Privacy & Information Security Law Blog

On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period.  Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.

The defined terms included in the bill are key to understanding its implications.

A “covered entity” is any person who collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period, and is either (1) subject to the FTC’s authority under Section 5 of the FTC Act, (2) a common carrier subject to the Communications Act of 1934 or (3) a nonprofit organization.

“Covered information” means only:

• Personally identifiable information
• Unique identifier information
• Any information that is collected, used or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual

The term “covered information” does not include:

• Personally identifiable information obtained from public records that is not merged with covered information gathered elsewhere
• Personally identifiable information that is obtained from a forum
  • where the individual voluntarily shared the information or authorized the information to be shared; and
  • that is widely and publicly available and contains no restrictions on who can access and view such information.
• Personally identifiable information reported in public media
• Personally identifiable information dedicated to contacting an individual at the individual’s place of work

“Personally identifiable information” means any of the following information about an individual:

• The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name
• The postal address of a physical place of residence of such individual
• An email address
• A telephone number or mobile device number
• A Social Security number or other government issued identification number issued to such individual
• The account number of a credit card issued to such individual
• Unique identifier information that alone can be used to identify a specific individual
• Biometric data about such individual, including fingerprints and retina scans

The term “personally identifiable information” also includes any of the following information if it is used, transferred or stored in connection with one or more of the items of information described above:

• A date of birth
• The number of a certificate of birth or adoption
• A place of birth
• Unique identifier information that alone cannot be used to identify a specific individual.
• Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address
• Information about an individual’s quantity, technical configuration, type, destination, location and amount of uses of voice services, regardless of technology used
• Any other information concerning an individual that may reasonably be used by the party using, collecting or storing that information to identify that individual

“Sensitive personally identifiable information” means:

• Personally identifiable information which, if lost, compromised or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or
• Information related to a particular medical condition or a health record; or the religious affiliation of an individual.

“Unauthorized use” means the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates.  The term “unauthorized use” does not include the following uses of covered information relating to an individual by a covered entity or its service provider (if the use is reasonable and consistent with the practices and purposes described in the covered entity’s privacy notice given the individual):

• To process and enforce a transaction or deliver a service requested by that individual
• To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning and product or service improvement or forecasting
• To prevent or detect fraud or to provide for a physically or virtually secure environment
• To investigate a possible crime
• Use that is required by a provision of law or legal process
• To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services or products if the covered information used for such marketing or advertising was
  • collected directly by the covered entity; or
  • shared with the covered entity at the affirmative request of the individual; or by an entity with which the individual has an established business relationship.
• Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis and development
• Use that is necessary for internal operations, including the following:
  • Collecting customer satisfaction surveys and conducting customer research to improve customer service information.
  • Information collected by an Internet website about the visits to such website and the click-through rates at such website to improve website navigation and performance; or to understand and improve a the interaction of an individual with the advertising of a covered entity.
• Use by a covered entity with which an individual has an established business relationship which the individual could have reasonably expected, at the time such relationship was established, was related to a service provided pursuant to such relationship; and which does not constitute a material change in use or practice from what could have reasonably been expected.

In brief, the bill incorporates the following key elements:

Right to Security and Accountability.  The bill instructs the FTC to initiate a rulemaking proceeding that would require each covered entity to implement security measures to protect the covered information the entity collects and maintains.  The bill also requires each covered entity to have “managerial accountability” (proportional to the entity’s size and structure) and to implement processes for responding to non-frivolous consumer inquiries.  In addition, the bill includes a “privacy by design” provision which requires each covered entity to implement a comprehensive information privacy program by incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard PII that is covered information.

Right to Notice and Individual Participation.  The bill instructs the FTC to initiate a rulemaking proceeding to require each covered entity to provide clear, concise and timely notice regarding the entity’s information practices, and the purposes of, and any material changes to, such practices.  The bill also instructs the FTC to initiate a rulemaking proceeding that requires each covered entity to offer a clear and conspicuous mechanism for individuals to opt-out of the (1) “unauthorized use” of their covered information (unless such use requires an opt-in), or (2) use by third parties of their covered information for behavioral advertising or marketing purposes.

In short, opt-in consent is required for (1) the collection, use or transfer of sensitive PII (other than for processing a transaction or delivering a service, fraud prevention and detection or physical or virtual security purposes), and (2) the use of previously collected covered information or transfer to a third party for an unauthorized use of such information if there is a material change to the entity’s stated practices or if such use or transfer creates a risk of economic or physical harm to an individual.  In addition to consent mechanisms, the bill directs the FTC to initiate a rulemaking proceeding to require each covered entity to provide individuals with (1) appropriate and reasonable access to, and the ability to correct, their information, and (2) the option to request that the individual’s PII that is covered information be rendered not personally identifiable, if possible, when the entity enters bankruptcy or the individual terminates its relationship with the entity, except where the individual has shared the information with the covered entity in a “widely and publicly available forum.”

Rights Relating to Data Minimization; Constraints on Distribution; Data Integrity.  Covered entities shall collect only as much covered information as is reasonably necessary for the purposes that are not considered “unauthorized uses” (as outlined above), and retain covered information for such duration as is reasonably necessary (1) to provide the transaction or service, (2) to conduct research and development, or (3) as required by law.  Covered entities also must attempt to establish and maintain reasonable procedures to ensure that certain PII that is covered information is accurate in instances where the information could be used to deny benefits to consumers or cause significant harm.

Safe Harbor.  The bill calls for the FTC to approve non-governmental organizations to run voluntary safe harbor programs that would exempt participating entities from certain requirements of the Act.

Enforcement.  “Knowing or repetitive” violations shall be enforceable by the FTC as unfair or deceptive acts or practices, and state attorneys general also may bring civil actions.  Violators may subject to civil penalties, but the bill explicitly does not provide any private right of action.

As we reported in July 2010, Senator Kerry announced his intention to introduce an online privacy bill as Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet and indicated that the bill would go beyond the regulation of targeted advertising.  In December, we reported that the Senior Advisor to Senator Kerry briefed the members of the Centre for Information Policy Leadership at Hunton & Williams on this privacy legislation.