Proposed Data Privacy Legislation Generates Relief as Well as Concerns
July, 2010
By
Daniel T. Rockey
Electronic Commerce & Law ReportLast month, U.S. Representatives Rick Boucher (D-Va) and Cliff Stearns (R-Fl), Chair and Ranking Member, respectively, of the Subcommittee on Communications, Technology, and the Internet, released a "discussion draft" of proposed legislation aimed at regulating the collection and sharing of information for marketing purposes (15 ECLR 741, 5/12/10). After repeated threats by FTC Commissioner Jon Leibowitz to press for an "opt-in" regulatory scheme for data collection, marketers breathed an initial sigh of relief at the fact that, in many respects, the draft embraces the notice and "opt-out"approach advocated by many self-regulatory organizations. The relief was short-lived, however, as the reality set in that the legislation, as proposed, would impose sweeping changes in existing practices in both online and offline advertising. This article discusses notable provisions of the Boucher proposal, and identifies a number issues that must be addressed by the authors before the measure is brought to committee.
Broad Definition of Covered Data
In general, the Boucher proposal prohibits any entity1 from collecting, using, or disclosing "covered information"unless it first makes available to the consumer a comprehensive privacy notice and obtains "consent" within the meaning of the bill. Although the objectives of the bill are relatively non-controversial, the categories of information deemed to implicate privacy interests("covered information") are quite broad, even amorphous, and go beyond the definitions of Personally Identifiable Information in existing regulatory regimes. See, e.g., California Online Privacy Protection Act,2 Massachusetts Data Protection Act.3 In addition to the categories of data traditionally considered PII, such as name, address, Social Security Number, financial account numbers, etc., the Boucher proposal extends coverage to IP addresses, cookies, user alias' and any other "unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user." In a similar vein, covered information also includes "preference profiles;" defined as "a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity." Although it is generally accepted that persistent cookies, IP addresses, preference profiles, "browser fingerprints," and the like can and are being used to track users online, until now there has been little agreement as to whether such data constitutes personally identifiable information. The Boucher proposal answers this question in the affirmative, and thereby brings network advertisers and others who rely on such data to serve ads within the fold.
——————————————————————————————
1 The bill would exempt anyone who collects data from fewer than 5,000 individuals in a 12-month period.
2 See Cal. Bus. & Prof. § 22577 ("The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.").
3 201 CMR 17.02 ("Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.").
——————————————————————————————
More troubling is the bill's catch-all provision covering "[a]ny other information that is collected, stored, used or disclosed in connection with any covered information." It is unclear what kinds of information were intended to be captured by this provision, or how broadly such a provision would be interpreted. Calls for clarification have already been heard with respect to this provision and should result in much needed guidance from the authors and/or revisions to the final bill.
Preserves Opt-Out for First-Party Online Data Collection, With Expansive Privacy Disclosures
The bill largely preserves existing industry best practices with respect to the online collection of data in first party interactions, (i.e., use by the collecting entity), requiring only that the entity "make available" its privacy policy and provide an opportunity to the consumer to opt-out. The notice mechanism – clear and conspicuous posting, accessible from a link on the homepage – is generally consistent with existing self-regulatory guidelines and current state law governing privacy policies.4 And, consistent with recent comments by the FTC Commissioner, the bill exempts from the notice and consent requirement data collected or used for a transactional5 or operational purpose.6
——————————————————————————————
4 See Cal. Bus. & Prof. § 22575(a), 22577(b).
5 A transactional purpose is one necessary for "effecting, administering or enforcing a transaction" with the consumer.
6 An operational purpose includes site or product optimization, data security, legal compulsion or sharing with an affiliate.
——————————————————————————————
The bill would, however, require all but the most fastidious firms to revise, and expand, their privacy policies to more comprehensively address their data collection, marketing and storage practices. In addition to disclosing what data is collected and to whom it may be disclosed, the privacy policy mandated by the bill would include, among other items, descriptions as to how the data will be used, how it will be stored, for how long it will be kept in personally identifiable form, whether and how it may be merged with data from unaffiliated sources, and how the company will provide notification of changes to the policy. Concerns have been raised that by imposing an ever-expanding list of privacy disclosures, the bill would actually render privacy policies more complicated and less transparent, and would therefore be counter to the stated goal of enhancing consumer information and choice. Others have raised concerns that certain of the proposed disclosures would generate security concerns by providing valuable information to prospective identity thieves. In light of prior comments by the FTC's Liebowitz concerning the need to streamline the disclosure process, it seems like likely that this provision will be the subject of further discussion.
