National Online Privacy Law a 'When,' Not an 'If'4 Oct, 2011 By: William I. Rothbard
Between high-noon debt-ceiling standoffs and government shutdown threats, Congress has continued to seek consensus around a national online privacy law, sparked by the Federal Trade Commission’s (FTC) 2010 preliminary report calling, among other things, for a “Do Not Track” (“DNT”) option for consumers. Passage now is hardly assured as the 2012 election campaign gets underway, but given current bipartisan sponsorship and industry support of leading bills, eventual enactment seems to be a matter of when, not if.
Meanwhile, privacy protection remains a top FTC priority. Earlier this year, it reached a landmark settlement with Google requiring, among other things, opt-in to third party datasharing. On the policy front, the FTC is developing a final set of online privacy recommendations, has just proposed changes to the Children’s Online Privacy Protection Rule to address new technologies, and will be hosting a workshop on privacy implications of facial technology in social networking and mobile apps.
While a flurry of bills have been introduced, “The Commercial Privacy Bill of Rights Act of 2011,” co-sponsored by Senators John Kerry (D-Mass.) and John McCain (R-Az.), seems poised to be the prime legislative vehicle. It could be blended with a House bill, the “Consumer Privacy Protection Act of 2011,” introduced by Reps. Cliff Stearns (R-Fla.) and Jim Matheson (D-Utah). Neither includes DNT, but should Congress decide to give consumers that option, there is no shortage of DNT measures, including ones introduced by Sen. Jay Rockefeller (D-W.Va.), Rep. Jackie Speier (D-Calif.), and jointly by Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas).
Both Kerry-McCain and Stearns-Matheson adopt the FTC’s “Fair Information Practice Principles” (notice, choice, consent, data access/security), create “safe harbors” for FTC-blessed privacy programs, would largely preempt state privacy laws, and would not allow a private right of action. Their chief differences are that Kerry-McCain is more prescriptive and would delegate substantial rulemaking powers to the FTC, while Stearns-Matheson relies more on disclosure and self-regulation.
Stearns-Matheson, by contrast, would require companies to publish privacy policies describing their collection, use and transfer of PII (which many, of course, already do), but stops short of mandating standards or empowering the FTC to establish standards.
Thus far, Kerry-McCain has garnered the most support, including backing from the White House and major technology companies, though consumer group sentiment is mixed. However, a national online privacy law seems assured. The stakes are high for marketers, consumers, and the future of behavioral advertising.