Support for Privacy Legislation Survives Change of Power in Congress; Privacy Legislation May Advance

Last week, Politico ran an interesting piece suggesting that federal privacy legislation may see the light of day in 2011. Democratic supporters of the legislation show no signs of slowing down. In the Senate, John Kerry (D-Mass.) is working on privacy legislation based on a bill he proposed last year. Senator Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce Committee, is planning to hold public hearings on Internet privacy starting in February. Of course the key to the success of federal privacy legislation lies in the House, and there Republicans have voiced support for a privacy bill as well. Rep. Cliff Stearns (R-Fla.), Chairman of the Subcommittee on Oversight and Investigations at the House Energy and Commerce Committee, has said that the privacy bill introduced last year by former representative Rick Boucher (D-Va.) could be revised and reintroduced with Republican support (Rep. Stearns co-sponsored the Boucher bill). This sentiment was echoed by Rep. Mary Bono Mack (R-Calif.), Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade. According to Politico, Rep. Bono Mack informed her colleagues on the subcommittee that she remains committed to addressing privacy issues.

Inevitably, Republicans and Democrats are bound to disagree on many aspects of the legislation. For example, while Democrats have sought to expand the Federal Trade Commission’s privacy enforcement jurisdiction, Republicans are keen on keeping the regulators’ power in check. Both parties, however, will have to balance privacy protections against the ability of businesses that leverage personal information to grow and create jobs. Republican and Democratic legislators, as well as the administration, have made repeated pledges to their constituents that saving and creating jobs is their top priority.

Bipartisanship on privacy and information security issues is not unprecedented. Last year, for example, Republicans and Democrats joined in amending the Fair Credit Reporting Act to drastically limit the scope of the FTC’s Identity Theft Red Flags Rule. Whether the parties will in fact cooperate this year is an open question. Republican members of the House have made it clear that 2011 is likely to be a bruising legislative season.

Check back with us often as we track legal developments in the privacy and information security arena.

Reactions to the Boucher Bill, Part Two

This post is Part Two in my review and discussion of some of the comments submitted in response to the Boucher Bill privacy and data security legislation discussion draft. You can find Part One here. You can find a FAQ on the Boucher Bill itself here. As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters.

Part Two covers comments (linked here) submitted by:

Although the media reports that both Facebook and Google submitted comments, it appears that those comments have not been made public.

General Observations

Like the comments described in Part One, many of these commenters expressed concern that the draft goes too far, that consumers benefit from the free flow of information, and that the proposed draft would stifle innovation and the retail economy.

ABM "cautions against government regulations that go beyond the threshold of transparency, notice and choice for business users" and urges the drafters "to consider the possible, unintended consequences of establishing new requirements for content providers that may disadvantage the innumerable American businesses that rely on business information products and services to receive targeted and customized information solutions."

The ANA notes that, "[s]ince e-commerce is one of the most vibrant parts of our economy, particularly during this difficult period it is critical that Congress not do anything prematurely to restrict the growth of this marketplace." The ANA also suggests that Congress consider what harm such legislation is actually meant to address, in contrast to the specific harms anticipated by existing sectoral (health and financial) legislation: "What is the potential harm that can come to a consumer from the use or transfer of . . . [information such as how many shirts someone orders from a retailer and what color, size and price they were]? Does that potential harm justify a sweeping, virtually all-inclusive new privacy regime that imposes substantial costs and burdens on every business in America?"

The MRA identifies concerns for the research survey industry that include perhaps unintended consequences of the bill for the greater economy, noting that the discussion draft would make it even harder "to reach research participants, increase non-response bias and adversely impact the accuracy of research results." In addition, the MRA points out:

This wouldn’t just impede bona fide survey and opinion research. It would ultimately result in higher costs for research -- costs which would be passed on to the individuals you are trying to protect, in the form of:

  • higher prices for goods and services;

  • lengthier time before new or better goods and services are brought to the marketplace;

  • delayed introduction of new or better public policies; and

  • a decreased amount of research ordered by companies, who might then bring less well-tested and researched products and services to market, harming consumers in the end because the goods and services did not fulfill consumer expectations or needs.

NRF also cautions that the economy may suffer:  "The information collected ensures that stores are opened in locations where demand is the highest, the right merchandise is stocked on those shelves, and customers are offered the best sales and promotions to get them in the door."

The U.S. Chamber of Commerce also identifies potential consequences for the economy, including potential restrictions on content currently available for free on the Internet:

Advertising revenue frequently allows Web sites to offer consumers content for free. This ad-supported business model has been a key to the success of many Internet ventures and has helped to make the Internet an engine of growth in the U.S. economy. Unfortunately, the draft bill would disrupt this pro-consumer business.

Self-Regulation

ANA argues that legislation is not necessary at this time:  "We believe that consumers can be best protected through a combination of existing privacy laws and regulations, privacy enhancing technology, effective self-regulation and the backstop of the FTC’s current powers to stop false, deceptive or unfair acts or practices."  ANA highlights the existing industry Self-Regulatory Principles, discussed in Part One, and identifies several pending industry projects regarding online behavioral advertising (OBA):

  • Developing an industry icon that will appear on OBA-served web ads

  • An outreach program to educate consumers about the benefits of OBA

  • An industry webpage where consumers can go to opt-out of OBA

  • An accountability program to be operated by the CBBB (the DMA has a separate accountability program for DMA member companies)

The NRF echoes the comments of other industry and advertiser commenters in calling for self-regulation and industry oversight in lieu of government mandated restrictions: "We do believe that self-regulation and, in the case of retailing, industry leadership (or 'leading practices') are among the most effective ways to protect consumers while allowing businesses the flexibility to continue to innovate and adopt new technologies to better serve their customers."

The U.S. Chamber of Commerce also favors self-regulation, arguing that "[s]elf-regulatory practices promulgated by . . . industry groups or the FTC should be granted 'safe harbor' status along with the concepts outlined in the law specifically for 'network advertisers.'" The Chamber also maintains that the bill should take into consideration browser privacy controls: "[t]here is also a burgeoning privacy-by-design business model being developed using 'plug-ins' and other tools to give browsers more privacy features and user controls. Increasing emphasis should be given to this self-regulatory vehicle. However, this draft would curtail the incentive for innovation regarding these browser controls."

