Another bipartisan privacy bill – this one introduced today in the U.S. House – appears to have been written six years ago. The “Consumer Privacy Protection Act of 2011,” sponsored by Florida Republican Cliff Stearns and Utah Democrat Jim Matheson, uses as a template a bill introduced by Stearns in March 2005, when conversations about privacy online focused on web seals and privacy policies.
The Stearns/Matheson bill is perhaps the most industry-friendly of the privacy bills introduced in the House and Senate thus far, in part because it relies on privacy policies to alert consumers to data collection and usage, rather than requiring a clear and conspicuous mechanism for opting out from such collection and usage. At this stage, most companies that collect data online have privacy policies and allow for some form of opt-out from sharing or other usage of that data.
Both Stearns and Matheson – who is part of the Democrats’ right-leaning Blue Dog coalition – are members of the House Energy and Commerce Committee, along with Illinois Democrat Bobby Rush, who himself re-introduced his privacy legislation in February.
The Stearns bill, which comes just a day after a bipartisan privacy bill was introduced by Senators John Kerry and John McCain, calls for “brief, concise, clear, and conspicuous” privacy policies. It would require companies to notify consumers via a privacy statement of future use of personally-identifiable data for purposes unrelated to a transaction between the company and the consumer. It also would require that they give consumers the opportunity to stop the sale or disclosure of PII.
All four privacy bills now introduced – three in the House and one in the Senate – give the Federal Trade Commission authority over new federal privacy requirements. The Stearns bill gives the agency the ability to approve a self-regulatory program, and assumes companies subject to such a program are compliant.
The other bills, devised after online data tracking and behavioral advertising have proliferated, require the FTC to guide establishment of an opt-out system giving consumers more control over who collects and stores their behavioral data and how it can be used. Unlike the Stearns bill, the others specifically mention online advertising and behavioral data collection and usage – issues that have attracted greater awareness and concern in the past few years.
In its December privacy report, the FTC indicated support for a browser-based do-not-track system that would ideally give consumers a universal, persistent means of opting out from online tracking and ad targeting. While browser firms have heeded the call and introduced opt-out tools, they have not been widely adopted by the media, advertising, and analytics firms tracking and collecting online data, thus limiting their efficacy.
Just how a digital do-not-track system would affect offline data collection and usage is unclear.
The Stearns, Rush, and Kerry bills all recognize industry self-regulatory programs, giving the FTC authority to monitor the programs for compliance with would-be privacy rules. The agency has already suggested that the online ad industry’s current self-regulatory program, led by the ad industry coalition group Digital Ad Alliance, may not satisfy its privacy guidelines since opt-outs through the system don’t always disable online tracking by participating companies. Instead, some opt-outs only disable some forms of online ad targeting – the actual delivery of ads – allowing data collection to continue.
The Direct Marketing Association, which leads compliance monitoring for the DAA self-regulatory program, expressed concern that the Stearns bill was over-reaching, despite the fact that the industry already does much of what the bill requires. “It is DMA’s view that the bill is overly prescriptive and delegates too much additional authority to the Federal Trade Commission…particularly in the area of self-regulation,” the organization said in a press release. “It is not necessary or appropriate to give the FTC authority to regulate self-regulatory programs or to review corporate privacy policies. This type of government oversight would reduce the effectiveness of existing self-regulatory efforts and discourage future efforts by industry.”
The original Stearns privacy bill never became law. It was co-sponsored by Rep. Rick Boucher, former chairman of the House Subcommittee on Communications, Technology and the Internet and a proponent of passing bipartisan privacy legislation until his failure to win reelection in 2010. That 2005 bill, H.R. 1263, is nearly identical to the one introduced today by Stearns and Matheson, except for the removal of the earlier version’s sections on identity theft and international provisions. Indeed, the current bill, introduced in the 112th Congress, maintains a “109H1263” header denoting its introduction into the 109th Congress.
“Using my privacy legislation from the 109th Congress as a base, I took the comments submitted to Chairman Boucher and worked with stakeholders on developing this bill,” said Stearns in a press release. “The introduction of this bill is not the end of the process. I will continue to work to improve the language to ensure that regulatory distinctions are not being made on like services and that privacy is administered by a single agency, across the entire Internet economy.”