The face of online privacy could change dramatically if legislation recently introduced in Congress becomes law. Two proposals, House Bill 1528 in the House of Representatives and Senate Bill 799, would provide for a privacy "bill of rights" covering the online gathering and use of personally identifiable information. The bi-partisan bills have quickly generated praise, but also concern, from consumer advocates and industry groups.

Both bills are the product of a groundswell of concern about the increasingly invasive gathering and use of consumer data, which often accompanies the most routine online activities. A December 2010 report by the Federal Trade Commission (FTC) found that while consumer information is a critical component of the online economy, many companies treat that information in an "irresponsible or even reckless manner." Information gathered from web browsing, social networking sites, location-enabled smartphones, loyalty programs, and other online and offline transactions often becomes a commodity in and of itself, to be marketed and sold. Individually, the pieces of information that consumers provide may be innocuous, but once aggregated and compiled, they can become "surprising and dangerous."
Both bills attempt to address these concerns while balancing the needs of the online economy to continue to use online information. Both bills begin by defining personally identifying information as including name, postal and e-mail addresses, mobile and landline telephone numbers, social security numbers, credit card numbers, and other account numbers. Additional information, including date and place of birth, IP address, and geographic location, may be considered personally identifying when aggregated. They exempt information that is in public records or is otherwise "publicly accessible." Notably, the Senate Bill would also exclude information obtained from "a forum where the individual voluntarily shared the information." This is being interpreted as excluding Facebook and other social media networks from the bill's coverage.
The proposals provide a broad framework for privacy regulation, but would delegate much of the details to the Federal Trade Commission and the Department of Commerce. Included in the framework are new requirements for “clear and conspicuous” privacy notices that identify what information is collected, how it is used, whether it is subject to sale or disclosure, and how it will be secured. Both bills would also require a “robust” mechanism for consumers to opt-out of allowing their information to be sold, disclosed, or used for purposes other than necessary to complete the original transaction.
The proposals would set minimum requirements for security of the information collected, and require senior management accountability for developing and implementing those standards. The Senate proposal would go further, imposing a “privacy by design” regime that would require businesses to incorporate information privacy protections and safeguards throughout the life cycle of a product or data gathering tool, rather than as an afterthought. The Senate bill would also impose rules for data minimization—collecting and retaining the minimum data for the minimum amount of time necessary to complete a transaction—and require procedures to ensure data accuracy.
In the debate following the FTC report, several industry advocates continued to argue in favor of self-regulation rather than legislation. They argued that self-regulation allows each business to develop the privacy policy and procedures most effective for its own needs, and leaves businesses free to adapt to new technologies as they are developed. They argued that market forces, and not legislation, would effectively encourage self-regulation.
In response to these industry concerns, the proposals would develop a self-regulatory “safe harbor.” Under this plan, codes of conduct and standards for self-regulatory privacy programs would be developed. Businesses could self-regulate and be exempt from the law’s requirements, provided they meet or exceed these standards.
Notably absent from the proposals is a requirement for a “Do Not Track” mechanism, which was a highlight of the FTC’s report. The FTC report did not specifically mandate that Do Not Track be implemented by legislation—it was willing to consider a self-regulatory Do Not Track scheme—but neither the proposed legislation, nor the safe harbor standards address the issue.
The law would be enforced by the FTC and by state Attorneys General. Penalties of up to $3 million would apply to violations of the law. However, individuals would not have a right to sue for violations of their own privacy; instead they would be required to bring their complaints to the FTC or their state Attorney General for action. Finally, the proposals would supersede state laws governing online privacy, leaving in force only those state laws that cover health and financial information and those requiring notice of data breaches.
It is these final provisions that have raised the most concerns about the proposal, particularly among consumer advocates, although advocates are not united in opposition. The Consumers Union and Consumer Federation of America are on record in support of the legislation as providing "consistent, mandatory standards" for privacy protection.
However, other groups, including Consumer Watchdog, the Center for Digital Democracy, Consumer Action, and others, objected to the bill saying that it did not go far enough. They argued that the absence of “Do Not Track,” the absence of a consumer’s right to sue for violations, and the failure to include Facebook and other social media are serious flaws that need to be addressed. Otherwise, they argue, the bill adds very little beyond the current “notice and choice” model that has “been the cornerstone of failed efforts at self-regulation.” Some industry groups have also expressed concern over the amount of power given to the FTC, and fear that legislation would impede self-regulatory efforts.
This is not the only governmental effort to address online privacy. A separate “Do Not Track Me Online Act” was quietly proposed in Congress in February, but no action has yet been taken. The FTC has indicated that it could enforce a Do Not Track mechanism without legislation, although it could only apply to companies that promised not to track, but failed to do so. In California, a “Do Not Track” proposal is being considered by the state legislature. If it were to be passed, however, it would only apply to California and likely be superseded by any federal privacy law.
Hearings on both proposals are expected later this spring in both the House and Senate. Passage of final legislation is likely to take many months and may involve a number of changes before either bill becomes law.