Date: May 14, 2010
Rep. Rick Boucher (D-Va.), Chairman of the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Communications, Technology and the Internet, and Subcommittee Ranking Member Cliff Stearns (R-Fl.), released a discussion draft of a long-awaited privacy bill on May 4. The purpose of the legislation is to protect consumer privacy by requiring companies to disclose their privacy practices, provide details on how they collect and use information, and obtain consent before collecting and using "covered information" or "sensitive information." It also establishes how and when that kind of information can be shared with third parties. The bill applies to any entity that conducts interstate commerce and collects data from users, both online and offline. While privacy advocates contend that the bill does not do enough to protect consumer privacy, the business community views it as a sweeping new regime that in some ways imposes more restrictions on the operations of both for-profit and non-profit organizations than EU law.
The bill defines "covered information" to include information such as names, addresses, Social Security numbers, and bank account numbers, but the term also covers what is referred to as "any persistent identifier." That term is defined to include a customer number, "unique pseudonym or user alias," IP address, or other unique identifier used to store or identify information about a specific individual or a computer, device or software application owned or used by a particular user or otherwise associated with a particular user. "Preference profiles" are also "covered information." The net result is to eliminate current, common sense distinctions between personal and non-personal information.
All covered entities must post a privacy notice on their web page or, if a company collects information offline, a privacy notice must be provided in writing before any information can be collected. Detailed notices must inform users of data collection practices, such as what information is collected, how it will be used, how it will be collected, where it will be stored, and how long it will be stored in identifiable form. In addition, the privacy notice must inform users as to how they can access their information, limit the collection and disclosure of their information, and contact the company to submit questions or complaints on how the entity handles information, as well as how the company will handle material changes.
Covered entities must also obtain consent before collecting and using "covered information." An opt-out would be necessary for all consent agreements, and a user must have the right to opt-out of information collection after consent is originally given. A company would then be prohibited from collecting any more information or using any information previously collected. This consent requirement excludes data collected for transactional or operational purposes, but this exemption does not apply to data collected for advertising or marketing purposes. A lack of clarity in some of the definitions and exemptions will raise questions about obligations and requirements, putting the practicality of the concept in doubt. It is not possible, for example, to offer written notice to a consumer calling a consumer hotline before a company begins an information intake process to respond to a consumer request. Similarly, while the operational purpose exemption allows for "disclosure" of information reasonably believed to be required, collection and use of that information must be covered.
The bill treats "sensitive information" differently from "covered information." Covered entities are prohibited from collecting or disclosing "sensitive information" unless users are notified and provide express affirmative consent. Importantly, "sensitive information" is much more broadly defined than ever before, and includes medical records, race, religious beliefs, sexual orientation, financial records, and geolocation information. Similarly, the collection or disclosure of a user's online activity is prohibited without notice and express affirmative consent.
Concerns about online behavioral advertising (OBA) are part of the impetus of the bill, and one reason for the breadth of the definitions. The bill restricts the disclosure of covered information about an individual's online activity without a privacy notice and express affirmative consent, dictates how and when information can be shared with third parties, and includes an exception for individual managed preference profiles if a readily accessible opt-out mechanism is used and information is deleted or made anonymous after 18 months. Industry OBA guidelines have drawn a careful distinction between first party (including affiliates) and third party data collection and sharing, distinctions that do not appear to be made in the draft.
The Federal Trade Commission (FTC) may use expedited rulemaking procedures to adopt rules implementing the act. The FTC will have the power to enforce the act, treating any violation as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. State Attorneys General also have enforcement rights under the bill. The bill does not create a private right of action, and preempts state law.
Many questions arise about application of the requirements to a wide variety of activities by for-profit and non-profit entities. For example, will intake of disaster relief donations by phone be limited or delayed because of a requirement that written privacy notices be provided before information is collected? Will businesses, including professional and trade associations, have to send written privacy notices before sending information by mail or fax to prospects? The draft bill specifies that it will have no effect on existing privacy laws, like the Gramm-Leach-Bliley Act (GLB), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Children's Online Privacy Protection Act (COPPA), and CAN SPAM Act of 2003 (CAN SPAM), but aspects of the bill conflict with those laws. For example, unsolicited commercial email messages can be sent to consumers so long as the message complies with CAN SPAM.
The bill is being discussed at a time when privacy is on the agenda at the agency level. The Department of Commerce (DOC) is engaged in a review of the U.S. privacy framework, and the Federal Trade Commission is reviewing COPPA. Concepts such as the definition of personal information and approaches to protect privacy will likely be discussed in all of the venues, and could have an impact on the legislative discussions. Comments to DOC must be submitted by June 7, and COPPA comments must be submitted to the FTC by June 30. The FTC will also host a workshop on June 2.
To read the draft bill, see: http://www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf. For information on the DOC review, see: http://edocket.access.gpo.gov/2010/pdf/2010-9450.pdf. For information on the COPPA review, see: http://ftc.gov/opa/2010/04/coppa.shtm. A preliminary agenda for the June 2 workshop is also available at http://ftc.gov/bcp/workshops/coppa/Agenda_2010COPPARoundtable.pdf.
FOR MORE INFORMATION, please contact Sheila A. Millar (202.434.4143; firstname.lastname@example.org) or Tracy P. Marshall (202.434.4234; email@example.com).