Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) have introduced the “Commercial Privacy Bill of Rights Act of 2011” (Kerry pdf; archive pdf) that they say “establishes a framework to protect the personal information of all Americans.” (See reactions from consumer groups after the jump.) From the press release:
The Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 would establish rights to protect every American when it comes to the collection, use, and dissemination of their personally identifiable information (PII).
These privacy rights include:
- The right to security and accountability: Collectors of information must implement security measures to protect the information they collect and maintain.
- The right to notice, consent, access, and correction of information: Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection. Additionally, the collector must provide the ability for an individual to opt-out of any information collection that is unauthorized by the Act and provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies’ existing relationships with customers and the ability to develop a relationship with potential customers, the bill would require robust and clear notice to an individual of his or her ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.
- The right to data minimization, constraints on distribution, and data integrity: Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time. Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill’s requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
Other key elements of the Kerry-McCain Commercial Privacy Bill of Rights include:
- Enforcement: The bill would direct State Attorneys General and the Federal Trade Commission (FTC) to enforce the bill’s provisions, but not allow simultaneous enforcement by both a State Attorney General and the FTC. Additionally, the bill would prevent private rights of action.
- Voluntary Safe Harbor Programs: The bill allows the FTC to approve nongovernmental organizations to oversee safe harbor programs that would be voluntary for participants to join, but would have to achieve protections as rigorous or more so as those enumerated in the bill. The incentive for enrolling in a safe harbor program is that a participant could design or customize procedures for compliance and the ability to be exempt from some requirements of the bill.
- Role of Department of Commerce: The Act directs the Department of Commerce to convene stakeholders for the development of applications for safe harbor programs to be submitted to the FTC. It would also have a research component for privacy enhancement as well as improved information sharing.
Some consumer groups have already responded to the bill’s release. Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse and Privacy Times announced (pdf):
A coalition of consumer groups and privacy advocates welcomed the bipartisan effort by Senators John Kerry and John McCain to craft online privacy legislation today, but said their bill needs to be significantly strengthened if it is to effectively protect consumer privacy rights in today’s digital marketplace.
In a letter to the Senators, Consumer Watchdog, the Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse and Privacy Times said they could not support the bill at this time. […]
Here are highlights of the groups’ concerns:
— Meaningful privacy legislation must direct the Federal Trade Commission to require and enforce a “Do Not Track Me” mechanism.
— The bill relies too heavily on the “notice and choice” model and could simply enshrine current practices, allowing the continued compilation of vast digital dossiers that can negatively affect consumers in transactions involving their finances, health and families.
— The bill gives special interest treatment to Facebook, and other social media marketers, that permit them to gather data on their users without sufficient safeguards.
— Consumers must have the right to hold companies accountable for violating their privacy through a private right of action.
— The bill would prohibit states from enacting stronger protections.
— The bill usurps the FTC’s traditional lead role in protecting privacy and turns much of its responsibility over to the Commerce Department. The Commerce Department – as it should – primarily seeks to promote the interests of business. It is not, nor should it be expected to be, the primary protector of consumers’ interests. Commerce, therefore, must not have the lead role in online privacy.
The groups’ full letter is attached to their announcement.