This is another big week for privacy. On Monday, Senate Commerce Chairman Jay Rockefeller introduced the Do-Not-Track Online Act of 2011, which we posted about here. And yesterday, the newly created Senate Subcommittee on Privacy, Technology and the Law held its first hearing. The hearing focused on mobile privacy issues, but also touched on other important privacy-related matters, including reform of the Electronic Communications Privacy Act and data security breaches. The following are highlights from the hearing:
- Jessica Rich, Deputy Director of the Federal Trade Commission’s Bureau of Consumer Protection, testified that the FTC has “a number of active investigations into privacy issues associated with mobile devices, including children’s privacy.”
- Ms. Rich also noted that the draft Staff Report published by the FTC in December addresses mobile privacy issues in certain respects, including recommending that companies obtain affirmative express consent before collecting or sharing sensitive information such as precise geolocation data. In response to a question from Senator Al Franken, Ms. Rich explained that location data is especially sensitive because it often involves the data of children and teens and, when gathered over time, can be used to determine what church or political meetings a person attends and when and where a child walks to and from school. She also noted stalking concerns. Ms. Rich also expressed concerns that mobile users are even less likely than other online consumers to read detailed privacy screens, given the small screens of most mobile devices, but noted that the FTC Staff Report recommends clearer disclosures and simpler consent mechanisms. With respect to the status of the Staff Report, Ms. Rich’s written remarks indicate that FTC staff is analyzing the comments it received on its draft Staff Report and will take them into consideration in preparing a final report for release later this year.
- Senate Judiciary Chairman Patrick Leahy indicated that he plans to “introduce a bill very shortly” to update the Electronic Communications Privacy Act to address the development of remote data storage. In questions directed to Deputy Assistant Attorney General Jason Weinstein, Senator Leahy expressed concern about whether there are gaps in ECPA with respect to remotely stored location information.
- Senator Tom Coburn asked Ms. Rich several questions to determine the extent to which the FTC needs additional statutory authority to facilitate the FTC’s ability to protect consumers. (Senator Coburn asked Ms. Rich to submit to the Committee a list of the proposals from the FTC staff report that currently can be implemented under Section 5 of the FTC Act and which are forward-looking policy goals.) While Senator Franken seemed disposed toward legislation, his remarks noted that he appreciates business models that provide users free services and the continued ability of technology companies to provide innovative services to users.
- In his testimony, Mr. Weinstein indicated support for congressional action with respect data retention and data breach notification. He indicated that it is vital that law enforcement be notified of breaches in order to investigate cybercrimes. Specifically, he said for law enforcement to be successful in investigating identity theft, law enforcement needs to receive prompt reporting from victim companies and the opportunity to delay notification to consumers where appropriate. Ms. Rich noted that the FTC strongly supports data security and data breach legislation, with strong civil penalties, although noted that data security legislation should not require “perfection.”