Kerry and McCain Bill Signals Privacy Law Momentum

U.S. Senators John Kerry, a Democrat, and John McCain, a Republican, introduced their bipartisan privacy bill today. “The Commercial Privacy Bill of Rights Act of 2011” addresses both online and offline data privacy.

The bill calls for the Federal Trade Commission to establish rules requiring companies collecting personally identifiable data to provide “clear, concise, and timely notice” of data collection, use and transfer. Personally identifiable data includes information such as names and email addresses. If passed, the law would grant the FTC oversight of a requirement that companies offer “a clear and conspicuous mechanism for opt-out consent for any unauthorized use of their personally identifiable information.”

In particular, the legislation would have the FTC develop rules requiring that companies offer consumers “a robust, clear, and conspicuous” opt-out mechanism from use of their personally-identifiable data by third parties “for behavioral advertising or marketing.” An earlier draft of the bill did not make specific mention of data collection and use for online advertising.

The Kerry/McCain bill would be the first comprehensive data privacy protection bill introduced in the Senate recently. Coupled with related bills introduced in the U.S. House, the new bill signals increasing momentum behind privacy legislation affecting online advertisers.

Unlike another bill introduced in the House recently by Democrat Jackie Speier, the Kerry/McCain bill does not refer specifically to do-not-track, a concept popularized by the FTC. “The commercial privacy bill of rights will keep our private data safe by laying down fair information practices for anyone collecting it,” stated Kerry during a press conference announcing the bill.

A provision in the bill gives the FTC power to establish a safe harbor program and to approve of and monitor non-governmental initiatives – such as an industry self-regulatory program – for providing consumers a “clear, conspicuous, persistent, and effective” opt-out from data transfer for behavioral ads or “location-based advertising.” The bill also gives the FTC the ability to impose civil penalties on groups running such programs if they are found to be noncompliant.

Whether the online ad industry’s self-regulatory program, implemented under the Digital Advertising Alliance umbrella, would satisfy those FTC requirements is not clear.

The Direct Marketing Association is a key member of that alliance, and requires its members to abide by the alliance’s privacy guidelines. In a press release today, the DMA stated its “concern that legislation would impose untold regulatory compliance costs on businesses without a showing that there is a market failure or a need to regulate.” The group went on to say it “does not believe that the case has been made that consumers have been harmed.”

“Senator McCain and I have introduced this legislation with sensitivity to the economy,” stated Kerry.

The Kerry/McCain bill, like a related House bill sponsored by Democrat Bobby Rush, allows the FTC to slap penalties on violators. It also prohibits private right of action, and calls for the Department of Commerce to work with industry and other groups in developing codes of conduct for safe harbor application.

“I will do my part to foster further discussions and considerations of both bills among all interested parties and stakeholders,” stated Rep. Rush in a statement supporting the Kerry/McCain bill. “I’ll continue to work diligently to ensure the passage of legislation that is based on a sound understanding of the relevant offline and online ecosystems at work, today, but that can bend to evolutionary developments and still meet consumers’ needs without breaking.”
