On May 4, 2010, Rep. Rick Boucher (D-VA), the House Energy and Commerce Communications, Technology, and the Internet Subcommittee Chairman, and Rep. Cliff Stearns (R-FL), the Ranking Member of the Subcommittee, released a discussion draft of a privacy bill intended to address concerns about online behavioral advertising and place limits on how consumer personal information is collected, used, and disclosed. The bill would require organizations that collect consumer information to (1) clearly and conspicuously disclose privacy policies; (2) allow consumers to opt out of information collection and sharing and, in some instances, require the consumers’ express affirmative consent to the information practices; and (3) allow the Federal Trade Commission (FTC) to adopt rules to implement and enforce the bill’s requirements.
The release of the draft bill follows increased legislative and regulatory scrutiny over consumer privacy protection measures—a topic that was extensively explored in recent House Energy and Commerce Committee hearings, in the FTC’s recent series of privacy roundtables, and addressed, at least partially, in the FTC’s April 26, 2010, announcement that it intends to develop Internet privacy guidelines. All of these efforts underscore that regulation of business practices concerning consumer information will likely remain at the forefront for the near future. A more detailed analysis of the Boucher/Stearns bill follows.
Disclosure of Privacy Practices
- “Covered entity” means any person who collects data containing “covered information,” but excludes government agencies and any person who collects covered information from fewer than 5,000 individuals in a 12-month period and does not collect “sensitive information.”
- “Covered information” means any of the following about a consumer:
- first name or initial and last name, postal address, telephone or fax number, e-mail address, unique biometric data, Social Security number or other government-issued identification number, financial account number and any required security access code;
- any unique persistent identifier (e.g., customer number, unique pseudonym or user alias, Internet Protocol address) where such identifier is used to identify information about a specific consumer or a computer, device, or software application associated with a particular user;
- a preference profile (e.g., a list of information, categories of information, or preferences associated with a specific consumer or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity); or
- any other information that is collected, stored, used, or disclosed in connection with the identifiers described above.
- Covered information that is collected solely for transactional or operational purposes will not be subject to the consent provisions of this bill.
These proposed definitions are broader than similar definitions of personal information set forth in existing federal privacy laws because they encompass any information that identifies or is associated with a consumer, expressly including a unique persistent identifier alone, as well as a “preference profile”—an expansive term that notably could include such items as social networking profiles, customer preference lists, stored information on a mobile device, etc. In addition, the bill would cover the offline collection of data for marketing purposes or disclosure to unaffiliated third parties for such purposes.
The bill would require a covered entity to clearly and conspicuously disclose a privacy policy that includes:
- a description of the type of collected information and how this information is collected, stored, used, and disposed of—including how long the information is stored;
- whether this information is merged, linked, or combined with other personal information;
- the manner in which a consumer may limit or prohibit the collection, use, or disclosure of personal information; and
- a means by which a consumer can contact an entity with inquiries or complaints regarding the collection, use, or disclosure of personal information.
Collection, Use, and Disclosure of Consumer Information
Opt-Out for Collection and Use of Covered Information
The bill would allow a consumer to opt out of the collection and use of covered information. If a consumer opts out after personal information has been collected, that action has a retroactive effect: the organization would be prohibited both from collecting further covered information from the consumer and from using covered information previously collected.
Opt-In Requirements: Express Affirmative Consent Required
One underlying theme of the bill is the premise that a consumer has a reasonable expectation that an organization will not share covered information with an unaffiliated third party. As such, the bill would require organizations that share information with unaffiliated third parties to obtain a consumer’s express affirmative consent before disclosing such information to those third parties.
Further, unlike the opt-out requirements for the general collection and use of covered information, organizations would be required to obtain express affirmative consent to collect and use “sensitive information.”
“Sensitive information” is defined by the bill to include medical information, race or ethnicity, religious beliefs, sexual orientation, financial records or other financial information, and precise geographic location information.
Additionally, express affirmative consent is required if an organization collects or discloses all or substantially all of a consumer’s online activity. This requirement is likely in response to the ISP-based models of online behavioral advertising that previously were scrutinized by Congress, regulators, and consumer protection advocacy groups.
Advertisement Network Exception
As noted above, disclosure of information to an unaffiliated third party generally would require a consumer’s express affirmative consent. The affirmative consent provisions do not, however, apply under certain circumstances to the collection, use, and disclosure of covered information shared with an advertisement network—an entity that collects information about a person or an IP address from numerous websites, creates a profile, and creates targeted advertisements based on that profile. An organization may share information with a third-party ad network without a consumer’s express affirmative consent provided that:
- The consumer is given the opportunity to opt-out of this type of information disclosure;
- The organization provides a clear, easy-to-find link to a web page for the advertisement network that allows a consumer to edit his or her profile or opt out of having a profile altogether;
- The organization deletes or renders anonymous any covered information not later than 18 months after the date the information is collected;
- The organization uses a symbol or seal in a prominent location on its website and on or near the advertisements to link the consumer to additional information about its practices related to preference profiles and how the consumer can opt-out; and
- The advertisement network does not disclose consumers’ information to another party.
The bill also is significant in that it would effectively supersede provisions of the FTC Act and expressly cover common carriers subject to Federal Communications Commission (FCC) jurisdiction. In addition, the bill would require the FCC to issue a report to the Commerce Committee describing how federal communications law may be harmonized with the provisions of the bill to create a “consistent regulatory regime for covered entities and individuals.”
The bill would require an organization to implement and maintain appropriate administrative, technical, and physical safeguards to protect the covered information, as determined necessary by the FTC. These safeguards would focus on ensuring the security of the information; protecting the information from threats, unauthorized access or loss; and securing the information and conducting an internal investigation in the event of a breach.
Implementation and Enforcement
The bill provides for the FTC to promulgate regulations to implement and enforce the bill’s provisions. A violation of the bill would be considered an unfair or deceptive act or practice under the FTC Act, and subject the covered entity to civil penalties in the amount of $16,000 per violation. The bill also provides for enforcement by state attorneys general so long as the state attorney general notifies the FTC of its intention to bring an enforcement action and there is no pending federal action related to the same matter. The bill would supersede any state regulation that includes requirements for the collection, use, or disclosure of covered information. The bill does not provide for a private right of action.
Implications and Next Steps
Organizations would be well advised to monitor how this proposed legislation develops. Release of the bill, even in discussion draft form, indicates that Congress is not taking concerns raised about online behavioral advertising lightly. Representatives Boucher and Stearns are looking for stakeholders and fellow members of the House Energy and Commerce Committee to advance the discussion on this issue. Additionally, even if the draft bill is not formally introduced or enacted in some form, release of the bill with support from both sides of the aisle may bolster similar state or federal legislative actions or further activity by the FTC.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this Client Advisory, please contact:
Dana B. Rosenfeld
Alysa Z. Hutnik
Christopher M. Loeffler