On April 12, 2011, Senator John Kerry (D-MA) and Senator John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” to establish the first federal statutory baseline of consumer privacy protection that would apply across industry sectors. The bill would govern how customer information is used, stored, and distributed online. We will provide more analysis soon, but for now, here are the highlights:
Information covered. The bill applies to broad categories of information, including names, addresses, phone numbers, e-mail addresses, other unique identifiers, and biometric data when any of those categories are combined with a date of birth, place of birth, birth certificate number, location data, unique identifier information (that does not, alone, identify an individual), information about an individual’s use of voice services, or any other information that could be used to identify the individual.
Right to security and accountability. Information-collecting entities would be required to implement security measures to protect user information and would be prohibited from collecting more individual information than is necessary “to enforce a transaction or deliver a service requested by that individual,” subject to certain exceptions.
Privacy by design. Entities would be required to implement privacy by design concepts, which would require entities to incorporate privacy protection into each stage of product or service development in a manner that is much more comprehensive than previously required anywhere in the United States.
Privacy policies. Entities would be required to have privacy policies or disclosures that clearly, concisely, and in a timely manner notify individuals of the entities’ practices “regarding the collection, use, transfer, and storage” of individual information, and entities would also be required to notify individuals when their practices undergo “material changes.”
Right to notice, consent, access and correction of information. The bill would offer individuals the option to opt out of most information collection activities and would require that individuals affirmatively consent to the sharing of certain information with third parties and to an entity’s collection of especially sensitive personal information. Individuals would also have the right to access and correct information that entities maintain about them.
Service providers. The bill would require entities that contract with any service provider that has access to individual information to require the service provider to comply with the requirements of the bill, and to comply with the entity’s information policies and practices.
Third parties and data transfers. The bill would restrict the ability to transfer or share individual information with third parties, and would obligate the transferring entity to contract with any such third party for the protection of the individual information before transferring it.
Enforcement. The bill would empower state attorneys general and the Federal Trade Commission (“FTC”) to enforce the new restrictions. It would allow the FTC to develop safe harbor programs for authorized information collection.
Scope. The new rules would apply to non-profit organizations (a potential expansion of FTC authority), telecommunications common carriers (an expansion of FTC authority), and other entities which collect personal information on more than 5,000 individuals in a given year. The bill’s restrictions would not extend to federal and state governments or law enforcement agencies.
The privacy protections follow the decision by many popular Internet browsers to allow users to select a “do-not-track” feature for their searches. Leading Internet merchants and privacy watchdog groups praised the bipartisan bill, calling it “an important step” toward the development of a comprehensive national privacy law, while critics maintain that it does not go far enough to protect consumer privacy rights.