Today, Senators John Kerry and John McCain introduced the much-anticipated “Commercial Privacy Bill of Rights Act of 2011,” a bill that would require businesses that collect, use, store or transfer consumer information to implement strong privacy protections in the development of their products and to provide consumers with meaningful choices about how their data is collected, used, and shared.
As its name suggests, the bill is structured around a set of consumer “rights,” including:
- The right to security and accountability, which the legislation would protect by authorizing the FTC to require strong data protections and the implementation of “privacy by design” by all companies;
- The right to notice and individual participation, which would be protected by authorizing the FTC to make rules requiring clear and concise notice of privacy practices (and material changes to those practices) and providing consumers with choices about the ways in which their data is collected, used, and shared; and
- The rights to data minimization, constraints on distribution, and data integrity, which the bill would protect by imposing limitations on the amount of information a company may collect, the period of time such information may be retained, and on the uses of information transfered by one company to another.
The majority of the provisions in the bill apply to a broadly defined set of information that includes traditional kinds of personally identifiable information as well as data such as IP addresses and unique identifiers like cookies. Although the bill is built upon broad and general protections, its requirements are actually quite specific and intricate. We think the bill can be distilled into eight key requirements for companies:
1. Provide clear, concise and timely notice of privacy practices and of material changes to those practices.
2. Offer a clear and conspicuous mechanism that allows consumers to opt-out of “unauthorized uses” of their information (i.e., uses not previously authorized by the individual to whom the information relates).
- Unauthorized uses do not include uses of information:
- to deliver a service;
- for product or service improvement;
- for first-party marketing (including first-party marketing by entity receiving data at the request of the individual or from an entity with whom the individual has an established business relationship);
- for uses by an entity with an established business relationship with the consumer if the use is reasonably expected.
3. Offer robust, clear and conspicuous opt-out consent for third-party use of information for behavioral advertising or marketing.
- The bill defines “third parties” as entities that are not—
- service providers, or
- entities with an established business relationship that identify themselves in a clear and conspicuous manner visible to the individual from whom data is collected.
4. Obtain opt-in consent for the collection, use or transfer of sensitive information outside of processing or delivering a service, preventing or detecting fraud, or providing a secure environment.
- Sensitive information includes:
- data that if disclosed would cause significant risk of economic or physical harm; or
- information related to a “precise medical condition or health record” or religious affiliation of an individual.
5. Obtain opt-in consent for material changes to “stated practices” when new uses or disclosures involving previously collected data would create “a risk of physical or economic harm.”
- information security measures;
- an accountability program proportional to the size and structure of the entity;
- a privacy by design program;
- “appropriate and reasonable” access and correction procedures;
- data minimization and data retention policies; and
- data integrity policies where stored information could be used to deny consumers a benefit or cause significant harm.
7. De-identify data after an individual requests the termination of a service (in certain circumstances);
8. Implement third-party contractual requirements–
- Transfers after opt-in consent: If a company transfers information to a third party after obtaining opt-in consent, the company must restrict third-party uses inconsistent with such consent;
- Service provider: If a company wants service provider uses to be “authorized,” the company will need to have a contract that requires the service provider to use data consistent with the company’s practices.
- With all third party contracts, a company must limit uses of information to those that are consistent with the legislation and the services provided; prevent the combination of non-PII with PII without consent; and undertake upfront due diligence.
Violators of the bill’s requirements would be subject to an enforcement action by the FTC or a state attorney general. Importantly, however, the bill does not provide individuals with the right to bring private lawsuits.
Finallly, the bill authorizes the FTC to create rules establishing “co-regulatory safe harbor programs,” which would be administered by nongovernmental organizations. At a minimum, these programs would be required to establish for participants a mechanism for implementing the requirements of the bill with regard to certain types of “unauthorized uses” of information. The mechanism would also be required to offer consumers a means of opting out of the transfer of information to a third party for behavioral advertising, location-based advertising, or other unauthorized uses. Entities that adhere to the rules of a qualifying co-regulatory program would be exempt from the requirements of the bill, other than those relating to security, accountability and privacy by design.
The Kerry-McCain bill is the first piece of comprehensive privacy legislation to be introduced in the Senate in the past ten years. But according to some, another Senate bill (perhaps authored by Senator Jay Rockefeller) may be just around the corner. Activity in the House is also picking up: Rep. Bobby Rush has already introduced a comprehensive bill, the BEST PRACTICES Act, and Rep. Cliff Stearns will reportedly introduce a similar measure later this week. Inside Privacy will continue to follow the activity in Congress closely and will keep you informed of developments as they occur.