InfoLawGroup LLP

View Original

Reactions to the Boucher Bill, Part Two

This post is Part Two in my review and discussion of some of the comments submitted in the response to the Boucher Bill privacy and data security legislation discussion draft.  You can find Part One here.  You can find a FAQ on the Boucher Bill itself here.  As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters.

Part Two covers comments (linked here) submitted by:

Although the media reports that both Facebook and Google submitted comments, it appears that those comments have not been made public.

General Observations

Like the comments described in Part One, many of these commenters expressed concern that the draft goes too far, that consumers benefit from the free flow of information, and that proposed draft would stifle innovation and the retail economy. 

ABM "cautions against government regulations that go beyond the threshold of transparency, notice and choice for business users" and urges the drafters "to consider the possible, unintended consequences of establishing new requirements for content providers that may disadvantage the innumerable American businesses that rely on business information products and services to receive targeted and customized information solutions."

The ANA notes that, "[s]ince e-commerce is one of the most vibrant parts of our economy, particularly during this difficult period it is critical that Congress not do anything prematurely to restrict the growth of this marketplace."  The ANA also suggests that Congress consider the harm that such legislation is meant to address, unlike the specific harms anticipated by existing sectoral (health and financial) legislation:  "What is the potential harm that can come to a consumer from the use or transfer of . . . [information such as how many shirts someone orders from a retailer and what color, size and price they were]? Does that potential harm justify a sweeping, virtually all-inclusive new privacy regime that imposes substantial costs and burdens on every business in America?"

The MRA identifies concerns for the research survey industry that include perhaps unintended consequences of the bill for the greater economy, noting that the discussion draft would make it even harder "to reach research participants, increase non-response bias and adversely impact the accuracy of research results." In addition, the MRA points out:

This wouldn’t just impede bona fide survey and opinion research. It would ultimately result in higher costs for research -- costs which would be passed on to the individuals you are trying to protect, in the form of:

  • higher prices for goods and services;
     
  • lengthier time before new or better goods and services are brought to the marketplace;
     
  • delayed introduction of new or better public policies; and
     
  • a decreased amount of research ordered by companies, who might then bring less well-tested and researched products and services to market, harming consumers in the end because the goods and services did not fulfill consumer expectations or needs.

NRF also cautions that the economy may suffer:  "The information collected ensures that stores are opened in locations where demand is the highest, the right merchandise is stocked on those shelves, and customers are offered the best sales and promotions to get them in the door."

The U.S. Chamber of Commerce also identifies potential consequences for the economy, including potential restrictions on content currently available for free on the Internet:

Advertising revenue frequently allows Web sites to offer consumers content for free. This ad-supported business model has been a key to the success of many Internet ventures and has helped to make the Internet an engine of growth in the U.S. economy. Unfortunately, the draft bill would disrupt this pro-consumer business.

Self-Regulation

ANA argues that legislation is not necessary at this time:  "We believe that consumers can be best protected through a combination of existing privacy laws and regulations, privacy enhancing technology, effective self-regulation and the backstop of the FTC’s current powers to stop false, deceptive or unfair acts or practices."  ANA highlights the existing industry Self-Regulatory Principles, discussed in Part One, and identifies several pending industry projects regarding online behavioral advertising (OBA):

  • Developing an industry icon that will appear on OBA-served web ads
     
  • An outreach program to educate consumers about the benefits of OBA
     
  • An industry webpage where consumers can go to opt-out of OBA
     
  • An accountability program to be operated by the CBBB (the DMA has a separate accountability program for DMA member companies)

The NRF echoes the comments of other industry and advertiser commenters in calling for self-regulation and industry oversight in lieu of government mandated restrictions:  "We do believe that selfregulation and, in the case of retailing, industry leadership (or 'leading practices') are among the most effective ways to protect consumers while allowing businesses the flexibility to continue to innovate and adopt new technologies to better serve their customers." 

