Observations on the first Congressional attempt at an Internet privacy bill

In a widely anticipated step, a discussion draft of an Internet privacy bill in the House of Representatives was released today, giving observers the chance to see where Congress might be headed with such legislation. The bill, sponsored by Reps. Rick Boucher (Democrat of Virginia) and Cliff Stearns (Republican from Florida), has yet to be formally or informally named, but the relatively brief (27 pages including over 6 pages of definitions) draft looks to be very narrowly focused on constraining data collection and use practices by commercial organizations outside of sales transactions or other routine operations. While most of the media attention on the pending legislation has been focused on Internet privacy practices, the scope of the discussion draft includes offline data collection (the bill uses the term “manual”) as well. The following provides some of the highlights and initial observations from reading the discussion draft.

The coverage of the draft bill focuses on two aspects: the nature of the information, and the entity collecting or using it. It defines covered information to include standard contact information such as name, address, telephone number, and email address, as well as biometric data, social security number, credit card or other account number, consumer preferences used by the entity, and any unique persistent identifier such as a customer number or IP address if the identifier is used to “collect, store, or identify information about a specific individual” or a computer or other device owned, used, or associated with a particular user. The inclusion of IP address among the covered information should not be construed as designating it personally identifiable information, especially because IP addresses would presumably only be included if they were static or permanently assigned to individual users, but the tacit implication is interesting, inasmuch as it runs counter to current judicial precedent in the U.S. The breadth of this list seems fairly exhaustive, aside from the fact that there are a lot of exceptions to the rules about collecting and using this data.

There is also a separate list of personal information types categorized as “sensitive information” that demand stronger levels of consent. Sensitive information would include data in medical records, financial account records, precise geographic location, and personal characteristics such as race, religious preference, or sexual orientation. Basically, where sensitive information is involved, the bill would require explicit affirmative consent before disclosure.

The provisions of the bill would apply to what it calls “covered entities” — anyone engaged in interstate commerce collecting any covered information, except for those collecting covered information from fewer than 5,000 individuals annually. The bill would also not apply to government agencies; at first glance it might seem obvious that such agencies are already constrained in their data collection practices by the Privacy Act, but that law only applies to federal agencies (specifically to executive branch agencies, the military, and independent regulatory agencies), not to state or local government authorities. In an acknowledgment of the overlap between this bill as drafted and many federal laws and regulations that include privacy protections or limitations on use and disclosure of data without consent, the discussion draft makes clear the bill will have no impact on Gramm-Leach-Bliley, the Fair Credit Reporting Act, HIPAA, the Social Security Act, the Communications Act, the Children’s Online Privacy Protection Act, or CAN-SPAM. It does not mention (but perhaps should) some other laws with similar provisions, presumably because they apply primarily to organizations or entities that are not conventional commercial entities. For instance, FERPA was presumably left out because schools and educational institutions don’t typically fall under the covered entity definition in the bill, but many colleges and universities certainly do engage in interstate commerce.

Proposed requirements
The basic stipulation in the bill says that before a covered entity can collect information from someone, it has to provide notice (with detailed contents and methods for providing notice specified in the bill) and get consent from the individual whose data will be collected. In online settings, the idea is that the entity would post such a notice conspicuously on its website, in much the same way privacy notices are typically posted today. For manual data collection, advance notice must be provided in writing. In addition, advance notice and affirmative consent must be obtained by an entity before it can effect a change in its privacy policy or data use practices that would affect data it has already collected. This seems a direct response to the by-now familiar behavior of Facebook and other social networking sites, which make changes that apply retroactively and in some cases override privacy preferences users have already configured. There is also a requirement for “express affirmative consent” (in our interpretation, another way of saying “opt-in”) before an entity can disclose personal data to unaffiliated parties, disclose sensitive information (particularly including a user’s geographic location), or collect or disclose a complete record of an individual’s online activity. This last item seems intended to address concerns about behavioral targeting and monitoring activities.

As well-intentioned as these rules may be, particularly in online interactions, it’s hard to see how the provisions in this bill would improve much on the publication of privacy policies and terms of use that many Internet sites already do. Even if these proposed regulations made posting of such notices universal, the bill stipulates that the consent model is opt-out, meaning individuals are considered to have consented as long as they do not explicitly deny consent, whether or not they have seen the notice posted or are even aware it exists. This puts the onus squarely on the user, rather than the entity, and would seem to offer entities a clear path to compliance with the terms in the bill regardless of any actual strengthening of privacy protections for consumers. There is a limited set of cases where affirmative consent is required, and in some industries that alone is a significant step forward, but much of the sensitive information enumerated in the bill is already subject to disclosure limitations and consent requirements under laws like HIPAA and GLBA.

Covered entities are also obligated under the bill to provide appropriate security safeguards, although the draft language is entirely subjective on just what those might be, other than saying they are whatever the Federal Trade Commission determines to be necessary.

The intent of this bill seems to be to balance personal privacy and consumer preferences about the use of their personal information with business needs to, well, do business. To avoid unreasonably constraining businesses from gathering the information they need to conduct transactions with or otherwise serve their customers, the bill would exempt covered entities from the notice and consent requirements if the information to be collected is for a transactional or operational purpose. Both of these terms are defined in the text of the bill, but generally speaking, if the data is collected in order to provide a product or service to a customer, such as completing an online order, the rules don’t apply. The operational purposes exception also allows an entity to share data it collects with a parent company, subsidiary, or affiliate (affiliated means under common ownership or corporate control). There are, however, some business activities that are explicitly called out as not being considered part of “operational purposes,” such as marketing, advertising, or disclosure to an unaffiliated party. Also explicitly excluded from coverage is any information that has been “rendered anonymous” by removing or obscuring sufficient personal information that there “is no reasonable basis to believe” it could be used to identify the individual it relates to. The word reasonable is of course subjective, but given recent research showing the ease with which “de-identified” data can in fact be positively associated with an individual, it would be nice to see some more explicit language on what is required for anonymity.

The primary enforcement mechanism for the provisions in this bill is through the Federal Trade Commission under the unfair and deceptive trade practice doctrine of the FTC Act. The bill allows for enforcement by civil action at the state attorney general level, but explicitly does not provide a private right of action. The bill is also intended to preempt any existing state or local regulation covering the collection, use, and disclosure of the personal information described in the bill.