On May 9, 2011, Senator John Rockefeller (D-WV), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, introduced the Do-Not-Track Online Act of 2011. The bill tasks the Federal Trade Commission with creating and implementing a do-not-track (“DNT”) mechanism for users who do not want to have personal information collected by providers of online services.
As we previously noted, Rep. Jackie Speier (D-CA) introduced do-not-track legislation in February, and another DNT bill is making its way through the California State Senate. The following summarizes Sen. Rockefeller’s bill and highlights some key differences from Rep. Speier’s H.R. 654.
Scope. Unlike H.R. 654, Sen. Rockefeller’s bill does not include a definition of “covered entity.” It would be up to the FTC to determine which providers of online services are required to comply with the DNT rules. The FTC would also have the responsibility of interpreting what “personal information” would be covered by the regulations.
Rulemaking obligations. Similar to H.R. 654, Sen. Rockefeller’s bill would require the FTC to promulgate regulations that (1) establish standards for implementing a mechanism whereby individuals can “simply and easily” indicate whether they want online service providers to collect personal information, and (2) prohibit service providers from collecting personal information on users who have expressed a DNT preference.
Notwithstanding a user’s DNT preference, Sen. Rockefeller’s bill specifies that service providers must be allowed to collect personal information (1) when necessary to provide a requested service, as long as the information is then anonymized or deleted, or (2) if the individual receives clear notice and provides consent.
In promulgating the regulations, the FTC would be required to consider six factors: the appropriate scope of the rules, technical feasibility and costs for implementation and compliance, existing DNT mechanisms, how DNT mechanisms should be publicized and offered, whether and how information can be collected anonymously, and the standards under which personal information may be collected and used to provide services requested by a user, even if that user has expressed a DNT preference.
Enforcement.
- Violations would be considered unfair or deceptive practices under the FTC Act. Nonprofits are expressly included within the FTC’s enforcement authority.
- State attorneys general would also be empowered to bring civil suits, with a cap of $15,000,000 for all civil penalties against a person that violates a rule (higher than the $5,000,000 cap contemplated under H.R. 654).
- Neither H.R. 654 nor Sen. Rockefeller’s bill provides for a private right of action.
Preemption. Unlike H.R. 654, Sen. Rockefeller’s bill does not address the preemption of inconsistent state laws.
Biennial review and assessment. Sen. Rockefeller’s bill contains a review requirement not found in H.R. 654: Two years after the effective date of the regulations, the FTC must report to Congress on the implementation of the Act, the regulations’ effectiveness, and the effect on online commerce.
A number of consumer protection groups, including the ACLU, Privacy Rights Clearinghouse, and Consumer Watchdog, have expressed support for Sen. Rockefeller’s bill. According to The Hill, the DNT provision of Sen. Rockefeller’s bill is expected to be discussed as an amendment to the Kerry-McCain bill, which we analyzed here.
Inside Privacy will continue to inform you of relevant developments with this bill and other privacy-related legislative proposals.