The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Reps. Boucher and Stearns Release Long-Awaited Advertising Privacy Bill

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies’ online collection and use of personal information and online activity, including use for the purpose of targeted online advertising.  Here are some observations about the draft bill, in its current form:

  • The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented.”  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.

  • In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”

  • Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.

  • The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:

    "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."

    Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU, and FTC Chairman Jon Leibowitz commented just a couple of weeks ago that he believes IP addresses should be considered personal information).  Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management, which was most recently revised by CMS in March 2007.

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at

Mark Paulding of the Privacy and Information Management practice in Hogan Lovells’ Washington, D.C. office prepared this entry.