The U.S. Chamber of Commerce also favors self-regulation, arguing that "[s]elf-regulatory practices promulgated by . . . industry groups or the FTC should be granted 'safe harbor' status along with the concepts outlined in the law specifically for 'network advertisers.'”  The Chamber also maintains that the bill should take into consideration browser privacy controls:  "[t]here is also a burgeoning privacy-by-design business model being developed using 'plug-ins' and other tools to give browsers more privacy features and user controls. Increasing emphasis should be given to this self-regulatory vehicle. However, this draft would curtail the incentive for innovation regarding these browser controls."

Coverage of Offline Information

ABM argues for an exemption of "offline collection of basic information from persons acting in clear business capacities" or, at a minimum, "a variation of a 'business card' exception – that is, the information normally found on a business card or related to professional services or other public occupational and industry information [including a home or office address used for business purposes] should not be subject to the opt-in rules or other requirements when collected offline."

ANA seeks an equal playing field that takes into account the different manner in which advertisers work in the online and offline worlds:

any new laws or regulations should provide sufficient flexibility to reflect different ways of communicating with consumers. If the Subcommittee pursues legislation in this area, we strongly urge you to avoid any policy choices that provide a competitive advantage (or disadvantage) to either the online or offline business community. The focus should be on maintaining and enhancing a fair regulatory playing field for online and offline businesses, rather than on a one-size fits all regulatory regime.

NRF argues that inclusion of offline information in the bill is "fundamentally unworkable."

The U.S. Chamber of Commerce echoes the sentiments of the ANA:  "in the offline arena, covered information may be collected in different formats and technologies, so more flexibility is needed for the timing and content of notice and how and where to offer choice."  

"Covered Information"

ABM expresses concern that "covered information" might include information regarding individuals within businesses or the businesses themselves, arguing that businesses do not enjoy rights to privacy in the same way that individuals do, and that individuals acting in a professional capacity have different expectations of privacy than individuals operating in a personal capacity.  Footnote One of the ABM comments includes the following citations in support of this argument: 

""[C]orporations can claim no equality with individuals in the enjoyment of a right to privacy." United States v. Morton Salt Co., 338 U.S. 632, 652 (1950); see also Restatement (Second) of Torts § 652I cmt. c ("A corporation, partnership or unincorporated association has no personal right of privacy."); Browning-Ferris Indus. v. Kelco Disposal, Inc., 492 U.S. 257, 284 (1989) (O'Connor, J., concurring in part, dissenting in part) ("[A] corporation has no ... right to privacy."). Indeed, the Supreme Court has recognized that "a business, by its special nature and voluntary existence, may open itself to intrusions that would not be permissible in a purely private context." G.M. Leasing Corp. v. United States, 429 U.S. 338, 353 (1977). Moreover, many courts have found that business employees, acting as such, often have lower privacy interests in their business conduct than they would have in their private capacities. E.g., Curto v. Medical World Communications, Inc., 2006 WL 1318387 (E.D.N.Y. 2006) ("Employees expressly waive any right of privacy in anything they create, store, send, or receive on the computer or through the Internet or any other computer network.").

ABM also opposes the inclusion of IP addresses within the definition of "covered information": 

Expanding the definition of covered information to include defining an IP address would make it extremely difficult to continue, as B-to-B content providers, to serve relevant content or even contextual first-party advertising. Allowing a consumer to an ABM publication to opt-out of all usages of covered information, including IP addresses, would pose a great danger to the ad-based models currently used by every major publisher.  . . .  One potentially damaging consequence would be the inability of ABM members and other content providers to enforce their intellectual property rights by determining where piracy of their materials has occurred because of customer activities. At the very least, the bill should acknowledge and allow for collection of IP addresses for use in connection with legal proceedings, investigations of crimes or other wrongdoing.