Coverage of Offline Information

ABM argues for an exemption of "offline collection of basic information from persons acting in clear business capacities" or, at a minimum, "a variation of a 'business card' exception – that is, the information normally found on a business card or related to professional services or other public occupational and industry information [including a home or office address used for business purposes] should not be subject to the opt-in rules or other requirements when collected offline."

ANA seeks an equal playing field that takes into account the different manner in which advertisers work in the online and offline worlds:

any new laws or regulations should provide sufficient flexibility to reflect different ways of communicating with consumers. If the Subcommittee pursues legislation in this area, we strongly urge you to avoid any policy choices that provide a competitive advantage (or disadvantage) to either the online or offline business community. The focus should be on maintaining and enhancing a fair regulatory playing field for online and offline businesses, rather than on a one-size fits all regulatory regime.

NRF argues that inclusion of offline information in the bill is "fundamentally unworkable."

The U.S. Chamber of Commerce echoes the sentiments of the ANA:  "in the offline arena, covered information may be collected in different formats and technologies, so more flexibility is needed for the timing and content of notice and how and where to offer choice."  

"Covered Information"

ABM expresses concern that "covered information" might include information regarding individuals within businesses or the businesses themselves, arguing that businesses do not enjoy rights to privacy in the same way that individuals do, and that individuals acting in a professional capacity have different expectations of privacy than individuals operating in a personal capacity.  Footnote One of the ABM comments includes the following citations in support of this argument: 

"[C]orporations can claim no equality with individuals in the enjoyment of a right to privacy." United States v. Morton Salt Co., 338 U.S. 632, 652 (1950); see also Restatement (Second) of Torts § 652I cmt. c ("A corporation, partnership or unincorporated association has no personal right of privacy."); Browning-Ferris Indus. v. Kelco Disposal, Inc., 492 U.S. 257, 284 (1989) (O'Connor, J., concurring in part, dissenting in part) ("[A] corporation has no ... right to privacy."). Indeed, the Supreme Court has recognized that "a business, by its special nature and voluntary existence, may open itself to intrusions that would not be permissible in a purely private context." G.M. Leasing Corp. v. United States, 429 U.S. 338, 353 (1977). Moreover, many courts have found that business employees, acting as such, often have lower privacy interests in their business conduct than they would have in their private capacities. E.g., Curto v. Medical World Communications, Inc., 2006 WL 1318387 (E.D.N.Y. 2006) ("Employees expressly waive any right of privacy in anything they create, store, send, or receive on the computer or through the Internet or any other computer network.").

ABM also opposes the inclusion of IP addresses within the definition of "covered information": 

Expanding the definition of covered information to include defining an IP address would make it extremely difficult to continue, as B-to-B content providers, to serve relevant content or even contextual first-party advertising. Allowing a consumer to an ABM publication to opt-out of all usages of covered information, including IP addresses, would pose a great danger to the ad-based models currently used by every major publisher.  . . .  One potentially damaging consequence would be the inability of ABM members and other content providers to enforce their intellectual property rights by determining where piracy of their materials has occurred because of customer activities. At the very least, the bill should acknowledge and allow for collection of IP addresses for use in connection with legal proceedings, investigations of crimes or other wrongdoing.

ABM also seeks limitation of the definition to exclude publicly available and public domain information about individuals:

the current draft covers as well all information collected about individuals, meaning that it covers information obtained from published and public domain sources. The "about" restriction therefore means that it would become unlawful merely to reprint, disseminate, or use certain information that has already been publicly distributed and widely used. Already published information is by nature not private and should not be treated as such. Moreover, serious First Amendment and state-federal preemption issues would be raised by classifying as “private,” or making it unlawful to use, information that is already in the public sphere. Cf. Cox Publishing Co. v. Cohn, 420 U.S. 469 (1975) (“…the First and Fourteenth Amendments command nothing less than that the States may not impose sanctions on the publication of truthful information contained in official court records open to public inspection”)."

ANA objects to the breadth of the draft overall and the definition of "covered information," maintaining that it would conflict with numerous existing federal laws, and that the catch-all provision would "swallow up and cover the entire information universe."

NRF, like other advertisers, objects to the broad definition of "covered information":  "SSN’s and financial account numbers are listed together with much less sensitive and widely available data such as name, address, and phone number. Additionally, non-personal identifiers such as Internet Protocol addresses, preference profiles, and cookies are, for the first time, also covered."  NRF worries that this broad definition puts the draft in conflict with legislation such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and state data breach notification laws.  (Note, however, that the discussion draft would preempt conflicting state laws.) 

The U.S. Chamber of Commerce also objects to the broad definition, arguing that it should encompass "only data elements that could be used to commit identity theft or other direct consumer harm," and that "data elements such as 'unique identifier,' 'persistent identifier,' 'Internet Protocol address,' 'telephone number,' and 'fax number' should be removed from the definition" except "where such data has already been merged with other personal information elements." The Chamber also maintains that "the definition of 'personally identifiable information' should specifically exclude any personal information that has been rendered anonymous or 'de-identified' prior to its use." Like the DMA (described in Part One), the Chamber also objects to the term "render anonymous" and recommends harmonizing the definition "with HIPAA’s existing de-identification standard such that compliance with a similar de-identification process would provide a similar exclusion from this legislation." Like ABM, the Chamber objects to the inclusion of publicly available information in the definition of "covered information."

Highlighting a concern not identified by most commenters, the Chamber also seeks an exclusion from the coverage of the legislation for information collected from or about a former, existing or prospective employee by an employer:

Not only are employers required under federal tax and other laws to collect much of the data that would meet the definition of "covered information" in this draft bill, there are numerous existing federal and state laws that already protect the privacy and security of such employee information, not to mention court decisions that have sought to strike the proper balance between employer and employee rights to the information. It would be well beyond the stated purpose of this bill to re-write the laws on employer/employee data collection and use. Moreover, if employee information were to be covered, the proposed legislation would arguably affect nearly every employer in the nation, including the smallest of commercial entities, forcing them to modify employee data management practices.

