As previously reported here, in early May Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a discussion draft of proposed federal privacy and data security legislation. Reps. Boucher and Stearns sought comments on the discussion draft, setting a deadline of last Friday, June 4, 2010. Numerous organizations have submitted comments. This multi-part post will describe and summarize, at a high level, some (but not all) of the issues identified by the commenters. Part One, set forth below, will address comments submitted by the following organizations (the comments themselves are linked below):
- The Center for Democracy & Technology (CDT);
- Consumers Union, as reported by the National Journal Tech Daily Dose;
- The Direct Marketing Association (DMA);
- Information Technology & Innovative Foundation (ITIF);
- The Interactive Advertising Bureau (IAB), as reported by MediaPost News;
- Professor Ira Rubenstein (to the extent cited in the CDT comments); and
- a group of 10 organizations, including the Center for Digital Democracy (CDD), the Consumer Federation of America, the Electronic Frontier Foundation (EFF), Consumer Action, Privacy Rights Clearinghouse, Consumer Watchdog, World Privacy Forum, USPIRG, Privacy Lives, and Privacy Times (referred to herein as the "Privacy Groups").
(Part Two, next week, will address comments by the Association of National Advertisers, the National Retail Federation and Shop.org, and the American Business Media, and others).
Advertisers and privacy advocates alike think the legislation is lacking, for different reasons.
The IAB writes that the proposed legislation "would fundamentally change online information and online advertising practices to the detriment of consumers." ITIF argues that "much of the concern over data privacy is speculative . . . consumers have experienced few, if any, harms because of the current privacy laws [and, therefore,] . . . [b]efore Congress enacts new laws, it should first demonstrate that better enforcement of existing privacy regulations are insufficient to protect consumers."
On the flip side, the Privacy Groups argue that the draft in its current form is not strong enough and "must be considerably revised to provide the protection that consumers truly need and garner the support of consumer and privacy groups."
The IAB argues that self-regulation "is inherently more flexible and better suited to govern a dynamic environment than legislation" and therefore "is the best approach to help ensure that consumers receive transparency and choice online." Last year, in July 2009, the IAB, along with the American Association of Advertising Agencies, the Association of National Advertisers, the Council of Better Business Bureaus, and the DMA, issued cross-industry Self-Regulatory Principles for Online Behavioral Advertising, that corresponded with the “Self-Regulatory Principles for Online Behavioral Advertising” proposed by the Federal Trade Commission in February 2009, described here.
DMA agrees that self-regulation is preferable because it "is better suited for governing a rapidly changing environment and responding to evolving consumer expectations," pointing to its Commitment to Consumer Choice Guidelines for members using mail in the offline world, and the Self-Regulatory Principles for Online Behavioral Advertising, mentioned in the paragraph above, in the online world. DMA emphasizes that the FTC has encouraged the development of self-regulatory programs and argues that, if there is legislation, it should "preserve and
allow incentives to continue to exist for this essential role for industry self-regulation."
Notice and Choice/Fair Information Practices (FIPS) Model
The Consumers Union criticizes the discussion draft as "exclusively rely[ing] on the notice and choice model, which has been shown to be particularly ineffective in protecting consumer privacy online." The Privacy Groups also criticize the notice and choice model, stating that it "promotes bureaucracy but does not promote privacy," and argues in favor of a model based on FIPS, as a minimum.
By contrast, CDT agrees with the notice and choice framework, including the opt-in/opt-out structure. Nonetheless, CDT takes issue with reliance on consent as a model for consumer protection and encourages adoption of all FIPS: transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, accountability and auditing.
Coverage of Offline Information
CDT praises the legislation for encompassing both online and offline information: "There is no longer a bright line between the online and offline world. Modern data flows often involve collection and use of data derived and combined from both, and the rights of consumers and obligations of companies with respect to consumer data should apply to both as well."
ITIF argues that the offline privacy notice requirement is both costly and wasteful.
