Yesterday, the U.S. Senate Permanent Subcommittee on Investigations held a hearing on “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”  The hearing was based on a year-long investigation into a broader set of issues related to consumer privacy and security on the Internet, which narrowed over time to focus specifically on the online advertising industry and the problem posed by “malvertising,” or advertisement-based malware, which cybercriminals can use to target consumers through online advertising.

The hearing was accompanied by a report jointly authored by Subcommittee Chairman Carl Levin and Ranking Member John McCain.  The report, which focused on the problem of malvertising, highlighted recent malware attacks channeled through well-known websites such as YouTube (owned by Google) and Yahoo!.  The report presented four major recommendations for limiting the risk to consumers posed by malvertising: (1) establishing better practices and clearer rules to prevent online advertising abuses; (2) strengthening security information exchanges within the online advertising industry to prevent abuses; (3) clarifying specific prohibited practices in online advertising to prevent abuses and protect consumers; and (4) developing additional “circuit breakers” to protect consumers once malvertising attacks are discovered.


As expected, Rep. Cliff Stearns (R-FL) and co-sponsor Rep. Jim Matheson (D-UT) introduced the “Consumer Privacy Protection Act of 2011” earlier today.  The bill follows closely on the heels of the “Consumer Privacy Bill of Rights Act” (S. 799), which was introduced yesterday by Senators John Kerry (D-MA) and John McCain (R-AZ).  (You can read our summary of S.799 here.)  The following is a summary of Rep. Stearns’ bill that highlights its key differences from S.799.

Scope:  The bill would regulate the online and offline collection and use of traditional forms of personally identifiable information (e.g., name, address, email).  The scope is therefore narrower than S.799, which also covers the collection and use of “unique identifiers” and IP addresses. 

Notice obligations:  The bill requires covered entities to provide notice in three instances: 

  • Notice in a privacy policy;
  • Notice in a “statement” made before any PII collected from a consumer is used for a purpose unrelated to the transaction for which it was collected; and
  • Notice for material changes to privacy policy statements.    

S.799 contemplates the first and third forms of notice; not the second. 

Consent obligations:  Unlike S.799, the Stearns bill does not obligate entities to obtain opt-in consent in any circumstance.  It requires opt-out consent before selling PII that may be used for a purpose unrelated to the transaction in which the PII was collected unless the purchasing entity is (1) under common control with the covered entity; or (2) contractually obligated to comply with the practices enumerated under the entity’s privacy policy.  A covered entity may provide the consumer an opportunity to permit the sale (or disclosure for consideration) of such information in exchange for a benefit to the consumer. 

In other circumstances, a covered entity may offer consumers other opportunities to limit collection or use of PII, but is not required to do so.

Today, Senators John Kerry and John McCain introduced the much-anticipated “Commercial Privacy Bill of Rights Act of 2011,” a bill that would require businesses that collect, use, store or transfer consumer information to implement strong privacy protections in the development of their products and to provide consumers with meaningful choices about how their data is collected, used, and shared. 

As its name suggests, the bill is structured around a set of consumer “rights,” including:

  • The right to security and accountability, which the legislation would protect by authorizing the FTC to require strong data protections and the implementation of “privacy by design” by all companies;
  • The right to notice and individual participation, which would be protected by authorizing the FTC to make rules requiring clear and concise notice of privacy practices (and material changes to those practices) and providing consumers with choices about the ways in which their data is collected, used, and shared; and
  • The rights to data minimization, constraints on distribution, and data integrity, which the bill would protect by imposing limitations on the amount of information a company may collect, the period of time such information may be retained, and on the uses of information transferred by one company to another.


Just a week after the Obama Administration announced its support for comprehensive privacy legislation in testimony before the Senate Commerce Committee, Senator John Kerry (D-Mass.) has released a draft bill that attempts to respond to the Administration’s call for broad baseline privacy protections for consumers.   Kerry’s bill, which is co-sponsored by Senator John McCain (R-Ariz.) is still