Definition and Treatment of "Sensitive Information"

The MRA expresses concern regarding the inclusion in the definition of "sensitive information" of numerous categories of information often used in survey research:

the definition of sensitive information in the draft bill is so broad that it includes “. . . race or ethnicity”, one of the most commonly used categories of demographic data in all research. While “. . . religious beliefs” and “. . . sexual orientation” are not as standard, they are still relatively common demographic questions in survey and opinion research.

. . . While MRA understands the concern for privacy of medical records, the definition of “. . . medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional” could be construed to mean far more than actual records of a doctor or hospital. If a telephone survey were to ask a research participant, “Have you ever suffered from one of the following illnesses”, would the resulting data constitute a medical record according to your draft bill? How about responses to a question such as, “How are you feeling today? Are you feeling better or worse than yesterday?” Such questions are quite common in research studies and would seem to run afoul of the draft bill’s restrictions on sensitive information.

MRA also would like clarification on “. . . financial records” to ensure that it does not include data on a research participant’s individual or household income – again, one of the most common categories of demographic data in any research study.

NRF objects to the inclusion within the definition of "sensitive information" of " race or ethnicity, religious beliefs, account information, and geolocation information." 

The U.S. Chamber of Commerce also finds the definition of "sensitive information" to be overbroad, noting, like the MRA, that it might "include self-reported financial and health information in survey data," and arguing that it would result in conflicting requirements for organizations under different federal laws. The Chamber expresses concern that "'[r]ace or ethnicity' could cover ads delivered in different languages" and argues that the definition of "[m]ental or physical condition" should "relate a [sic] specific diagnosis." The Chamber also argues that precise geographical information should not be covered by the law and should be left to self-regulation at this time.

Covered Entities

The U.S. Chamber of Commerce argues that the bill should exempt from the definition of "covered entities" organizations already regulated by federal privacy legislation such as GLBA, FCRA and HIPAA.

Detailed Notice/Privacy Policy Requirements

ABM points out that its members already provide privacy notices offline with opt-out rights. ABM also seeks a "blanket exemption of any collection of [individual’s name, address, phone number and email address] from the notice provisions of the bill, without the limitation . . . to collection as 'part of a first party transaction'" and objects to any requirement that an organization include retention periods in privacy notices since those time periods will vary significantly depending on the circumstances.

Like other advertisers, ANA notes criticism by regulators of long and dense privacy notices that consumers are unlikely to read or understand, and objects to requirements in the discussion draft that would require even more detail:  "Many policymakers and critics argue that the privacy policies that are now on most commercial websites are too long, complex and legalistic. The notice requirements of the Discussion Draft would provide little assistance in this regard to consumers and are likely to exacerbate this problem."

The MRA expresses a concern related to the anticipated difficulty of distributing written privacy notices prior to collection of certain information by telephone for research purposes:

Making a copy of the privacy notice “available to an individual in writing before the covered entity collects any covered information from that individual” would mean mailing potential research participants a copy of the privacy notice in advance of contact. Even that action would require some data collection, because the researcher would need to know the individual’s name and mailing address in order to send the notice. This would dramatically increase the cost of a research study and the time required to complete it. Time-sensitive studies, like most political and public opinion polling, would be imperiled. In situations where timely data is as critical as accurate data, information will not be readily deliverable to companies, government agencies, and other entities that need to make swift decisions.

As such, the MRA recommends a revision "to help clarify how a privacy notice could be made 'available' in the context of data collection for research purposes over the telephone."  That revision would require that, where "the covered entity collects covered information by phone for bona fide survey and opinion research purposes, the covered entity . . .  instruct an individual on where to find the privacy notice . . . on the Internet . . . or offer to send a copy of the privacy notice by mail to an individual, before the covered entity collects any covered information from that individual."  The MRA also suggests the addition of a new definition of "bona fide survey and opinion research" as follows:  "the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior."

The U.S. Chamber of Commerce includes comments reminiscent of those submitted by the DMA, described in Part One, regarding the practical difficulties resulting from a requirement that notice be provided prior to collection of information, in the online and offline worlds alike. The Chamber recommends elimination of this requirement:

Data collection begins immediately when a consumer enters a Web site address in a browser and clicks the go or return function, as an IP address must be collected before a Web site can be delivered to the browser for display. Also, each third party conducting business on the Web site, whether for marketing, fraud detection, or setting a time and date stamp, begins collecting information before the Web site actually loads. Therefore, significant amounts of covered information, as defined in the proposed bill, could be collected before a consumer would actually read a privacy policy and be able to make a choice. In many cases, consumers rarely if ever choose to read a privacy policy, so presumably all data collected to display the Web site would be in violation of the proposed law.

Opt-Out for Certain First Party Practices

ABM argues for an exemption for all "first-party online advertising, including specific contextual advertising."  ANA also objects to opt-out requirements for first party transactions, noting that this goes beyond current practices and FTC policies.

Like ABM, ANA and DMA, NRF objects to the opt-out requirements for first-party marketing: "retailers have engaged in extensive CRM (Customer Relationship Management) in both the catalog and brick and mortar world for years. As retailing moved online, CRM moved to the web as well, with first-party customer interaction being vitally important to both the retailer and to the consumer. It is our belief that the current draft creates the potential for a 'small-print web' where even common first-party processes would have to be disclaimed by site operators and customers would be constantly bombarded with marketing 'choices.'" NRF notes that it made the same comments on the original FTC Self-Regulatory Guidelines, and that the final version of those Guidelines contained a clear first-party exemption.

NRF also raises questions about the practicality of such a rule:

If consumers don’t even open their mail, it becomes hard to conceptualize a practical mechanism by which a consumer would have a privacy policy delivered and exercise a real-time opt-out without significantly disrupting their shopping session. Also, would the retailer have to provide an opt-out every time a customer placed something in their shopping cart and a cookie was simultaneously placed on their computer if that same cookie might be used to “save the cart” for 30 days or deliver promotional information the next time the customer visited the site? Would the same type of notice have to be provided before a consumer could knowingly and voluntarily provide personally identifying information such as e-mail, shipping and credit card information to complete a transaction?

NRF maintains that consumers do not take advantage of opt-outs, in any event:  "In fact, by our estimates, only 6 percent of retail customers exercised their right to opt-out of marketing e-mails in 2007."