DMA argues that the exceptions to the opt-in requirement for transfers to third party advertising networks in the online world should be applicable in the offline world as well: "By omitting offline data transfers, the exception creates a discriminatory regime in which offline data transfers are subject to a stricter consent requirement than online data transfers." DMA points to "DMAchoice, a consumer mail preference tool created by the DMA, [a]s an example of the type of consumer preference tool that may obviate any opt-in consent requirement for offline data transfers."
"Covered Information": Treatment of non-PII
IAB takes issue with the treatment of non personally identifiable information (such as IP addresses) as personally identifiable information (PII), stating that "[t]he mere fact that information could identify a computer or device does not necessarily raise privacy issues." Similarly, NetChoice argues that regulation should not use the same approach for PII and what they refer to as "non-identifying information." By contrast, Consumers Union reportedly praised the inclusion of IP addresses in the definition.
DMA argues that "covered information" is defined far too broadly and should be narrowed to include only information that is linked back to an individual, not information that can be linked back to an individual, or information that may link to a computer. DMA has the same objections to the definition of "render anonymous."
CDT promotes a more nuanced approach, noting that, as technologies change, some types of information may become more sensitive, while others may become less so. Thus, CDT advocates "empowering the FTC to clarify and update the definition of covered information to take account of new developments."
Definition and Treatment of "Sensitive Information"
This topic received comments from nearly every group.
CDT applauds the inclusion of precise geolocational information in the definition of sensitive information, but argues that "medical information" should be changed to "health information" and broadened to reach health data generated by users online. CDT suggest that part two of the definition of “health information” in HIPAA, 45 CFR 160.103, may be a useful model. That provision of the HIPAA rules defines health information as relating "to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
The Privacy Groups contend that sensitive information is too narrowly defined, and suggest a more broad definition of medical information similar to that suggested by CDT, as well as the inclusion of income and credit score, and Social Security number, in the definition of sensitive information.
The Privacy Groups are in favor of a blanket prohibition on the collection or use of sensitive data "for any purposes other than for the transactions for which they have provided it."
On the other side of the spectrum, ITIF opposes any definition of sensitive information, arguing that "[l]egislation should not codify existing social norms at the expense of future innovation."
DMA recommends further studies before imposing new requirements with respect to sensitive information. It also finds the definition to be vague and suggests limiting the definition "to data gathered directly from the individual rather than any information that ‘relates to’ the enumerated items." DMA opposes the inclusion of precise geolocational information, arguing for self-regulation: "[l]ocational technology is currently an area of rapid innovation and advancements, which are likely to have beneficial applications, and we caution against the creation of new restrictions that are likely to stifle this vibrant technological growth and evolution."
DMA argues that covered entities should include only the entities that originally collect information and not the "downstream" entities that receive covered information: "For example, many companies obtain data from third party aggregators in order to combine it with information collected from customers. We believe that when obtaining such data, businesses should be able to rely on the practices of the company that originally collected the information, because it would be impracticable for the receiving company to reach out again to consumers to provide any notice or choice required."
Not surprisingly, this is another controversial topic with the commenters.
CDT recognizes the difficulties of balancing transparency and comprehensiveness in detailed, long privacy policies that few consumers bother to read or can understand. CDT therefore recommends that "the bill refrain from mandating the specific elements of notice and instead
provide the FTC with the authority to institute a proceeding on the issue" and that "the FTC be empowered to develop a model short form notice that companies can adapt to make notice and consent more meaningful to consumers." CDT’s recommendation would bring online privacy notices closer to the model of regulation currently in place for financial institution annual privacy notices under the Gramm-Leach-Bliley Act.
DMA points out the inconsistency between recent FTC pronouncements regarding the ineffectiveness of detailed privacy policies and the proposed draft legislation, which would require inclusion of numerous details: "Requiring such privacy notices to include fifteen prescribed disclosures, as this bill contemplates, is therefore at odds with the current debate on how best to provide consumers with transparency." DMA recommends an approach that allows entities flexibility with respect to description of their data collection and use practices.
