Privacy Bill Aimed at Protecting Personally Identifiable Information?

Senators Kerry and McCain recently introduced a bill entitled “Commercial Privacy Bill of Rights Act of 2011.”  The purpose of the bill is

To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.

How comprehensive is the privacy protection for individuals when the bill only covers entities collecting, using, transferring or storing personally identifiable information on more than 5,000 individuals in a 12 month period?  What about the personally identifiable information collected by your independent insurance agent or the dealership you take your car to for servicing?  Those businesses probably don’t collect and use personally identifiable information on more than 5,000 individuals in a 12 month period, but they have your personally identifiable information.

The bill makes a number of findings, including

  • Personal privacy should be protected through appropriate legislation.
  • The success of businesses depends on trust in the treatment of personally identifiable information.
  • People have a significant interest in their personal information, especially when interacting with those engaged in interstate commerce, and have a right to control how the information is collected, used, stored or transferred.
  • People engaged in interstate commerce and who collect personally identifiable information are responsible for treating that information with respect and according to a common standard.
  • State regulation of personally identifiable information could lead to inconsistent standards and protections.
  • Federal, state and local governments fail to adequately protect the privacy of individuals interacting with persons engaged in interstate commerce.
  • Industry self-regulation leads to some self-policing schemes that do not adequately protect individuals’ privacy.
  • Many collectors of personally identifiable information do not provide baseline fair information practice protections.
  • Due to advances in technology, information gatherers can effortlessly compile highly detailed personal histories of individuals.
  • Personal information about individuals is collected, combined, sold or transferred to third parties for purposes unknown to the subject individual.
  • Congress has enacted statutes to protect privacy in specific areas, but the Federal Government has an interest in creating protection that covers all collectors of personally identifiable information.
  • The Federal Trade Commission considers current private self-regulation efforts inadequate.  The Commission also thinks first-party data collection practices are distinguishable from third party practices with respect to behavioral advertising.  Consumers may expect to receive recommendations from companies they deal directly with over the Internet.
  • Commerce will be stimulated by the greater consumer confidence created by clear and consistent rules enhancing privacy protection.

The bill defines personally identifiable information narrowly.  On its own, it consists of an individual’s first and last name, the address of her physical place of residence, her email address, her telephone number, her social security number, her credit card account number, unique identifier information that alone can be used to identify her specifically, and her biometric data.  A second set of items counts as personally identifiable information only when it is used, transferred or stored in connection with one or more of the items above:  date of birth, the number on a certificate of birth or adoption, place of birth, unique identifier information that cannot alone be used to identify a specific individual, precise geographical location equivalent to that of a global positioning system, detailed information about the uses of voice services, and any other information that may reasonably be used by a collecting, using or storing party to identify an individual.  The bill also distinguishes “covered information” from personally identifiable information.  In this summary I refer only to personally identifiable information to keep things from becoming overly complicated.

The bill is divided into 7 titles:

  • Right to Security and Accountability
  • Right to Notice and Individual Participation
  • Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity
  • Enforcement
  • Co-Regulatory Safe Harbor Programs
  • Application with Other Federal Laws
  • Development of Commercial Data Privacy Policy in the Department of Commerce

Right to Security and Accountability.  The Commission is charged with making rules for security measures applicable to covered entities (described under Enforcement) to protect the personally identifiable information they collect and maintain.  Every covered entity must have managerial accountability for implementing the Act and have a process for responding to non-frivolous inquiries from individuals regarding the collection, use, transfer or storage of their personally identifiable information.  Covered entities must design their products to protect personally identifiable information and implement managerial processes and practices designed to comply with the Act. 

Right to Notice and Individual Participation.  Each covered entity must provide clear, concise and timely notice to individuals of the entity’s practices regarding the collection, use, transfer, and storage of personally identifiable information and the specific purposes of those practices.  Covered entities must also provide notice of material changes and make notices easily accessible to individuals. 

Covered entities must offer a clear and conspicuous opt-out mechanism for any use of personally identifiable information that the Act does not otherwise specifically authorize, and for use of that information by third parties.  They must offer a clear and conspicuous opt-in mechanism for any collection, use or transfer of personally identifiable information beyond what is needed to process the transaction, enforce against fraud or provide a secure environment.  They must also offer an opt-in mechanism for previously collected data when a material change in the covered entity’s stated practices creates a risk of harm to an individual.

Covered entities must provide individuals with access to their information and a way to correct errors.  Covered entities must provide a mechanism for individuals to request that their information be rendered not personally identifiable in the event of the covered entity’s bankruptcy or the termination of the relationship.

Third parties can use personally identifiable information only to the extent of the opt-in consent.

Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity.  Covered entities may collect personally identifiable information only to the extent necessary to process the transaction, prevent fraud, investigate a possible crime or comply with the law; to market to an individual, provided the information used was directly collected by the covered entity; for research and development aimed at product improvement; or for internal operations such as customer satisfaction surveys and improving website navigation.

Covered entities can retain personally identifiable information only for the duration necessary to provide the service, necessary for research and development or required by law.

Covered entities must provide in contracts with third parties to whom the information is transferred that the third parties may use the information consistent with the Act, as specified by contract, and may not combine information that is not personally identifiable with other information to determine the identity of an individual unless opt-in consent is obtained.

Covered entities may not transfer information to unreliable third parties.

Third parties receiving information from covered entities are subject to the Act’s provisions to the same extent as covered entities.

Covered entities must attempt to establish and maintain reasonable procedures to ensure that personally identifiable information is accurate when the information could be used to deny consumers benefits and cause significant harm.

Enforcement.  A covered entity is any person who collects, uses, transfers or stores personally identifiable information on more than 5,000 individuals during a 12 month period and who is either a person over whom the FTC has authority under 15 USC 45(a)(2) (unfair methods of competition and unfair or deceptive acts or practices affecting commerce), a common carrier, or a non-profit organization.  Knowing or repetitive violations of the Act are treated as unfair or deceptive acts or practices in violation of the Federal Trade Commission Act, 15 USC 57a(a)(1)(B).

State Attorneys General may enforce the Act in U.S. District Court.

Civil penalties are $16,500 for each day of noncompliance or, for consent violations, $16,500 for each individual whose consent was not obtained.  The maximum total civil penalty is $3,000,000.

Co-Regulatory Safe Harbor Programs.  The Commission shall establish requirements for safe harbor programs.  A safe harbor program covers uses for which the covered entity offers consumers an opt-out: the transfer of information to a third party for behavioral advertising purposes, for location-based advertising purposes, or for uses not authorized by the individual.  A safe harbor program must protect the privacy of individuals at least to the same extent as the provision from which the covered entity seeks the safe harbor.

Application with Other Federal Laws.  Other federal privacy laws continue to apply and the Act does not modify, limit or supersede them.

Development of Commercial Data Privacy Policy in the Department of Commerce.  The Secretary of Commerce has the responsibility of developing commercial data privacy policy by convening forums of stakeholders to develop codes of conduct, expanding interoperability of the U.S. commercial data privacy framework with other national and regional privacy frameworks, conducting research to improve privacy protection under the Act and conducting research on improving data sharing practices.

The bill covers only entities collecting, using, transferring or storing personally identifiable information on more than 5,000 individuals in a 12 month period, so a great deal of personally identifiable information held by smaller businesses falls outside it.  Recognizing the problems articulated in the bill’s findings is a step in the right direction, but the bill falls short of its own stated goal of creating protection that covers all collectors of personally identifiable information.