The U.S. Chamber of Commerce also opposes any first party opt-out requirement, noting that, among other things, it would "hinder[] fraud prevention, disabl[e] basic Web site monitoring and advertising metrics, and hamper[] content customization and retail product recommendations online."

Opt-In Requirements

ABM opposes opt-in requirements "for the offline collection of basic information from individuals wishing to establish business relationships, or acting within an established business capacity, and believes that the offline collection of basic business information, like that found on a business card or other public industry information, should be exempted from the bill." ABM also objects to opt-in requirements for transfers to third parties, and seeks clarification as to what would be included, particularly in the offline world. ABM opposes opt-in for material changes to privacy policies. Finally, ABM seeks clarification of the definition of "precise geolocation," so that businesses know whether "geolocation would include data points such as a zip code, IP address, area code or even mailing address" and "urges [the drafters] to carefully consider innovation in serving advertising supported content to mobile devices by clarifying the term 'precise geolocation information' to ensure that first party transactions involving the location of a mobile device are exempted from an opt-in requirement."

The ANA objects to all opt-in requirements as unduly costly and unlikely to be productive, citing studies on opt-in by various organizations and companies.  For example, it cites a study from the Privacy Leadership Initiative finding that, "[i]n the apparel sales area alone, it was demonstrated that if catalog sellers were unable to use routine data that they collect from customers and obtain third party data, they would have to raise their prices by more than $1.4 billion annually." 

The MRA expresses concerns with respect to the opt-in restrictions on third party transfers as they would affect the research industry, noting that,

[a]lthough no personally identifiable data is shared with the clients requesting a study without the consent of the research participants, identifiable data must be transferred between various companies involved in conducting the study in order to complete the work. The average research study requires multiple organizations that divide the labor: one company is hired by a client to conduct a study and it contracts with others to get the study completed. For instance, one company might do the recruitment of research participants or provide the “sample”, another would collect the data, yet another might translate any responses from foreign languages, one more would process and analyze the data -- all before the original hired company puts together the study results (presenting aggregate de-identified data) into a report for the client.

As such, MRA suggests a revision to the opt-in requirement that would provide as follows:  "The consent requirements of this subsection shall not apply to the disclosure of covered information as part of a bona fide survey and opinion research study, provided that-(A) only aggregate information will be shared with the end user who requested or sponsored the study; and (B) all unaffiliated parties to whom covered information is disclosed agree to use such covered information solely for the purpose of conducting the bona fide survey and opinion research study and not to disclose the covered information to any other person."

NRF, like other advertisers, objects to any opt-in requirement in any context, focusing on the impracticality of such requirements.  Among other things, NRF argues the chance of a consumer even obtaining and opening an opt-in notice is slim:  "If these marketing statistics bear out in the context of opt-in, a retailer has an 88-94 percent chance that an opt-in could not be obtained every time a material change is made."

The U.S. Chamber of Commerce disapproves of an opt-in for sharing with third parties, noting that this requirement does not focus on the "intended purpose" or protect against any perceived harm, echoing some of the concerns evinced by the ANA described in "General Observations" above. The Chamber also maintains that affiliated parties should include entities that operate websites as joint ventures. Further, the Chamber objects to opt-in restrictions for undefined "material changes" to privacy policies.

Operational and Transactional Purpose Exception

ABM seeks clarification of the transactional purpose definition, proffering the following example: "when an ABM member company produces a trade show, and a business signs up to attend the trade show, that should be viewed as a transaction, so that exchanges and sharing of information collected from the attendees at the trade show fall within the transactional exemption."

The U.S. Chamber of Commerce argues that the operational purpose exception is too narrow because it "does not apply if the data is also used for marketing, advertising, or sales," and that "[t]he draft bill should be technology-neutral and should not favor one type of advertising over another." The Chamber further recommends that "operational purpose" include "'detecting, preventing, or acting against actual or suspected fraud targeting the individual.'" The Chamber also seeks clarification of the "transactional purpose" definition to make sure "[m]arketing efforts designed to encourage transactions or sales" are covered.

Exception for "Individual Managed Preference Profiles"

ABM argues that "the in-ad notice and preference profile requirements necessary to achieve exemption from 'opt-in' for advertisements served by unaffiliated third party ad networks should be the responsibility of the ad network, not the first party publisher."

The U.S. Chamber argues that all entities engaged in OBA should be similarly regulated, independent of the business model:

the draft allows entities that construct and maintain user preference profiles to utilize opt-out consent for the collection and use of covered information, but appears to preclude any new or different business models from doing so.

The draft should provide all entities involved in OBA with equal opportunities to utilize opt-out consent for the collection and use of covered information. It should not disfavor particular business models with more burdensome regulatory obligations, since doing so would deter entry, harm innovation, and undermine competition and choice in the OBA marketplace.

Conflict with First Amendment Rights

Like NetChoice (comments described in Part One), the ANA argues that "[s]ome courts and legal scholars believe that [an opt-in requirement] raises serious First Amendment issues. In 1999 in U.S. West v. Federal Communications Commission, 182 F.3d 1224, the 10th Circuit Court of Appeals held that the government must carry out a careful calculation of costs and benefits associated with burdens on speech imposed by an opt-in rule. In that case, the court struck down an FCC rule that contained an opt-in requirement, concluding that the rule violated the First Amendment."

Data Accuracy Requirements

As noted in our FAQ on the bill here, the discussion draft would require "in very general terms that a covered entity 'establish reasonable procedures to assure the accuracy of the covered information it collects.'"  ANA, unlike most commenters, specifically calls out this provision as problematic due to the possibility of providing unlimited access rights to consumers that might actually create additional privacy and security risks:  "We are concerned that this provision could under the Draft possibly lead to a broad right of consumer access to all information held about them by a company and the right to 'correct' that information. Providing consumers with such broad access to all information, without adequate protections, can create, if not carefully developed, a new set of major privacy and security risks."

Status

Last Wednesday, Rep. Boucher told Tech Daily Dose that "most business groups believe the legislation is 'too strict,' while privacy advocates and public interest groups say it doesn't go far enough to protect consumer privacy."  As such, Boucher told Tech Daily Dose, he believes he has a "very centrist proposal."  In any event, Boucher indicated that he intends to make some modifications to the bill based on the feedback, "including lawmakers on both sides of the aisle in meetings with stakeholders," but did not specify a timeframe for completion of that process.

