Congress Gets Active on Privacy
Two major privacy bills were introduced in Congress during April. This burst of legislative action, coming on the heels of several earlier legislative proposals, and coupled with seemingly daily news reports of new perceived privacy intrusions by businesses or governments, suggests that privacy likely will remain a hot button on the Congressional agenda throughout the year.
Two New Bills
On April 12, Sen. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, which would establish a baseline privacy law at the federal level. The bill would create a regulatory framework for the comprehensive protection of personal data for individuals, largely under the aegis of the Federal Trade Commission (FTC). Sen. Kerry has stated that the bill is designed to implement a balanced approach that recognizes legitimate interests of both consumers and businesses, and relies substantially on approaches developed by the FTC over the past dozen years.
The next day, Rep. Cliff Stearns (R-FL) introduced his Consumer Privacy Protection Act (H.R.1528), which proposes a less comprehensive framework while allowing consumers to restrict the sale or disclosure of personal information.
To date, federal privacy law in the United States has taken the form of sector-specific legislation, such as the Gramm-Leach-Bliley Act for financial services and the Communications Act for telecommunications. The absence of a general federal privacy law has caused difficulties for businesses operating internationally, as many foreign countries do have comprehensive privacy laws and may restrict data transfer to the U.S. unless extra protective measures are taken. That is why many U.S. businesses have had to enroll in the Department of Commerce's “safe harbor” program facilitating transfers from the European Union.
The Kerry-McCain and Stearns bills would have major implications for businesses that collect and use consumer information, and for businesses that generate revenue by selling personal data or by using consumer information in marketing. Perhaps the greatest impact would be on businesses that rely on consumer information to generate revenue, such as through advertising, or that function as data brokers.
Both bills start with a definition of “personally identifiable information” and include certain additional information. The Senate bill defines the term more broadly. Both bills would require increased transparency, through a variety of “notice and choice” mechanisms. And both bills authorize the use of a consumer's information in performing the service for which it was provided, while generally allowing other uses (including transfers to third parties) on an “opt-out” basis. But there are numerous and significant differences in the details.
The Kerry-McCain bill is noteworthy because, unlike most U.S. legislative privacy proposals, it addresses all of the commonly accepted “Fair Information Privacy Principles” (or FIPPs). In contrast, the Stearns bill does not, taking a more narrowly focused approach.
For example, the Kerry-McCain bill includes the concepts of purpose limitation and data minimization—the ideas that a business collects consumer data only for specified purposes and collects no more than is needed—but the Stearns bill does not. Also, the Kerry-McCain bill contains a data-retention provision, while the Stearns bill does not. S. 799 also breaks new ground by being the first major congressional initiative to include a “privacy-by-design” provision of the type now being encouraged by the FTC.
Neither the Kerry-McCain nor the Stearns bill contains a “Do-Not-Track” provision of the type that has received an endorsement from the FTC, although a competing bill in the House of Representatives sponsored by Rep. Jackie Speier (D-CA) does. Sen. Kerry indicated that the idea could be considered at the committee markup stage.
The bills also present different approaches to regulating the transfer of personal information to unaffiliated third parties, as well as the degree to which the business that collects the information would have to hold subsequent transferees to similar levels of protection. The Kerry-McCain bill contains what has become known as the “Facebook exception”—allowing unrelated businesses with which a consumer separately has an established business relationship to be exempt from most of the bill's limitations applicable to third parties. In effect, if a user signs into Site A using her Facebook identity, both A and Facebook would be deemed “first parties” under the Senate bill.
Both bills would federalize information security law, with the Senate bill directing the FTC to conduct a rulemaking to establish appropriate security standards consistent with FTC guidance and industry practice. The Stearns bill would simply require businesses to have an information security policy approved by senior management.
Both bills would effectively preempt most state consumer privacy laws relating to the collection, use or disclosure of consumer information covered by the Act. Private rights of action to enforce the Act would be prohibited. However, the Act would not preempt state laws regarding the privacy of health or financial information, data-security-breach notification or anti-fraud laws. Although the bills generally would not affect current sector-specific privacy laws, the Kerry-McCain bill would supersede the Customer Proprietary Network Information provisions of the Communications Act (47 U.S.C. §222) and the privacy provisions of the Cable Act (47 U.S.C. §551), replacing them with its own regime.
Finally, both bills would endorse industry self-regulatory systems which, if adhered to by businesses, would largely insulate them from enforcement actions by the FTC or the states. Self-regulatory systems would be approved by the FTC. Here, too, the bills differ in their details, with the Stearns bill appearing generally more favorable to the self-regulatory approach.
The prospects of these bills are unclear. The partisan divide in the current Congress makes passing any legislation difficult, although consumer privacy is one issue on which Democrats and Republicans may be able to find some common ground.
In the Senate, the Kerry-McCain bill, co-sponsored by two influential senators, deserves to be viewed as a serious and significant approach to privacy legislation. It has already received support from important high-technology companies, such as Microsoft, Intel and eBay. On the other hand, the Digital Advertising Alliance, which has promoted a do-not-track self-regulatory regime, believes the bill's introduction substantially undermines its current efforts, and some consumer advocates find fault with S. 799's omission of a do-not-track mechanism and its preemption of private lawsuits.
Finding agreement with the House of Representatives may be challenging. Rep. Stearns' bill appears to be the most “business friendly” of the major privacy proposals currently under consideration. Perhaps for that reason, it was criticized as weak by consumer advocacy groups as it was introduced. The Direct Marketing Association also criticized the role Rep. Stearns would give the FTC.