It is important to keep the draft bill in perspective. Numerous privacy and security bills have been proposed over the years and Congress has, to date, been unable to pass anything coming close to comprehensive national legislation. For example, repeated attempts to pass federal security breach legislation have failed, resulting in a plethora of state laws which are both confusing and inconsistent. If Congress can't bring itself to pass uniform rules dealing with the very real issue of security breaches involving the theft or loss of sensitive personal information, the likelihood of it passing a comprehensive law governing the collection and use of personal information -- a far less serious matter -- seems limited, at best.
Nevertheless, it remains useful to examine the bill and how it addresses key issues that affect eCommerce companies. Even if the bill fails to gather support in Congress, individual states may feel inspired to adopt some of its provisions.
Background. To date, the laws governing online information collection and usage have been a patchwork. While some states, like California, have enacted more general Internet-related privacy laws, the federal government has never seen fit to act globally in this arena, leaving businesses generally to self-regulate through the voluntary adoption of privacy policies. Although it may come as a surprise to some, there is no federal law mandating privacy policies as a general matter. Instead, Congress has limited such requirements to discrete categories of businesses (such as online businesses catering to children, banks and financial institutions, and health care providers, among others).
Key protections for business. Most notably—and importantly—for direct marketers, the draft bill has a clear preemption provision. In other words, it supersedes “any provision of a statute, regulation, or rule of a State that includes requirements for the collection, use, or disclosure of covered information.” This would dramatically simplify the initial task of understanding the scope of a company's legal obligations in this arena, and would prohibit overlapping regulation by the states. Just as importantly, the bill provides no private right of action in federal or state court, not even the much abused class action lawsuit. Enforcement would rest in the hands of regulators rather than plaintiffs’ lawyers—removing a profit motive for enforcement which often prevents reasonable settlements. Unlike plaintiffs' attorneys, regulators will take into account the unique facts and circumstances of each case and exercise something akin to "prosecutorial discretion" in determining which cases to bring and the appropriateness of any resulting penalty.
Who is subject to the requirements of the bill? The only companies that escape its reach are those that (1) collect “covered information” from fewer than 5,000 individuals in any 12-month period and (2) do not collect “sensitive information.” Unless you meet both of these criteria, you are subject to all of the bill's requirements.
What information does the bill cover? In terms of what is deemed to be private information, the bill's reach is unprecedented and ought to be very worrisome to the industry. A person's name, alone, is suddenly protected, as is any individual's postal address, telephone number, or email address. To date, no state or federal law reaches this far, and, as drafted, it leads to absurd results. For example, it could mean that telephone companies have broken the law by publishing their local "white pages," since names and/or telephone numbers are deemed private. Private information also includes fax numbers, unique biometric data, any government-issued identification number, financial account numbers (including credit and debit card numbers) along with any password necessary to permit access, any “unique persistent identifier,” including an IP address, and even preference profiles. (Under the bill, a "preference profile" means “a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.”) “Sensitive information” is defined to include all medical information; race or ethnicity; religious beliefs; sexual orientation; financial information associated with a financial account; and “precise geolocation information.”
The following is a sampling of some of the substantive provisions of the bill:
- The bill requires a “privacy notice” to be made available to every individual from whom “covered information” is obtained. Where information is collected via the Internet, the notice must be clearly and conspicuously posted and accessible from the home page. Given FTC guidance in this area, the clear and conspicuous requirement would mean the link should be visible without scrolling down. Where information is collected by means other than the Internet, the notice must be provided in writing before the information is collected. It appears that this requirement could be met with a counter display or printed handout. However, such a sign or handout would have to contain far more than a simple "heads up" notice.
- There are fifteen separate content requirements for a “privacy notice." It would need to include the nature of the “covered information” collected; how such information is collected; the specific purposes to which such information is put; how (and how long) such information is stored; how such information may be combined with other information obtained about the individual from other sources; how the information is disposed of; the purposes for which such information is disclosed to third parties and the “categories” of such third parties; the choices available to the consumer to limit or prohibit collection or disclosure; the means by and extent to which the individual may obtain access to such information; the process by which notice is given of changes to the policy; and the effective date of the policy. While some of these disclosures are familiar to online sellers, they—in whole—exceed customary industry practices.
- Businesses must obtain the prior consent of the individual to collect and use “covered information.” Such consent must be either an “affirmative grant” or a failure “to decline consent,” either of which must follow the provision of the privacy statement to the individual. Strikingly, however, the bill allows the consumer to withdraw consent to the use of information at any time, even where the information was previously collected after consent was obtained.
- With some exceptions, express affirmative consent must be obtained in the event of any material change to the privacy notice or any new use of information which an individual would reasonably “not expect based on the covered entity’s prior privacy notice.”