On March 16, 2011, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing to examine online consumer privacy, with an emphasis on the use of behavioral targeting by online advertisers. The hearing, which included two panels of witnesses from the government and industry sectors, touched upon a growing number of legislative and regulatory proposals that attempt to strike a balance between protecting consumer privacy, ensuring continued business innovation, and preserving the free and diverse online content to which consumers have grown accustomed.
Committee members attending the hearing included Sen. John Kerry (D-MA), Sen. Mark Pryor (D-AR), Sen. Amy Klobuchar (D-MN), Sen. Johnny Isakson (R-GA), and Sen. Claire McCaskill (D-MO). Sen. Kerry, current Chairman of the Subcommittee on Communications, Technology, and the Internet, opened the hearing with statistics that reflect Americans' concern about online tracking. He described online applications as "observational opportunities" for data collection companies, and noted the increasing ability to merge offline and online information to create highly-detailed consumer profiles. Stating that "we cannot let the status quo stand," Sen. Kerry briefly described the legislation he is drafting with Sen. John McCain (R-AZ). The bill will propose a "commercial privacy bill of rights" that would establish a common code of conduct, which Sen. Kerry believes would encourage information sharing by establishing general protections for consumers while creating fair terms and conditions for online businesses.
Committee Chairman Jay Rockefeller (D-WV), who did not attend the hearing, issued a statement voicing his support for legislation that would impose basic privacy rules, and described self-regulatory efforts in the privacy area as "a failed experiment."
A summary of the two panel sessions is set forth below.
Panel 1: Updates from the FTC and Dept. of Commerce
The first panel of witnesses included Lawrence Strickling, Assistant Secretary of Commerce for Communications and Information at the U.S. Department of Commerce and Federal Trade Commission Chairman Jon Leibowitz.
Mr. Strickling opened his remarks by announcing that the Obama Administration is recommending legislation that will address consumer privacy concerns. He further stated that such legislation should incorporate three elements, which were included within the Commerce Department's privacy framework released in December 2010.1
First, the legislation should include a consumer privacy bill of rights that provides baseline consumer data privacy protections that are enforceable and based on agreed-upon principles for the handling of consumer information. Second, the legislation should give the FTC explicit authority to enforce any baseline protections. Third, the legislation should create a framework that provides incentives, such as a safe harbor, for businesses to develop and adopt the principles.
Chairman Leibowitz opened his remarks with a brief overview of the privacy framework released by FTC Staff in a draft report on December 2010.2
He highlighted the framework's three primary recommendations that include (1) greater consumer protections built into everyday business practices, or "privacy by design"; (2) simplified choice with real-time controls, including a Do Not Track mechanism; and (3) increased transparency whereby choice mechanisms are easy-to-find and easy-to-use.
Chairman Leibowitz's comments focused primarily on the proposed Do Not Track mechanism, which he and other members of the FTC Staff believe will build consumer trust and encourage business innovation. He cited five principles that FTC Staff believe are essential for any Do Not Track mechanism, including (1) universal deployment to avoid a patchwork of mechanisms; (2) easy-to-use and easy-to-locate; (3) persistent, so that consumer choices cannot be removed by businesses; (4) an opt-out regime that covers all tracking, and not simply the receipt of targeted advertising; and (5) a mechanism that is effective, enforceable, and without technical loopholes. Chairman Leibowitz downplayed concerns expressed by Sen. McCaskill that proposals such as the Do Not Track mechanism could negatively affect the economic vibrancy of the Internet. Responding to Sen. McCaskill's statements that such proposals may serve only to handcuff reputable online firms while doing little to thwart bad actors, Leibowitz stated that "the sky won't fall down on Internet commerce."
Finally, Chairman Leibowitz highlighted recent enforcement actions, including a settlement with online ad placement firm Chitika. He warned that the settlement is the first of many to come and stated the Commission's hope that the settlement sends a signal to the online advertising community.
Panel 2: Perspectives from Industry and Consumer Advocates
The second panel of witnesses consisted of industry representatives and consumer advocates, and included executives from Microsoft, Intuit, and online media buyer GroupM Interaction, as well as counsel from the American Civil Liberties Union.
Erich Anderson, Vice President and Deputy General Counsel at Microsoft, endorsed the Obama Administration's call for federal privacy legislation that would establish reasonable baseline privacy practices. Mr. Anderson also expressed support for provisions within the draft legislation circulated by Senators Kerry and McCain. Barbara Lawler, Chief Privacy Officer at Intuit, also stated her support for legislation that includes the principles-based approach endorsed by the Administration, which Ms. Lawler believes will be the most effective approach to ensure broad adoption by businesses. She further noted that any legislation must account for the current lack of uniformity among the various approaches to privacy, which would require aligning existing state-level privacy regimes. On the international level, achieving uniformity would necessitate greater coordination between the U.S., the European Union (EU), and the Asia-Pacific Economic Cooperation (APEC).
John Montgomery, chief operating office for the North American unit of GroupM Interaction, highlighted the online advertising industry's self-regulatory program operated by the Digital Advertising Alliance. The program employs a clickable icon that appears over online advertisements, and allows consumers to both view the information being collected and opt-out of further collection. Mr. Montgomery noted ongoing efforts to build further industry support for the icon program. During the first panel, Chairman Leibowitz questioned whether such a solution goes far enough in giving meaningful choice to consumers, but he described the program as "promising."
Current and Pending Privacy Legislation
The Senate hearing took place as a number of federal consumer privacy bills have either been introduced or are expected to be introduced in the coming weeks. Please see the chart accompanying this advisory for a snapshot of the key provisions within both the introduced and pending legislation.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security
practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
Alysa Zeltzer Hutnik
Information about the Commerce Department's proposed privacy framework can be found in Kelley Drye & Warren's December 22, 2010
Information about the FTC's proposed privacy framework can be found in Kelley Drye & Warren's December 8, 2010