Wednesday, April 13, 2011

Senators Introduce Proposed “Commercial Privacy Bill of Rights Act”

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

A new comprehensive regulatory framework to protect consumers’ personal information would be established by a Senate Bill unveiled by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) on April 12. If enacted, the proposed “Commercial Privacy Bill of Rights Act of 2011” (S. 799) would regulate the collection, use, and dissemination of covered information.

“John and I start with a bedrock belief that protecting Americans’ personal, private information is vital to making the Information Age everything it should be,” said Senator Kerry. “Americans have a right to decide how their information is collected, used, and distributed and businesses deserve the certainty that comes with clear guidelines.”

Senator McCain said, “Consumers want to shop, browse and share information in an environment that is respectful of their personal information. Our legislation sets forth a framework for companies to create such an environment and allows businesses to continue to market and advertise to all consumers, including potential customers.”

Covered Information

The measure would cover personally identifiable information (PII)—including name, postal address, e-mail address, phone number, Social Security, credit card number, and biometric data—as well as any information that is used, collected, or stored in connection with PII in a manner that may reasonably be used to identify a specific individual—such as a birth date or an IP address.

Coverage would exclude PII obtained from public records; PII obtained from a forum where the individual voluntarily shared the information, that is widely and publicly available, and that contains no restrictions on who can access and view such information; PII reported in public media; and PII dedicated to contacting an individual at the individual’s place of work

Covered Entities

The law would apply to any person who collects, uses, or transfers covered information concerning more than 5,000 individuals during a 12-month period, and over whom the Federal Trade Commission has authority pursuant to Sec. 5(a) (2) of the FTC Act. The law also would apply to common carriers under the Communications Act of 1934 and to nonprofit organizations.

Right to Security and Accountability

The bill would call on the FTC to create rules requiring covered entities to carry out security measures to protect covered information.

Taking a “privacy by design” approach to data protection, the bill would require covered entities to implement a comprehensive information privacy program by incorporating development processes and practices throughout the product life cycle that are designed to safeguard PII based on the subject individuals’ reasonable expectations and any relevant threats.

Covered entities also would be required to maintain appropriate management processes and practices throughout the data life cycle.

Right to Notice and Individual Participation

Collectors of information would be required to provide clear notice to individuals on their collection practices and the purpose for such collection. Additionally, individuals would have to have the ability to opt out of any information collection that would otherwise be unauthorized by the law, as well as the ability to opt out of having their information used by third parties for behavioral marketing or advertising.

Affirmative consent (opt-in) would be required for the collection of sensitive personally identifiable information, including information related to a medical condition or religious affiliation.

Individuals would be given the right to access and correct their information, or to request cessation of its use and distribution.

Data Minimization, Constraints on Distribution, Data Integrity

Collectors of information would be permitted to collect only as much information as necessary to process or enforce a transaction, to deliver a service, to prevent or detect fraud, to investigate a possible crime, to engage in advertising or marketing, for research and development, or for certain internal operations.

Information could be retained only as long as it takes to provide or deliver goods or services to the subject individual or as long as the information is necessary for research and development purposes.

Collectors would have to contractually bind third parties to which they transfer information, to ensure that the third parties comply with the law’s requirements. The bill would require the collector to attempt to establish and maintain reasonable procedures to ensure that PII collected and maintained is accurate, if that PII could be used to deny consumers benefits or could cause significant harm.


A knowing or repetitive violation of the law would be treated as an unfair or deceptive act or practice in violation of the FTC Act. The FTC would be charged with enforcing the measure. State attorneys general also would have enforcement powers, unless the FTC takes action first. Violations would be subject to civil penalties.

The bill provides that it may not be construed to provide any private right of action.

The measure would supersede state laws relating to the collection, use, or disclosure of covered information. It would not preempt state laws (1) addressing health or financial information, (2) addressing notification requirements in the event of a data breach, or (3) relating to acts of fraud.

Safe Harbor

The bill would direct the FTC to create requirements for the establishment and administration of voluntary safe harbor programs to be overseen by nongovernmental organizations. Safe harbor programs would have to achieve protections at least as rigorous as those enumerated in the bill.

As incentive for enrolling in a safe harbor program, participants would be permitted to design or customize procedures for compliance and would be exempt from some requirements of the bill.

Further Information

Further information, including the text of the bill, is available here on Senator Kerry’s website.

No comments: