Earlier this year, U.S. Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced S. 799, the “Commercial Privacy Bill of Rights Act of 2011,” which would establish, for the first time in the United States, a comprehensive framework for the collection, use, storage, and transfer of covered information. If passed as currently drafted, the bill would impose generally applicable notice, choice, security, access, and other obligations on companies that collect information about individuals, both online and offline, requiring fundamental changes to how they do business and interact with their customers.
The bill would be enforced by the Federal Trade Commission (“FTC”) and state Attorneys General. There would be no private right of action. It would apply to nonprofits and certain common carriers that are not traditionally subject to FTC jurisdiction. The bill would preempt state privacy laws governing the collection, use, or disclosure of “covered information,” except those laws relating to health or financial information, fraud, and data breach notification.
We expect the legislative process with respect to this bill to be somewhat protracted, as other stakeholders, such as privacy advocates, have already complained that it should provide greater restrictions on companies’ collection, use, and disclosure of data. Below is a short high-level summary of the bill’s scope and application.
TO WHOM AND WHAT WOULD IT APPLY?
The bill would generally regulate “Covered Entities,” defined as those that collect, use, transfer, or store the “Covered Information” of more than 5,000 individuals during any consecutive 12-month period.
“Covered Information” is defined broadly and obscures the traditional distinction between “Personally Identifiable Information” (“PII”) and non-PII. It does this by including both traditional PII (name, address, phone, and so forth) as well as “Unique Identifier Information” (“UII”), which means a unique persistent identifier associated with an individual or a networked device—which could be anything from a customer number held in a cookie to a user ID. Covered Information also encompasses any information stored in connection with either PII or UII that may be used to identify an individual.
More restrictive conditions are imposed on “Sensitive PII,” which means information related to a medical condition, health record, or religious affiliation, as well as PII which, if lost, compromised, or disclosed without authorization, carries a significant risk of economic or physical harm. Neither “significant risk” nor “harm” is defined, leaving open the possibility of a broad reading.
WHAT WOULD IT REQUIRE?
The bill would:
• Impose a notice and choice regime – The bill directs the FTC to promulgate rules to require a Covered Entity to:
  • Provide clear, concise, and timely notice of its Covered Information collection, use, transfer, and storage practices;
  • Offer a clear and conspicuous opt-out mechanism for any Unauthorized Use of Covered Information (except for any use requiring opt-in consent). “Unauthorized Use” means use for any purpose “not authorized by the individual.” It does not include certain commonly accepted uses, including first party marketing and analytics, as long as the information used was collected directly by the Covered Entity or its service provider;
  • Offer a robust, clear, and conspicuous opt-out mechanism for the use by a third party of Covered Information for behavioral advertising or marketing;
  • Offer a clear and conspicuous mechanism for opt-in consent for the collection, use, or transfer of Sensitive PII, with a few limited exceptions; and
  • Offer a clear and conspicuous mechanism for opt-in consent for a new material use or transfer of previously collected Covered Information if the new use or transfer creates a risk of economic or physical harm. Note that this standard is far less stringent than that currently espoused by the FTC, which requires notice and opt-in consent to any material retroactively-applied change, regardless of whether the change presents a risk of harm.
• Restrict the transfer of Covered Information to third parties – A Covered Entity would have to ensure the third party is legitimate (by doing due diligence), contractually restrict its use of the Covered Information, and notify the FTC of a material violation of the contract. This last provision in particular is likely to be subject to significant negotiation, as it would impose a novel requirement under U.S. law.
• Make “privacy by design” a legal requirement – This provision echoes a similar recommendation made by the FTC in the preliminary privacy report that it issued in December 2010, and it would require Covered Entities to implement a comprehensive information privacy program.
• Codify the requirement that businesses maintain reasonable security for PII – By way of enforcement actions, the FTC has effectively imposed the requirement that businesses have reasonable security measures in place in order to protect personal information. The bill would direct the FTC to promulgate rules that are technologically neutral and consistent with current FTC guidance and industry practices.
• Impose accountability, access and correction, anonymization, data minimization, as well as data integrity standards – These requirements are grounded in the Fair Information Practice Principles stressed in the Green Paper released last year by the Department of Commerce.
WOULD THERE BE ANY SAFE HARBORS?
The bill directs the FTC to issue rules to establish safe harbor programs to be administered by non-governmental organizations. The programs would establish mechanisms for participants to implement the law’s requirements with regard to (1) online behavioral advertising, (2) location-based advertising, and (3) other Unauthorized Uses. Participating and compliant Covered Entities would be exempt only from the provisions of Title II (notice, choice, access, and anonymization) and Title III (data minimization, constraints on distribution, and data integrity).