On April 12, 2011, Senator John Kerry (D-MA) and Senator John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” to establish the first federal statutory baseline of consumer privacy protection that would apply across industry sectors. The bill would govern how customer information is used, stored, and distributed online. We will provide more analysis soon, but for now, here are the highlights:
Information covered. The bill applies to broad categories of information, including names, addresses, phone numbers, e-mail addresses, other unique identifiers, and biometric data, when any of those categories is combined with a date of birth, place of birth, birth certificate number, location data, unique identifier information (that does not, alone, identify an individual), information about an individual’s use of voice services, or any other information that could be used to identify the individual.
Right to security and accountability. Information-collecting entities would be required to implement security measures to protect user information and would be prohibited from collecting more individual information than is necessary “to enforce a transaction or deliver a service requested by that individual,” subject to certain exceptions.
Privacy by design. Entities would be required to implement privacy-by-design concepts, incorporating privacy protection into each stage of product or service development in a manner that is much more comprehensive than previously required anywhere in the United States.