On April 12, Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (S. 799). The bill would require "covered entities" to (1) provide notice of their data collection practices and disclose the purposes for the data collection; (2) provide an opt-out mechanism for "covered information" and an opt-in mechanism for sensitive information; (3) establish procedures for safeguarding data; and (4) implement privacy protections throughout the life cycle of a product ("privacy by design"). Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities. The bill does not contain a "do not track" provision. (We summarized Rep. Speier's Do Not Track bill in our February 2011 Alert.)
The bill mandates that covered entities collect only as much information as is reasonably necessary and maintain the information only as long as necessary. The bill would authorize the FTC to develop a safe harbor program, and would provide individuals with the right to access and change certain information that covered entities maintain - something the Direct Marketing Association has repeatedly said would be an expensive requirement for its members.
The bill would apply to an entity (1) that collects, uses, transfers or stores "covered information" concerning more than 5,000 individuals during any consecutive 12-month period, and (2) that is within the FTC's jurisdiction, is a common carrier under the Communications Act of 1934, or is a non-profit organization. The bill does not provide a private right of action and it preempts some, but not all, state privacy laws.
On April 13, Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced the Consumer Privacy Protection Act of 2011 (H.R. 1528). This bill would require covered entities to disclose that the personally identifiable information collected by the covered entity may be used or disclosed for purposes or transactions unrelated to that for which it was collected.
The bill would require covered entities to provide an opt-out from the sale or disclosure for consideration of an individual's personally identifiable information. A covered entity is "an entity (or an agent or affiliate of the entity) that collects (by any means, through any medium) sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period."
The bill provides a safe harbor for entities that participate in an approved self-regulatory program. The bill preempts all state laws relating to the collection and use of personal information "in commerce," does not allow a private right of action, and does not allow enforcement by state Attorneys General.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney-client relationship nor should it be construed as legal advice or an opinion on specific situations. For more information, please contact a member of Loeb & Loeb's Advanced Media and Technology Group.