Federal lawmakers today introduced the Commercial Privacy Bill of Rights Act of 2011, which would set guidelines for allowing consumers to opt out of having their personally identifiable information collected, stored and used online and offline. The bill gives the Federal Trade Commission the authority to enact and enforce rules providing consumers with more control over their web-browsing data. If passed, the legislation could significantly affect online advertising and how e-retailers market to consumers through ad networks.
Sen. John Kerry, a Democrat from Massachusetts, and Sen. John McCain, a Republican from Arizona, jointly introduced the bill during a press conference this afternoon. The bipartisan effort advances recommendations set forth by the FTC’s December report on protecting consumer privacy online. The bill also calls on the U.S. Department of Commerce to help the FTC map out the new rules. As introduced, the bill does not include a blanket do-not-track provision that would allow consumers to fully opt out of being tracked as they move around the web, although the senators said the issue would continue to be discussed. “If you have a sufficient [opt out or opt in program] to begin with, that will answer concerns about do not track,” Kerry said.
McCain said consumers’ “fundamental right to privacy” is being intruded upon every day online and that the legislation would enable consumers to stop their information from being collected and used by marketers and advertisers. “We have no legal right today to tell them to stop,” Kerry said. “We want to change that and keep our private data safe by laying down fair information practices for anyone collecting it.”
Kerry said the bill does provide some flexibility for businesses to figure out how to best implement the FTC rules. The bill includes a provision that allows companies to design their own privacy procedures and implement them any way they want so long as they are on par with the standards the FTC sets out, Kerry said.
The bill largely pertains to data collected by third parties, such as ad networks that track visitors to news, entertainment and other web sites, not the e-commerce sites a consumer directly interacts with. The bill does not restrict an e-retailer from tracking the behavior of consumers on its site or from using that behavioral data in a way that improves service, such as by offering a shopper products similar to those he’s viewed or offering a customer satisfaction survey. The bill’s opt-out provision does not pertain to online behavior data collected and used for fraud-detection purposes.
The bill does not restrict e-retailers from collecting personally identifiable data in the course of a transaction. Personally identifiable information, according to the bill, includes a person’s name, physical and e-mail addresses, personal telephone numbers and credit card account numbers. Personally identifiable information also includes “unique persistent identifiers,” such as cookies, if those identifiers can be linked to a specific individual.
David Almeida, a partner at law firm Sedgwick LLP who helps companies defend consumer fraud claims relating to their direct marketing practices, says the Kerry-McCain bill attempts to bring some uniformity to federal privacy legislation. "The United States has historically favored a topical or sectoral approach to privacy regulation that has resulted in a morass of laws and regulations, each designed to protect only certain types of information or classes of individuals, such as data about medical histories, personal finances or minors," he says.
Online advertising trade groups have long favored industry self-regulation over government-mandated rules that could make it harder for ad networks to track online shopper activity.
The Digital Advertising Alliance, an umbrella group of seven trade associations, has developed the self-regulatory AdChoices program, which is designed to allow consumers to opt out of having their information collected and used to serve ads based on their online browsing behavior. A recent analysis of the program by Carnegie Mellon University showed uneven adoption of the program by members of the participating trade associations, such as major ad networks.
The Direct Marketing Association, an ad industry trade group and the association charged with enforcing the AdChoices program, said today it is concerned that government legislation will undermine the efficacy of industry initiatives like AdChoices. “Self-regulatory programs such as this could be undermined by the bill since the FTC would have authority to approve and monitor them,” the DMA wrote in a statement. “This converts self-regulatory efforts to de facto government regulation and will discourage future self-regulatory efforts.”
Consumer advocacy groups were divided over the McCain-Kerry bill. The Consumer Federation of America and Consumers Union, the nonprofit arm of Consumer Reports, issued a letter supporting the bill. “For the first time, all businesses would have to operate under consistent, mandatory standards for online privacy,” says Ioana Rusu, regulatory counsel for Consumers Union. “To us, that’s progress.”
Meanwhile, a letter sent to the senators today and signed by the leaders of several other privacy groups, including Consumer Watchdog and the Center for Digital Democracy, says the bill does not go far enough. The letter cites the lack of a do-not-track mechanism and says the bill relies too heavily on what it calls the “notice and choice” model, which it says could result in complicated privacy policies that consumers may find confusing.