ABM also seeks limitation of the definition to exclude publicly available and public domain information about individuals:

the current draft covers as well all information collected about individuals, meaning that it covers information obtained from published and public domain sources. The "about" restriction therefore means that it would become unlawful merely to reprint, disseminate, or use certain information that has already been publicly distributed and widely used. Already published information is by nature not private and should not be treated as such. Moreover, serious First Amendment and state-federal preemption issues would be raised by classifying as “private,” or making it unlawful to use, information that is already in the public sphere. Cf. Cox Publishing Co. v. Cohn, 420 U.S. 469 (1975) (“…the First and Fourteenth Amendments command nothing less than that the States may not impose sanctions on the publication of truthful information contained in official court records open to public inspection”)."

ANA objects to the breadth of the draft overall and the definition of "covered information," maintaining that it would conflict with numerous existing federal laws, and that the catch-all provision would "swallow up and cover the entire information universe."

NRF, like other advertisers, objects to the broad definition of "covered information":  "SSN’s and financial account numbers are listed together with much less sensitive and widely available data such as name, address, and phone number. Additionally, non-personal identifiers such as Internet Protocol addresses, preference profiles, and cookies are, for the first time, also covered."  NRF worries that this broad definition puts the draft in conflict with legislation such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and state data breach notification laws.  (Note, however, that the discussion draft would preempt conflicting state laws.) 

The U.S. Chamber of Commerce also objects to the broad definition, arguing that it should encompass "only data elements that could be used to commit identity theft or other direct consumer harm," and that "data elements such as 'unique identifier,' 'persistent identifier,' 'Internet Protocol address,' 'telephone number,' and 'fax number' should be removed from the definition "except where such data has already been merged with other personal information elements."  The Chamber also maintains that "the definition of 'personally identifiable information' should specifically exclude any personal information that has been rendered anonymous or 'de-identified' prior to its use."  Like DMA (described in Part One), the Chamber also objects to the term "render anonymous" and recommends harmonizing the definition "with HIPAA’s existing de-identification standard such that compliance with a similar de-identification process would provide a similar exclusion from this legislation."  Like ABM, the Chamber objects to the inclusion of publicly available information in the definition of "covered information."

Highlighting a concern not identified by most commenters, the Chamber also seeks an exclusion from the coverage of the legislation for information collected from or about a former, existing or prospective employee by an employer:

Not only are employers required under federal tax and other laws to collect much of the data that would meet the definition of "covered information" in this draft bill, there are numerous existing federal and state laws that already protect the privacy and security of such employee information, not to mention court decisions that have sought to strike the proper balance between employer and employee rights to the information. It would be well beyond the stated purpose of this bill to re-write the laws on employer/employee data collection and use. Moreover, if employee information were to be covered, the proposed legislation would arguably affect nearly every employer in the nation, including the smallest of commercial entities, forcing them to modify employee data management practices.

Definition and Treatment of "Sensitive Information"

The MRA expresses concern regarding the inclusion in the definition of "sensitive information" of numerous categories of information often used in survey research:

the definition of sensitive information in the draft bill is so broad that it includes “. . . race or ethnicity”, one of the most commonly used categories of demographic data in all research. While “. . . religious beliefs” and “. . . sexual orientation” are not as standard, they are still relatively common demographic questions in survey and opinion research.

. . . While MRA understands the concern for privacy of medical records, the definition of “. . . medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional” could be construed to mean far more than actual records of a doctor or hospital. If a telephone survey were to ask a research participant, “Have you ever suffered from one of the following illnesses”, would the resulting data constitute a medical record according to your draft bill? How about responses to a question such as, “How are you feeling today? Are you feeling better or worse than yesterday?” Such questions are quite common in research studies and would seem to run afoul of the draft bill’s restrictions on sensitive information.

MRA also would like clarification on “. . . financial records” to ensure that it does not include data on a research participant’s individual or household income – again, one of the most common categories of demographic data in any research study.

NRF objects to the inclusion within the definition of "sensitive information" of " race or ethnicity, religious beliefs, account information, and geolocation information." 

