Following weeks of anticipation, on April 12, 2011 Senators John Kerry (D-MA) and John McCain (R-AZ) introduced legislation aimed at providing consumers with greater control over the collection and use of their personal information accessible through online and offline channels. The Commercial Privacy Bill of Rights Act of 2011 would create baseline fair information practice protections for consumers similar to those outlined in the December 2010 Department of Commerce Privacy Green Paper. Such protections would include consumer notice prior to the collection of personal information, and opt-in or opt-out consent mechanisms depending on the type of personal information collected and its intended use. The bill does not propose a Do Not Track mechanism for online behavioral advertising, in contrast to recent Federal Trade Commission (FTC) staff recommendations and a House bill introduced by Representative Jackie Speier (D-CA). Senator Kerry explained this reflects the authors' goals in balancing the interests of consumers and businesses.
The bi-partisan Senate legislation is the latest of several federal proposals to increase protection of consumer data by defining baseline privacy practices across myriad industry sectors. The Senate Committee on Commerce, Science and Transportation, of which Senator Kerry is a member, has jurisdiction over consumer privacy, and both co-sponsor and former committee chair Senator McCain, and current committee chair Senator John D. Rockefeller IV (D-WV), have supported the need for legislation in this area.
The bill's coverage is broad: nearly all online and offline businesses fall within scope. Notably, this includes telecommunications providers, as well as non-profits, and the FTC would be the lead enforcer against such entities for violations, with the ability to levy $16,500 up to $3 Million in civil penalties for violations. Similar state laws would be preempted. The bill does not provide for a private right of action.
Consistent with Sen. Kerry's statement that "we cannot let the status quo stand," made during last month's Senate privacy hearing, the bill describes an environment in which self-regulation, and existing state, local, and federal laws, have yet to provide adequate consumer privacy protections. By proposing a number of black letter requirements on privacy and data security practices, and setting forth significant monetary penalty provisions for violations, the bill is clearly intended to change the legal status quo in the privacy realm. This alert summarizes the key proposed changes to privacy and data security requirements set forth in the legislation, and provides a chart in the appendix summarizing the various federal bills on point.
What Personal Information is Within the Bill's Scope?
The bill defines personally identifiable information ("PII") as the following consumer information:
- Physical/mailing address;
- Telephone or mobile device numbers;
- Social security number or government-issued identification number;
- Credit card account numbers;
- Any unique, persistent identifier (such as a cookie containing a customer number, user identification, or device serial number) that can link a specific device to an individual.
The bill also provides that the following data - a consumer's place or date of birth, birth or adoption certificate number, precise geographic location, customer proprietary network information ("CPNI"), or other information that reasonably could be used to identify an individual - if combined with any PII (via use, storage, or transmission) - would become PII and be subject to the bill's protections.
Who Is Covered by the Bill?
If enacted, the bill would impose a number of requirements on "covered entities," which the bill defines as any person that collects, uses, transfers, or maintains personal information concerning more than 5,000 "individuals" within a single year. (The bill does not clarify whether the term "individuals" within this context applies to consumers, employees, or both.) The bill also applies its requirements to common carriers that are subject to the Communications Act (i.e., telecommunications providers, including wireless companies), and to non-profit organizations.
Notice and Opt-out/Opt-In Consent to PII Use Required
The bill would require the FTC to promptly issue rules requiring covered entities (a) to provide "clear, concise, and timely" notice to consumers about the entity's information practices and specific purposes of those practices prior to the collection, use, and transfer of PII, and before the entity makes material changes to how it collects and uses personal data; and (b) to maintain this notice in a form that individuals can readily access.
The bill also would require the FTC to issue rules requiring covered entities (a) to provide a "clear and conspicuous" opt-out mechanism when using PII in a manner that the individual did not authorize, and (b) to provide a "robust, clear, and conspicuous" opt-out mechanism for use by third parties of the individual's behavioral advertising or marketing.
A more stringent opt-in consent requirement would apply to the collection, use, and transfer of sensitive personal information, such as health information or religious affiliation. The opt-in requirement also would apply to covered entities that intend to use or transfer previously-collected PII following a material change to its stated privacy practices.
