting, inventory, quality assurance and supply chain management), protecting or defending one’s rights or property, and compliance with applicable federal, state or local laws.
The Speier bill provides that a violation of the regulation amounts to a deceptive and unfair advertising and marketing practice, under 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). In contrast to the Rush bill, Speier’s bill more closely follows the recent FTC report on Privacy, which asked for comment on a proposed do-not-track mechanism. While the Rush bill contemplates the FTC establishing rules to implement his Best Practices for Online Privacy initiative, Speier’s bill goes further by specifically empowering the FTC under Section 553 of Title 5 to prosecute deceptive and unfair advertising practices. The most immediate challenges facing Speier: no GOP co-sponsor, she’s not a member of the House Energy and Commerce Committee, and the likelihood that we’ll see several more privacy bills introduced in the coming weeks and months.
Senate Judiciary Committee on Privacy, Technology and the Law
Lastly, on February 14, 2011, Sen. Patrick Leahy (D-Vt.), Chairman of the Senate Judiciary Committee, announced the creation of a subcommittee on Privacy, Technology and the Law. The subcommittee will be chaired by Sen. Al Franken (D-Minn.), and its jurisdiction will include oversight of laws and policies that govern the commercial collection, use and dissemination of personal information. Both the niche and agenda of this subcommittee remains somewhat in flux, as is the manner in which this committee will navigate the choppy and increasingly crowded privacy waters. While this subcommittee will increase the Senate’s focus on privacy issues, it is likely to encounter both political and jurisdictional conflicts with the Financial Services and Commerce Committees when proposing legislation.
Why This Is Important
While Congress continues to consider and debate various incarnations of a privacy law and model, this issue is clearly picking up momentum. There is also fervent activity within the states and courts, as privacy causes of action continue to be used by class-action plaintiff attorneys. With the FTC and DOC both issuing final privacy reports this year, 2011 promises to be an interesting year in the privacy world.