The U.S. Chamber of Commerce also finds the definition of "sensitive information" to be overbroad, noting, like the MRA, that it might "include self-reported financial and health information in survey data," and arguing that it would resulting in conflicting requirements for organizations under different federal laws.  The Chamber expresses concern that "'[r]ace or ethnicity' could cover ads delivered in different languages" and argues that the definition of “[m]ental or physical condition" should "relate a [sic] specific diagnosis."  The Chamber also argues that precise geographical information should not be covered by the law and should be left to self-regulation at this time.

Covered Entities

The U.S. Chamber of Commerce argues that the bill should exempt from the definition of "covered entities" organizations already regulated by federal privacy legislation such as GLBA, FCRA and HIPAA.

Detailed Notice/Privacy Policy Requirements

ABM points out that its members already provide privacy notices offline with opt-out rights.  ABM also seeks a "blanket exemption of any collection of [individual’s name, address, phone number and email address] from the notice provisions of the bill, without the limitation . . . to collection as 'part of a first party transaction'” and objects to any requirement that an organization include retention periods in privacy notices since those time periods will vary significantly depending on the circumstances.

Like other advertisers, ANA notes criticism by regulators of long and dense privacy notices that consumers are unlikely to read or understand, and objects to requirements in the discussion draft that would require even more detail:  "Many policymakers and critics argue that the privacy policies that are now on most commercial websites are too long, complex and legalistic. The notice requirements of the Discussion Draft would provide little assistance in this regard to consumers and are likely to exacerbate this problem."

The MRA expresses a concern related to the anticipated difficulty of distributing written privacy notices prior to collection of certain information by telephone for research purposes:

Making a copy of the privacy notice “available to an individual in writing before the covered entity collects any covered information from that individual” would mean mailing potential research participants a copy of the privacy notice in advance of contact. Even that action would require some data collection, because the researcher would need to know the individual’s name and mailing address in order to send the notice. This would dramatically increase the cost of a research study and the time required to complete it. Time-sensitive studies, like most political and public opinion polling, would be imperiled. In situations where timely data is as critical as accurate data, information will not be readily deliverable to companies, government agencies, and other entities that need to make swift decisions.

As such, the MRA recommends a revision "to help clarify how a privacy notice could be made 'available' in the context of data collection for research purposes over the telephone."  That revision would require that, where "the covered entity collects covered information by phone for bona fide survey and opinion research purposes, the covered entity . . .  instruct an individual on where to find the privacy notice . . . on the Internet . . . or offer to send a copy of the privacy notice by mail to an individual, before the covered entity collects any covered information from that individual."  The MRA also suggests the addition of a new definition of "bona fide survey and opinion research" as follows:  "the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior."

The U.S. Chamber of Commerce includes comments reminiscent of those submitted by the DMA, described in Part One, regarding the practical difficulties resulting from a requirement that notice be provided prior to collection of information, in the online and offline worlds alike. The Chamber recommends elimination of this requirement:

Data collection begins immediately when a consumer enters a Web site address in a browser and clicks the go or return function, as an IP address must be collected before a Web site can be delivered to the browser for display. Also, each third party conducting business on the Web site, whether for marketing, fraud detection, or setting a time and data stamp, begins collecting information before the Web site actually loads. Therefore, significant amounts of covered information, as defined in the proposed bill, could be collected before a consumer would actually read a privacy policy and be able to make a choice. In many cases, consumers rarely if ever choose to read a privacy policy, so presumably all data collected to display the Web site would be in violation of the proposed law.
 

Opt-Out for Certain First Party Practices

ABM argues for an exemption for all "first-party online advertising, including specific contextual advertising."  ANA also objects to opt-out requirements for first party transactions, noting that this goes beyond current practices and FTC policies.