Imposes Opt-In Requirement For Retroactive Modifications
Also of concern to marketers is the proposal to require opt-in for "material changes" to the treatment of previously collected data. Many clients have objected that the provision would create an administrative nightmare, requiring marketers to implement a complicated data segregation scheme to ensure alignment of business practices with policy changes, and may over time stifle innovation and flexibility by discouraging changes in data collection policies and practices. However, given that the provision effectively codifies the FTC's current interpretation of the FTC Act Section 5, as applied in prior FTC enforcement actions, see, e.g., In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004)(9 ECLR 622, 7/14/04), significant changes to this provision appear unlikely.
Imposes Opt-In For Sharing With Unaffiliated Entities
Perhaps the most controversial provision, and the one most likely to engender fierce opposition from certain quarters of the marketing industry, is the proposal to require opt-in— "express affirmative consent"—to share data with unaffiliated parties(i.e. entities not under common corporate control). The provision would have a significant impact on many current business practices, including in particular offline marketers, cataloguers, list brokers, and others that compile or rely on marketing lists, or who append data gathered by third parties to enhance customer targeting and modeling,
The bill attempts to mitigate the impact of this provision in two ways. First, the bill includes a safe-harbor provision for online advertising networks. Essentially adopting the self-regulatory model of the NAI, the bill allows members of advertising networks to freely share data within the network so long as the network (1) provides a persistent opt-out mechanism, (2) data is deleted or rendered anonymous after 18 months, (3) a seal or symbol is placed on ads linking to the privacy policy and an opt-out mechanism and (4) the data is not shared outside the network. Second, the bill exempts disclosures to "service providers" for the purpose of "executing a first party transaction," so long as the entity has complied with the opt-out consent requirement applicable to first party interactions and the agreement with the service provider includes an appropriate non-disclosure provision. This provision would presumably cover not only payment processors, fulfillment services and the like, but marketing vendors and ad servers as well.
However, neither of the proposed exemptions does much to address the concerns of offline marketers and others who have traditionally relied on data collected by third parties. It is likely that this provision will be the subject of intense negotiations and revisions before a final bill is introduced.
Proposal Would Require Substantial Changes to Offline Data Collection
Although the impetus of the Boucher proposal was clearly to regulate the use of online behavioral advertising, by its terms it extends its regulatory reach to the offline marketing world. The Boucher proposal provides that where data is collected by "any means that does not use the Internet," the entity must nevertheless provide the prescribed privacy notice, in writing, to the individual from or about whom the data is collected "before the covered entity collects any covered information." (emphasis added). Although a seemingly commonsense provision, the practical implications of this requirement have generated great concern among direct mailers, cataloguers, telemarketers and list brokers, as it raises a number of questions concerning how the provision would be implemented. The bill does, however, exempt from the notice and consent requirement the offline collection of certain basic data, including name, address, telephone number and email address, and does not include within the definition of covered information demographic or other data that would typically be appended thereto.
Sensitive Information
The bill requires express affirmative consent (opt-in) for the collection or use of "sensitive information," which expectedly includes medical data and financial data, but which also includes data concerning an individual's race or ethnicity, religious beliefs, sexual orientation and "precise geolocation information." Restrictions on the latter categories may have significant impacts in certain niche marketing circles and may have enormous implications for mobile ad networks and geolocation service providers, such as Quova and Digital Envoy, and certain social networking applications that seek to leverage geolocation data. Furthermore, because "sensitive information"is said to include data that "relates" to the enumerated categories, concerns have been expressed that it could include information from which sensitive information might be inferred, such as the consumer's preferred language, which might raise an inference of the consumer's ethnicity. As a result, it is likely that the authors will act to clarify the limits of what is considered sensitive information prior to placing the bill in final form.
National Data Security Standards?
Finally, taking a page from existing state law on data security, the Boucher proposal would also create national data security standards, requiring covered entities to establish, implement and maintain appropriate administrative, technical and physical safeguards to protect against security threats and unauthorized access or misuse. However, unlike most state regulatory schemes, the Boucher proposal does not incorporate a data breach notification requirement, requiring only that a covered entity determine the scope of any data breach and take steps to prevent further access to the data and restore the integrity of the data. Significantly, the bill includes a general preemption provision, stating that it preempts any state law that "includes requirements for the collection, use or disclosure of covered information."As a result of this provision, the data security requirements would presumably preempt current state data security schemes, such as those in Massachusetts, Minnesota, and Utah, and perhaps the ubiquitous state data breach notification laws as well. Uniform national standards would certainly be welcomed by the industry, but consumer groups and others have already objected to the preemption provisions and the prohibition on private rights of action, setting the stage for a showdown on these issues as the bill heads to committee.
Daniel Rockey is of counsel with Bullivant Houser Bailey PC, working in the firm's San Francisco office. He practices complex commercial litigation with an emphasis on matters involving companies and individuals in the technology sector, including the internet and social media, semiconductor, computer networking, and software companies.