Leading congressional proponents of strong privacy protections for consumers' personal information have recently introduced legislation that advances the debate in Congress regarding whether and how such increased protections should be implemented. As discussed below, these bills are quite broad in scope - covering online (and, under some of the bills, offline) collection, use, and disclosure of personal information by organizations in all industries.
Although the enactment of legislation is by no means certain at this point because of the differing approaches to data privacy and security issues taken by the Senate and House sponsors and the congressional committees with jurisdiction over these matters, apparent bipartisan support for new consumer privacy protections has improved the prospects of such legislative initiatives. Businesses should therefore carefully monitor these bills, which, if enacted, could establish significant new regulatory burdens and costs for a wide range of companies.1This article provides an overview of three major privacy bills that have been introduced by leading legislators in the House and Senate,2and highlights some of the key issues and differences within and among them.
The Kerry-McCain Bill (S. 799)
On April 12, 2011, Sens. Kerry (D-MA) and McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the "CPBRA").3Their bipartisan proposal will likely be the foundation for Commerce Committee efforts to craft a consumer privacy "bill of rights" that could win the support of a majority in the Senate and build momentum for action by the House. The Committee has already held hearings on an earlier "discussion draft" of their bill, and Committee chairman Sen. Rockefeller (D-WV) has made enactment of a privacy bill one of the Committee's highest priorities. Although no specific timetable has been announced, the Commerce Committee could proceed relatively quickly to consider the bill.
The CPBRA would establish new consumer privacy rights that would be protected through several separate and extensive new rulemakings by the Federal Trade Commission (the "FTC"), which would be given broad oversight and enforcement authority. These include consumers' rights to:
• Security and accouuntability, requiring covered entities to incorporate "privacy by design" into the development of new products and services and to establish procedures for protecting covered information from unauthorized use;
• Notice, requiring covered entities to provide individuals with "clear, concise, and timely notice" of their practices for the collection, use, transfer, and storage of covered information, the specific purposes of those practices, and any material change in such practices before the change is implemented;4
• Individual participation , requiring covered entities to offer individuals clear and conspicuous mechanisms to opt out of certain uses of their covered information (and even to opt in to certain uses or disclosures, such as where sensitive information is at issue), and to permit individuals to access their personally identifiable information ("PII"), to correct inaccuracies in such information, and, where service is terminated or a covered entity enters bankruptcy, to have such information rendered not personally identifiable; and
• Additional rights regarding data minimization ( e.g ., collection of only the data necessary to a specific purpose and retention of data only as long as necessary or reasonable), constraints on distribution of personal data to third parties, and data integrity ( e.g ., protecting the accuracy of data).
The new regulations would be enforced by the FTC and violations would be subject to penalties under Section 5 of the FTC Act. State attorneys general could bring enforcement actions in federal court, which could result in additional civil penalties of up to $3,000,000.
The bill would also mandate an additional rulemaking to establish the FTC's oversight and enforcement of "safe harbor" programs, under which participating covered entities would be required to meet minimum privacy protection requirements in exchange for an exemption from certain provisions of the CPBRA.The Department of Commerce (the "DOC") would broker the development of "codes of conduct" among stakeholders to form the basis for the safe harbor programs.
Overlapping state laws would be preempted - except for laws relating to data breach notification, fraud, or the collection, use, or disclosure of health or financial information - and there would be no private rights of action.
Additionally, and with perhaps only a few exceptions, the bill provides that if a covered entity is subject to the CPBRA and any one of the other federal privacy statutes enumerated in the bill, such as the Gramm-Leach Bliley Act (the "GLBA") or the Fair Credit Reporting Act (the "FCRA"), then such other federal statute would prevail.5
The Stearns Bill (H.R. 1528)
On April 13, 2011, Rep. Stearns (R-FL) introduced the Consumer Privacy Protection Act (the "CPPA").6The Stearns bill, which also has bipartisan support, differs from the Kerry-McCain proposal in several material respects, and its prospects are somewhat less certain.
Rep. Stearns' bill was referred to the House Energy and Commerce Committee, where Rep. Bono Mack (R-CA), who chairs the Subcommittee on Commerce, Manufacturing, and Trade, has been assigned the lead role on privacy issues. Bono Mack has publicly acknowledged the critical importance of protecting individual privacy, but has also urged consideration of the potential effect of such legislation on the U.S. technology sector and its ability to compete internationally.
The CPPA would require covered entities to:
• Implement a privacy policy regarding the collection, sale, disclosure for consideration, and certain other uses of a consumer's PII;
• Make the policy easily available to consumers at the time their PII is first collected, if the PII may be used for a purpose unrelated to the transaction with the consumer;
• Provide a privacy notice to consumers before any PII is used by the covered entity for a purpose unrelated to a transaction with the consumer and upon any material change in the privacy policy;
• Allow consumers to "preclude" the sale or disclosure of their information, for a purpose unrelated to a transaction with the consumer, to certain entities not affiliated with a covered entity; and
• Implement an information security policy that is designed to prevent the unauthorized disclosure or release of a consumer's PII.
As with the CPBRA, these requirements would be enforced by the FTC, which would be authorized to issue implementing regulations and guidance regarding compliance. Violations would be considered violations of Section 5 of the FTC Act and subject to civil penalties of double the amount provided by the FTC Act, up to a maximum of $500,000 for all related violations by a single violator.
The CPPA would encourage covered entities to participate in FTC-approved self-regulatory programs by deeming participating entities compliant with the requirements established by the CPPA, and would prescribe the terms of a dispute-resolution process for entities participating in such programs. The measure would fully preempt state laws regarding matters addressed by the CPPA and would exclude private rights of action. However, the CPPA would not preempt existing federal privacy laws, such as the GLBA and the FCRA.
