The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Rep. Stearns Introduces New Privacy Bill

Leave a comment

Rep. Cliff Stearns, (R-FL), introduced yesterday a new privacy bill, H.R.1528, “To protect and enhance consumer privacy, and for other purposes.” Rep. Stearns had worked on a draft privacy bill with Rep. Rick Boucher (D-VA) during the last Congress. Rep. Boucher was defeated during the last election.

Rep. Stearns said: “Using my privacy legislation from the 109th Congress as a base, I took the comments submitted to Chairman Boucher and worked with stakeholders on developing this bill.  The introduction of this bill is not the end of the process.  I will continue to work to improve the language to ensure that regulatory distinctions are not being made on like services and that privacy is administered by a single agency, across the entire Internet economy.”

Violation of any provision of the Act would be an unfair or deceptive act or practice unlawful under 16 section 5(a)(1) of the Federal Trade Commission Act. The Act would not provide any private right of action, and would preempt state laws.

The bill would apply to an entity, its agents, or affiliates that “collects, sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period.” This definition includes non-profit organizations, but does not include governmental agencies, provider of professional services, and data processing outsourcing entities, Section 3(4).

Regulating the “cloud”

Data processing outsourcing entities would be have to be “contractually obligated to comply  with security controls specified by [covered entities] and [would have] no right to use the covered entity’s personally identifiable information other than for performing data processing outsourcing services for the covered entity or as required by contract or law,” Section 3(5).

Notice to consumers before using personally identifiable information for a purpose unrelated to the transaction

Covered entities would have to notify consumers before using any personally identifiable information they collected for a purpose unrelated to a transaction, Section 4(a)(1).

Notice to consumers of any material change in their privacy policy

Covered entities would have to provide notice to consumers after making a material change to their privacy policies, Section 4(a)(2).

Establishing a written and clear privacy policy, and a security policy

Covered entities would have to establish a privacy policy with respect to the collection, sale, disclosure, dissemination, use, and security of the personally identifiable information of consumers, Section 5(a), using written “brief, concise, clear, and conspicuous (… ) plain language,” Section 5(b)(1). The privacy policy would inform consumers about the “types of information that may be collected or used, how  the information may be used, and whether the consumer is required to provide the information in order to do business with the covered entity,” Section 5(b)(3). 

The policy would also inform consumers about the extent to which their information is “subject to sale or disclosure for consideration to a covered entity that is not an information sharing affiliate of the covered entity,” Section (b)(3)(E), and whether the information security practices of the covered entity meet “security requirements necessary to prevent unauthorized disclosure or release of personally identifiable information,” Section (b)(3)(F).

Indeed, covered entities would have to implement an “information security policy applicable to the information security practices and treatment of personally identifiable information maintained by the covered entity, that is designed to prevent the unauthorized disclosure or release of such information,” Section 8.

Providing consumers the opportunity to preclude the sale or disclosure of their information to any organization that is not an information-sharing partner

Covered entities would have to provide consumers, at no charge, the “opportunity to preclude any sale or disclosure for consideration of the consumer’s personally identifiable information, provided in a particular data collection, that may be used for a purpose other than a transaction with consumer, to any covered entity that is not an information-sharing affiliate of the covered entity providing such opportunity,” Section 6(a)(1). This preclusion would remain in effect during 5 years, or until the consumer indicates otherwise, whichever occurs sooner, Section 6(a)(2). Covered entities could provide the consumer an opportunity to allow the sale or disclosure “in exchange for a benefit to the consumer, “Section (6)(b).

Self-regulatory programs approved by the FTC

The Federal Trade Commission (“FTC”) would presume that a covered entity complies with the provisions of the Act if it participates in a self-regulatory program, Section 9(a), which would have to be approved by the FTC, Section 9(b). Denial of approval of a self-regulatory program would be subject to judicial review, Section 9(b)(5).

Self-Regulatory consumer dispute resolution process

If a consumer has a dispute with a participant in a self-regulatory program, and if this dispute pertains to the entity’s privacy policy or practices required for participation in the self-regulatory program, the consumer would have to initially seek resolution through a dispute resolution process, Section 9(d).

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s