By Emily Leach, CIPP

Senators John Kerry (D-MA) and John McCain (R-AZ) yesterday presented the “Commercial Privacy Bill of Rights Act of 2011,” laying a framework for the protection of Americans’ personal information in the online environment.

Some highlights include:

  • A right to opt out of online behavioral advertising
  • A requirement that “covered entities” receive opt-in consent before collecting sensitive personal information
  • A requirement that “covered entities” implement a Privacy by Design model to protect consumer information, including collecting and storing only the information necessary to the intended purpose for as long as it is needed
  • The ability for people to access their information and, if necessary, correct it

Industry and privacy experts alike are weighing in on the implications of the bill, which the senators describe as predicated on the beliefs that “personal privacy is worthy of protection through appropriate legislation” and current laws provide “inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.”

Power to the FTC

While the bill contains some provisions that impose regulations directly onto covered entities, much of the onus of rulemaking falls on the FTC.

“This will give the FTC significant power to shape the privacy landscape in this country,” says Lisa Sotto, of Hunton & Williams, which has provided a detailed outline of the bill in its Privacy and Information Security Law Blog.

Sotto points out, “The bill does not pick up on the FTC's new focus on harm to human dignity. Instead, the bill focuses on traditional notions of harm, specifically economic and physical harms.”

The bill also eliminates private rights of action, giving the right to bring suit against violators to state attorneys general and the FTC. Amy Mushahwar of Reed Smith LLP says this is good news, noting, “by excluding a private right of action and shutting out the class-action bar, this bill does not make the same mistake that was made in the telemarketing context nearly 20 years ago.”

What’s covered?

The bill broadly refers to a “covered entity” as anyone that “collects, uses, transfers or stores ‘covered information’ on more than 5,000 individuals” over a consecutive 12-month period and is subject to FTC authority, the Communications Act or is a nonprofit.

Covered information refers to personally identifiable information (PII), while the subset of sensitive personal information includes medical data, religious affiliation and information that “if lost, compromised or disclosed without authorization…carries a significant risk of economic or physical harm.” This reinforces Sotto’s point about the bill’s neglect of “harm to human dignity.”

A CNET News report points out that the umbrella of covered entities does not include government agencies and police.

Recent government breaches and the use of surveillance technologies prompt Jim Harper of the Cato Institute to ask in the report, “What's a bill of rights if it doesn't provide rights against the government?”

The report notes that the bill is being unveiled at a time when the Obama Justice Department is lobbying for broader surveillance powers, potentially causing the government exemption to appear more pointed.

What does it mean for businesses?

Opt in. Opt out. Privacy by Design. Consumers’ ability to access and correct their information. In short, the FTC is tasked in this bill with creating rules that will see businesses meeting customer expectations and complying with their choices relating to how their information will be collected, used and protected throughout its lifecycle.

In that vein, the bill requires managerial accountability, an inquiry response process and that covered entities implement Privacy by Design, “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered…”

According to Sotto, the bill picks up on “central concepts in European data protection”—such as data minimization, data integrity and consumers’ ability to access, correct and block the use of their data—“but modernizes them so they don't become a hindrance to doing business.”

What about self-regulation?

There is a provision in the bill allowing the FTC to establish a safe harbor program and to approve non-governmental initiatives such as industry self-regulatory programs for online behavioral advertising. A ClickZ report says it’s not clear whether the Digital Advertising Alliance program would satisfy the FTC’s requirements.

Mushahwar and others are encouraged by this open door.

“Industry is already well on its way towards greater self-policing efforts in the area of online behavioral advertising. These serious efforts ought to be provided an opportunity to demonstrate that strong self-regulation is a more sensible and flexible solution than static legislation, particularly in an area where privacy expectations, consumer tastes, commercial needs and technology are rapidly evolving,” Mushahwar said. 

What about do not track?

Amid FTC calls for a do-not-track mechanism and the recent introduction of a bill by Rep. Jackie Speier (D-CA) proposing the same, the Kerry/McCain bill makes no mention of do not track. The New York Times reports that Kerry acknowledged the initiative in yesterday’s press conference but said it “didn’t seem to fit into our ability to get the balance between consumer support and industry support that we were able to get.”

However, he has not discounted it entirely, stating, “It may well be one of the amendments that we continue to talk about.”

What do people think?

So far, response from industry and privacy advocates is split.

The Direct Marketing Association and the Interactive Advertising Bureau are quoted in The New York Times as voicing concern over the bill’s provision allowing consumers to access and correct their data. Linda Woolley, the executive vice president of Washington operations at the Direct Marketing Association, said this provision would be expensive and require serious user authentication.

Microsoft, HP, Intel and eBay have released a joint statement supporting the bill, saying, “The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.” The companies said the bill “strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program.”

Meanwhile, CDT Consumer Privacy Project Director Justin Brookman told PCMagazine the bill “provides a solid foundation for the discussion of how to enact such protections over the months ahead.”

Some privacy advocates are saying the bill could have and should have gone farther, requiring a do-not-track mechanism. But Sotto applauds the senators for “seeking to craft a bill that would be reasonably palatable to those on both ends of the spectrum, from privacy advocates to those involved in behavioral advertising.”

What do you think?

Would you like to weigh in on the Kerry/McCain online privacy bill? E-mail us at, or get a conversation going on the IAPP Privacy List.
