By Emily Leach, CIPP

Senators John Kerry (D-MA) and John McCain (R-AZ) yesterday presented the “Commercial Privacy Bill of Rights Act of 2011,” laying a framework for the protection of Americans’ personal information in the online environment.

Some highlights include:

  • A right to opt out of online behavioral advertising
  • A requirement that “covered entities” receive opt-in consent before collecting sensitive personal information
  • A requirement that “covered entities” implement a Privacy by Design model to protect consumer information, including collecting and storing only the information necessary to the intended purpose for as long as it is needed
  • The ability for people to access their information and, if necessary, correct it

Industry and privacy experts alike are weighing in on the implications of the bill, which the senators describe as predicated on the beliefs that “personal privacy is worthy of protection through appropriate legislation” and current laws provide “inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.”

Power to the FTC

While the bill contains some provisions that impose regulations directly onto covered entities, much of the onus of rulemaking falls on the FTC.

“This will give the FTC significant power to shape the privacy landscape in this country,” says Lisa Sotto, of Hunton & Williams, which has provided a detailed outline of the bill in its Privacy and Information Security Law Blog.

Sotto points out, “The bill does not pick up on the FTC's new focus on harm to human dignity. Instead, the bill focuses on traditional notions of harm, specifically economic and physical harms.”

The bill also eliminates private rights of action, giving the right to bring suit against violators to state attorneys general and the FTC. Amy Mushahwar of Reed Smith LLP says this is good news, noting, “by excluding a private right of action and shutting out the class-action bar, this bill does not make the same mistake that was made in the telemarketing context nearly 20 years ago.”

What’s covered?

The bill broadly refers to a “covered entity” as anyone that “collects, uses, transfers or stores ‘covered information’ on more than 5,000 individuals” over a consecutive 12-month period and is subject to FTC authority, the Communications Act or is a nonprofit.

Covered information refers to personally identifiable information (PII), while the subset of sensitive personal information includes medical data, religious affiliation and information that “if lost, compromised or disclosed without authorization…carries a significant risk of economic or physical harm.” This goes to further Sotto’s point about the bill’s neglect of “harm to human dignity.”

A CNET News report points out that the umbrella of covered entities does not include government agencies and police.

Recent government breaches and use of surveillance technologies prompt Jim Harper of the Cato Institute to ask in the report, “What's a bill of rights if it doesn't provide rights against the government?”

The report notes that the bill is being unveiled at a time when the Obama Justice Department is lobbying for broader surveillance powers, potentially causing the government exemption to appear more pointed.

What does it mean for businesses?

Opt in. Opt out. Privacy by Design. Consumers’ ability to access and correct their information. In short, the FTC is tasked in this bill with creating rules that will see businesses meeting customer expectations and complying with their choices relating to how their information will be collected, used and protected throughout its lifecycle.

In that vein, the bill requires managerial accountability, an inquiry response process and that covered entities implement Privacy by Design, “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered…”

According to Sotto, the bill picks up on “central concepts in European data protection”—such as data minimization, data integrity and consumers’ ability to access, correct and block the use of their data—“but modernizes them so they don't become a hindrance to doing business.”

What about self-regulation?

There is a provision in the bill allowing the FTC to establish a safe harbor program and to approve non-governmental initiatives such as industry self-regulatory programs for online behavioral advertising. A ClickZ report says it’s not clear whether the Digital Advertising Alliance program would satisfy the FTC’s requirements.

Mushahwar and others are encouraged by this open door.

“Industry is already well on its way towards greater self-policing efforts in the area of online behavioral advertising. These serious efforts ought to be provided an opportunity to demonstrate that strong self-regulation is a more sensible and flexible solution than static legislation, particularly in an area where privacy expectations, consumer tastes, commercial needs and technology are rapidly evolving,” Mushahwar said. 

What about do not track?

Amid FTC calls for a do-not-track mechanism and the recent introduction of a bill by Rep. Jackie Speier (D-CA) proposing the same, the Kerry/McCain bill makes no mention of do not track. The New York Times reports that Kerry acknowledged the initiative in yesterday’s press conference but said it “didn’t seem to fit into our ability to get the balance between consumer support and industry support that we were able to get.”

However, he has not discounted it entirely, stating, “It may well be one of the amendments that we continue to talk about.”

What do people think?

So far, response from industry and privacy advocates is split.

The Direct Marketing Association and the Interactive Advertising Bureau are quoted in The New York Times as voicing concern over the bill’s provision allowing consumers to access and correct their data. Linda Woolley, the executive vice president of Washington operations at the Direct Marketing Association, said this provision would be expensive and require serious user authentication.

Microsoft, HP, Intel and eBay have released a joint statement supporting the bill, saying, “The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.” The companies said the bill “strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program.”

Meanwhile, CDT Consumer Privacy Project Director Justin Brookman told PCMagazine the bill “provides a solid foundation for the discussion of how to enact such protections over the months ahead.”

Some privacy advocates are saying the bill could have and should have gone further by requiring a do-not-track mechanism. But Sotto applauds the senators for “seeking to craft a bill that would be reasonably palatable to those on both ends of the spectrum, from privacy advocates to those involved in behavioral advertising.”

What do you think?

Would you like to weigh in on the Kerry/McCain online privacy bill? E-mail us at publications@privacyassociation.org, or get a conversation going on the IAPP Privacy List.
