On April 12, 2011, Senators John Kerry (D-Mass) and John McCain (R-Ariz) announced proposed legislation that could become the first federal privacy and data security law. If passed into law, The Commercial Privacy Bill of Rights will have a huge impact on how personal information is collected, used, and shared by eCommerce websites. And penalties for failure to comply could be high, very high.
The Way It Was – And Still Is
A little background information is required for perspective.
Prior to 2000, the Internet was essentially like the “wild wild west” in terms of privacy and data security. Essentially, there was no regulation. Generally speaking, except in California, privacy issues were not high on the radar screens of government regulators.
In 2000, California became the first state to have an agency dedicated to promoting and protecting the privacy rights of consumers. In 2003, California passed the California Privacy Protection Act of 2003 (OPPA), which was the first state law in the nation regulating operators of commercial websites on online services to post a privacy policy. OPPA in essence became a de facto federal statute because it applied to any person or company in the United States (and conceivably the world), and no commercial website would want to attempt to screen out California residents from participation in its services or the purchase of its products.
When OPPA became law, there was no federal privacy legislation of general application. The Bush administration essentially wanted to stay out of the way of the commercial development of the Internet.
Despite the lack of a federal statute of general application (which continues to this day), the feds did get involved with online privacy enforcement through the Federal Trade Commission (FTC). Empowered by The Federal Trade Commission Act, the FTC may take legal actions to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.
Beginning in 2000, the FTC issued a report to Congress outlining four core principles of privacy protection. Since then, the FTC has taken action against companies that fail to comply with their own privacy policies or otherwise misrepresent their information management practices.
So, although the requirement for a privacy policy originated with California’s OPPA, the feds, through the FTC, are empowered to act if a website is deceptive in failing to comply with its privacy policy.
Key Provisions of the Proposed Law
If The Commercial Privacy Bill of Rights Act becomes law, this will change – in a big way. For the first time, we’ll have a federal privacy statute of general application.
So, what’s new with the proposed law? Here are some of the key points:
* Covered entities – any site that collects, uses, transfers, or stores “covered information” about more than 5,000 individuals during any consecutive 12-month period.
* “Covered Information” – personally identifiable information and any unique persistent identifier associated with an individual or networked device that may be used to identify a specific individual.
* Rights to security and accountability – included is “privacy by design” which requires the implementation of a comprehensive privacy program that incorporates privacy practices throughout the product life cycle.
* Rights to transparent notice and individual participation – notice includes clear, concise, and timely notices of privacy practices; opt–out mechanisms for (i) specific uses of covered information, and (ii) use of covered information by third parties for behavioral advertising; opt–in mechanisms for (i) use of covered information for uses other than processing a transaction, and (ii) use or transfer of previously collected covered information if there is a material change in privacy practices that would create a risk of physical harm; access to covered information; and de-identification of covered information when individual service terminates.
* Use of service providers – covered entities that use service providers are required to enter into a contract with the service provider to treat covered information as private and secure in accordance with the new statute.
* Collection of information – limited to collection of only as much information as is reasonably necessary to process a transaction or request, prevent fraud, investigate a crime or comply with a law, market using the information collected directly, conduct research and development to improve service, or for surveys of website analytics.
* Retention of covered information – retention is authorized only as long as needed to process a transaction or deliver a service, conduct research and development, or comply with the law.
* Distribution of information – transfers of any information to a third party are authorized only if covered entity performs due diligence indicating that the third party is reliable and the third party enters into a contract to use the information consistent with the new statute; combination of the information by the third party with other information is prohibited unless opt–in consent has been given.
* Enforcement – enforcement would be permitted by the FTC and state attorneys general; there would be no private of action.
* Penalties – civil penalties up to $16,500 per day for affected individuals, with a cap of $3 million for violating the security and accountability provisions, and a cap of $3 million for violating the notice and individual participation provisions.
Conclusion
If passed as proposed, The Commercial Privacy Bill of Rights will have a huge impact on covered ecommerce websites. The cost to comply will be substantial. Penalties for non-compliance are potentially devastating.
The proposed law would not only affect a website’s policies for collection, use, and sharing of personal information, but they would also affect the design of websites, the design and structure of customer and prospect databases, and how websites actually function and operate.
