Yesterday, the Federal Trade Commission (FTC) issued its report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” In a previous blog post we provided an overview of the report and noted that one of the five “action items” highlighted by the FTC in the report is to focus on the practices of information brokers (also referred to in the report and otherwise as “data brokers”). Most notably, the FTC calls on Congress to consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers and to allow consumers to access their data maintained by information brokers. The FTC notes in the report that Congress could model any such legislation on H.R. 2221 (the “Data Accountability and Trust Act”), a bill that the House passed during the 111th Congress, as well as similar bills introduced in the 112th Congress.
H.R. 2221 was passed by the House on December 8, 2009, but died in the Senate. The bill contained several provisions relating to information security, such as a data breach notification provision and a provision requiring entities that own or possess personal information to establish security policies and procedures. In addition, the bill included some data accuracy and access provisions that were targeted specifically to information brokers. In pertinent part, the bill would require each information broker to:
· establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains;
· allow each individual whose personal information it maintains to review such information, at the individual’s request at least one time per year and at no cost to the individual; and
· allow each individual whose personal information it maintains to dispute the accuracy of any such information, correcting the information as necessary.
However, the bill would deem any information broker that is engaged in activities subject to the Fair Credit Reporting Act (“FCRA”) and that is in compliance with sections 609, 610, and 611 of the FCRA to be in compliance with these data accuracy and access provisions.
Several bills were also introduced during the 112th Congress that contained data accuracy and access provisions similar to those in H.R. 2221. These bills are: (1) Data Accountability and Trust Act, H.R. 1707, 112th Congress (2011); (2) Data Accountability and Trust Act of 2011, H.R. 1841, 112th Congress (2011); and (3) Data Security and Breach Notification Act of 2011, S. 1207, 112th Congress (2011).