DMA also objects to the timing requirement that privacy notices be provided prior to collection of information, noting that this may be impossible. "In the online context, data collection begins from the moment a person types in a URL address. Covered information such as an Internet Protocol address must be collected from the device to know where to deliver the requested content. Even if a privacy notice could be delivered before a person is transferred to the requested site, an entity would need some information to know where to deliver the notice. Requiring a privacy notice to be provided before any online collection of information would thus be impossible." DMA also argues that this requirement would severely interfere with commerce in the offline world: "the draft bill would effectively eliminate the ability of companies to gather marketing information through call centers that consumers reach to order products seen in a catalog or on television, because it would be impracticable for operators to provide a written privacy notice. In offline environments that involve a personal interaction, such as a shopping or hotel transaction, companies would face a need to make vast investments in new materials and infrastructure in order to comply with the requirements in the draft bill."
Opt-Out for Certain First Party Practices
DMA objects to the proposed opt-out requirements for certain first party website collection and information use for marketing, advertising and sales, and seeks clarification as to what would fall within these categories: "It is important to recognize that businesses often undertake data-related activities for multiple purposes including marketing. For example, data analysis in order to optimize or improve products and services is defined in the legislation as an ‘operational purpose’ but also serves the goal of increasing eventual sales. Moreover, applying an expansive definition of marketing, advertising, and sales purposes is likely to result in excessive consent requests that are likely to confuse or frustrate consumers." DMA also seeks an exemption for marketing, "the most benign reason to collect and use consumer information, and a principal economic driver."
Commenters are sharply divided on opt-in.
The IAB rejects the opt-in approach, writing that "[r]equiring consumers to opt-in to transfers to third parties would drastically reduce the free flow of information that is the heart and soul of today’s Internet offerings." ITIF maintains that opt-in is costly and administratively burdensome for organizations and should not be required for sharing with third parties (or even for material changes to privacy policies). DMA agrees that an opt-in requirements for transfers to third parties would "disrupt widespread and legitimate business practices, particularly in the offline arena." DMA argues that this will defeat the "societal benefits" of direct marketing, that "the cost of products will go up for consumers, and that they will have less access to relevant information at a time when they need it." DMA also opposes opt-in for material changes to privacy policies governing prospective collection of information.
Not surprisingly, the Privacy Groups argue that resistance to opt-in is misplaced, maintaining that "[b]usinesses will become more innovative and responsive to consumers’ desires concerning the collection and use if their data if they must first ask for their express affirmative consent" and recommending that "non-sensitive information should only be allowed to be collected and used for advertising purposes for 24 hours, after which opt-in consent would be required to continue to store and use it," with exceptions for collection and use of public record data and of data for operational and transactional purposes (but more narrowly defined than in the current draft).
Indeed, the Privacy Groups argue that opt-in is not enough where consumers’ "sensitive data could be used for purposes other than for transactions they decide to make."
Operational Purpose Exception/Definition of "Affiliates"
NetChoice argues that the operational purpose exception is too narrow in that it does not permit use of covered information for marketing or advertising to existing customers.
By contrast, CDT expresses concern that the exception may be too broad depending on the definition of affiliates and recommends that "’affiliate of the covered entity’ be limited in scope to entities under common branding with the covered entity, entities that a reasonable consumer would understand is under common control."
The Privacy Groups argue that affiliates should be treated the same as third parties "and that affiliate sharing should only be allowed on an opt-in basis except for transactional and operational purposes."
Restrictions on Targeted Advertising
ITIF objects to many of the restrictions on online behavioral advertising on the grounds that these restrictions will hinder innovation and economic growth and exacerbate the problems raised by the demise of print media: "[r]equiring targeted ads to have a special mark identifying them . . . would unfairly disadvantage targeted ads against non-targeted ads. Given that targeted ads generate more than two times the revenue of non-targeted ads, this would have a negative impact on revenues for online publishers and service providers and would harm the Internet ecosystem, particularly the so-called ‘long tail’ of small websites supported by ad revenues. In addition, policymakers concerned with the decline of print media should note that greater revenue from targeted online advertising will likely be necessary for journalism to survive in the Internet age."
Data Retention Limits
The Privacy Groups are in favor of data retention limits for information in addition to the proposed limits for managed profiles, and argue for retention periods of less than 18 months for managed profiles.
