Executive Summary

On May 4, 2010, key lawmakers in the House Energy and Commerce Committee unveiled a long-awaited draft consumer privacy bill that, if enacted, would provide a nationwide regulatory scheme for the protection of consumers’ personal information. Although the bill will almost certainly be revised before enacted, it nonetheless highlights the need for companies to anticipate privacy and information collection practices that may be imposed in a final bill, and in particular, the potential limitation of a company’s use of pre-existing database information collected prior to the law’s passage.

This legal alert will briefly summarize the scope and application of the proposed draft bill. This alert also will describe the methods of enforcement and explain the bill’s administrative implications for the Federal Trade Commission and the Federal Communications Commission. Finally, this alert will discuss steps that businesses can take now to prepare themselves for the new regulations on the horizon.


Scope and Application

One important highlight is that the proposed draft bill addresses offline information, something many privacy practitioners have long expected. Non-industry-specific privacy laws (as opposed to industry-specific laws such as those in the health and finance industries) generally cover only information collected online, and the bill recognizes that this distinction should end. Further, the proposed act applies to almost any non-government entity that collects “covered information” about individuals. Covered information would include basic forms of personal information, such as an individual’s name, postal and e-mail addresses, telephone and facsimile numbers, government-issued identification numbers (e.g., Social Security numbers, driver’s license numbers) and financial account numbers. However, it would also include more contemporary forms of data such as those used for behavioral advertising (e.g., “preference profiles” of information associated with an individual and “unique persistent identifiers” such as customer numbers, Internet Protocol addresses and user aliases). Previously, these forms of information identifiers have been considered non-personally identifiable information (Non-PII) and therefore not covered by privacy laws, which focus on personally identifiable information (PII). A new line of thinking gaining prevalence in the privacy community is that no distinction exists between PII and Non-PII, because Non-PII can easily lead (some say) to the discovery of PII about a person. However, while it is clear that theft of PII has a specific, identifiable harm – identity theft – the same cannot be said for Non-PII, the theft or unauthorized use of which has only inchoate harms.

Notice Requirements

Under the proposed act, regulated entities must provide a clear, understandable privacy notice that identifies the categories of information collected, the specific purposes for the collection and use of the information, and how the information is stored, used in conjunction with third-party data and disposed of. But the draft proposal does not stop there.

The notice must also state the purposes for which the information may be disclosed to third parties, list the categories of third parties that may receive the information, and provide information on how to access or limit what information is collected. Finally, the notice must explain the individual’s options and rights for accessing and inquiring about their collected information, and describe how the company will notify the individual of material changes to its privacy policy.

When the notice is presented through a website, it must be “clearly and conspicuously” posted and be directly accessible from a link on the website’s homepage. In “offline” transactions, the notice generally must be provided to the individual in writing before any information is collected.

Consent: General Rule is Opt-Out; Sensitive Data Collection and Sharing with Third Parties is Opt-In

Under the proposed draft, companies generally would be allowed to collect information unless a person affirmatively opts-out after being provided with the requisite opt-out notice and their opt-out rights.

As to certain information deemed “sensitive,” however, the draft requires companies to obtain express, affirmative “opt-in consent.” “Sensitive data” includes, e.g., medical records, information on race and sexual orientation, financial records, and (with particular relevance to the proliferation of mobile device-based applications) precise geo-location information. Opt-in consent is also required with respect to a company’s sharing of information about a person with unrelated third parties, and whenever a company makes material changes to its privacy practices that impact previously collected information.

Practical Exceptions

The draft provides several pragmatic exemptions aimed at minimizing business interruptions. One such exemption excuses the consent requirement for sharing information with third-party service providers such as data processing and customer support centers that perform administrative tasks concerning customer transactions. The proposal also exempts certain offline transactions where limited covered information is collected solely for internal operating purposes or to complete or enforce the transaction.

Behavioral Advertising Exception

The relatively new field of behavioral advertising is also addressed by the proposed draft. Behavioral advertising networks generally traffic only in Non-PII and are currently subject to an industry-promulgated, self-regulatory framework, which requires notice and publication of an opt-out ability. The draft recognizes this current framework, and would continue the opt-out regime only if the industry provides individuals with both the means to review and modify the criteria upon which behavioral advertising is delivered to them and a “readily accessible” mechanism to manage and save their opt-out preferences.

Enforcement and The Federal Trade Commission

The Federal Trade Commission (FTC) would be empowered to adopt rules to implement and enforce the new law. The FTC would also conduct a public education campaign to let consumers know about their opt-out rights under the new law.

Violations would be treated as unfair and deceptive acts in violation of the FTC Act. Notably, overlapping state privacy laws would be preempted, but state attorneys general would be empowered to enforce the federal law. However, no state enforcement action could be brought against an entity that is already a defendant in a pending federal enforcement action. The proposed act does not provide any private right of action.

Consistent Federal Regulatory Scheme

The draft also envisions the harmonization of its requirements with other federal laws. Within a year of its enactment, the measure would require the Federal Communication Commission to issue a report identifying all provisions of federal communication law that address subscriber privacy and describe how those provisions can be reconciled with the proposed act to create a “consistent regulatory scheme for covered entities and individuals.”

Business Implications For Today

Because few entities are in compliance with the basic notice and consent provisions of this proposal, if enacted, the proposal could require a majority of companies to jettison any covered information they currently maintain. Nonetheless, there are several steps that businesses can take to mitigate the impacts of this potential “sea change.”

At the very least, companies should begin to compile precise records about what information they collect, how they collect it, how it is used and by whom. Over time, this will enable those companies to make more concise and plain disclosures about how they use this information.

Also, companies that have not done so should amend their privacy policies to provide a mechanism for notifying users of, and obtaining their consent to, any material changes in the policy. For example, a privacy policy could state that notice of material changes will be e-mailed to a specific e-mail address associated with the individual’s use of the website. Alternatively, the website could provide a form where users sign up to receive notices (which will be far less cumbersome than e-mailing every person who visited the website).

Finally, businesses should encourage their web developers to start integrating links or space for disclosure at the website where information is collected, and to itemize how that information is actually used. Although this is currently difficult to track, engaging the appropriate persons now can help prepare your business for the limitations that are bound to be imposed in the future.
