Bill Aims to Safeguard Personal Information
Measure Balances Privacy, Business Use of Consumer Data

The aim of the Commercial Privacy Bill of Rights Act of 2011 is to establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored and distributed.
The bill's introduction comes at a time of heightened concern over privacy. On April 1, online marketer Epsilon revealed that millions of e-mail addresses it maintains for some of the country's largest banks and retailers were pilfered (see Growing Roster Affected by Epsilon Breach).
Kerry characterized the bipartisan legislation as a "common sense" victory in the nation's capital, where partisanship and division too often triumph. "Our bill makes fair information practices the rules of the road, gives Americans the assurance that their personal information is secure, and allows our information driven economy to continue to thrive in today's global market," Kerry, who chairs the Commerce Subcommittee on Communications, Technology and the Internet, said in a statement.
The legislation would establish a framework where consumers can shop, browse and share information in an environment that is respectful of their personal information. "However, the bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing," said McCain, who chaired the Commerce Committee when Republicans held a majority in the Senate. "It is this practice that American consumers reject as an unreasonable invasion of privacy. This bill would put in place rules to guide the Federal Trade Commission in its ability to ensure the security of personal information while providing businesses more clarity in the commission's jurisdiction."
The bill would require those who collect data to implement security measures to protect the information they amass and maintain. Information collectors also would need to provide clear notice to individuals on the collection practices and the purpose for such collection. Additionally, the collector would be required to furnish a mechanism individuals can use to opt out of any information collection that is not authorized by the bill and to provide opt-in for the collection of sensitive personally identifiable information.
Respecting companies' existing relationships with customers and their ability to develop relationships with potential customers, the bill would require clear notice to individuals of their ability to opt out of the information collection for the purpose of transferring the data to third parties for behavioral advertising. The measure also would require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.
The bill also would require information collectors to collect only as much information as necessary to process or enforce a transaction or deliver a service, but would allow for the collection and use of information for research and development to improve the transaction or service, and for its retention for only a reasonable period of time.
Another provision would require collectors to bind third parties by contract to ensure that any individual information transferred to the third party be used and maintained in accordance with the bill's requirements. The bill would oblige the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
The bill, if enacted, also would:
- Direct state attorneys general and the Federal Trade Commission to enforce the bill's provisions, but not allow simultaneous enforcement by a state attorney general and the FTC.
- Allow the FTC to approve nongovernmental organizations to oversee safe harbor programs that would be voluntary for participants to join, but would have to achieve protections as rigorous as, or more rigorous than, those enumerated in the bill. The incentive for enrolling in a safe harbor program? Participants could design or customize procedures for compliance and could be exempted from some of the bill's requirements.
- Direct the Department of Commerce to convene stakeholders for the development of applications for safe harbor programs to be submitted to the FTC.
- Provide for research on privacy enhancement and improved information sharing.