As expected, Rep. Cliff Stearns (R-FL) and co-sponsor Rep. Jim Matheson (D-UT) introduced the “Consumer Privacy Protection Act of 2011” earlier today. The bill follows closely on the heels of the “Consumer Privacy Bill of Rights Act” (S. 799), which was introduced yesterday by Senators John Kerry (D-MA) and John McCain (R-AZ). (You can read our summary of S.799 here.) The following is a summary of Rep. Stearns’ bill that highlights its key differences from S.799.
Scope: The bill would regulate the online and offline collection and use of traditional forms of personally identifiable information (e.g., name, address, email). The scope is therefore narrower than S.799, which also covers the collection and use of “unique identifiers” and IP addresses.
Notice obligations: The bill requires covered entities to provide notice in three instances:
- Notice in a privacy policy;
- Notice in a “statement” made before any PII collected from a consumer is used for a purpose unrelated to the transaction for which it was collected; and
- Notice for material changes to privacy policy statements.
S.799 contemplates the first and third forms of notice, but not the second.
Consent obligations: Unlike S.799, the Stearns bill does not obligate entities to obtain opt-in consent in any circumstance. It requires an opt-out opportunity before selling PII that may be used for a purpose unrelated to the transaction in which the PII was collected, unless the purchasing entity is (1) under common control with the covered entity; or (2) contractually obligated to comply with the practices enumerated in the covered entity’s privacy policy. A covered entity may also offer the consumer an opportunity to permit the sale (or disclosure for consideration) of such information in exchange for a benefit to the consumer.
In other circumstances, a covered entity may offer consumers other opportunities to limit collection or use of PII, but is not required to do so.
Other obligations: The bill requires covered entities to prepare an information security policy applicable to their information management practices and treatment of PII. The bill does not contain provisions relating to privacy by design, data access, data retention, data integrity, or data minimization, all of which are part of S.799.
Enforcement:
- Violations would be considered unfair or deceptive practices under the FTC Act.
- Covered entities would be presumed to be in compliance with the bill if they comply with FTC-approved industry self-regulatory programs that provide privacy protections substantially equivalent to, or greater than, those provided in the bill.
- The bill does not contemplate enforcement by state attorneys general. (It differs from S.799 in this regard.)
- The bill also does not provide a private right of action.
Preemption: Like S.799, the bill preempts state law that relates to its terms.
We will continue to monitor these legislative developments.