Reactions to the Boucher Bill, Part One

As previously reported here, in early May Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a discussion draft of proposed federal privacy and data security legislation.  Reps. Boucher and Stearns sought comments on the discussion draft, setting a deadline of last Friday, June 4, 2010.  Numerous organizations have submitted comments.  This multi-part post will describe and summarize, at a high level, some (but not all) of the issues identified by the commenters.  Part One, set forth below, will address comments submitted by the following organizations (the comments themselves are linked below):

(Part Two, next week, will address comments by the Association of National Advertisers, the National Retail Federation and Shop.org, and the American Business Media, and others).

General Observations

Advertisers and privacy advocates alike think the legislation is lacking, for different reasons.

The IAB writes that the proposed legislation "would fundamentally change online information and online advertising practices to the detriment of consumers."  ITIF argues that "much of the concern over data privacy is speculative . . . consumers have experienced few, if any, harms because of the current privacy laws [and, therefore,] . . . [b]efore Congress enacts new laws, it should first demonstrate that better enforcement of existing privacy regulations are insufficient to protect consumers."

On the flip side, the Privacy Groups argue that the draft in its current form is not strong enough and "must be considerably revised to provide the protection that consumers truly need and garner the support of consumer and privacy groups."

Self-Regulation

The IAB argues that self-regulation "is inherently more flexible and better suited to govern a dynamic environment than legislation" and therefore "is the best approach to help ensure that consumers receive transparency and choice online."  In July 2009, the IAB, along with the American Association of Advertising Agencies, the Association of National Advertisers, the Council of Better Business Bureaus, and the DMA, issued cross-industry Self-Regulatory Principles for Online Behavioral Advertising, which corresponded with the "Self-Regulatory Principles for Online Behavioral Advertising" proposed by the Federal Trade Commission in February 2009, described here.

DMA agrees that self-regulation is preferable because it "is better suited for governing a rapidly changing environment and responding to evolving consumer expectations," pointing to its Commitment to Consumer Choice Guidelines for members using mail in the offline world, and the Self-Regulatory Principles for Online Behavioral Advertising, mentioned in the paragraph above, in the online world.  DMA emphasizes that the FTC has encouraged the development of self-regulatory programs and argues that, if there is legislation, it should "preserve and allow incentives to continue to exist for this essential role for industry self-regulation."

Notice and Choice/Fair Information Practices (FIPS) Model

The Consumers Union criticizes the discussion draft as "exclusively rely[ing] on the notice and choice model, which has been shown to be particularly ineffective in protecting consumer privacy online."  The Privacy Groups also criticize the notice and choice model, stating that it "promotes bureaucracy but does not promote privacy," and argue in favor of a model based on FIPS, as a minimum.

By contrast, CDT agrees with the notice and choice framework, including the opt-in/opt-out structure.  Nonetheless, CDT takes issue with reliance on consent as a model for consumer protection and encourages adoption of all FIPS:  transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, accountability and auditing.

Coverage of Offline Information

CDT praises the legislation for encompassing both online and offline information:  "There is no longer a bright line between the online and offline world. Modern data flows often involve collection and use of data derived and combined from both, and the rights of consumers and obligations of companies with respect to consumer data should apply to both as well."

ITIF argues that the offline privacy notice requirement is both costly and wasteful.

DMA argues that the exceptions to the opt-in requirement for transfers to third party advertising networks in the online world should be applicable in the offline world as well:  "By omitting offline data transfers, the exception creates a discriminatory regime in which offline data transfers are subject to a stricter consent requirement than online data transfers."  DMA points to "DMAchoice, a consumer mail preference tool created by the DMA, [a]s an example of the type of consumer preference tool that may obviate any opt-in consent requirement for offline data transfers."

"Covered Information":  Treatment of non-PII

IAB takes issue with the treatment of non-personally identifiable information (such as IP addresses) as personally identifiable information (PII), stating that "[t]he mere fact that information could identify a computer or device does not necessarily raise privacy issues."  Similarly, NetChoice argues that regulation should not use the same approach for PII and what it refers to as "non-identifying information."  By contrast, Consumers Union reportedly praised the inclusion of IP addresses in the definition.

DMA argues that "covered information" is defined far too broadly and should be narrowed to include only information that is linked back to an individual, not information that can be linked back to an individual, or information that may link to a computer.  DMA has the same objections to the definition of "render anonymous."

CDT promotes a more nuanced approach, noting that, as technologies change, some types of information may become more sensitive, while others may become less so.  Thus, CDT advocates "empowering the FTC to clarify and update the definition of covered information to take account of new developments."

Definition and Treatment of "Sensitive Information"

This topic received comments from nearly every group.

CDT applauds the inclusion of precise geolocational information in the definition of sensitive information, but argues that "medical information" should be changed to "health information" and broadened to reach health data generated by users online.  CDT suggests that part two of the definition of "health information" in HIPAA, 45 CFR 160.103, may be a useful model.  That provision of the HIPAA rules defines health information as relating "to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

The Privacy Groups contend that sensitive information is too narrowly defined, and suggest a broader definition of medical information similar to that suggested by CDT, as well as the inclusion of income, credit score, and Social Security number in the definition of sensitive information.

The Privacy Groups are in favor of a blanket prohibition on the collection or use of sensitive data "for any purposes other than for the transactions for which they have provided it."

On the other side of the spectrum, ITIF opposes any definition of sensitive information, arguing that "[l]egislation should not codify existing social norms at the expense of future innovation."

DMA recommends further studies before imposing new requirements with respect to sensitive information.  It also finds the definition to be vague and suggests limiting the definition "to data gathered directly from the individual rather than any information that 'relates to' the enumerated items."  DMA opposes the inclusion of precise geolocational information, arguing for self-regulation: "[l]ocational technology is currently an area of rapid innovation and advancements, which are likely to have beneficial applications, and we caution against the creation of new restrictions that are likely to stifle this vibrant technological growth and evolution."