DMA, by contrast, argues that the month period is not long enough in many circumstances because, for example, a "company that has an ongoing relationship with a consumer would need to retain information about that consumer in order to conduct billing, service, and transactional operations."
Exception for "Individual Managed Preference Profiles"
IAB opposes mandated preference profiles, nothing that "it is too soon in the experimentation of these practices to codify managed preference profiles into federal legislation."
NetChoice expresses concerns that ad networks may not be able to take advantage of this exception because they "will have to obtain affirmative consent to share covered information among unaffiliated advertisers, even if this covered information is not personally-identifying."
ITIF argues that consumers should not have the right to review and modify their profiles because this would be costly and allow for free riders.
On the other side of the debate, the Privacy Groups oppose the exception, arguing that "[c]onsumers should be asked to opt-in for such profiles, or there must be some way to ensure that consumers have an easy way to opt-out of all such profiling through a federal Do Not Track registry."
Small Business Exception
NetChoice argues that the small business exception is problematic in that it would not cover small businesses that collect certain kinds of financial information (which are included within the definition of sensitive information).
Addition of Safe Harbor
CDT recommends the creation of a safe harbor framework "giving industries or industry segments flexibility to develop tailored privacy solutions with FTC oversight," arguing that this "is the best way to accommodate differences between industries, create certainty for companies (because following approved practices would be deemed compliance with the statute), encourage privacy innovation over time, and reward adoption of accountable practices." CDT’s cites to a similar recommendation by Professor Rubenstein.
Addition of Accountability Measures
CDT recommends the addition of accountability measures such as mandated Privacy Impact Assessments (PIAs) "prior to the implementation of new products, services or marketing initiatives, which involve the collection, use, and disclosure of, covered data," and citing scholarship on the concept of Privacy by Design.
Addition of More Access, Correction, and Deletion Rights
The Privacy Groups favor the addition of more access, correction and deletion rights for consumers (similar to those set forth in EU member country privacy legislation).
Neutrality as to Technology
CDT cautions that changes in technology recommend that legislation include only general requirements. CDT suggests that the specifics be left to FTC rulemaking.
Consumers Union and the Privacy Groups object to the broad preemption of stronger state laws set forth in the discussion draft. CDT argues that the scope of state law preemption is overbroad, recommending looking to H.R. 2221 (Rep. Rush’s proposed Data Accountability and Trust Act, passed by the House on December 8, 2009) "for a model of a narrowly tailored preemption provision." The Privacy Groups recommend that the legislation allow states to enact stronger laws.
CDT also expresses concern that the existing draft would preempt certain sectoral federal privacy laws, such as the Video Privacy Protection Act (VPPA), the Genetic Information Nondiscrimination Act (GINA), and the health privacy provisions in the American Recovery and Reinvestment Act of 2009 (ARRA), and suggests that those sectoral privacy laws be left in place or that the drafters make explicit the preemption of any federal privacy law.
By contrast, ITIF applauds the broad scope of preemption: "[t]o be effective, a federal framework for consumer data privacy should establish a single, nationwide standard for consumer privacy thereby reducing regulatory complexity for the private sector. If Congress does move forward with privacy legislation, it should ensure that any new regulations preempt state laws, otherwise online service providers will find themselves facing competing, and possibly contradictory, data use and handling requirements for consumers."
Lack of Private Right of Action
Consumers Union and the Privacy Groups criticize the absence of any private right of action in the legislation. CDT also objects to the lack of a private right of action and recommends the addition of such a right with liquidated damages, such as that provided under the Telephone Consumer Protection Act (TCPA), 47 U.S.C. sec. 227(b)(5).
CDT expresses concern that the discussion draft purports to preclude actions brought under state laws and common law and recommends a more narrow approach, like that in Section 6(b) of H.R. 2221, precluding a state law action “if such action is premised in whole or in part upon the defendant violating any provision of this Act.”
Conflict with First Amendment Rights
NetChoice argues that the bill "includes unintended consequences that extend beyond the online world and into traditionally protected speech" in that it "would even require express affirmative consent for collecting information about otherwise public events."