US Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced federal privacy legislation on April 12 that would require companies to provide consumers with opt-out mechanisms and to notify consumers of the collection and use of personally identifiable information (PII) both online and offline. However, the Commercial Privacy Bill of Rights Act of 2011 does not include a Do Not Track provision.
The omission of Do Not Track language separates the Kerry-McCain bill from the legislation Rep. Jackie Speier (D-Calif.) introduced in February and the FTC’s call last December for a universal Do Not Track mechanism.
The bill would require the FTC to establish rules governing how companies communicate their information collection practices to consumers, specifically that companies offer an opt-out mechanism for third-party behavioral tracking and advertising. It also requires companies to add an opt-in mechanism for the collection of personally identifiable information and the transfer of previously collected data to a third party for use not previously communicated to the consumer.
The bill would require companies to develop a comprehensive information privacy program that would ensure data collected by the company is managed in accordance with the bill’s requirements. It would also require companies to provide an opt-in mechanism for the collection and use of any consumer data for reasons “other than to process a transaction or service requested by that individual.”
“One of the things we worry about is [the impact this bill would have on] self-regulation,” said Jerry Cerasale, SVP of government affairs at the Direct Marketing Association. “We’re a huge proponent of self-regulation, and having the FTC as an authority of the self-regulatory program changes it from being a self-regulatory program.”
The bill defines personally identifiable information as an individual’s first and last name, address, email address “if it contains the individual’s name,” personal phone number, Social Security number, or other government-issued identification number tied to an individual, such as “a customer number held in a cookie.”
Companies would also need consumers’ consent to change how they use such data or to share that personally identifiable information with a third party for public display or other reasons. Companies would also be required to notify consumers of “types of unauthorized uses” of information when transferred to a third party.
Consumers would also have the option to request that all personally identifiable information collected by a company be rendered unidentifiable.
The bill states a company may use collected consumer data to market to an individual consumer, provided that he or she opts in and the company collects that consumer’s information itself.
“Consumers want to shop, browse and share information in an environment that is respectful of their personal information. Our legislation sets forth a framework for companies to create such an environment and allows businesses to continue to market and advertise to all consumers, including potential customers,” said McCain in a statement announcing the bill. “However, the bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing.”
The bill would also enable the creation of “safe harbor programs” that would help companies self-regulate, provided they establish rules and practices consistent with those outlined in the bill. The FTC would approve and supervise these programs, according to the legislation.