Covered Entities

DMA argues that covered entities should include only the entities that originally collect information and not the "downstream" entities that receive covered information:  "For example, many companies obtain data from third party aggregators in order to combine it with information collected from customers. We believe that when obtaining such data, businesses should be able to rely on the practices of the company that originally collected the information, because it would be impracticable for the receiving company to reach out again to consumers to provide any notice or choice required."

Detailed Notice/Privacy Policy Requirements

Not surprisingly, this is another controversial topic with the commenters.

CDT recognizes the difficulties of balancing transparency and comprehensiveness in detailed, long privacy policies that few consumers bother to read or can understand.  CDT therefore recommends that "the bill refrain from mandating the specific elements of notice and instead provide the FTC with the authority to institute a proceeding on the issue" and that "the FTC be empowered to develop a model short form notice that companies can adapt to make notice and consent more meaningful to consumers."  CDT's recommendation would bring online privacy notices closer to the model of regulation currently in place for financial institution annual privacy notices under the Gramm-Leach-Bliley Act.

DMA points out the inconsistency between recent FTC pronouncements regarding the ineffectiveness of detailed privacy policies and the proposed draft legislation, which would require inclusion of numerous details:  "Requiring such privacy notices to include fifteen prescribed disclosures, as this bill contemplates, is therefore at odds with the current debate on how best to provide consumers with transparency."  DMA recommends an approach that allows entities flexibility with respect to description of their data collection and use practices.

DMA also objects to the timing requirement that privacy notices be provided prior to collection of information, noting that this may be impossible.   "In the online context, data collection begins from the moment a person types in a URL address. Covered information such as an Internet Protocol address must be collected from the device to know where to deliver the requested content. Even if a privacy notice could be delivered before a person is transferred to the requested site, an entity would need some information to know where to deliver the notice. Requiring a privacy notice to be provided before any online collection of information would thus be impossible."  DMA also argues that this requirement would severely interfere with commerce in the offline world:  "the draft bill would effectively eliminate the ability of companies to gather marketing information through call centers that consumers reach to order products seen in a catalog or on television, because it would be impracticable for operators to provide a written privacy notice. In offline environments that involve a personal interaction, such as a shopping or hotel transaction, companies would face a need to make vast investments in new materials and infrastructure in order to comply with the requirements in the draft bill."

Opt-Out for Certain First Party Practices

DMA objects to the proposed opt-out requirements for certain first party website collection and information use for marketing, advertising and sales, and seeks clarification as to what would fall within these categories:  "It is important to recognize that businesses often undertake data-related activities for multiple purposes including marketing. For example, data analysis in order to optimize or improve products and services is defined in the legislation as an 'operational purpose' but also serves the goal of increasing eventual sales. Moreover, applying an expansive definition of marketing, advertising, and sales purposes is likely to result in excessive consent requests that are likely to confuse or frustrate consumers."  DMA also seeks an exemption for marketing, "the most benign reason to collect and use consumer information, and a principal economic driver."

Opt-In Requirements

Commenters are sharply divided on opt-in.

The IAB rejects the opt-in approach, writing that "[r]equiring consumers to opt-in to transfers to third parties would drastically reduce the free flow of information that is the heart and soul of today's Internet offerings."  ITIF maintains that opt-in is costly and administratively burdensome for organizations and should not be required for sharing with third parties (or even for material changes to privacy policies).  DMA agrees that an opt-in requirement for transfers to third parties would "disrupt widespread and legitimate business practices, particularly in the offline arena."  DMA argues that this will defeat the "societal benefits" of direct marketing, that "the cost of products will go up for consumers, and that they will have less access to relevant information at a time when they need it."  DMA also opposes opt-in for material changes to privacy policies governing prospective collection of information.

Not surprisingly, the Privacy Groups argue that resistance to opt-in is misplaced, maintaining that "[b]usinesses will become more innovative and responsive to consumers' desires concerning the collection and use of their data if they must first ask for their express affirmative consent" and recommending that "non-sensitive information should only be allowed to be collected and used for advertising purposes for 24 hours, after which opt-in consent would be required to continue to store and use it," with exceptions for collection and use of public record data and of data for operational and transactional purposes (but more narrowly defined than in the current draft).

Indeed, the Privacy Groups argue that opt-in is not enough where consumers' "sensitive data could be used for purposes other than for transactions they decide to make."

Operational Purpose Exception/Definition of "Affiliates"

NetChoice argues that the operational purpose exception is too narrow in that it does not permit use of covered information for marketing or advertising to existing customers.

By contrast, CDT expresses concern that the exception may be too broad depending on the definition of affiliates and recommends that "'affiliate of the covered entity' be limited in scope to entities under common branding with the covered entity, entities that a reasonable consumer would understand is under common control."

The Privacy Groups argue that affiliates should be treated the same as third parties "and that affiliate sharing should only be allowed on an opt-in basis except for transactional and operational purposes."

Restrictions on Targeted Advertising

ITIF objects to many of the restrictions on online behavioral advertising on the grounds that these restrictions will hinder innovation and economic growth and exacerbate the problems raised by the demise of print media:  "[r]equiring targeted ads to have a special mark identifying them . . . would unfairly disadvantage targeted ads against non-targeted ads. Given that targeted ads generate more than two times the revenue of non-targeted ads, this would have a negative impact on revenues for online publishers and service providers and would harm the Internet ecosystem, particularly the so-called 'long tail' of small websites supported by ad revenues. In addition, policymakers concerned with the decline of print media should note that greater revenue from targeted online advertising will likely be necessary for journalism to survive in the Internet age."

Data Retention Limits

The Privacy Groups are in favor of data retention limits for information in addition to the proposed limits for managed profiles, and argue for retention periods of less than 18 months for managed profiles.

DMA, by contrast, argues that the proposed retention period is not long enough in many circumstances because, for example, a "company that has an ongoing relationship with a consumer would need to retain information about that consumer in order to conduct billing, service, and transactional operations."

Exception for "Individual Managed Preference Profiles"

IAB opposes mandated preference profiles, noting that "it is too soon in the experimentation of these practices to codify managed preference profiles into federal legislation."

NetChoice expresses concerns that ad networks may not be able to take advantage of this exception because they "will have to obtain affirmative consent to share covered information among unaffiliated advertisers, even if this covered information is not personally-identifying."

