Congress Explores Consumer Privacy Protection New Privacy Legislation and FTC Testimony Indicates Direction of Privacy Regulation

Kelley Drye Client Advisory

The emergence of privacy legislation from several committees in both chambers of Congress in the past months, combined with the ongoing Federal Trade Commission (“FTC”) scrutiny of existing privacy practices of companies during the past year, reflect a growing concern for consumer privacy that may well lead to the establishment of standardized data security and data privacy regulations in the United States. Both chambers of Congress held hearings in the past two weeks to discuss the current status of consumer privacy protection and the creation of new privacy protection measures.

On Thursday, July 22, 2010, the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, chaired by Representative Bobby Rush (D-IL), conducted a hearing to discuss the Chairman’s recently introduced H.R. 5777 – Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act). Witnesses included key stakeholders on privacy policy – representatives from privacy advocacy organizations and private industry, and notably, David Vladeck, Director of the FTC’s Bureau of Consumer Protection.

The Senate Committee on Commerce, Science, and Transportation held their hearing regarding online privacy practices and the future of consumer privacy protection on Tuesday, July 27, 2010,. Witnesses included FTC Chairman Jon Leibowitz, Federal Communications Commission (“FCC”) Chairman Julius Genachowski, as well as representatives from Google, Apple, and Facebook.

FTC’s Consumer Privacy Focus

Chairman Leibowitz and Director David Vladeck testified in their respective hearings to the FTC’s heavy focus on privacy over the last year. They highlighted some of the Commission’s law enforcement actions that have scrutinized companies’ privacy protection practices in a wide array of areas, such as data security, identity theft, children’s privacy, and spam, spyware, and telemarketing practices.

The FTC’s testimony addressed the Commission’s recent review of privacy regulations, including a review of the Children’s Online Privacy Protection Act, as well as noting the issues raised in the FTC’s series of privacy roundtables designed to explore privacy protection challenges.

Chairman Leibowitz’s testimony in Congress provided some insight into the issues the FTC plans to address with a report discussing the privacy roundtables, including:

  • How companies should incorporate privacy and security protections into their everyday business practices;
  • Whether and how to simplify privacy choices presented to consumers to help ensure that consumer choices about privacy are made in a meaningful and informed manner; and
  • Improving privacy policies and other privacy notifications to increase transparency about commercial data practices.

The FTC has indicated that it will provide a comprehensive report later this year discussing these issues and other topics raised at the privacy roundtables.1

New Draft Privacy Legislation

The broad and detailed comments on privacy principles, consumer education, and privacy practices offered by the FTC at the hearings point toward a strong interplay between the FTC and Congress in the development of privacy standards and regulation in the coming year. Critical to building support for the legislation will be the support of stakeholders from consumer privacy groups and private industry, and that support will depend upon both the scope of new policy, and the parameters of enforcement.

The Chairman Rush Best Practices Act released last week aims to codify certain privacy fair information practices and foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.” 2

H.R. 5777 would regulate how organizations must disclose privacy practices, obtain consent to collect and use consumer information, and protect stored consumer data. For example, businesses would be required to disclose their privacy practices in a concise, meaningful, timely, prominent, and easy-to-understand [format] in accordance with regulations issued by the [FTC]” and would be required to obtain opt-in consent for certain information practices, such as sharing information with third parties, collecting or using sensitive information,” or monitoring consumer’s Internet activity.

The FTC has expressed support for key proposals in both the previously released draft bill from Chairman Boucher and Representative Stearns and the Chairman Rush bill, praising portions of the legislation that create data security and accuracy requirements, provide the FTC with rulemaking authority under the Administrative Procedures Act to promulgate specific privacy regulations, and require organizations to simplify privacy notice and consent procedures.

Keeping with the FTC’s focus on simplifying privacy procedures, Mr. Vladeck expressed concern during his testimony over portions of H.R. 5777 that would provide a safe harbor for entities in compliance with Commission-approved self-regulatory programs. According to the FTC’s testimony at the House Subcommittee hearing, the Commission believes that creating multiple privacy compliance standards, through industry self-regulatory programs, would interfere with goals to simplify privacy practices for consumers.

Federal Privacy Legislation Moving Forward

In addition to House privacy proposals, which are likely to be merged into a single House privacy bill, Senator Kerry (D-MA) has indicated that he intends to introduce an online privacy bill into the Senate to create standards for how consumer data is collected, used, and shared, and provide consumers with more control over their personal information.

According to prepared statements by Senator Kerry, he hopes to pass privacy legislation early in the next Congress. A bill introduced by Senator Kerry could go beyond regulation of targeted advertising, as the Senator has noted that “[p]rotecting the privacy of consumers online involves much more than the targeted advertising to which they are subjected . . . . [s]uch advertising is just one result of the information that is routinely collected about us online.” Senator Kerry also went on to note that consumers have the right to control the distribution of personal information and that it is problematic that current laws do not adequately protect a consumer’s right to control the collection, use, and distribution of their personal information.

Given Congress’s and the FTC’s recent scrutiny of consumer privacy protection, it is likely that new privacy regulation or legislation will emerge from this debate. Recognizing the limited number of legislative days left in the 111th Congress and the fact that both Chambers face a number of other priorities, it is unclear whether new privacy legislation can be enacted this year – that said, the legislative proposals currently under discussion will no doubt lay the groundwork for consideration in the next Congress. We will continue to monitor the FTC’s actions and legislative updates as lawmakers and regulators focus on the future of consumer privacy protection.

Kelley Drye & Warren LLP

Kelley Drye & Warren’s Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients’ customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

Kelley Drye’s Government Relations and Public Policy Practice Group helps clients interpret and shape governing laws, enabling them to achieve and maintain market leadership. The varied backgrounds of its government relations lawyers and professionals enable the team to handle a variety of clients needs including representation and strategic planning.

For more information about this Client Advisory, please contact:

Dana Rosenfeld
(202) 342-8588

Alysa Hutnik
(202) 342-8603

1 Information about the FTC’s past privacy roundtables can be found in Kelley Drye and Warren’s March 29, 2010, February 3, 2010, and December 15, 2009 client advisories.

2 A copy of H.R. 5777 is available at http://​www​.house​.gov/​r​u​s​h​/​p​d​f​/​B​P​A​C​T​_​0​0​4.pdf.