Frankfurt Kurnit Klein & Selz

April 15th, 2011

Kerry and McCain Introduce “Commercial Privacy Bill of Rights Act of 2011”

Senators John Kerry (D-MA) and John McCain (R-AZ) introduced a privacy bill this week that seeks to provide consumers with more transparency and control regarding the collection, use, storage, and transfer of their personal information. The bill – in its infancy and likely to face opposition – does not require changes in privacy practices unless and until it is enacted. But with bipartisan backing, it’s a privacy bill that could pass. Here’s a summary.

Entitled the “Commercial Privacy Bill of Rights Act of 2011,” the bill would impose a number of requirements upon any entity that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period.” “Covered information” would include personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used or stored in connection with PII or UII such that the information may reasonably be used by the collecting party to identify a specific individual. (The bill expressly excludes from its purview information that is public and information that is obtained from a widely and publicly available forum where the individual voluntarily shared the information.) Specifically, the bill proposes that businesses or individuals covered by the Act provide consumers with the following rights:

• Security and Accountability. Covered entities must create and implement security measures to protect the covered information that they collect and maintain, and they must have a process to respond to inquiries from individuals regarding how their information will be collected, stored, and used.
• Notice and Individual Participation. Covered entities must provide consumers with “clear, concise, and timely notice” of their practices regarding the collection, use, and storage of covered information. The bill also proposes that covered entities must provide consumers with clear and conspicuous opportunities to opt-out of information collection that is not authorized by the Act and the use by third parties of covered information for advertising or marketing purposes (including behavioral advertising). Additionally, the bill would require covered entities to provide consumers with an opt-in mechanism for consent to: (i) the collection or use of sensitive PII (with certain limited exceptions, e.g., to process a transaction or deliver services requested by a consumer); and (ii) the unauthorized use of previously collected covered information if there is a material change in the applicable privacy practices or such use creates a risk of economic or physical harm to the consumer. Finally, the Act would mandate that consumers be provided with access and the right to correct their information.
• Data Minimization. The bill would require covered entities to collect “only as much covered information relating to an individual as is reasonably necessary” for the statutorily sanctioned purposes (i.e., those purposes that are not “unauthorized uses”) and to retain such information only so long as reasonably necessary to accomplish the permitted purposes.

The bill vests the power to enforce these requirements with the Federal Trade Commission (“FTC”), though state Attorneys General may bring civil actions if the FTC has not commenced a proceeding; private rights of action are prohibited.

The proposed Commercial Privacy Bill of Rights Act comes at a time when privacy is at the forefront of the regulatory discussion; while the industry has been largely left to self-regulate in the area of online privacy, there has been increased discussion recently about the growing need for enforceable legal guidelines. The bill itself notes that the existing “self-policing schemes” provide “insufficient privacy protection to individuals” and have not yet “provide[d] baseline fair information practice[s].” (The bill, however, does include a “safe harbor” provision, whereby the FTC will establish requirements for and approve self-regulatory programs in which businesses can voluntarily participate, thus exempting them from certain of the Act’s requirements.) Additionally, Senator Kerry acknowledged the FTC’s recent do-not-track proposal, explaining that such a provision did not make its way into the current draft due to “the balance between consumer support and industry support” but that “it may well be one of the amendments that we continue to talk about.”

For more information on the potential legislation, privacy guidelines or any other advertising law issue, please contact Terri Seligman at tseligman@fkks.com or (212) 826 5580, or any other member of the Frankfurt Kurnit Advertising Group. For more alerts and general announcements from our firm, follow us on Twitter.
Disclaimer. This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.