Now that we have looked at the entire FTC proposal, what’s next? To make the FTC’s “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers” law, Congress would have to act. Today, as our final installment in preparation for my presentation tomorrow at the SMX West Conference on the FTC’s Do Not Track proposal, we look at the legislative proposals that have come after the FTC’s proposal.
The first legislative proposal comes from California Democratic Congresswoman Jackie Speier entitled the “Do Not Tack Me Online Bill” (H.R. 654). In a sentence, it requires the FTC do promulgate rules that would require the implementation of an opt-out Do Not Track.
The bill would give the FTC the authority to require certain notice provisions allowing the FTC to except certain generally accepted practices. It “may” require covered entities to provide consumers with access to their data profiles. It would require companies to provide the FTC yearly reports and allow the FTC to randomly audit. Violating the proposed law or the subsequent regulations would constitute an unfair and deceptive act allowing the FTC to take action. State attorneys general would be able to enforce the law and companies could be fined up to $11,000 per day per violation with the maximum fine not to exceed $5,000,000.
Speier previously spearheaded the California Financial Privacy Act and has a separate Financial Privacy Act also pending. Speier’s bill essentially punts to the FTC giving them the authority they have asked for in their December 2010 report. Speier’s bill does not have a Republican co-Sponsor and unlike the author of the next bill we look at, Speier is not a member of the House Energy and Commerce Committee.
Speier’s proposal is a mere 14 pages. Illinois Democratic Congressman Bobby Rush’s is over 50 pages and is much more comprehensive. His bill, which mirrors his bill from last year, is dubbed the Building Effective Strategies To Promote Responsibility Accountability Transparency Innovation Consumer Expectations and Safeguard Act, or you guessed it, the Best Practices Act.
Under Congressman Rush’s proposal, companies can collect and use consumer information, but must obtain consent before it is shared with third parties. Some of the “best practices” would include notice regarding:- the type of information collected- the purpose of its collection- the length of time it is stored- when it may be disclosed- how consumers can access the information- how to exercise choices about the use of the data- how to challenge the accuracy of the data- how the data could be linked with other data-
It would allow the FTC to come up with a standard notice form. If the proper notice is not provided, it would be illegal to collect and use the data. Notice, there was no consent requirement for the collection of the data. The law would only require consent if the data is disclosed to third parties, web usage is tracked, or “sensitive” data such as health or net worth is collected. The bill expressly allows companies to make consent a condition to providing the service or for an upgraded service. Congressmen Rush’s bill also has a Fair Credit Reporting Act type disclosure and dispute process. The bill would also require companies to implement reasonable safeguards to protect the data. One of the more interesting aspects is what the bill calls Self Regulatory Choice as a Safe Harbor. Industry groups can submit for FTC approval a voluntary program that would comply with the law.
It would have to:- provide clear and conspicuous opt-out procedures before information is shared with third-parties- allow consumers to easily set preferences for communications and behavioral tracking.- Include an application and verification process before companies would qualify- Include random reviews- Include penalties for non-complianceThe other interesting aspect is the private enforcement provision. In addition to the similar FTC and state attorneys general actions, private citizens would be able to bring complaints receiving damages, punitive damages and attorneys’ fees for “willful violations.” If a company is part of a Choice Program it would not be liable to consumers and a judge is required to take it into consideration if it is a government action. The proposal would expressly preempt state law. These bills were filed within days of each other and certainly won’t be the only options. The Senate is putting together a sub-committee to study the issue as well, To the extent the FTC wanted to spur Congressional action, it has succeeded. Without significant self-regulation, you can expect there to be some type of action out of Washington D.C.