ITIF argues that consumers should not have the right to review and modify their profiles because this would be costly and allow for free riders.

On the other side of the debate, the Privacy Groups oppose the exception, arguing that "[c]onsumers should be asked to opt-in for such profiles, or there must be some way to ensure that consumers have an easy way to opt-out of all such profiling through a federal Do Not Track registry."

Small Business Exception

NetChoice argues that the small business exception is problematic in that it would not cover small businesses that collect certain kinds of financial information (which are included within the definition of sensitive information).

Addition of Safe Harbor

CDT recommends the creation of a safe harbor framework "giving industries or industry segments flexibility to develop tailored privacy solutions with FTC oversight," arguing that this "is the best way to accommodate differences between industries, create certainty for companies (because following approved practices would be deemed compliance with the statute), encourage privacy innovation over time, and reward adoption of accountable practices."  CDT cites a similar recommendation by Professor Rubenstein.

Addition of Accountability Measures

CDT recommends the addition of accountability measures such as mandated Privacy Impact Assessments (PIAs) "prior to the implementation of new products, services or marketing initiatives, which involve the collection, use, and disclosure of, covered data," citing scholarship on the concept of Privacy by Design.

Addition of More Access, Correction, and Deletion Rights

The Privacy Groups favor the addition of more access, correction and deletion rights for consumers (similar to those set forth in EU member country privacy legislation).

Neutrality as to Technology

CDT cautions that, because technology changes rapidly, legislation should include only general requirements.  CDT suggests that the specifics be left to FTC rulemaking.

Preemption

Consumers Union and the Privacy Groups object to the broad preemption of stronger state laws set forth in the discussion draft.  CDT argues that the scope of state law preemption is overbroad, recommending looking to H.R. 2221 (Rep. Rush's proposed Data Accountability and Trust Act, passed by the House on December 8, 2009) "for a model of a narrowly tailored preemption provision." The Privacy Groups recommend that the legislation allow states to enact stronger laws.

CDT also expresses concern that the existing draft would preempt certain sectoral federal privacy laws, such as the Video Privacy Protection Act (VPPA), the Genetic Information Nondiscrimination Act (GINA), and the health privacy provisions in the American Recovery and Reinvestment Act of 2009 (ARRA), and suggests that those sectoral privacy laws be left in place or that the drafters make explicit the preemption of any federal privacy law.

By contrast, ITIF applauds the broad scope of preemption:  "[t]o be effective, a federal framework for consumer data privacy should establish a single, nationwide standard for consumer privacy thereby reducing regulatory complexity for the private sector. If Congress does move forward with privacy legislation, it should ensure that any new regulations preempt state laws, otherwise online service providers will find themselves facing competing, and possibly contradictory, data use and handling requirements for consumers."

Lack of Private Right of Action

Consumers Union and the Privacy Groups criticize the absence of any private right of action in the legislation.  CDT also objects to the lack of a private right of action and recommends the addition of such a right with liquidated damages, such as that provided under the Telephone Consumer Protection Act (TCPA), 47 U.S.C. sec. 227(b)(5).

CDT expresses concern that the discussion draft purports to preclude actions brought under state laws and common law and recommends a more narrow approach, like that in Section 6(b) of H.R. 2221, precluding a state law action “if such action is premised in whole or in part upon the defendant violating any provision of this Act.”

Conflict with First Amendment Rights

NetChoice argues that the bill "includes unintended consequences that extend beyond the online world and into traditionally protected speech" in that it "would even require express affirmative consent for collecting information about otherwise public events."

Breaking Down the Boucher Bill

In early May, Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a long anticipated "discussion draft" of a bill "[t]o require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual."  You have probably heard that industry and consumer groups alike are not happy with the discussion draft.  What exactly is the Boucher Bill and what would it mean for almost every company engaged in the collection, use or disclosure of personal information (not just companies engaged in online behavioral advertising)?  Following is a FAQ.  Comments on the draft legislation are due June 4 (mark your calendars).
  • Isn't the Boucher Bill just about online behavioral advertising conducted by large marketers?

No.  The Boucher Bill is proposed federal privacy and data security legislation that is very broad and far-reaching and goes way beyond regulation of online behavioral advertising as defined by the FTC.

  • What would the Boucher Bill prohibit?

Under the Boucher Bill, a "covered entity" would be prohibited from collecting, using, or disclosing "covered information" from or about an individual for any purpose unless the covered entity (A) makes available to the individual a prescribed form of privacy notice prior to the collection of any covered information; and (B) obtains the consent of the individual to such collection in the manner set forth in the Bill.

This is interesting given that many regulators and legislators, including the FTC, have been calling for an end to the notice and consent model when it comes to meaningful privacy choice.

  • What is a "covered entity"?

The Boucher Bill broadly defines a "covered entity" as any person engaged in interstate commerce that collects data containing covered information.  A covered entity would not include a government agency or any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.  Thus, it appears that just about any organization with more than 5,000 employees and/or customers would be a "covered entity" under the Boucher Bill.

  • What is "covered information"?

The short answer is: just about anything that identifies (or even might identify) an individual.  "Covered information" is defined as, with respect to an individual, any of the following:

  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
  7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in 1-9 above.

  • What is a "preference profile"?

A "preference profile" is a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

  • How would a "covered entity" collecting "covered information" provide the required notice?

The answer depends on whether the covered entity collects the information online or offline.

Online:  If a covered entity collects covered information through the Internet, the Boucher Bill requires that it must post a privacy notice clearly and conspicuously on the website through which the covered information is collected.  The privacy notice must be accessible through a direct link from the Internet homepage of the covered entity.  This is very much like California's Online Privacy Protection Act, Business and Professions Code section 22575 et seq.

Offline:  Unlike California (or any existing state law), the Boucher Bill would require notice even where information is collected offline or by means other than the Internet.  If a covered entity collects covered information by any means that does not utilize the Internet, the Bill requires that notice be made available to an individual in writing before the covered entity collects any covered information from that individual.

  • What information must be included in the privacy notice?