The Rockefeller Bill (S. 913)
On May 9, 2011, Chairman Rockefeller introduced the Do-Not-Track Online Act of 2011 (the "DNTOA").7The DNTOA is not a comprehensive consumer privacy bill, but requires only the implementation of a "Do-Not-Track" ("DNT") mechanism to allow individuals to direct that their online activities not be tracked. It would apply to providers of online services that are already subject to the FTC Act, including providers of mobile applications and services, and to nonprofit organizations.
The DNTOA would direct the FTC to issue regulations that (1) establish standards for DNT mechanisms by which individuals could exercise choice regarding providers' collection of their information, and (2) require online companies to accommodate a consumer's DNT preference unless (i) the collection and use of information are necessary to provide a service requested by the consumer and the information is either anonymized or deleted after the service is delivered, or (ii) notice was provided and consumer consent was obtained. The regulations would be enforced by the FTC, but could also be enforced through civil actions brought by state attorneys general or other state officials.
Comparing The Bills
The Rockefeller bill has just one purpose - to implement a DNT mechanism. The Kerry-McCain and Stearns bills are more comprehensive privacy proposals and are similar to each other in some respects, which suggests that certain common elements could garner enough Congressional support to become the basis for viable legislation. Based on the current versions of each bill, such common elements include:
• Requirements for both online and offline collection and use of consumers' PII;
• Requirements that "covered entities" collecting, using, or disclosing PII: (1) notify consumers of the entities' data collection, use, and disclosure practices; (2) explain the purposes for which information is collected, used, and disclosed; (3) provide notice of material changes to the terms of the initial privacy notice; (4) afford consumers the opportunity to oppose the sharing of their PII with third parties for marketing and other purposes outside of listed exceptions; and (5) undertake measures to protect the security of PII, including when shared with a third party;
• Broad preemption of overlapping state laws (although the CPBRA contains significant carve-outs for state laws addressing the treatment of health or financial information, data breach notification, or fraud);
• Giving effect to existing federal privacy laws, such as the GLBA, FCRA, Right to Financial Privacy Act, and Health Insurance Portability and Accountability Act, so that covered entities would not be subject to multiple and perhaps conflicting privacy requirements (although the CPBRA appears to preempt privacy regulation of cable and telecommunications entities);
• Preclusion of private rights of action;
• Additional penalties for certain violations; and
• Establishment of voluntary self-regulatory or "safe harbor" programs.
However, despite these similarities, the bills differ considerably in how such principles would be implemented and enforced. At a high level, the Kerry-McCain bill is more sweeping and prescriptive than the Stearns bill in that it covers more areas, contains more detailed baseline requirements of what is acceptable and expected behavior by companies, and would grant the FTC new rulemaking and other powers to accomplish its broader objectives. By contrast, the Stearns bill focuses primarily on required disclosures through privacy policies and industry self-regulatory programs approved by the FTC. Notably, for example, the Stearns bill does not include the following elements of the Kerry-McCain bill:
• Establish a privacy "bill of rights" or grant the FTC new rulemaking authority with respect to such rights;
• Mandate "privacy by design" for a company's development of its products and services;
• Specify authorized uses for PII;
• Require opt- in consent for certain uses or disclosures of certain PII;
• Require that covered entities engage in specific due diligence before selecting service providers and impose data-use restrictions on them;
• Afford individuals rights to access and correct their PII maintained by covered entities;
• Mandate supervision of safe harbor programs;
• Permit enforcement by state attorneys general; or
• Provide a role for the DOC or any other governmental entity in brokering the provisions of a safe harbor program.
These key differences between the bills will no doubt lead to vigorous debate and will make it more difficult to achieve compromise privacy legislation in this Congress.
In the wake of several recent high-profile data security incidents as well as consumers' increasingly vocal dissatisfaction with the level of control they have over their own personal information, the growing bipartisan support for heightened privacy protections for consumers' personal information seems to demonstrate a greater willingness on the part of Congressional leaders to address these concerns head-on. Although it remains to be seen whether any particular bill discussed above will be enacted, given the likely opportunities industry participants will have to help shape FTC implementing regulations as well as any new self-regulatory initiatives that may flow from these or other bills, businesses should closely monitor all legislative developments in this space to ensure that they understand the potentially significant costs and risks associated with any new federal law(s) addressing consumer information privacy. 1 Despite the broad scope of these proposed bills, neither the Kerry-McCain nor the Stearns bill (discussed herein) would apply to entities that do not collect, transfer, sell, disclose for consideration, or use personal information of more than 5,000 consumers during any consecutive 12-month period.
2 In the wake of recent high-profile data breaches involving Sony, Epsilon, and others, Congress is also considering legislation to create new requirements in the context of data security, including the proposed Secure and Fortify Electronic Data Act ("SAFE Act"), which was released as a discussion draft on June 10, 2011. Although both Republicans and Democrats expressed concerns regarding the bill during a hearing on June 15, 2011, both sides have stated that they hope to reach a consensus.
3 S. 799, 112th Cong. (2011).
4 The bill would authorize the FTC to provide a draft model template for use by covered entities in designing the required notices.
5 It is unclear how broadly such deemed compliance would apply in practice. For example, since both the GLBA and the CPBRA have sections that address when consumer consent is required, it is possible that a covered entity subject to both laws would have to comply only with the GLBA's consent provisions, despite the fact that the two consent sections do not completely overlap.
6 H.R. 1528, 112th Cong. (2011).
7 S. 913, 112th Cong. (2011).
Published July 1, 2011.