The quest for comprehensive, federal privacy legislation has been on many a lawmakers’ wish list for years, and two House members took the next step this week with the release of draft legislation that would require opt-in access to sensitive online data, an expectation of privacy regarding third-party apps, and easily accessible privacy practices.
Consumer groups, however, said the bill does not do enough and criticized provisions that would prevent stronger state laws or individual lawsuits.
“Our goal is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure,” Rep. Rick Boucher, a Virginia Democrat and chairman of the House Subcommittee on Communications, Technology, and the Internet, said in a statement. “That greater sense of privacy protection will be particularly important in encouraging the trend toward the cloud computing.”
Boucher said the bill will not disrupt the online advertising industry, but “simply extends to consumers important baseline privacy protections.”
Boucher unveiled the legislation with Rep. Cliff Stearns, a Florida Republican and ranking member of the subcommittee. At this point, it is just a draft, is being circulated for comment, and has not been formally introduced in Congress.
“I have been working for years to enact meaningful privacy protection legislation and this draft is advancing the process,” Stearns said. “While I may not support everything in the current draft bill, it is important to get the input of stakeholders. I look forward to working with Chairman Boucher to improve upon his hard work.”
Specifically, the bill would require a company that collects personally identifiable information to display an understandable privacy policy that explains how the company uses its customers’ data.
The bill also says that companies can collect information about individuals unless they opt-out of those services. Consent would not be required to collect operational or transactional data like Web logs or cookies, or to aggregate anonymous Web data. Information that is collected would have to be anonymized or deleted within 18 months.
Express consent would be required for private information like medical records, financial accounts, Social Security number, sexual orientation, government-issued identifiers and precise geographic location information. Consent would also be required for a company to share non-operational or non-transactional data with third parties.
As it relates to behavioral advertising – or serving up more relevant ads based on Web history – a third-party ad network would need to provide opt-out options via a “clear, easy-to-find link to a webpage for the ad network that allows a person to edit his or her profile and, if he chooses, to opt out of having a profile, provided that the ad network does not share the individual’s information with anyone else.”
The Federal Trade Commission would be required to enforce the bill, so they could hand down penalties or file suit against a company that violated the rules. State attorneys general and consumer protection agencies would also be able to enforce it. It would go into effect one year after it is signed into law.
In a statement, Facebook said it applauded Boucher for “engaging in a thoughtful, deliberative process by releasing a discussion draft prior to introducing legislation.”
“As public attitudes towards sharing and control over information evolve and become more diverse, Rep. Boucher has taken an important step in what promises to be a productive and vigorous public dialogue about privacy in the Internet age,” Facebook spokesman Andrew Noyes said in an e-mail. “We look forward to being part of the discussion.”
Google and Microsoft had a similar view.
“We believe strong, consensus protections for data privacy are vital to support both the interests of our users and future innovation,” a Google spokesman said. “We are reviewing the draft legislation now and look forward to working with Congress on this important issue.”
“Microsoft has long advocated for a comprehensive federal privacy bill,” Microsoft spokeswoman Christina Pearson said in an e-mail. “We look forward to working with Chairman Boucher, Rep. Stearns and the House and Senate on this important effort to ensure consumer privacy is protected.”
A Yahoo spokeswoman said that Boucher and Stearns took “an important step” with their bill.
“While there certainly remain some fundamental issues to be worked out to make sure that this legislation protects the extraordinary breadth of free services for consumers made possible by online advertising, Yahoo commends the hard work that Representatives Boucher and Stearns have done thus far and we are grateful that they have stated they are not looking to disrupt this business model with their legislation,” she said in a statement. “We look forward to continuing to work constructively with the sponsors of this legislation and others in Congress as they debate this complex but important issue.”
Specifically, they were concerned that the bill would pre-empt current state, online privacy bills and ban a private right of action – or individual lawsuits. The groups also did not think the “opt-out” provisions of the bill went far enough to protect consumer rights, and were concerned that companies could keep data for 18 months.
“Please explain to me why a marketer would need your information for 18 months?” asked Michelle DeMooy, senior associate for national priorities at Consumer Action.
“This bill really adopts and endorses an archaic … notice and consent regime that we know does not work,” said John Simpson from Consumer Watchdog.
Simpson said Internet companies will likely be thrilled by the bill.
“I can’t imagine that the industry would be happier if they’d written a bill themselves,’ he said. “This basically gives them absolutely everything they want with no meaningful protection for consumers whatsoever. To describe it as industry-friendly is an understatement.”
“What we need is better default rules of the road for how privacy occurs on the Internet [so] you don’t have to worry about opting-out,” said Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation (EFF).
“One of the biggest concerns that we have with the current regime is that when opt-outs are present, they’re frequently kind of dummy opt-outs,” Eckersley continued. “What you’re opting out of is not the collection of information about you, but rather the targeting of advertising to you based on the information that was previously collected. You have no option of being surveilled, you can only opt out of being marketed to.”
Ginger McCall, staff counsel with the Electronic Privacy Information Center (EPIC), said that the opt-out requirements “simply maintains the status quo” while the state pre-emption clause denies the states a more innovative solution to combating violations.
Evan Hendricks, editor and publisher of Privacy Times, did not mince words.
“No bill would be better than this bill,” he said. “This is a non-starter. I don’t feel compelled [to thank Boucher for his efforts], but I will thank him if he realizes that this thing should be buried.”
Other groups that voiced their concern on the call included the World Privacy Forum, the Consumer Federation of America, the Privacy Rights Clearinghouse, and the Center for Digital Democracy.
Editor’s Note: This story was updated on Wednesday with comment from Yahoo.
Tue, May 4, 2010 at 10:19 am