Update 3-24-11: We have learned that Senator Kerry’s office has circulated to selected parties a new version of the draft privacy bill amending the version that is the subject of this blog entry, but has not publicly shared it. When it is distributed publicly, we will report on any changes.
At last week’s Senate Commerce Committee hearing on privacy, Senator John Kerry (D-MA) announced that he will be introducing privacy legislation in this session of Congress. A draft of the Kerry legislation, which also currently lists Senator John McCain (R-AZ) as a co-sponsor, has been circulating around Washington and was published yesterday by the BNA Electronic Commerce & Law Reporter. We share a copy of the draft "Commercial Privacy Bill of Rights Act of 2011" here.
The FTC is given privacy rulemaking authority for the first time in the draft law as well as the authority to approve (and enforce) industry-created Safe Harbor programs. However, as detailed below, the proposed law would impose major and significant new obligations on businesses dealing with personal information.
Major provisions to note:
- Covered information includes "personally identifiable information (PII)" as well as "unique identifier information (UII)" and "any information collected in connection with PII or UII that may be used to identify an individual." Geographical addresses of a physical place of residence are included within the scope of PII. Email addresses would be included if individuals' names are part of them, but the draft brackets questions over whether that should mean first name, last name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters, as in Danny123@xyz.com. Telephone numbers other than work numbers are included within the scope. Credit card account numbers are within the scope. Unique persistent identifiers, such as cookies, user IDs, processor serial numbers or device serial numbers, are covered "if used to identify a specific individual." Biometric data such as fingerprints and retina scans are covered. And, if used, transferred or maintained in connection with the above, birth dates, birth certificate or adoption numbers and place of birth are covered, as is geolocation data and "any other information concerning an individual that may reasonably be used to identify that individual." Sensitive personally identifiable information is defined in one short paragraph as PII "which if lost, compromised, or disclosed without authorization could result in harm to an individual."
- The FTC is directed to make rules requiring reasonable security measures to protect covered information by a covered entity which is defined as "any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period" and is subject to FTC jurisdiction, as well as non-profits and telecommunication common carriers.
- Covered entities are required to have proportionate managerial accountability for the adoption and implementation of policies consistent with the proposed Act, to have a process to respond to nonfrivolous complaints, and to "describe its programmatic means of its compliance with the requirements of the Act" upon request from the FTC.
- The FTC is charged with conducting a rulemaking on how covered entities shall provide readily accessible notice regarding the collection and use of personal information and any changes in such collection and use.
- Opt out options must be provided to individuals for any purpose "not authorized by the individual" other than to process a transaction, to "operate the covered entity that is providing a transaction", to prevent or detect fraud, to investigate a possible crime, to engage in first-party marketing (defined as marketing by the entity that directly collected the information), or for the improvement of service necessary for internal operations, including customer satisfaction surveys.
- Opt in consent will be required as to sensitive personal information other than to process a transaction or prevent fraud, as to PII previously collected if there is a material change in practices, and as to the transfer to third parties for an "unauthorized use" or public display.
- Reasonable access by individuals to their PII is mandated.
- If an individual terminates a service or relationship with the covered entity, or if the covered entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.
- Third parties are prohibited from using PII for which opt in consent is required except in limited circumstances, and specific contracts are required for transfers of covered information by covered parties to third parties; the contracts shall provide that "the third party will not combine information that is not personally identifiable… with other information in order to identify individuals with that information." Transfers to "unreliable third parties" are prohibited.
- Covered entities are ordered by the draft law "to seek" to engage in data minimization and minimized retention.
- State attorneys general are given civil action authority to enforce the law, in addition to the FTC’s enforcement authority under Section 5 of the FTC Act.
- Monetary penalties are specified, with a $2 million or $3 million cap on liability depending on the nature of the violation.
- No private rights of action are allowed, and state laws, except those dealing with health or financial information, data breach notification or fraud, are preempted.
- The "Co-Regulatory Safe Harbor Programs" provision of the draft law instructs the FTC to set requirements for programs administered by "non-governmental organizations" to implement the requirements of the Act, to offer means of opting out and to implement a "comprehensive information privacy program." Such programs, for which annual reports are required, would be supervised and enforced with penalties by the FTC. Covered entities that participate in approved Safe Harbor Programs are to be exempted from the major provisions of the law "if the Commission finds that the safe harbor program requires compliance with requirements that are the substantially the same (sic) as, or more protective of privacy than, the requirements of the provision from which the exemption sis (sic) granted."
- The FTC may host a web site where consumers can access Safe Harbor opt out tools.