The privacy notice (for online and offline collection) must include all of the following:

  1. The identity of the covered entity collecting the covered information;
  2. A description of any covered information collected by the covered entity;
  3. How the covered entity collects covered information;
  4. The specific purposes for which the covered entity collects and uses covered information;
  5. How the covered entity stores covered information;
  6. How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties [an "unaffiliated party" is any entity that is not related by common ownership or affiliated by corporate control with a covered entity];
  7. How long the covered entity retains covered information in identifiable form;
  8. How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period;
  9. The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose;
  10. The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information;
  11. The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity;
  12. A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information;
  13. The process by which the covered entity notifies individuals of material changes to its privacy notice;
  14. A hyperlink to or a listing of the FTC's online consumer complaint form or the toll-free telephone number for the FTC's Consumer Response Center; and
  15. The effective date of the privacy notice.

This goes far beyond the content requirements of California's Online Privacy Protection Act.

  • Are there any exceptions to these notice requirements?

Yes. The notice requirements would not apply to covered information that (1) is collected by any means that does not utilize the Internet and (2) (a) is collected for a "transactional purpose" or an "operational purpose" or (b) consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a "first party transaction."

  • What is a "transactional purpose"?

A "transactional purpose" is a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

  • What is an "operational purpose"?

An "operational purpose" is a purpose reasonably necessary for the operation of the covered entity, including (i) providing, operating, or improving a product or service used, requested, or authorized by an individual; (ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud; (iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations; (iv) carrying out an employment relationship with an individual; (v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and (vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.  However, "operational purpose" does not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

  • What is a "first party transaction"?

A "first party transaction" is an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

  • Do the consent requirements call for opt-in or opt-out consent?

It depends. 

Opt-out consent is enough in many circumstances.  Under the Bill, a covered entity is deemed to have the consent of an individual for the collection and use of covered information relating to that individual if the covered entity has provided to the individual a clear statement containing the information described above and informing the individual that he or she has the right to decline consent to such collection and use, and the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.  (However, if an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.)  Alternatively, a covered entity may comply by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

However, some situations require opt-in consent:

  1. A covered entity must provide the notice described above and obtain the express affirmative consent of the individual prior to making a material change in privacy practices governing previously collected covered information from that individual or disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.  This would codify existing law that a company may not unilaterally alter its privacy policy and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).
     
  2. A covered entity is prohibited from selling, sharing, or otherwise disclosing covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.  This would represent a fundamental change in existing US privacy law, except in particular narrow sectors.  Further, a covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
     
  3. A covered entity is prohibited from collecting or disclosing sensitive information from or about an individual for any purpose unless the covered entity makes available to such individual the privacy notice described above prior to the collection of any sensitive information and obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.  ["Sensitive information" is any information that is associated with covered information of an individual and relates to that individual’s (A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (B) race or ethnicity; (C) religious beliefs; (D) sexual orientation; (E) financial records and other financial information associated with a financial account, including balances and other financial information; or (F) precise geolocation information.]  This would also be a significant shift in US privacy law, bringing the US much closer to existing stringent privacy protections in the EU.
     
  4. A covered entity is prohibited from collecting or disclosing covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity makes available to such individual the privacy notice described above prior to the collection of the covered information about all or substantially all of the individual’s online activity and obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
     
  5. With certain limited exceptions, any provider of a product or service that uses location-based information would be prohibited from disclosing such location-based information concerning the user of such product or service without that user's express opt-in consent.

  • Are there any exceptions from these consent requirements?

Yes, but only with respect to the opt-out consent requirements and the opt-in consent requirements under (1) and (2) above.  There are no exceptions to the opt-in requirements under (3), (4) and (5) above.

The opt-out requirements and the Gateway-type opt-in requirements described in (1) above do not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose.

The opt-in requirements described in (2) above do not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if (A) the covered entity has obtained consent for the collection of covered information (opt-out and/or Gateway-type opt-in consent described above); and (B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.   [A "service provider" is an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.]

In addition, notwithstanding (2) above, a covered entity may collect, use, and disclose covered information if (1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by (A) website interactions on the covered entity's website or a website where the preference profile is being used; (B) a toll-free phone number; or (C) letter to an address provided by the covered entity; (2) the covered entity deletes or renders anonymous any covered information not later than 24 months after the date the covered information is first collected; (3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that (A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual's preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and (B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and (4) an advertisement network to which a covered entity discloses covered information does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.  [An "advertisement network" is an entity that provides advertisements to participating websites on the basis of individuals' activity across some or all of those websites.]

  • Are there any other exemptions under the Bill?

Yes.  The Bill explicitly provides that nothing therein shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

  • What is "aggregate information"?

"Aggregate information" is data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

  • What does "render anonymous" mean?

"Render anonymous" means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify, the specific individual to whom such covered information relates or a computer or device owned or used by a particular user.

  • Does the Boucher Bill include any data security requirements?

Yes.  A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the FTC determines are necessary to (A) ensure the security, integrity, and confidentiality of such information; (B) protect against anticipated threats or hazards to the security or integrity of such information; (C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and (D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.  The Bill would therefore extend certain GLBA- and HIPAA-like protections to non-financial and non-health care sectors.

The Bill anticipates that the FTC will develop standards to carry out this section and, in doing so, will consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards. 

The Bill prohibits the FTC, in promulgating rules pursuant to the Bill, from requiring the deployment or use of any specific products or technologies, including any specific computer software or hardware. Thus, the Bill seeks to make any security requirements technology-neutral (similar to the Massachusetts data security regulations and other state data security laws).

  • Does the Boucher Bill say anything about data integrity?

Not exactly.  The Boucher Bill addresses data "accuracy," requiring in very general terms that a covered entity "establish reasonable procedures to assure the accuracy of the covered information it collects."

  • Who would enforce the Boucher Bill?

Not surprisingly, the Bill gives the FTC enforcement power and would make a violation an unfair and deceptive act or practice in violation of the FTC Act.

The Boucher Bill also gives State attorneys general the power to bring a civil action seeking injunctive relief and/or damages.

The Bill explicitly states that it does not provide any private right of action.

  • Would the Boucher Bill preempt state law?

Yes, the Bill would preempt many state laws.  The Bill would supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information. 

The Bill would have no effect on GLBA, HIPAA, COPPA, the CAN-SPAM Act, certain other federal laws, or the FTC's authority pursuant to other laws.