Privacy & Information Security Law Blog

On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation.  The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.

Sepulveda highlighted the following key concepts of Kerry’s privacy legislation:

• The bill requires that covered entities be accountable for their information collection practices and respect the covenants they make with individuals regarding these practices. The accountability provision echoes Kerry’s December 1 statement that “proper stewardship of information is as important as how it is collected.”
• The bill grants the FTC rulemaking authority with respect to notice requirements and individual participation mechanisms (i.e., opt-in and opt-out consents).
• The legislation seeks to make Fair Information Practice Principles (“FIPPs”) “universally applicable” to organizations that collect significant amounts of personally identifiable information and to effectuate them through a “hybrid mechanism” that ensures non-negotiable FIPPs are protected and enforced strictly through the FTC’s rulemaking.  In a press statement on December 1 following the release of the FTC’s privacy report, Kerry identified three rights as non-negotiable: (1) all firms must put procedures in place to secure personally identifiable information; (2) consumers have a right to know in clear and concise terms what firms intend to collect, why and how it will be used; and (3) consumers should be given a simple mechanism for opting out of the process.  Under the bill, the more vague FIPPs (like data minimization and data quality) would be adjudicated through a complaint process.
• The bill authorizes the FTC to establish a co-regulatory safe harbor program that incentivizes organizations to meet high standards of data protection by shielding safe harbor participants from the private right of action, and exempting them from the opt-in requirement for the transfer of non-sensitive personally identifiable information to third parties, and the complaint and adjudication process provided in the bill.
• The legislation sets forth sufficiently broad definitions for “personally identifiable information” and “sensitive personally identifiable” that grant the FTC the discretion and flexibility to construct a list of more specific data categories.

Sepulveda noted that the legislation exempts certain data, including financial data covered under the Gramm-Leach-Bliley Act, which imposes comparatively less stringent requirements on its covered entities.  He indicated that the intent is for this bill to establish a high standard for privacy legislation and for other committees to follow suit.

As we reported in July, Kerry announced his intention to introduce an online privacy bill as Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet, indicating that the bill would go beyond the regulation of targeted advertising.

We will post a draft of the legislation as soon as the bill is introduced.