The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Senators Kerry and McCain Introduce the Privacy Bill of Rights Act of 2011

Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced today a bipartisan privacy bill, the Privacy Bill of Rights Act of 2011, a bill “[t]o establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.”

The Act would apply to covered entities, that is, “any person who collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period,” and who is a person over which the FTC has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act, a common carrier, or a non-profit organization (p. 29-30).

The Act would be enforced by the FTC and by State Attorneys General (p. 30-31). However, no simultaneous enforcement by a State Attorney General and the FTC would be allowed. The Act would also prevent private rights of action (p. 37).

The FTC would establish rules to be followed by nongovernmental organizations administering safe harbor programs. Participation in these programs would be voluntary, not mandatory (p. 37-41).

The right of security and accountability

Not later than 180 days after the enactment of the Act, the FTC would initiate a rulemaking proceeding requiring covered entities to implement security measures protecting the covered information they collect and maintain. These security measures would be proportional to the size, type, and nature of the collected information (p. 15). Covered entities would also have a duty “to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of [their] covered information.”

Covered entities would, “in a manner proportional to the size, type, and nature of the covered information that it collects, implement a comprehensive information privacy program.” Such a program would be a “privacy by design program,” which would “incorporate necessary development processes and practices throughout the product life cycle that are designed to safeguard (…) [individuals’] personally identifiable information based on both individuals’ reasonable privacy expectations in their data and relevant threats against data privacy” (p. 17).

The right to notice, consent, access, and correct information

Not later than 60 days after the enactment of the Act, the FTC would initiate a rulemaking proceeding requiring covered entities “to provide clear, concise, and timely notice to individuals” regarding the collection, use, transfer, and storage of covered information, and also regarding the specific purposes of those practices. Covered entities would also have “to provide clear, concise, and timely notice to individuals before implementing a material change in such practice” (p. 18).

The FTC rulemaking proceeding would also require covered entities:

“to offer individuals a clear and conspicuous mechanism for opt-out consent for any use of their covered information (…); to offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals’ covered information for behavioral advertising or marketing; to offer individuals a clear and conspicuous mechanism for opt-in consent for (…) the collection, use, or transfer of sensitive personally identifiable information other than (i) to process or enforce a transaction or deliver a service requested by that individual; (ii) for fraud prevention and detection; or (iii) to provide for a secure physical or virtual environment (…)”

In case of bankruptcy, or if an individual requests termination of a service, an individual would have the right to request that all of his personally identifiable information maintained by a covered entity, except for some publicly shared information or information that the individual authorized the sharing of, “be rendered not personally identifiable,” or, if this is not possible, the covered entity would have to stop using or transferring such information to a third party (p. 18-20).

The right to data minimization, constraints on distribution, and data integrity

Covered entities would be authorized to collect “only as much covered information relating to an individual as is reasonably necessary” during a transaction or when delivering a service requested by the individual. However, covered entities could keep such data “for research and development conducted for the improvement of carrying out a transaction or delivering a service” and for “internal operations” such as customer satisfaction surveys (p. 24-25).

Covered entities would have to require by contract that any third party to which they transfer covered information use the information only for purposes consistent with the provisions of the Act, and as specified in the contract (p. 25), unless the covered entity obtains individuals’ consent to such transfers. Data transfers to unreliable third parties would be prohibited (p. 27).

Data integrity would be achieved by covered entities establishing and maintaining “reasonable procedures to ensure that (…) covered information (…) is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm” (p. 28).

More information here.


FTC’s Data Privacy Staff Report – Comments Due Jan. 31

Last week, the Federal Trade Commission released its long-awaited privacy report. Called “Protecting Consumer Privacy in an Era of Rapid Change”, the 79-page preliminary staff report outlines a framework for consumer privacy based on three principles: (1) Privacy By Design; (2) Simplified Choice; and (3) Transparency.

Some of its key proposals include: a “Do Not Track” browser add-on and other changes to consumer privacy choices; broadening the scope “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers;” and looking at whether COPPA-style consent requirements should apply to teenagers. The FTC is requesting comments on the report by January 31, 2011, and plans to issue a final report later in 2011. Annexed to the report are six pages of questions on which the FTC seeks comments.
The first half of the report discusses the principles of “notice and choice” and “harm” that have formed the basis for the FTC’s privacy-related policy work, educational efforts, and enforcement actions. It also summarizes the FTC’s activities and provides an overview of key issues raised during several years of roundtable discussions involving consumer advocacy groups, businesses, academicians and others. The second half of the report expands on the new principles, which appear to simply consolidate and expand upon the earlier principles – “notice” becomes “transparency”, “choice” becomes “simplified choice”, and “harm” becomes “privacy by design”:
  • Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.
  • Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . . at a time and in a context in which the consumer is making a decision about his or her data.” The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) an enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task. A chart below outlines the basics of simplified choice.
    • Do-Not-Track: The day after the report issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss “achieving voluntary agreements” on Do-Not-Track. The FTC would then “ensure compliance with these voluntary agreements, as appropriate.”
    • ABA Antitrust Section Members note: Companies in markets with limited competition may be subject to “Enhanced Privacy protections” and/or “Additional Enhanced Privacy Protections.”
  • Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether to increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.
Two Commissioners issued concurring statements on the proposed framework. Commissioner Kovacic called some of the recommendations “premature” – including the Do-Not-Track proposal. He also pointed out that the report lacked consideration of the existing federal and state oversight of privacy concerns. Commissioner Rosch issued a concurring statement that applauds the report as a useful “hortatory exercise”, but criticizes the new approach. He states that it could be overstepping the FTC’s bounds to consider “reputational harm” and “other intangible privacy interests” if no deception is involved.

Stay tuned – there are many privacy developments on the horizon. In remarks delivered with the report, Chairman Leibowitz declared that “despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers.” He signaled that the FTC will be bringing more cases in the coming months – and that cases involving children are of particular interest. In addition, the Commerce Department’s “green paper” on Commercial Data Privacy is expected soon.
Table – Simplified Choice

The report’s chart has two groups of columns: practices for which no choice is required, and practices for which a choice mechanism is required. Each column heading is listed below with the practices the staff report places under it.

Choice Not Required
  • Choice Not Required
    1. “Commonly Accepted Practices” – laundry list of practices the report suggests: first party marketing (FTC seeks comment on scope); internal operations, legal compliance, fraud prevention.
  • No choice, but Additional Transparency (Notice)
    1. Technically difficult / not feasible to provide choice mechanism: e.g. Data Brokers? (comment sought)
    2. “Enhancement?” – compiling data from several sources to profile consumers (comment sought re: whether choice should be provided about these practices)

Choice Mechanism REQUIRED
  • (Unspecified – presumably Company Discretion; also Do Not Track)
    1. Not “Commonly Accepted Practices” and not “Technically Difficult”, e.g. Data Brokers (comment sought).
  • Enhanced Consent (Affirmative Express Consent)
    1. Sensitive Information for online behavioral advertising; information about children, financial & medical information, precise geolocation data.
    2. Sensitive Users: Children; Teenagers (staff seeks comment); Users who lack meaningful choice (lack of competition in market) (staff seeks comment).
    3. Changing specific purpose: Use of data in a materially different manner than claimed when data was posted, collected, or otherwise obtained.
  • “Even more heightened restrictions” than Enhanced Consent
    1. Lack of alternative consumer choices through industry factors (competition): Broadband ISP deep packet inspection.
    2. Others?
  • Do Not Track
    1. Online Behavioral Advertisers.
    2. Others?