"Privacy By Design" Provisions
Covered entities that collect PII would have to enact policies and procedures to ensure compliance with the bill's requirements. The bill adopts "privacy by design" provisions consistent with the FTC's December 2010 draft privacy framework, and would require covered entities to do the following:
- Enact policies to safeguard PII throughout the product or data lifecycle, and develop procedures to respond to identified issues and complaints.
- Limit personal information collection to the extent necessary to process a transaction or deliver a service requested by the customer, and retain such information only for as long as is needed to provide the transaction or service.
- Ensure that the collected PII is accurate and provide consumers with "appropriate and reasonable" access to collected information. Further, provide a mechanism by which consumers can correct inaccurate personal information.
Third Party Restrictions
The bill also would require that covered entities conduct due diligence before transferring PII to a third party, and it generally would treat third parties that receive PII as if they were covered entities. ("Third Parties" under the bill are those unrelated to the covered entity by common ownership or corporate control, are not a service provider of the covered entity, and does not have a prior business relationship with the individual).
Specifically, covered entities would have to contractually limit the use of PII by third-party partners to purposes consistent with the bill's provisions. Further, third parties would be prohibited from combining non-PII data that they receive with other consumer information to create identifiable profiles.
The bill expressly prohibits the FTC from mandating specific hardware or software technology options to meet the bill's requirements.
Do Not Track
Further, the bill does not include a Do Not Track provision to limit the collection of personal information by online advertisers, such as the one proposed in the House bill Do Not Track Me Online Act of 2011 (H.R. 654) introduced by Rep. Speier in February 2011, and as recommended by the FTC staff in its proposed framework for protecting consumer privacy released late last year. Do Not Track was a subject of detailed inquiry at the Senate hearing on privacy last month, including concerns about how it would work and whether it would harm commerce.
Consumer groups including Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse and Privacy Times immediately announced their unwillingness to support the bill absent a Do Not Track provision.
Data Security and Accountability
The bill would require the FTC to initiate rules requiring business to implement security measures that protect consumers' personally-identifiable information ("PII") in a manner proportional to the size and type of the information collected, and businesses would be required to implement managerial accountability for the privacy and data security policies required by the legislation.
Enforcement and Safe Harbor
If enacted, the bill would give enforcement authority to the FTC, and violations could result in civil penalties up to $16,500 per violation, with a maximum civil penalty of $3 million. The FTC can enforce the requirements against any business that collects, uses, transfers, or stores personal information of more than 5,000 individuals within a year. In other words, the bill's provisions appear to apply broadly to nearly all online and offline businesses, so long as the PII maintained extends beyond 5,000 individuals (which may include employee and former employee data). The bill's broad scope also permits the FTC to bring enforcement actions against telecommunications companies and non-profit organizations, which are typically outside the FTC's jurisdiction.
Under the bill, State Attorneys General could conduct investigations and bring civil actions against parties that violate the bill's provisions. The attorneys general, however, could not enforce the bill's provisions simultaneous with the FTC, and would be required to give the FTC notice prior to initiating a civil action. In such cases, the FTC would retain a right to intervene. The bill would preempt any similar state law provisions, except for state laws that address (1) the collection, use, or disclosure of health or financial information; (2) notification requirements in the event of a data breach; and (3) acts of fraud.
There is no private right of action under the bill, eliminating consumer class action suits for violations of the Act.
Within one year following the bill's enactment, the bill would require the FTC to issue rules for the creation of a self-regulatory Safe Harbor program. While the program would be subject to FTC oversight, the bill gives a significant role to the U.S. Department of Commerce to convene stakeholders and develop codes of conduct for safe harbor under the Act. Covered entities that demonstrate compliance with the Safe Harbor requirements would be exempt from certain bill provisions. Additionally, the Department of Commerce would have an ongoing role in developing data sharing policy domestically and in coordination with other nations, with the objective of growing Internet commerce.
The Commercial Privacy Bill of Rights Act of 2011 represents the most comprehensive consumer privacy legislation introduced during the current session, and follows consumer privacy-focused bills introduced earlier this year by Rep. Speier, and the BEST PRACTICES ACT (H.R. 611) introduced by Rep. Bobby Rush (D-Ill.). Additional consumer privacy legislation, including bills from Rep. Cliff Stearns (R-FL), Rep. Ed Markey (D-MA), and Rep. Mary Bono Mack (R-CA), is expected to be introduced in the coming days and weeks.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler