Among other things, the bill contains the following requirements:
- Collectors of information must implement security measures to protect the information they collect and maintain.
- Collectors of information must provide clear notice to individuals of the collection practices and the purposes of such collection. Additionally, collectors must provide the ability for an individual to opt out of any information collection that is unauthorized by the Act and to provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies' existing relationships with customers and the ability to develop a relationship with a potential customer, the bill would require "robust and clear" notice to an individual of his or her ability to opt out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.
- Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill’s requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.
Further, the bill stretches the definition of personal information beyond any commonly understood meaning of that term. It includes email addresses and postal addresses, and if "used, transferred or stored" in connection with any of the foregoing, birth date, and most significantly, "unique identifier information." Unique identifier information is defined as "a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number." This definition essentially means that virtually any data collected about a browsing session will be protected by this statute, with strict limits on the ability to use or transfer that data without approval.
The existence of an "established business relationship" exception to some of the requirements of the bill provides cold comfort. It applies not to the commonly understood relationship of customer and merchant, but only to the "establishment of an account." While this may be typical of some merchants' relationships with their customers, many retailers do not require the establishment of an account in order to make a purchase. It is interesting to note, however, that the 800-pound gorillas in the online space, notably Google and Facebook, would be the most likely to benefit from this exception.
The bill seeks to accomplish these objectives by requiring the FTC to promulgate regulations effectuating the statute's requirements for the most part within 60 to 180 days after enactment of the bill, depending upon the provision at issue. Accordingly, it will likely be a long time before these requirements take effect (if ever), given the Congressional legislative calendar, and the frequently protracted rule-making process that would attend any promulgation of regulations. During both the legislative process and the regulatory process, the direct marketing industry will have an opportunity to point out the technical challenges presented by this statute, as well as the potential unintended consequences, including damage to the economy, that the statute could create.