National Online Privacy Law a ‘When,’ Not an ‘If’

Between high-noon debt-ceiling standoffs and government shutdown threats, Congress has continued to seek consensus around a national online privacy law, sparked by the Federal Trade Commission’s (FTC) 2010 preliminary report calling, among other things, for a “Do Not Track” (“DNT”) option for consumers. Passage now is hardly assured as the 2012 election campaign gets underway, but given current bipartisan sponsorship and industry support of leading bills, eventual enactment seems to be a matter of when, not if.

Meanwhile, privacy protection remains a top FTC priority. Earlier this year, the agency reached a landmark settlement with Google requiring, among other things, opt-in to third-party data sharing. On the policy front, the FTC is developing a final set of online privacy recommendations, has just proposed changes to the Children’s Online Privacy Protection Rule to address new technologies, and will be hosting a workshop on privacy implications of facial technology in social networking and mobile apps.

While a flurry of bills has been introduced, “The Commercial Privacy Bill of Rights Act of 2011,” co-sponsored by Senators John Kerry (D-Mass.) and John McCain (R-Az.), seems poised to be the prime legislative vehicle. It could be blended with a House bill, the “Consumer Privacy Protection Act of 2011,” introduced by Reps. Cliff Stearns (R-Fla.) and Jim Matheson (D-Utah). Neither includes DNT, but should Congress decide to give consumers that option, there is no shortage of DNT measures, including ones introduced by Sen. Jay Rockefeller (D-W.Va.), Rep. Jackie Speier (D-Calif.), and jointly by Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas).

Both Kerry-McCain and Stearns-Matheson adopt the FTC’s “Fair Information Practice Principles” (notice, choice, consent, data access/security), create “safe harbors” for FTC-blessed privacy programs, would largely preempt state privacy laws, and would not allow a private right of action. Their chief differences are that Kerry-McCain is more prescriptive and would delegate substantial rulemaking powers to the FTC, while Stearns-Matheson relies more on disclosure and self-regulation.

Kerry-McCain would not only require privacy policy disclosure but also set baseline legal standards. These would include clear notice of privacy practices, including usage of personally identifiable information (PII), as well as the right of individuals to opt out of unauthorized uses of PII, including third-party data sharing for behavioral advertising, and to opt in to use of sensitive PII (such as financial, health, etc.) and to any transfers or uses that were materially different from those specified in the privacy policy and that created a risk of harm. Consumers also would be entitled to access and correct their PII. The FTC would be given broad rulemaking authority to implement the law, and both the FTC and state attorneys general would have the power to enforce it.

Stearns-Matheson, by contrast, would require companies to publish privacy policies describing their collection, use and transfer of PII (which many, of course, already do), but stops short of mandating standards or empowering the FTC to establish standards.

Thus far, Kerry-McCain has garnered the most support, including backing from the White House and major technology companies, though consumer group sentiment is mixed. However, a national online privacy law seems assured. The stakes are high for marketers, consumers, and the future of behavioral advertising.
