Legislation on Internet privacy has been mushrooming since release of the Federal Trade Commission’s report last December calling for adoption of a “Do Not Track” mechanism, similar in concept to the “Do Not Call” registry, for consumer protection against unwanted online tracking and targeted ads. Bills are pending in the U.S. House and the California Legislature that would implement the FTC’s Do Not Track recommendation.
This week, the legislative landscape got more crowded and interesting with the bipartisan introduction of a “Commercial Privacy Bill of Rights” by Senators John Kerry and John McCain. Unlike its counterparts in the House and California, the Kerry-McCain bill does not include Do Not Track, setting up a potential showdown on a core element between the two chambers in an eventual conference to hash out a final bill. Still, the Kerry-McCain privacy plan is extremely comprehensive and, given the bipartisan alliance and political stature of its authors, could become the focal point in Congress for enactment of the nation’s first Internet privacy law.
In brief, the Kerry-McCain privacy rights include:
· The Right to Security – Internet marketers must implement security measures to protect the consumer information they collect and maintain.
· The Right to Notice, Consent, Access and Correction of Information – Internet marketers must give consumers clear and timely notice of their information collection, use, transfer and storage practices and purposes and any material changes to them. Consumers must be allowed to opt-out of data collection not authorized by them (i.e., uses other than in a requested transaction or service; marketing to them by the collector of the data or by other companies that received the data with their permission; product and service enhancements; website analytics). Consumers also must opt-in for the collection of sensitive personal information (i.e., name, email address, phone, credit card or social security number which, if lost or disclosed without permission, could cause harm) except for use in a transaction or service. Consumers also must be given clear notice of their right to opt-out of data-sharing for behavioral advertising. Consumers may also see and correct their data and request at any time that it no longer be used or distributed.
· The Right to Data Minimization, Constraints on Distribution, and Data Integrity – Internet marketers can only collect as much data as necessary to process a transaction, provide a service, or to use to improve service, and can only keep the data for a reasonable time. They must contractually bind third party recipients of the data to comply with the law’s privacy protections and their own privacy policies, and they must take reasonable steps to ensure the data’s accuracy.
Under the legislation, the FTC, with the help of the Department of Commerce, would develop and oversee voluntary safe harbor programs that businesses could join as a way of minimizing the impact of the law and their liability. The FTC also would be required to pass rules fleshing out the law’s provisions and would be its primary enforcer. State Attorneys General also will be able to enforce the law, but only when the FTC hasn’t. Lawsuits by consumers or other private parties to enforce the law would not be allowed.
Kerry-McCain attempts to strike a balance between the privacy interests of consumers and the commercial interests of Internet marketers in using behavioral advertising to target consumers. Online privacy is shaping up to be the consumer issue of the year in Congress. With or without Do Not Track, the likelihood of passage of a federal Internet privacy law, imposing significant data collection, sharing and security requirements on Internet marketers, appears to be great.
It is in the interest of anyone marketing to consumers on the Internet to follow the privacy debate in Congress (and California), and to anticipate and understand the new privacy requirements that are headed their way. I will continue to pay close attention to the action and will be happy to try to answer any questions you may have on this or any other topic of FTC advertising regulation. Please don’t hesitate to contact me at any time.