Like ABM, ANA and DMA, NRF objects to the opt-out requirements for first-party marketing:  "retailers have engaged in extensive CRM (Customer Relationship Management) in both the catalog and brick and mortar world for years. As retailing moved online, CRM moved to the web as well, with first-party customer interaction being vitally important to both the retailer and to the consumer. It is our belief that the current draft creates the potential for a 'small-print web' where even common firstparty processes would have to be disclaimed by site operators and customers would be constantly bombarded with marketing 'choices.'”  NRF notes that it made the same comments on the original FTC Self-Regulatory Guidelines, and that the final version of those Guidelines contained a clear first-party exemption.

NRF also raises questions about the practicality of such a rule:

If consumers don’t even open their mail, it becomes hard to conceptualize a practical mechanism by which a consumer would have a privacy policy delivered and exercise a real-time opt-out without significantly disrupting their shopping session. Also, would the retailer have to provide an opt-out every time a customer placed something in their shopping cart and a cookie was simultaneously placed on their computer if that same cookie might be used to “save the cart” for 30 days or deliver promotional information the next time the customer visited the site? Would the same type of notice have to be provided before a consumer could knowingly and voluntarily provide personally identifying information such e-mail, shipping and credit card information to complete a transaction?

NRF maintains that consumers do not take advantage of opt-outs, in any event:  "In fact, by our estimates, only 6 percent of retail customers exercised their right to opt-out of marketing e-mails in 2007."

The U.S. Chamber of Commerce also opposes any first party opt-out requirement, noting that, among other things, it would "hinder[] fraud prevention, disabl[e] basic Web site monitoring and advertising metrics, and hamper[] content customization and retail product recommendations online."

Opt-In Requirements

ABM opposes opt-in requirements "for the offline collection of basic information from individuals wishing to establish business relationships, or acting within an established business capacity, and believes that the offline collection of basic business information, like that found on a business card or other public industry information, should be exempted from the bill."  ABM also objects to opt-in requirements for transfers to third parties, and seeks clarification as to what would be included, particularly in the offline world.  ABM opposes opt-in for material changes to privacy policies.  Finally, ABM seeks clarification of the definition of "precise geolocation," so that businesses know whether " geolocation would include data points such as a zip code, IP address, area code or even mailing address" and "urges [the drafters] to carefully consider innovation in serving advertising supported content to mobile devices by clarifying the term 'precise geolocation information' to ensure that first party transactions involving the location of a mobile device are exempted from an opt-in requirement."

The ANA objects to all opt-in requirements as unduly costly and unlikely to be productive, citing studies on opt-in by various organizations and companies.  For example, it cites a study from the Privacy Leadership Initiative finding that, "[i]n the apparel sales area alone, it was demonstrated that if catalog sellers were unable to use routine data that they collect from customers and obtain third party data, they would have to raise their prices by more than $1.4 billion annually." 

The MRA expresses concerns with respect to the opt-in restrictions on third party transfers as they would effect the research industry, noting that,

[a]lthough no personally identifiable data is shared with the clients requesting a study without the consent of the research participants, identifiable data must be transferred between various companies involved in conducting the study in order to complete the work. The average research study requires multiple organizations that divide the labor: one company is hired by a client to conduct a study and it contracts with others to get the study completed. For instance, one company might do the recruitment of research participants or provide the “sample”, another would collect the data, yet another might translate any responses from foreign languages, one more would process and analyze the data -- all before the original hired company puts together the study results (presenting aggregate de-identified data) into a report for the client.

As such, MRA suggests a revision to the opt-in requirement that would provide as follows:  "The consent requirements of this subsection shall not apply to the disclosure of covered information as part of a bona fide survey and opinion research study, provided that-(A) only aggregate information will be shared with the end user who requested or sponsored the study; and (B) all unaffiliated parties to whom covered information is disclosed agree to use such covered information solely for the purpose of conducting the bona fide survey and opinion research study and not to disclose the covered information to any other person."

