Observations on the first Congressional attempt at an Internet privacy bill
In a widely anticipated step, a discussion draft of an Internet privacy bill in the House of Representatives was released today, giving observers the chance to see where Congress might be headed with such legislation. The bill, sponsored by Reps. Rick Boucher (Democrat of Virginia) and Cliff Stearns (Republican from Florida), has yet to be formally or informally named, but the relatively brief (27 pages including over 6 pages of definitions) draft looks to be very narrowly focused on constraining data collection and use practices by commercial organizations outside of sales transactions or other routine operations. While most of the media attention on the pending legislation has been focused on Internet privacy practices, the scope of the discussion draft includes offline data collection (the bill uses the term “manual”) as well. The following provides some of the highlights and initial observations from reading the discussion draft.
The coverage of the draft bill focuses on two aspects: the nature of the information, and the entity collecting or using it. It defines covered information to include standard contact information such as name, address, telephone number, and email address, as well as biometric data, social security number, credit card or other account number, consumer preferences used by the entity, any unique persistent identifier such as a customer number or IP address if the identifier is used to “collect, store, or identify information about a specific individual” or a computer or other device owned, used, or associated with a particular user. The inclusion of IP address among the covered information should not be construed as designating it personally identifiable information, especially because IP addresses would presumably only be included if they were static or permanently assigned to individual users, but the tacit implication is interesting, inasmuch as it runs counter to current judicial precedent in the U.S. The breadth of this list seems fairly exhaustive, aside from the fact that there are a lot of exceptions to the rules about collecting and using this data.
There is also a separate list of personal information types categorized as “sensitive information” that demand stronger levels of consent. Sensitive information would include data in medical records, financial account records, precise geographic location, and personal characteristics such as race, religious preference, or sexual orientation. Basically, where sensitive information is involved, the bill would require explicit affirmative consent before disclosure.
The provisions of the bill would apply to what it calls “covered entities” — anyone engaged in interstate commerce collecting any covered information, except for those collecting covered information from fewer than 5,000 individuals annually. The bill would also not apply to government agencies; at first glance it might seem obvious that such agencies are already constrained in their data collection practices by the Privacy Act, but that law only applies to federal agencies (specifically to executive branch agencies, the military, and independent regulatory agencies), not to state or local government authorities. In an acknowledgment of the overlap between this bill as drafted and many federal laws and regulations that include privacy protections or limitations on use and disclosure of data without consent, the discussion draft makes clear the bill will have no impact on Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, the Social Security Act, the Communications Act, the Children’s Online Privacy Protection Act, or CAN-SPAM. It does not mention (but perhaps should) some other laws with similar provisions, presumably because they apply primarily to organizations or entities that are not conventional commercial entities. For instance, FERPA was presumably left out because schools and educational institutions don’t typically fall under the covered entity definition in the bill, but many colleges and universities certainly do engage in interstate commerce.
Covered entities are also obligated under the bill to provide appropriate security safeguards, although the draft language is entirely subjective on just what those might be, other than saying they are whatever the Federal Trade Commission determines to be necessary.
The intent of this bill seems to be to balance personal privacy and consumer preferences about the use of their personal information with business needs to, well, do business. With the need to avoid unreasonably constraining businesses from gathering the information they need to conduct transactions with or otherwise serve their customers, the bill would exempt covered entities from the notice and consent requirements if the information to be collected is for a transactional or operational purpose. Both of these terms are defined in the text of the bill, but generally speaking, if the data is collected in order to provide a product or service to a customer, such as completing an online order, the rules don’t apply. The operational purposes exception also allows an entity to share data it collects with a parent company, subsidiary, or affiliate (affiliated means under common ownership or corporate control). There are, however, some business activities that are explicitly called out as not being considered part of “operational purposes,” such as marketing, advertising, or disclosure to an unaffiliated party. Also explicitly excluded from coverage is any information that has been “rendered anonymous” by removing or obscuring sufficient personal information that there “is no reasonable basis to believe” it could be used to identify the individual it relates to. The word reasonable is of course subjective, but given recent research showing the ease with which “de-identified” data can in fact be positively associated with an individual, it would be nice to see some more explicit language on what is required for anonymity.
The primary enforcement mechanism for the provisions in this bill is through the Federal Trade Commission under the unfair and deceptive trade practice doctrine of the FTC Act. The bill allows for enforcement by civil action at the state attorney general level, but explicitly does not provide a private right of action. The bill is also intended to preempt any existing state or local regulation covering the collection, use, and disclosure of the personal information described in the bill.