Two new Internet privacy bills enter Congress: How they differ
Over the course of the last two days, two new privacy bills were introduced in Congress: one on Tuesday in the Senate, and one on Wednesday in the House. Though both seek to establish some standard of privacy for consumers, there are some chief differences between them.
Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced The Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 to the Senate on Tuesday of this week. This bill lists a number of "rights" that the private citizen has, splits responsibilities between the federal government and state authorities, and provides a "safe harbor" clause for companies participating in the collection of data.
Hallmarks of the Kerry-McCain Bill
Consumers have the right to security and accountability; security measures are mandatory for anyone who collects personally identifiable information.
Businesses must provide notice about, ask consent for, and allow access to any collected information. All collection must be opt-out/opt-in, and clear notice must be provided that info is being collected. Consumers must have better access to recorded information for cessation or correction.
Data required to process transactions and services must be kept to a minimum, and data retention limited.
Data collectors must "bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill's requirements."
The Federal Trade Commission and State Attorneys General would enforce the rules, and the Department of Commerce would be responsible for research and development for the safe harbor programs. These programs would give nongovernmental organizations the option to voluntarily participate, but they would have to achieve "protections as rigorous or more so as those enumerated in the bill."
Yesterday, Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced The Consumer Privacy Protection Act of 2011 (H.R. 1528), which Stearns built from the House Resolution proposed last year by Representative Rick Boucher, which also sought to give the FTC authority to enforce privacy rules. But unlike the Kerry-McCain Bill, this would be strictly a federal task.
Hallmarks of Stearns' H.R. 1528
Consumers must be notified that their personally identifiable information may be used for a purpose unrelated to the transaction.
Consumers must be alerted whenever companies change their privacy policies.
Businesses must establish easy-to-access privacy policies regarding the collection, sale, disclosure, or use of the consumer's information.
Entities must provide consumers the opportunity to preclude the sale or disclosure of their information to any organization that is not an information-sharing partner.
The Federal Trade Commission (FTC) must approve a five-year self-regulatory program and prescribe requirements for a self-regulatory consumer dispute resolution process.
The FTC must presume that an entity is in compliance with this Act if it participates in an approved self-regulatory program.
The bill grants no private right of action. This means a private party cannot bring a lawsuit against another private party over violations of this bill.
Finally, this is a federal action with full state preemption (i.e., no State Attorneys General).