NRF, like other advertisers, objects to any opt-in requirement in any context, focusing on the impracticality of such requirements.  Among other things, NRF argues the chance of a consumer even obtaining and opening an opt-in notice is slim:  "If these marketing statistics bear out in the context of opt-in, a retailer has an 88-94 percent chance that an opt-in could not be obtained every time a material change is made."

The U.S. Chamber of Commerce disapproves of an opt-in for sharing with third parties, noting that this requirement does not focus on the "intended purpose" or protect any perceived harm, echoing some of the concerns evinced by the ANA described in "General Observations" above.  The Chamber also maintains that affiliated parties should include entities that operate websites as joint ventures.  Further, the Chamber objects to opt-in restrictions for undefined "material changes" to privacy policies.

Operational and Transactional Purpose Exception

ABM seeks clarification of the transactional purpose definition, proffering the following example: "when an ABM member company produces a trade show, and a business signs up to attend the trade show, that should be viewed as a transaction, so that exchanges and sharing of information collected from the attendees at the trade show fall within the transactional exemption."

The U.S. Chamber of Commerce argues that the operational purpose exception is too narrow because it "does not apply if the data is also used for marketing, advertising, or sales," and that "[t]he draft bill should be technology-neutral and should not favor one type of advertising over another." The Chamber further recommends that "operational purpose" include "'detecting, preventing, or acting against actual or suspected fraud targeting the individual.'” The Chamber also seeks clarification of the "transactional purpose" definition to make sure "[m]arketing efforts designed to encourage transactions or sales" are covered.

Exception for "Individual Managed Preference Profiles"

ABM argues that "the in-ad notice and preference profile requirements necessary to achieve exemption from 'opt-in' for advertisements served by unaffiliated third party ad networks should be the responsibility of the ad network, not the first party publisher."

The U.S. Chamber argues that all entities engaged in OBA should be similarly regulated, independent of the business model:

the draft allows entities that construct and maintain user preference profiles to utilize opt-out consent for the collection and use of covered information, but appears to preclude any new or different business models from doing so.

The draft should provide all entities involved in OBA with equal opportunities to utilize opt-out consent for the collection and use of covered information. It should not disfavor particular business models with more burdensome regulatory obligations, since doing so would deter entry, harm innovation, and undermine competition and choice in the OBA marketplace.

Conflict with First Amendment Rights

Like NetChoice (comments described in Part One), the ANA argues that "[s]ome courts and legal scholars believe that [an opt-in requirement] raises serious First Amendment issues. In 1999 in U.S. West v. Federal Communications Commission, 182 F.3d 1224, the 10th Circuit Court of Appeals held that the government must carry out a careful calculation of costs and benefits associated with burdens on speech imposed by an opt-in rule. In that case, the court struck down an FCC rule that contained an opt-in requirement, concluding that the rule violated the First Amendment."

Data Accuracy Requirements

As noted in our FAQ on the bill here, the discussion draft would require "in very general terms that a covered entity 'establish reasonable procedures to assure the accuracy of the covered information it collects.'"  ANA, unlike most commenters, specifically calls out this provision as problematic due to the possibility of providing unlimited access rights to consumers that might actually create additional privacy and security risks:  "We are concerned that this provision could under the Draft possibly lead to a broad right of consumer access to all information held about them by a company and the right to 'correct' that information. Providing consumers with such broad access to all information, without adequate protections, can create, if not carefully developed, a new set of major privacy and security risks."

Status

Last Wednesday, Rep. Boucher told Tech Daily Dose that "most business groups believe the legislation is 'too strict,' while privacy advocates and public interest groups say it doesn't go far enough to protect consumer privacy."  As such, Boucher told Tech Daily Dose, he believes he has a "very centrist proposal."  In any event, Boucher indicated that he intends to make some modifications to the bill based on the feedback, "including lawmakers on both sides of the aisle in meetings with stakeholders," but did not specify a timeframe for completion of that process.