Kerry, McCain Circulate "Commercial Privacy Bill of Rights"
Just a week after the Obama Administration announced its support for comprehensive privacy legislation in testimony before the Senate Commerce Committee, Senator John Kerry (D-Mass.) has released a draft bill that attempts to respond to the Administration's call for broad baseline privacy protections for consumers. Kerry's bill, which is co-sponsored by Senator John McCain (R-Ariz.) is still undergoing revisions, but a draft [PDF] was released to the public earlier this week.
We have closely followed congressional efforts on privacy legislation over the 112th Congress and would offer this high level overview of how the Kerry/McCain legislation stacks up against other efforts:
- The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data. The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
- The draft also states that businesses should "seek" to collect only as much "covered information" as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.
- "Covered information" is defined broadly and would include not just "personally identifiable information" (such as name, address, telephone number, social security number), but also "unique identifier information," including a customer number held in a cookie, a user ID, a processor serial number or a device serial number. Unlike definitions of "covered information" that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
- The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service "or for a reasonable period of time if the service is ongoing."
- The draft contemplates enforcement by the FTC and state attorneys general. Notably -- and in contrast to Rep. Rush's bill -- the draft does not provide a privacy right of action for individuals who are affected by a violation.
- Nor does the bill specifically address the much-debated "Do Not Track" opt-out mechanism that was recommended in the FTC's recent staff report on consumer privacy. (You can read our analysis of that report here.)
As noted above, the draft is reportedly still a work in progress. Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.