Just as privacy remains front page news ("Web’s Hot New Commodity: Privacy", Wall Street Journal, February 28, 2011), it remains a subject of bi-partisan interest on Capitol Hill.
Congressional demands for information from companies following news stories about privacy are now routine. For example: "Markey, Barton Ask Facebook About Plan to Enable Access to Addresses, Mobile Numbers" (February 2, 2011).
On the Senate side, Senator Patrick Leahy (D-VT) has created a first-ever Subcommittee on Privacy, Technology and the Law within the Judiciary Committee and has appointed Senator Al Franken (D-MN) subcommittee chair. The subcommittee’s mandate includes oversight of laws and policies governing
- the collection, protection, use, and dissemination of commercial information by the private sector, including online behavioral advertising;
- privacy within social networking websites and other online privacy issues;
- enforcement and implementation of commercial information privacy laws and policies;
- use of technology by the private sector to protect privacy, enhance transparency and encourage innovation;
- privacy standards for the collection, retention, use and dissemination of personally identifiable commercial information; and
- privacy implications of new or emerging technologies.
Senator John Kerry (D-MA) is expected to introduce a comprehensive privacy regulatory bill that may include FTC rulemaking authority with a specific mandate regarding opt-in and opt-out consent for the online collection of personal information. The legislation has been rumored for months, but has yet to be introduced, perhaps owing to the need for coordination between the two committees that now have jurisdiction over privacy issues in the Senate, the Commerce and Judiciary Committees. Commerce Committee Chair Sen. Jay Rockefeller (D-WV) has expressed a strong interest in seeing increased legal protections for privacy.
On the House side, four major privacy bills have been introduced this year with more likely to come:
(1) the “Do Not Track Me Online Act of 2011"
(2) the “Financial Information Privacy Act of 2011"
(3) the “BEST PRACTICES Act” and
(4) the “Equal Employment for All Act.”
Representative Jackie Speier (D-CA) introduced the first two bills. The “Do Not Track Me Online Act” would direct the Federal Trade Commission (FTC) to promulgate a Do-Not-Track regulation and would authorize the FTC to require businesses to give consumers an EU-style right of access. More specifically, the bill would require the FTC to promulgate regulations under § 5 of the FTC Act to require the use of “an online opt-out mechanism to allow a consumer to effectively and easily prohibit the collection or use” of online activity. Businesses would also be required to disclose their information practices in an “easily accessible” manner.
The new regulation would have broad application, as it exempts only small businesses who are not primarily in the data collection business and who do not collect or store any “sensitive information” (e.g., regarding race, religion, and income).
Representative Speier’s second offering, the “Financial Information Privacy Act of 2011,” would amend the Gramm-Leach-Bliley Act (GLBA) to require notice and opt-in before a financial institution may share “nonpublic personal information” with unaffiliated third parties, a change from the current opt-out regime. The bill would require notice and opt-out for sharing with affiliates. The bill would also mandate compliance with fairly detailed specifications for the notice and consent forms. For example, the opt-in form for third party sharing would have to be a separate document that “clearly and conspicuously” states the consumer is authorizing “disclosure to nonaffiliated third parties” and must be “dated and signed” by the consumer.
The BEST PRACTICES Act would establish national requirements for collecting and sharing personal information. Notably, "opt-in" consent would be necessary before personal information could be disclosed to a third party. Special treatment is accorded to sensitive information (such as medical, financial, sexual orientation, or geolocation information): for such information, express affirmative consent is required for collection, use, and disclosure. A "safe harbor" exempting companies from the opt-in consent requirement is provided for in the legislation, so long as companies participate in FTC-monitored universal opt-out programs operated by self-regulatory bodies.
Also in the financial privacy arena, Representative Steve Cohen (D-TN) recently introduced the “Equal Employment for All Act,” which would bar employers from using consumer credit reports for “employment purposes.” With a few exceptions for government jobs, banking-sector jobs, and jobs requiring certain security clearances, the prohibition would be absolute: the source of the report is irrelevant, and consumer consent will not cure a violation. If this bill became law, the federal government would join sixteen states considering similar prohibitions: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maryland, Ohio, Pennsylvania, Missouri, Nebraska, New Jersey, New Mexico, New York, Texas, and Vermont.
In the "still to come" category of legislation, Rep. Cliff Stearns (R-FL), co-sponsor of the Boucher Stearns bill from the last Congress, reportedly is working on a revised version of that legislation. Last session’s version would have permitted a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent only if it:
(1) provided users with a “readily accessible” opt-out mechanism;
(2) deleted or rendered anonymous any “covered information” within 18 months after it is first collected;
(3) allowed users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and
(4) prohibited advertisement networks from further disclosing any such information they receive.
Revisions of the Electronic Communications Privacy Act (ECPA) (to extend protection to data held "in the cloud") and of the Communications Assistance for Law Enforcement Act (CALEA) (to permit law enforcement access to communications on "non-traditional channels" such as social networking sites), both affecting personal privacy, also are on the legislative agenda.
In the contentious and (on the House side) de-regulatory environment that exists on Capitol Hill, it is anyone’s bet whether legislation will proceed and become law during the current session of Congress, despite the bi-partisan appeal of privacy. But given the amount of attention privacy is receiving in the media, especially on the heels of the FTC and Department of Commerce reports decrying the current state of privacy, all it will take is a major privacy incident to spur the lawmakers to action. Recall that the Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (2002), was passed as a reaction to the disclosure by a newspaper of Supreme Court nominee Robert Bork’s video rental records. Indeed, many of the country’s major privacy laws arose in reaction to an identified problem (financial privacy, health information privacy, children’s privacy). With online privacy now uniformly recognized as a "problem," and with self-regulation so roundly criticized, a legislative fix is not so far-fetched.
Meanwhile, the states continue to incubate new ideas for the protection of personal information. In Colorado, for example, a bill has been introduced that would allow a business to establish a rebuttable presumption that it was not negligent following a data security breach if it can show that it implemented "best practices" and complied with technology security standards established by the bill to protect personal information. Whereas the data security breach laws created a negative incentive for companies to improve data security (if they do not, they have to report their breaches: the "stick" approach), the Colorado proposal offers a "carrot." More on state legislative proposals in blog entries to come.