On April 13, 2011, Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced privacy legislation that seeks to ensure that consumers have greater control and are better informed on the collection and use of their personal information. The Consumer Privacy Protection Act of 2011 would provide consumers with control over certain uses of personal information collected online and offline. Protections under the bi-partisan Stearns-Matheson bill include consumer notice requirements and the ability for consumers to limit disclosures of personal information to third parties.
The bill contains many provisions consistent with the Commercial Privacy Bill of Rights Act of 2011, introduced in the Senate by Senators Kerry (D-MA) and McCain (R-AZ) on April 12, 2011. Both bills would be enforced by the Federal Trade Commission (FTC), include a self-regulatory 'safe harbor' framework, permit the FTC to seek civil penalties for violations, preempt similar state laws, and exclude a private right of action. Unlike the Kerry-McCain bill, the Stearns-Matheson bill does not cover certain telecommunications providers within its scope. Additionally, civil penalties under the Stearns-Matheson bill are set at double the amount permitted under the FTC Act (for a total of $32,000 per violation) with a maximum civil penalty of $500,000. The potential civil penalties under the Stearns-Matheson bill are greater per violation, but less overall, than the civil penalties proposed in the Kerry-McCain bill.
What Personal Information is Protected by the Bill?
Similar to the Kerry-McCain bill, the Stearns-Matheson bill protects a consumer's "personally identifiable information" (PII), including:
- Postal address;
- Email address;
- Telephone or mobile device numbers;
- Social security number or government-issued identification number; and
- Credit and debit card account numbers.
The bill also provides that if a consumer's date or place of birth or electronic address, including IP address, is disclosed in connection with PII, then the data would be subject to the bill's requirements. However, the Stearns-Matheson bill does not address biometric data and unique persistent identifiers (e.g. cookies) that can link a specific device to an individual - as included in the Kerry-McCain bill. Additionally, the bill excludes anonymous or aggregate data that does not identify a consumer, information about a consumer inferred from data maintained about a consumer, and publicly available information from the definition of PII.
Who is Required to Comply with the Bill?
The bill would impose requirements on "covered entities," including their agents and subsidiaries, that collect, sell, or disclose for consideration or use personally identifiable information of more than 5,000 consumers over the course of a year. Notably, the bill specifically addresses consumers without mention of employees, which is distinct from the Kerry-McCain bill that addresses individuals. The bill would apply to non-profit organizations, like the Kerry-McCain bill, but exempts government agencies and professional service providers, such as lawyers and doctors, that are bound by professional nondisclosure standards. The bill also exempts "data processing outsourcing entities" that provide IT processing, web hosting, or telecommunications services as long as they have a contractual obligation to the covered entity to secure personal information. Finally, given that a violation of the provisions of the legislation is treated as a violation of Section 5 of the FTC Act, entities that are exempt from the FTC's Section 5 enforcement jurisdiction (such as certain telecommunications providers, banks, etc.) appear to be excluded from the bill's coverage as well.
Notice and Opt-Out Consent to Use PII Required
The bill would also require covered entities to provide consumers with an "opt-out" option to preclude the sale or disclosure of a consumer's PII to non-affiliated third parties. The bill further provides that businesses cannot request that consumers reconsider their opt-out preference until at least a year after opt-out. However, the bill specifies that opt-out protection has an expiration date, remaining in effect for only five years or until the consumer opts in, whichever is sooner.
Do Not Track
Like the Kerry-McCain bill, the Stearns-Matheson bill does not include a 'Do Not Track' mechanism to limit the collection of personal information by online behavioral advertisers. As a result, the bill differs from Rep. Jackie Speier's (D-CA) Do Not Track Me Online Act (H.R. 654) and recommendations in the Preliminary FTC Staff Report, which both call for a Do Not Track mechanism.
Self-Regulatory 'Safe Harbor' Framework
The bill relies on a self-regulatory framework to protect consumer privacy. A covered entity is presumed to be in compliance with the bill if the entity participates in an FTC-approved self-regulatory program. Non-compliance would have to be proven by clear and convincing evidence, a heightened evidentiary hurdle for consumers.
To qualify for FTC approval, the self-regulatory program must provide equal or greater consumer protections than those identified under the bill, include an initial review of the covered entities' privacy policies and statements, and utilize self-review and self-certification processes as well as periodic and random reviews. The self-regulatory programs must also provide dispute resolution procedures that consumers must use before seeking a resolution from the FTC. In the event of involuntary suspension or termination from participation in the self-regulatory program for program noncompliance, the program must notify the FTC and publish notice of suspension or termination.
Data Security and Accountability
The bill requires covered entities to implement information security policies designed to prevent or mitigate the unauthorized disclosure of personal information. The bill also requires designation of an officer responsible for implementing information security policies and procedures.
The bill authorizes the FTC to issue regulations and interpretive rules regarding specific practices and designates the FTC as the sole enforcement authority for violations of the bill. While the bill applies only to covered entities, non-covered entities that elect to participate in a self-regulatory program are entitled to the same procedural rights and benefits under the bill in any FTC unfair or deceptive trade practice action to the extent such action relates to the entities' privacy policies. A violation of the bill by a covered entity would be considered an "unfair or deceptive act or practice" under the FTC Act, except that the civil penalties would double for a violation under the bill, not to exceed $500,000 for all related violations by a single covered entity.
The bill would broadly preempt state action that relates to or affects the collection, use, sale, disclosure, retention or dissemination of PII in commerce and, similar to the Kerry-McCain bill, there is no private right of action under the Stearns-Matheson bill. However, the bill does not explicitly provide State Attorneys General with the ability to conduct investigations and bring civil actions for violations.
The Consumer Privacy Protection Act of 2011 introduced in the House would provide consumers with certain control over the use and disclosure of personal information similar to the Kerry-McCain bill introduced in the Senate. The bills follow a growing list of consumer online privacy bills introduced this term - Rep. Bobby Rush's (D-IL) BEST PRACTICES Act, Rep. Jackie Speier's (D-CA) Do Not Track Me Online Act of 2011, and Senators Kerry and McCain's Commercial Privacy Bill of Rights Act of 2011. These bills evidence growing Congressional momentum for consumer privacy legislation that could have a significant impact on companies that utilize consumer data.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler