By Emily Leach, CIPP

Senators John Kerry (D-MA) and John McCain (R-AZ) yesterday presented the “Commercial Privacy Bill of Rights Act of 2011,” laying out a framework for the protection of Americans’ personal information in the online environment.

Some highlights include:

  • A right to opt out of online behavioral advertising
  • A requirement that “covered entities” receive opt-in consent before collecting sensitive personal information
  • A requirement that “covered entities” implement a Privacy by Design model to protect consumer information, including collecting and storing only the information necessary to the intended purpose for as long as it is needed
  • The ability for people to access their information and, if necessary, correct it

Industry and privacy experts alike are weighing in on the implications of the bill, which the senators describe as predicated on the beliefs that “personal privacy is worthy of protection through appropriate legislation” and current laws provide “inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.”

Power to the FTC

While the bill contains some provisions that impose regulations directly onto covered entities, much of the onus of rulemaking falls on the FTC.

“This will give the FTC significant power to shape the privacy landscape in this country,” says Lisa Sotto, of Hunton & Williams, which has provided a detailed outline of the bill in its Privacy and Information Security Law Blog.

Sotto points out, “The bill does not pick up on the FTC's new focus on harm to human dignity. Instead, the bill focuses on traditional notions of harm, specifically economic and physical harms.”

The bill also eliminates private rights of action, giving the right to bring suit against violators to state attorneys general and the FTC. Amy Mushahwar of Reed Smith LLP says this is good news, noting, “by excluding a private right of action and shutting out the class-action bar, this bill does not make the same mistake that was made in the telemarketing context nearly 20 years ago.”

What’s covered?

The bill broadly refers to a “covered entity” as anyone that “collects, uses, transfers or stores ‘covered information’ on more than 5,000 individuals” over a consecutive 12-month period and is subject to FTC authority, the Communications Act or is a nonprofit.

Covered information refers to personally identifiable information (PII), while the subset of sensitive personal information includes medical data, religious affiliation and information that “if lost, compromised or disclosed without authorization…carries a significant risk of economic or physical harm.” This definition reinforces Sotto’s point that the bill focuses on economic and physical harm and leaves out “harm to human dignity.”

A CNET News report points out that the umbrella of covered entities does not include government agencies and police.

Recent government breaches and the use of surveillance technologies prompt Jim Harper of the Cato Institute to ask in the report, “What's a bill of rights if it doesn't provide rights against the government?"

The report notes that the bill is being unveiled at a time when the Obama Justice Department is lobbying for broader surveillance powers, potentially causing the government exemption to appear more pointed.

What does it mean for businesses?

Opt in. Opt out. Privacy by Design. Consumers’ ability to access and correct their information. In short, the FTC is tasked in this bill with creating rules that will see businesses meeting customer expectations and complying with their choices relating to how their information will be collected, used and protected throughout its lifecycle.

In that vein, the bill requires managerial accountability, an inquiry response process and that covered entities implement Privacy by Design, “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered…”

According to Sotto, the bill picks up on “central concepts in European data protection”—such as data minimization, data integrity and consumers’ ability to access, correct and block the use of their data—“but modernizes them so they don't become a hindrance to doing business.”

What about self-regulation?

There is a provision in the bill allowing the FTC to establish a safe harbor program and to approve non-governmental initiatives such as industry self-regulatory programs for online behavioral advertising. A ClickZ report says it’s not clear whether the Digital Advertising Alliance program would satisfy the FTC’s requirements.

Mushahwar and others are encouraged by this open door.

“Industry is already well on its way towards greater self-policing efforts in the area of online behavioral advertising. These serious efforts ought to be provided an opportunity to demonstrate that strong self-regulation is a more sensible and flexible solution than static legislation, particularly in an area where privacy expectations, consumer tastes, commercial needs and technology are rapidly evolving,” Mushahwar said. 

What about do not track?

Amid FTC calls for a do-not-track mechanism and the recent introduction of a bill by Rep. Jackie Speier (D-CA) proposing the same, the Kerry/McCain bill makes no mention of do not track. The New York Times reports that Kerry acknowledged the initiative in yesterday’s press conference but said it “didn’t seem to fit into our ability to get the balance between consumer support and industry support that we were able to get.”

However, he has not discounted it entirely, stating, “It may well be one of the amendments that we continue to talk about.”

What do people think?

So far, response from industry and privacy advocates is split.

The Direct Marketing Association and the Interactive Advertising Bureau are quoted in The New York Times as voicing concern over the bill’s provision allowing consumers to access and correct their data. Linda Woolley, the executive vice president of Washington operations at the Direct Marketing Association, said this provision would be expensive and require serious user authentication.

Microsoft, HP, Intel and eBay have released a joint statement supporting the bill, saying, “The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.” The companies said the bill “strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program."

Meanwhile, CDT Consumer Privacy Project Director Justin Brookman told PCMagazine the bill "provides a solid foundation for the discussion of how to enact such protections over the months ahead."

Some privacy advocates say the bill could and should have gone further by requiring a do-not-track mechanism. But Sotto applauds the senators for “seeking to craft a bill that would be reasonably palatable to those on both ends of the spectrum, from privacy advocates to those involved in behavioral advertising.”

What do you think?

Would you like to weigh in on the Kerry/McCain online privacy bill? E-mail us at, or get a conversation going on the IAPP Privacy List.

