On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.” The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period. Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.
The defined terms included in the bill are key to understanding its implications.
A “covered entity” is any person who collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period, and is either (1) subject to the FTC’s authority under Section 5 of the FTC Act, (2) a common carrier subject to the Communications Act of 1934 or (3) a nonprofit organization.
“Covered information” means only:
- Personally identifiable information
- Unique identifier information
- Any information that is collected, used or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual
The term “covered information” does not include:
- Personally identifiable information obtained from public records that is not merged with covered information gathered elsewhere
- Personally identifiable information that is obtained from a forum
- where the individual voluntarily shared the information or authorized the information to be shared; and
- that is widely and publicly available and contains no restrictions on who can access and view such information.
- Personally identifiable information reported in public media
- Personally identifiable information dedicated to contacting an individual at the individual’s place of work
“Personally identifiable information” means any of the following information about an individual:
- The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name
- The postal address of a physical place of residence of such individual
- An email address
- A telephone number or mobile device number
- A Social Security number or other government issued identification number issued to such individual
- The account number of a credit card issued to such individual
- Unique identifier information that alone can be used to identify a specific individual
- Biometric data about such individual, including fingerprints and retina scans
The term “personally identifiable information” also includes any of the following information if it is used, transferred or stored in connection with one or more of the items of information described above:
- A date of birth
- The number of a certificate of birth or adoption
- A place of birth
- Unique identifier information that alone cannot be used to identify a specific individual.
- Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address
- Information about an individual’s quantity, technical configuration, type, destination, location and amount of uses of voice services, regardless of technology used
- Any other information concerning an individual that may reasonably be used by the party using, collecting or storing that information to identify that individual
“Sensitive personally identifiable information” means:
- Personally identifiable information which, if lost, compromised or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or
- Information related to a particular medical condition or a health record; or the religious affiliation of an individual.
“Unauthorized use” means the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates. The term “unauthorized use” does not include the following uses of covered information relating to an individual by a covered entity or its service provider (if the use is reasonable and consistent with the practices and purposes described in the covered entity’s privacy notice given the individual):
- To process and enforce a transaction or deliver a service requested by that individual
- To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning and product or service improvement or forecasting
- To prevent or detect fraud or to provide for a physically or virtually secure environment
- To investigate a possible crime
- Use that is required by a provision of law or legal process
- To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services or products if the covered information used for such marketing or advertising was
- collected directly by the covered entity; or
- shared with the covered entity at the affirmative request of the individual; or by an entity with which the individual has an established business relationship.
- Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis and development
- Use that is necessary for internal operations, including the following:
- Collecting customer satisfaction surveys and conducting customer research to improve customer service information.
- Information collected by an Internet website about the visits to such website and the click-through rates at such website to improve website navigation and performance; or to understand and improve a the interaction of an individual with the advertising of a covered entity.
- Use by a covered entity with which an individual has an established business relationship which the individual could have reasonably expected, at the time such relationship was established, was related to a service provided pursuant to such relationship; and which does not constitute a material change in use or practice from what could have reasonably been expected.
In brief, the bill incorporates the following key elements:
Right to Security and Accountability. The bill instructs the FTC to initiate a rulemaking proceeding that would require each covered entity to implement security measures to protect the covered information the entity collects and maintains. The bill also requires each covered entity to have “managerial accountability” (proportional to the entity’s size and structure) and to implement processes for responding to non-frivolous consumer inquiries. In addition, the bill includes a “privacy by design” provision which requires each covered entity to implement a comprehensive information privacy program by incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard PII that is covered information.
Right to Notice and Individual Participation. The bill instructs the FTC to initiate a rulemaking proceeding to require each covered entity to provide clear, concise and timely notice regarding the entity’s information practices, and the purposes of, and any material changes to, such practices. The bill also instructs the FTC to initiate a rulemaking proceeding that requires each covered entity to offer a clear and conspicuous mechanism for individuals to opt-out of the (1) “unauthorized use” of their covered information (unless such use requires an opt-in), or (2) use by third parties of their covered information for behavioral advertising or marketing purposes.
In short, opt-in consent is required for (1) the collection, use or transfer of sensitive PII (other than for processing a transaction or delivering a service, fraud prevention and detection or physical or virtual security purposes), and (2) the use of previously collected covered information or transfer to a third party for an unauthorized use of such information if there is a material change to the entity’s stated practices or if such use or transfer creates a risk of economic or physical harm to an individual. In addition to consent mechanisms, the bill directs the FTC to initiate a rulemaking proceeding to require each covered entity to provide individuals with (1) appropriate and reasonable access to, and the ability to correct, their information, and (2) the option to request that the individual’s PII that is covered information be rendered not personally identifiable, if possible, when the entity enters bankruptcy or the individual terminates its relationship with the entity, except where the individual has shared the information with the covered entity in a “widely and publicly available forum.”
Rights Relating to Data Minimization; Constraints on Distribution; Data Integrity. Covered entities shall collect only as much covered information as is reasonably necessary for the purposes that are not considered “unauthorized uses” (as outlined above), and retain covered information for such duration as is reasonably necessary (1) to provide the transaction or service, (2) to conduct research and development, or (3) as required by law. Covered entities also must attempt to establish and maintain reasonable procedures to ensure that certain PII that is covered information is accurate in instances where the information could be used to deny benefits to consumers or cause significant harm.
Safe Harbor. The bill calls for the FTC to approve non-governmental organizations to run voluntary safe harbor programs that would exempt participating entities from certain requirements of the Act.
Enforcement. “Knowing or repetitive” violations shall be enforceable by the FTC as unfair or deceptive acts or practices, and state attorneys general also may bring civil actions. Violators may subject to civil penalties, but the bill explicitly does not provide any private right of action.
As we reported in July 2010, Senator Kerry announced his intention to introduce an online privacy bill as Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet and indicated that the bill would go beyond the regulation of targeted advertising. In December, we reported that the Senior Advisor to Senator Kerry briefed the members of the Centre for Information Policy Leadership at Hunton & Williams on this privacy legislation.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code