Posted on July 21, 2010 by Bret Cohen

Rep. Rush Introduces Privacy Bill to Regulate Collection and Use of Personal Information

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses).  Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business.  The bill, titled the “BEST PRACTICES Act,” would require each covered entity, with some exceptions, to do the following:

  • Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
  • Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which it has a direct relationship);
  • Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
  • Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
  • Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
  • Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
  • Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
  • Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
  • Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
  • Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
  • Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

  • Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
  • The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
  • Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation.  The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees.  There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) in May.  Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter European-like privacy protections to the collection and use of information, now regulated on an ad hoc basis by the FTC under its authority to regulate unfair and deceptive trade practices under Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

Tags: , , , ,
Posted on May 5, 2010 by Bret Cohen

Reps. Boucher and Stearns Release Long-Awaited Advertising Privacy Bill

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies’ online collection and use of personal information and online activity, including use for the purpose of targeted online advertising.  Here are some observations about the draft bill, in its current form:

  • The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented."  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.
  • In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”
  • Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.
  • The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:

    "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."

     Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU and FTC Chairman Jon Leibowitz commented just a couple weeks ago that he believes that IP addresses should be considered personal information).  Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.

Click "Continue Reading..." for more

 

  • The bill would not only regulate the online collection of covered information from individuals, but also about individuals.  This means that the bill as written would apply to businesses that compile covered information about individuals from publicly available web sites without the express consent of the individuals.  Since these businesses do not have a relationship with the users of the web sites from which they collect information, it is almost impossible for them to make the necessary disclosures to or obtain the consent of these users.  This consequence of the bill could affect businesses such as search engines if they collect and index any “covered information” without the express consent of the subjects of the information.
  • The disclosure and consent requirement would apply to both online and offline collection of covered information.  Disclosure would not be required for the collection of certain information offline, and, importantly, consent would not be required if the information is collected, used, or disclosed for purposes related to the operation of the web site or for administering a specific transaction between the user and the web site.  The latter exception allows web sites to collect covered information, including IP addresses, for the purposes of maintaining the security of their web sites, or for providing services to individuals that use the sites.
  • Web sites would be required to provide mechanisms for individuals to withdraw previously granted consent to use their information for the purposes of marketing, advertising, or selling the information, and must honor this withdrawal of consent.
  • Web sites would be required to ensure the accuracy of the information they collect, and the FTC would be directed to establish data security safeguards that web sites would need to follow to protect covered information they maintain.
  • If enacted, the bill could be enforced by the FTC and state attorneys general, though it expressly disclaims a private right of action.  The bill also would preempt state laws regulating behavioral advertising.

Reaction to the bill’s announcement was mixed. One commenter described the bill as one that “would push American privacy legislation closer to the strict rules that the European Union uses, and would extend privacy protections both on the Internet and offline.”  On the other hand, some privacy advocacy groups believe the bill would not provide tangible benefits for consumers, citing the preemption of stronger state laws, the provision allowing marketers to retain information for 18 months without express user consent, and the bill’s utilization and tacit endorsement of the much-criticized notice-and-consent regime.

In the end, the bill is still only in discussion draft form, Boucher is "facing what may be the most difficult re-election of his 28-year career" this fall, and there are many steps it would need to take before reaching the floor of Congress, which it is highly unlikely to do in the current term.  Still, the release of this bill signals that Congress is taking the issue of online behavioral advertising seriously, and even if not enacted it could create momentum leading to other legislation or increased FTC regulation of online behavioral advertising (as it has warned it might do when releasing and revising its Online Behavioral Advertising Principles most recently in February 2009), or encourage similar federal or state regulation of the collection and use of personal information for marketing purposes.

Thanks to Elizabeth Khalil in the Hogan Lovells privacy group for contributing to this report.
Tags: , ,
Posted on April 14, 2010 by Christopher Wolf

Complimentary Webcast of a Presentation by Hogan & Hartson's Privacy Practice Lead Chris Wolf on New Directions in Enforcement and Policy at the FTC and the Impact on Businesses

The privacy and data security enforcement agenda at the Federal Trade Commission is evolving. Consent decrees are imposing stricter and more specific standards on business with respect to the collection, usage, storage, sharing and disposal of personal information. Recent changes in leadership at the FTC, and public statements from the FTC Chairman and the Director of the Bureau of Consumer Protection, suggest more aggressive privacy and data security enforcement in the coming years. And the entire paradigm of privacy protection, including its foundation of notice and choice, is under reexamination after a series of FTC Roundtables conducted in later-2009 and early-2010.

For businesses under the jurisdiction of the FTC, the impact of this evolving enforcement agenda is significant. Greater attention than ever must be paid to the issue of notice and choice, as well as to the physical, technical and administrative safeguards provided for personal information, to ensure that specific statutory standards enforced by the FTC are met and that the general consumer protection standard of Section 5 is also satisfied.

Historically, enforcement actions by the Commission under Section 5 of the FTC Act focused on businesses that failed to adhere to promises they made about privacy and data security. In many of these cases, the FTC determined that a business’s failure to adhere to their own policies and promises constituted an unfair business practice. In the middle of the last decade, however, the enforcement focus at the FTC began to change. Rather than concentrating enforcement activities exclusively on businesses that failed to adhere to their own promises, the Commission began to look more at whether a business’s actual privacy and data security practices were reasonable.

The many reports of data security breaches required under state laws gave the FTC several new enforcement targets – businesses whose lax data security led to breaches that had to be reported publicly. In these cases, unreasonably lax practices led to a complaint of unfairness under Section 5. Also noteworthy about this phase of FTC enforcement was that nearly all of these cases involved instances in which privacy and security failures resulted in substantial consumer harm. In recent years FTC enforcement has become more “granular,” in the sense that the FTC enforcement staff examines specific details of respondents’ privacy practices and information security measures when assessing “reasonableness.”

By clicking on this link, you will be taken to a 45-minute multimedia presentation on the new directions in enforcement at the FTC, with in-depth cases analysis, including the recent Dave & Busters consent decree involving the absence of filters for outgoing data to protect against the loss of personal data. 

Tags: , , , , ,