Your company may soon face more regulations in how it gathers and maintains customer data online. On Tuesday April 11, 2011, Sens. John Kerry (D) of Massachusetts and John McCain (R) of Arizona introduced a new bill titled the Commercial Privacy Bill of Rights Act of 2011. If passed the bill would impose new responsibilities on companies to disclose what data is collected from online visitors to their sites and would entitle users to opt out.
The bill seems to be explicitly directed at re-advertisers. It explicitly states that it will target companies that take information solely for the purpose of advertising, and will be more lenient towards companies that have “existing relationships with customers.” “The bill does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing,” McCain said in the joint statement with Kerry. “It is this practice that American consumers reject as an unreasonable invasion of privacy.”
An additional factor that is likely to be the object of scrutiny as the bill advances through congress is a requirement that data that is collected by adequately secured once it has been gathered. The FTC would be empowered to publish rules setting forth security requirements. This portion of the bill responds to growing consumer concerns at unauthorized personal information leaks in the news.
On Wednesday April 6, 2011, the Senate Judiciary Committee met to discuss overhauling the Electronic Communications Privacy Act of 1986 (“ECPA”). This law governs privacy related to data collection and electronic communications but is lacking in any provisions regarding new technologies and practices such as mobile phones, mobile hotspots, social networking and cloud computing.
At least one party opposed to changing the law is the Department of Justice. (“DOJ”) James A. Baker, associate deputy attorney general for the DOJ, told the committee that “the government’s ability to access, review, analyze, and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers, and other malicious actors.”
Mr. Baker tried to persuade the panel that great government access to our private and corporate information actually provides for a more private environment. “By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes.”
What solution does the DOJ offer? Well, for the moment none, however, Cameron F. Kerry, general counsel for the U.S. Department of Commerce, told the committee that the departments of Commerce and the DOJ “have been working together to develop a specific set of legislative proposals.” No suggested tie frame for these proposals was stated.
Senator Patrick Leahy, chairman of the committee, opening remarks at the hearing suggest that the committee might be deferential to the DOJ and DOC on these topics.